Blame SOURCES/0169-grub-install-disable-support-for-EFI-platforms.patch

8e15ce
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
8e15ce
From: Jan Hlavac <jhlavac@redhat.com>
8e15ce
Date: Fri, 20 Nov 2020 23:51:47 +0100
8e15ce
Subject: [PATCH] grub-install: disable support for EFI platforms
8e15ce
8e15ce
For each platform, GRUB is shipped as a kernel image and a set of
8e15ce
modules. These files are then used by the grub-install utility to
8e15ce
install GRUB on a specific device. However, in order to support UEFI
8e15ce
Secure Boot, the resulting EFI binary must be signed by a recognized
8e15ce
private key. For this reason, for EFI platforms, most distributions also
8e15ce
ship prebuilt EFI binaries signed by a distribution-specific private
8e15ce
key. In this case, however, the grub-install utility should not be used
8e15ce
because it would overwrite the signed EFI binary.
8e15ce
8e15ce
The current fix is suboptimal because it preserves all EFI-related code.
8e15ce
A better solution could be to modularize the code and provide a
8e15ce
build-time option.
8e15ce
8e15ce
Resolves: rhbz#1737444
8e15ce
8e15ce
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
8e15ce
---
8e15ce
 util/grub-install.c | 37 ++++++++++++++++---------------------
8e15ce
 docs/grub.texi      |  7 +++++++
8e15ce
 util/grub-install.8 |  4 +++-
8e15ce
 3 files changed, 26 insertions(+), 22 deletions(-)
8e15ce
8e15ce
diff --git a/util/grub-install.c b/util/grub-install.c
8e15ce
index a2bec7446cb..5babc7af551 100644
8e15ce
--- a/util/grub-install.c
8e15ce
+++ b/util/grub-install.c
8e15ce
@@ -899,6 +899,22 @@ main (int argc, char *argv[])
8e15ce
 
8e15ce
   platform = grub_install_get_target (grub_install_source_directory);
8e15ce
 
8e15ce
+  switch (platform)
8e15ce
+    {
8e15ce
+    case GRUB_INSTALL_PLATFORM_ARM_EFI:
8e15ce
+    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
8e15ce
+    case GRUB_INSTALL_PLATFORM_I386_EFI:
8e15ce
+    case GRUB_INSTALL_PLATFORM_IA64_EFI:
8e15ce
+    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
8e15ce
+      is_efi = 1;
8e15ce
+      grub_util_error (_("this utility cannot be used for EFI platforms"
8e15ce
+                         " because it does not support UEFI Secure Boot"));
8e15ce
+      break;
8e15ce
+    default:
8e15ce
+      is_efi = 0;
8e15ce
+      break;
8e15ce
+    }
8e15ce
+
8e15ce
   {
8e15ce
     char *platname = grub_install_get_platform_name (platform);
8e15ce
     fprintf (stderr, _("Installing for %s platform.\n"), platname);
8e15ce
@@ -1011,28 +1027,7 @@ main (int argc, char *argv[])
8e15ce
   grub_hostfs_init ();
8e15ce
   grub_host_init ();
8e15ce
 
8e15ce
-  switch (platform)
8e15ce
-    {
8e15ce
-    case GRUB_INSTALL_PLATFORM_I386_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_ARM_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
8e15ce
-    case GRUB_INSTALL_PLATFORM_IA64_EFI:
8e15ce
-      is_efi = 1;
8e15ce
-      break;
8e15ce
-    default:
8e15ce
-      is_efi = 0;
8e15ce
-      break;
8e15ce
-
8e15ce
-      /* pacify warning.  */
8e15ce
-    case GRUB_INSTALL_PLATFORM_MAX:
8e15ce
-      break;
8e15ce
-    }
8e15ce
-
8e15ce
   /* Find the EFI System Partition.  */
8e15ce
-
8e15ce
   if (is_efi)
8e15ce
     {
8e15ce
       grub_fs_t fs;
8e15ce
diff --git a/docs/grub.texi b/docs/grub.texi
8e15ce
index 04ed6ac1f07..4870faaa00a 100644
8e15ce
--- a/docs/grub.texi
8e15ce
+++ b/docs/grub.texi
8e15ce
@@ -6509,6 +6509,13 @@ grub2-install @var{install_device}
8e15ce
 The device name @var{install_device} is an OS device name or a GRUB
8e15ce
 device name.
8e15ce
 
8e15ce
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
8e15ce
+be signed by a recognized private key. For this reason, for EFI
8e15ce
+platforms, most distributions also ship prebuilt GRUB EFI binaries
8e15ce
+signed by a distribution-specific private key. In this case, however,
8e15ce
+@command{grub2-install} should not be used because it would overwrite
8e15ce
+the signed EFI binary.
8e15ce
+
8e15ce
 @command{grub2-install} accepts the following options:
8e15ce
 
8e15ce
 @table @option
8e15ce
diff --git a/util/grub-install.8 b/util/grub-install.8
8e15ce
index 1db89e94b3b..811d441b16c 100644
8e15ce
--- a/util/grub-install.8
8e15ce
+++ b/util/grub-install.8
8e15ce
@@ -1,4 +1,4 @@
8e15ce
-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
8e15ce
+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
8e15ce
 .SH NAME
8e15ce
 \fBgrub-install\fR \(em Install GRUB on a device.
8e15ce
 
8e15ce
@@ -31,6 +31,8 @@
8e15ce
 .SH DESCRIPTION
8e15ce
 \fBgrub-install\fR installs GRUB onto a device.  This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
8e15ce
 
8e15ce
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
8e15ce
+
8e15ce
 .SH OPTIONS
8e15ce
 .TP
8e15ce
 \fB--modules\fR=\fIMODULES\fR\!