From 7e0355751d79f2d3244c04e052d7d21f48cdabb1 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 09:16:40 -0500
Subject: [PATCH 1/7] grub2: Add GRUB2_PASSWORD support, source custom.cfg user.cfg, despite his name, is usually used to store GRUB2_PASSWORD variable: - grub2-set-password utility overwrite the whole file - security scanners look at the content of user.cfg https://github.com/ComplianceAsCode/content/blob/47fd3bcded59116ade8ea09eb396f363e37813d4/linux_os/guide/system/bootloader-grub2/uefi/grub2_uefi_password/oval/shared.xml Copy the content of the legacy /etc/grub.d/01_users as 01_users.cfg, and add 41_custom.cfg to source custom.cfg for people in need of custom configs. This gets us closer to classic grub2-mkconfig behaviour.
---
 Makefile | 2 +-
 src/grub2/configs.d/01_users.cfg | 10 ++++++++++
 src/grub2/configs.d/41_custom.cfg | 3 +++
 src/grub2/grub-static-post.cfg | 6 ------
 4 files changed, 14 insertions(+), 7 deletions(-)
 create mode 100644 src/grub2/configs.d/01_users.cfg
 create mode 100644 src/grub2/configs.d/41_custom.cfg
diff --git a/Makefile b/Makefile
index b7112ac1..a5e24199 100644
--- a/Makefile
+++ b/Makefile
@@ -40,7 +40,7 @@ install:
 .PHONY: install-grub-static
 install-grub-static:
 install -m 644 -D -t ${DESTDIR}$(PREFIX)/lib/bootupd/grub2-static src/grub2/*.cfg
- install -m 755 -d ${DESTDIR}$(PREFIX)/lib/bootupd/grub2-static/configs.d
+ install -m 644 -D -t ${DESTDIR}$(PREFIX)/lib/bootupd/grub2-static/configs.d src/grub2/configs.d/*.cfg
 .PHONY: install-systemd-unit
 install-systemd-unit:
diff --git a/src/grub2/configs.d/01_users.cfg b/src/grub2/configs.d/01_users.cfg
new file mode 100644
index 00000000..beca41eb
--- /dev/null
+++ b/src/grub2/configs.d/01_users.cfg
@@ -0,0 +1,10 @@
+# Keep the comment for grub2-set-password
+### BEGIN /etc/grub.d/01_users ###
+if [ -f ${prefix}/user.cfg ]; then
+ source ${prefix}/user.cfg
+ if [ -n "${GRUB2_PASSWORD}" ]; then
+ set superusers="root"
+ export superusers
+ password_pbkdf2 root ${GRUB2_PASSWORD}
+ fi
+fi
diff --git a/src/grub2/configs.d/41_custom.cfg b/src/grub2/configs.d/41_custom.cfg
new file mode 100644
index 00000000..80c2f917
--- /dev/null
+++ b/src/grub2/configs.d/41_custom.cfg
@@ -0,0 +1,3 @@
+if [ -f $prefix/custom.cfg ]; then
+ source $prefix/custom.cfg
+fi
diff --git a/src/grub2/grub-static-post.cfg b/src/grub2/grub-static-post.cfg
index e426e390..fcceeb99 100644
--- a/src/grub2/grub-static-post.cfg
+++ b/src/grub2/grub-static-post.cfg
@@ -7,11 +7,5 @@ else
 set timeout=1
 fi
-# Import user defined configuration
-# tracker: https://github.com/coreos/fedora-coreos-tracker/issues/805
-if [ -f $prefix/user.cfg ]; then
- source $prefix/user.cfg
-fi
-
 blscfg
From 39340309ae71462bb0dd94a12ec57cfa7e1cf51c Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 23:06:51 -0500
Subject: [PATCH 2/7] grub2: remove outdated checks Both features were added 13 years ago. feature_menuentry_id was added in https://github.com/rhboot/grub2/commit/d9bef9bc433ee4f95d8b4124efa7afb119c08730 feature_all_video_module was added in https://github.com/rhboot/grub2/commit/22c7ce85fe51fd749041402ef2c3a7b5ad3078a7
---
 src/grub2/grub-static-pre.cfg | 18 ++----------------
 1 file changed, 2 insertions(+), 16 deletions(-)
diff --git a/src/grub2/grub-static-pre.cfg b/src/grub2/grub-static-pre.cfg
index d4a81d88..b98cbebe 100644
--- a/src/grub2/grub-static-pre.cfg
+++ b/src/grub2/grub-static-pre.cfg
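Review bot: The opening comment in 01_users.cfg, `# Keep the comment for grub2-set-password`, does not say which line must be kept or why, so a later cleanup could drop the `### BEGIN /etc/grub.d/01_users ###` marker; I would write `# grub2-set-password looks for the marker line below in grub.cfg; do not remove or reword it` (the exact check is not shown here, so confirm it against the tool). The block sets `superusers` and `password_pbkdf2` only when user.cfg exists and `GRUB2_PASSWORD` is non-empty, so a missing or emptied user.cfg leaves the menu unprotected without any message, which deserves a second comment for anyone auditing the generated config. user.cfg carries the PBKDF2 hash and is sourced as script, so it should stay root-owned and not world-readable; its mode is set outside this diff. The same ownership concern applies to custom.cfg in the 41_custom.cfg hunk, which is sourced after this block and can therefore change `superusers`; that hunk also writes `$prefix` where this one writes `${prefix}`.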
@@ -43,24 +43,10 @@ if [ -f $prefix/console.cfg ]; then
 source $prefix/console.cfg
 fi
-if [ x"${feature_menuentry_id}" = xy ]; then
- menuentry_id_option="--id"
-else
- menuentry_id_option=""
-fi
+menuentry_id_option="--id"
 function load_video {
- if [ x$feature_all_video_module = xy ]; then
- insmod all_video
- else
- insmod efi_gop
- insmod efi_uga
- insmod ieee1275_fb
- insmod vbe
- insmod vga
- insmod video_bochs
- insmod video_cirrus
- fi
+ insmod all_video
 }
 # Other package code will be injected from here
From 3cb339fcbee2f727d5a1da067f7c5308dbe41238 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 20:02:26 -0500
Subject: [PATCH 3/7] grub2: move timeout into grub-static-pre.cfg In classic install timeout setting is at the end of 00_header, being at the end of grub-static-pre.cfg is equivalent. This allow to overide the timeout setting using configs.d. While at it remove the feature_timeout_style check as the feature was added 12 years ago in https://github.com/rhboot/grub2/commit/8f236c141916cc149e325fd8ebeab725568bf907
---
 src/grub2/grub-static-post.cfg | 9 ---------
 src/grub2/grub-static-pre.cfg | 3 +++
 2 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/src/grub2/grub-static-post.cfg b/src/grub2/grub-static-post.cfg
index fcceeb99..0db7517f 100644
--- a/src/grub2/grub-static-post.cfg
+++ b/src/grub2/grub-static-post.cfg
@@ -1,11 +1,2 @@
-if [ x$feature_timeout_style = xy ] ; then
- set timeout_style=menu
- set timeout=1
-# Fallback normal timeout code in case the timeout_style feature is
-# unavailable.
-else
- set timeout=1
-fi
-
 blscfg
diff --git a/src/grub2/grub-static-pre.cfg b/src/grub2/grub-static-pre.cfg
index b98cbebe..a0920084 100644
--- a/src/grub2/grub-static-pre.cfg
+++ b/src/grub2/grub-static-pre.cfg
@@ -49,4 +49,7 @@ function load_video {
 insmod all_video
 }
+set timeout_style=menu
+set timeout=1
+
 # Other package code will be injected from here
From 39d35998e815c9d48d30c97d43bbdab65e558c63 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 20:37:28 -0500
Subject: [PATCH 4/7] grub2: move blscfg to configs.d This allows to add menu entries after the BLS entries, for exemple 'UEFI Firmware Settings'.
---
 src/grub2/configs.d/10_blscfg.cfg | 1 +
 src/grub2/grub-static-post.cfg | 2 --
 2 files changed, 1 insertion(+), 2 deletions(-)
 create mode 100644 src/grub2/configs.d/10_blscfg.cfg
diff --git a/src/grub2/configs.d/10_blscfg.cfg b/src/grub2/configs.d/10_blscfg.cfg
new file mode 100644
index 00000000..f3945a91
--- /dev/null
+++ b/src/grub2/configs.d/10_blscfg.cfg
@@ -0,0 +1 @@
+blscfg
diff --git a/src/grub2/grub-static-post.cfg b/src/grub2/grub-static-post.cfg
index 0db7517f..e69de29b 100644
--- a/src/grub2/grub-static-post.cfg
+++ b/src/grub2/grub-static-post.cfg
@@ -1,2 +0,0 @@
-blscfg
-
From a01079c5e2c82bb676294fe1e2cec3c28b266a3e Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 21:32:32 -0500
Subject: [PATCH 5/7] grubconfigs: include dropins instead of sourcing This will make updating config easier as there will be no need to cleanup dropins files in /boot/grub2/.
---
 src/grub2/grub-static-post.cfg | 0
 src/grubconfigs.rs | 20 +++++++++-----------
 2 files changed, 9 insertions(+), 11 deletions(-)
 delete mode 100644 src/grub2/grub-static-post.cfg
diff --git a/src/grub2/grub-static-post.cfg b/src/grub2/grub-static-post.cfg
deleted file mode 100644
index e69de29b..00000000
diff --git a/src/grubconfigs.rs b/src/grubconfigs.rs
index 09aeebfb..f4ea24ee 100644
--- a/src/grubconfigs.rs
+++ b/src/grubconfigs.rs
@@ -29,7 +29,10 @@ pub(crate) fn install(
 bootdir.create_dir(GRUB2DIR, 0o700)?;
 }
- let mut config = std::fs::read_to_string(Path::new(CONFIGDIR).join("grub-static-pre.cfg"))?;
+ let mut config = String::from("# Generated by bootupd / do not edit\n\n");
+
+ let pre = std::fs::read_to_string(Path::new(CONFIGDIR).join("grub-static-pre.cfg"))?;
+ config.push_str(pre.as_str());
 let dropindir = openat::Dir::open(&Path::new(CONFIGDIR).join(DROPINDIR))?;
 // Sort the files for reproducibility
@@ -47,16 +50,11 @@ pub(crate) fn install(
 log::debug!("Ignoring {name}");
 continue;
 }
- writeln!(config, "source $prefix/{name}")?;
- dropindir
- .copy_file_at(name, bootdir, format!("{GRUB2DIR}/{name}"))
- .with_context(|| format!("Copying {name}"))?;
- println!("Installed {name}");
- }
-
- {
- let post = std::fs::read_to_string(Path::new(CONFIGDIR).join("grub-static-post.cfg"))?;
- config.push_str(post.as_str());
+ writeln!(config, "\n### BEGIN {name} ###")?;
+ let dropin = std::fs::read_to_string(Path::new(CONFIGDIR).join(DROPINDIR).join(name))?;
+ config.push_str(dropin.as_str());
+ writeln!(config, "### END {name} ###")?;
+ println!("Added {name}");
 }
 bootdir
From 683eb9dba889835905388bcd950db8bebf6e4077 Mon Sep 17 00:00:00 2001
From: Etienne Champetier
Date: Fri, 7 Feb 2025 20:46:32 -0500
Subject: [PATCH 6/7] grub2: add 'UEFI Firmware Settings' menuentry
---
 src/grub2/configs.d/30_uefi-firmware.cfg | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 src/grub2/configs.d/30_uefi-firmware.cfg
diff --git a/src/grub2/configs.d/30_uefi-firmware.cfg b/src/grub2/configs.d/30_uefi-firmware.cfg
new file mode 100644
index 00000000..fa9fade1
--- /dev/null
+++ b/src/grub2/configs.d/30_uefi-firmware.cfg
@@ -0,0 +1,5 @@
+if [ "$grub_platform" = "efi" ]; then
+ menuentry 'UEFI Firmware Settings' $menuentry_id_option 'uefi-firmware' {
+ fwsetup
+ }
+fi
From 741e9a585909cc7ebe048f154c29fc93807c783e Mon Sep 17 00:00:00 2001
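Review bot: In the second grubconfigs.rs hunk the drop-in text is appended with `config.push_str(dropin.as_str())` and the `### END {name} ###` line is written straight after it, so a drop-in whose last line has no trailing newline gets the marker glued to its final token (for example `fi### END …`), and the generated grub.cfg would likely no longer parse as intended. Adding `if !dropin.ends_with('\n') { config.push('\n'); }` before the END line avoids that, which matters more now that 01_users.cfg and its password gate are inlined into the same file. The new `read_to_string` call also loses the `.with_context(|| format!("Copying {name}"))` that the removed code had, so a read failure no longer names the file; `.with_context(|| format!("Reading {name}"))?` would restore it, assuming the context trait is still imported. The enclosing `install` function starts and ends outside the hunk.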
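Review bot: The `menuentry 'UEFI Firmware Settings'` line in 30_uefi-firmware.cfg has no comment about access control, and it matters here: the entry carries neither `--unrestricted` nor `--users`, so once 01_users.cfg has set `superusers` GRUB should ask for the superuser password before running `fwsetup`, while without GRUB2_PASSWORD the entry is open to anyone at the console. I would record that this is deliberate with `# Intentionally not --unrestricted: needs the GRUB superuser password when one is set`, so that nobody adds the flag later for convenience. The entry also depends on `$menuentry_id_option` being defined in grub-static-pre.cfg before the drop-ins are included.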
From: Etienne Champetier
Date: Fri, 7 Feb 2025 22:54:43 -0500
Subject: [PATCH 7/7] grub2: add support for menu_show_once_timeout
---
 src/grub2/configs.d/14_menu_show_once.cfg | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 src/grub2/configs.d/14_menu_show_once.cfg
diff --git a/src/grub2/configs.d/14_menu_show_once.cfg b/src/grub2/configs.d/14_menu_show_once.cfg
new file mode 100644
index 00000000..8f170bf4
--- /dev/null
+++ b/src/grub2/configs.d/14_menu_show_once.cfg
@@ -0,0 +1,8 @@
+# Force the menu to be shown once, with a timeout of ${menu_show_once_timeout}
+# if requested by ${menu_show_once_timeout} being set in the env.
+if [ "${menu_show_once_timeout}" ]; then
+ set timeout_style=menu
+ set timeout="${menu_show_once_timeout}"
+ unset menu_show_once_timeout
+ save_env menu_show_once_timeout
+fi
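Review bot: The header comment in 14_menu_show_once.cfg does not say where `menu_show_once_timeout` comes from or what happens when `save_env` cannot write, and `set timeout="${menu_show_once_timeout}"` uses the value without any check. If the environment block is not writable at boot, the `unset` is presumably not persisted and the menu is forced on every boot until the variable is cleared from the running system. A comment such as `# Set in the GRUB environment block; save_env persists the unset so the override applies to a single boot` would make that dependency explicit. Whether grub-static-pre.cfg calls `load_env` before the drop-ins are included is not visible in these hunks, so that is worth confirming.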