grub2/debian/patches/uefi-secure-boot-cryptomount.patch
Steve Langasek ac32067c63 If we don't have writable grubenv and we're on EFI, always show the menu
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).

Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.

Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
2019-06-24 08:13:18 +01:00

From 467a98b72ec7afe3c234b95cae4841386b9a714f Mon Sep 17 00:00:00 2001
From: Hervé Werner <dud225@hotmail.com>
Date: Mon, 28 Jan 2019 17:24:23 +0100
Subject: Fix setup on Secure Boot systems where cryptodisk is in use

On full-encrypted systems, including /boot, the current code omits
cryptodisk commands needed to open the drives if Secure Boot is enabled.
This prevents grub2 from reading any further configuration residing on
the encrypted disk.
This patch fixes this issue by adding the needed "cryptomount" commands in
the load.cfg file that is then copied in the EFI partition.

Bug-Debian: https://bugs.debian.org/917117
Last-Update: 2019-02-10
Patch-Name: uefi-secure-boot-cryptomount.patch
---
util/grub-install.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/util/grub-install.c b/util/grub-install.c
index 5f3217ae4..6462d3c70 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1521,6 +1521,23 @@ main (int argc, char *argv[])
|| uefi_secure_boot)
{
char *uuid = NULL;
+
+ if (uefi_secure_boot && config.is_cryptodisk_enabled)
+ {
+ if (grub_dev->disk)
+ probe_cryptodisk_uuid (grub_dev->disk);
+
+ for (curdrive = grub_drives + 1; *curdrive; curdrive++)
+ {
+ grub_device_t dev = grub_device_open (*curdrive);
+ if (!dev)
+ continue;
+ if (dev->disk)
+ probe_cryptodisk_uuid (dev->disk);
+ grub_device_close (dev);
+ }
+ }
+
/* generic method (used on coreboot and ata mod). */
if (!force_file_id
&& grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid))
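Review bot: the drive loop in this hunk silently skips any entry for which `grub_device_open` fails (`if (!dev) continue;`) without clearing the error state; check whether a failed open leaves `grub_errno` set, and if so reset it (`grub_errno = GRUB_ERR_NONE;`) before the `continue`, otherwise a later error check in grub-install can report a stale failure from a drive that was only being probed. The `grub_drives + 1` start also deserves a one-line comment explaining why the first entry is skipped, since the only hint in the hunk is that `grub_dev->disk` is probed separately just above the loop. Finally, the new block is gated on `uefi_secure_boot && config.is_cryptodisk_enabled` inside a branch whose visible condition is `|| uefi_secure_boot)`, so a short comment stating that the cryptodisk UUIDs gathered here are what later produces the `cryptomount` lines in load.cfg would tie the code back to the description in the patch header.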