Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock grub2.

I hope this is the final grub2 update for the buster release.  It
consists mainly of a number of patches from Steve McIntyre to clean up
problems with our UEFI Secure Boot support.

diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm    2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/.git-dpm    2019-06-14 19:04:01.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9569221816a2a1a832be106440375a612e0121b7
-9569221816a2a1a832be106440375a612e0121b7
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
+6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/build-efi-images 
grub2-2.02+dfsg1/debian/build-efi-images
--- grub2-2.02+dfsg1/debian/build-efi-images    2019-05-04 22:58:32.000000000 
+0100
+++ grub2-2.02+dfsg1/debian/build-efi-images    2019-06-14 19:04:01.000000000 
+0100
@@ -20,16 +20,17 @@
 
 # Make EFI boot images for signing.
 
-if [ $# -lt 5 ]; then
-       echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM 
EFI-NAME [EFI-VENDOR]"
+if [ $# -lt 6 ]; then
+       echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH 
PLATFORM EFI-NAME [EFI-VENDOR]"
 fi
 
 grub_mkimage="$1"
 grub_core="$2"
 outdir="$3"
-platform="$4"
-efi_name="$5"
-efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
+deb_arch="$4"
+platform="$5"
+efi_name="$6"
+efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
 
 # mkfs.msdos may not be on the default PATH.
 export PATH="$PATH:/sbin:/usr/sbin"
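Review bot: The argument-count check at the top of this hunk prints the usage line but never exits, so a call with fewer than six arguments continues with `deb_arch`, `platform` or `efi_name` empty; with the new `-p "${efi_vendor}-installer/$deb_arch/grub"` in the last hunk of this file, an empty `deb_arch` bakes a prefix like `debian-installer//grub` into the image instead of failing the build. The defect predates the change, but the commit rewrites the check and could fix it in place: send the message to stderr with `>&2` and add `exit 1` before the `fi`. Whether the script runs under `set -e` is not visible from the hunk.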
@@ -115,6 +116,7 @@
        memdisk
        minicmd
        normal
+       ntfs
        part_apple
        part_msdos
        part_gpt
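Review bot: The modules added here (`ntfs`) and in the next hunk (`cpuid`, `play` under the `x86_64-efi|i386-efi` case) are linked into the images this script builds for signing (per the `# Make EFI boot images for signing.` comment), so each one becomes part of the Secure Boot trusted code base, and a filesystem parser such as ntfs is the kind of code that most deserves review before inclusion. Nothing at the list records that property. Suggest a comment above the module list: `# Every module listed here is linked into the signed UEFI images and runs before Secure Boot hands off; keep the list minimal and review new filesystem/parser modules before adding them.`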
@@ -141,7 +143,9 @@
 case $platform in
     x86_64-efi|i386-efi)
        CD_MODULES="$CD_MODULES
+       cpuid
        linuxefi
+       play
        "
        ;;
 esac
@@ -181,15 +185,29 @@
        tftp
        "
 
+# CD boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
        -d "$grub_core" \
        -c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
        -p /boot/grub \
        $CD_MODULES
+
+# Normal disk boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
        -d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
+
+# Normal network boot image
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
        -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-       -m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
+       -m "$workdir/memdisk-netboot.fat" \
+       -p /grub $NET_MODULES
+
+# Special network boot image for d-i to use. Just the same as the
+# normal network boot image, but with a different value baked in for
+# the prefix setting
+"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
+       -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
+       -m "$workdir/memdisk-netboot.fat" \
+       -p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
 
 exit 0
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog   2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/changelog   2019-06-14 19:04:01.000000000 +0100
@@ -1,3 +1,18 @@
+grub2 (2.02+dfsg1-19) unstable; urgency=medium
+
+  [ Colin Watson ]
+  * Fix format of debian/copyright.
+
+  [ Steve McIntyre ]
+  * Add the ntfs module to signed UEFI images. Closes: #923855
+  * Add the cpuid module to signed UEFI images. Closes: #928628
+  * Add the play module to signed UEFI images. Closes: #930290
+  * Add an extra di-specific version of the UEFI netboot image with a
+    different baked-in prefix value. Helps to fix #928750.
+  * Deal with --force-extra-removable with signed shim too. Closes: #930531
+
+ -- Colin Watson <cjwat...@debian.org>  Fri, 14 Jun 2019 19:04:01 +0100
+
 grub2 (2.02+dfsg1-18) unstable; urgency=medium
 
   * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
diff -Nru grub2-2.02+dfsg1/debian/copyright grub2-2.02+dfsg1/debian/copyright
--- grub2-2.02+dfsg1/debian/copyright   2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/copyright   2019-06-14 19:04:01.000000000 +0100
@@ -1,4 +1,5 @@
-Name: GNU GRUB
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: GNU GRUB
 Source: https://www.gnu.org/software/grub/
 Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c
 
diff -Nru grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch 
grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch
--- grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch   
1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/grub-install-removable-shim.patch   
2019-06-14 19:04:01.000000000 +0100
@@ -0,0 +1,193 @@
+From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93...@debian.org>
+Date: Fri, 14 Jun 2019 16:37:11 +0100
+Subject: Deal with --force-extra-removable with signed shim too
+
+In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
+and signed Grub as /EFI/BOOT/grubXXX.efi.
+
+Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
+/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
+NVRAM).
+
+[cjwatson: Refactored also_install_removable somewhat for brevity and so
+that we're using consistent case-insensitive logic.]
+
+Bug-Debian: https://bugs.debian.org/930531
+Last-Update: 2019-06-14
+
+Patch-Name: grub-install-removable-shim.patch
+---
+ util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 67 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-install.c b/util/grub-install.c
+index 04d8250c9..03b1283e0 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
+ static void
+ also_install_removable(const char *src,
+                      const char *base_efidir,
+-                     const char *efi_suffix_upper)
++                     const char *efi_file,
++                     int is_needed)
+ {
+-  char *efi_file = NULL;
+   char *dst = NULL;
+   char *cur = NULL;
+   char *found = NULL;
+ 
+-  if (!efi_suffix_upper)
+-    grub_util_error ("%s", _("efi_suffix_upper not set"));
+-  efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+-
+   /* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
+    * need to cope with case-insensitive stuff here. Build the path one
+    * component at a time, checking for existing matches each time. */
+@@ -924,10 +920,9 @@ also_install_removable(const char *src,
+   cur = xstrdup (dst);
+   free (dst);
+   free (found);
+-  grub_install_copy_file (src, cur, 1);
++  grub_install_copy_file (src, cur, is_needed);
+ 
+   free (cur);
+-  free (efi_file);
+ }
+ 
+ int
+@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
+     case GRUB_INSTALL_PLATFORM_IA64_EFI:
+       {
+       char *dst = grub_util_path_concat (2, efidir, efi_file);
++      char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
++
+       if (uefi_secure_boot)
+         {
+           char *shim_signed = NULL;
+           char *mok_signed = NULL, *mok_file = NULL;
+           char *fb_signed = NULL, *fb_file = NULL;
++          char *csv_file = NULL;
+           char *config_dst;
+           FILE *config_dst_f;
+ 
+@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
+           mok_file = xasprintf ("mm%s.efi", efi_suffix);
+           fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
+           fb_file = xasprintf ("fb%s.efi", efi_suffix);
++          csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
++
++          /* If we have a signed shim binary, install that and all
++             its helpers in the normal vendor path */
+ 
+           if (grub_util_is_regular (shim_signed))
+             {
+               char *chained_base, *chained_dst;
+-              char *mok_src, *mok_dst, *fb_src, *fb_dst;
++              char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
+               if (!removable)
+                 {
+                   free (efi_file);
+@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
+               chained_base = xasprintf ("grub%s.efi", efi_suffix);
+               chained_dst = grub_util_path_concat (2, efidir, chained_base);
+               grub_install_copy_file (efi_signed, chained_dst, 1);
+-              free (chained_dst);
+-              free (chained_base);
+ 
+               /* Not critical, so not an error if they are not present (as it
+                  won't be for older releases); but if we have them, make
+@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
+                                                   mok_file);
+               grub_install_copy_file (mok_src,
+                                       mok_dst, 0);
+-              free (mok_src);
+-              free (mok_dst);
+ 
+               fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
+                                                   fb_signed);
+@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
+                                                   fb_file);
+               grub_install_copy_file (fb_src,
+                                       fb_dst, 0);
++
++              csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
++                                                  csv_file);
++              csv_dst = grub_util_path_concat (2, efidir,
++                                                  csv_file);
++              grub_install_copy_file (csv_src,
++                                      csv_dst, 0);
++
++              /* Install binaries into .../EFI/BOOT too:
++                 the shim binary
++                 the grub binary
++                 the shim fallback binary (not fatal on failure) */
++              if (force_extra_removable)
++                {
++                  grub_util_info ("Secure boot: installing shim and image 
into rm path");
++                  also_install_removable (shim_signed, base_efidir, 
removable_file, 1);
++
++                  also_install_removable (efi_signed, base_efidir, 
chained_base, 1);
++
++                  /* If we're updating the NVRAM, add fallback too - it
++                      will re-update the NVRAM later if things break */
++                  if (update_nvram)
++                    also_install_removable (fb_src, base_efidir, fb_file, 0);
++                }
++
++              free (chained_dst);
++              free (chained_base);
++              free (mok_src);
++              free (mok_dst);
+               free (fb_src);
+               free (fb_dst);
++              free (csv_src);
++              free (csv_dst);
+             }
+           else
+-            grub_install_copy_file (efi_signed, dst, 1);
++            {
++              /* Tried to install for secure boot, but no signed
++                 shim found. Fall back to just installing the signed
++                 grub binary */
++              grub_util_info ("Secure boot (no shim): installing signed grub 
binary");
++              grub_install_copy_file (efi_signed, dst, 1);
++              if (force_extra_removable)
++                {
++                  grub_util_info ("Secure boot (no shim): installing signed 
grub binary into rm path");
++                  also_install_removable (efi_signed, base_efidir, 
removable_file, 1);
++                }
++            }
+ 
++          /* In either case, install our grub.cfg */
+           config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
+           grub_install_copy_file (load_cfg, config_dst, 1);
+           config_dst_f = grub_util_fopen (config_dst, "ab");
+           fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
+           fclose (config_dst_f);
+           free (config_dst);
+-          if (force_extra_removable)
+-            also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
++
++          free (csv_file);
++          free (fb_file);
++          free (fb_signed);
++          free (mok_file);
++          free (mok_signed);
++          free (shim_signed);
+         }
+       else
+         {
++          /* No secure boot - just install our newly-generated image */
++          grub_util_info ("No Secure Boot: installing core image");
+           grub_install_copy_file (imgfile, dst, 1);
+           if (force_extra_removable)
+-            also_install_removable(imgfile, base_efidir, efi_suffix_upper);
++            also_install_removable (imgfile, base_efidir, removable_file, 1);
+         }
++
++      free (removable_file);
+       free (dst);
+       }
+       if (!removable && update_nvram)
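Review bot: `also_install_removable` gains two parameters, `efi_file` and `is_needed`, with no comment describing them; from the body, `efi_file` is the leaf name placed under `$base_efidir/EFI/BOOT/` (per the existing "We need to install in ..." comment) and `is_needed` is forwarded unchanged to `grub_install_copy_file`, where the surrounding code uses `0` for copies that are "not critical, so not an error if they are not present" and `1` for required ones. Suggest a comment above the definition: `/* Copy SRC to $BASE_EFIDIR/EFI/BOOT/EFI_FILE, matching existing path components case-insensitively. IS_NEEDED is passed to grub_install_copy_file: non-zero makes a failed copy fatal. */`. The function's body is split across two hunks of the embedded patch. As a point of style, the new `grub_util_info` messages say "rm path", which reads like rm(1); "removable path" would be unambiguous.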
diff -Nru grub2-2.02+dfsg1/debian/patches/series 
grub2-2.02+dfsg1/debian/patches/series
--- grub2-2.02+dfsg1/debian/patches/series      2019-05-04 22:58:32.000000000 
+0100
+++ grub2-2.02+dfsg1/debian/patches/series      2019-06-14 19:04:01.000000000 
+0100
@@ -137,3 +137,4 @@
 arm-move-trampolines-into-code-section.patch
 arm-align-section-alignment-with-manual-reloc-offset.patch
 no-devicetree-if-secure-boot.patch
+grub-install-removable-shim.patch
diff -Nru grub2-2.02+dfsg1/debian/rules grub2-2.02+dfsg1/debian/rules
--- grub2-2.02+dfsg1/debian/rules       2019-05-04 22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/rules       2019-06-14 19:04:01.000000000 +0100
@@ -219,7 +219,7 @@
                obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
                obj/$(package)/grub-core \
                obj/monolithic/$(package) \
-               $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
+               $(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
        touch $@
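Review bot: The argument list passed here is purely positional and now has to match the order `debian/build-efi-images` reads (`deb_arch` as `$4`, ahead of `platform`), but neither side documents the coupling, so the next added argument can silently shift every later one. Suggest a comment above the call: `# Positional args must match debian/build-efi-images: mkimage core-dir output-dir deb-arch platform efi-name [vendor]`. The start of this recipe, including where `DEB_HOST_ARCH` comes from, is outside the hunk.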
 
 debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
diff -Nru grub2-2.02+dfsg1/debian/signing-template.json.in 
grub2-2.02+dfsg1/debian/signing-template.json.in
--- grub2-2.02+dfsg1/debian/signing-template.json.in    2019-05-04 
22:58:32.000000000 +0100
+++ grub2-2.02+dfsg1/debian/signing-template.json.in    2019-06-14 
19:04:01.000000000 +0100
@@ -6,6 +6,7 @@
             "files": [
                 {"sig_type": "efi", "file": 
"usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
                 {"sig_type": "efi", "file": 
"usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
+                {"sig_type": "efi", "file": 
"usr/lib/grub/@efi_platform@/monolithic/grubnet@e...@-installer.efi"},
                 {"sig_type": "efi", "file": 
"usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
             ]
         }
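Review bot: The added entry reads `grubnet@e...@-installer.efi` in this rendering, which looks like the mail archive's address obfuscation of `@efi@` rather than the file's content; the real entry needs to be `grubnet@efi@-installer.efi` so it matches the `grubnet$efi_name-installer.efi` output added to build-efi-images, and it is worth confirming that on the actual file. The neighbouring entries in the same section show `@efi@` unmangled, which supports that reading.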

unblock grub2/2.02+dfsg1-19

Thanks,

-- 
Colin Watson                                       [cjwat...@debian.org]

