dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago
Clone

Blame SOURCES/0319-grub-install-disable-support-for-EFI-platforms.patch

3efed6
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
3efed6
From: Jan Hlavac <jhlavac@redhat.com>
3efed6
Date: Fri, 20 Nov 2020 23:51:47 +0100
3efed6
Subject: [PATCH] grub-install: disable support for EFI platforms
3efed6
3efed6
For each platform, GRUB is shipped as a kernel image and a set of
3efed6
modules. These files are then used by the grub-install utility to
3efed6
install GRUB on a specific device. However, in order to support UEFI
3efed6
Secure Boot, the resulting EFI binary must be signed by a recognized
3efed6
private key. For this reason, for EFI platforms, most distributions also
3efed6
ship prebuilt EFI binaries signed by a distribution-specific private
3efed6
key. In this case, however, the grub-install utility should not be used
3efed6
because it would overwrite the signed EFI binary.
3efed6
3efed6
The current fix is suboptimal because it preserves all EFI-related code.
3efed6
A better solution could be to modularize the code and provide a
3efed6
build-time option.
3efed6
3efed6
Resolves: rhbz#1737444
3efed6
3efed6
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
3efed6
---
3efed6
 util/grub-install.c | 35 ++++++++++++++++-------------------
3efed6
 docs/grub.texi      |  7 +++++++
3efed6
 util/grub-install.8 |  4 +++-
3efed6
 3 files changed, 26 insertions(+), 20 deletions(-)
3efed6
3efed6
diff --git a/util/grub-install.c b/util/grub-install.c
3efed6
index 3bf0e063a86..65bb2f99ef1 100644
3efed6
--- a/util/grub-install.c
3efed6
+++ b/util/grub-install.c
3efed6
@@ -888,6 +888,22 @@ main (int argc, char *argv[])
3efed6
 
3efed6
   platform = grub_install_get_target (grub_install_source_directory);
3efed6
 
3efed6
+  switch (platform)
3efed6
+    {
3efed6
+    case GRUB_INSTALL_PLATFORM_ARM_EFI:
3efed6
+    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
3efed6
+    case GRUB_INSTALL_PLATFORM_I386_EFI:
3efed6
+    case GRUB_INSTALL_PLATFORM_IA64_EFI:
3efed6
+    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
3efed6
+      is_efi = 1;
3efed6
+      grub_util_error (_("this utility cannot be used for EFI platforms"
3efed6
+                         " because it does not support UEFI Secure Boot"));
3efed6
+      break;
3efed6
+    default:
3efed6
+      is_efi = 0;
3efed6
+      break;
3efed6
+    }
3efed6
+
3efed6
   {
3efed6
     char *platname = grub_install_get_platform_name (platform);
3efed6
     fprintf (stderr, _("Installing for %s platform.\n"), platname);
3efed6
@@ -994,26 +1010,7 @@ main (int argc, char *argv[])
3efed6
   grub_hostfs_init ();
3efed6
   grub_host_init ();
3efed6
 
3efed6
-  switch (platform)
3efed6
-    {
3efed6
-    case GRUB_INSTALL_PLATFORM_I386_EFI:
3efed6
-    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
3efed6
-    case GRUB_INSTALL_PLATFORM_ARM_EFI:
3efed6
-    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
3efed6
-    case GRUB_INSTALL_PLATFORM_IA64_EFI:
3efed6
-      is_efi = 1;
3efed6
-      break;
3efed6
-    default:
3efed6
-      is_efi = 0;
3efed6
-      break;
3efed6
-
3efed6
-      /* pacify warning.  */
3efed6
-    case GRUB_INSTALL_PLATFORM_MAX:
3efed6
-      break;
3efed6
-    }
3efed6
-
3efed6
   /* Find the EFI System Partition.  */
3efed6
-
3efed6
   if (is_efi)
3efed6
     {
3efed6
       grub_fs_t fs;
3efed6
diff --git a/docs/grub.texi b/docs/grub.texi
3efed6
index c54bee31679..fa11cc0aff7 100644
3efed6
--- a/docs/grub.texi
3efed6
+++ b/docs/grub.texi
3efed6
@@ -6185,6 +6185,13 @@ grub2-install @var{install_device}
3efed6
 The device name @var{install_device} is an OS device name or a GRUB
3efed6
 device name.
3efed6
 
3efed6
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
3efed6
+be signed by a recognized private key. For this reason, for EFI
3efed6
+platforms, most distributions also ship prebuilt GRUB EFI binaries
3efed6
+signed by a distribution-specific private key. In this case, however,
3efed6
+@command{grub2-install} should not be used because it would overwrite
3efed6
+the signed EFI binary.
3efed6
+
3efed6
 @command{grub2-install} accepts the following options:
3efed6
 
3efed6
 @table @option
3efed6
diff --git a/util/grub-install.8 b/util/grub-install.8
3efed6
index 76272a39d2e..02371930fa1 100644
3efed6
--- a/util/grub-install.8
3efed6
+++ b/util/grub-install.8
3efed6
@@ -1,4 +1,4 @@
3efed6
-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
3efed6
+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
3efed6
 .SH NAME
3efed6
 \fBgrub-install\fR \(em Install GRUB on a device.
3efed6
 
3efed6
@@ -31,6 +31,8 @@
3efed6
 .SH DESCRIPTION
3efed6
 \fBgrub-install\fR installs GRUB onto a device.  This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
3efed6
 
3efed6
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
3efed6
+
3efed6
 .SH OPTIONS
3efed6
 .TP
3efed6
 \fB--modules\fR=\fIMODULES\fR\!