From 3b505a066e48625cd5c3ef7aba9d6be85868cf21 Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sat, 10 Aug 2024 22:53:23 +0200 Subject: [PATCH 1/7] binary_grub-efi: Reset PRE_EFI_IMAGE_PATH only once after esac. --- scripts/build/binary_grub-efi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index 41a8c526e..343288e3d 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi @@ -229,22 +229,19 @@ case "${LB_ARCHITECTURE}" in # When a signed grub is available, add 32-bit UEFI support too gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" fi - PATH="\${PRE_EFI_IMAGE_PATH}" ;; i386) gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; arm64) gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; armhf) gen_efi_boot_img "arm-efi" "arm" "debian-live/arm" - PATH="\${PRE_EFI_IMAGE_PATH}" ;; esac +PATH="\${PRE_EFI_IMAGE_PATH}" # On some platforms the EFI grub image will be loaded, so grub's root # variable will be set to the EFI partition. This means that grub will From 6257c2664527fedf6b2754dff925e3380d2149b4 Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sat, 10 Aug 2024 23:16:33 +0200 Subject: [PATCH 2/7] binary_grub-efi: Simplify gen_efi_boot_img i386-efi call. --- scripts/build/binary_grub-efi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index 343288e3d..0ccc17891 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi 
@@ -225,10 +225,7 @@ PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it w case "${LB_ARCHITECTURE}" in amd64) gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64" - if [ -r ${_CHROOT_DIR}/usr/lib/grub/\$platform-signed/gcd\$efi_name.efi.signed ]; then - # When a signed grub is available, add 32-bit UEFI support too - gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" - fi + gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" ;; i386) gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" From 2d6f2526a0d294033275446d018c92561c6aee7f Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sat, 10 Aug 2024 23:17:29 +0200 Subject: [PATCH 3/7] binary_grub-efi: Generate boot entries for both amd64 and i386 architectures. --- scripts/build/binary_grub-efi | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index 0ccc17891..c3ecd8b83 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi @@ -223,13 +223,10 @@ fi PATH="${PATH}:\${LIVE_BUILD_PATH}" # Make sure grub-cpmodules is used as if it was installed in the system case "${LB_ARCHITECTURE}" in - amd64) + amd64|i386) gen_efi_boot_img "x86_64-efi" "x64" "debian-live/amd64" gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" ;; - i386) - gen_efi_boot_img "i386-efi" "ia32" "debian-live/i386" - ;; arm64) gen_efi_boot_img "arm64-efi" "aa64" "debian-live/arm64" ;; From 8f2434a3abcd314b90151f6457d3998d121fd3bb Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sun, 28 Jul 2024 18:15:26 +0200 Subject: [PATCH 4/7] Add Secure Boot code into one function. (1) --- scripts/build/binary_grub-efi | 141 +++++++++++++++++----------------- 1 file changed, 72 insertions(+), 69 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index c3ecd8b83..742e71cac 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi 
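Review bot: Dropping the `-r …gcd\$efi_name.efi.signed` guard makes the ia32 EFI image unconditional on amd64, so if `gen_efi_boot_img` (defined outside this hunk) falls back to an unsigned `grub-mkimage` output when no signed grub exists, a `LB_UEFI_SECURE_BOOT=enable` build can no longer assume every EFI binary it ships is signed. The removed test was itself questionable: `\$platform` and `\$efi_name` are expanded inside the generated script after the preceding x86_64 call, so unless `gen_efi_boot_img` declares them local it was probing the x64 binary rather than the ia32 one, which makes removing it defensible but worth stating in the commit message. If the intent is to keep signed-only media when Secure Boot is enforced, a guard on the actual ia32 path would do: `if [ "${LB_UEFI_SECURE_BOOT}" != "enable" ] || [ -r ${_CHROOT_DIR}/usr/lib/grub/i386-efi-signed/gcdia32.efi.signed ]; then`. The enclosing `case "${LB_ARCHITECTURE}"` continues past the end of the hunk.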
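Review bot: With `amd64|i386)` an i386 build now also runs `gen_efi_boot_img "x86_64-efi" …`, but the dependency checks visible at the top of this file only cover `grub-mkimage`, `mcopy` and `mkfs.msdos`, not the `x86_64-efi` module directory inside an i386 chroot. Unless an earlier check outside this hunk already covers it, add `Check_package chroot /usr/lib/grub/x86_64-efi grub-efi-amd64-bin` (and the `i386-efi` counterpart for amd64) next to those, so a missing module package fails early with a clear message instead of inside `grub-mkimage`; this presumes `grub-efi-amd64-bin` is installable in an i386 chroot, which should be confirmed. The commit message could also note that i386 media now carries a 64-bit boot entry under `debian-live/amd64`.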
@@ -59,82 +59,85 @@ Check_package chroot /usr/bin/grub-mkimage grub-common Check_package chroot /usr/bin/mcopy mtools Check_package chroot /sbin/mkfs.msdos dosfstools -# Check UEFI Secure Boot setting and depends -# By default (auto) do a best-effort build: if the signed binaries are available use -# them, but don't fail if they are not, just print a warning. -case "${LB_ARCHITECTURE}" in - amd64) - _SB_EFI_PLATFORM="x86_64" - _SB_EFI_NAME="x64" - _SB_EFI_DEB="amd64" - ;; - i386) - _SB_EFI_PLATFORM="i386" - _SB_EFI_NAME="ia32" - _SB_EFI_DEB="ia32" - ;; - arm64) - _SB_EFI_PLATFORM="arm64" - _SB_EFI_NAME="aa64" - _SB_EFI_DEB="arm64" - ;; - armhf) - _SB_EFI_PLATFORM="arm" - _SB_EFI_NAME="arm" - _SB_EFI_DEB="arm" - ;; -esac +_PRE_SB_PACKAGES="${_LB_PACKAGES}" -# Restoring cache -Restore_package_cache binary +secure_boot_package_install () +{ + _SB_EFI_PLATFORM="$1" + _SB_EFI_NAME="$2" + _SB_DEB_ARCH="$3" + _SB_EFI_DEB="$4" -# Installing depends -Install_packages + # Restoring cache + Restore_package_cache binary -case "${LB_UEFI_SECURE_BOOT}" in - auto) - # Try to install the shim and signed grub package separately, - # as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs) - # Uses the (intentionally) undocumented _LB_PACKAGES variable - echo "!!! The following error/warning messages can be ignored !!!" - set +e - _LB_PACKAGES="shim-signed" - Install_packages - _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed" - Install_packages - set -e - # Use Check_installed, as Check_package will error out immediately - Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed - _GRUB_INSTALL_STATUS="${INSTALL_STATUS}" - Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed - echo "!!! The above error/warning messages can be ignored !!!" 
+ # Installing depends + Install_packages - if [ "${INSTALL_STATUS}" -ne 0 ] - then - Echo_warning "UEFI Secure Boot disabled due to missing Shim." - elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ] - then - # Each user needs to enroll the hash for grub*.efi in their UEFI setup - Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available." - else + # Check UEFI Secure Boot setting and depends + # By default (auto) do a best-effort build: if the signed binaries are available use + # them, but don't fail if they are not, just print a warning. + case "${LB_UEFI_SECURE_BOOT}" in + auto) + # Try to install the shim and signed grub package separately, + # as the grub-efi-*-signed package might be uninstallable (e.g. due to binNMUs) + # Uses the (intentionally) undocumented _LB_PACKAGES variable + echo "!!! The following error/warning messages can be ignored !!!" + set +e + _LB_PACKAGES="shim-signed" + Install_packages + _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed" + Install_packages + set -e + # Use Check_installed, as Check_package will error out immediately + Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ + grub-efi-${_SB_EFI_DEB}-signed + _GRUB_INSTALL_STATUS="${INSTALL_STATUS}" + Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ + shim-signed + echo "!!! The above error/warning messages can be ignored !!!" + + if [ "${INSTALL_STATUS}" -ne 0 ] + then + Echo_warning "UEFI Secure Boot disabled due to missing Shim." + elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ] + then + # Each user needs to enroll the hash for grub*.efi in their UEFI setup + Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available." + else + Echo_message "UEFI Secure Boot support enabled." 
+ fi + ;; + enable) + Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ + grub-efi-${_SB_EFI_DEB}-signed + Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ + shim-signed + Install_packages Echo_message "UEFI Secure Boot support enabled." - fi - ;; - enable) - Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed - Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed - Install_packages - Echo_message "UEFI Secure Boot support enabled." - ;; - disable) - Echo_message "UEFI Secure Boot support disabled." - ;; + ;; + disable) + Echo_message "UEFI Secure Boot support disabled." + ;; + esac + +} + +case "${LB_ARCHITECTURE}" in + amd64|i386) + secure_boot_package_install "x86_64" "x64" "amd64" "amd64" + secure_boot_package_install "i386" "ia32" "i386" "ia32" + ;; + arm64) + secure_boot_package_install "arm64" "aa64" "arm64" "arm64" + ;; + armhf) + secure_boot_package_install "arm" "arm" "arm" "arm" + ;; esac +_LB_PACKAGES="${_PRE_SB_PACKAGES}" + # Cleanup files that we generate rm -rf binary/boot/efi.img binary/boot/grub/i386-efi/ binary/boot/grub/x86_64-efi binary/boot/grub/arm64-efi binary/boot/grub/arm-efi From 6370625c86f58c63ddcfff9678338cdf6db82b6c Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sun, 28 Jul 2024 18:18:12 +0200 Subject: [PATCH 5/7] Add Secure Boot code into one function. (2) - Show which EFI type we are dealing with --- scripts/build/binary_grub-efi | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index 742e71cac..cc7102db6 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi 
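Review bot: Moving `Restore_package_cache binary` and the first `Install_packages` into `secure_boot_package_install` means they now run once per EFI target, and on the second call under `amd64|i386)` `_LB_PACKAGES` still holds whatever the first call left behind (`grub-efi-amd64-signed` on the `auto` path), so that leftover is handed to `Install_packages` again and the cache is restored twice; keep those two lines before the `case "${LB_ARCHITECTURE}"` dispatch and leave the function to the shim/grub-signed logic only. The `enable` setting is also stricter than before for amd64 users: both the x86_64 and the i386 target go through `Check_package`, which per the comment errors out immediately, so an amd64 build now aborts when `grub-efi-ia32-signed` or its shim is unavailable even though the 64-bit pair is fine — either document that in the `enable)` branch or run the second target in the best-effort `auto` mode. The function sets `_SB_*` globals rather than locals, so after the loop the last target's values linger; a comment saying that callers must not rely on them after `esac` would avoid surprises.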
@@ -99,13 +99,13 @@ secure_boot_package_install () if [ "${INSTALL_STATUS}" -ne 0 ] then - Echo_warning "UEFI Secure Boot disabled due to missing Shim." + Echo_warning "UEFI Secure Boot disabled due to missing Shim. (${_SB_EFI_NAME})" elif [ "${_GRUB_INSTALL_STATUS}" -ne 0 ] then # Each user needs to enroll the hash for grub*.efi in their UEFI setup - Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available." + Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available. (${_SB_EFI_NAME})" else - Echo_message "UEFI Secure Boot support enabled." + Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" fi ;; enable) @@ -114,10 +114,10 @@ secure_boot_package_install () Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ shim-signed Install_packages - Echo_message "UEFI Secure Boot support enabled." + Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" ;; disable) - Echo_message "UEFI Secure Boot support disabled." + Echo_message "UEFI Secure Boot support disabled. (${_SB_EFI_NAME})" ;; esac From 9a144a48705557f557a07dc71bb1ccaf484739fb Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sun, 28 Jul 2024 18:22:27 +0200 Subject: [PATCH 6/7] Add Secure Boot code into one function. (3) Use _SB_DEB_ARCH variable --- scripts/build/binary_grub-efi | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index cc7102db6..182331b99 100755 --- a/scripts/build/binary_grub-efi +++ b/scripts/build/binary_grub-efi 
@@ -84,17 +84,17 @@ secure_boot_package_install () # Uses the (intentionally) undocumented _LB_PACKAGES variable echo "!!! The following error/warning messages can be ignored !!!" set +e - _LB_PACKAGES="shim-signed" + _LB_PACKAGES="shim-signed:${_SB_DEB_ARCH}" Install_packages - _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed" + _LB_PACKAGES="grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH}" Install_packages set -e # Use Check_installed, as Check_package will error out immediately Check_installed chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed + grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH} _GRUB_INSTALL_STATUS="${INSTALL_STATUS}" Check_installed chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed + shim-signed:${_SB_DEB_ARCH} echo "!!! The above error/warning messages can be ignored !!!" if [ "${INSTALL_STATUS}" -ne 0 ] @@ -110,9 +110,9 @@ secure_boot_package_install () ;; enable) Check_package chroot /usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed \ - grub-efi-${_SB_EFI_DEB}-signed + grub-efi-${_SB_EFI_DEB}-signed:${_SB_DEB_ARCH} Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ - shim-signed + shim-signed:${_SB_DEB_ARCH} Install_packages Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" ;; From c09791ddf044275b0f3181ab1fabc46ce76ec1aa Mon Sep 17 00:00:00 2001 From: adrian15 Date: Sun, 5 May 2019 23:07:11 +0200 Subject: [PATCH 7/7] Secure Boot workaround for 928486 bug This workaround simulates shim-signed:amd64 and shim-signed:i386 installation coexistence. This is also a workaround for 936009 so: This workaround simulates shim-unsigned:amd64 and shim-unsigned:i386 installation coexistence. --- scripts/build/binary_grub-efi | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/scripts/build/binary_grub-efi b/scripts/build/binary_grub-efi index 182331b99..0e78147a9 100755 --- a/scripts/build/binary_grub-efi 
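Review bot: The new `:${_SB_DEB_ARCH}` qualifier turns the armhf target into `shim-signed:arm` and `grub-efi-arm-signed:arm`, and `arm` is not a Debian architecture name, so that target can never resolve; the dispatch site (outside this hunk) should pass the dpkg name as the third argument: `secure_boot_package_install "arm" "arm" "armhf" "arm"`. Separately, the `amd64|i386)` path now asks apt for `shim-signed:i386` inside an amd64 chroot (and vice versa), which only works once the foreign architecture has been added with `dpkg --add-architecture` and apt holds indices for it; nothing in this hunk does that, so unless live-build enables multiarch elsewhere the `auto` branch will report `disabled due to missing Shim. (ia32)` and the `enable` branch will abort in `Check_package`. A comment on the `_LB_PACKAGES="shim-signed:${_SB_DEB_ARCH}"` line stating that precondition would help the next reader.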
+++ b/scripts/build/binary_grub-efi @@ -105,6 +105,11 @@ secure_boot_package_install () # Each user needs to enroll the hash for grub*.efi in their UEFI setup Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available. (${_SB_EFI_NAME})" else + # Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug. + mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed + mkdir -p chroot/secure-boot-temp/usr/lib/shim + cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed + cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" fi ;; @@ -114,6 +119,11 @@ secure_boot_package_install () Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \ shim-signed:${_SB_DEB_ARCH} Install_packages + # Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug. + mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed + mkdir -p chroot/secure-boot-temp/usr/lib/shim + cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed + cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})" ;; disable) @@ -136,6 +146,13 @@ case "${LB_ARCHITECTURE}" in ;; esac +# Restore efi signed files from chroot/secure-boot-temp as a workaround for #928486 bug. +if [ -e "chroot/secure-boot-temp" ] +then + cp -a chroot/secure-boot-temp/* chroot/ + rm -rf chroot/secure-boot-temp +fi + _LB_PACKAGES="${_PRE_SB_PACKAGES}" # Cleanup files that we generate
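Review bot: The four `mkdir`/`cp` lines are duplicated verbatim in the `auto` and `enable` branches of `secure_boot_package_install` (the function starts outside this hunk); factor them into a helper so the two copies cannot drift, as sketched below. The `elif` branch ("only the Shim is available") saves nothing, yet by the commit's own rationale installing the second target's `shim-signed` replaces the first one's files, so an amd64|i386 build that has shims but no signed grub ends up with one shim instead of two. The restore after `esac` is also the only place `chroot/secure-boot-temp` is removed; if the script aborts under `set -e` between save and restore, the directory stays inside the chroot and a later run copies stale files back, so add `rm -rf chroot/secure-boot-temp` before the `case "${LB_ARCHITECTURE}"` dispatch. The copied-back binaries are no longer tracked by dpkg, which is the point of the workaround but deserves a one-line comment next to `cp -a chroot/secure-boot-temp/* chroot/` so nobody "fixes" it later.
```shell
# Stash the signed shim/grub binaries for one EFI target outside their
# dpkg-managed paths; installing the other architecture's shim-signed /
# grub-efi-*-signed replaces them (#928486), and they are copied back
# after the architecture dispatch below.
secure_boot_save_signed_files ()
{
	_SB_GRUB_DIR="usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed"
	_SB_TEMP="chroot/secure-boot-temp"

	mkdir -p "${_SB_TEMP}/${_SB_GRUB_DIR}" "${_SB_TEMP}/usr/lib/shim"
	cp -a "chroot/${_SB_GRUB_DIR}/gcd${_SB_EFI_NAME}.efi.signed" "${_SB_TEMP}/${_SB_GRUB_DIR}/"
	cp -a "chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed" "${_SB_TEMP}/usr/lib/shim/"
}

# … unchanged: secure_boot_package_install up to the auto) status checks …
		else
			secure_boot_save_signed_files
			Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})"
# … unchanged: enable) branch, with its four mkdir/cp lines replaced by the same call …
```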