summaryrefslogtreecommitdiff
path: root/sys-boot/grub/files/grub-2.00-secureboot-user-sign-2.patch
blob: 9648efa73ef39a557d2e4528555669ee06f244fc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
diff -Nurp grub-2.00.orig/util/grub-install.in grub-2.00/util/grub-install.in
--- grub-2.00.orig/util/grub-install.in	2012-06-26 23:31:03.000000000 +0200
+++ grub-2.00/util/grub-install.in	2012-12-28 10:11:09.515872080 +0100
@@ -821,12 +821,60 @@ elif [ x"${grub_modinfo_target_cpu}-${gr
     gettext "You will have to set \`SystemPartition' and \`OSLoader' manually." 1>&2
     echo 1>&2
 elif [ x"$grub_modinfo_platform" = xefi ]; then
+
+    # sign the efi file with the User SecureBoot key
+    _sign_grub_efi() {
+	local _image="${1}"
+        local _image_dir="$(dirname "${_image}")"
+        local _image_name="$(basename "${_image}")"
+
+	case "$host_os" in
+	    linux*)
+		modprobe -q efivars 2>/dev/null || true ;;
+	esac
+
+	local _private="/boot/SecureBoot/user-private.key"
+	local _public="/boot/SecureBoot/user-public.crt"
+	local _shim_dir="/usr/share/shim-signed-*"
+	if test -f "${_private}" && test -f "${_public}"; then
+            echo "SecureBoot signing ${_image}"
+            sbsign --key "${_private}" --cert "${_public}" \
+                --output "${_image}.signed" \
+                "${_image}" && \
+                mv "${_image}.signed" "${_image}" && \
+		cp ${_shim_dir}/*.efi "${_image_dir}/"
+
+	    # if the image is called bootx64.efi, we need to rename it into
+	    # grubx64.efi and place shim.efi there.
+	    if test "${_image_name}" = "bootx64.efi" || test "${_image_name}" = "BOOTX64.EFI"; then
+		mv "${_image}" "${_image_dir}/grubx64.efi"
+		mv "${_image_dir}/shim.efi" "${_image_dir}/${_image_name}"
+	    else
+    	        # otherwise, if it's named grubx64.efi, we just need to move
+	        # shim.efi to bootx64.efi
+		mv "${_image_dir}/shim.efi" "${_image_dir}/bootx64.efi"
+		if test "${_image_name}" != "grubx64.efi" && test "${_image_name}" != "GRUBX64.EFI"; then
+		    mv "${_image_dir}/${_image_name}" "${_image_dir}/grubx64.efi"
+		fi
+		# and then change efi_file
+		efi_file="bootx64.efi"
+	    fi
+	else
+	    echo "Cannot sign ${_image} for SecureBoot" 1>&2
+	    echo "Kogaion keypair at $(basename ${_private}) not found" 1>&2
+	fi
+    }
+
     cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/${efi_file}"
+    _efi_grub_file="${efidir}/${efi_file}"
     # For old macs. Suggested by Peter Jones.
     if [ x$grub_modinfo_target_cpu = xi386 ]; then
 	cp "${grubdir}/${grub_modinfo_target_cpu}-$grub_modinfo_platform/core.${imgext}" "${efidir}/boot.efi"
+	_efi_grub_file="${efidir}/boot.efi"
     fi
 
+    _sign_grub_efi "${_efi_grub_file}"
+
     # Try to make this image bootable using the EFI Boot Manager, if available.
     efibootmgr="`which efibootmgr`"
     if test "$removable" = no && test -n "$efi_distributor" && \