diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/uefi-secure-boot-cryptomount.patch | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/debian/patches/uefi-secure-boot-cryptomount.patch b/debian/patches/uefi-secure-boot-cryptomount.patch new file mode 100644 index 0000000..cbef39c --- /dev/null +++ b/debian/patches/uefi-secure-boot-cryptomount.patch @@ -0,0 +1,48 @@ +From 7fd79864c87c57d586989d12c3d4a7e432b3d73a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Herv=C3=A9=20Werner?= <dud225@hotmail.com> +Date: Mon, 28 Jan 2019 17:24:23 +0100 +Subject: Fix setup on Secure Boot systems where cryptodisk is in use + +On full-encrypted systems, including /boot, the current code omits +cryptodisk commands needed to open the drives if Secure Boot is enabled. +This prevents grub2 from reading any further configuration residing on +the encrypted disk. +This patch fixes this issue by adding the needed "cryptomount" commands in +the load.cfg file that is then copied in the EFI partition. + +Bug-Debian: https://bugs.debian.org/917117 +Last-Update: 2019-02-10 + +Patch-Name: uefi-secure-boot-cryptomount.patch +--- + util/grub-install.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/util/grub-install.c b/util/grub-install.c +index b51fe4710..58f1453ba 100644 +--- a/util/grub-install.c ++++ b/util/grub-install.c +@@ -1531,6 +1531,23 @@ main (int argc, char *argv[]) + || uefi_secure_boot) + { + char *uuid = NULL; ++ ++ if (uefi_secure_boot && config.is_cryptodisk_enabled) ++ { ++ if (grub_dev->disk) ++ probe_cryptodisk_uuid (grub_dev->disk); ++ ++ for (curdrive = grub_drives + 1; *curdrive; curdrive++) ++ { ++ grub_device_t dev = grub_device_open (*curdrive); ++ if (!dev) ++ continue; ++ if (dev->disk) ++ probe_cryptodisk_uuid (dev->disk); ++ grub_device_close (dev); ++ } ++ } ++ + /* generic method (used on coreboot and ata mod). */ + if (!force_file_id + && grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid)) |