Secure Boot workaround for 928486 bug

This workaround simulates shim-signed:amd64 and shim-signed:i386 installation coexistence.

This is also a workaround for 936009, so in addition:

This workaround simulates shim-unsigned:amd64 and shim-unsigned:i386 installation coexistence.
adrian15 2019-05-05 23:07:11 +02:00 committed by adrian15sgd
parent 9a144a4870
commit c09791ddf0


@ -105,6 +105,11 @@ secure_boot_package_install ()
# Each user needs to enroll the hash for grub*.efi in their UEFI setup
Echo_warning "Limited UEFI Secure Boot support enabled: only the Shim is available. (${_SB_EFI_NAME})"
else
# Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug.
mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed
mkdir -p chroot/secure-boot-temp/usr/lib/shim
cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed
cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed
Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})"
fi
;;
@ -114,6 +119,11 @@ secure_boot_package_install ()
Check_package chroot /usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed \
shim-signed:${_SB_DEB_ARCH}
Install_packages
# Save efi signed files to chroot/secure-boot-temp as a workaround for #928486 bug.
mkdir -p chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed
mkdir -p chroot/secure-boot-temp/usr/lib/shim
cp -a chroot/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/grub/${_SB_EFI_PLATFORM}-efi-signed/gcd${_SB_EFI_NAME}.efi.signed
cp -a chroot/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed chroot/secure-boot-temp/usr/lib/shim/shim${_SB_EFI_NAME}.efi.signed
Echo_message "UEFI Secure Boot support enabled. (${_SB_EFI_NAME})"
;;
disable)
@ -136,6 +146,13 @@ case "${LB_ARCHITECTURE}" in
;;
esac
# Restore efi signed files from chroot/secure-boot-temp as a workaround for #928486 bug.
if [ -e "chroot/secure-boot-temp" ]
then
cp -a chroot/secure-boot-temp/* chroot/
rm -rf chroot/secure-boot-temp
fi
_LB_PACKAGES="${_PRE_SB_PACKAGES}"
# Cleanup files that we generate
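Review bot: The restore block in the last hunk (`cp -a chroot/secure-boot-temp/* chroot/`) overlays everything found in the staging directory onto the chroot, and nothing visible in these hunks empties `chroot/secure-boot-temp` before the first save, so a directory left behind by an interrupted earlier build would have its older signed shim/GRUB binaries copied into the new image. The save steps appear to accumulate files across architectures on purpose, so the clean-up belongs once before the first call to secure_boot_package_install, which is outside the visible hunks. The restore could also be narrowed to the two trees that are actually staged, e.g. `cp -a chroot/secure-boot-temp/usr/lib/grub chroot/secure-boot-temp/usr/lib/shim chroot/usr/lib/`. The restored .efi.signed files presumably no longer belong to an installed package afterwards, so a comment such as `# Restored files are not tracked by dpkg; they keep the version that was installed at save time.` would help whoever later audits the image's boot chain. The identical five-line save block in the hunks at 105 and 119 would be easier to keep in step as one small helper function.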