Fix setup on Secure Boot systems where cryptodisk is in use

Colin Watson 2019-02-10 11:31:07 +00:00
commit d65bf6c55b
5 changed files with 72 additions and 2 deletions

4
debian/.git-dpm vendored

@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package # see git-dpm(1) from git-dpm package
b5148a73117bceb9d831e7b53509893618bff3df ec85b3d37cd12b4121a286a47e84ecb79a714df8
b5148a73117bceb9d831e7b53509893618bff3df ec85b3d37cd12b4121a286a47e84ecb79a714df8
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
grub2_2.02+dfsg1.orig.tar.xz grub2_2.02+dfsg1.orig.tar.xz

4
debian/changelog vendored

@ -18,6 +18,10 @@ grub2 (2.02+dfsg1-11) UNRELEASED; urgency=medium
* Include a.out header in assembly of sparc64 boot loader (closes: * Include a.out header in assembly of sparc64 boot loader (closes:
#921249). #921249).
[ Hervé Werner ]
* Fix setup on Secure Boot systems where cryptodisk is in use (closes:
#917117).
[ Debconf translations ] [ Debconf translations ]
* [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018). * [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).


@ -125,3 +125,4 @@ mkimage_Align_efi_sections_on_4k_boundary.patch
mkimage_clarify_file_alignment_efi.patch mkimage_clarify_file_alignment_efi.patch
at-keyboard-module-init.patch at-keyboard-module-init.patch
sparc64-aout-fix.patch sparc64-aout-fix.patch
uefi-secure-boot-cryptomount.patch


@ -0,0 +1,48 @@
From ec85b3d37cd12b4121a286a47e84ecb79a714df8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Herv=C3=A9=20Werner?= <dud225@hotmail.com>
Date: Mon, 28 Jan 2019 17:24:23 +0100
Subject: Fix setup on Secure Boot systems where cryptodisk is in use
On full-encrypted systems, including /boot, the current code omits
cryptodisk commands needed to open the drives if Secure Boot is enabled.
This prevents grub2 from reading any further configuration residing on
the encrypted disk.
This patch fixes this issue by adding the needed "cryptomount" commands in
the load.cfg file that is then copied in the EFI partition.
Bug-Debian: https://bugs.debian.org/917117
Last-Update: 2019-02-10
Patch-Name: uefi-secure-boot-cryptomount.patch
---
util/grub-install.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/util/grub-install.c b/util/grub-install.c
index 6bc96fc8f..81b648efc 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
|| uefi_secure_boot)
{
char *uuid = NULL;
+
+ if (uefi_secure_boot && config.is_cryptodisk_enabled)
+ {
+ if (grub_dev->disk)
+ probe_cryptodisk_uuid (grub_dev->disk);
+
+ for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+ {
+ grub_device_t dev = grub_device_open (*curdrive);
+ if (!dev)
+ continue;
+ if (dev->disk)
+ probe_cryptodisk_uuid (dev->disk);
+ grub_device_close (dev);
+ }
+ }
+
/* generic method (used on coreboot and ata mod). */
if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
&uuid))
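Review bot: In the added loop, a drive for which `grub_device_open (*curdrive)` fails is skipped with a bare `continue`, so on a Secure Boot install with an encrypted /boot its `cryptomount` line could be silently missing from load.cfg, and the failure would only show up at the next boot. I would report it before skipping, e.g. `grub_util_warn ("%s", grub_errmsg);` followed by `grub_errno = GRUB_ERR_NONE;`, so the operator sees which drive was skipped and a stale error does not carry into the later calls. A short comment on why the loop starts at `grub_drives + 1` would also help; presumably the first entry is the device already probed through `grub_dev`, but that is not visible here. The same hunk appears again in the rendered util/grub-install.c section further down; `main` starts and ends outside the hunk, and `probe_cryptodisk_uuid` is defined elsewhere.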


@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
|| uefi_secure_boot) || uefi_secure_boot)
{ {
char *uuid = NULL; char *uuid = NULL;
if (uefi_secure_boot && config.is_cryptodisk_enabled)
{
if (grub_dev->disk)
probe_cryptodisk_uuid (grub_dev->disk);
for (curdrive = grub_drives + 1; *curdrive; curdrive++)
{
grub_device_t dev = grub_device_open (*curdrive);
if (!dev)
continue;
if (dev->disk)
probe_cryptodisk_uuid (dev->disk);
grub_device_close (dev);
}
}
/* generic method (used on coreboot and ata mod). */ /* generic method (used on coreboot and ata mod). */
if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev, if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
&uuid)) &uuid))