62e3547e57
- Version bump to 2.04 * removed - translations-20170427.tar.xz * grub2.spec - Make signed grub-tpm.efi specific to x86_64-efi build, the platform currently shipped with tpm module from upstream codebase - Add shim_lock to signed grub.efi in x86_64-efi build - x86_64: linuxefi now depends on linux, both will verify kernel via shim_lock - Remove translation tarball and po file hacks as it's been included in upstream tarball * rediff - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch - grub2-commands-introduce-read_file-subcommand.patch - grub2-secureboot-add-linuxefi.patch - 0001-add-support-for-UEFI-network-protocols.patch - grub2-efi-HP-workaround.patch - grub2-secureboot-install-signed-grub.patch - grub2-linux.patch - use-grub2-as-a-package-name.patch - grub2-pass-corret-root-for-nfsroot.patch - grub2-secureboot-use-linuxefi-on-uefi.patch - grub2-secureboot-no-insmod-on-sb.patch - grub2-secureboot-provide-linuxefi-config.patch - grub2-secureboot-chainloader.patch - grub2-s390x-01-Changes-made-and-files-added-in-order-to-allow-s390x.patch - grub2-s390x-02-kexec-module-added-to-emu.patch - grub2-s390x-04-grub2-install.patch - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch - grub2-efi-chainloader-root.patch OBS-URL: https://build.opensuse.org/request/show/741033 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=340
228 lines
7.1 KiB
Diff
228 lines
7.1 KiB
Diff
From 1ff2f31d12f7235423a1eb8a117e0c6f8b2f41c7 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Tue, 4 Jun 2019 12:32:35 +0800
|
|
Subject: [PATCH] grub-install: handle signed grub installation on arm64-efi
|
|
|
|
Use grub2-install to handle signed grub installation for arm64 UEFI secure
|
|
boot, the default behavior is auto, which will install signed grub whenever
|
|
detected.
|
|
|
|
Two options, --suse-force-signed and --suse-inhibit-signed, can be used to
|
|
override the default auto detecting behavior. The former will force to use
|
|
prebuilt signed image and thus will fail if missing, the latter will always use
|
|
'mkimage' to create unsigned core image per the user's running environment.
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
util/grub-install.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 85 insertions(+), 1 deletion(-)
|
|
|
|
Index: grub-2.04~rc1/util/grub-install.c
|
|
===================================================================
|
|
--- grub-2.04~rc1.orig/util/grub-install.c
|
|
+++ grub-2.04~rc1/util/grub-install.c
|
|
@@ -84,6 +84,15 @@ static int suse_enable_tpm = 0;
|
|
|
|
enum
|
|
{
|
|
+ SIGNED_GRUB_INHIBIT,
|
|
+ SIGNED_GRUB_AUTO,
|
|
+ SIGNED_GRUB_FORCE
|
|
+ };
|
|
+
|
|
+static int signed_grub_mode = SIGNED_GRUB_AUTO;
|
|
+
|
|
+enum
|
|
+ {
|
|
OPTION_BOOT_DIRECTORY = 0x301,
|
|
OPTION_ROOT_DIRECTORY,
|
|
OPTION_TARGET,
|
|
@@ -108,6 +117,8 @@ enum
|
|
OPTION_NO_BOOTSECTOR,
|
|
OPTION_NO_RS_CODES,
|
|
OPTION_SUSE_ENABLE_TPM,
|
|
+ OPTION_SUSE_FORCE_SIGNED,
|
|
+ OPTION_SUSE_INHIBIT_SIGNED,
|
|
OPTION_MACPPC_DIRECTORY,
|
|
OPTION_ZIPL_DIRECTORY,
|
|
OPTION_LABEL_FONT,
|
|
@@ -237,6 +248,14 @@ argp_parser (int key, char *arg, struct
|
|
suse_enable_tpm = 1;
|
|
return 0;
|
|
|
|
+ case OPTION_SUSE_FORCE_SIGNED:
|
|
+ signed_grub_mode = SIGNED_GRUB_FORCE;
|
|
+ return 0;
|
|
+
|
|
+ case OPTION_SUSE_INHIBIT_SIGNED:
|
|
+ signed_grub_mode = SIGNED_GRUB_INHIBIT;
|
|
+ return 0;
|
|
+
|
|
case OPTION_DEBUG:
|
|
verbosity++;
|
|
return 0;
|
|
@@ -299,7 +318,12 @@ static struct argp_option options[] = {
|
|
N_("Do not apply any reed-solomon codes when embedding core.img. "
|
|
"This option is only available on x86 BIOS targets."), 0},
|
|
{"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
|
|
-
|
|
+ {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
|
|
+ N_("force installation of signed grub" "%s."
