It was only needed for upgrades from GRUB 1.99 (now a long time ago) and
can inappropriately hide problems when /etc/grub.d/00_header should have
been updated but wasn't.
Closes: #953201
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).
Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.
Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
QUIET_BOOT is always defined: it is 1 if --enable-quiet-boot is passed
to configure, and 0 otherwise. But every CPP conditional was based on
whether it is defined or not; so the --enable-quiet-boot code paths were
in fact always enabled.
[ Philipp Hahn ]
Disallow unsigned kernels if UEFI Secure Boot is enabled
(patch by Linn Crosetto <linn@hpe.com>)
Add patch to fix lockdown mode
(patch by Luca Boccassi <bluca@debian.org>)
Repack upstream tarball without grub-core/lib/libgcrypt*/cipher/crc.c,
and provide a replacement implementation backported from more recent
versions of libgcrypt.
Closes: #745409
Add an extra option to grub-install "--force-extra-removable". On EFI
platforms, this will cause an extra copy of the grub-efi image to be
written to the appropriate removable media path
/boot/efi/EFI/BOOT/BOOT$ARCH.EFI as well. This will help with broken
UEFI implementations where the firmware does not work when configured
with new boot paths.
Also added new debconf logic to add this extra option to grub-install
calls when grub2/force_efi_extra_removable is set true. This allows
other programs like d-i / grub-installer to configure this for general
use.
Provides part of the fix for #767037
[ ijc -- included debian/po/* update ]