Commit ae0a4658 authored by Lorenzo "Palinuro" Faletra

Import Debian changes 2.02+dfsg1-19parrot1

grub2 (2.02+dfsg1-19parrot1) testing; urgency=medium

  * Import new Debian release.

grub2 (2.02+dfsg1-19) unstable; urgency=medium

  [ Colin Watson ]
  * Fix format of debian/copyright.

  [ Steve McIntyre ]
  * Add the ntfs module to signed UEFI images. Closes: #923855
  * Add the cpuid module to signed UEFI images. Closes: #928628
  * Add the play module to signed UEFI images. Closes: #930290
  * Add an extra di-specific version of the UEFI netboot image with a
    different baked-in prefix value. Helps to fix #928750.
  * Deal with --force-extra-removable with signed shim too. Closes: #930531
parent a2b964b3
# see git-dpm(1) from git-dpm package
9569221816a2a1a832be106440375a612e0121b7
9569221816a2a1a832be106440375a612e0121b7
6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
grub2_2.02+dfsg1.orig.tar.xz
......
......@@ -20,16 +20,17 @@ set -e
# Make EFI boot images for signing.
if [ $# -lt 5 ]; then
echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY PLATFORM EFI-NAME [EFI-VENDOR]"
if [ $# -lt 6 ]; then
echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
fi
grub_mkimage="$1"
grub_core="$2"
outdir="$3"
platform="$4"
efi_name="$5"
efi_vendor="${6:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
deb_arch="$4"
platform="$5"
efi_name="$6"
efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
# mkfs.msdos may not be on the default PATH.
export PATH="$PATH:/sbin:/usr/sbin"
......@@ -115,6 +116,7 @@ CD_MODULES="
memdisk
minicmd
normal
ntfs
part_apple
part_msdos
part_gpt
......@@ -141,7 +143,9 @@ CD_MODULES="
case $platform in
x86_64-efi|i386-efi)
CD_MODULES="$CD_MODULES
cpuid
linuxefi
play
"
;;
esac
......@@ -181,15 +185,29 @@ NET_MODULES="$CD_MODULES
tftp
"
# CD boot image
"$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
-d "$grub_core" \
-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
-p /boot/grub \
$CD_MODULES
# Normal disk boot image
"$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
# Normal network boot image
"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-m "$workdir/memdisk-netboot.fat" -p /grub $NET_MODULES
-m "$workdir/memdisk-netboot.fat" \
-p /grub $NET_MODULES
# Special network boot image for d-i to use. Just the same as the
# normal network boot image, but with a different value baked in for
# the prefix setting
"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-m "$workdir/memdisk-netboot.fat" \
-p "${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
exit 0
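Review bot: The modules added to `CD_MODULES` (`ntfs` in the common list, `cpuid` and `play` in the `x86_64-efi|i386-efi` branch) are built into images that the changelog describes as signed, and the script records no reason for any of them. Each addition is extra code that runs under the Secure Boot signature, and `ntfs` is a parser for on-disk data that the signer does not control. A comment above the `case $platform in` block such as `# cpuid, play: x86-only additions to the signed image, see Debian #928628 and #930290`, with an equivalent note for `ntfs` (#923855), would let a later audit of the signed module list trace each entry to its justification. The `CD_MODULES` assignment itself begins outside the visible hunks.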
grub2 (2.02+dfsg1-19parrot1) testing; urgency=medium
* Import new Debian release.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Mon, 24 Jun 2019 22:58:21 +0200
grub2 (2.02+dfsg1-19) unstable; urgency=medium
[ Colin Watson ]
* Fix format of debian/copyright.
[ Steve McIntyre ]
* Add the ntfs module to signed UEFI images. Closes: #923855
* Add the cpuid module to signed UEFI images. Closes: #928628
* Add the play module to signed UEFI images. Closes: #930290
* Add an extra di-specific version of the UEFI netboot image with a
different baked-in prefix value. Helps to fix #928750.
* Deal with --force-extra-removable with signed shim too. Closes: #930531
-- Colin Watson <cjwatson@debian.org> Fri, 14 Jun 2019 19:04:01 +0100
grub2 (2.02+dfsg1-18parrot2) testing; urgency=medium
* Re-include Parrot failsafe boot options.
......
......@@ -2,8 +2,8 @@ Source: grub2
Section: admin
Priority: optional
XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Maintainer: Kali Developers <devel@kali.org>
Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Ian Campbell <ijc@debian.org>
Maintainer: Parrot Dev Team <team@parrotsec.org>
Uploaders: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Build-Depends: debhelper (>= 10~),
patchutils,
python,
......@@ -38,8 +38,8 @@ Build-Depends: debhelper (>= 10~),
Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev
Standards-Version: 3.9.6
Homepage: https://www.gnu.org/software/grub/
Vcs-Git: https://gitlab.com/kalilinux/packages/grub2.git
Vcs-Browser: https://gitlab.com/kalilinux/packages/grub2
Vcs-Git: https://nest.parrotsec.org/debian-packages/grub2
Vcs-Browser: https://nest.parrotsec.org/debian-packages/grub2
Rules-Requires-Root: no
Package: grub2
......
Name: GNU GRUB
Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
Upstream-Name: GNU GRUB
Source: https://www.gnu.org/software/grub/
Files-Excluded: grub-core/lib/libgcrypt*/cipher/crc.c
......
Description: Add failsafe options for acpi and nouveau on boot screen
Author: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Last-Update: 2019-03-20
--- grub2-2.02+dfsg1.orig/util/grub.d/10_linux.in
+++ grub2-2.02+dfsg1/util/grub.d/10_linux.in
@@ -17,6 +17,8 @@ set -e
# You should have received a copy of the GNU General Public License
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+
+
prefix="@prefix@"
exec_prefix="@exec_prefix@"
datarootdir="@datarootdir@"
@@ -120,6 +122,10 @@ linux_entry ()
title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;
init-*)
title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "${type#init-}")" ;;
+ nouveau-off)
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "Nouveau/Nvidia Off")")" ;;
+ acpi-off)
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "ACPI Off")")" ;;
*)
title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;;
esac
@@ -334,6 +340,11 @@ while [ "x$list" != "x" ] ; do
if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
linux_entry "${OS}" "${version}" simple \
"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+
+ linux_entry "${OS}" "${version}" nouveau-off \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} nouveau.modeset=0"
+ linux_entry "${OS}" "${version}" acpi-off \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} acpi=off"
submenu_indentation="$grub_tab"
From 6ee5cc98ec6ca10e00d9cd23a969f0b12ae7ab2e Mon Sep 17 00:00:00 2001
From: Steve McIntyre <93sam@debian.org>
Date: Fri, 14 Jun 2019 16:37:11 +0100
Subject: Deal with --force-extra-removable with signed shim too
In this case, we need both the signed shim as /EFI/BOOT/BOOTXXX.EFI
and signed Grub as /EFI/BOOT/grubXXX.efi.
Also install the BOOTXXX.CSV into /EFI/debian, and FBXXX.EFI into
/EFI/BOOT/ so that it can work when needed (*iff* we're updating the
NVRAM).
[cjwatson: Refactored also_install_removable somewhat for brevity and so
that we're using consistent case-insensitive logic.]
Bug-Debian: https://bugs.debian.org/930531
Last-Update: 2019-06-14
Patch-Name: grub-install-removable-shim.patch
---
util/grub-install.c | 84 ++++++++++++++++++++++++++++++++++++---------
1 file changed, 67 insertions(+), 17 deletions(-)
diff --git a/util/grub-install.c b/util/grub-install.c
index 04d8250c9..03b1283e0 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -880,17 +880,13 @@ check_component_exists(const char *dir,
static void
also_install_removable(const char *src,
const char *base_efidir,
- const char *efi_suffix_upper)
+ const char *efi_file,
+ int is_needed)
{
- char *efi_file = NULL;
char *dst = NULL;
char *cur = NULL;
char *found = NULL;
- if (!efi_suffix_upper)
- grub_util_error ("%s", _("efi_suffix_upper not set"));
- efi_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
-
/* We need to install in $base_efidir/EFI/BOOT/$efi_file, but we
* need to cope with case-insensitive stuff here. Build the path one
* component at a time, checking for existing matches each time. */
@@ -924,10 +920,9 @@ also_install_removable(const char *src,
cur = xstrdup (dst);
free (dst);
free (found);
- grub_install_copy_file (src, cur, 1);
+ grub_install_copy_file (src, cur, is_needed);
free (cur);
- free (efi_file);
}
int
@@ -2046,11 +2041,14 @@ main (int argc, char *argv[])
case GRUB_INSTALL_PLATFORM_IA64_EFI:
{
char *dst = grub_util_path_concat (2, efidir, efi_file);
+ char *removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper);
+
if (uefi_secure_boot)
{
char *shim_signed = NULL;
char *mok_signed = NULL, *mok_file = NULL;
char *fb_signed = NULL, *fb_file = NULL;
+ char *csv_file = NULL;
char *config_dst;
FILE *config_dst_f;
@@ -2059,11 +2057,15 @@ main (int argc, char *argv[])
mok_file = xasprintf ("mm%s.efi", efi_suffix);
fb_signed = xasprintf ("fb%s.efi.signed", efi_suffix);
fb_file = xasprintf ("fb%s.efi", efi_suffix);
+ csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper);
+
+ /* If we have a signed shim binary, install that and all
+ its helpers in the normal vendor path */
if (grub_util_is_regular (shim_signed))
{
char *chained_base, *chained_dst;
- char *mok_src, *mok_dst, *fb_src, *fb_dst;
+ char *mok_src, *mok_dst, *fb_src, *fb_dst, *csv_src, *csv_dst;
if (!removable)
{
free (efi_file);
@@ -2075,8 +2077,6 @@ main (int argc, char *argv[])
chained_base = xasprintf ("grub%s.efi", efi_suffix);
chained_dst = grub_util_path_concat (2, efidir, chained_base);
grub_install_copy_file (efi_signed, chained_dst, 1);
- free (chained_dst);
- free (chained_base);
/* Not critical, so not an error if they are not present (as it
won't be for older releases); but if we have them, make
@@ -2087,8 +2087,6 @@ main (int argc, char *argv[])
mok_file);
grub_install_copy_file (mok_src,
mok_dst, 0);
- free (mok_src);
- free (mok_dst);
fb_src = grub_util_path_concat (2, "/usr/lib/shim/",
fb_signed);
@@ -2096,27 +2094,79 @@ main (int argc, char *argv[])
fb_file);
grub_install_copy_file (fb_src,
fb_dst, 0);
+
+ csv_src = grub_util_path_concat (2, "/usr/lib/shim/",
+ csv_file);
+ csv_dst = grub_util_path_concat (2, efidir,
+ csv_file);
+ grub_install_copy_file (csv_src,
+ csv_dst, 0);
+
+ /* Install binaries into .../EFI/BOOT too:
+ the shim binary
+ the grub binary
+ the shim fallback binary (not fatal on failure) */
+ if (force_extra_removable)
+ {
+ grub_util_info ("Secure boot: installing shim and image into rm path");
+ also_install_removable (shim_signed, base_efidir, removable_file, 1);
+
+ also_install_removable (efi_signed, base_efidir, chained_base, 1);
+
+ /* If we're updating the NVRAM, add fallback too - it
+ will re-update the NVRAM later if things break */
+ if (update_nvram)
+ also_install_removable (fb_src, base_efidir, fb_file, 0);
+ }
+
+ free (chained_dst);
+ free (chained_base);
+ free (mok_src);
+ free (mok_dst);
free (fb_src);
free (fb_dst);
+ free (csv_src);
+ free (csv_dst);
}
else
- grub_install_copy_file (efi_signed, dst, 1);
+ {
+ /* Tried to install for secure boot, but no signed
+ shim found. Fall back to just installing the signed
+ grub binary */
+ grub_util_info ("Secure boot (no shim): installing signed grub binary");
+ grub_install_copy_file (efi_signed, dst, 1);
+ if (force_extra_removable)
+ {
+ grub_util_info ("Secure boot (no shim): installing signed grub binary into rm path");
+ also_install_removable (efi_signed, base_efidir, removable_file, 1);
+ }
+ }
+ /* In either case, install our grub.cfg */
config_dst = grub_util_path_concat (2, efidir, "grub.cfg");
grub_install_copy_file (load_cfg, config_dst, 1);
config_dst_f = grub_util_fopen (config_dst, "ab");
fprintf (config_dst_f, "configfile $prefix/grub.cfg\n");
fclose (config_dst_f);
free (config_dst);
- if (force_extra_removable)
- also_install_removable(efi_signed, base_efidir, efi_suffix_upper);
+
+ free (csv_file);
+ free (fb_file);
+ free (fb_signed);
+ free (mok_file);
+ free (mok_signed);
+ free (shim_signed);
}
else
{
+ /* No secure boot - just install our newly-generated image */
+ grub_util_info ("No Secure Boot: installing core image");
grub_install_copy_file (imgfile, dst, 1);
if (force_extra_removable)
- also_install_removable(imgfile, base_efidir, efi_suffix_upper);
+ also_install_removable (imgfile, base_efidir, removable_file, 1);
}
+
+ free (removable_file);
free (dst);
}
if (!removable && update_nvram)
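Review bot: The new `removable_file = xasprintf ("BOOT%s.EFI", efi_suffix_upper)` at the top of the EFI case, and `csv_file = xasprintf ("BOOT%s.CSV", efi_suffix_upper)` below it, format `efi_suffix_upper` without the null check that this patch removes from `also_install_removable`. If that variable can be unset for any platform reaching this case (its assignment is outside the hunks), the file name is built from a null pointer instead of stopping with the old "efi_suffix_upper not set" error. That formatting now runs even when `--force-extra-removable` was not given. Keeping the guard ahead of the first use would preserve the previous behaviour: `if (!efi_suffix_upper) grub_util_error ("%s", _("efi_suffix_upper not set"));`. `main` starts and ends outside the hunks shown.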
......@@ -137,4 +137,4 @@ efi-variable-storage-minimise-writes.patch
arm-move-trampolines-into-code-section.patch
arm-align-section-alignment-with-manual-reloc-offset.patch
no-devicetree-if-secure-boot.patch
add-failsafe-boot-options.patch
grub-install-removable-shim.patch
......@@ -219,7 +219,7 @@ debian/stamps/build-grub-efi-ia32 debian/stamps/build-grub-efi-amd64 debian/stam
obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
obj/$(package)/grub-core \
obj/monolithic/$(package) \
$(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) $(SB_EFI_VENDOR)
touch $@
debian/stamps/build-grub-xen-host-i386: PVBOOT_ARCH := i386
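Review bot: `$(DEB_HOST_ARCH)` is inserted as a bare word in the middle of the positional argument list, so if it ever expands to nothing the later arguments shift left. When `$(SB_EFI_VENDOR)` is set, the script's `$# -lt 6` test then still passes, with the platform string taken as the architecture, and any failure surfaces later inside the script rather than at the call site. Whether the variable is always defined cannot be seen from this hunk. A parse-time guard such as `$(if $(strip $(DEB_HOST_ARCH)),,$(error DEB_HOST_ARCH is empty))` would turn that case into an immediate build error before any image destined for signing is produced. The rule's target line and the start of its recipe are outside the hunk.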
......
......@@ -6,6 +6,7 @@
"files": [
{"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/gcd@efi@.efi"},
{"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@.efi"},
{"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grubnet@efi@-installer.efi"},
{"sig_type": "efi", "file": "usr/lib/grub/@efi_platform@/monolithic/grub@efi@.efi"}
]
}
......