Your message dated Fri, 21 Jun 2019 23:10:25 +0200 with message-id <d3014268-be00-746e-c962-c7f3d0791134@debian.org> and subject line Re: Bug#930757: unblock: grub2/2.02+dfsg1-19 has caused the Debian Bug report #930757, regarding unblock: grub2/2.02+dfsg1-19 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
930757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: unblock: grub2/2.02+dfsg1-19
- From: Colin Watson <cjwatson@debian.org>
- Date: Thu, 20 Jun 2019 00:29:01 +0100
- Message-id: <20190619232901.GA16905@riva.ucam.org>
Package: release.debian.org Severity: normal User: release.debian.org@packages.debian.org Usertags: unblock Please unblock grub2. I hope this is the final grub2 update for the buster release. It consists mainly of a number of patches from Steve McIntyre to clean up problems with our UEFI Secure Boot support. diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm --- grub2-2.02+dfsg1/debian/.git-dpm 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/.git-dpm 2019-06-14 19:04:01.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -9569221816a2a1a832be106440375a612e0121b7 -9569221816a2a1a832be106440375a612e0121b7 +6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e +6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe grub2_2.02+dfsg1.orig.tar.xz diff -Nru grub2-2.02+dfsg1/debian/build-efi-images grub2-2.02+dfsg1/debian/build-efi-images --- grub2-2.02+dfsg1/debian/build-efi-images 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/build-efi-images 2019-06-14 19:04:01.000000000 +0100 @@ -20,16 +20,17 @@ # Make EFI boot images for signing. -if [ $# -lt 5 ]; then - echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM EFI-NAME [EFI-VENDOR]" +if [ $# -lt 6 ]; then + echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]" fi grub_mkimage="$1" grub_core="$2" outdir="$3" -platform="$4" -efi_name="$5" -efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}" +deb_arch="$4" +platform="$5" +efi_name="$6" +efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}" # mkfs.msdos may not be on the default PATH. export PATH="$PATH:/sbin:/usr/sbin" @@ -115,6 +116,7 @@ memdisk minicmd normal + ntfs part_apple part_msdos part_gpt @@ -141,7 +143,9 @@ case $platform in x86_64-efi|i386-efi) CD_MODULES="$CD_MODULES + cpuid linuxefi + play " ;; esac 
@@ -181,15 +185,29 @@ tftp " +# CD boot image "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \ -d "$grub_core" \ -c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \ -p /boot/grub \ $CD_MODULES + +# Normal disk boot image "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \ -d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES + +# Normal network boot image "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \ -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ - -m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES + -m "$workdir/memdisk-netboot.fat" \ + -p /grub $NET_MODULES + +# Special network boot image for d-i to use. Just the same as the +# normal network boot image, but with a different value baked in for +# the prefix setting +"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \ + -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ + -m "$workdir/memdisk-netboot.fat" \ + -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES exit 0 diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog --- grub2-2.02+dfsg1/debian/changelog 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/changelog 2019-06-14 19:04:01.000000000 +0100 
@@ -1,3 +1,18 @@ +grub2 (2.02+dfsg1-19) unstable; urgency=medium + + [ Colin Watson ] + * Fix format of debian/copyright. + + [ Steve McIntyre ] + * Add the ntfs module to signed UEFI images. Closes: #923855 + * Add the cpuid module to signed UEFI images. Closes: #928628 + * Add the play module to signed UEFI images. Closes: #930290 + * Add an extra di-specific version of the UEFI netboot image with a + different baked-in prefix value. Helps to fix #928750. + * Deal with --force-extra-removable with signed shim too. Closes: #930531 + + -- Colin Watson <cjwatson@debian.org> Fri, 14 Jun 2019 19:04:01 +0100 + grub2 (2.02+dfsg1-18) unstable; urgency=medium * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes: diff -Nru grub2-2.02+dfsg1/debian/copyright grub2-2.02+dfsg1/debian/copyright --- grub2-2.02+dfsg1/debian/copyright 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/copyright 2019-06-14 19:04:01.000000000 +0100 @@ -1,4 +1,5 @@ -Name: GNU GRUB +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: GNU GRUB Source: https://www.gnu.org/software/grub/ Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c diff -Nru grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch --- grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch 1970-01-01 01:00:00.000000000 +0100 +++ grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch 2019-06-14 19:04:01.000000000 +0100 
@@ -0,0 +1,193 @@ +From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001 +From: Steve McIntyre <93sam@debian.org> +Date: Fri, 14 Jun 2019 16:37:11 +0100 +Subject: Deal with --force-extra-removable with signed shim too + +In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI +and signed Grub as /EFI/BOOT/grubXXX.efi. + +Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into +/EFI/BOOT/ so that it can work when needed (*iff* we're updating the +NVRAM). + +[cjwatson: Refactored also_install_removable somewhat for brevity and so +that we're using consistent case-insensitive logic.] + +Bug-Debian: https://bugs.debian.org/930531 +Last-Update: 2019-06-14 + +Patch-Name: grub-install-removable-shim.patch +--- + util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 67 insertions(+), 17 deletions(-) + +diff --git a/util/grub-install.c b/util/grub-install.c +index 04d8250c9..03b1283e0 100644 +--- a/util/grub-install.c ++++ b/util/grub-install.c +@@ -880,17 +880,13 @@ check_component_exists(const char *dir, + static void + also_install_removable(const char *src, + const char *base_efidir, +- const char *efi_suffix_upper) ++ const char *efi_file, ++ int is_needed) + { +- char *efi_file = NULL; + char *dst = NULL; + char *cur = NULL; + char *found = NULL; + +- if (!efi_suffix_upper) +- grub_util_error ("%s", _("efi_suffix_upper not set")); +- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper); +- + /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we + * need to cope with case-insensitive stuff here. Build the path one + * component at a time, checking for existing matches each time. 
*/ +@@ -924,10 +920,9 @@ also_install_removable(const char *src, + cur = xstrdup (dst); + free (dst); + free (found); +- grub_install_copy_file (src, cur, 1); ++ grub_install_copy_file (src, cur, is_needed); + + free (cur); +- free (efi_file); + } + + int +@@ -2046,11 +2041,14 @@ main (int argc, char *argv[]) + case GRUB_INSTALL_PLATFORM_IA64_EFI: + { + char *dst = grub_util_path_concat (2, efidir, efi_file); ++ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper); ++ + if (uefi_secure_boot) + { + char *shim_signed = NULL; + char *mok_signed = NULL, *mok_file = NULL; + char *fb_signed = NULL, *fb_file = NULL; ++ char *csv_file = NULL; + char *config_dst; + FILE *config_dst_f; + +@@ -2059,11 +2057,15 @@ main (int argc, char *argv[]) + mok_file = xasprintf ("mm%s.efi", efi_suffix); + fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix); + fb_file = xasprintf ("fb%s.efi", efi_suffix); ++ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper); ++ ++ /* If we have a signed shim binary, install that and all ++ its helpers in the normal vendor path */ + + if (grub_util_is_regular (shim_signed)) + { + char *chained_base, *chained_dst; +- char *mok_src, *mok_dst, *fb_src, *fb_dst; ++ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst; + if (!removable) + { + free (efi_file); +@@ -2075,8 +2077,6 @@ main (int argc, char *argv[]) + chained_base = xasprintf ("grub%s.efi", efi_suffix); + chained_dst = grub_util_path_concat (2, efidir, chained_base); + grub_install_copy_file (efi_signed, chained_dst, 1); +- free (chained_dst); +- free (chained_base); + + /* Not critical, so not an error if they are not present (as it + won't be for older releases); but if we have them, make +@@ -2087,8 +2087,6 @@ main (int argc, char *argv[]) + mok_file); + grub_install_copy_file (mok_src, + mok_dst, 0); +- free (mok_src); +- free (mok_dst); + + fb_src = grub_util_path_concat (2, "/usr/lib/shim/", + fb_signed); +@@ -2096,27 +2094,79 @@ main (int argc, char *argv[]) + 
fb_file); + grub_install_copy_file (fb_src, + fb_dst, 0); ++ ++ csv_src = grub_util_path_concat (2, "/usr/lib/shim/", ++ csv_file); ++ csv_dst = grub_util_path_concat (2, efidir, ++ csv_file); ++ grub_install_copy_file (csv_src, ++ csv_dst, 0); ++ ++ /* Install binaries into .../EFI/BOOT too: ++ the shim binary ++ the grub binary ++ the shim fallback binary (not fatal on failure) */ ++ if (force_extra_removable) ++ { ++ grub_util_info ("Secure boot: installing shim and image into rm path"); ++ also_install_removable (shim_signed, base_efidir, removable_file, 1); ++ ++ also_install_removable (efi_signed, base_efidir, chained_base, 1); ++ ++ /* If we're updating the NVRAM, add fallback too - it ++ will re-update the NVRAM later if things break */ ++ if (update_nvram) ++ also_install_removable (fb_src, base_efidir, fb_file, 0); ++ } ++ ++ free (chained_dst); ++ free (chained_base); ++ free (mok_src); ++ free (mok_dst); + free (fb_src); + free (fb_dst); ++ free (csv_src); ++ free (csv_dst); + } + else +- grub_install_copy_file (efi_signed, dst, 1); ++ { ++ /* Tried to install for secure boot, but no signed ++ shim found. 
Fall back to just installing the signed ++ grub binary */ ++ grub_util_info ("Secure boot (no shim): installing signed grub binary"); ++ grub_install_copy_file (efi_signed, dst, 1); ++ if (force_extra_removable) ++ { ++ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path"); ++ also_install_removable (efi_signed, base_efidir, removable_file, 1); ++ } ++ } + ++ /* In either case, install our grub.cfg */ + config_dst = grub_util_path_concat (2, efidir, "grub.cfg"); + grub_install_copy_file (load_cfg, config_dst, 1); + config_dst_f = grub_util_fopen (config_dst, "ab"); + fprintf (config_dst_f, "configfile $prefix/grub.cfg\n"); + fclose (config_dst_f); + free (config_dst); +- if (force_extra_removable) +- also_install_removable(efi_signed, base_efidir, efi_suffix_upper); ++ ++ free (csv_file); ++ free (fb_file); ++ free (fb_signed); ++ free (mok_file); ++ free (mok_signed); ++ free (shim_signed); + } + else + { ++ /* No secure boot - just install our newly-generated image */ ++ grub_util_info ("No Secure Boot: installing core image"); + grub_install_copy_file (imgfile, dst, 1); + if (force_extra_removable) +- also_install_removable(imgfile, base_efidir, efi_suffix_upper); ++ also_install_removable (imgfile, base_efidir, removable_file, 1); + } ++ ++ free (removable_file); + free (dst); + } + if (!removable && update_nvram) diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series --- grub2-2.02+dfsg1/debian/patches/series 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/patches/series 2019-06-14 19:04:01.000000000 +0100 
@@ -137,3 +137,4 @@ arm-move-trampolines-into-code-section.patch arm-align-section-alignment-with-manual-reloc-offset.patch no-devicetree-if-secure-boot.patch +grub-install-removable-shim.patch diff -Nru grub2-2.02+dfsg1/debian/rules grub2-2.02+dfsg1/debian/rules --- grub2-2.02+dfsg1/debian/rules 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/rules 2019-06-14 19:04:01.000000000 +0100 @@ -219,7 +219,7 @@ obj/grub-$(COMMON_PLATFORM)/grub-mkimage \ obj/$(package)/grub-core \ obj/monolithic/$(package) \ - $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR) + $(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR) touch $@ debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386 diff -Nru grub2-2.02+dfsg1/debian/signing-template.json.in grub2-2.02+dfsg1/debian/signing-template.json.in --- grub2-2.02+dfsg1/debian/signing-template.json.in 2019-05-04 22:58:32.000000000 +0100 +++ grub2-2.02+dfsg1/debian/signing-template.json.in 2019-06-14 19:04:01.000000000 +0100 @@ -6,6 +6,7 @@ "files": [ {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"}, {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"}, + {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"}, {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"} ] } unblock grub2/2.02+dfsg1-19 Thanks, -- Colin Watson [cjwatson@debian.org]Attachment: signature.asc
Description: PGP signature
--- End Message ---
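Review bot: In debian/build-efi-images, the argument check at the top of the script (`if [ $# -lt 6 ]`) only echoes the usage line and then reaches `fi`, so the script carries on with too few arguments. Because DEB-ARCH is now inserted in the middle of the positional list, a caller still using the old order is not caught cleanly: with five arguments `deb_arch` receives the platform, `platform` receives the EFI name and `efi_name` is empty, and with the old six-argument form (vendor given) the count check passes silently. Add `exit 1` after the echo and send the usage text to stderr, so a stale caller fails immediately instead of producing misnamed images for signing.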
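Review bot: The new d-i netboot image at the end of debian/build-efi-images is built with `-p "${efi_vendor}-installer/$deb_arch/grub"`, a prefix with no leading slash, while the three other grub-mkimage calls in the same hunk use absolute prefixes (`/boot/grub`, `/EFI/$efi_vendor`, `/grub`). If the relative form is intentional, the comment above the call should say so and state what the prefix is resolved against; otherwise add the slash. Writing the output name as `grubnet${efi_name}-installer.efi` would also make the variable boundary explicit, matching the braces already used for `${efi_vendor}` on the same command.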
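Review bot: In the `main` hunk of util/grub-install.c at `@@ -2046,11 +2041,14 @@`, `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper)` now runs for every install that reaches this case block, with no NULL check on `efi_suffix_upper`. The guard this patch deletes from `also_install_removable` (`if (!efi_suffix_upper) grub_util_error (...)`) only had to hold when --force-extra-removable was in use. Either keep the `grub_util_error` check next to the new `xasprintf` call (the same applies to `csv_file`), or build these names only on the paths that use them, so that a missing upper-case suffix fails with a clear message rather than being passed to `%s`.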
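Review bot: In the `force_extra_removable` block added under the signed-shim branch of util/grub-install.c (`@@ -2096,27 +2094,79 @@`), shim, GRUB and, when `update_nvram` is set, the fallback binary are copied into the removable path, but `mok_src` is only ever copied to `efidir`. If shim started from EFI/BOOT is expected to find MokManager beside it, add `also_install_removable (mok_src, base_efidir, mok_file, 0)`; if leaving it out is deliberate, give the reason in the comment that lists the installed binaries. The new `grub_util_info` messages also abbreviate the destination as "rm path", which is easy to misread in a log; spell out "removable media path".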
--- Begin Message ---
- To: Colin Watson <cjwatson@debian.org>, 930757-done@bugs.debian.org
- Subject: Re: Bug#930757: unblock: grub2/2.02+dfsg1-19
- From: Paul Gevers <elbrus@debian.org>
- Date: Fri, 21 Jun 2019 23:10:25 +0200
- Message-id: <d3014268-be00-746e-c962-c7f3d0791134@debian.org>
- In-reply-to: <20190619233754.GM3829@riva.ucam.org>
- References: <20190619232901.GA16905@riva.ucam.org> <handler.930757.B.15609869498462.ack@bugs.debian.org> <20190619232901.GA16905@riva.ucam.org> <20190619233754.GM3829@riva.ucam.org>
Hi Colin

On 20-06-2019 01:37, Colin Watson wrote:
> unblock grub2/2.02+dfsg1-19
> unblock grub-efi-amd64-signed/1+2.02+dfsg1+19
> unblock grub-efi-arm64-signed/1+2.02+dfsg1+19
> unblock grub-efi-ia32-signed/1+2.02+dfsg1+19

Unblocked, thanks.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---