grub2/debian/patches/grub-install-removable-shim.patch
Steve Langasek ac32067c63 If we don't have writable grubenv and we're on EFI, always show the menu
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).

Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.

Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
2019-06-24 08:13:18 +01:00


From c11b8c616a6d06cd0d9c0f750439f12fa1c5869f Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Fri, 14 Jun 2019 16:37:11 +0100
Subject: Deal with --force-extra-removable with signed shim too
In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
and signed Grub as /EFI/BOOT/grubXXX.efi.
Also install the BOOTXXX.CSV into /EFI/debian, and - only when we are also
updating the NVRAM - FBXXX.EFI into /EFI/BOOT/, so that fallback can
re-create the boot entry when needed.
[cjwatson: Refactored also_install_removable somewhat for brevity and so
that we're using consistent case-insensitive logic.]
Bug-Debian: https://bugs.debian.org/930531
Last-Update: 2019-06-14
Patch-Name: grub-install-removable-shim.patch
---
util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
1 file changed, 67 insertions(+), 17 deletions(-)
diff --git a/util/grub-install.c b/util/grub-install.c
index d66de7f8e..35d150c33 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -883,17 +883,13 @@ check_component_exists(const char *dir,
static void
also_install_removable(const char *src,
const char *base_efidir,
- const char *efi_suffix_upper)
+ const char *efi_file,
+ int is_needed)
{
- char *efi_file = NULL;
char *dst = NULL;
char *cur = NULL;
char *found = NULL;
- if (!efi_suffix_upper)
- grub_util_error ("%s", _("efi_suffix_upper not set"));
- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
-
/* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
* need to cope with case-insensitive stuff here. Build the path one
* component at a time, checking for existing matches each time. */
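Review bot: The new `efi_file` and `is_needed` parameters are undocumented, and the `grub_util_error` guard the old `efi_suffix_upper` parameter had is dropped without a replacement, so a NULL `efi_file` would now reach the path-building code below instead of failing early. Every caller in this patch passes an xasprintf'd name, so this is a documentation point rather than a live bug. I would add above the signature: `/* Copy SRC to $base_efidir/EFI/BOOT/EFI_FILE, matching existing path components case-insensitively; IS_NEEDED is passed straight to grub_install_copy_file, so a missing SRC is presumably fatal only when it is non-zero. */`. The function body continues past the end of this hunk.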
@@ -927,10 +923,9 @@ also_install_removable(const char *src,
cur = xstrdup (dst);
free (dst);
free (found);
- grub_install_copy_file (src, cur, 1);
+ grub_install_copy_file (src, cur, is_needed);
free (cur);
- free (efi_file);
}
int
@@ -2076,11 +2071,14 @@ main (int argc, char *argv[])
case GRUB_INSTALL_PLATFORM_IA64_EFI:
{
char *dst = grub_util_path_concat (2, efidir, efi_file);
+ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+
if (uefi_secure_boot)
{
char *shim_signed = NULL;
char *mok_signed = NULL, *mok_file = NULL;
char *fb_signed = NULL, *fb_file = NULL;
+ char *csv_file = NULL;
char *config_dst;
FILE *config_dst_f;
@@ -2089,11 +2087,15 @@ main (int argc, char *argv[])
mok_file = xasprintf ("mm%s.efi", efi_suffix);
fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
fb_file = xasprintf ("fb%s.efi", efi_suffix);
+ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
+
+ /* If we have a signed shim binary, install that and all
+ its helpers in the normal vendor path */
if (grub_util_is_regular (shim_signed))
{
char *chained_base, *chained_dst;
- char *mok_src, *mok_dst, *fb_src, *fb_dst;
+ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
if (!removable)
{
free (efi_file);
@@ -2105,8 +2107,6 @@ main (int argc, char *argv[])
chained_base = xasprintf ("grub%s.efi", efi_suffix);
chained_dst = grub_util_path_concat (2, efidir, chained_base);
grub_install_copy_file (efi_signed, chained_dst, 1);
- free (chained_dst);
- free (chained_base);
/* Not critical, so not an error if they are not present (as it
won't be for older releases); but if we have them, make
@@ -2117,8 +2117,6 @@ main (int argc, char *argv[])
mok_file);
grub_install_copy_file (mok_src,
mok_dst, 0);
- free (mok_src);
- free (mok_dst);
fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
fb_signed);
@@ -2126,27 +2124,79 @@ main (int argc, char *argv[])
fb_file);
grub_install_copy_file (fb_src,
fb_dst, 0);
+
+ csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ csv_file);
+ csv_dst = grub_util_path_concat (2, efidir,
+ csv_file);
+ grub_install_copy_file (csv_src,
+ csv_dst, 0);
+
+ /* Install binaries into .../EFI/BOOT too:
+ the shim binary
+ the grub binary
+ the shim fallback binary (not fatal on failure) */
+ if (force_extra_removable)
+ {
+ grub_util_info ("Secure boot: installing shim and image into rm path");
+ also_install_removable (shim_signed, base_efidir, removable_file, 1);
+
+ also_install_removable (efi_signed, base_efidir, chained_base, 1);
+
+ /* If we're updating the NVRAM, add fallback too - it
+ will re-update the NVRAM later if things break */
+ if (update_nvram)
+ also_install_removable (fb_src, base_efidir, fb_file, 0);
+ }
+
+ free (chained_dst);
+ free (chained_base);
+ free (mok_src);
+ free (mok_dst);
free (fb_src);
free (fb_dst);
+ free (csv_src);
+ free (csv_dst);
}
else
- grub_install_copy_file (efi_signed, dst, 1);
+ {
+ /* Tried to install for secure boot, but no signed
+ shim found. Fall back to just installing the signed
+ grub binary */
+ grub_util_info ("Secure boot (no shim): installing signed grub binary");
+ grub_install_copy_file (efi_signed, dst, 1);
+ if (force_extra_removable)
+ {
+ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
+ also_install_removable (efi_signed, base_efidir, removable_file, 1);
+ }
+ }
+ /* In either case, install our grub.cfg */
config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
grub_install_copy_file (load_cfg, config_dst, 1);
config_dst_f = grub_util_fopen (config_dst, "ab");
fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
fclose (config_dst_f);
free (config_dst);
- if (force_extra_removable)
- also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
+
+ free (csv_file);
+ free (fb_file);
+ free (fb_signed);
+ free (mok_file);
+ free (mok_signed);
+ free (shim_signed);
}
else
{
+ /* No secure boot - just install our newly-generated image */
+ grub_util_info ("No Secure Boot: installing core image");
grub_install_copy_file (imgfile, dst, 1);
if (force_extra_removable)
- also_install_removable(imgfile, base_efidir, efi_suffix_upper);
+ also_install_removable (imgfile, base_efidir, removable_file, 1);
}
+
+ free (removable_file);
free (dst);
}
if (!removable && update_nvram)
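Review bot: In the `force_extra_removable` block near the top of this hunk the removable directory receives shim, grub and (with `update_nvram`) fallback, but not MokManager, even though `mok_src` is copied into the vendor path a few lines earlier. If the shim in /EFI/BOOT has to hand off to MokManager, for instance to enrol a key when `grubXXX.efi` fails verification, it will presumably look for `mmXXX.efi` beside itself and not find it; worth confirming against shim's lookup rules. If it is meant to be available there, the fix is one non-fatal line after the grub copy, `also_install_removable (mok_src, base_efidir, mok_file, 0);`, and the comment heading that block should list it. Separately, the no-shim fallback in the `else` branch announces itself only through `grub_util_info`, which is silent unless `--verbose`; a bare signed grub installed as the removable-path loader on a Secure Boot machine is likely not bootable, so `grub_util_warn` would be the more honest level for that message.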