
Bug#930757: marked as done (unblock: grub2/2.02+dfsg1-19)



Your message dated Sat, 22 Jun 2019 19:13:21 +0200
with message-id <050fbace-0253-282a-998f-606d80155781@debian.org>
and subject line Re: Bug#930757: unblock: grub2/2.02+dfsg1-19
has caused the Debian Bug report #930757,
regarding unblock: grub2/2.02+dfsg1-19
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930757: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930757
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2.

I hope this is the final grub2 update for the buster release.  It
consists mainly of a number of patches from Steve McIntyre to clean up
problems with our UEFI Secure Boot support.

diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/.git-dpm	2019-06-14 19:04:01.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9569221816a2a1a832be106440375a612e0121b7
-9569221816a2a1a832be106440375a612e0121b7
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/build-efi-images grub2-2.02+dfsg1/debian/build-efi-images
--- grub2-2.02+dfsg1/debian/build-efi-images	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/build-efi-images	2019-06-14 19:04:01.000000000 +0100
@@ -20,16 +20,17 @@
 
 # Make EFI boot images for signing.
 
-if [ $# -lt 5 ]; then
-	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 6 ]; then
+	echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
 fi
 
 grub_mkimage="$1"
 grub_core="$2"
 outdir="$3"
-platform="$4"
-efi_name="$5"
-efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+deb_arch="$4"
+platform="$5"
+efi_name="$6"
+efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
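Review bot: The argument-count guard at the top of this hunk prints the usage line but never exits, so the script carries on with whatever positional arguments it was given. This change inserts DEB-ARCH as `$4` and shifts PLATFORM and EFI-NAME to `$5` and `$6`, so a caller still using the old five-argument form would run with `platform` holding the old EFI-NAME value and `efi_name` empty. Those values feed the output file names and the prefix baked into images that are later signed. The guard should stop the script: add `exit 1` after the `echo`, and send the usage text to stderr with `>&2`.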
@@ -115,6 +116,7 @@
 	memdisk
 	minicmd
 	normal
+	ntfs
 	part_apple
 	part_msdos
 	part_gpt
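Review bot: `ntfs` is added to this module list with no comment recording why, and the same applies to `cpuid` and `play` in the x86 `CD_MODULES` hunk that follows. These lists decide what is linked into the monolithic images submitted for UEFI Secure Boot signing, so every entry is code that runs under that signature, and a filesystem driver such as `ntfs` parses on-disk data the firmware has not verified. The only rationale is in the changelog (#923855, #928628, #930290); a comment such as `# ntfs: <reason> (Debian #923855)` would keep it with the code for whoever next audits the signed module set. The entries appear to sit inside quoted multi-line strings, so the comment has to go above the assignment rather than beside the entry, and the list containing `ntfs` starts outside this hunk.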
@@ -141,7 +143,9 @@
 case $platform in
     x86_64-efi|i386-efi)
 	CD_MODULES="$CD_MODULES
+	cpuid
 	linuxefi
+	play
 	"
 	;;
 esac
@@ -181,15 +185,29 @@
 	tftp
 	"
 
+# CD boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
 	-d "$grub_core" \
 	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
 	-p /boot/grub \
 	$CD_MODULES
+
+# Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
 	-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+
+# Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-	-m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
+	-m "$workdir/memdisk-netboot.fat" \
+	-p /grub $NET_MODULES
+
+# Special network boot image for d-i to use. Just the same as the
+# normal network boot image, but with a different value baked in for
+# the prefix setting
+"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
+	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
+	-m "$workdir/memdisk-netboot.fat" \
+	-p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
 
 exit 0
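Review bot: The new installer image is built with `-p "${efi_vendor}-installer/$deb_arch/grub"`, which has no leading `/`, while the other three images in this hunk use absolute prefixes (`/boot/grub`, `/EFI/$efi_vendor`, `/grub`). The prefix is baked into a binary that is then signed, so it cannot be corrected without rebuilding and re-signing. If the relative form is deliberate for the d-i netboot layout, the comment above the command should say so; otherwise it presumably wants `-p "/${efi_vendor}-installer/$deb_arch/grub"`. As a smaller style point, `"$outdir/grubnet${efi_name}-installer.efi"` shows more clearly where the variable name ends than `$efi_name-installer`.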
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/changelog	2019-06-14 19:04:01.000000000 +0100
@@ -1,3 +1,18 @@
+grub2 (2.02+dfsg1-19) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Fix format of debian/copyright.
+
+  [ Steve McIntyre ]
+  * Add the ntfs module to signed UEFI images. Closes: #923855
+  * Add the cpuid module to signed UEFI images. Closes: #928628
+  * Add the play module to signed UEFI images. Closes: #930290
+  * Add an extra di-specific version of the UEFI netboot image with a
+    different baked-in prefix value. Helps to fix #928750.
+  * Deal with --force-extra-removable with signed shim too. Closes: #930531
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 14 Jun 2019 19:04:01 +0100
+
 grub2 (2.02+dfsg1-18) unstable; urgency=medium
 
   * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
diff -Nru grub2-2.02+dfsg1/debian/copyright grub2-2.02+dfsg1/debian/copyright
--- grub2-2.02+dfsg1/debian/copyright	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/copyright	2019-06-14 19:04:01.000000000 +0100
@@ -1,4 +1,5 @@
-Name: GNU GRUB
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GNU GRUB
 Source: https://www.gnu.org/software/grub/
 Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c
 
diff -Nru grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch
--- grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch	2019-06-14 19:04:01.000000000 +0100
@@ -0,0 +1,193 @@
+From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Fri, 14 Jun 2019 16:37:11 +0100
+Subject: Deal with --force-extra-removable with signed shim too
+
+In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
+and signed Grub as /EFI/BOOT/grubXXX.efi.
+
+Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
+/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
+NVRAM).
+
+[cjwatson: Refactored also_install_removable somewhat for brevity and so
+that we're using consistent case-insensitive logic.]
+
+Bug-Debian: https://bugs.debian.org/930531
+Last-Update: 2019-06-14
+
+Patch-Name: grub-install-removable-shim.patch
+---
+ util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 67 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 04d8250c9..03b1283e0 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
+ static void
+ also_install_removable(const char *src,
+ 		       const char *base_efidir,
+-		       const char *efi_suffix_upper)
++		       const char *efi_file,
++		       int is_needed)
+ {
+-  char *efi_file = NULL;
+   char *dst = NULL;
+   char *cur = NULL;
+   char *found = NULL;
+ 
+-  if (!efi_suffix_upper)
+-    grub_util_error ("%s", _("efi_suffix_upper not set"));
+-  efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+-
+   /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
+    * need to cope with case-insensitive stuff here. Build the path one
+    * component at a time, checking for existing matches each time. */
+@@ -924,10 +920,9 @@ also_install_removable(const char *src,
+   cur = xstrdup (dst);
+   free (dst);
+   free (found);
+-  grub_install_copy_file (src, cur, 1);
++  grub_install_copy_file (src, cur, is_needed);
+ 
+   free (cur);
+-  free (efi_file);
+ }
+ 
+ int
+@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
+     case GRUB_INSTALL_PLATFORM_IA64_EFI:
+       {
+ 	char *dst = grub_util_path_concat (2, efidir, efi_file);
++	char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
++
+ 	if (uefi_secure_boot)
+ 	  {
+ 	    char *shim_signed = NULL;
+ 	    char *mok_signed = NULL, *mok_file = NULL;
+ 	    char *fb_signed = NULL, *fb_file = NULL;
++	    char *csv_file = NULL;
+ 	    char *config_dst;
+ 	    FILE *config_dst_f;
+ 
+@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
+ 	    mok_file = xasprintf ("mm%s.efi", efi_suffix);
+ 	    fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
+ 	    fb_file = xasprintf ("fb%s.efi", efi_suffix);
++	    csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
++
++	    /* If we have a signed shim binary, install that and all
++	       its helpers in the normal vendor path */
+ 
+ 	    if (grub_util_is_regular (shim_signed))
+ 	      {
+ 		char *chained_base, *chained_dst;
+-		char *mok_src, *mok_dst, *fb_src, *fb_dst;
++		char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
+ 		if (!removable)
+ 		  {
+ 		    free (efi_file);
+@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
+ 		chained_base = xasprintf ("grub%s.efi", efi_suffix);
+ 		chained_dst = grub_util_path_concat (2, efidir, chained_base);
+ 		grub_install_copy_file (efi_signed, chained_dst, 1);
+-		free (chained_dst);
+-		free (chained_base);
+ 
+ 		/* Not critical, so not an error if they are not present (as it
+ 		   won't be for older releases); but if we have them, make
+@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
+ 						    mok_file);
+ 		grub_install_copy_file (mok_src,
+ 					mok_dst, 0);
+-		free (mok_src);
+-		free (mok_dst);
+ 
+ 		fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ 						    fb_signed);
+@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
+ 						    fb_file);
+ 		grub_install_copy_file (fb_src,
+ 					fb_dst, 0);
++
++		csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
++						    csv_file);
++		csv_dst = grub_util_path_concat (2, efidir,
++						    csv_file);
++		grub_install_copy_file (csv_src,
++					csv_dst, 0);
++
++		/* Install binaries into .../EFI/BOOT too:
++		   the shim binary
++		   the grub binary
++		   the shim fallback binary (not fatal on failure) */
++		if (force_extra_removable)
++		  {
++		    grub_util_info ("Secure boot: installing shim and image into rm path");
++		    also_install_removable (shim_signed, base_efidir, removable_file, 1);
++
++		    also_install_removable (efi_signed, base_efidir, chained_base, 1);
++
++		    /* If we're updating the NVRAM, add fallback too - it
++			will re-update the NVRAM later if things break */
++		    if (update_nvram)
++		      also_install_removable (fb_src, base_efidir, fb_file, 0);
++		  }
++
++		free (chained_dst);
++		free (chained_base);
++		free (mok_src);
++		free (mok_dst);
+ 		free (fb_src);
+ 		free (fb_dst);
++		free (csv_src);
++		free (csv_dst);
+ 	      }
+ 	    else
+-	      grub_install_copy_file (efi_signed, dst, 1);
++	      {
++		/* Tried to install for secure boot, but no signed
++		   shim found. Fall back to just installing the signed
++		   grub binary */
++		grub_util_info ("Secure boot (no shim): installing signed grub binary");
++		grub_install_copy_file (efi_signed, dst, 1);
++		if (force_extra_removable)
++		  {
++		    grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
++		    also_install_removable (efi_signed, base_efidir, removable_file, 1);
++		  }
++	      }
+ 
++	    /* In either case, install our grub.cfg */
+ 	    config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ 	    grub_install_copy_file (load_cfg, config_dst, 1);
+ 	    config_dst_f = grub_util_fopen (config_dst, "ab");
+ 	    fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
+ 	    fclose (config_dst_f);
+ 	    free (config_dst);
+-	    if (force_extra_removable)
+-	      also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
++
++	    free (csv_file);
++	    free (fb_file);
++	    free (fb_signed);
++	    free (mok_file);
++	    free (mok_signed);
++	    free (shim_signed);
+ 	  }
+ 	else
+ 	  {
++	    /* No secure boot - just install our newly-generated image */
++	    grub_util_info ("No Secure Boot: installing core image");
+ 	    grub_install_copy_file (imgfile, dst, 1);
+ 	    if (force_extra_removable)
+-	      also_install_removable(imgfile, base_efidir, efi_suffix_upper);
++	      also_install_removable (imgfile, base_efidir, removable_file, 1);
+ 	  }
++
++	free (removable_file);
+ 	free (dst);
+       }
+       if (!removable && update_nvram)
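Review bot: The embedded patch removes the `if (!efi_suffix_upper) grub_util_error (...)` guard from `also_install_removable` but adds no equivalent where `main` now formats the name itself, in `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);` and in the new `csv_file` line. Whether `efi_suffix_upper` can be NULL in these EFI cases is not visible from the hunk, but passing NULL to `%s` is undefined behaviour and with glibc would produce a file literally named `BOOT(null).EFI` in the removable path. Keeping the check just before the first `xasprintf`, as `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));`, preserves the old fail-closed behaviour. Separately, the context lines still call `fprintf` on the result of `grub_util_fopen (config_dst, "ab")` without testing it for NULL. `main` starts and ends outside the hunk.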
diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series
--- grub2-2.02+dfsg1/debian/patches/series	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/series	2019-06-14 19:04:01.000000000 +0100
@@ -137,3 +137,4 @@
 arm-move-trampolines-into-code-section.patch
 arm-align-section-alignment-with-manual-reloc-offset.patch
 no-devicetree-if-secure-boot.patch
+grub-install-removable-shim.patch
diff -Nru grub2-2.02+dfsg1/debian/rules grub2-2.02+dfsg1/debian/rules
--- grub2-2.02+dfsg1/debian/rules	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/rules	2019-06-14 19:04:01.000000000 +0100
@@ -219,7 +219,7 @@
 		obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
 		obj/$(package)/grub-core \
 		obj/monolithic/$(package) \
-		$(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
+		$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
 	touch $@
 
 debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
diff -Nru grub2-2.02+dfsg1/debian/signing-template.json.in grub2-2.02+dfsg1/debian/signing-template.json.in
--- grub2-2.02+dfsg1/debian/signing-template.json.in	2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/signing-template.json.in	2019-06-14 19:04:01.000000000 +0100
@@ -6,6 +6,7 @@
             "files": [
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
+                {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"},
                 {"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
             ]
         }

unblock grub2/2.02+dfsg1-19

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]

Attachment: signature.asc
Description: PGP signature


--- End Message ---
--- Begin Message ---
Hi Colin,

On 22-06-2019 19:08, Cyril Brulebois wrote:
> Paul Gevers <elbrus@debian.org> (2019-06-22):
>> On 21-06-2019 23:10, Paul Gevers wrote:
>>> On 20-06-2019 01:37, Colin Watson wrote:
>>>> unblock grub2/2.02+dfsg1-19
>>>> unblock grub-efi-amd64-signed/1+2.02+dfsg1+19
>>>> unblock grub-efi-arm64-signed/1+2.02+dfsg1+19
>>>> unblock grub-efi-ia32-signed/1+2.02+dfsg1+19
>>>
>>> Unblocked, thanks.
>>
>> I failed to notice this needs an ACK from d-i. Hence the CC.
> 
> No objections, thanks.

So now also unblocked for udeb.

Paul

Attachment: signature.asc
Description: OpenPGP digital signature


--- End Message ---
