代码拉取完成,页面将自动刷新
From 9d91b42285fbb5614c41d9ebdef3f1f65318219a Mon Sep 17 00:00:00 2001
From: nilusyi <[email protected]>
Date: Mon, 1 Apr 2024 17:53:18 +0800
Subject: [PATCH 064/272] grub-install: handle signed grub installation on
arm64-efi
Use grub2-install to handle signed grub installation for arm64 UEFI secure
boot, the default behavior is auto, which will install signed grub whenever
detected.
Two options, --suse-force-signed and --suse-inhibit-signed, can be used to
override the default auto detecting behavior. The former will force to use
prebuilt signed image and thus will fail if missing, the latter will always use
'mkimage' to create unsigned core image per the user's running environment.
Signed-off-by: Michael Chang <[email protected]>
Signed-off-by: nilusyi <[email protected]>
---
util/grub-install.c | 134 +++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 133 insertions(+), 1 deletion(-)
diff --git a/util/grub-install.c b/util/grub-install.c
index b195eabbe..828365580 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -82,6 +82,15 @@ static char *product_version;
static int add_rs_codes = 1;
static int enable_tpm = 0;
+enum
+ {
+ SIGNED_GRUB_INHIBIT,
+ SIGNED_GRUB_AUTO,
+ SIGNED_GRUB_FORCE
+ };
+
+static int signed_grub_mode = SIGNED_GRUB_AUTO;
+
enum
{
OPTION_BOOT_DIRECTORY = 0x301,
@@ -109,6 +118,8 @@ enum
OPTION_NO_RS_CODES,
OPTION_MACPPC_DIRECTORY,
OPTION_ENABLE_TPM,
+ OPTION_FORCE_SIGNED,
+ OPTION_INHIBIT_SIGNED,
OPTION_LABEL_FONT,
OPTION_LABEL_COLOR,
OPTION_LABEL_BGCOLOR,
@@ -231,6 +242,14 @@ argp_parser (int key, char *arg, struct argp_state *state)
enable_tpm = 1;
return 0;
+ case OPTION_FORCE_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_FORCE;
+ return 0;
+
+ case OPTION_INHIBIT_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_INHIBIT;
+ return 0;
+
case OPTION_DEBUG:
verbosity++;
return 0;
@@ -294,6 +313,13 @@ static struct argp_option options[] = {
"This option is only available on x86 BIOS targets."), 0},
{"enable-tpm", OPTION_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
+ {"force-signed", OPTION_FORCE_SIGNED, 0, 0,
+ N_("force installation of signed grub" "%s."
+ "This option is only available on ARM64 EFI targets."), 0},
+ {"inhibit-signed", OPTION_INHIBIT_SIGNED, 0, 0,
+ N_("inhibit installation of signed grub. "
+ "This option is only available on ARM64 EFI targets."), 0},
+
{"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
{"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
{"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
@@ -364,6 +390,22 @@ help_filter (int key, const char *text, void *input __attribute__ ((unused)))
free (plats);
return ret;
}
+ case OPTION_FORCE_SIGNED:
+ {
+ const char *t = get_default_platform ();
+ char *ret;
+ if (grub_strcmp (t, "arm64-efi") == 0)
+ {
+ char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi");
+ char *text2 = xasprintf (" [default=%s]", s);
+ ret = xasprintf (text, text2);
+ free (text2);
+ free (s);
+ }
+ else
+ ret = xasprintf (text, "");
+ return ret;
+ }
case ARGP_KEY_HELP_POST_DOC:
return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME);
default:
@@ -1652,13 +1694,34 @@ main (int argc, char *argv[])
char mkimage_target[200];
const char *core_name = NULL;
+ char *signed_imgfile = NULL;
switch (platform)
{
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+
+ if (signed_grub_mode > SIGNED_GRUB_INHIBIT)
+ {
+ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi");
+ if (!grub_util_is_regular (signed_imgfile))
+ {
+ if (signed_grub_mode >= SIGNED_GRUB_FORCE)
+ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
+ else
+ {
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
+ }
+ }
+
+ if (signed_imgfile)
+ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
+
+ /* fallthrough. */
case GRUB_INSTALL_PLATFORM_I386_EFI:
case GRUB_INSTALL_PLATFORM_X86_64_EFI:
case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
case GRUB_INSTALL_PLATFORM_LOONGARCH64_EFI:
case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
@@ -1725,12 +1788,74 @@ main (int argc, char *argv[])
core_name);
char *prefix = xasprintf ("%s%s", prefix_drive ? : "",
relative_grubdir);
+ char *grub_efi_cfg = NULL;
+ if (!signed_imgfile)
grub_install_make_image_wrap (/* source dir */ grub_install_source_directory,
/*prefix */ prefix,
/* output */ imgfile,
/* memdisk */ NULL,
have_load_cfg ? load_cfg : NULL,
/* image target */ mkimage_target, 0);
+ else if (signed_imgfile)
+ {
+ FILE *grub_cfg_f;
+
+ grub_install_copy_file (signed_imgfile, imgfile, 1);
+ grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg");
+ grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb");
+ if (!grub_cfg_f)
+ grub_util_error (_("Can't create file: %s"), strerror (errno));
+
+ if (have_abstractions)
+ {
+ fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir);
+ fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]);
+ }
+ else if (prefix_drive)
+ {
+ char *uuid = NULL;
+ if (grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid))
+ {
+ grub_print_error ();
+ grub_errno = 0;
+ uuid = NULL;
+ }
+ if (!uuid)
+ grub_util_error ("cannot find fs uuid for %s", grub_fs->name);
+
+ fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid);
+ fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir);
+ }
+
+ if (have_load_cfg)
+ {
+ size_t len;
+ char *buf;
+
+ FILE *fp = grub_util_fopen (load_cfg, "rb");
+ if (!fp)
+ grub_util_error (_("Can't read file: %s"), strerror (errno));
+
+ fseek (fp, 0, SEEK_END);
+ len = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+ buf = xmalloc (len);
+
+ if (fread (buf, 1, len, fp) != len)
+ grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno));
+
+ if (fwrite (buf, 1, len, grub_cfg_f) != len)
+ grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));
+
+ free (buf);
+ fclose (fp);
+ }
+
+ fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n");
+ fclose (grub_cfg_f);
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
/* Backward-compatibility kludges. */
switch (platform)
{
@@ -2023,6 +2148,13 @@ main (int argc, char *argv[])
grub_set_install_backup_ponr ();
free (dst);
+ if (grub_efi_cfg)
+ {
+ dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ grub_install_copy_file (grub_efi_cfg, dst, 1);
+ free (dst);
+ free (grub_efi_cfg);
+ }
}
if (!removable && update_nvram)
{
--
2.41.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。