grub2/grub2-secureboot-install-signed-grub.patch
Michael Chang 62e3547e57 Accepting request 741033 from home:michael-chang:devel
- Version bump to 2.04
  * removed
    - translations-20170427.tar.xz
  * grub2.spec
    - Make signed grub-tpm.efi specific to x86_64-efi build, the platform
      currently shipped with tpm module from upstream codebase
    - Add shim_lock to signed grub.efi in x86_64-efi build
    - x86_64: linuxefi now depends on linux, both will verify kernel via
      shim_lock
    - Remove translation tarball and po file hacks as it's been included in
      upstream tarball
  * rediff
    - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
    - grub2-commands-introduce-read_file-subcommand.patch
    - grub2-secureboot-add-linuxefi.patch
    - 0001-add-support-for-UEFI-network-protocols.patch
    - grub2-efi-HP-workaround.patch
    - grub2-secureboot-install-signed-grub.patch
    - grub2-linux.patch
    - use-grub2-as-a-package-name.patch
    - grub2-pass-corret-root-for-nfsroot.patch
    - grub2-secureboot-use-linuxefi-on-uefi.patch
    - grub2-secureboot-no-insmod-on-sb.patch
    - grub2-secureboot-provide-linuxefi-config.patch
    - grub2-secureboot-chainloader.patch
    - grub2-s390x-01-Changes-made-and-files-added-in-order-to-allow-s390x.patch
    - grub2-s390x-02-kexec-module-added-to-emu.patch
    - grub2-s390x-04-grub2-install.patch
    - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
    - grub2-efi-chainloader-root.patch

OBS-URL: https://build.opensuse.org/request/show/741033
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=340
2019-10-18 10:18:53 +00:00

