From 17924c73d7acbb9490d53ce97023b0b3ce415166 Mon Sep 17 00:00:00 2001 From: Dorian Date: Wed, 25 Mar 2026 19:25:55 +0000 Subject: [PATCH] fix: EFI Secure Boot chain with grub.cfg, fix non-free-firmware repo MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit EFI boot fix: - Shim needs grub.cfg in same directory to find the root partition - Create minimal grub.cfg in /EFI/BOOT/ that chains to /boot/grub/grub.cfg - Preserve unsigned GRUB as fallback for non-Secure-Boot systems - Copy full chain to both /EFI/BOOT/ and /EFI/archipelago/ paths - Log EFI directory contents for debugging Firmware fix: - DEB822 format sed was wrong — fix Components line replacement - Add fallback sources.list entry to guarantee non-free-firmware repo - Ensures firmware-realtek, intel-microcode actually get installed Co-Authored-By: Claude Opus 4.6 (1M context)
---
 image-recipe/build-auto-installer-iso.sh | 42 +++++++++++++++++++-----
 1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/image-recipe/build-auto-installer-iso.sh b/image-recipe/build-auto-installer-iso.sh
index 5206b282..11560c1f 100755
--- a/image-recipe/build-auto-installer-iso.sh
+++ b/image-recipe/build-auto-installer-iso.sh
@@ -203,9 +203,13 @@ FROM debian:bookworm
 ENV DEBIAN_FRONTEND=noninteractive
 # Enable non-free-firmware repo for hardware firmware (Realtek NIC, Intel WiFi, etc.)
-RUN sed -i 's/^deb \(.*\) bookworm \(.*\)/deb \1 bookworm \2 non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
- sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources 2>/dev/null || \
- echo "deb http://deb.debian.org/debian bookworm main non-free-firmware" >> /etc/apt/sources.list
+# Bookworm Docker uses DEB822 format in /etc/apt/sources.list.d/debian.sources
+RUN if [ -f /etc/apt/sources.list.d/debian.sources ]; then \
+ sed -i 's/^Components: main$/Components: main non-free-firmware/' /etc/apt/sources.list.d/debian.sources; \
+ elif [ -f /etc/apt/sources.list ]; then \
+ sed -i 's/bookworm main$/bookworm main non-free-firmware/' /etc/apt/sources.list; \
+ fi && \
+ echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list
 # Install all packages we need including nginx, podman, tor, and openssl (for self-signed certs)
 RUN apt-get update && apt-get install -y \
@@ -1460,9 +1464,9 @@ else
 fi
 fi
-# Secure Boot chain: replace unsigned GRUB with signed shim+grub for Secure Boot compatibility
-# Framework laptops and other Secure Boot-enabled machines need this chain:
-# BOOTX64.EFI (shimx64, Microsoft-signed) → grubx64.efi (Debian-signed) → kernel
+# Secure Boot chain: set up shim+signed-grub alongside unsigned GRUB for maximum compatibility
+# Boot chain: BOOTX64.EFI (shim) → grubx64.efi (signed GRUB) → grub.cfg → kernel
+# Non-Secure-Boot: falls through shim to grubx64.efi which finds grub.cfg
 echo " Setting up Secure Boot chain..."
 if [ "$ARCH" = "x86_64" ]; then
 SHIM_SRC="/mnt/target/usr/lib/shim/shimx64.efi.signed"
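Review bot: The `echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list` on the last added line of the RUN runs unconditionally, so on the image this comment says is expected (DEB822 file present, sed matches) the same suite/component ends up configured in both debian.sources and sources.list, and every `apt-get update` emits the "target is configured multiple times" warning. Making the append the `else` branch of the new `if` keeps the guarantee the commit message wants without the duplicate: `else \` / `    echo "deb http://deb.debian.org/debian bookworm non-free-firmware" >> /etc/apt/sources.list; \` / `fi`. Separately, `sed -i` exits 0 whether or not the pattern matched, so the DEB822 branch still cannot tell a fixed file from a missed one; a `grep -q non-free-firmware /etc/apt/sources.list.d/debian.sources` after the sed would turn that silent miss into a build failure, which is what the firmware packages listed in the message depend on.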
@@ -1480,15 +1484,35 @@ fi
 EFI_BOOT_DIR="/mnt/target/boot/efi/EFI/BOOT"
 EFI_ARCHY_DIR="/mnt/target/boot/efi/EFI/archipelago"
 if [ -f "$SHIM_SRC" ] && [ -f "$GRUB_SIGNED_SRC" ]; then
- # Fallback path — what UEFI firmware checks when no boot entry exists
+ # Fallback path (/EFI/BOOT/) — what UEFI firmware checks when no boot entry exists
 mkdir -p "$EFI_BOOT_DIR"
+ # Save the unsigned GRUB that grub-install created (works without Secure Boot)
+ if [ -f "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" ]; then
+ cp "$EFI_BOOT_DIR/$EFI_BOOT_BINARY" "$EFI_BOOT_DIR/grub_unsigned.efi"
+ fi
+ # Shim becomes the primary boot binary
 cp "$SHIM_SRC" "$EFI_BOOT_DIR/$EFI_BOOT_BINARY"
+ # Signed GRUB must be next to shim (shim loads it by name)
 cp "$GRUB_SIGNED_SRC" "$EFI_BOOT_DIR/$GRUB_EFI_BINARY"
- # Named entry path — for efibootmgr-registered entries
+ # GRUB needs to find its config — create a minimal grub.cfg that chains to the real one
+ cat > "$EFI_BOOT_DIR/grub.cfg" <<'GRUBCFG'
+search.fs_uuid ${GRUB_ROOT_UUID} root
+set prefix=($root)'/boot/grub'
+configfile $prefix/grub.cfg
+GRUBCFG
+ # Replace placeholder with actual root UUID
+ ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")
+ sed -i "s/\${GRUB_ROOT_UUID}/$ROOT_UUID/" "$EFI_BOOT_DIR/grub.cfg"
+
+ # Named entry path (/EFI/archipelago/) — for efibootmgr-registered entries
 mkdir -p "$EFI_ARCHY_DIR"
 cp "$SHIM_SRC" "$EFI_ARCHY_DIR/$SHIM_EFI_BINARY"
 cp "$GRUB_SIGNED_SRC" "$EFI_ARCHY_DIR/$GRUB_EFI_BINARY"
- echo " ✅ Secure Boot chain installed (shim + signed GRUB)"
+ cp "$EFI_BOOT_DIR/grub.cfg" "$EFI_ARCHY_DIR/grub.cfg"
+
+ echo " ✅ Secure Boot chain installed (shim + signed GRUB + grub.cfg)"
+ echo " EFI contents:"
+ ls -la "$EFI_BOOT_DIR/"
 else
 echo " ⚠️ Signed shim/GRUB not found — Secure Boot machines must disable Secure Boot"
 [ ! -f "$SHIM_SRC" ] && echo " Missing: $(basename $SHIM_SRC)"
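Review bot: `ROOT_UUID=$(blkid -s UUID -o value "$ROOT_PART")` is fed straight into the sed on the next line with no check that it is non-empty; if blkid fails or prints nothing, the first line of the new grub.cfg becomes `search.fs_uuid  root`, `$root` is never set, the chained `configfile` cannot be found, and the build still prints the ✅ line, so the first sign of trouble is a GRUB prompt on the installed machine. Guard it before the sed: `[ -n "$ROOT_UUID" ] || { echo "  ❌ Cannot read UUID of $ROOT_PART" >&2; exit 1; }`. The placeholder-plus-sed step can also be dropped by using an unquoted heredoc (`<<GRUBCFG`) that expands `$ROOT_UUID` directly, with `\$root` and `\$prefix` escaped so they stay literal for GRUB. `grub_unsigned.efi` is saved but nothing in the hunk references it, so as far as this diff shows it is only a manual-recovery artefact; the comment above the `cp` should say so rather than imply it takes part in the boot chain. The enclosing `if [ "$ARCH" = "x86_64" ]` opens in the previous hunk and both its `fi` and the `fi` for `if [ -f "$SHIM_SRC" ] ...` fall outside this one.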