Bug#1026915: grub-install --removable uses CD boot image instead of normal disk boot image

2023-01-15 Thread Steve McIntyre
On Fri, Dec 23, 2022 at 10:03:18PM +0100, Pascal Hambourg wrote:
>Package: grub-efi-amd64-bin
>Version: 2.06-3~deb11u5
>Tags: patch
>
>When installing GRUB for UEFI secure boot, "grub-install --removable" uses
>the CD boot image gcd{arch}.efi.signed which is designed for CD boot and
>lacks encryption, LVM and RAID support. Such image cannot read /boot on LUKS,
>LVM or Linux RAID.

Right, you're totally correct. IMHO there's no good reason for us to
use the smaller image here with stuff missing. Let's fix that!

-- 
Steve McIntyre, Cambridge, UK.st...@einval.com
"C++ ate my sanity" -- Jon Rabone



Bug#1026915: grub-install --removable uses CD boot image instead of normal disk boot image

2022-12-23 Thread Pascal Hambourg

Package: grub-efi-amd64-bin
Version: 2.06-3~deb11u5
Tags: patch

When installing GRUB for UEFI secure boot, "grub-install --removable" 
uses the CD boot image gcd{arch}.efi.signed which is designed for CD 
boot and lacks encryption, LVM and RAID support. Such image cannot read 
/boot on LUKS, LVM or Linux RAID.


The attached patch uses the normal disk boot image grub{arch}.efi.signed 
instead. This is now possible because the normal disk image embeds a 
config file which searches grub.cfg in $prefix (/EFI/debian) then 
$cmdpath (/EFI/BOOT), instead of $prefix only in previous versions. IMO 
it would be better to reverse the order, cf. patch attached to bug #925309.From 304e813b0c1ff030c4d4dd896aeb46be88478763 Mon Sep 17 00:00:00 2001
From: Pascal Hambourg 
Date: Fri, 23 Dec 2022 12:13:20 +0100
Subject: [PATCH] Use normal signed EFI disk boot image with --removable

grub-install --removable uses the CD boot image gcd{arch}.efi.signed
which is designed for CD boot and lacks crypto, lvm and raid support.
Use the normal disk boot image grub{arch}.efi.signed instead.
---
 debian/patches/install-signed.patch | 17 +++--
 1 file changed, 7 insertions(+), 10 deletions(-)

diff --git a/debian/patches/install-signed.patch b/debian/patches/install-signed.patch
index bfeb3a938..2a5329f13 100644
--- a/debian/patches/install-signed.patch
+++ b/debian/patches/install-signed.patch
@@ -11,15 +11,15 @@ Author: Steve Langasek 
 Author: Linn Crosetto 
 Author: Mathieu Trudel-Lapierre 
 Forwarded: no
-Last-Update: 2021-09-24
+Last-Update: 2022-12-23
 
 Patch-Name: install-signed.patch
 ---
- util/grub-install.c | 212 
- 1 file changed, 153 insertions(+), 59 deletions(-)
+ util/grub-install.c | 209 +++-
+ 1 file changed, 150 insertions(+), 59 deletions(-)
 
 diff --git a/util/grub-install.c b/util/grub-install.c
-index 48e2d3779..f49c78d0b 100644
+index 48e2d3779..a18a35ac8 100644
 --- a/util/grub-install.c
 +++ b/util/grub-install.c
 @@ -80,6 +80,7 @@ static char *label_color;
@@ -192,7 +192,7 @@ index 48e2d3779..f49c78d0b 100644
  	}
t = grub_util_path_concat (3, efidir, "EFI", efi_distributor);
free (efidir);
-@@ -1376,14 +1379,41 @@ main (int argc, char *argv[])
+@@ -1376,14 +1379,38 @@ main (int argc, char *argv[])
  	}
  }
  
@@ -208,10 +208,7 @@ index 48e2d3779..f49c78d0b 100644
 +  {
 +	char *dir = xasprintf ("%s-signed", grub_install_source_directory);
 +	char *signed_image;
-+	if (removable)
-+	  signed_image = xasprintf ("gcd%s.efi.signed", efi_suffix);
-+	else
-+	  signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
++	signed_image = xasprintf ("grub%s.efi.signed", efi_suffix);
 +	efi_signed = grub_util_path_concat (2, dir, signed_image);
 +	break;
 +  }
@@ -236,7 +233,7 @@ index 48e2d3779..f49c78d0b 100644
  	{
  	  char *uuid = NULL;
  	  /*  generic method (used on coreboot and ata mod).  */
-@@ -1941,7 +1971,71 @@ main (int argc, char *argv[])
+@@ -1941,7 +1968,71 @@ main (int argc, char *argv[])
  case GRUB_INSTALL_PLATFORM_IA64_EFI:
{
  	char *dst = grub_util_path_concat (2, efidir, efi_file);
-- 
2.30.2