From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id AAD96159C9B for ; Wed, 7 Aug 2024 19:21:46 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id E569A2BC065; Wed, 7 Aug 2024 19:21:45 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id C31892BC065 for ; Wed, 7 Aug 2024 19:21:45 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 8B9163430C6 for ; Wed, 7 Aug 2024 19:21:43 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id C006A1EBC for ; Wed, 7 Aug 2024 19:21:41 +0000 (UTC) From: "Andrew Ammerlaan" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Andrew Ammerlaan" Message-ID: <1723058481.940eefc07945dbf5d50dc818c3557e90a0d860f4.andrewammerlaan@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: sys-boot/grub/ X-VCS-Repository: repo/gentoo X-VCS-Files: sys-boot/grub/grub-2.12-r5.ebuild sys-boot/grub/grub-9999.ebuild X-VCS-Directories: sys-boot/grub/ X-VCS-Committer: andrewammerlaan X-VCS-Committer-Name: Andrew Ammerlaan X-VCS-Revision: 940eefc07945dbf5d50dc818c3557e90a0d860f4 X-VCS-Branch: master Date: Wed, 7 Aug 2024 19:21:41 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: a45deac7-887b-4f15-a411-e98ca4a964f4 X-Archives-Hash: d5d8f6eea6c0e8af498303caa3cd73b1 commit: 940eefc07945dbf5d50dc818c3557e90a0d860f4 Author: Andrew Ammerlaan gentoo org> AuthorDate: Wed Aug 7 14:31:33 2024 +0000 Commit: Andrew Ammerlaan gentoo org> CommitDate: Wed Aug 7 19:21:21 2024 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=940eefc0 sys-boot/grub: implement USE=secureboot via grub-mkstandalone This makes it possible to create a pre-built grub EFI executable signed for secureboot via portage/`secureboot.eclass`. It greatly simplifies setting up grub with secureboot, which is now a bit of a tricky section in the handbook, and makes it possible to get a signed grub EFI executable on systems that do not have the `SECUREBOOT_SIGN_KEY` available via a `sys-boot/grub[secureboot]` binpkg. Unfortunately, since the use of boot partitions, and the mounting point of ESP's varies between systems we cannot rely on the default `/boot/grub/grub.cfg` location to configure grub. Instead the standalone executable reads the `grub.cfg` in the same directory it is in. It is then up to the user to either: - configure `sys-kernel/installkernel` to put the `grub.cfg` in a different location via `GRUB_CFG=`, or - add a little `grub.cfg` that chainloads the real `grub.cfg`. To make this even easier we could write some wrapper around grub-install which would optionally install the prebuilt standalone EFI executable plus an appropriate little `grub.cfg` to chainload the usual `grub.cfg`. But lets leave that for later. Signed-off-by: Andrew Ammerlaan gentoo.org> Closes: https://github.com/gentoo/gentoo/pull/38007 Signed-off-by: Andrew Ammerlaan gentoo.org> .../grub/{grub-9999.ebuild => grub-2.12-r5.ebuild} | 99 ++++++++++++++++++++-- sys-boot/grub/grub-9999.ebuild | 86 ++++++++++++++++++- 2 files changed, 178 insertions(+), 7 deletions(-) diff --git a/sys-boot/grub/grub-9999.ebuild b/sys-boot/grub/grub-2.12-r5.ebuild similarity index 73% copy from sys-boot/grub/grub-9999.ebuild copy to sys-boot/grub/grub-2.12-r5.ebuild index f007f3aaa884..1e22477b727a 100644 --- a/sys-boot/grub/grub-9999.ebuild +++ b/sys-boot/grub/grub-2.12-r5.ebuild @@ -16,11 +16,7 @@ EAPI=7 # If any of the above applies to a user patch, the user should set the # corresponding variable in make.conf or the environment. -if [[ ${PV} == 9999 ]]; then - GRUB_AUTORECONF=1 - GRUB_BOOTSTRAP=1 -fi - +GRUB_AUTORECONF=1 PYTHON_COMPAT=( python3_{10..12} ) WANT_LIBTOOL=none VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/dkiper.gpg @@ -29,7 +25,8 @@ if [[ -n ${GRUB_AUTORECONF} ]]; then inherit autotools fi -inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 toolchain-funcs +inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 +inherit secureboot toolchain-funcs DESCRIPTION="GNU GRUB boot loader" HOMEPAGE="https://www.gnu.org/software/grub/" @@ -49,6 +46,7 @@ if [[ ${PV} != 9999 ]]; then else SRC_URI=" mirror://gnu/${PN}/${P}.tar.xz + https://dev.gentoo.org/~floppym/dist/${P}-bash-completion.patch.gz verify-sig? ( mirror://gnu/${PN}/${P}.tar.xz.sig ) " S=${WORKDIR}/${P%_*} @@ -161,6 +159,8 @@ src_prepare() { "${FILESDIR}"/gfxpayload.patch "${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch "${FILESDIR}"/grub-2.06-test-words.patch + "${FILESDIR}"/grub-2.12-fwsetup.patch + "${WORKDIR}"/grub-2.12-bash-completion.patch ) default @@ -177,6 +177,10 @@ src_prepare() { if [[ -n ${GRUB_AUTORECONF} ]]; then eautoreconf fi + + # Avoid error due to extra_deps.lst missing from source tarball: + # make[3]: *** No rule to make target 'grub-core/extra_deps.lst', needed by 'syminfo.lst'. Stop. + echo "depends bli part_gpt" > grub-core/extra_deps.lst || die } grub_do() { @@ -291,6 +295,70 @@ src_test() { grub_do emake -j1 check } +grub_mkstandalone_secureboot() { + use secureboot || return + + if tc-is-cross-compiler; then + ewarn "USE=secureboot is not supported when cross-compiling." + ewarn "No standalone EFI executable will be built." + return 1 + fi + + local standalone_targets + + case ${CTARGET:-${CHOST}} in + i?86* | x86_64*) + use grub_platforms_efi-32 && standalone_targets+=( i386-efi ) + use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi ) + ;; + arm* | aarch64*) + use grub_platforms_efi-32 && standalone_targets+=( arm-efi ) + use grub_platforms_efi-64 && standalone_targets+=( arm64-efi ) + ;; + riscv*) + use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi ) + use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi ) + ;; + ia64*) + use grub_platforms_efi-64 && standalone_targets+=( ia64-efi ) + ;; + loongarch64*) + use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi ) + ;; + esac + + if [[ ${#standalone_targets[@]} -eq 0 ]]; then + ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS." + ewarn "No standalone EFI executable will be built." + return 1 + fi + + local target mkstandalone_args + + # grub-mkstandalone embeds a config file, make this config file chainload + # a config file in the same directory grub is installed in. This requires + # pre-loading the part_gpt and part_msdos modules. + echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die + for target in "${standalone_targets[@]}"; do + ebegin "Building standalone EFI executable for ${target}" + mkstandalone_args=( + --verbose + --directory="${ED}/usr/lib/grub/${target}" + --locale-directory="${ED}/usr/share/locale" + --format="${target}" + --modules="part_gpt part_msdos" + --sbat="${ED}/usr/share/grub/sbat.csv" + --output="${ED}/usr/lib/grub/grub-${target%-efi}.efi" + "boot/grub/grub.cfg=${T}/grub.cfg" + ) + + "${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}" + eend ${?} || die "grub-mkstandalone failed to build EFI executable" + done + + secureboot_auto_sign +} + src_install() { grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)" use doc && grub_do_once emake -C docs install-html DESTDIR="${D}" @@ -311,6 +379,8 @@ src_install() { # https://bugs.gentoo.org/900348 QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} ) fi + + grub_mkstandalone_secureboot } pkg_postinst() { @@ -345,4 +415,21 @@ pkg_postinst() { ewarn "Due to security concerns, os-prober is disabled by default." ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it." fi + + if use secureboot; then + elog + elog "The signed standalone grub EFI executable(s) are available in:" + elog " /usr/lib/grub/grub-.efi(.signed)" + elog "These EFI executables should be copied to the usual location at:" + elog " ESP/EFI/Gentoo/grub.efi" + elog "Note that 'grub-install' does not install these images." + elog + elog "These standalone grub executables read the grub config file from" + elog "the grub.cfg in the same directory instead of the default" + elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used," + elog "the location of the grub.cfg may be overridden by setting the" + elog "GRUB_CFG environment variable:" + elog " GRUB_CFG=ESP/EFI/Gentoo/grub.cfg" + elog + fi } diff --git a/sys-boot/grub/grub-9999.ebuild b/sys-boot/grub/grub-9999.ebuild index f007f3aaa884..2b24a0433912 100644 --- a/sys-boot/grub/grub-9999.ebuild +++ b/sys-boot/grub/grub-9999.ebuild @@ -29,7 +29,8 @@ if [[ -n ${GRUB_AUTORECONF} ]]; then inherit autotools fi -inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 toolchain-funcs +inherit bash-completion-r1 flag-o-matic multibuild optfeature python-any-r1 +inherit secureboot toolchain-funcs DESCRIPTION="GNU GRUB boot loader" HOMEPAGE="https://www.gnu.org/software/grub/" @@ -291,6 +292,70 @@ src_test() { grub_do emake -j1 check } +grub_mkstandalone_secureboot() { + use secureboot || return + + if tc-is-cross-compiler; then + ewarn "USE=secureboot is not supported when cross-compiling." + ewarn "No standalone EFI executable will be built." + return 1 + fi + + local standalone_targets + + case ${CTARGET:-${CHOST}} in + i?86* | x86_64*) + use grub_platforms_efi-32 && standalone_targets+=( i386-efi ) + use grub_platforms_efi-64 && standalone_targets+=( x86_64-efi ) + ;; + arm* | aarch64*) + use grub_platforms_efi-32 && standalone_targets+=( arm-efi ) + use grub_platforms_efi-64 && standalone_targets+=( arm64-efi ) + ;; + riscv*) + use grub_platforms_efi-32 && standalone_targets+=( riscv32-efi ) + use grub_platforms_efi-64 && standalone_targets+=( riscv64-efi ) + ;; + ia64*) + use grub_platforms_efi-64 && standalone_targets+=( ia64-efi ) + ;; + loongarch64*) + use grub_platforms_efi-64 && standalone_targets+=( loongarch64-efi ) + ;; + esac + + if [[ ${#standalone_targets[@]} -eq 0 ]]; then + ewarn "USE=secureboot is enabled, but no suitable EFI target in GRUB_PLATFORMS." + ewarn "No standalone EFI executable will be built." + return 1 + fi + + local target mkstandalone_args + + # grub-mkstandalone embeds a config file, make this config file chainload + # a config file in the same directory grub is installed in. This requires + # pre-loading the part_gpt and part_msdos modules. + echo 'configfile ${cmdpath}/grub.cfg' > "${T}/grub.cfg" || die + for target in "${standalone_targets[@]}"; do + ebegin "Building standalone EFI executable for ${target}" + mkstandalone_args=( + --verbose + --directory="${ED}/usr/lib/grub/${target}" + --locale-directory="${ED}/usr/share/locale" + --format="${target}" + --modules="part_gpt part_msdos" + --sbat="${ED}/usr/share/grub/sbat.csv" + --output="${ED}/usr/lib/grub/grub-${target%-efi}.efi" + "boot/grub/grub.cfg=${T}/grub.cfg" + ) + + "${ED}/usr/bin/grub-mkstandalone" "${mkstandalone_args[@]}" + eend ${?} || die "grub-mkstandalone failed to build EFI executable" + done + + secureboot_auto_sign +} + src_install() { grub_do emake install DESTDIR="${D}" bashcompletiondir="$(get_bashcompdir)" use doc && grub_do_once emake -C docs install-html DESTDIR="${D}" @@ -311,6 +376,8 @@ src_install() { # https://bugs.gentoo.org/900348 QA_CONFIG_IMPL_DECL_SKIP=( re_{compile_pattern,match,search,set_syntax} ) fi + + grub_mkstandalone_secureboot } pkg_postinst() { @@ -345,4 +412,21 @@ pkg_postinst() { ewarn "Due to security concerns, os-prober is disabled by default." ewarn "Set GRUB_DISABLE_OS_PROBER=false in /etc/default/grub to enable it." fi + + if use secureboot; then + elog + elog "The signed standalone grub EFI executable(s) are available in:" + elog " /usr/lib/grub/grub-.efi(.signed)" + elog "These EFI executables should be copied to the usual location at:" + elog " ESP/EFI/Gentoo/grub.efi" + elog "Note that 'grub-install' does not install these images." + elog + elog "These standalone grub executables read the grub config file from" + elog "the grub.cfg in the same directory instead of the default" + elog "/boot/grub/grub.cfg. When sys-kernel/installkernel[grub] is used," + elog "the location of the grub.cfg may be overridden by setting the" + elog "GRUB_CFG environment variable:" + elog " GRUB_CFG=ESP/EFI/Gentoo/grub.cfg" + elog + fi }