Bug#851994: grub2: build unsigned efi monolithic packages

Luca Boccassi luca.boccassi at gmail.com
Fri Jan 20 16:26:13 UTC 2017


Source: grub2
Version: 2.02~beta3-3
Severity: wishlist
Tags: patch

Dear maintainer,

It would be very useful if users who want to self-sign their EFI
binaries could get the monolithic unsigned EFI images as packages
through apt (GPG-authenticated, etc.).
The attached very trivial patch implements just that, following the
model of linux and linux-signed. The .tar.gz archive is still built
together with the package as I understand it will be needed for DAK.

Kind regards,
Luca Boccassi

From 7471c4807c82957adbc538a81fc681a3e9d2eebd Mon Sep 17 00:00:00 2001
From: Luca Boccassi <lboccass at brocade.com>
Date: Fri, 6 Jan 2017 14:51:12 +0000
Subject: [PATCH] Build unsigned efi monolithic packages

Following the linux and linux-signed model, -unsigned efi packages
for arm64 and amd64 are added and built together with the existing
.tar.gz archive.
This is useful for example to be able to get the unsigned packages
through apt (gpg authenticated etc etc) for users wanting to
self-sign their EFI binaries.
---
 debian/control | 36 ++++++++++++++++++++++++++++++++++++
 debian/rules   | 19 +++++++++++--------
 2 files changed, 47 insertions(+), 8 deletions(-)

diff --git a/debian/control b/debian/control
index 821e2cd..eeb4578 100644
--- a/debian/control
+++ b/debian/control
@@ -342,6 +342,24 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 version)
  EFI-AMD64 architecture, such as the one provided by Intel Macs (that is, unless
  a BIOS interface has been activated).
 
+Package: grub-efi-amd64-unsigned
+Architecture: any-amd64
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version}), efibootmgr [linux-any]
+Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (EFI-AMD64 binaries)
+ GRUB is a portable, powerful bootloader.  This version of GRUB is based on a
+ cleaner design than its predecessors, and provides the following new features:
+ .
+  - Scripting in grub.cfg using BASH-like syntax.
+  - Support for modern partition maps such as GPT.
+  - Modular generation of grub.cfg via update-grub.  Packages providing GRUB
+    add-ons can plug in their own script rules and trigger updates by invoking
+    update-grub.
+ .
+ This package contains a version of GRUB that has been built as a monolithic EFI
+ image for use with EFI-AMD64 architecture.
+
 Package: grub-efi-ia64-bin
 Architecture: any-ia64
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
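Review bot: The new `grub-efi-amd64-unsigned` stanza never states that the image it ships is not signed for UEFI Secure Boot, and its `Replaces:` and `efibootmgr` entries look copied from the installable bootloader packages rather than chosen for an image-only package. Going by the debian/rules hunk in this patch, the package receives only the monolithic images and a `version` file, so `Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)` has nothing to take over and could only hide a real file conflict; unless an install file outside this patch adds more content, I would drop it. I would also add a description line such as ` The image is not signed for UEFI Secure Boot and is meant to be signed with a locally managed key.` The `grub-efi-arm64-unsigned` stanza in the next hunk has the same gap and additionally pulls in `grub-efi-arm64-bin`, `ucf` and a `Pre-Depends`, so the two unsigned packages are inconsistent with each other.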
@@ -482,6 +500,24 @@ Description: GRand Unified Bootloader, version 2 (ARM64 UEFI version)
  This package contains a version of GRUB that has been built for use on
  ARM64 systems with UEFI.
 
+Package: grub-efi-arm64-unsigned
+Architecture: any-arm64
+Pre-Depends: ${misc:Pre-Depends}
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-arm64-bin (= ${binary:Version}), ucf
+Multi-Arch: foreign
+Description: GRand Unified Bootloader, version 2 (ARM64 UEFI version)
+ GRUB is a portable, powerful bootloader.  This version of GRUB is based on a
+ cleaner design than its predecessors, and provides the following new features:
+ .
+  - Scripting in grub.cfg using BASH-like syntax.
+  - Support for modern partition maps such as GPT.
+  - Modular generation of grub.cfg via update-grub.  Packages providing GRUB
+    add-ons can plug in their own script rules and trigger updates by invoking
+    update-grub.
+ .
+ This package contains a version of GRUB that has been built as a monolithic EFI
+ image for use on ARM64 systems with UEFI.
+
 Package: grub-ieee1275-bin
 Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
diff --git a/debian/rules b/debian/rules
index dad1863..a9e1460 100755
--- a/debian/rules
+++ b/debian/rules
@@ -447,6 +447,16 @@ ifneq (,$(filter grub-pc,$(BUILD_PACKAGES)))
 		< debian/legacy/update-grub.ubuntu.patch
 endif
 endif
+ifneq (,$(SB_PACKAGE))
+	mkdir -p debian/$(SB_PACKAGE)-unsigned/usr/lib/grub/$(SB_PLATFORM)-signed/
+	debian/build-efi-images \
+		obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
+		obj/$(SB_PACKAGE)/grub-core \
+		debian/$(SB_PACKAGE)-unsigned/usr/lib/grub/$(SB_PLATFORM)-signed \
+		$(SB_PLATFORM) $(SB_EFI_NAME)
+	echo $(deb_version) \
+		> debian/$(SB_PACKAGE)-unsigned/usr/lib/grub/$(SB_PLATFORM)-signed/version
+endif
 
 override_dh_installdocs:
 	dh_installdocs $(patsubst %,-p%,$(filter grub-common grub-rescue-pc grub-firmware-qemu grub-xen-host,$(BUILD_PACKAGES))) -A AUTHORS NEWS README THANKS TODO
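Review bot: The added block writes unsigned images into `usr/lib/grub/$(SB_PLATFORM)-signed/` inside the `-unsigned` package, so a directory whose name promises signed binaries ends up holding unsigned ones. If a signed-image package or a Secure Boot install path also uses that directory (not visible in this patch, though the name suggests it), the two packages can collide on files, or an unsigned image can be taken for a verified one. A distinct directory, for example `usr/lib/grub/$(SB_PLATFORM)-unsigned`, would avoid both; assigning it once to a variable and reusing it for the `mkdir`, the `build-efi-images` call, the `version` file and the later `tar` step also removes the four repeated copies of the path. The enclosing target starts above this hunk.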
@@ -483,14 +493,7 @@ TARNAME := grub2_$(deb_version)_$(DEB_HOST_ARCH).tar.gz
 override_dh_builddeb:
 	dh_builddeb -- -Zxz
 ifneq (,$(SB_PACKAGE))
-	debian/build-efi-images \
-		obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
-		obj/$(SB_PACKAGE)/grub-core \
-		debian/grub2-images/$(deb_version) \
-		$(SB_PLATFORM) $(SB_EFI_NAME)
-	echo $(deb_version) \
-		> debian/grub2-images/$(deb_version)/version
-	cd debian/grub2-images && tar czvf ../../../$(TARNAME) .
+	cd debian/$(SB_PACKAGE)-unsigned/usr/lib/grub/$(SB_PLATFORM)-signed/ && tar czvf ../../../../../../../$(TARNAME) .
 	dpkg-distaddfile $(TARNAME) raw-uefi -
 endif
 
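Review bot: The new `tar` line reaches its output location through seven hand-counted `..` components, which will silently write the archive to the wrong place if the staging path ever changes depth. The count is correct for the current path (six levels down from the source root, plus one to reach its parent, matching the old `../../../`), but `tar czvf ../$(TARNAME) -C debian/$(SB_PACKAGE)-unsigned/usr/lib/grub/$(SB_PLATFORM)-signed .` gives the same result without the `cd` and without the counting. Because this archive is registered as `raw-uefi` with `dpkg-distaddfile`, a misplaced or stale tarball would go unnoticed until upload, so keeping the path robust matters here.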
-- 
2.1.4


