From: Michael Prokop
Date: Wed, 17 Oct 2018 14:46:50 +0000 (+0200)
Subject: EFI/BOOT: bring back files from Ubuntu 18.04
X-Git-Tag: v0.32.2~1
X-Git-Url: http://git.grml.org/?p=grml-live.git;a=commitdiff_plain;h=8c2668bf55e917289d87d9f59f93763d019a32ca;hp=-c

EFI/BOOT: bring back files from Ubuntu 18.04

Bring back the state of EFI/BOOT files as of commit
bc4f02658ffa63a71ef1bc4f37ae3707ff580382 plus the config change with
commit c35a30b42bac4de7089f936d6917b246ade6d5c5, as this was the last
GRUB version that's known to be working with *unsigned* kernel files.
Otherwise SecureBoot fails to boot with:

| Loading kernel...
| error: /boot/grml/vmlinuz has invalid signature.
| Loading initrd...
| error: you need to load the kernel first.

when using grub2-signed (corresponding to Ubuntu's GRUB
2.02+dfsg1-5ubuntu7) with files e.g. from

  http://de.archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.38+15+1533136590.3beb971-0ubuntu1_amd64.deb +
  http://de.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.109+2.02+dfsg1-5ubuntu7_amd64.deb

This might be related to the change introduced in:

| grub2-signed (1.93.4) bionic; urgency=medium
|
|   * Rebuild against grub2 2.02-2ubuntu8.3 and check kernel is signed on
|     amd64 EFI before installing grub (LP: #1786491).
|
|  -- Julian Andres Klode Mon, 13 Aug 2018 12:51:32 +0200

JFTR, as of 2018-10-17 we have in Ubuntu:

| % rmadison -u ubuntu grub-efi-amd64-signed
| grub-efi-amd64-signed | 1.9~ubuntu12.04.10+1.99-21ubuntu3.19 | precise-security | amd64
| grub-efi-amd64-signed | 1.9~ubuntu12.04.10+1.99-21ubuntu3.19 | precise-updates | amd64
| grub-efi-amd64-signed | 1.34+2.02~beta2-9 | trusty | amd64
| grub-efi-amd64-signed | 1.34.7+2.02~beta2-9ubuntu1.6 | trusty-security | amd64
| grub-efi-amd64-signed | 1.34.17+2.02~beta2-9ubuntu1.15 | trusty-updates | amd64
| grub-efi-amd64-signed | 1.66+2.02~beta2-36ubuntu3 | xenial | amd64
| grub-efi-amd64-signed | 1.66.18+2.02~beta2-36ubuntu3.18 | xenial-updates | amd64
| grub-efi-amd64-signed | 1.93+2.02-2ubuntu8 | bionic | amd64
| grub-efi-amd64-signed | 1.93.7+2.02-2ubuntu8.6 | bionic-updates | amd64
| grub-efi-amd64-signed | 1.93.8+2.02-2ubuntu8.7 | bionic-proposed | amd64
| grub-efi-amd64-signed | 1.109+2.02+dfsg1-5ubuntu7 | cosmic | amd64

Note that EFI boot with ovmf 0~20161202.7bbe0b3e-1 with kvm/qemu on
Debian/stretch fails, resulting in a grub shell prompt of GRUB
2.02-2ubuntu8 (without any menu), e.g.
when invoked via:

| % qemu-system-x86_64 -bios /usr/share/qemu/OVMF.fd -vga qxl -hda grml.iso -m 512

Both the ovmf versions from kraxel as well as from current Debian/testing
AKA buster work though:

| % wget https://www.kraxel.org/repos/jenkins/edk2/edk2.git-ovmf-x64-0-20180807.281.gc526dcd40f.noarch.rpm
| % rpm2cpio edk2.git-ovmf-x64-0-20180807.281.gc526dcd40f.noarch.rpm | cpio -idmv
| % qemu-system-x86_64 -bios ./usr/share/edk2.git/ovmf-x64/OVMF-pure-efi.fd -vga qxl -hda grml.iso -m 512

+

| % wget http://ftp.de.debian.org/debian/pool/main/e/edk2/ovmf_0~20180812.cb5f4f45-1_all.deb
| % dpkg -x ovmf_0\~20180812.cb5f4f45-1_all.deb ovmf
| % qemu-system-x86_64 -bios ovmf/usr/share/ovmf/OVMF.fd -vga qxl -hda grml.iso -m 512

Closes: https://github.com/grml/grml/issues/105
and possibly also related to https://github.com/grml/grml-live/issues/59
---

8c2668bf55e917289d87d9f59f93763d019a32ca
diff --git a/templates/EFI/BOOT/README b/templates/EFI/BOOT/README index bc2ffe9..6e0ed87 100644 --- a/templates/EFI/BOOT/README +++ b/templates/EFI/BOOT/README @@ -1,6 +1,6 @@ # ubuntu approach: shimx64.efi.signed = /usr/lib/shim/shimx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/s/shim-signed/shim-signed_1.34.9+13-0ubuntu2_amd64.deb -grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.103+2.02+dfsg1-5ubuntu1_amd64.deb +grubx64.efi.signed = /usr/lib/grub/x86_64-efi-signed/grubx64.efi.signed from http://de.archive.ubuntu.com/ubuntu/pool/main/g/grub2-signed/grub-efi-amd64-signed_1.93+2.02-2ubuntu8_amd64.deb # NOTE: # shimx64.efi.signed ends up as /EFI/BOOT/bootx64.efi inside [grml_cd]/boot/efi.img, and # grubx64.efi.signed ends up as /EFI/BOOT/grubx64.efi inside [grml_cd]/boot/efi.img, whereas 
diff --git a/templates/EFI/BOOT/grubx64.efi.signed b/templates/EFI/BOOT/grubx64.efi.signed index 6e0f7ae..d502e5f 100644 Binary files a/templates/EFI/BOOT/grubx64.efi.signed and b/templates/EFI/BOOT/grubx64.efi.signed differ
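Review bot: In templates/EFI/BOOT/README, the changed "grubx64.efi.signed = ..." line pins grub-efi-amd64-signed_1.93+2.02-2ubuntu8, but nothing in the README says the pin is deliberate. The reason (newer signed GRUB builds reject the unsigned /boot/grml/vmlinuz under SecureBoot with "has invalid signature") exists only in the commit message, so the next refresh of these files from a current Ubuntu release is likely to reintroduce the boot failure. Suggest adding a line under "# NOTE:" stating that this is the last version known to work with unsigned kernel files and that the shipped kernel is unsigned, with a pointer to https://github.com/grml/grml/issues/105.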
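Review bot: The templates/EFI/BOOT/grubx64.efi.signed change is a binary replacement (index 6e0f7ae..d502e5f) that cannot be checked from the diff, and the README names the source .deb without any checksum, so there is no way to confirm from the repository that the committed blob is the file shipped in grub-efi-amd64-signed_1.93+2.02-2ubuntu8_amd64.deb. Suggest recording the SHA-256 of grubx64.efi.signed (and of shimx64.efi.signed) next to the corresponding URLs in the README so the blobs can be re-verified against the packages.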