grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH v1 11/15] grub-install: disable support for EFI platforms


From: Neal Gompa
Subject: Re: [PATCH v1 11/15] grub-install: disable support for EFI platforms
Date: Sun, 3 Nov 2024 20:07:26 -0500

On Thu, Oct 31, 2024 at 3:43 PM Leo Sandoval <lsandova@redhat.com> wrote:
>
> From: Jan Hlavac <jhlavc@redhat.com>
>
> For each platform, GRUB is shipped as a kernel image and a set of
> modules. These files are then used by the grub-install utility to
> install GRUB on a specific device. However, in order to support UEFI
> Secure Boot, the resulting EFI binary must be signed by a recognized
> private key. For this reason, for EFI platforms, most distributions also
> ship prebuilt EFI binaries signed by a distribution-specific private
> key. In this case, however, the grub-install utility should not be used
> because it would overwrite the signed EFI binary.
>
> The current fix is suboptimal because it preserves all EFI-related code.
> A better solution could be to modularize the code and provide a
> build-time option.
>
> Resolves: rhbz#1737444
>
> Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
> [rharwood: drop man page]
> ---
>  docs/grub.texi      |  7 +++++++
>  util/grub-install.c | 41 +++++++++++++++++++----------------------
>  2 files changed, 26 insertions(+), 22 deletions(-)
>
> diff --git a/docs/grub.texi b/docs/grub.texi
> index a225f9a88..bc9791794 100644
> --- a/docs/grub.texi
> +++ b/docs/grub.texi
> @@ -7080,6 +7080,13 @@ grub-install @var{install_device}
>  The device name @var{install_device} is an OS device name or a GRUB
>  device name.
>
> +In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
> +be signed by a recognized private key. For this reason, for EFI
> +platforms, most distributions also ship prebuilt GRUB EFI binaries
> +signed by a distribution-specific private key. In this case, however,
> +@command{grub2-install} should not be used because it would overwrite
> +the signed EFI binary.
> +
>  @command{grub-install} accepts the following options:
>
>  @table @option
> diff --git a/util/grub-install.c b/util/grub-install.c
> index c245d9359..ee61b042b 100644
> --- a/util/grub-install.c
> +++ b/util/grub-install.c
> @@ -910,6 +910,25 @@ main (int argc, char *argv[])
>
>    platform = grub_install_get_target (grub_install_source_directory);
>
> +  switch (platform)
> +    {
> +    case GRUB_INSTALL_PLATFORM_ARM_EFI:
> +    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
> +    case GRUB_INSTALL_PLATFORM_I386_EFI:
> +    case GRUB_INSTALL_PLATFORM_IA64_EFI:
> +    case GRUB_INSTALL_PLATFORM_LOONGARCH64_EFI:
> +    case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
> +    case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
> +    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
> +      is_efi = 1;
> +      grub_util_error (_("this utility cannot be used for EFI platforms"
> +                         " because it does not support UEFI Secure Boot"));
> +      break;
> +    default:
> +      is_efi = 0;
> +      break;
> +    }
> +
>    {
>      char *platname = grub_install_get_platform_name (platform);
>      fprintf (stderr, _("Installing for %s platform.\n"), platname);
> @@ -1024,27 +1043,6 @@ main (int argc, char *argv[])
>    grub_hostfs_init ();
>    grub_host_init ();
>
> -  switch (platform)
> -    {
> -    case GRUB_INSTALL_PLATFORM_I386_EFI:
> -    case GRUB_INSTALL_PLATFORM_X86_64_EFI:
> -    case GRUB_INSTALL_PLATFORM_ARM_EFI:
> -    case GRUB_INSTALL_PLATFORM_ARM64_EFI:
> -    case GRUB_INSTALL_PLATFORM_LOONGARCH64_EFI:
> -    case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
> -    case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
> -    case GRUB_INSTALL_PLATFORM_IA64_EFI:
> -      is_efi = 1;
> -      break;
> -    default:
> -      is_efi = 0;
> -      break;
> -
> -      /* pacify warning.  */
> -    case GRUB_INSTALL_PLATFORM_MAX:
> -      break;
> -    }
> -
>    switch (platform)
>      {
>      case GRUB_INSTALL_PLATFORM_I386_IEEE1275:
> @@ -1060,7 +1058,6 @@ main (int argc, char *argv[])
>      }
>
>    /* Find the EFI System Partition.  */
> -
>    if (is_efi)
>      {
>        grub_fs_t fs;
> --
> 2.46.2

This patch should not be upstreamed as-is, since it completely breaks
the ability to generate grub-efi binaries on the system with the
assumption that pre-existing ones have been shipped by a distributor.

The rework mentioned in the commit message body needs to happen here,
because it's unacceptable to just completely break stuff.



-- 
真実はいつも一つ!/ Always, there's only one truth!



reply via email to

[Prev in Thread] Current Thread [Next in Thread]