|
|
8e15ce |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
8e15ce |
From: Jan Hlavac <jhlavac@redhat.com>
|
|
|
8e15ce |
Date: Fri, 20 Nov 2020 23:51:47 +0100
|
|
|
8e15ce |
Subject: [PATCH] grub-install: disable support for EFI platforms
|
|
|
8e15ce |
|
|
|
8e15ce |
For each platform, GRUB is shipped as a kernel image and a set of
|
|
|
8e15ce |
modules. These files are then used by the grub-install utility to
|
|
|
8e15ce |
install GRUB on a specific device. However, in order to support UEFI
|
|
|
8e15ce |
Secure Boot, the resulting EFI binary must be signed by a recognized
|
|
|
8e15ce |
private key. For this reason, for EFI platforms, most distributions also
|
|
|
8e15ce |
ship prebuilt EFI binaries signed by a distribution-specific private
|
|
|
8e15ce |
key. In this case, however, the grub-install utility should not be used
|
|
|
8e15ce |
because it would overwrite the signed EFI binary.
|
|
|
8e15ce |
|
|
|
8e15ce |
The current fix is suboptimal because it preserves all EFI-related code.
|
|
|
8e15ce |
A better solution could be to modularize the code and provide a
|
|
|
8e15ce |
build-time option.
|
|
|
8e15ce |
|
|
|
8e15ce |
Resolves: rhbz#1737444
|
|
|
8e15ce |
|
|
|
8e15ce |
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
|
|
|
8e15ce |
---
|
|
|
8e15ce |
util/grub-install.c | 37 ++++++++++++++++---------------------
|
|
|
8e15ce |
docs/grub.texi | 7 +++++++
|
|
|
8e15ce |
util/grub-install.8 | 4 +++-
|
|
|
8e15ce |
3 files changed, 26 insertions(+), 22 deletions(-)
|
|
|
8e15ce |
|
|
|
8e15ce |
diff --git a/util/grub-install.c b/util/grub-install.c
|
|
|
8e15ce |
index a2bec7446cb..5babc7af551 100644
|
|
|
8e15ce |
--- a/util/grub-install.c
|
|
|
8e15ce |
+++ b/util/grub-install.c
|
|
|
8e15ce |
@@ -899,6 +899,22 @@ main (int argc, char *argv[])
|
|
|
8e15ce |
|
|
|
8e15ce |
platform = grub_install_get_target (grub_install_source_directory);
|
|
|
8e15ce |
|
|
|
8e15ce |
+ switch (platform)
|
|
|
8e15ce |
+ {
|
|
|
8e15ce |
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
|
|
8e15ce |
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
|
8e15ce |
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
|
|
|
8e15ce |
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
|
|
8e15ce |
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
|
|
8e15ce |
+ is_efi = 1;
|
|
|
8e15ce |
+ grub_util_error (_("this utility cannot be used for EFI platforms"
|
|
|
8e15ce |
+ " because it does not support UEFI Secure Boot"));
|
|
|
8e15ce |
+ break;
|
|
|
8e15ce |
+ default:
|
|
|
8e15ce |
+ is_efi = 0;
|
|
|
8e15ce |
+ break;
|
|
|
8e15ce |
+ }
|
|
|
8e15ce |
+
|
|
|
8e15ce |
{
|
|
|
8e15ce |
char *platname = grub_install_get_platform_name (platform);
|
|
|
8e15ce |
fprintf (stderr, _("Installing for %s platform.\n"), platname);
|
|
|
8e15ce |
@@ -1011,28 +1027,7 @@ main (int argc, char *argv[])
|
|
|
8e15ce |
grub_hostfs_init ();
|
|
|
8e15ce |
grub_host_init ();
|
|
|
8e15ce |
|
|
|
8e15ce |
- switch (platform)
|
|
|
8e15ce |
- {
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_I386_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
|
|
8e15ce |
- is_efi = 1;
|
|
|
8e15ce |
- break;
|
|
|
8e15ce |
- default:
|
|
|
8e15ce |
- is_efi = 0;
|
|
|
8e15ce |
- break;
|
|
|
8e15ce |
-
|
|
|
8e15ce |
- /* pacify warning. */
|
|
|
8e15ce |
- case GRUB_INSTALL_PLATFORM_MAX:
|
|
|
8e15ce |
- break;
|
|
|
8e15ce |
- }
|
|
|
8e15ce |
-
|
|
|
8e15ce |
/* Find the EFI System Partition. */
|
|
|
8e15ce |
-
|
|
|
8e15ce |
if (is_efi)
|
|
|
8e15ce |
{
|
|
|
8e15ce |
grub_fs_t fs;
|
|
|
8e15ce |
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
|
8e15ce |
index 04ed6ac1f07..4870faaa00a 100644
|
|
|
8e15ce |
--- a/docs/grub.texi
|
|
|
8e15ce |
+++ b/docs/grub.texi
|
|
|
8e15ce |
@@ -6509,6 +6509,13 @@ grub2-install @var{install_device}
|
|
|
8e15ce |
The device name @var{install_device} is an OS device name or a GRUB
|
|
|
8e15ce |
device name.
|
|
|
8e15ce |
|
|
|
8e15ce |
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
|
|
|
8e15ce |
+be signed by a recognized private key. For this reason, for EFI
|
|
|
8e15ce |
+platforms, most distributions also ship prebuilt GRUB EFI binaries
|
|
|
8e15ce |
+signed by a distribution-specific private key. In this case, however,
|
|
|
8e15ce |
+@command{grub2-install} should not be used because it would overwrite
|
|
|
8e15ce |
+the signed EFI binary.
|
|
|
8e15ce |
+
|
|
|
8e15ce |
@command{grub2-install} accepts the following options:
|
|
|
8e15ce |
|
|
|
8e15ce |
@table @option
|
|
|
8e15ce |
diff --git a/util/grub-install.8 b/util/grub-install.8
|
|
|
8e15ce |
index 1db89e94b3b..811d441b16c 100644
|
|
|
8e15ce |
--- a/util/grub-install.8
|
|
|
8e15ce |
+++ b/util/grub-install.8
|
|
|
8e15ce |
@@ -1,4 +1,4 @@
|
|
|
8e15ce |
-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
|
|
|
8e15ce |
+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
|
|
|
8e15ce |
.SH NAME
|
|
|
8e15ce |
\fBgrub-install\fR \(em Install GRUB on a device.
|
|
|
8e15ce |
|
|
|
8e15ce |
@@ -31,6 +31,8 @@
|
|
|
8e15ce |
.SH DESCRIPTION
|
|
|
8e15ce |
\fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
|
|
|
8e15ce |
|
|
|
8e15ce |
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
|
|
|
8e15ce |
+
|
|
|
8e15ce |
.SH OPTIONS
|
|
|
8e15ce |
.TP
|
|
|
8e15ce |
\fB--modules\fR=\fIMODULES\fR\!
|