grub-install --removable uses CD boot image instead of normal disk boot image
Package: grub-efi-amd64-bin
Version: 2.06-3~deb11u5
Tags: patch
When installing GRUB for UEFI secure boot, "grub-install --removable"
uses the CD boot image gcd{arch}.efi.signed which is designed for CD
boot and lacks encryption, LVM and RAID support. Such an image cannot read
/boot on LUKS, LVM or Linux RAID.
The attached patch uses the normal disk boot image grub{arch}.efi.signed
instead. This is now possible because the normal disk image embeds a
config file which searches grub.cfg in $prefix (/EFI/debian) then
$cmdpath (/EFI/BOOT), instead of $prefix only in previous versions. IMO
it would be better to reverse the order, cf. patch attached to bug #925309.

From 304e813b0c1ff030c4d4dd896aeb46be88478763 Mon Sep 17 00:00:00 2001
From: Pascal Hambourg <pascal@plouf.fr.eu.org>
Date: Fri, 23 Dec 2022 12:13:20 +0100
Subject: [PATCH] Use normal signed EFI disk boot image with --removable
grub-install --removable uses the CD boot image gcd{arch}.efi.signed
which is designed for CD boot and lacks crypto, lvm and raid support.
Use the normal disk boot image grub{arch}.efi.signed instead.
---
debian/patches/install-signed.patch | 17 +++++++----------
1 file changed, 7 insertions(+), 10 deletions(-)
diff --git a/debian/patches/install-signed.patch b/debian/patches/install-signed.patch
index bfeb3a938..2a5329f13 100644
--- a/debian/patches/install-signed.patch
+++ b/debian/patches/install-signed.patch
@@ -11,15 +11,15 @@ Author: Steve Langasek <steve.langasek@ubuntu.com>
Author: Linn Crosetto <linn@hpe.com>
Author: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
Forwarded: no
-Last-Update: 2021-09-24
+Last-Update: 2022-12-23
Patch-Name: install-signed.patch
---
- util/grub-install.c | 212 ++++++++++++++++++++++++++++++++------------
- 1 file changed, 153 insertions(+), 59 deletions(-)
+ util/grub-install.c | 209 +++++++++++++++++++++++++++++++-------------
+ 1 file changed, 150 insertions(+), 59 deletions(-)
diff --git a/util/grub-install.c b/util/grub-install.c
-index 48e2d3779..f49c78d0b 100644
+index 48e2d3779..a18a35ac8 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -80,6 +80,7 @@ static char *label_color;
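Review bot: the only header change at the top of this hunk is the Last-Update bump, so nothing in the visible DEP-3 header records that --removable now installs grub{arch}.efi.signed instead of gcd{arch}.efi.signed. Consider adding a sentence to the patch description saying so and why. The edited diffstat is consistent with the rest of the patch: 212 to 209 lines and 153 to 150 insertions match the net three lines removed further down, as does the inner hunk length going from 41 to 38.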
@@ -192,7 +192,7 @@ index 48e2d3779..f49c78d0b 100644
}
t = grub_util_path_concat (3, efidir, "EFI", efi_distributor);
free (efidir);
-@@ -1376,14 +1379,41 @@ main (int argc, char *argv[])
+@@ -1376,14 +1379,38 @@ main (int argc, char *argv[])
}
}
@@ -208,10 +208,7 @@ index 48e2d3779..f49c78d0b 100644
+ {
+ char *dir = xasprintf ("%s-signed", grub_install_source_directory);
+ char *signed_image;
-+ if (removable)
-+ signed_image = xasprintf ("gcd%s.efi.signed", efi_suffix);
-+ else
-+ signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
++ signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
+ efi_signed = grub_util_path_concat (2, dir, signed_image);
+ break;
+ }
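Review bot: with the `if (removable)` branch gone, nothing at this point in the hunk says why the disk image is safe for a removable install. Per the report, that relies on the config embedded in grub{arch}.efi.signed falling back to $cmdpath (/EFI/BOOT) after $prefix (/EFI/debian), which earlier images did not do. A short comment above the xasprintf call stating that dependency would help, and it is worth checking that the package providing the signed image cannot be older than the version that added the fallback, otherwise a removable install would end up with an image that looks for grub.cfg only in $prefix. Minor: the declaration and assignment can now be one line, `char *signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);`.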
@@ -236,7 +233,7 @@ index 48e2d3779..f49c78d0b 100644
{
char *uuid = NULL;
/* generic method (used on coreboot and ata mod). */
-@@ -1941,7 +1971,71 @@ main (int argc, char *argv[])
+@@ -1941,7 +1968,71 @@ main (int argc, char *argv[])
case GRUB_INSTALL_PLATFORM_IA64_EFI:
{
char *dst = grub_util_path_concat (2, efidir, efi_file);
--
2.30.2