From 7b36f5b0ad751081f6316dcb0498df307a2ec902 Mon Sep 17 00:00:00 2001
From: Roland Clobus
Date: Sun, 30 Apr 2023 12:55:19 +0200
Subject: [PATCH] UEFI-secure: Don't attempt to load unsigned modules

The part_*.mod modules are not inside the signed .efi-file, so they must not be 'insmod'ed in secure boot mode.
---
 scripts/build/efi-image | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/scripts/build/efi-image b/scripts/build/efi-image
index bc8ed3a93..5a180aec2 100755
--- a/scripts/build/efi-image
+++ b/scripts/build/efi-image
@@ -57,17 +57,22 @@ EOF
 find $workdir -newermt "$(date -d@${SOURCE_DATE_EPOCH} '+%Y-%m-%d %H:%M:%S')" -exec touch '{}' -d@${SOURCE_DATE_EPOCH} ';'
 mkdir -p "$outdir/boot/grub/$platform"
-(for i in /usr/lib/grub/$platform/part_*.mod; do
+# All partition modules will be activated, unless UEFI secure boot is active (they are not signed)
+PARTITIONLIST=""
+(echo "if [ x$grub_platform == xefi -a x$lockdown != xy ] ; then "; \
+	for i in /usr/lib/grub/$platform/part_*.mod; do
 	i=`echo $i | sed 's?^.*/??g;s?\.mod$??g;'`
 	echo "insmod $i"
+	PARTITIONLIST="${PARTITIONLIST} $i"
 done; \
+	echo "fi"; \
 echo "source /boot/grub/grub.cfg") >"$outdir/boot/grub/$platform/grub.cfg"
 
 # Build the core image.
 (cd "$workdir"; tar -cf - boot) >"$memdisk_img"
 grub-mkimage -O "$platform" -m "$memdisk_img" \
 	-o "$workdir/boot$efi_name.efi" -p '(memdisk)/boot/grub' \
-	search iso9660 configfile normal memdisk tar part_msdos part_gpt fat
+	search iso9660 configfile normal memdisk tar ${PARTITIONLIST} fat
 grub-mkimage -O "$platform" \
 	-o "$outdir/bootnet$efi_name.efi" -p "$netboot_prefix/grub" \