grub2/0269-grub-install-disable-support-for-EFI-platforms.patch
DistroBaker 1d842d2b55 Merged update from upstream sources
This is an automated DistroBaker update from upstream sources.
If you do not know what this is about or would like to opt out,
contact the OSCI team.

Source: https://src.fedoraproject.org/rpms/grub2.git#f9736ec08517869c0e2d4e3491da8abe09ab1d60
2021-01-12 16:38:06 +00:00


From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jan Hlavac <jhlavac@redhat.com>
Date: Fri, 20 Nov 2020 23:51:47 +0100
Subject: [PATCH] grub-install: disable support for EFI platforms

For each platform, GRUB is shipped as a kernel image and a set of
modules. These files are then used by the grub-install utility to
install GRUB on a specific device. However, in order to support UEFI
Secure Boot, the resulting EFI binary must be signed by a recognized
private key. For this reason, for EFI platforms, most distributions also
ship prebuilt EFI binaries signed by a distribution-specific private
key. In this case, however, the grub-install utility should not be used
because it would overwrite the signed EFI binary.
The current fix is suboptimal because it preserves all EFI-related code.
A better solution could be to modularize the code and provide a
build-time option.
Resolves: rhbz#1737444
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
---
util/grub-install.c | 37 ++++++++++++++++---------------------
docs/grub.texi | 7 +++++++
util/grub-install.8 | 4 +++-
3 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/util/grub-install.c b/util/grub-install.c
index dddb7576c97..b3f5e414052 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -899,6 +899,22 @@ main (int argc, char *argv[])
platform = grub_install_get_target (grub_install_source_directory);
+ switch (platform)
+ {
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
+ is_efi = 1;
+ grub_util_error (_("this utility cannot be used for EFI platforms"
+ " because it does not support UEFI Secure Boot"));
+ break;
+ default:
+ is_efi = 0;
+ break;
+ }
+
{
char *platname = grub_install_get_platform_name (platform);
fprintf (stderr, _("Installing for %s platform.\n"), platname);
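Review bot: the new switch in this hunk does not list GRUB_INSTALL_PLATFORM_RISCV32_EFI or GRUB_INSTALL_PLATFORM_RISCV64_EFI, both of which the switch removed later in this file (the @@ -1011 hunk) treated as EFI. With this change those two targets fall into `default:`, get `is_efi = 0` and continue past the new error into the non-EFI install path, while every other EFI platform is rejected; add the two RISC-V cases here so the check matches the set it replaces. Also, if grub_util_error() terminates the program, as the "cannot be used" wording implies, the `is_efi = 1;` assignment immediately before it is never observed and can be dropped, leaving the switch as a plain reject list.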
@@ -1011,28 +1027,7 @@ main (int argc, char *argv[])
grub_hostfs_init ();
grub_host_init ();
- switch (platform)
- {
- case GRUB_INSTALL_PLATFORM_I386_EFI:
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
- is_efi = 1;
- break;
- default:
- is_efi = 0;
- break;
-
- /* pacify warning. */
- case GRUB_INSTALL_PLATFORM_MAX:
- break;
- }
-
/* Find the EFI System Partition. */
-
if (is_efi)
{
grub_fs_t fs;
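Review bot: the removed switch carried a `/* pacify warning. */ case GRUB_INSTALL_PLATFORM_MAX:` arm that the replacement switch in the @@ -899 hunk does not, so whatever compiler warning that arm silenced may reappear with the new switch; consider carrying the GRUB_INSTALL_PLATFORM_MAX case over. Note also that the unchanged `if (is_efi)` below still depends on the earlier assignment, and after this hunk the RISC-V EFI platforms listed in the deleted lines are no longer assigned `is_efi = 1` anywhere, so the ESP lookup that follows is skipped for them rather than the install being refused.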
diff --git a/docs/grub.texi b/docs/grub.texi
index 495462b8e48..085b9974cc5 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6293,6 +6293,13 @@ grub2-install @var{install_device}
The device name @var{install_device} is an OS device name or a GRUB
device name.
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
+be signed by a recognized private key. For this reason, for EFI
+platforms, most distributions also ship prebuilt GRUB EFI binaries
+signed by a distribution-specific private key. In this case, however,
+@command{grub2-install} should not be used because it would overwrite
+the signed EFI binary.
+
@command{grub2-install} accepts the following options:
@table @option
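Review bot: "should not be used" understates what the code now does: per the util/grub-install.c hunk, grub-install exits with "this utility cannot be used for EFI platforms because it does not support UEFI Secure Boot" on every EFI platform it recognizes, whether or not Secure Boot is actually enabled on the machine. The manual should state that the command refuses to run on EFI platforms and that the distribution's prebuilt signed EFI binaries (already described in the new paragraph) are the supported path, so a reader who hits the error knows it is intentional and what to do instead.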
diff --git a/util/grub-install.8 b/util/grub-install.8
index 1db89e94b3b..811d441b16c 100644
--- a/util/grub-install.8
+++ b/util/grub-install.8
@@ -1,4 +1,4 @@
-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
.SH NAME
\fBgrub-install\fR \(em Install GRUB on a device.
@@ -31,6 +31,8 @@
.SH DESCRIPTION
\fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
+
.SH OPTIONS
.TP
\fB--modules\fR=\fIMODULES\fR\!
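Review bot: there is no `.PP` (or blank line) between the existing DESCRIPTION paragraph and the added sentence, so the formatter will run the two together into one paragraph; insert `.PP` before the new text. As with the grub.texi hunk, "should not be used" does not match the behaviour introduced in util/grub-install.c, where the utility exits with an error on all recognized EFI platforms regardless of Secure Boot state; the man page should document that refusal rather than phrase it as advice.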