forked from pool/grub2
6b8bc36c6d
- Use grub2-install to handle signed grub installation for UEFI secure boot and also provide options to override default (bsc#1136601) * grub2-secureboot-install-signed-grub.patch - Remove arm64 linuxefi patches as it's not needed for secure boot * 0001-efi-refactor-grub_efi_allocate_pages.patch * 0002-Remove-grub_efi_allocate_pages.patch * 0003-arm64-efi-move-EFI_PAGE-definitions-to-efi-memory.h.patch * 0004-efi-Add-central-copy-of-grub_efi_find_mmap_size.patch * 0005-efi-Add-grub_efi_get_ram_base-function-for-arm64.patch * 0006-Add-support-for-EFI-handover-on-ARM64.patch OBS-URL: https://build.opensuse.org/request/show/713147 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=335
229 lines
7.1 KiB
Diff
229 lines
7.1 KiB
Diff
From 1ff2f31d12f7235423a1eb8a117e0c6f8b2f41c7 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Tue, 4 Jun 2019 12:32:35 +0800
|
|
Subject: [PATCH] grub-install: handle signed grub installation on arm64-efi
|
|
|
|
Use grub2-install to handle signed grub installation for arm64 UEFI secure
|
|
boot, the default behavior is auto, which will install signed grub whenever
|
|
detected.
|
|
|
|
Two options, --suse-force-signed and --suse-inhibit-signed, can be used to
|
|
override the default auto detecting behavior. The former will force to use
|
|
prebuilt signed image and thus will fail if missing, the latter will always use
|
|
'mkimage' to create unsigned core image per the user's running environment.
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
util/grub-install.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
|
|
1 file changed, 85 insertions(+), 1 deletion(-)
|
|
|
|
Index: grub-2.02/util/grub-install.c
|
|
===================================================================
|
|
--- grub-2.02.orig/util/grub-install.c
|
|
+++ grub-2.02/util/grub-install.c
|
|
@@ -84,6 +84,15 @@ static int suse_enable_tpm = 0;
|
|
|
|
enum
|
|
{
|
|
+ SIGNED_GRUB_INHIBIT,
|
|
+ SIGNED_GRUB_AUTO,
|
|
+ SIGNED_GRUB_FORCE
|
|
+ };
|
|
+
|
|
+static int signed_grub_mode = SIGNED_GRUB_AUTO;
|
|
+
|
|
+enum
|
|
+ {
|
|
OPTION_BOOT_DIRECTORY = 0x301,
|
|
OPTION_ROOT_DIRECTORY,
|
|
OPTION_TARGET,
|
|
@@ -108,6 +117,8 @@ enum
|
|
OPTION_NO_BOOTSECTOR,
|
|
OPTION_NO_RS_CODES,
|
|
OPTION_SUSE_ENABLE_TPM,
|
|
+ OPTION_SUSE_FORCE_SIGNED,
|
|
+ OPTION_SUSE_INHIBIT_SIGNED,
|
|
OPTION_MACPPC_DIRECTORY,
|
|
OPTION_ZIPL_DIRECTORY,
|
|
OPTION_LABEL_FONT,
|
|
@@ -237,6 +248,14 @@ argp_parser (int key, char *arg, struct
|
|
suse_enable_tpm = 1;
|
|
return 0;
|
|
|
|
+ case OPTION_SUSE_FORCE_SIGNED:
|
|
+ signed_grub_mode = SIGNED_GRUB_FORCE;
|
|
+ return 0;
|
|
+
|
|
+ case OPTION_SUSE_INHIBIT_SIGNED:
|
|
+ signed_grub_mode = SIGNED_GRUB_INHIBIT;
|
|
+ return 0;
|
|
+
|
|
case OPTION_DEBUG:
|
|
verbosity++;
|
|
return 0;
|
|
@@ -299,7 +318,12 @@ static struct argp_option options[] = {
|
|
N_("Do not apply any reed-solomon codes when embedding core.img. "
|
|
"This option is only available on x86 BIOS targets."), 0},
|
|
{"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
|
|
-
|
|
+ {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
|
|
+ N_("force installation of signed grub" "%s."
