
Bug#930757: unblock: grub2/2.02+dfsg1-19



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2.

I hope this is the final grub2 update for the buster release.  It
consists mainly of a number of patches from Steve McIntyre to clean up
problems with our UEFI Secure Boot support.

diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/.git-dpm	2019-06-14 19:04:01.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9569221816a2a1a832be106440375a612e0121b7
-9569221816a2a1a832be106440375a612e0121b7
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/build-efi-images grub2-2.02+dfsg1/debian/build-efi-images
--- grub2-2.02+dfsg1/debian/build-efi-images	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/build-efi-images	2019-06-14 19:04:01.000000000 +0100
@@ -20,16 +20,17 @@
 
 # Make EFI boot images for signing.
 
-if [ $# -lt 5 ]; then
-	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 6 ]; then
+	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
 fi
 
 grub_mkimage="$1"
 grub_core="$2"
 outdir="$3"
-platform="$4"
-efi_name="$5"
-efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+deb_arch="$4"
+platform="$5"
+efi_name="$6"
+efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
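Review bot: The argument-count check on the `if [ $# -lt 6 ]` line still only echoes the usage text and then falls through, so a caller that omits the new DEB-ARCH argument continues with `deb_arch` empty and every later positional assignment shifted (the platform is read as the EFI name, and so on); the hunk at @@ -181 then bakes `${efi_vendor}-installer//grub` into the installer image's prefix. Terminate on bad usage: `echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]" >&2` followed by `exit 1`. A `: "${deb_arch:?DEB-ARCH must not be empty}"` after the assignments would also catch an explicitly empty argument. The script's prologue lies outside this hunk.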
@@ -115,6 +116,7 @@
 	memdisk
 	minicmd
 	normal
+	ntfs
 	part_apple
 	part_msdos
 	part_gpt
@@ -141,7 +143,9 @@
 case $platform in
     x86_64-efi|i386-efi)
 	CD_MODULES="$CD_MODULES
+	cpuid
 	linuxefi
+	play
 	"
 	;;
 esac
@@ -181,15 +185,29 @@
 	tftp
 	"
 
+# CD boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
 	-d "$grub_core" \
 	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
 	-p /boot/grub \
 	$CD_MODULES
+
+# Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
 	-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+
+# Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-	-m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
+	-m "$workdir/memdisk-netboot.fat" \
+	-p /grub $NET_MODULES
+
+# Special network boot image for d-i to use. Just the same as the
+# normal network boot image, but with a different value baked in for
+# the prefix setting
+"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
+	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
+	-m "$workdir/memdisk-netboot.fat" \
+	-p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
 
 exit 0
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/changelog	2019-06-14 19:04:01.000000000 +0100
@@ -1,3 +1,18 @@
+grub2 (2.02+dfsg1-19) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Fix format of debian/copyright.
+
+  [ Steve McIntyre ]
+  * Add the ntfs module to signed UEFI images. Closes: #923855
+  * Add the cpuid module to signed UEFI images. Closes: #928628
+  * Add the play module to signed UEFI images. Closes: #930290
+  * Add an extra di-specific version of the UEFI netboot image with a
+    different baked-in prefix value. Helps to fix #928750.
+  * Deal with --force-extra-removable with signed shim too. Closes: #930531
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 14 Jun 2019 19:04:01 +0100
+
 grub2 (2.02+dfsg1-18) unstable; urgency=medium
 
   * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
diff -Nru grub2-2.02+dfsg1/debian/copyright grub2-2.02+dfsg1/debian/copyright
--- grub2-2.02+dfsg1/debian/copyright	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/copyright	2019-06-14 19:04:01.000000000 +0100
@@ -1,4 +1,5 @@
-Name: GNU GRUB
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GNU GRUB
 Source: https://www.gnu.org/software/grub/
 Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c
 
diff -Nru grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch
--- grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch	2019-06-14 19:04:01.000000000 +0100
@@ -0,0 +1,193 @@
+From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Fri, 14 Jun 2019 16:37:11 +0100
+Subject: Deal with --force-extra-removable with signed shim too
+
+In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
+and signed Grub as /EFI/BOOT/grubXXX.efi.
+
+Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
+/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
+NVRAM).
+
+[cjwatson: Refactored also_install_removable somewhat for brevity and so
+that we're using consistent case-insensitive logic.]
+
+Bug-Debian: https://bugs.debian.org/930531
+Last-Update: 2019-06-14
+
+Patch-Name: grub-install-removable-shim.patch
+---
+ util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 67 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 04d8250c9..03b1283e0 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
+ static void
+ also_install_removable(const char *src,
+ 		       const char *base_efidir,
+-		       const char *efi_suffix_upper)
++		       const char *efi_file,
++		       int is_needed)
+ {
+-  char *efi_file = NULL;
+   char *dst = NULL;
+   char *cur = NULL;
+   char *found = NULL;
+ 
+-  if (!efi_suffix_upper)
+-    grub_util_error ("%s", _("efi_suffix_upper not set"));
+-  efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+-
+   /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
+    * need to cope with case-insensitive stuff here. Build the path one
+    * component at a time, checking for existing matches each time. */
+@@ -924,10 +920,9 @@ also_install_removable(const char *src,
+   cur = xstrdup (dst);
+   free (dst);
+   free (found);
+-  grub_install_copy_file (src, cur, 1);
++  grub_install_copy_file (src, cur, is_needed);
+ 
+   free (cur);
+-  free (efi_file);
+ }
+ 
+ int
+@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
+     case GRUB_INSTALL_PLATFORM_IA64_EFI:
+       {
+ 	char *dst = grub_util_path_concat (2, efidir, efi_file);
++	char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
++
+ 	if (uefi_secure_boot)
+ 	  {
+ 	    char *shim_signed = NULL;
+ 	    char *mok_signed = NULL, *mok_file = NULL;
+ 	    char *fb_signed = NULL, *fb_file = NULL;
++	    char *csv_file = NULL;
+ 	    char *config_dst;
+ 	    FILE *config_dst_f;
+ 
+@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
+ 	    mok_file = xasprintf ("mm%s.efi", efi_suffix);
+ 	    fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
+ 	    fb_file = xasprintf ("fb%s.efi", efi_suffix);
++	    csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
++
++	    /* If we have a signed shim binary, install that and all
++	       its helpers in the normal vendor path */
+ 
+ 	    if (grub_util_is_regular (shim_signed))
+ 	      {
+ 		char *chained_base, *chained_dst;
+-		char *mok_src, *mok_dst, *fb_src, *fb_dst;
++		char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
+ 		if (!removable)
+ 		  {
+ 		    free (efi_file);
+@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
+ 		chained_base = xasprintf ("grub%s.efi", efi_suffix);
+ 		chained_dst = grub_util_path_concat (2, efidir, chained_base);
+ 		grub_install_copy_file (efi_signed, chained_dst, 1);
+-		free (chained_dst);
+-		free (chained_base);
+ 
+ 		/* Not critical, so not an error if they are not present (as it
+ 		   won't be for older releases); but if we have them, make
+@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
+ 						    mok_file);
+ 		grub_install_copy_file (mok_src,
+ 					mok_dst, 0);
+-		free (mok_src);
+-		free (mok_dst);
+ 
+ 		fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ 						    fb_signed);
+@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
+ 						    fb_file);
+ 		grub_install_copy_file (fb_src,
+ 					fb_dst, 0);
++
++		csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
++						    csv_file);
++		csv_dst = grub_util_path_concat (2, efidir,
++						    csv_file);
++		grub_install_copy_file (csv_src,
++					csv_dst, 0);
++
++		/* Install binaries into .../EFI/BOOT too:
++		   the shim binary
++		   the grub binary
++		   the shim fallback binary (not fatal on failure) */
++		if (force_extra_removable)
++		  {
++		    grub_util_info ("Secure boot: installing shim and image into rm path");
++		    also_install_removable (shim_signed, base_efidir, removable_file, 1);
++
++		    also_install_removable (efi_signed, base_efidir, chained_base, 1);
++
++		    /* If we're updating the NVRAM, add fallback too - it
++			will re-update the NVRAM later if things break */
++		    if (update_nvram)
++		      also_install_removable (fb_src, base_efidir, fb_file, 0);
++		  }
++
++		free (chained_dst);
++		free (chained_base);
++		free (mok_src);
++		free (mok_dst);
+ 		free (fb_src);
+ 		free (fb_dst);
++		free (csv_src);
++		free (csv_dst);
+ 	      }
+ 	    else
+-	      grub_install_copy_file (efi_signed, dst, 1);
++	      {
++		/* Tried to install for secure boot, but no signed
++		   shim found. Fall back to just installing the signed
++		   grub binary */
++		grub_util_info ("Secure boot (no shim): installing signed grub binary");
++		grub_install_copy_file (efi_signed, dst, 1);
++		if (force_extra_removable)
++		  {
++		    grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
++		    also_install_removable (efi_signed, base_efidir, removable_file, 1);
++		  }
++	      }
+ 
++	    /* In either case, install our grub.cfg */
+ 	    config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ 	    grub_install_copy_file (load_cfg, config_dst, 1);
+ 	    config_dst_f = grub_util_fopen (config_dst, "ab");
+ 	    fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
+ 	    fclose (config_dst_f);
+ 	    free (config_dst);
+-	    if (force_extra_removable)
+-	      also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
++
++	    free (csv_file);
++	    free (fb_file);
++	    free (fb_signed);
++	    free (mok_file);
++	    free (mok_signed);
++	    free (shim_signed);
+ 	  }
+ 	else
+ 	  {
++	    /* No secure boot - just install our newly-generated image */
++	    grub_util_info ("No Secure Boot: installing core image");
+ 	    grub_install_copy_file (imgfile, dst, 1);
+ 	    if (force_extra_removable)
+-	      also_install_removable(imgfile, base_efidir, efi_suffix_upper);
++	      also_install_removable (imgfile, base_efidir, removable_file, 1);
+ 	  }
++
++	free (removable_file);
+ 	free (dst);
+       }
+       if (!removable && update_nvram)
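Review bot: The NULL guard on `efi_suffix_upper` that this patch removes from `also_install_removable` is not restored at its new use in main, where `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);` now runs before the `uefi_secure_boot` test on every EFI platform; previously (only when --force-extra-removable was given) a NULL suffix failed with a clear error, now it would reach `xasprintf` with a NULL `%s` argument. Whether `efi_suffix_upper` can actually be NULL at that point is not visible here, since it is set outside this hunk, but keeping the check is cheap: insert `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));` immediately before the `xasprintf`. As a minor style point, the new `grub_util_info` messages say "rm path", which reads as the `rm` command; "removable path" would be clearer. The enclosing `main` starts and ends outside the hunk.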
diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series
--- grub2-2.02+dfsg1/debian/patches/series	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/series	2019-06-14 19:04:01.000000000 +0100
@@ -137,3 +137,4 @@
 arm-move-trampolines-into-code-section.patch
 arm-align-section-alignment-with-manual-reloc-offset.patch
 no-devicetree-if-secure-boot.patch
+grub-install-removable-shim.patch
diff -Nru grub2-2.02+dfsg1/debian/rules grub2-2.02+dfsg1/debian/rules
--- grub2-2.02+dfsg1/debian/rules	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/rules	2019-06-14 19:04:01.000000000 +0100
@@ -219,7 +219,7 @@
 		obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
 		obj/$(package)/grub-core \
 		obj/monolithic/$(package) \
-		$(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
+		$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
 	touch $@
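Review bot: `$(DEB_HOST_ARCH)` is inserted unquoted into the positional argument list of build-efi-images, so if it ever expands empty the argument vanishes rather than being passed as an empty string, and `$(SB_PLATFORM)` is silently consumed as DEB-ARCH with every later argument shifted by one. The variable is presumably provided by dpkg's architecture.mk or an equivalent include that is not visible in this hunk; a parse-time guard such as `$(if $(strip $(DEB_HOST_ARCH)),,$(error DEB_HOST_ARCH is empty))` near the top of debian/rules would make that failure explicit instead of producing misnamed images. The recipe this line belongs to starts outside the hunk.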
 
 debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
diff -Nru grub2-2.02+dfsg1/debian/signing-template.json.in grub2-2.02+dfsg1/debian/signing-template.json.in
--- grub2-2.02+dfsg1/debian/signing-template.json.in	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/signing-template.json.in	2019-06-14 19:04:01.000000000 +0100
@@ -6,6 +6,7 @@
             "files": [
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
+                {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"},
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
             ]
         }

unblock grub2/2.02+dfsg1-19

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]


