Generate configuration for signed UEFI kernels if available

Forwarded: no
Last-Update: 2013-12-25

Patch-Name: mkconfig-signed-kernel.patch

diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index fd87a124dd72528592717e9c7aecc6c375dd0723..61335e908e56b6a25b9d5a3e96623aba334aa278 100644 (file)
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -161,8 +161,16 @@ linux_entry ()
   message="$(gettext_printf "Loading Linux %s ..." ${version})"
   sed "s/^/$submenu_indentation/" << EOF
        echo    '$(echo "$message" | grub_quote)'
+EOF
+  if test -d /sys/firmware/efi && test -e "${linux}.efi.signed"; then
+    sed "s/^/$submenu_indentation/" << EOF
+       linux   ${rel_dirname}/${basename}.efi.signed root=${linux_root_device_thisversion} ro ${args}
+EOF
+  else
+    sed "s/^/$submenu_indentation/" << EOF
        linux   ${rel_dirname}/${basename} root=${linux_root_device_thisversion} ro ${args}
 EOF
+  fi
   if test -n "${initrd}" ; then
     # TRANSLATORS: ramdisk isn't identifier. Should be translated.
     message="$(gettext_printf "Loading initial ramdisk ...")"
@@ -214,6 +222,13 @@ submenu_indentation=""
 is_top_level=true
 while [ "x$list" != "x" ] ; do
   linux=`version_find_latest $list`
+  case $linux in
+    *.efi.signed)
+      # We handle these in linux_entry.
+      list=`echo $list | tr ' ' '\n' | grep -vx $linux | tr '\n' ' '`
+      continue
+      ;;
+  esac
   gettext_printf "Found linux image: %s\n" "$linux" >&2
   basename=`basename $linux`
   dirname=`dirname $linux`