grub2-bootloader.yml
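# Builds GRUB2 and shim from upstream sources, signs the resulting EFI
# binaries with a key generated during the run, and publishes an ESP tarball,
# an El Torito image and the certificate that has to be enrolled.
name: Build GRUB2 EFI Package for Puppy

on:
  workflow_dispatch:

# No step reads or writes the repository through the workflow token, so grant
# it no scopes at all.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential autoconf automake bison flex libtool pkg-config \
            gettext autopoint python3 rsync texinfo \
            sbsigntool openssl xorriso xz-utils mtools dosfstools liblzma-dev libfreetype-dev \
            libnss3-dev gnu-efi unifont

      - name: Build GRUB from source
        run: |
          # NOTE(review): this builds whatever the default branch points at when
          # the job runs, and the result is later signed for Secure Boot. Pin a
          # reviewed tag or commit so the signed binary is reproducible.
          git clone --depth 1 https://git.savannah.gnu.org/git/grub.git
          cd grub
          # Record the exact commit in the job log for provenance.
          git rev-parse HEAD
          ./bootstrap
          ./configure \
            --with-platform=efi \
            --target=x86_64 \
            --prefix=/ \
            --disable-werror
          make -j"$(nproc)"
          # Install to a local subdirectory to avoid permission/system issues
          make install DESTDIR="$(pwd)/output"

      - name: Create advanced early.cfg
        run: |
          # NOTE(review): the embedded config hands control to the first
          # grub.cfg it finds on any filesystem GRUB can read, and that file is
          # not covered by the signature on grubx64.efi. Confirm this is the
          # intended trust boundary for a Secure Boot build.
          cat > early.cfg << 'EOF'
          # Scan for existing configs
          for loc in /grub.cfg /boot/grub.cfg /boot/efi/grub.cfg /boot/efi/grub/grub.cfg /boot/efi/grub2/grub.cfg /grub/grub.cfg /grub2/grub.cfg; do
            search --file --set=root $loc
            if [ -f ($root)$loc ]; then
              configfile ($root)$loc
            fi
          done
          menuentry "GRUB Shell" { terminal_input console; terminal_output console }
          menuentry "Reboot" { reboot }
          menuentry "Poweroff" { halt }
          EOF

      - name: Build EFI binaries
        run: |
          GRUB_ROOT="$(pwd)/grub/output"
          MODDIR="$GRUB_ROOT/lib/grub/x86_64-efi"
          BINDIR="$GRUB_ROOT/bin"
          # NOTE(review): the SBAT generation numbers and the GRUB version below
          # are hard-coded, while the source is an unpinned clone. Check them
          # against the SBAT metadata of the commit that is actually built;
          # shim uses these generations for revocation decisions.
          cat > sbat.csv << 'EOF'
          sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md
          grub,8,GRUB,grub,2.15,https://www.gnu.org/software/grub/
          puppy,8,Puppy Linux,puppy,26.01,https://puppylinux.com/
          EOF
          cat > bootx64.csv << 'EOF'
          shimx64.efi,puppy,,This is the boot entry for puppy
          EOF
          "$BINDIR/grub-mkstandalone" \
            -O x86_64-efi \
            --compression=xz \
            --sbat sbat.csv \
            --directory="$MODDIR" \
            -o grubx64.efi \
            --modules="part_gpt part_msdos fat exfat ntfs ext2 f2fs btrfs hfsplus udf normal configfile search search_fs_file search_fs_uuid linux chain loopback iso9660 efi_gop gfxterm all_video font" \
            "boot/grub/grub.cfg=early.cfg" "boot/grub/fonts/unicode.pf2=$GRUB_ROOT/share/grub/ascii.pf2"

      - name: Build rhboot/shim and MOKManager
        run: |
          # NOTE(review): same supply-chain concern as the GRUB clone; the
          # default branch and its submodules are built unpinned and then signed.
          git clone --recursive --depth 1 https://github.com/rhboot/shim.git
          cd shim
          # Record the exact commit in the job log for provenance.
          git rev-parse HEAD
          # We define DEFAULT_LOADER to tell shim to look for grubx64.efi
          # NOTE(review): no vendor certificate is passed to this build, so shim
          # presumably accepts grubx64.efi only after puppy.cer has been
          # enrolled (firmware db or MOK) - confirm.
          make DEFAULT_LOADER=\\\\grubx64.efi
          cp mmx64.efi ../mmx64.efi
          cp shimx64.efi ../shimx64.efi
          cp fbx64.efi ../fbx64.efi

      - name: Strip EFI binaries and modules
        # Must stay before the signing step: changing a binary after it has
        # been signed invalidates its signature.
        run: |
          find . -type f -name "*.efi" -print0 | xargs -0 -I{} strip --strip-unneeded '{}'
          find grub/output/lib/grub/x86_64-efi -type f -name "*.mod" -print0 | xargs -0 -I{} strip --strip-unneeded '{}'

      - name: Generate Secure Boot keys and Certificate
        run: |
          # Generate private key and PEM cert
          # NOTE(review): a new key is created on every run and is never stored,
          # so each build ships a different certificate that must be enrolled
          # again, and the 18250-day validity is roughly 50 years. If a stable
          # signing identity is wanted, keep the key in a secret store or HSM.
          # The subshell limits the restrictive umask to the unencrypted key.
          (
            umask 077
            openssl req -new -x509 -newkey rsa:4096 \
              -keyout db.key -out db.crt -nodes -days 18250 \
              -subj "/CN=Puppy Linux Secure Boot Certificate/"
          )
          # Convert PEM to DER (.cer) for UEFI enrollment
          openssl x509 -in db.crt -outform DER -out puppy.cer
          # Log the fingerprint so the certificate can be checked out of band
          # before it is enrolled; a certificate shipped next to the binaries
          # it validates gives no independent assurance.
          openssl x509 -in db.crt -noout -fingerprint -sha256

      - name: Sign EFI
        run: |
          for efi_file in grubx64.efi mmx64.efi shimx64.efi fbx64.efi
          do
            sbsign --key db.key --cert db.crt --output "${efi_file}.signed" "$efi_file"
            # Fail the build if the signature does not verify against the cert.
            sbverify --cert db.crt "${efi_file}.signed"
          done
          # The private key is not needed by any later step; do not leave it in
          # the workspace.
          rm -f db.key

      - name: Prepare ESP layout (Modules + Fonts + Cert)
        run: |
          mkdir -p esp/EFI/BOOT/grub/fonts
          mkdir -p esp/EFI/BOOT/grub/x86_64-efi
          mkdir -p esp/keys
          # Copy Binaries
          for efi_file in grubx64.efi mmx64.efi fbx64.efi shimx64.efi
          do
            cp "${efi_file}.signed" "esp/EFI/BOOT/${efi_file}"
          done
          # Default boot
          cp shimx64.efi.signed esp/EFI/BOOT/BOOTX64.EFI
          cp bootx64.csv esp/EFI/BOOT/BOOTX64.CSV
          # Copy Certificate for easy access
          cp puppy.cer esp/keys/puppy-enroll-me.cer
          # Copy Modules and Fonts
          cp -r grub/output/lib/grub/x86_64-efi/*.mod esp/EFI/BOOT/grub/x86_64-efi/
          cp -r grub/output/lib/grub/x86_64-efi/*.lst esp/EFI/BOOT/grub/x86_64-efi/
          # Fonts stay best-effort, but a miss is reported instead of hidden.
          cp grub/output/share/grub/*.pf2 esp/EFI/BOOT/grub/fonts/ || echo "::warning::No .pf2 fonts were copied into the ESP"

      - name: Package ESP tarball
        run: tar -cJf puppy-grub-efi-pack.tar.xz -C esp .

      - name: Create El Torito image
        run: |
          dd if=/dev/zero of=efi.img bs=1M count=8
          mkfs.vfat -F32 efi.img
          mmd -i efi.img ::/EFI ::/EFI/BOOT
          for efi_file in grubx64.efi mmx64.efi fbx64.efi shimx64.efi
          do
            mcopy -i efi.img "${efi_file}.signed" "::/EFI/BOOT/${efi_file}"
          done
          # Default boot
          mcopy -i efi.img shimx64.efi.signed ::/EFI/BOOT/BOOTX64.EFI
          mcopy -i efi.img bootx64.csv ::/EFI/BOOT/BOOTX64.CSV

      - name: Upload artifacts
        # NOTE(review): v4 is a movable tag; pin the action to a full commit
        # SHA so the code that handles the signed artifacts cannot change
        # silently.
        uses: actions/upload-artifact@v4
        with:
          name: puppy-grub-build
          # A missing output should fail the run rather than publish a partial set.
          if-no-files-found: error
          path: |
            puppy-grub-efi-pack.tar.xz
            efi.img
            puppy.cer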