Diffstat (limited to 'debian/patches/grub-install-removable-shim.patch')
-rw-r--r--debian/patches/grub-install-removable-shim.patch195
1 files changed, 195 insertions, 0 deletions
diff --git a/debian/patches/grub-install-removable-shim.patch b/debian/patches/grub-install-removable-shim.patch
new file mode 100644
index 0000000..a384387
--- /dev/null
+++ b/debian/patches/grub-install-removable-shim.patch
@@ -0,0 +1,195 @@
+From c8351a8a7a7664dfac4de63fb6df185b2a52a346 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Fri, 14 Jun 2019 16:37:11 +0100
+Subject: Deal with --force-extra-removable with signed shim too
+
+In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
+and signed Grub as /EFI/BOOT/grubXXX.efi.
+
+Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
+/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
+NVRAM).
+
+[cjwatson: Refactored also_install_removable somewhat for brevity and so
+that we're using consistent case-insensitive logic.]
+
+Bug-Debian: https://bugs.debian.org/930531
+Last-Update: 2021-09-24
+
+Patch-Name: grub-install-removable-shim.patch
+---
+ util/grub-install.c | 83 +++++++++++++++++++++++++++++++++++----------
+ 1 file changed, 66 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 05b695226..43fc27c55 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -891,17 +891,13 @@ check_component_exists(const char *dir,
+ static void
+ also_install_removable(const char *src,
+ const char *base_efidir,
+- const char *efi_suffix_upper)
++ const char *efi_file,
++ int is_needed)
+ {
+- char *efi_file = NULL;
+ char *dst = NULL;
+ char *cur = NULL;
+ char *found = NULL;
+
+- if (!efi_suffix_upper)
+- grub_util_error ("%s", _("efi_suffix_upper not set"));
+- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+-
+ /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
+ * need to cope with case-insensitive stuff here. Build the path one
+ * component at a time, checking for existing matches each time. */
+@@ -935,10 +931,9 @@ also_install_removable(const char *src,
+ cur = xstrdup (dst);
+ free (dst);
+ free (found);
+- grub_install_copy_file (src, cur, 1);
++ grub_install_copy_file (src, cur, is_needed);
+
+ free (cur);
+- free (efi_file);
+ }
+
+ int
+@@ -2103,11 +2098,14 @@ main (int argc, char *argv[])
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ {
+ char *dst = grub_util_path_concat (2, efidir, efi_file);
++ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
++
+ if (uefi_secure_boot)
+ {
+ char *shim_signed = NULL;
+ char *mok_signed = NULL, *mok_file = NULL;
+ char *fb_signed = NULL, *fb_file = NULL;
++ char *csv_file = NULL;
+ char *config_dst;
+ FILE *config_dst_f;
+
+@@ -2116,11 +2114,15 @@ main (int argc, char *argv[])
+ mok_file = xasprintf ("mm%s.efi", efi_suffix);
+ fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
+ fb_file = xasprintf ("fb%s.efi", efi_suffix);
++ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
++
++ /* If we have a signed shim binary, install that and all
++ its helpers in the normal vendor path */
+
+ if (grub_util_is_regular (shim_signed))
+ {
+ char *chained_base, *chained_dst;
+- char *mok_src, *mok_dst, *fb_src, *fb_dst;
++ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
+ if (!removable)
+ {
+ free (efi_file);
+@@ -2132,8 +2134,6 @@ main (int argc, char *argv[])
+ chained_base = xasprintf ("grub%s.efi", efi_suffix);
+ chained_dst = grub_util_path_concat (2, efidir, chained_base);
+ grub_install_copy_file (efi_signed, chained_dst, 1);
+- free (chained_dst);
+- free (chained_base);
+
+ /* Not critical, so not an error if they are not present (as it
+ won't be for older releases); but if we have them, make
+@@ -2144,8 +2144,6 @@ main (int argc, char *argv[])
+ mok_file);
+ grub_install_copy_file (mok_src,
+ mok_dst, 0);
+- free (mok_src);
+- free (mok_dst);
+
+ fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ fb_signed);
+@@ -2153,30 +2151,81 @@ main (int argc, char *argv[])
+ fb_file);
+ grub_install_copy_file (fb_src,
+ fb_dst, 0);
++
++ csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ csv_file);
++ csv_dst = grub_util_path_concat (2, efidir,
++ csv_file);
++ grub_install_copy_file (csv_src,
++ csv_dst, 0);
++
++ /* Install binaries into .../EFI/BOOT too:
++ the shim binary
++ the grub binary
++ the shim fallback binary (not fatal on failure) */
++ if (force_extra_removable)
++ {
++ grub_util_info ("Secure boot: installing shim and image into rm path");
++ also_install_removable (shim_signed, base_efidir, removable_file, 1);
++
++ also_install_removable (efi_signed, base_efidir, chained_base, 1);
++
++ /* If we're updating the NVRAM, add fallback too - it
++ will re-update the NVRAM later if things break */
++ if (update_nvram)
++ also_install_removable (fb_src, base_efidir, fb_file, 0);
++ }
++
++ free (chained_dst);
++ free (chained_base);
++ free (mok_src);
++ free (mok_dst);
+ free (fb_src);
+ free (fb_dst);
++ free (csv_src);
++ free (csv_dst);
+ }
+ else
+- grub_install_copy_file (efi_signed, dst, 1);
++ {
++ /* Tried to install for secure boot, but no signed
++ shim found. Fall back to just installing the signed
++ grub binary */
++ grub_util_info ("Secure boot (no shim): installing signed grub binary");
++ grub_install_copy_file (efi_signed, dst, 1);
++ if (force_extra_removable)
++ {
++ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
++ also_install_removable (efi_signed, base_efidir, removable_file, 1);
++ }
++ }
+
++ /* In either case, install our grub.cfg */
+ config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ grub_install_copy_file (load_cfg, config_dst, 1);
+ config_dst_f = grub_util_fopen (config_dst, "ab");
+ fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
+ fclose (config_dst_f);
+ free (config_dst);
+- if (force_extra_removable)
+- also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
++
++ free (csv_file);
++ free (fb_file);
++ free (fb_signed);
++ free (mok_file);
++ free (mok_signed);
++ free (shim_signed);
+ }
+ else
+ {
++ /* No secure boot - just install our newly-generated image */
++ grub_util_info ("No Secure Boot: installing core image");
+ grub_install_copy_file (imgfile, dst, 1);
+ if (force_extra_removable)
+- also_install_removable(imgfile, base_efidir, efi_suffix_upper);
++ also_install_removable (imgfile, base_efidir, removable_file, 1);
+ }
+
+ grub_set_install_backup_ponr ();
+
++ free (removable_file);
+ free (dst);
+ }
+ if (!removable && update_nvram)
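Review bot: The inner util/grub-install.c change drops the `if (!efi_suffix_upper) grub_util_error (...)` guard from also_install_removable(), yet main() now formats `efi_suffix_upper` with `%s` in two new places without any check: `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper)` and `csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper)`. If the suffix were ever unset for one of these EFI platforms, NULL would be passed to `%s`, which is undefined behaviour and with glibc typically yields a file literally named `BOOT(null).EFI`. On the Secure Boot path that would likely leave the removable-media location without a loader the firmware can find, and nothing would fail loudly. I would keep the old guard ahead of the first use: `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));`. Whether the suffix can actually be NULL here depends on code outside these hunks, since main() and the platform switch begin and end beyond the visible context.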