From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Fri, 14 Jun 2019 16:37:11 +0100
Subject: Deal with --force-extra-removable with signed shim too

In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
and signed Grub as /EFI/BOOT/grubXXX.efi.

Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
NVRAM).

[cjwatson: Refactored also_install_removable somewhat for brevity and so
that we're using consistent case-insensitive logic.]

Bug-Debian: https://bugs.debian.org/930531
Last-Update: 2019-06-14

Patch-Name: grub-install-removable-shim.patch
---
 util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
 1 file changed, 67 insertions(+), 17 deletions(-)

diff --git a/util/grub-install.c b/util/grub-install.c
index 04d8250c9..03b1283e0 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
 static void
 also_install_removable(const char *src,
 		       const char *base_efidir,
-		       const char *efi_suffix_upper)
+		       const char *efi_file,
+		       int is_needed)
 {
-  char *efi_file = NULL;
   char *dst = NULL;
   char *cur = NULL;
   char *found = NULL;
 
-  if (!efi_suffix_upper)
-    grub_util_error ("%s", _("efi_suffix_upper not set"));
-  efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
-
   /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
    * need to cope with case-insensitive stuff here. Build the path one
    * component at a time, checking for existing matches each time. */
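Review bot: The `if (!efi_suffix_upper) grub_util_error (...)` guard removed from also_install_removable is not re-established where the new code formats that string: the main() hunk now does `xasprintf ("BOOT%s.EFI", efi_suffix_upper)` with no check, so if efi_suffix_upper can still be unset on some platform the guard should move in front of that xasprintf, e.g. `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));`. The two new parameters also deserve a line in the comment above the function, e.g. `/* efi_file: name to create under $base_efidir/EFI/BOOT; is_needed: passed through to grub_install_copy_file */` — the is_needed pass-through is visible in the next hunk, but whether 0 merely makes a missing src non-fatal is not shown here and should be confirmed against grub_install_copy_file. also_install_removable's body continues past this hunk.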
@@ -924,10 +920,9 @@ also_install_removable(const char *src,
   cur = xstrdup (dst);
   free (dst);
   free (found);
-  grub_install_copy_file (src, cur, 1);
+  grub_install_copy_file (src, cur, is_needed);
 
   free (cur);
-  free (efi_file);
 }
 
 int
@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
     case GRUB_INSTALL_PLATFORM_IA64_EFI:
       {
 	char *dst = grub_util_path_concat (2, efidir, efi_file);
+	char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+
 	if (uefi_secure_boot)
 	  {
 	    char *shim_signed = NULL;
 	    char *mok_signed = NULL, *mok_file = NULL;
 	    char *fb_signed = NULL, *fb_file = NULL;
+	    char *csv_file = NULL;
 	    char *config_dst;
 	    FILE *config_dst_f;
 
@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
 	    mok_file = xasprintf ("mm%s.efi", efi_suffix);
 	    fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
 	    fb_file = xasprintf ("fb%s.efi", efi_suffix);
+	    csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
+
+	    /* If we have a signed shim binary, install that and all
+	       its helpers in the normal vendor path */
 
 	    if (grub_util_is_regular (shim_signed))
 	      {
 		char *chained_base, *chained_dst;
-		char *mok_src, *mok_dst, *fb_src, *fb_dst;
+		char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
 		if (!removable)
 		  {
 		    free (efi_file);
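Review bot: The new comment "If we have a signed shim binary, install that and all its helpers in the normal vendor path" is separated from the `if (grub_util_is_regular (shim_signed))` it describes by a blank line, so it reads as a stray paragraph rather than the condition's comment; drop the blank line so the comment sits directly above the `if`. The comment could also name what the helpers are (MokManager, fallback, the .CSV added in this commit), since the later hunk copies those without further explanation. The enclosing `if (uefi_secure_boot)` block and main() itself both extend outside this hunk.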
@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
 		chained_base = xasprintf ("grub%s.efi", efi_suffix);
 		chained_dst = grub_util_path_concat (2, efidir, chained_base);
 		grub_install_copy_file (efi_signed, chained_dst, 1);
-		free (chained_dst);
-		free (chained_base);
 
 		/* Not critical, so not an error if they are not present (as it
 		   won't be for older releases); but if we have them, make
@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
 						    mok_file);
 		grub_install_copy_file (mok_src,
 					mok_dst, 0);
-		free (mok_src);
-		free (mok_dst);
 
 		fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
 						    fb_signed);
@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
 						    fb_file);
 		grub_install_copy_file (fb_src,
 					fb_dst, 0);
+
+		csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
+						    csv_file);
+		csv_dst = grub_util_path_concat (2, efidir,
+						    csv_file);
+		grub_install_copy_file (csv_src,
+					csv_dst, 0);
+
+		/* Install binaries into .../EFI/BOOT too:
+		   the shim binary
+		   the grub binary
+		   the shim fallback binary (not fatal on failure) */
+		if (force_extra_removable)
+		  {
+		    grub_util_info ("Secure boot: installing shim and image into rm path");
+		    also_install_removable (shim_signed, base_efidir, removable_file, 1);
+
+		    also_install_removable (efi_signed, base_efidir, chained_base, 1);
+
+		    /* If we're updating the NVRAM, add fallback too - it
+			will re-update the NVRAM later if things break */
+		    if (update_nvram)
+		      also_install_removable (fb_src, base_efidir, fb_file, 0);
+		  }
+
+		free (chained_dst);
+		free (chained_base);
+		free (mok_src);
+		free (mok_dst);
 		free (fb_src);
 		free (fb_dst);
+		free (csv_src);
+		free (csv_dst);
 	      }
 	    else
-	      grub_install_copy_file (efi_signed, dst, 1);
+	      {
+		/* Tried to install for secure boot, but no signed
+		   shim found. Fall back to just installing the signed
+		   grub binary */
+		grub_util_info ("Secure boot (no shim): installing signed grub binary");
+		grub_install_copy_file (efi_signed, dst, 1);
+		if (force_extra_removable)
+		  {
+		    grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
+		    also_install_removable (efi_signed, base_efidir, removable_file, 1);
+		  }
+	      }
 
+	    /* In either case, install our grub.cfg */
 	    config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
 	    grub_install_copy_file (load_cfg, config_dst, 1);
 	    config_dst_f = grub_util_fopen (config_dst, "ab");
 	    fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
 	    fclose (config_dst_f);
 	    free (config_dst);
-	    if (force_extra_removable)
-	      also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
+
+	    free (csv_file);
+	    free (fb_file);
+	    free (fb_signed);
+	    free (mok_file);
+	    free (mok_signed);
+	    free (shim_signed);
 	  }
 	else
 	  {
+	    /* No secure boot - just install our newly-generated image */
+	    grub_util_info ("No Secure Boot: installing core image");
 	    grub_install_copy_file (imgfile, dst, 1);
 	    if (force_extra_removable)
-	      also_install_removable(imgfile, base_efidir, efi_suffix_upper);
+	      also_install_removable (imgfile, base_efidir, removable_file, 1);
 	  }
+
+	free (removable_file);
 	free (dst);
       }
       if (!removable && update_nvram)
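Review bot: The removable-path block copies shim, grub and (when update_nvram) the fallback binary into EFI/BOOT, but not the MokManager image that the vendor path receives via mok_src/mok_dst just above; if shim started from EFI/BOOT is expected to find MokManager beside itself, this presumably leaves the removable install unable to complete a MOK enrolment, so either add `also_install_removable (mok_src, base_efidir, mok_file, 0);` next to the fallback copy or state in the "Install binaries into .../EFI/BOOT too" list that MokManager is deliberately left out. The two new `grub_util_info` messages say "into rm path", which reads as removal; `"Secure boot: installing shim and image into removable path"` is unambiguous. The continuation line of the "If we're updating the NVRAM" comment is indented with a tab and does not align with its opener. All of this hunk lies inside main(), whose body starts and ends outside it.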