summaryrefslogtreecommitdiffstats
path: root/debian/patches/install-signed.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/install-signed.patch')
-rw-r--r--debian/patches/install-signed.patch309
1 files changed, 309 insertions, 0 deletions
diff --git a/debian/patches/install-signed.patch b/debian/patches/install-signed.patch
new file mode 100644
index 0000000..62f315f
--- /dev/null
+++ b/debian/patches/install-signed.patch
@@ -0,0 +1,309 @@
+From 0bd31f4c7468f0b42ff6673f47112b9167c6381c Mon Sep 17 00:00:00 2001
+From: Colin Watson <cjwatson@ubuntu.com>
+Date: Mon, 13 Jan 2014 12:13:22 +0000
+Subject: Install signed images if UEFI Secure Boot is enabled
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Author: Stéphane Graber <stgraber@ubuntu.com>
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+Author: Linn Crosetto <linn@hpe.com>
+Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
+Forwarded: no
+Last-Update: 2023-01-15
+
+Patch-Name: install-signed.patch
+---
+ util/grub-install.c | 212 ++++++++++++++++++++++++++++++++------------
+ 1 file changed, 153 insertions(+), 59 deletions(-)
+
+Index: grub.git/util/grub-install.c
+===================================================================
+--- grub.git.orig/util/grub-install.c
++++ grub.git/util/grub-install.c
+@@ -79,6 +79,7 @@ static char *label_color;
+ static char *label_bgcolor;
+ static char *product_version;
+ static int add_rs_codes = 1;
++static int uefi_secure_boot = 1;
+
+ enum
+ {
+@@ -109,7 +110,9 @@ enum
+ OPTION_LABEL_FONT,
+ OPTION_LABEL_COLOR,
+ OPTION_LABEL_BGCOLOR,
+- OPTION_PRODUCT_VERSION
++ OPTION_PRODUCT_VERSION,
++ OPTION_UEFI_SECURE_BOOT,
++ OPTION_NO_UEFI_SECURE_BOOT
+ };
+
+ static int fs_probe = 1;
+@@ -233,6 +236,14 @@ argp_parser (int key, char *arg, struct
+ bootloader_id = xstrdup (arg);
+ return 0;
+
++ case OPTION_UEFI_SECURE_BOOT:
++ uefi_secure_boot = 1;
++ return 0;
++
++ case OPTION_NO_UEFI_SECURE_BOOT:
++ uefi_secure_boot = 0;
++ return 0;
++
+ case ARGP_KEY_ARG:
+ if (install_device)
+ grub_util_error ("%s", _("More than one install device?"));
+@@ -302,6 +313,14 @@ static struct argp_option options[] = {
+ {"label-color", OPTION_LABEL_COLOR, N_("COLOR"), 0, N_("use COLOR for label"), 2},
+ {"label-bgcolor", OPTION_LABEL_BGCOLOR, N_("COLOR"), 0, N_("use COLOR for label background"), 2},
+ {"product-version", OPTION_PRODUCT_VERSION, N_("STRING"), 0, N_("use STRING as product version"), 2},
++ {"uefi-secure-boot", OPTION_UEFI_SECURE_BOOT, 0, 0,
++ N_("install an image usable with UEFI Secure Boot. "
++ "This option is only available on EFI and if the grub-efi-amd64-signed "
++ "package is installed."), 2},
++ {"no-uefi-secure-boot", OPTION_NO_UEFI_SECURE_BOOT, 0, 0,
++ N_("do not install an image usable with UEFI Secure Boot, even if the "
++ "system was currently started using it. "
++ "This option is only available on EFI."), 2},
+ {0, 0, 0, 0, 0, 0}
+ };
+
+@@ -832,7 +851,8 @@ main (int argc, char *argv[])
+ {
+ int is_efi = 0;
+ const char *efi_distributor = NULL;
+- const char *efi_file = NULL;
++ const char *efi_suffix = NULL, *efi_suffix_upper = NULL;
++ char *efi_file = NULL;
+ char **grub_devices;
+ grub_fs_t grub_fs;
+ grub_device_t grub_dev = NULL;
+@@ -1102,6 +1122,39 @@ main (int argc, char *argv[])
+ */
+ char *t;
+ efi_distributor = bootloader_id;
++ switch (platform)
++ {
++ case GRUB_INSTALL_PLATFORM_I386_EFI:
++ efi_suffix = "ia32";
++ efi_suffix_upper = "IA32";
++ break;
++ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++ efi_suffix = "x64";
++ efi_suffix_upper = "X64";
++ break;
++ case GRUB_INSTALL_PLATFORM_IA64_EFI:
++ efi_suffix = "ia64";
++ efi_suffix_upper = "IA64";
++ break;
++ case GRUB_INSTALL_PLATFORM_ARM_EFI:
++ efi_suffix = "arm";
++ efi_suffix_upper = "ARM";
++ break;
++ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++ efi_suffix = "aa64";
++ efi_suffix_upper = "AA64";
++ break;
++ case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
++ efi_suffix = "riscv32";
++ efi_suffix_upper = "RISCV32";
++ break;
++ case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
++ efi_suffix = "riscv64";
++ efi_suffix_upper = "RISCV64";
++ break;
++ default:
++ break;
++ }
+ if (removable)
+ {
+ /* The specification makes stricter requirements of removable
+@@ -1110,66 +1163,16 @@ main (int argc, char *argv[])
+ must have a specific file name depending on the architecture.