|
|
+ "This option is only available on ARM64 EFI targets."), 0},
|
|
+ {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
|
|
+ N_("inhibit installation of signed grub. "
|
|
+ "This option is only available on ARM64 EFI targets."), 0},
|
|
{"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
|
|
{"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
|
|
{"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
|
|
@@ -364,6 +388,22 @@ help_filter (int key, const char *text,
|
|
free (plats);
|
|
return ret;
|
|
}
|
|
+ case OPTION_SUSE_FORCE_SIGNED:
|
|
+ {
|
|
+ const char *t = get_default_platform ();
|
|
+ char *ret;
|
|
+ if (grub_strcmp (t, "arm64-efi") == 0)
|
|
+ {
|
|
+ char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi");
|
|
+ char *text2 = xasprintf (" [default=%s]", s);
|
|
+ ret = xasprintf (text, text2);
|
|
+ free (text2);
|
|
+ free (s);
|
|
+ }
|
|
+ else
|
|
+ ret = xasprintf (text, "");
|
|
+ return ret;
|
|
+ }
|
|
case ARGP_KEY_HELP_POST_DOC:
|
|
return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME);
|
|
default:
|
|
@@ -1596,13 +1636,34 @@ main (int argc, char *argv[])
|
|
|
|
char mkimage_target[200];
|
|
const char *core_name = NULL;
|
|
+ char *signed_imgfile = NULL;
|
|
|
|
switch (platform)
|
|
{
|
|
- case GRUB_INSTALL_PLATFORM_I386_EFI:
|
|
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
+
|
|
+ if (signed_grub_mode > SIGNED_GRUB_INHIBIT)
|
|
+ {
|
|
+ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi");
|
|
+ if (!grub_util_is_regular (signed_imgfile))
|
|
+ {
|
|
+ if (signed_grub_mode >= SIGNED_GRUB_FORCE)
|
|
+ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
|
|
+ else
|
|
+ {
|
|
+ free (signed_imgfile);
|
|
+ signed_imgfile = NULL;
|
|
+ }
|
|
+ }
|
|
+ }
|
|
+
|
|
+ if (signed_imgfile)
|
|
+ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
|
|
+
|
|
+ /* fallthrough. */
|
|
case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
|
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
|
|
case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
|
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
|
core_name = "core.efi";
|
|
snprintf (mkimage_target, sizeof (mkimage_target),
|
|
@@ -1678,13 +1739,75 @@ main (int argc, char *argv[])
|
|
core_name);
|
|
char *prefix = xasprintf ("%s%s", prefix_drive ? : "",
|
|
relative_grubdir);
|
|
- if (core_name != mkimage_target)
|
|
+ char *grub_efi_cfg = NULL;
|
|
+
|
|
+ if ((core_name != mkimage_target) && !signed_imgfile)
|
|
grub_install_make_image_wrap (/* source dir */ grub_install_source_directory,
|
|
/*prefix */ prefix,
|
|
/* output */ imgfile,
|
|
/* memdisk */ NULL,
|
|
have_load_cfg ? load_cfg : NULL,
|
|
/* image target */ mkimage_target, 0);
|
|
+ else if (signed_imgfile)
|
|
+ {
|
|
+ FILE *grub_cfg_f;
|
|
+
|
|
+ grub_install_copy_file (signed_imgfile, imgfile, 1);
|
|
+ grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg");
|
|
+ grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb");
|
|
+ if (!grub_cfg_f)
|
|
+ grub_util_error (_("Can't create file: %s"), strerror (errno));
|
|
+
|
|
+ if (have_abstractions)
|
|
+ {
|
|
+ fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir);
|
|
+ fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]);
|
|
+ }
|
|
+ else if (prefix_drive)
|
|
+ {
|
|
+ char *uuid = NULL;
|
|
+ if (grub_fs->uuid && grub_fs->uuid (grub_dev, &uuid))
|
|
+ {
|
|
+ grub_print_error ();
|
|
+ grub_errno = 0;
|
|
+ uuid = NULL;
|
|
+ }
|
|
+ if (!uuid)
|
|
+ grub_util_error ("cannot find fs uuid for %s", grub_fs->name);
|
|
+
|
|
+ fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid);
|
|
+ fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir);
|
|
+ }
|
|
+
|
|
+ if (have_load_cfg)
|
|
+ {
|
|
+ size_t len;
|
|
+ char *buf;
|
|
+
|
|
+ FILE *fp = grub_util_fopen (load_cfg, "rb");
|
|
+ if (!fp)
|
|
+ grub_util_error (_("Can't read file: %s"), strerror (errno));
|
|
+
|
|
+ fseek (fp, 0, SEEK_END);
|
|
+ len = ftell (fp);
|
|
+ fseek (fp, 0, SEEK_SET);
|
|
+ buf = xmalloc (len);
|
|
+
|
|
+ if (fread (buf, 1, len, fp) != len)
|
|
+ grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno));
|
|
+
|
|
+ if (fwrite (buf, 1, len, grub_cfg_f) != len)
|
|
+ grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));
|
|
+
|
|
+ free (buf);
|
|
+ fclose (fp);
|
|
+ }
|
|
+
|
|
+ fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n");
|
|
+ fclose (grub_cfg_f);
|
|
+ free (signed_imgfile);
|
|
+ signed_imgfile = NULL;
|
|
+ }
|
|
/* Backward-compatibility kludges. */
|
|
switch (platform)
|
|
{
|
|
@@ -1950,6 +2073,13 @@ main (int argc, char *argv[])
|
|
char *dst = grub_util_path_concat (2, efidir, efi_file);
|
|
grub_install_copy_file (imgfile, dst, 1);
|
|
free (dst);
|
|
+ if (grub_efi_cfg)
|
|
+ {
|
|
+ dst = grub_util_path_concat (2, efidir, "grub.cfg");
|
|
+ grub_install_copy_file (grub_efi_cfg, dst, 1);
|
|
+ free (dst);
|
|
+ free (grub_efi_cfg);
|
|
+ }
|
|
}
|
|
if (!removable && update_nvram)
|
|
{
|