Diffstat (limited to 'debian/patches/install-signed.patch')
-rw-r--r-- | debian/patches/install-signed.patch | 309 |
1 files changed, 309 insertions, 0 deletions
diff --git a/debian/patches/install-signed.patch b/debian/patches/install-signed.patch
new file mode 100644
index 0000000..62f315f
--- /dev/null
+++ b/debian/patches/install-signed.patch
@@ -0,0 +1,309 @@
+From 0bd31f4c7468f0b42ff6673f47112b9167c6381c Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@ubuntu.com>
+Date: Mon, 13 Jan 2014 12:13:22 +0000
+Subject: Install signed images if UEFI Secure Boot is enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Author: Stéphane Graber <stgraber@ubuntu.com>
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+Author: Linn Crosetto <linn@hpe.com>
+Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
+Forwarded: no
+Last-Update: 2023-01-15
+
+Patch-Name: install-signed.patch
+---
+ util/grub-install.c | 212 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 153 insertions(+), 59 deletions(-)
+
+Index: grub.git/util/grub-install.c
+===================================================================
+--- grub.git.orig/util/grub-install.c
++++ grub.git/util/grub-install.c
+@@ -79,6 +79,7 @@ static char *label_color;
+ static char *label_bgcolor;
+ static char *product_version;
+ static int add_rs_codes = 1;
++static int uefi_secure_boot = 1;
+ 
+ enum
+ {
+@@ -109,7 +110,9 @@ enum
+ OPTION_LABEL_FONT,
+ OPTION_LABEL_COLOR,
+ OPTION_LABEL_BGCOLOR,
+- OPTION_PRODUCT_VERSION
++ OPTION_PRODUCT_VERSION,
++ OPTION_UEFI_SECURE_BOOT,
++ OPTION_NO_UEFI_SECURE_BOOT
+ };
+ 
+ static int fs_probe = 1;
+@@ -233,6 +236,14 @@ argp_parser (int key, char *arg, struct
+ bootloader_id = xstrdup (arg);
+ return 0;
+ 
++ case OPTION_UEFI_SECURE_BOOT:
++ uefi_secure_boot = 1;
++ return 0;
++
++ case OPTION_NO_UEFI_SECURE_BOOT:
++ uefi_secure_boot = 0;
++ return 0;
++
+ case ARGP_KEY_ARG:
+ if (install_device)
+ grub_util_error ("%s", _("More than one install device?"));
+@@ -302,6 +313,14 @@ static struct argp_option options[] = {
+ {"label-color", OPTION_LABEL_COLOR, N_("COLOR"), 0, N_("use COLOR for label"), 2},
+ {"label-bgcolor", OPTION_LABEL_BGCOLOR, N_("COLOR"), 0, N_("use COLOR for label background"), 2},
+ {"product-version", OPTION_PRODUCT_VERSION, N_("STRING"), 0, N_("use STRING as product version"), 2},
++ {"uefi-secure-boot", OPTION_UEFI_SECURE_BOOT, 0, 0,
++ N_("install an image usable with UEFI Secure Boot. "
++ "This option is only available on EFI and if the grub-efi-amd64-signed "
++ "package is installed."), 2},
++ {"no-uefi-secure-boot", OPTION_NO_UEFI_SECURE_BOOT, 0, 0,
++ N_("do not install an image usable with UEFI Secure Boot, even if the "
++ "system was currently started using it. "
++ "This option is only available on EFI."), 2},
+ {0, 0, 0, 0, 0, 0}
+ };
+ 
+@@ -832,7 +851,8 @@ main (int argc, char *argv[])
+ {
+ int is_efi = 0;
+ const char *efi_distributor = NULL;
+- const char *efi_file = NULL;
++ const char *efi_suffix = NULL, *efi_suffix_upper = NULL;
++ char *efi_file = NULL;
+ char **grub_devices;
+ grub_fs_t grub_fs;
+ grub_device_t grub_dev = NULL;
+@@ -1102,6 +1122,39 @@ main (int argc, char *argv[])
+ */
+ char *t;
+ efi_distributor = bootloader_id;
++ switch (platform)
++ {
++ case GRUB_INSTALL_PLATFORM_I386_EFI:
++ efi_suffix = "ia32";
++ efi_suffix_upper = "IA32";
++ break;
++ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++ efi_suffix = "x64";
++ efi_suffix_upper = "X64";
++ break;
++ case GRUB_INSTALL_PLATFORM_IA64_EFI:
++ efi_suffix = "ia64";
++ efi_suffix_upper = "IA64";
++ break;
++ case GRUB_INSTALL_PLATFORM_ARM_EFI:
++ efi_suffix = "arm";
++ efi_suffix_upper = "ARM";
++ break;
++ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++ efi_suffix = "aa64";
++ efi_suffix_upper = "AA64";
++ break;
++ case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
++ efi_suffix = "riscv32";
++ efi_suffix_upper = "RISCV32";
++ break;
++ case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
++ efi_suffix = "riscv64";
++ efi_suffix_upper = "RISCV64";
++ break;
++ default:
++ break;
++ }
+ if (removable)
+ {
+ /* The specification makes stricter requirements of removable
+@@ -1110,66 +1163,16 @@ main (int argc, char *argv[])
+ must have a specific file name depending on the architecture.
+ */
+ efi_distributor = "BOOT";
+- switch (platform)
+- {
+- case GRUB_INSTALL_PLATFORM_I386_EFI:
+- efi_file = "BOOTIA32.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+- efi_file = "BOOTX64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_IA64_EFI:
+- efi_file = "BOOTIA64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM_EFI:
+- efi_file = "BOOTARM.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+- efi_file = "BOOTAA64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+- efi_file = "BOOTRISCV32.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+- efi_file = "BOOTRISCV64.EFI";
+- break;
+- default:
+- grub_util_error ("%s", _("You've found a bug"));
+- break;
+- }
++ if (!efi_suffix)
++ grub_util_error ("%s", _("You've found a bug"));
++ efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+ }
+ else
+ {
+ /* It is convenient for each architecture to have a different
+ efi_file, so that different versions can be installed in parallel.
+ */
+- switch (platform)
+- {
+- case GRUB_INSTALL_PLATFORM_I386_EFI:
+- efi_file = "grubia32.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+- efi_file = "grubx64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_IA64_EFI:
+- efi_file = "grubia64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM_EFI:
+- efi_file = "grubarm.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+- efi_file = "grubaa64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+- efi_file = "grubriscv32.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+- efi_file = "grubriscv64.efi";
+- break;
+- default:
+- efi_file = "grub.efi";
+- break;
+- }
++ efi_file = xasprintf ("grub%s.efi", efi_suffix);
+ }
+ t = grub_util_path_concat (3, efidir, "EFI", efi_distributor);
+ free (efidir);
+@@ -1375,14 +1378,38 @@ main (int argc, char *argv[])
+ }
+ }
+ 
+- if (!have_abstractions)
++ char *efi_signed = NULL;
++ switch (platform)
++ {
++ case GRUB_INSTALL_PLATFORM_I386_EFI:
++ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++ case GRUB_INSTALL_PLATFORM_ARM_EFI:
++ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++ case GRUB_INSTALL_PLATFORM_IA64_EFI:
++ {
++ char *dir = xasprintf ("%s-signed", grub_install_source_directory);
++ char *signed_image;
++ signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
++ efi_signed = grub_util_path_concat (2, dir, signed_image);
++ break;
++ }
++
++ default:
++ break;
++ }
++
++ if (!efi_signed || !grub_util_is_regular (efi_signed))
++ uefi_secure_boot = 0;
++
++ if (!have_abstractions || uefi_secure_boot)
+ {
+ if ((disk_module && grub_strcmp (disk_module, "biosdisk") != 0)
+ || grub_drives[1]
+ || (!install_drive
+ && platform != GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275)
+ || (install_drive && !is_same_disk (grub_drives[0], install_drive))
+- || !have_bootdev (platform))
++ || !have_bootdev (platform)
++ || uefi_secure_boot)
+ {
+ char *uuid = NULL;
+ /* generic method (used on coreboot and ata mod). */
+@@ -1927,7 +1957,72 @@ main (int argc, char *argv[])
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ {
+ char *dst = grub_util_path_concat (2, efidir, efi_file);
+- grub_install_copy_file (imgfile, dst, 1);
++ if (uefi_secure_boot)
++ {
++ char *shim_signed = NULL;
++ char *mok_signed = NULL, *mok_file = NULL;
++ char *fb_signed = NULL, *fb_file = NULL;
++ char *config_dst;
++ FILE *config_dst_f;
++
++ shim_signed = xasprintf ("/usr/lib/shim/shim%s.efi.signed", efi_suffix);
++ mok_signed = xasprintf ("mm%s.efi.signed", efi_suffix);
++ mok_file = xasprintf ("mm%s.efi", efi_suffix);
++ fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
++ fb_file = xasprintf ("fb%s.efi", efi_suffix);
++
++ if (grub_util_is_regular (shim_signed))
++ {
++ char *chained_base, *chained_dst;
++ char *mok_src, *mok_dst, *fb_src, *fb_dst;
++ if (!removable)
++ {
++ free (efi_file);
++ efi_file = xasprintf ("shim%s.efi", efi_suffix);
++ free (dst);
++ dst = grub_util_path_concat (2, efidir, efi_file);
++ }
++ grub_install_copy_file (shim_signed, dst, 1);
++ chained_base = xasprintf ("grub%s.efi", efi_suffix);
++ chained_dst = grub_util_path_concat (2, efidir, chained_base);
++ grub_install_copy_file (efi_signed, chained_dst, 1);
++ free (chained_dst);
++ free (chained_base);
++
++ /* Not critical, so not an error if they are not present (as it
++ won't be for older releases); but if we have them, make
++ sure they are installed. */
++ mok_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ mok_signed);
++ mok_dst = grub_util_path_concat (2, efidir,
++ mok_file);
++ grub_install_copy_file (mok_src,
++ mok_dst, 0);
++ free (mok_src);
++ free (mok_dst);
++
++ fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ fb_signed);
++ fb_dst = grub_util_path_concat (2, efidir,
++ fb_file);
++ if (!removable)
++ grub_install_copy_file (fb_src,
++ fb_dst, 0);
++ free (fb_src);
++ free (fb_dst);
++ }
++ else
++ grub_install_copy_file (efi_signed, dst, 1);
++
++ config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
++ grub_install_copy_file (load_cfg, config_dst, 1);
++ config_dst_f = grub_util_fopen (config_dst, "ab");
++ fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
++ fclose (config_dst_f);
++ free (config_dst);
++ }
++ else
++ grub_install_copy_file (imgfile, dst, 1);
+ 
+ grub_set_install_backup_ponr ();
+ 
|
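Review bot: In the uefi_secure_boot branch near the end of the hunk, `config_dst_f = grub_util_fopen (config_dst, "ab");` is used without a NULL check, so a failed open of grub.cfg on the ESP (a read-only or full FAT volume, for instance) passes NULL to fprintf and crashes the installer instead of reporting, and the `fclose` result is ignored although that is what confirms the appended `configfile $prefix/grub.cfg` line actually reached the ESP. I would add `if (!config_dst_f) grub_util_error (_("cannot open `%s': %s"), config_dst, strerror (errno));` after the fopen and replace the bare fclose with `if (fclose (config_dst_f) == EOF) grub_util_error (_("cannot write to `%s': %s"), config_dst, strerror (errno));`, matching how grub_util_error is already used elsewhere in this patch. Separately, shim_signed, mok_signed, mok_file, fb_signed and fb_file (and dir/signed_image in the efi_signed switch) are xasprintf results that are never freed within the hunk; harmless in a one-shot installer, but a free at the end of the block would keep ownership clear. The enclosing main() starts and ends outside this hunk.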