228 lines
7.1 KiB
Diff

From 1ff2f31d12f7235423a1eb8a117e0c6f8b2f41c7 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 4 Jun 2019 12:32:35 +0800
Subject: [PATCH] grub-install: handle signed grub installation on arm64-efi
Use grub2-install to handle signed grub installation for arm64 UEFI secure
boot, the default behavior is auto, which will install signed grub whenever
detected.
Two options, --suse-force-signed and --suse-inhibit-signed, can be used to
override the default auto detecting behavior. The former will force to use
prebuilt signed image and thus will fail if missing, the latter will always use
'mkimage' to create unsigned core image per the user's running environment.
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub-install.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 85 insertions(+), 1 deletion(-)
Index: grub-2.04~rc1/util/grub-install.c
===================================================================
--- grub-2.04~rc1.orig/util/grub-install.c
+++ grub-2.04~rc1/util/grub-install.c
@@ -84,6 +84,15 @@ static int suse_enable_tpm = 0;
enum
{
+ SIGNED_GRUB_INHIBIT,
+ SIGNED_GRUB_AUTO,
+ SIGNED_GRUB_FORCE
+ };
+
+static int signed_grub_mode = SIGNED_GRUB_AUTO;
+
+enum
+ {
OPTION_BOOT_DIRECTORY = 0x301,
OPTION_ROOT_DIRECTORY,
OPTION_TARGET,
@@ -108,6 +117,8 @@ enum
OPTION_NO_BOOTSECTOR,
OPTION_NO_RS_CODES,
OPTION_SUSE_ENABLE_TPM,
+ OPTION_SUSE_FORCE_SIGNED,
+ OPTION_SUSE_INHIBIT_SIGNED,
OPTION_MACPPC_DIRECTORY,
OPTION_ZIPL_DIRECTORY,
OPTION_LABEL_FONT,
@@ -237,6 +248,14 @@ argp_parser (int key, char *arg, struct
suse_enable_tpm = 1;
return 0;
+ case OPTION_SUSE_FORCE_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_FORCE;
+ return 0;
+
+ case OPTION_SUSE_INHIBIT_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_INHIBIT;
+ return 0;
+
case OPTION_DEBUG:
verbosity++;
return 0;
@@ -299,7 +318,12 @@ static struct argp_option options[] = {
N_("Do not apply any reed-solomon codes when embedding core.img. "
"This option is only available on x86 BIOS targets."), 0},
{"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
-
+ {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
+ N_("force installation of signed grub" "%s."
+ "This option is only available on ARM64 EFI targets."), 0},
+ {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
+ N_("inhibit installation of signed grub. "
+ "This option is only available on ARM64 EFI targets."), 0},
{"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
{"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
{"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
@@ -364,6 +388,22 @@ help_filter (int key, const char *text,
free (plats);
return ret;
}
+ case OPTION_SUSE_FORCE_SIGNED:
+ {
+ const char *t = get_default_platform ();
+ char *ret;
+ if (grub_strcmp (t, "arm64-efi") == 0)
+ {
+ char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi");
+ char *text2 = xasprintf (" [default=%s]", s);
+ ret = xasprintf (text, text2);
+ free (text2);
+ free (s);
+ }
+ else
+ ret = xasprintf (text, "");
+ return ret;
+ }
case ARGP_KEY_HELP_POST_DOC:
return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME);
default:
@@ -1627,13 +1667,34 @@ main (int argc, char *argv[])
char mkimage_target[200];
const char *core_name = NULL;
+ char *signed_imgfile = NULL;
switch (platform)
{
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+
+ if (signed_grub_mode > SIGNED_GRUB_INHIBIT)
+ {
+ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi");
+ if (!grub_util_is_regular (signed_imgfile))
+ {
+ if (signed_grub_mode >= SIGNED_GRUB_FORCE)
+ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
+ else
+ {
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
+ }
+ }
+
+ if (signed_imgfile)
+ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
+
+ /* fallthrough. */
case GRUB_INSTALL_PLATFORM_I386_EFI:
case GRUB_INSTALL_PLATFORM_X86_64_EFI:
case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
case GRUB_INSTALL_PLATFORM_IA64_EFI:
@@ -1703,13 +1764,75 @@ main (int argc, char *argv[])
core_name);
char *prefix = xasprintf ("%s%s", prefix_drive ? : "",
relative_grubdir);
- if (core_name != mkimage_target)
+ char *grub_efi_cfg = NULL;
+
+ if ((core_name != mkimage_target) && !signed_imgfile)
grub_install_make_image_wrap (/* source dir */ grub_install_source_directory,
/*prefix */ prefix,
/* output */ imgfile,
/* memdisk */ NULL,
have_load_cfg ? load_cfg : NULL,
/* image target */ mkimage_target, 0);
+ else if (signed_imgfile)
+ {
+ FILE *grub_cfg_f;
+
+ grub_install_copy_file (signed_imgfile, imgfile, 1);
+ grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg");
+ grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb");
+ if (!grub_cfg_f)
+ grub_util_error (_("Can't create file: %s"), strerror (errno));
+
+ if (have_abstractions)
+ {
+ fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir);
+ fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]);
+ }
+ else if (prefix_drive)
+ {
+ char *uuid = NULL;
+ if (grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid))
+ {
+ grub_print_error ();
+ grub_errno = 0;
+ uuid = NULL;
+ }
+ if (!uuid)
+ grub_util_error ("cannot find fs uuid for %s", grub_fs->name);
+
+ fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid);
+ fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir);
+ }
+
+ if (have_load_cfg)
+ {
+ size_t len;
+ char *buf;
+
+ FILE *fp = grub_util_fopen (load_cfg, "rb");
+ if (!fp)
+ grub_util_error (_("Can't read file: %s"), strerror (errno));
+
+ fseek (fp, 0, SEEK_END);
+ len = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+ buf = xmalloc (len);
+
+ if (fread (buf, 1, len, fp) != len)
+ grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno));
+
+ if (fwrite (buf, 1, len, grub_cfg_f) != len)
+ grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));
+
+ free (buf);
+ fclose (fp);
+ }
+
+ fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n");
+ fclose (grub_cfg_f);
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
/* Backward-compatibility kludges. */
switch (platform)
{
@@ -1985,6 +2108,13 @@ main (int argc, char *argv[])
char *dst = grub_util_path_concat (2, efidir, efi_file);
grub_install_copy_file (imgfile, dst, 1);
free (dst);
+ if (grub_efi_cfg)
+ {
+ dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ grub_install_copy_file (grub_efi_cfg, dst, 1);
+ free (dst);
+ free (grub_efi_cfg);
+ }
}
if (!removable && update_nvram)
{