Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock grub2. I hope this is the final grub2 update for the buster release. It consists mainly of a number of patches from Steve McIntyre to clean up problems with our UEFI Secure Boot support.
diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/.git-dpm 2019-06-14 19:04:01.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9569221816a2a1a832be106440375a612e0121b7
-9569221816a2a1a832be106440375a612e0121b7
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/build-efi-images grub2-2.02+dfsg1/debian/build-efi-images
--- grub2-2.02+dfsg1/debian/build-efi-images 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/build-efi-images 2019-06-14 19:04:01.000000000 +0100
@@ -20,16 +20,17 @@
 # Make EFI boot images for signing.
-if [ $# -lt 5 ]; then
- echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 6 ]; then
+ echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
 fi
 grub_mkimage="$1"
 grub_core="$2"
 outdir="$3"
-platform="$4"
-efi_name="$5"
-efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+deb_arch="$4"
+platform="$5"
+efi_name="$6"
+efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
@@ -115,6 +116,7 @@
 memdisk
 minicmd
 normal
+ ntfs
 part_apple
 part_msdos
 part_gpt
@@ -141,7 +143,9 @@
 case $platform in
 x86_64-efi|i386-efi)
 CD_MODULES="$CD_MODULES
+ cpuid
 linuxefi
+ play
 "
 ;;
 esac
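Review bot: The argument-count check at the top of the first build-efi-images hunk still only prints the usage text; execution falls through `fi` with an empty `efi_name` and `platform`, so a caller passing the old five-argument form gets mis-named images (`gcd.efi`, `grub.efi`) instead of a failure. Add `exit 1` after the echo, and send the usage to stderr: `echo "usage: ..." >&2` followed by `exit 1`. A `set -e` at the top of the script (outside this hunk) would not help here, because the `if [ ... ]` test itself succeeds.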
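Review bot: The `ntfs` module added in the `@@ -115` hunk (and `cpuid`/`play` in the `@@ -141` hunk) is compiled into the images that debian/rules sends for Secure Boot signing, so an additional on-disk filesystem parser now runs with the signed image's trust on whatever media is plugged in. That is presumably intentional given the changelog entries, but the module lists carry no rationale; a one-line comment such as `# ntfs: needed to boot from NTFS-formatted media (see changelog)` next to the entry would record why the signed surface was widened. Which list the `@@ -115` hunk belongs to is not visible from the hunk itself.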
@@ -181,15 +185,29 @@
 tftp
 "
+# CD boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
 -d "$grub_core" \
 -c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
 -p /boot/grub \
 $CD_MODULES
+
+# Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
 -d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+
+# Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
- -m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
+ -m "$workdir/memdisk-netboot.fat" \
+ -p /grub $NET_MODULES
+
+# Special network boot image for d-i to use. Just the same as the
+# normal network boot image, but with a different value baked in for
+# the prefix setting
+"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
+ -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
+ -m "$workdir/memdisk-netboot.fat" \
+ -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
 exit 0
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/changelog 2019-06-14 19:04:01.000000000 +0100
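Review bot: None of the four `grub-mkimage` invocations in this hunk has its exit status checked and the hunk ends with an unconditional `exit 0`, so a failure while building the new `grubnet$efi_name-installer.efi` would still report success to debian/rules unless the script enables `set -e` above this hunk (not visible here). Because these files are exactly what signing-template.json.in hands to the signing service, a silent failure means a missing or stale image reaches the signing step. Either confirm `set -e` is in force or append `|| exit 1` to each invocation's last line, e.g. `-p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES || exit 1`. The comment for the installer image could also state what consumes the baked-in prefix: `# d-i fetches its grub.cfg from ${efi_vendor}-installer/$deb_arch/grub on the TFTP server`, hedged as "presumably" if that is not certain.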
@@ -1,3 +1,18 @@
+grub2 (2.02+dfsg1-19) unstable; urgency=medium
+
+ [ Colin Watson ]
+ * Fix format of debian/copyright.
+
+ [ Steve McIntyre ]
+ * Add the ntfs module to signed UEFI images. Closes: #923855
+ * Add the cpuid module to signed UEFI images. Closes: #928628
+ * Add the play module to signed UEFI images. Closes: #930290
+ * Add an extra di-specific version of the UEFI netboot image with a
+ different baked-in prefix value. Helps to fix #928750.
+ * Deal with --force-extra-removable with signed shim too. Closes: #930531
+
+ -- Colin Watson <cjwatson@debian.org> Fri, 14 Jun 2019 19:04:01 +0100
+
 grub2 (2.02+dfsg1-18) unstable; urgency=medium
 * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
diff -Nru grub2-2.02+dfsg1/debian/copyright grub2-2.02+dfsg1/debian/copyright
--- grub2-2.02+dfsg1/debian/copyright 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/copyright 2019-06-14 19:04:01.000000000 +0100
@@ -1,4 +1,5 @@
-Name: GNU GRUB
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GNU GRUB
 Source: https://www.gnu.org/software/grub/
 Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c
diff -Nru grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch
--- grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch 1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch 2019-06-14 19:04:01.000000000 +0100
@@ -0,0 +1,193 @@
+From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Fri, 14 Jun 2019 16:37:11 +0100
+Subject: Deal with --force-extra-removable with signed shim too
+
+In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
+and signed Grub as /EFI/BOOT/grubXXX.efi.
+
+Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
+/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
+NVRAM).
+
+[cjwatson: Refactored also_install_removable somewhat for brevity and so
+that we're using consistent case-insensitive logic.]
+
+Bug-Debian: https://bugs.debian.org/930531
+Last-Update: 2019-06-14
+
+Patch-Name: grub-install-removable-shim.patch
+---
+ util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 67 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 04d8250c9..03b1283e0 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
+ static void
+ also_install_removable(const char *src,
+ const char *base_efidir,
+- const char *efi_suffix_upper)
++ const char *efi_file,
++ int is_needed)
+ {
+- char *efi_file = NULL;
+ char *dst = NULL;
+ char *cur = NULL;
+ char *found = NULL;
+
+- if (!efi_suffix_upper)
+- grub_util_error ("%s", _("efi_suffix_upper not set"));
+- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+-
+ /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
+ * need to cope with case-insensitive stuff here. Build the path one
+ * component at a time, checking for existing matches each time. */
+@@ -924,10 +920,9 @@ also_install_removable(const char *src,
+ cur = xstrdup (dst);
+ free (dst);
+ free (found);
+- grub_install_copy_file (src, cur, 1);
++ grub_install_copy_file (src, cur, is_needed);
+
+ free (cur);
+- free (efi_file);
+ }
+
+ int
+@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
+ {
+ char *dst = grub_util_path_concat (2, efidir, efi_file);
++ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
++
+ if (uefi_secure_boot)
+ {
+ char *shim_signed = NULL;
+ char *mok_signed = NULL, *mok_file = NULL;
+ char *fb_signed = NULL, *fb_file = NULL;
++ char *csv_file = NULL;
+ char *config_dst;
+ FILE *config_dst_f;
+
+@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
+ mok_file = xasprintf ("mm%s.efi", efi_suffix);
+ fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
+ fb_file = xasprintf ("fb%s.efi", efi_suffix);
++ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
++
++ /* If we have a signed shim binary, install that and all
++ its helpers in the normal vendor path */
+
+ if (grub_util_is_regular (shim_signed))
+ {
+ char *chained_base, *chained_dst;
+- char *mok_src, *mok_dst, *fb_src, *fb_dst;
++ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
+ if (!removable)
+ {
+ free (efi_file);
+@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
+ chained_base = xasprintf ("grub%s.efi", efi_suffix);
+ chained_dst = grub_util_path_concat (2, efidir, chained_base);
+ grub_install_copy_file (efi_signed, chained_dst, 1);
+- free (chained_dst);
+- free (chained_base);
+
+ /* Not critical, so not an error if they are not present (as it
+ won't be for older releases); but if we have them, make
+@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
+ mok_file);
+ grub_install_copy_file (mok_src,
+ mok_dst, 0);
+- free (mok_src);
+- free (mok_dst);
+
+ fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ fb_signed);
+@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
+ fb_file);
+ grub_install_copy_file (fb_src,
+ fb_dst, 0);
++
++ csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
++ csv_file);
++ csv_dst = grub_util_path_concat (2, efidir,
++ csv_file);
++ grub_install_copy_file (csv_src,
++ csv_dst, 0);
++
++ /* Install binaries into .../EFI/BOOT too:
++ the shim binary
++ the grub binary
++ the shim fallback binary (not fatal on failure) */
++ if (force_extra_removable)
++ {
++ grub_util_info ("Secure boot: installing shim and image into rm path");
++ also_install_removable (shim_signed, base_efidir, removable_file, 1);
++
++ also_install_removable (efi_signed, base_efidir, chained_base, 1);
++
++ /* If we're updating the NVRAM, add fallback too - it
++ will re-update the NVRAM later if things break */
++ if (update_nvram)
++ also_install_removable (fb_src, base_efidir, fb_file, 0);
++ }
++
++ free (chained_dst);
++ free (chained_base);
++ free (mok_src);
++ free (mok_dst);
+ free (fb_src);
+ free (fb_dst);
++ free (csv_src);
++ free (csv_dst);
+ }
+ else
+- grub_install_copy_file (efi_signed, dst, 1);
++ {
++ /* Tried to install for secure boot, but no signed
++ shim found. Fall back to just installing the signed
++ grub binary */
++ grub_util_info ("Secure boot (no shim): installing signed grub binary");
++ grub_install_copy_file (efi_signed, dst, 1);
++ if (force_extra_removable)
++ {
++ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
++ also_install_removable (efi_signed, base_efidir, removable_file, 1);
++ }
++ }
+
++ /* In either case, install our grub.cfg */
+ config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ grub_install_copy_file (load_cfg, config_dst, 1);
+ config_dst_f = grub_util_fopen (config_dst, "ab");
+ fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
+ fclose (config_dst_f);
+ free (config_dst);
+- if (force_extra_removable)
+- also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
++
++ free (csv_file);
++ free (fb_file);
++ free (fb_signed);
++ free (mok_file);
++ free (mok_signed);
++ free (shim_signed);
+ }
+ else
+ {
++ /* No secure boot - just install our newly-generated image */
++ grub_util_info ("No Secure Boot: installing core image");
+ grub_install_copy_file (imgfile, dst, 1);
+ if (force_extra_removable)
+- also_install_removable(imgfile, base_efidir, efi_suffix_upper);
++ also_install_removable (imgfile, base_efidir, removable_file, 1);
+ }
++
++ free (removable_file);
+ free (dst);
+ }
+ if (!removable && update_nvram)
diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series
--- grub2-2.02+dfsg1/debian/patches/series 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/series 2019-06-14 19:04:01.000000000 +0100
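Review bot: The new no-shim fallback (the `else` branch after `grub_util_is_regular (shim_signed)`) installs the distribution-signed GRUB directly as the removable-media loader and reports it only via `grub_util_info`, which is silent without --verbose; on firmware that enforces Secure Boot and trusts only the keys shim is signed with, that layout will typically be refused at boot, so the user gets no install-time hint that the machine may not come up. Raise the visibility with a warning, e.g. `grub_util_warn ("%s", _("signed shim not found; installing signed GRUB without shim"));` (constructed wording) before the `grub_install_copy_file (efi_signed, dst, 1)` call. Separately, `also_install_removable` gained `is_needed` without documentation; since the hunk shows it forwarded as the last argument of `grub_install_copy_file` and callers pass 0 for the copy the comment calls "not fatal on failure", a line such as `/* is_needed: forwarded to grub_install_copy_file; 0 makes a missing source non-fatal */` above the signature would capture the contract. Both `also_install_removable` and `main` begin and end outside the inner hunks.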
@@ -137,3 +137,4 @@
 arm-move-trampolines-into-code-section.patch
 arm-align-section-alignment-with-manual-reloc-offset.patch
 no-devicetree-if-secure-boot.patch
+grub-install-removable-shim.patch
diff -Nru grub2-2.02+dfsg1/debian/rules grub2-2.02+dfsg1/debian/rules
--- grub2-2.02+dfsg1/debian/rules 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/rules 2019-06-14 19:04:01.000000000 +0100
@@ -219,7 +219,7 @@
 obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
 obj/$(package)/grub-core \
 obj/monolithic/$(package) \
- $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
+ $(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
 touch $@
 debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
diff -Nru grub2-2.02+dfsg1/debian/signing-template.json.in grub2-2.02+dfsg1/debian/signing-template.json.in
--- grub2-2.02+dfsg1/debian/signing-template.json.in 2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/signing-template.json.in 2019-06-14 19:04:01.000000000 +0100
@@ -6,6 +6,7 @@
 "files": [
 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
+ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"},
 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
 ]
 }
unblock grub2/2.02+dfsg1-19 Thanks, -- Colin Watson [cjwatson@debian.org]