
If we don't have writable grubenv, recordfail doesn't work, which means our quickboot behavior - with a timeout of 0 - leaves the user without a reliable way to access the boot menu if they're on UEFI, because unlike BIOS, UEFI does not support checking the state of modifier keys (i.e. holding down shift at boot is not detectable). Handle this corner case by always using a non-zero timeout on EFI when save_env doesn't work. Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
From c11b8c616a6d06cd0d9c0f750439f12fa1c5869f Mon Sep 17 00:00:00 2001
|
|
From: Steve McIntyre <93sam@debian.org>
|
|
Date: Fri, 14 Jun 2019 16:37:11 +0100
|
|
Subject: Deal with --force-extra-removable with signed shim too
|
|
|
|
In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
|
|
and signed Grub as /EFI/BOOT/grubXXX.efi.
|
|
|
|
Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
|
|
/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
|
|
NVRAM).
|
|
|
|
[cjwatson: Refactored also_install_removable somewhat for brevity and so
|
|
that we're using consistent case-insensitive logic.]
|
|
|
|
Bug-Debian: https://bugs.debian.org/930531
|
|
Last-Update: 2019-06-14
|
|
|
|
Patch-Name: grub-install-removable-shim.patch
|
|
---
|
|
util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
|
|
1 file changed, 67 insertions(+), 17 deletions(-)
|
|
|
|
diff --git a/util/grub-install.c b/util/grub-install.c
|
|
index d66de7f8e..35d150c33 100644
|
|
--- a/util/grub-install.c
|
|
+++ b/util/grub-install.c
|
|
@@ -883,17 +883,13 @@ check_component_exists(const char *dir,
|
|
static void
|
|
also_install_removable(const char *src,
|
|
const char *base_efidir,
|
|
- const char *efi_suffix_upper)
|
|
+ const char *efi_file,
|
|
+ int is_needed)
|
|
{
|
|
- char *efi_file = NULL;
|
|
char *dst = NULL;
|
|
char *cur = NULL;
|
|
char *found = NULL;
|
|
|
|
- if (!efi_suffix_upper)
|
|
- grub_util_error ("%s", _("efi_suffix_upper not set"));
|
|
- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
|
|
-
|
|
/* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
|
|
* need to cope with case-insensitive stuff here. Build the path one
|
|
* component at a time, checking for existing matches each time. */
|
|
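Review bot: The new `efi_file` and `is_needed` parameters of also_install_removable are undocumented, and this hunk changes who owns `efi_file`: the function used to build and free the name itself and now borrows the caller's string. I would add a header comment above the definition, for example `/* Copy SRC to $base_efidir/EFI/BOOT/EFI_FILE. EFI_FILE stays owned by the caller; IS_NEEDED is passed through to grub_install_copy_file. */`. The second hunk forwards `is_needed` to grub_install_copy_file, and the call sites pass 0 only for the fallback binary, which the later comment describes as not fatal on failure. The function body continues outside this hunk.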
@@ -927,10 +923,9 @@ also_install_removable(const char *src,
|
|
cur = xstrdup (dst);
|
|
free (dst);
|
|
free (found);
|
|
- grub_install_copy_file (src, cur, 1);
|
|
+ grub_install_copy_file (src, cur, is_needed);
|
|
|
|
free (cur);
|
|
- free (efi_file);
|
|
}
|
|
|
|
int
|
|
@@ -2076,11 +2071,14 @@ main (int argc, char *argv[])
|
|
case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
|
{
|
|
char *dst = grub_util_path_concat (2, efidir, efi_file);
|
|
+ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
|
|
+
|
|
if (uefi_secure_boot)
|
|
{
|
|
char *shim_signed = NULL;
|
|
char *mok_signed = NULL, *mok_file = NULL;
|
|
char *fb_signed = NULL, *fb_file = NULL;
|
|
+ char *csv_file = NULL;
|
|
char *config_dst;
|
|
FILE *config_dst_f;
|
|
|
|
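Review bot: `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);` formats `efi_suffix_upper` with no NULL check, because the guard also_install_removable used to carry is deleted in the first hunk and not moved here. The string is now built on every install that reaches this case rather than only under `force_extra_removable`, and the `csv_file` line in the next hunk has the same dependency. Whether the suffix can be unset for a platform reaching this case is not visible in the hunk; if it can, passing NULL to `%s` is undefined. Restoring the check before the first use, `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));`, keeps the old failure mode. The enclosing case block in main starts and ends outside this hunk.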
@@ -2089,11 +2087,15 @@ main (int argc, char *argv[])
|
|
mok_file = xasprintf ("mm%s.efi", efi_suffix);
|
|
fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
|
|
fb_file = xasprintf ("fb%s.efi", efi_suffix);
|
|
+ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
|
|
+
|
|
+ /* If we have a signed shim binary, install that and all
|
|
+ its helpers in the normal vendor path */
|
|
|
|
if (grub_util_is_regular (shim_signed))
|
|
{
|
|
char *chained_base, *chained_dst;
|
|
- char *mok_src, *mok_dst, *fb_src, *fb_dst;
|
|
+ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
|
|
if (!removable)
|
|
{
|
|
free (efi_file);
|
|
@@ -2105,8 +2107,6 @@ main (int argc, char *argv[])
|
|
chained_base = xasprintf ("grub%s.efi", efi_suffix);
|
|
chained_dst = grub_util_path_concat (2, efidir, chained_base);
|
|
grub_install_copy_file (efi_signed, chained_dst, 1);
|
|
- free (chained_dst);
|
|
- free (chained_base);
|
|
|
|
/* Not critical, so not an error if they are not present (as it
|
|
won't be for older releases); but if we have them, make
|
|
@@ -2117,8 +2117,6 @@ main (int argc, char *argv[])
|
|
mok_file);
|
|
grub_install_copy_file (mok_src,
|
|
mok_dst, 0);
|
|
- free (mok_src);
|
|
- free (mok_dst);
|
|
|
|
fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
|
|
fb_signed);
|
|
@@ -2126,27 +2124,79 @@ main (int argc, char *argv[])
|
|
fb_file);
|
|
grub_install_copy_file (fb_src,
|
|
fb_dst, 0);
|
|
+
|
|
+ csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
|
|
+ csv_file);
|
|
+ csv_dst = grub_util_path_concat (2, efidir,
|
|
+ csv_file);
|
|
+ grub_install_copy_file (csv_src,
|
|
+ csv_dst, 0);
|
|
+
|
|
+ /* Install binaries into .../EFI/BOOT too:
|
|
+ the shim binary
|
|
+ the grub binary
|
|
+ the shim fallback binary (not fatal on failure) */
|
|
+ if (force_extra_removable)
|
|
+ {
|
|
+ grub_util_info ("Secure boot: installing shim and image into rm path");
|
|
+ also_install_removable (shim_signed, base_efidir, removable_file, 1);
|
|
+
|
|
+ also_install_removable (efi_signed, base_efidir, chained_base, 1);
|
|
+
|
|
+ /* If we're updating the NVRAM, add fallback too - it
|
|
+ will re-update the NVRAM later if things break */
|
|
+ if (update_nvram)
|
|
+ also_install_removable (fb_src, base_efidir, fb_file, 0);
|
|
+ }
|
|
+
|
|
+ free (chained_dst);
|
|
+ free (chained_base);
|
|
+ free (mok_src);
|
|
+ free (mok_dst);
|
|
free (fb_src);
|
|
free (fb_dst);
|
|
+ free (csv_src);
|
|
+ free (csv_dst);
|
|
}
|
|
else
|
|
- grub_install_copy_file (efi_signed, dst, 1);
|
|
+ {
|
|
+ /* Tried to install for secure boot, but no signed
|
|
+ shim found. Fall back to just installing the signed
|
|
+ grub binary */
|
|
+ grub_util_info ("Secure boot (no shim): installing signed grub binary");
|
|
+ grub_install_copy_file (efi_signed, dst, 1);
|
|
+ if (force_extra_removable)
|
|
+ {
|
|
+ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
|
|
+ also_install_removable (efi_signed, base_efidir, removable_file, 1);
|
|
+ }
|
|
+ }
|
|
|
|
+ /* In either case, install our grub.cfg */
|
|
config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
|
|
grub_install_copy_file (load_cfg, config_dst, 1);
|
|
config_dst_f = grub_util_fopen (config_dst, "ab");
|
|
fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
|
|
fclose (config_dst_f);
|
|
free (config_dst);
|
|
- if (force_extra_removable)
|
|
- also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
|
|
+
|
|
+ free (csv_file);
|
|
+ free (fb_file);
|
|
+ free (fb_signed);
|
|
+ free (mok_file);
|
|
+ free (mok_signed);
|
|
+ free (shim_signed);
|
|
}
|
|
else
|
|
{
|
|
+ /* No secure boot - just install our newly-generated image */
|
|
+ grub_util_info ("No Secure Boot: installing core image");
|
|
grub_install_copy_file (imgfile, dst, 1);
|
|
if (force_extra_removable)
|
|
- also_install_removable(imgfile, base_efidir, efi_suffix_upper);
|
|
+ also_install_removable (imgfile, base_efidir, removable_file, 1);
|
|
}
|
|
+
|
|
+ free (removable_file);
|
|
free (dst);
|
|
}
|
|
if (!removable && update_nvram)
|
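Review bot: The `force_extra_removable` block copies the signed shim, the signed GRUB and (under `update_nvram`) the fallback binary into EFI/BOOT, but not the MokManager binary that the lines above install next to shim in the vendor directory. As far as I know, shim looks for MokManager in the directory it was loaded from, so a pending MOK request handled from the removable path would find no helper there. An optional copy, `also_install_removable (mok_src, base_efidir, mok_file, 0);`, would cover it. If the omission is deliberate, the block comment listing the installed binaries should say so. main continues outside this hunk.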