fix: EFI Secure Boot chain with grub.cfg, fix non-free-firmware repo

EFI boot fix: - Shim needs grub.cfg in same directory to find the root partition - Create minimal grub.cfg in /EFI/BOOT/ that chains to /boot/grub/grub.cfg - Preserve unsigned GRUB as fallback for non-Secure-Boot systems - Copy full chain to both /EFI/BOOT/ and /EFI/archipelago/ paths - Log EFI directory contents for debugging Firmware fix: - DEB822 format sed was wrong — fix Components line replacement - Add fallback sources.list entry to guarantee non-free-firmware repo - Ensures firmware-realtek, intel-microcode actually get installed Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 19:25:55 +00:00 · 2026-03-25 19:25:55 +00:00 · 17924c73d7
commit 17924c73d7
parent ec32b336a6
1 changed files with 33 additions and 9 deletions
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@ -203,9 +203,13 @@ FROM debian:bookworm
 ENV DEBIAN_FRONTEND=noninteractive

 # Enable non-free-firmware repo for hardware firmware (Realtek NIC, Intel WiFi, etc.)
-RUN sed -i 's/^deb \(.*\) bookworm \(.*\)/deb \1 bookworm \2 non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
-    sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
-    echo "deb http://deb.debian.org/debian bookworm main non-free-firmware" >> /etc/apt/sources.list
+# Bookworm Docker uses DEB822 format in /etc/apt/sources.list.d/debian.sources
+RUN if [ -f /etc/apt/sources.list.d/debian.sources ]; then \
+        sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources; \
+    elif [ -f /etc/apt/sources.list ]; then \
+        sed -i 's/bookworm main$/bookworm main non-free-firmware/' /etc/apt/sources.list; \
+    fi && \
+    echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list

 # Install all packages we need including nginx, podman, tor, and openssl (for self-signed certs)
 RUN apt-get update && apt-get install -y \
@ -1460,9 +1464,9 @@ else
    fi
 fi

-# Secure Boot chain: replace unsigned GRUB with signed shim+grub for Secure Boot compatibility
-# Framework laptops and other Secure Boot-enabled machines need this chain:
-#   BOOTX64.EFI (shimx64, Microsoft-signed) → grubx64.efi (Debian-signed) → kernel
+# Secure Boot chain: set up shim+signed-grub alongside unsigned GRUB for maximum compatibility
+# Boot chain: BOOTX64.EFI (shim) → grubx64.efi (signed GRUB) → grub.cfg → kernel
+# Non-Secure-Boot: falls through shim to grubx64.efi which finds grub.cfg
 echo "   Setting up Secure Boot chain..."
 if [ "$ARCH" = "x86_64" ]; then
    SHIM_SRC="/mnt/target/usr/lib/shim/shimx64.efi.signed"
@ -1480,15 +1484,35 @@ fi
 EFI_BOOT_DIR="/mnt/target/boot/efi/EFI/BOOT"
 EFI_ARCHY_DIR="/mnt/target/boot/efi/EFI/archipelago"
 if [ -f "$SHIM_SRC" ] && [ -f "$GRUB_SIGNED_SRC" ]; then
-    # Fallback path — what UEFI firmware checks when no boot entry exists
+    # Fallback path (/EFI/BOOT/) — what UEFI firmware checks when no boot entry exists
    mkdir -p "$EFI_BOOT_DIR"
+    # Save the unsigned GRUB that grub-install created (works without Secure Boot)
+    if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
+        cp "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" "$EFI_BOOT_DIR/grub_unsigned.efi"
+    fi
+    # Shim becomes the primary boot binary
    cp "$SHIM_SRC" "$EFI_BOOT_DIR/$EFI_BOOT_BINARY"
+    # Signed GRUB must be next to shim (shim loads it by name)
    cp "$GRUB_SIGNED_SRC" "$EFI_BOOT_DIR/$GRUB_EFI_BINARY"
-    # Named entry path — for efibootmgr-registered entries
+    # GRUB needs to find its config — create a minimal grub.cfg that chains to the real one
+    cat > "$EFI_BOOT_DIR/grub.cfg" <<'GRUBCFG'
+search.fs_uuid ${GRUB_ROOT_UUID} root
+set prefix=($root)'/boot/grub'
+configfile $prefix/grub.cfg
+GRUBCFG
+    # Replace placeholder with actual root UUID
+    ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
+    sed -i "s/\${GRUB_ROOT_UUID}/$ROOT_UUID/" "$EFI_BOOT_DIR/grub.cfg"
+
+    # Named entry path (/EFI/archipelago/) — for efibootmgr-registered entries
    mkdir -p "$EFI_ARCHY_DIR"
    cp "$SHIM_SRC" "$EFI_ARCHY_DIR/$SHIM_EFI_BINARY"
    cp "$GRUB_SIGNED_SRC" "$EFI_ARCHY_DIR/$GRUB_EFI_BINARY"
-    echo "   ✅ Secure Boot chain installed (shim + signed GRUB)"
+    cp "$EFI_BOOT_DIR/grub.cfg" "$EFI_ARCHY_DIR/grub.cfg"
+
+    echo "   ✅ Secure Boot chain installed (shim + signed GRUB + grub.cfg)"
+    echo "   EFI contents:"
+    ls -la "$EFI_BOOT_DIR/"
 else
    echo "   ⚠️  Signed shim/GRUB not found — Secure Boot machines must disable Secure Boot"
    [ ! -f "$SHIM_SRC" ] && echo "      Missing: $(basename $SHIM_SRC)"