diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi
index 41a8c526e..0e78147a9 100755
--- a/scripts/build/binary_grub-efi
+++ b/scripts/build/binary_grub-efi
@@ -59,81 +59,101 @@ Check_package chroot /usr/bin/grub-mkimage grub-common Check_package chroot /usr/bin/mcopy mtools Check_package chroot /sbin/mkfs.msdos dosfstools -# Check UEFI Secure Boot setting and depends -# By default (auto) do a best-effort build: if the signed binaries are available use -# them, but don't fail if they are not, just print a warning. +_PRE_SB_PACKAGES="${_LB_PACKAGES}" + +secure_boot_package_install () +{ + _SB_EFI_PLATFORM="$1" + _SB_EFI_NAME="$2" + _SB_DEB_ARCH="$3" + _SB_EFI_DEB="$4" + + # Restoring cache + Restore_package_cache binary + + # Installing depends + Install_packages + + # Check UEFI Secure Boot setting and depends + # By default (auto) do a best-effort build: if the signed binaries are available use + # them, but don't fail if they are not, just print a warning. + case "${LB_UEFI_SECURE_BOOT}" in + auto) + # Try to install the shim and signed grub package separately, + # as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs) + # Uses the (intentionally) undocumented _LB_PACKAGES variable + echo "!!! The following error/warning messages can be ignored !!!" + set +e + _LB_PACKAGES="shim-signed:${_SB_DEB_ARCH}" + Install_packages + _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}" + Install_packages + set -e + # Use Check_installed, as Check_package will error out immediately + Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ + grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH} + _GRUB_INSTALL_STATUS="${INSTALL_STATUS}" + Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ + shim-signed:${_SB_DEB_ARCH} + echo "!!! The above error/warning messages can be ignored !!!" + + if [ "${INSTALL_STATUS}" -ne 0 ] + then + Echo_warning "UEFI Secure Boot disabled due to missing Shim. 
(${_SB_EFI_NAME})" + elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ] + then + # Each user needs to enroll the hash for grub*.efi in their UEFI setup + Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available. (${_SB_EFI_NAME})" + else + # Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug. + mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed + mkdir -p chroot/secure-boot-temp/usr/lib/shim + cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed + cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed + Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" + fi + ;; + enable) + Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ + grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH} + Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ + shim-signed:${_SB_DEB_ARCH} + Install_packages + # Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug. + mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed + mkdir -p chroot/secure-boot-temp/usr/lib/shim + cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed + cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed + Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" + ;; + disable) + Echo_message "UEFI Secure Boot support disabled. 
(${_SB_EFI_NAME})" + ;; + esac + +} + case "${LB_ARCHITECTURE}" in - amd64) - _SB_EFI_PLATFORM="x86_64" - _SB_EFI_NAME="x64" - _SB_EFI_DEB="amd64" - ;; - i386) - _SB_EFI_PLATFORM="i386" - _SB_EFI_NAME="ia32" - _SB_EFI_DEB="ia32" - ;; + amd64|i386) + secure_boot_package_install "x86_64" "x64" "amd64" "amd64" + secure_boot_package_install "i386" "ia32" "i386" "ia32" + ;; arm64) - _SB_EFI_PLATFORM="arm64" - _SB_EFI_NAME="aa64" - _SB_EFI_DEB="arm64" - ;; + secure_boot_package_install "arm64" "aa64" "arm64" "arm64" + ;; armhf) - _SB_EFI_PLATFORM="arm" - _SB_EFI_NAME="arm" - _SB_EFI_DEB="arm" - ;; + secure_boot_package_install "arm" "arm" "arm" "arm" + ;; esac -# Restoring cache -Restore_package_cache binary +# Restore efi signed files from chroot/secure-boot-temp as a workaround for #928486 bug. +if [ -e "chroot/secure-boot-temp" ] +then + cp -a chroot/secure-boot-temp/* chroot/ + rm -rf chroot/secure-boot-temp +fi -# Installing depends -Install_packages - -case "${LB_UEFI_SECURE_BOOT}" in - auto) - # Try to install the shim and signed grub package separately, - # as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs) - # Uses the (intentionally) undocumented _LB_PACKAGES variable - echo "!!! The following error/warning messages can be ignored !!!" - set +e - _LB_PACKAGES="shim-signed" - Install_packages - _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed" - Install_packages - set -e - # Use Check_installed, as Check_package will error out immediately - Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed - _GRUB_INSTALL_STATUS="${INSTALL_STATUS}" - Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed - echo "!!! The above error/warning messages can be ignored !!!" - - if [ "${INSTALL_STATUS}" -ne 0 ] - then - Echo_warning "UEFI Secure Boot disabled due to missing Shim." 
- elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ] - then - # Each user needs to enroll the hash for grub*.efi in their UEFI setup - Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available." - else - Echo_message "UEFI Secure Boot support enabled." - fi - ;; - enable) - Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed - Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed - Install_packages - Echo_message "UEFI Secure Boot support enabled." - ;; - disable) - Echo_message "UEFI Secure Boot support disabled." - ;; -esac +_LB_PACKAGES="${_PRE_SB_PACKAGES}" # Cleanup files that we generate rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi binary/boot/grub/arm-efi @@ -223,28 +243,19 @@ fi PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it was installed in the system case "${LB_ARCHITECTURE}" in - amd64) + amd64|i386) gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64" - if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/gcd\$efi_name.efi.signed ]; then - # When a signed grub is available, add 32-bit UEFI support too - gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" - fi - PATH="\${PRE_EFI_IMAGE_PATH}" - ;; - i386) gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; arm64) gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; armhf) gen_efi_boot_img "arm-efi" "arm" "debian-live/arm" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; esac +PATH="\${PRE_EFI_IMAGE_PATH}" # On some platforms the EFI grub image will be loaded, so grub's root # variable will be set to the EFI partition. This means that grub will
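Review bot: On `amd64|i386` the second `secure_boot_package_install` call inherits `_LB_PACKAGES` from the first, because in the `auto` branch the function leaves it set to `grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}` and only the `_LB_PACKAGES="${_PRE_SB_PACKAGES}"` after the `case` restores it. The unconditional `Install_packages` at the top of the function then re-runs with that package while `set -e` is in effect, so a signed grub package that failed to install under `set +e` in the first call (the very case `auto` is meant to tolerate) would, if `Install_packages` propagates apt's exit status, abort the build on the second call. Resetting the variable at function entry, `_LB_PACKAGES="${_PRE_SB_PACKAGES}"` placed before the first `Install_packages`, keeps each call independent of the previous one. Separately, the new `:${_SB_DEB_ARCH}` suffixes request foreign-architecture packages (`shim-signed:i386` on an amd64 chroot, `:amd64` on i386); nothing in the hunk adds that architecture to dpkg, so the `enable` path's `Check_package` presumably fails unless the chroot already has multi-arch configured — worth a comment or an explicit check before the `case`.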
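Review bot: The `amd64|i386` arm now runs `gen_efi_boot_img "x86_64-efi"` on an i386 build and drops the `-r .../gcd\$efi_name.efi.signed` guard that previously made the 32-bit image conditional, so the image for the foreign platform is built unconditionally even when its grub modules or signed binary are absent from the chroot. If `gen_efi_boot_img` (defined outside this hunk) needs `/usr/lib/grub/<platform>-efi` or the signed `gcd<name>.efi.signed` to exist, a missing cross-architecture `grub-efi-*-bin` package turns the best-effort `auto` mode of the package step into a hard failure at this point. A directory check keeps the old tolerance, e.g. `if [ -d "${_CHROOT_DIR}/usr/lib/grub/x86_64-efi" ]; then gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64"; fi` and the same for `i386-efi`. This `case` sits inside a generated script (note the escaped `\$` variables) whose heredoc begins and ends outside the hunk.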