Fix setup on Secure Boot systems where cryptodisk is in use

2025-10-22 17:12:13 +00:00 · 2019-02-10 11:31:07 +00:00 · 2019-02-10 11:31:07 +00:00 · d65bf6c55b
commit d65bf6c55b
parent e86e85d2b8 ec85b3d37c
5 changed files with 72 additions and 2 deletions
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-b5148a73117bceb9d831e7b53509893618bff3df
-b5148a73117bceb9d831e7b53509893618bff3df
+ec85b3d37cd12b4121a286a47e84ecb79a714df8
+ec85b3d37cd12b4121a286a47e84ecb79a714df8
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
--- a/debian/changelog
+++ b/debian/changelog
@ -18,6 +18,10 @@ grub2 (2.02+dfsg1-11) UNRELEASED; urgency=medium
  * Include a.out header in assembly of sparc64 boot loader (closes:
    #921249).

+  [ Hervé Werner ]
+  * Fix setup on Secure Boot systems where cryptodisk is in use (closes:
+    #917117).
+
  [ Debconf translations ]
  * [de] German (Helge Kreutzmann and Holger Wansing; closes: #921018).

--- a/debian/patches/series
+++ b/debian/patches/series
@ -125,3 +125,4 @@ mkimage_Align_efi_sections_on_4k_boundary.patch
 mkimage_clarify_file_alignment_efi.patch
 at-keyboard-module-init.patch
 sparc64-aout-fix.patch
+uefi-secure-boot-cryptomount.patch
--- a/debian/patches/uefi-secure-boot-cryptomount.patch
+++ b/debian/patches/uefi-secure-boot-cryptomount.patch
@ -0,0 +1,48 @@
+From ec85b3d37cd12b4121a286a47e84ecb79a714df8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Herv=C3=A9=20Werner?= <dud225@hotmail.com>
+Date: Mon, 28 Jan 2019 17:24:23 +0100
+Subject: Fix setup on Secure Boot systems where cryptodisk is in use
+
+On full-encrypted systems, including /boot, the current code omits
+cryptodisk commands needed to open the drives if Secure Boot is enabled.
+This prevents grub2 from reading any further configuration residing on
+the encrypted disk.
+This patch fixes this issue by adding the needed "cryptomount" commands in
+the load.cfg file that is then copied in the EFI partition.
+
+Bug-Debian: https://bugs.debian.org/917117
+Last-Update: 2019-02-10
+
+Patch-Name: uefi-secure-boot-cryptomount.patch
+---
+ util/grub-install.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 6bc96fc8f..81b648efc 100644
+--- a/util/grub-install.c
+++ b/util/grub-install.c
+@@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
+ 	  || uefi_secure_boot)
+ 	{
+ 	  char *uuid = NULL;
+
+	  if (uefi_secure_boot && config.is_cryptodisk_enabled)
+	    {
+	      if (grub_dev->disk)
+		probe_cryptodisk_uuid (grub_dev->disk);
+
+	      for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+		{
+		  grub_device_t dev = grub_device_open (*curdrive);
+		  if (!dev)
+		    continue;
+		  if (dev->disk)
+		    probe_cryptodisk_uuid (dev->disk);
+		  grub_device_close (dev);
+		}
+	    }
+
+ 	  /*  generic method (used on coreboot and ata mod).  */
+ 	  if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
+ 								&uuid))
--- a/util/grub-install.c
+++ b/util/grub-install.c
@ -1502,6 +1502,23 @@ main (int argc, char *argv[])
 	  || uefi_secure_boot)
 	{
 	  char *uuid = NULL;
+
+	  if (uefi_secure_boot && config.is_cryptodisk_enabled)
+	    {
+	      if (grub_dev->disk)
+		probe_cryptodisk_uuid (grub_dev->disk);
+
+	      for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+		{
+		  grub_device_t dev = grub_device_open (*curdrive);
+		  if (!dev)
+		    continue;
+		  if (dev->disk)
+		    probe_cryptodisk_uuid (dev->disk);
+		  grub_device_close (dev);
+		}
+	    }
+
 	  /*  generic method (used on coreboot and ata mod).  */
 	  if (!force_file_id && grub_fs->uuid && grub_fs->uuid (grub_dev,
 								&uuid))