Re: Bug#925309: Wrong prefix directory hardcoded in signed GRUB image

To: Colin Watson <cjwatson@debian.org>, 925309@bugs.debian.org
Cc: Steve McIntyre <steve@einval.com>, debian-efi@lists.debian.org
Subject: Re: Bug#925309: Wrong prefix directory hardcoded in signed GRUB image
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Tue, 13 Dec 2022 16:00:30 +0100
Message-id: <[🔎] 0c011f31-33f6-360f-ca57-20bdbaf05080@plouf.fr.eu.org>
In-reply-to: <20190324001014.7nc5bigsdcj7lkbc@riva.ucam.org>
References: <73bb3f85-a6b3-afba-0106-7e30efc378b0@plouf.fr.eu.org> <20190324001014.7nc5bigsdcj7lkbc@riva.ucam.org>

(CC'in Steve McIntyre and debian-efi)

On 24/03/2019 at 01:10, Colin Watson wrote:

On Fri, Mar 22, 2019 at 08:47:37PM +0100, Pascal Hambourg wrote:


grub-install installs this initial grub.cfg in the same location as the
signed image, i.e.
- /EFI/BOOT if the option --removable is present
- the directory derived from the --bootloader-id option if present
- the directory derived from $GRUB_DISTRIBUTOR defined in /etc/default/grub

The default value of $GRUB_DISTRIBUTOR is "Debian", so the default install
location is (EFI_PARTITION)/EFI/debian.

However when the signed image is installed in a different location, it still
looks for grub.cfg in (EFI_PARTITION)/EFI/debian instead of $cmdpath and
spawns the grub> shell unless grub.cfg is present in this location. In the
shell, $prefix is set to (EFI_PARTITION)/EFI/debian.

Shouldn't the prefix be initialized with $cmdpath instead of the hardcoded
path /EFI/debian ?


Possibly.  The prefix parameter given to grub-mkimage's -p option has to
be an actual path, not a variable reference.  In order to make it use
$cmdpath, we'd need another one of the arrangements we use for some of
the other pre-built images to use a config file embedded in a memdisk.

Upcoming grub2 2.06-3~deb11u5 brought an unexpected side-effectregarding bugs #925309 and #1017887.An initial config file (memdisk)/grub.cfg is now embedded in the signedcore image along with the font file.

The relevant part is:

	elif [ -e $prefix/grub.cfg ]; then
		source $prefix/grub.cfg
	else
		source $cmdpath/grub.cfg

So if /EFI/debian/grub.cfg does not exist, then /EFI/<id>/grub.cfg cannow be used instead. This is a significant improvement.


However, two issues remain.

1) If /EFI/debian/grub.cfg exists, it is still used even if/EFI/<id>/grub.cfg also exists. This is an issue when installingmultiple instances of GRUB for different Debian systems if one has thedefault <id>="debian". Is it conceivable to reverse the order and use$cmdpath/grub.cfg first ?

2) The file /EFI/<id>/BOOT${ARCH}.CSV always contains the name "debian"regardless of the identifier <id> specified by --bootloader-id on thegrub-install command line or $GRUB_DISTRIBUTOR in /etc/default/grub. Thename in this file is used by fb${ARCH}.efi run by shim when invoked as/EFI/BOOT/BOOT${ARCH}.efi (removable media path) to recreate an EFI bootvariable for the instance, so the variable will be labelled "debian"instead of <id>. Is it conceivable to replace "debian" with <id> in thisfile ?

Reply to:

Follow-Ups:
- Re: Bug#925309: Wrong prefix directory hardcoded in signed GRUB image
  - From: Pascal Hambourg <pascal@plouf.fr.eu.org>

Prev by Date: Re: Debian Signed shim and grub images source code request
Next by Date: Bug#1026243: fwupd: please remove old .gz cache files on upgrade (now using .xz)
Previous by thread: Re: Debian Signed shim and grub images source code request
Next by thread: Re: Bug#925309: Wrong prefix directory hardcoded in signed GRUB image
Index(es):
- Date
- Thread