diff --git a/debian/.git-dpm b/debian/.git-dpm
index bfb43d93a..50bff2d28 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-b5148a73117bceb9d831e7b53509893618bff3df
-b5148a73117bceb9d831e7b53509893618bff3df
+ec85b3d37cd12b4121a286a47e84ecb79a714df8
+ec85b3d37cd12b4121a286a47e84ecb79a714df8
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff --git a/debian/changelog b/debian/changelog
index 66e923329..24d01ba93 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -18,6 +18,10 @@ grub2 (2.02+dfsg1-11) UNRELEASED; urgency=medium
 * Include a.out header in assembly of sparc64 boot loader (closes: #921249).
+ [ Hervé Werner ]
+ * Fix setup on Secure Boot systems where cryptodisk is in use (closes:
+ #917117).
+ [ Debconf translations ]
 * [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).
diff --git a/debian/patches/series b/debian/patches/series
index f6c1d7c19..67cb70b57 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -125,3 +125,4 @@ mkimage_Align_efi_sections_on_4k_boundary.patch
 mkimage_clarify_file_alignment_efi.patch
 at-keyboard-module-init.patch
 sparc64-aout-fix.patch
+uefi-secure-boot-cryptomount.patch
diff --git a/debian/patches/uefi-secure-boot-cryptomount.patch b/debian/patches/uefi-secure-boot-cryptomount.patch
new file mode 100644
index 000000000..82923a3ff
--- /dev/null
+++ b/debian/patches/uefi-secure-boot-cryptomount.patch
@@ -0,0 +1,48 @@
+From ec85b3d37cd12b4121a286a47e84ecb79a714df8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Herv=C3=A9=20Werner?=
+Date: Mon, 28 Jan 2019 17:24:23 +0100
+Subject: Fix setup on Secure Boot systems where cryptodisk is in use
+
+On full-encrypted systems, including /boot, the current code omits
+cryptodisk commands needed to open the drives if Secure Boot is enabled.
+This prevents grub2 from reading any further configuration residing on
+the encrypted disk.
+This patch fixes this issue by adding the needed "cryptomount" commands in
+the load.cfg file that is then copied in the EFI partition.
+
+Bug-Debian: https://bugs.debian.org/917117
+Last-Update: 2019-02-10
+
+Patch-Name: uefi-secure-boot-cryptomount.patch
+---
+ util/grub-install.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 6bc96fc8f..81b648efc 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
+ || uefi_secure_boot)
+ {
+ char *uuid = NULL;
++
++ if (uefi_secure_boot && config.is_cryptodisk_enabled)
++ {
++ if (grub_dev->disk)
++ probe_cryptodisk_uuid (grub_dev->disk);
++
++ for (curdrive = grub_drives + 1; *curdrive; curdrive++)
++ {
++ grub_device_t dev = grub_device_open (*curdrive);
++ if (!dev)
++ continue;
++ if (dev->disk)
++ probe_cryptodisk_uuid (dev->disk);
++ grub_device_close (dev);
++ }
++ }
++
+ /* generic method (used on coreboot and ata mod). */
+ if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
+ &uuid))
diff --git a/util/grub-install.c b/util/grub-install.c
index 6bc96fc8f..81b648efc 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
 || uefi_secure_boot)
 {
 char *uuid = NULL;
+
+ if (uefi_secure_boot && config.is_cryptodisk_enabled)
+ {
+ if (grub_dev->disk)
+ probe_cryptodisk_uuid (grub_dev->disk);
+
+ for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+ {
+ grub_device_t dev = grub_device_open (*curdrive);
+ if (!dev)
+ continue;
+ if (dev->disk)
+ probe_cryptodisk_uuid (dev->disk);
+ grub_device_close (dev);
+ }
+ }
+
 /* generic method (used on coreboot and ata mod). */
 if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
 &uuid))
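Review bot: The added block carries no comment saying why the cryptodisk probe is repeated only under Secure Boot, so a later reader cannot tell it from a stray duplicate; the commit message has the reason, and it belongs on the code. Above `if (uefi_secure_boot && config.is_cryptodisk_enabled)` I would add `/* Secure Boot installs skip the usual cryptodisk path, so emit the cryptomount lines into load.cfg here, before the UUID search below, or an encrypted /boot cannot be found.  */`. The placement ahead of the "generic method" search is what makes the fix work, so the comment should say the order is deliberate. This hunk sits inside main, whose body starts and ends outside the hunk; if the same probe loop already exists on the non-Secure-Boot path, a small static helper taking the drive list would remove the duplication. Since the patch description says load.cfg is then copied to the EFI partition, the emitted cryptomount lines presumably live outside the signed image, which is worth a word in the same comment.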