Add secure boot support in ISO installer

2026-02-14 23:18:59 +00:00 · 2025-05-08 00:38:26 +05:00
parent da5c02590e
commit 19e779d993
2 changed files with 11 additions and 33 deletions
--- a/scale_build/image/iso.py
+++ b/scale_build/image/iso.py
@@ -128,7 +128,7 @@ def make_iso_file():
        run_in_chroot(['apt-get', 'update'], check=False)
        run_in_chroot([
            'apt-get', 'install', '-y', 'grub-common', 'grub2-common', 'grub-efi-amd64-bin',
-            'grub-pc-bin', 'mtools', 'xorriso'
+            'grub-pc-bin', 'mtools', 'xorriso', 'shim-signed'
        ])

        # Debian GRUB EFI searches for GRUB config in a different place
@@ -140,35 +140,11 @@ def make_iso_file():

        iso = os.path.join(RELEASE_DIR, f'TrueNAS-SCALE-{get_image_version(vendor=TRUENAS_VENDOR)}.iso')

-        # Default grub EFI image does not support `search` command which we need to make TrueNAS ISO working in
-        # Rufus "ISO Image mode".
-        # Let's use pre-built Debian GRUB EFI image that the official Debian ISO installer uses.
-        with tempfile.NamedTemporaryFile(dir=RELEASE_DIR) as efi_img:
-            with tempfile.NamedTemporaryFile(suffix='.tar.gz') as f:
-                apt_repos = get_apt_repos(check_custom=True)
-                r = requests.get(
-                    f'{apt_repos["url"]}dists/{apt_repos["distribution"]}/main/installer-amd64/current/images/cdrom/'
-                    'debian-cd_info.tar.gz',
-                    timeout=10,
-                    stream=True,
-                )
-                r.raise_for_status()
-                shutil.copyfileobj(r.raw, f)
-                f.flush()
-
-                with tarfile.open(f.name) as tf:
-                    shutil.copyfileobj(tf.extractfile('./grub/efi.img'), efi_img)
-
-            efi_img.flush()
-
-            run_in_chroot([
-                'grub-mkrescue',
-                '-o', iso,
-                '--efi-boot-part', os.path.join(
-                    RELEASE_DIR, os.path.relpath(efi_img.name, os.path.abspath(RELEASE_DIR))
-                ),
-                CD_DIR,
-            ])
+	# Since grub-mkresuce does not create secure boot enabled images, use proxmox patch
+        run_in_chroot([
+            '/bin/bash', '-c',
+            f'TRUENAS_CD_BUILDER_SHIM_QUIRK=1 grub-mkrescue -o {iso} {CD_DIR}'
+        ])

        lo = run(['losetup', '-f'], log=False).stdout.strip()
        run(['losetup', '-P', lo, iso])
--- a/scripts/grub.cfg
+++ b/scripts/grub.cfg
@@ -13,7 +13,8 @@ function load_video {
 }

 set prefix=($root)/boot/grub
-if loadfont $prefix/fonts/unicode.pf2 ; then
+# $prefix/fonts/unicode.pf2 needs to be signed, so use grub's internal atm
+if loadfont unicode ; then
  set gfxmode=auto
  load_video
  insmod gfxterm
@@ -68,16 +69,17 @@ fi

 insmod play
 play 960 440 1 0 4 440 1
+# nomodeset not compatible with secure boot, using vga=normal
 menuentry --hotkey=i --id=video 'Start $vendor Installation' {
    load_video
    set background_color=black
-    linux    /vmlinuz gfxpayload=text quiet nomodeset boot=live toram=filesystem.squashfs $gfx_console
+    linux    /vmlinuz gfxpayload=text quiet vga=normal boot=live toram=filesystem.squashfs $gfx_console
    initrd   /initrd.img
 }
 menuentry --hotkey=j --id=serial 'Start $vendor Installation (115200 baud)' {
    load_video
    set background_color=black
-    linux    /vmlinuz gfxpayload=text quiet nomodeset boot=live toram=filesystem.squashfs $gfx_console $serial_console
+    linux    /vmlinuz gfxpayload=text quiet vga=normal boot=live toram=filesystem.squashfs $gfx_console $serial_console
    initrd   /initrd.img
 }