Merge branch 'secureboot-both-x64-and-ia32' into 'master'

Draft: Secure Boot now supports both x64 and ia32 See merge request live-team/live-build!357
2024-12-22 23:00:09 +00:00 · 2024-12-22 23:00:09 +00:00 · 178b258e9e
commit 178b258e9e
parent a99e8c3d97 c09791ddf0
1 changed files with 91 additions and 80 deletions
--- a/scripts/build/binary_grub-efi
+++ b/scripts/build/binary_grub-efi
@ -59,81 +59,101 @@ Check_package chroot /usr/bin/grub-mkimage grub-common
 Check_package chroot /usr/bin/mcopy mtools
 Check_package chroot /sbin/mkfs.msdos dosfstools

-# Check UEFI Secure Boot setting and depends
-# By default (auto) do a best-effort build: if the signed binaries are available use
-# them, but don't fail if they are not, just print a warning.
+_PRE_SB_PACKAGES="${_LB_PACKAGES}"
+
+secure_boot_package_install ()
+{
+	_SB_EFI_PLATFORM="$1"
+	_SB_EFI_NAME="$2"
+	_SB_DEB_ARCH="$3"
+	_SB_EFI_DEB="$4"
+
+	# Restoring cache
+	Restore_package_cache binary
+
+	# Installing depends
+	Install_packages
+
+	# Check UEFI Secure Boot setting and depends
+	# By default (auto) do a best-effort build: if the signed binaries are available use
+	# them, but don't fail if they are not, just print a warning.
+	case "${LB_UEFI_SECURE_BOOT}" in
+		auto)
+			# Try to install the shim and signed grub package separately,
+			# as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs)
+			# Uses the (intentionally) undocumented _LB_PACKAGES variable
+			echo "!!! The following error/warning messages can be ignored !!!"
+			set +e
+			_LB_PACKAGES="shim-signed:${_SB_DEB_ARCH}"
+			Install_packages
+			_LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}"
+			Install_packages
+			set -e
+			# Use Check_installed, as Check_package will error out immediately
+			Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
+				grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}
+			_GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
+			Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+				shim-signed:${_SB_DEB_ARCH}
+			echo "!!! The above error/warning messages can be ignored !!!"
+
+			if [ "${INSTALL_STATUS}" -ne 0 ]
+			then
+				Echo_warning "UEFI Secure Boot disabled due to missing Shim. (${_SB_EFI_NAME})"
+			elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ]
+			then
+				# Each user needs to enroll the hash for grub*.efi in their UEFI setup
+				Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available. (${_SB_EFI_NAME})"
+			else
+				# Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug.
+				mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed
+				mkdir -p chroot/secure-boot-temp/usr/lib/shim
+				cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed
+				cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed
+				Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})"
+			fi
+			;;
+		enable)
+			Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
+				grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}
+			Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
+				shim-signed:${_SB_DEB_ARCH}
+			Install_packages
+			# Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug.
+			mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed
+			mkdir -p chroot/secure-boot-temp/usr/lib/shim
+			cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed
+			cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed
+			Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})"
+			;;
+		disable)
+			Echo_message "UEFI Secure Boot support disabled. (${_SB_EFI_NAME})"
+			;;
+	esac
+
+}
+
 case "${LB_ARCHITECTURE}" in
-	amd64)
-		_SB_EFI_PLATFORM="x86_64"
-		_SB_EFI_NAME="x64"
-		_SB_EFI_DEB="amd64"
-		;;
-	i386)
-		_SB_EFI_PLATFORM="i386"
-		_SB_EFI_NAME="ia32"
-		_SB_EFI_DEB="ia32"
-		;;
+	amd64|i386)
+		secure_boot_package_install "x86_64" "x64" "amd64" "amd64"
+		secure_boot_package_install "i386" "ia32" "i386" "ia32"
+	;;
 	arm64)
-		_SB_EFI_PLATFORM="arm64"
-		_SB_EFI_NAME="aa64"
-		_SB_EFI_DEB="arm64"
-		;;
+		secure_boot_package_install "arm64" "aa64" "arm64" "arm64"
+	;;
 	armhf)
-		_SB_EFI_PLATFORM="arm"
-		_SB_EFI_NAME="arm"
-		_SB_EFI_DEB="arm"
-		;;
+		secure_boot_package_install "arm" "arm" "arm" "arm"
+	;;
 esac

-# Restoring cache
-Restore_package_cache binary
+# Restore efi signed files from chroot/secure-boot-temp as a workaround for #928486 bug.
+if [ -e "chroot/secure-boot-temp" ]
+then
+	cp -a chroot/secure-boot-temp/* chroot/
+	rm -rf chroot/secure-boot-temp
+fi

-# Installing depends
-Install_packages
-
-case "${LB_UEFI_SECURE_BOOT}" in
-	auto)
-		# Try to install the shim and signed grub package separately,
-		# as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs)
-		# Uses the (intentionally) undocumented _LB_PACKAGES variable
-		echo "!!! The following error/warning messages can be ignored !!!"
-		set +e
-		_LB_PACKAGES="shim-signed"
-		Install_packages
-		_LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed"
-		Install_packages
-		set -e
-		# Use Check_installed, as Check_package will error out immediately
-		Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
-			grub-efi-${_SB_EFI_DEB}-signed
-		_GRUB_INSTALL_STATUS="${INSTALL_STATUS}"
-		Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
-			shim-signed
-		echo "!!! The above error/warning messages can be ignored !!!"
-
-		if [ "${INSTALL_STATUS}" -ne 0 ]
-		then
-			Echo_warning "UEFI Secure Boot disabled due to missing Shim."
-		elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ]
-		then
-			# Each user needs to enroll the hash for grub*.efi in their UEFI setup
-			Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available."
-		else
-			Echo_message "UEFI Secure Boot support enabled."
-		fi
-		;;
-	enable)
-		Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \
-			grub-efi-${_SB_EFI_DEB}-signed
-		Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
-			shim-signed
-		Install_packages
-		Echo_message "UEFI Secure Boot support enabled."
-		;;
-	disable)
-		Echo_message "UEFI Secure Boot support disabled."
-		;;
-esac
+_LB_PACKAGES="${_PRE_SB_PACKAGES}"

 # Cleanup files that we generate
 rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi binary/boot/grub/arm-efi
@ -223,28 +243,19 @@ fi
 PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it was installed in the system

 case "${LB_ARCHITECTURE}" in
-	amd64)
+	amd64|i386)
 		gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64"
-		if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/gcd\$efi_name.efi.signed ]; then
-			# When a signed grub is available, add 32-bit UEFI support too
-			gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386"
-		fi
-		PATH="\${PRE_EFI_IMAGE_PATH}"
-		;;
-	i386)
 		gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386"
-		PATH="\${PRE_EFI_IMAGE_PATH}"
 		;;
 	arm64)
 		gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64"
-		PATH="\${PRE_EFI_IMAGE_PATH}"
 		;;
 	armhf)
 		gen_efi_boot_img "arm-efi" "arm" "debian-live/arm"
-		PATH="\${PRE_EFI_IMAGE_PATH}"
 		;;
 esac

+PATH="\${PRE_EFI_IMAGE_PATH}"

 # On some platforms the EFI grub image will be loaded, so grub's root
 # variable will be set to the EFI partition. This means that grub will