|
|
+ "This option is only available on ARM64 EFI targets."), 0},
|
|
+ {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
|
|
+ N_("inhibit installation of signed grub. "
|
|
+ "This option is only available on ARM64 EFI targets."), 0},
|
|
{"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
|
|
{"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
|
|
{"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
|
|
@@ -364,6 +388,22 @@ help_filter (int key, const char *text,
|
|
free (plats);
|
|
return ret;
|
|
}
|
|
+ case OPTION_SUSE_FORCE_SIGNED:
|
|
+ {
|
|
+ const char *t = get_default_platform ();
|
|
+ char *ret;
|
|
+ if (grub_strcmp (t, "arm64-efi") == 0)
|
|
+ {
|
|
+ char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi");
|
|
+ char *text2 = xasprintf (" [default=%s]", s);
|
|
+ ret = xasprintf (text, text2);
|
|
+ free (text2);
|
|
+ free (s);
|
|
+ }
|
|
+ else
|
|
+ ret = xasprintf (text, "");
|
|
+ return ret;
|
|
+ }
|
|
case ARGP_KEY_HELP_POST_DOC:
|
|
return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME);
|
|
default:
|
|
@@ -1627,13 +1667,34 @@ main (int argc, char *argv[])
|
|
|
|
char mkimage_target[200];
|
|
const char *core_name = NULL;
|
|
+ char *signed_imgfile = NULL;
|
|
|
|
switch (platform)
|
|
{
|
|
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
+
|
|
+ if (signed_grub_mode > SIGNED_GRUB_INHIBIT)
|
|
+ {
|
|
+ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi");
|
|
+ if (!grub_util_is_regular (signed_imgfile))
|
|
+ {
|
|
+ if (signed_grub_mode >= SIGNED_GRUB_FORCE)
|
|
+ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
|
|
+ else
|
|
+ {
|
|
+ free (signed_imgfile);
|
|
+ signed_imgfile = NULL;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (signed_imgfile)
|
|
+ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
|
|
+
|
|
+ /* fallthrough. */
|
|
case GRUB_INSTALL_PLATFORM_I386_EFI:
|
|
case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
|
case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
|
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
|
|
case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
|
|
case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
|
@@ -1703,13 +1764,75 @@ main (int argc, char *argv[])
|
|
core_name);
|
|
char *prefix = xasprintf ("%s%s", prefix_drive ? : "",
|
|
relative_grubdir);
|
|
- if (core_name != mkimage_target)
|
|
+ char *grub_efi_cfg = NULL;
|
|
+
|
|
+ if ((core_name != mkimage_target) && !signed_imgfile)
|
|
grub_install_make_image_wrap (/* source dir */ grub_install_source_directory,
|
|
/*prefix */ prefix,
|
|
/* output */ imgfile,
|
|
/* memdisk */ NULL,
|
|
have_load_cfg ? load_cfg : NULL,
|
|
/* image target */ mkimage_target, 0);
|
|
+ else if (signed_imgfile)
|
|
+ {
|
|
+ FILE *grub_cfg_f;
|
|
+
|
|
+ grub_install_copy_file (signed_imgfile, imgfile, 1);
|
|
+ grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg");
|
|
+ grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb");
|
|
+ if (!grub_cfg_f)
|
|
+ grub_util_error (_("Can't create file: %s"), strerror (errno));
|
|
+
|
|
+ if (have_abstractions)
|
|
+ {
|
|
+ fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir);
|
|
+ fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]);
|
|
+ }
|
|
+ else if (prefix_drive)
|
|
+ {
|
|
+ char *uuid = NULL;
|
|
+ if (grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid))
|
|
+ {
|
|
+ grub_print_error ();
|
|
+ grub_errno = 0;
|
|
+ uuid = NULL;
|
|
+ }
|
|
+ if (!uuid)
|
|
+ grub_util_error ("cannot find fs uuid for %s", grub_fs->name);
|
|
+
|
|
+ fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid);
|
|
+ fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir);
|
|
+ }
|
|
+
|
|
+ if (have_load_cfg)
|
|
+ {
|
|
+ size_t len;
|
|
+ char *buf;
|
|
+
|
|
+ FILE *fp = grub_util_fopen (load_cfg, "rb");
|
|
+ if (!fp)
|
|
+ grub_util_error (_("Can't read file: %s"), strerror (errno));
|
|
+
|
|
+ fseek (fp, 0, SEEK_END);
|
|
+ len = ftell (fp);
|
|
+ fseek (fp, 0, SEEK_SET);
|
|
+ buf = xmalloc (len);
|
|
+
|
|
+ if (fread (buf, 1, len, fp) != len)
|
|
+ grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno));
|
|
+
|
|
+ if (fwrite (buf, 1, len, grub_cfg_f) != len)
|
|
+ grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));
|
|
+
|
|
+ free (buf);
|
|
+ fclose (fp);
|
|
+ }
|
|
+
|
|
+ fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n");
|
|
+ fclose (grub_cfg_f);
|
|
+ free (signed_imgfile);
|
|
+ signed_imgfile = NULL;
|
|
+ }
|
|
/* Backward-compatibility kludges. */
|
|
switch (platform)
|
|
{
|
|
@@ -1985,6 +2108,13 @@ main (int argc, char *argv[])
|
|
char *dst = grub_util_path_concat (2, efidir, efi_file);
|
|
grub_install_copy_file (imgfile, dst, 1);
|
|
free (dst);
|
|
+ if (grub_efi_cfg)
|
|
+ {
|
|
+ dst = grub_util_path_concat (2, efidir, "grub.cfg");
|
|
+ grub_install_copy_file (grub_efi_cfg, dst, 1);
|
|
+ free (dst);
|
|
+ free (grub_efi_cfg);
|
|
+ }
|
|
}
|
|
if (!removable && update_nvram)
|
|
{
|