代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/grub2 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 1ff2f31d12f7235423a1eb8a117e0c6f8b2f41c7 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 4 Jun 2019 12:32:35 +0800
Subject: [PATCH] grub-install: handle signed grub installation on arm64-efi
Use grub2-install to handle signed grub installation for arm64 UEFI secure
boot, the default behavior is auto, which will install signed grub whenever
detected.
Two options, --suse-force-signed and --suse-inhibit-signed, can be used to
override the default auto detecting behavior. The former will force to use
prebuilt signed image and thus will fail if missing, the latter will always use
'mkimage' to create unsigned core image per the user's running environment.
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub-install.c | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 85 insertions(+), 1 deletion(-)
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -85,6 +85,15 @@
enum
{
+ SIGNED_GRUB_INHIBIT,
+ SIGNED_GRUB_AUTO,
+ SIGNED_GRUB_FORCE
+ };
+
+static int signed_grub_mode = SIGNED_GRUB_AUTO;
+
+enum
+ {
OPTION_BOOT_DIRECTORY = 0x301,
OPTION_ROOT_DIRECTORY,
OPTION_TARGET,
@@ -109,6 +118,8 @@
OPTION_NO_BOOTSECTOR,
OPTION_NO_RS_CODES,
OPTION_SUSE_ENABLE_TPM,
+ OPTION_SUSE_FORCE_SIGNED,
+ OPTION_SUSE_INHIBIT_SIGNED,
OPTION_MACPPC_DIRECTORY,
OPTION_ZIPL_DIRECTORY,
OPTION_LABEL_FONT,
@@ -238,6 +249,14 @@
suse_enable_tpm = 1;
return 0;
+ case OPTION_SUSE_FORCE_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_FORCE;
+ return 0;
+
+ case OPTION_SUSE_INHIBIT_SIGNED:
+ signed_grub_mode = SIGNED_GRUB_INHIBIT;
+ return 0;
+
case OPTION_DEBUG:
verbosity++;
return 0;
@@ -300,7 +319,12 @@
N_("Do not apply any reed-solomon codes when embedding core.img. "
"This option is only available on x86 BIOS targets."), 0},
{"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
-
+ {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
+ N_("force installation of signed grub" "%s."
+ "This option is only available on ARM64 EFI targets."), 0},
+ {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
+ N_("inhibit installation of signed grub. "
+ "This option is only available on ARM64 EFI targets."), 0},
{"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
{"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
{"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
@@ -375,6 +399,22 @@
free (plats);
return ret;
}
+ case OPTION_SUSE_FORCE_SIGNED:
+ {
+ const char *t = get_default_platform ();
+ char *ret;
+ if (grub_strcmp (t, "arm64-efi") == 0)
+ {
+ char *s = grub_util_path_concat (3, grub_util_get_pkglibdir (), t, "grub.efi");
+ char *text2 = xasprintf (" [default=%s]", s);
+ ret = xasprintf (text, text2);
+ free (text2);
+ free (s);
+ }
+ else
+ ret = xasprintf (text, "");
+ return ret;
+ }
case ARGP_KEY_HELP_POST_DOC:
return xasprintf (text, program_name, GRUB_BOOT_DIR_NAME "/" GRUB_DIR_NAME);
default:
@@ -1681,13 +1721,34 @@
char mkimage_target[200];
const char *core_name = NULL;
+ char *signed_imgfile = NULL;
switch (platform)
{
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
+
+ if (signed_grub_mode > SIGNED_GRUB_INHIBIT)
+ {
+ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.efi");
+ if (!grub_util_is_regular (signed_imgfile))
+ {
+ if (signed_grub_mode >= SIGNED_GRUB_FORCE)
+ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
+ else
+ {
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
+ }
+ }
+
+ if (signed_imgfile)
+ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
+
+ /* fallthrough. */
case GRUB_INSTALL_PLATFORM_I386_EFI:
case GRUB_INSTALL_PLATFORM_X86_64_EFI:
case GRUB_INSTALL_PLATFORM_ARM_EFI:
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
case GRUB_INSTALL_PLATFORM_LOONGARCH64_EFI:
case GRUB_INSTALL_PLATFORM_RISCV32_EFI:
case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
@@ -1758,13 +1819,75 @@
core_name);
char *prefix = xasprintf ("%s%s", prefix_drive ? : "",
relative_grubdir);
- if (core_name != mkimage_target)
+ char *grub_efi_cfg = NULL;
+
+ if ((core_name != mkimage_target) && !signed_imgfile)
grub_install_make_image_wrap (/* source dir */ grub_install_source_directory,
/*prefix */ prefix,
/* output */ imgfile,
/* memdisk */ NULL,
have_load_cfg ? load_cfg : NULL,
/* image target */ mkimage_target, 0);
+ else if (signed_imgfile)
+ {
+ FILE *grub_cfg_f;
+
+ grub_install_copy_file (signed_imgfile, imgfile, 1);
+ grub_efi_cfg = grub_util_path_concat (2, platdir, "grub.cfg");
+ grub_cfg_f = grub_util_fopen (grub_efi_cfg, "wb");
+ if (!grub_cfg_f)
+ grub_util_error (_("Can't create file: %s"), strerror (errno));
+
+ if (have_abstractions)
+ {
+ fprintf (grub_cfg_f, "set prefix=(%s)%s\n", grub_drives[0], relative_grubdir);
+ fprintf (grub_cfg_f, "set root=%s\n", grub_drives[0]);
+ }
+ else if (prefix_drive)
+ {
+ char *uuid = NULL;
+ if (grub_fs->fs_uuid && grub_fs->fs_uuid (grub_dev, &uuid))
+ {
+ grub_print_error ();
+ grub_errno = 0;
+ uuid = NULL;
+ }
+ if (!uuid)
+ grub_util_error ("cannot find fs uuid for %s", grub_fs->name);
+
+ fprintf (grub_cfg_f, "search --fs-uuid --set=root %s\n", uuid);
+ fprintf (grub_cfg_f, "set prefix=($root)%s\n", relative_grubdir);
+ }
+
+ if (have_load_cfg)
+ {
+ size_t len;
+ char *buf;
+
+ FILE *fp = grub_util_fopen (load_cfg, "rb");
+ if (!fp)
+ grub_util_error (_("Can't read file: %s"), strerror (errno));
+
+ fseek (fp, 0, SEEK_END);
+ len = ftell (fp);
+ fseek (fp, 0, SEEK_SET);
+ buf = xmalloc (len);
+
+ if (fread (buf, 1, len, fp) != len)
+ grub_util_error (_("cannot read `%s': %s"), load_cfg, strerror (errno));
+
+ if (fwrite (buf, 1, len, grub_cfg_f) != len)
+ grub_util_error (_("cannot write `%s': %s"), grub_efi_cfg, strerror (errno));
+
+ free (buf);
+ fclose (fp);
+ }
+
+ fprintf (grub_cfg_f, "source ${prefix}/grub.cfg\n");
+ fclose (grub_cfg_f);
+ free (signed_imgfile);
+ signed_imgfile = NULL;
+ }
/* Backward-compatibility kludges. */
switch (platform)
{
@@ -2061,6 +2184,13 @@
grub_set_install_backup_ponr ();
free (dst);
+ if (grub_efi_cfg)
+ {
+ dst = grub_util_path_concat (2, efidir, "grub.cfg");
+ grub_install_copy_file (grub_efi_cfg, dst, 1);
+ free (dst);
+ free (grub_efi_cfg);
+ }
}
if (!removable && update_nvram)
{
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。