+ */
+ efi_distributor = "BOOT";
+- switch (platform)
+- {
+- case GRUB_INSTALL_PLATFORM_I386_EFI:
+- efi_file = "BOOTIA32.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+- efi_file = "BOOTX64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_IA64_EFI:
+- efi_file = "BOOTIA64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM_EFI:
+- efi_file = "BOOTARM.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+- efi_file = "BOOTAA64.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+- efi_file = "BOOTRISCV32.EFI";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+- efi_file = "BOOTRISCV64.EFI";
+- break;
+- default:
+- grub_util_error ("%s", _("You've found a bug"));
+- break;
+- }
++ if (!efi_suffix)
++ grub_util_error ("%s", _("You've found a bug"));
++ efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+ }
+ else
+ {
+ /* It is convenient for each architecture to have a different
+ efi_file, so that different versions can be installed in parallel.
+ */
+- switch (platform)
+- {
+- case GRUB_INSTALL_PLATFORM_I386_EFI:
+- efi_file = "grubia32.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+- efi_file = "grubx64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_IA64_EFI:
+- efi_file = "grubia64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM_EFI:
+- efi_file = "grubarm.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+- efi_file = "grubaa64.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
+- efi_file = "grubriscv32.efi";
+- break;
+- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
+- efi_file = "grubriscv64.efi";
+- break;
+- default:
+- efi_file = "grub.efi";
+- break;
+- }
++ efi_file = xasprintf ("grub%s.efi", efi_suffix);
+ }
+ t = grub_util_path_concat (3, efidir, "EFI", efi_distributor);
+ free (efidir);
+@@ -1375,14 +1378,38 @@ main (int argc, char *argv[])
+ }
+ }
+
+- if (!have_abstractions)
++ char *efi_signed = NULL;
++ switch (platform)
++ {
++ case GRUB_INSTALL_PLATFORM_I386_EFI:
++ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
++ case GRUB_INSTALL_PLATFORM_ARM_EFI:
++ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
++ case GRUB_INSTALL_PLATFORM_IA64_EFI:
++ {
++ char *dir = xasprintf ("%s-signed", grub_install_source_directory);
++ char *signed_image;
++ signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
++ efi_signed = grub_util_path_concat (2, dir, signed_image);
++ break;
++ }
++
++ default:
++ break;
++ }
++
++ if (!efi_signed || !grub_util_is_regular (efi_signed))
++ uefi_secure_boot = 0;
++
++ if (!have_abstractions || uefi_secure_boot)
+ {
+ if ((disk_module && grub_strcmp (disk_module, "biosdisk") != 0)
+ || grub_drives[1]
+ || (!install_drive
+ && platform != GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275)
+ || (install_drive && !is_same_disk (grub_drives[0], install_drive))
+- || !have_bootdev (platform))
++ || !have_bootdev (platform)
++ || uefi_secure_boot)
+ {
+ char *uuid = NULL;
+ /* generic method (used on coreboot and ata mod). */
+@@ -1927,7 +1957,72 @@ main (int argc, char *argv[])
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ {
+ char *dst = grub_util_path_concat (2, efidir, efi_file);
+- grub_install_copy_file (imgfile, dst, 1);
++ if (uefi_secure_boot)
++ {
++ char *shim_signed = NULL;
++ char *mok_signed = NULL, *mok_file = NULL;
++ char *fb_signed = NULL, *fb_file = NULL;
++ char *config_dst;
++ FILE *config_dst_f;
++
++ shim_signed = xasprintf ("/usr/lib/shim/shim%s.efi.signed", efi_suffix);
++ mok_signed = xasprintf ("mm%s.efi.signed", efi_suffix);
++ mok_file = xasprintf ("mm%s.efi", efi_suffix);
++ fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
++ fb_file = xasprintf ("fb%s.efi", efi_suffix);
++
++ if (grub_util_is_regular (shim_signed))
++ {
++ char *chained_base, *chained_dst;
++ char *mok_src, *mok_dst, *fb_src, *fb_dst;
++ if (!removable)
++ {
++ free (efi_file);
++ efi_file = xasprintf ("shim%s.efi", efi_suffix);
++ free (dst);
++ dst = grub_util_path_concat (2, efidir, efi_file);
++ }
++ grub_install_copy_file (shim_signed, dst, 1);
++ chained_base = xasprintf ("grub%s.efi", efi_suffix);
++ chained_dst = grub_util_path_concat (2, efidir, chained_base);
++ grub_install_copy_file (efi_signed, chained_dst, 1);
++ free (chained_dst);
++ free (chained_base);
++
++ /* Not critical, so not an error if they are not present (as it
++ won't be for older releases); but if we have them, make
++ sure they are installed. */
++ mok_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ mok_signed);
++ mok_dst = grub_util_path_concat (2, efidir,
++ mok_file);
++ grub_install_copy_file (mok_src,
++ mok_dst, 0);
++ free (mok_src);
++ free (mok_dst);
++
++ fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ fb_signed);
++ fb_dst = grub_util_path_concat (2, efidir,
++ fb_file);
++ if (!removable)
++ grub_install_copy_file (fb_src,
++ fb_dst, 0);
++ free (fb_src);
++ free (fb_dst);
++ }
++ else
++ grub_install_copy_file (efi_signed, dst, 1);
++
++ config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
++ grub_install_copy_file (load_cfg, config_dst, 1);
++ config_dst_f = grub_util_fopen (config_dst, "ab");
++ fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
++ fclose (config_dst_f);
++ free (config_dst);
++ }
++ else
++ grub_install_copy_file (imgfile, dst, 1);
+
+ grub_set_install_backup_ponr ();
+