Bug#925309: Wrong prefix directory hardcoded in signed GRUB image

Pascal Hambourg pascal at plouf.fr.eu.org
Tue Dec 13 15:00:30 GMT 2022 

(CC'in Steve McIntyre and debian-efi)

On 24/03/2019 at 01:10, Colin Watson wrote:
> On Fri, Mar 22, 2019 at 08:47:37PM +0100, Pascal Hambourg wrote:
>>
>> grub-install installs this initial grub.cfg in the same location as the
>> signed image, i.e.
>> - /EFI/BOOT if the option --removable is present
>> - the directory derived from the --bootloader-id option if present
>> - the directory derived from $GRUB_DISTRIBUTOR defined in /etc/default/grub
>>
>> The default value of $GRUB_DISTRIBUTOR is "Debian", so the default install
>> location is (EFI_PARTITION)/EFI/debian.
>>
>> However when the signed image is installed in a different location, it still
>> looks for grub.cfg in (EFI_PARTITION)/EFI/debian instead of $cmdpath and
>> spawns the grub> shell unless grub.cfg is present in this location. In the
>> shell, $prefix is set to (EFI_PARTITION)/EFI/debian.
>>
>> Shouldn't the prefix be initialized with $cmdpath instead of the hardcoded
>> path /EFI/debian ?
> 
> Possibly.  The prefix parameter given to grub-mkimage's -p option has to
> be an actual path, not a variable reference.  In order to make it use
> $cmdpath, we'd need another one of the arrangements we use for some of
> the other pre-built images to use a config file embedded in a memdisk.

Upcoming grub2 2.06-3~deb11u5 brought an unexpected side-effect 
regarding bugs #925309 and #1017887.
An initial config file (memdisk)/grub.cfg is now embedded in the signed 
core image along with the font file.
The relevant part is:

	elif [ -e $prefix/grub.cfg ]; then
		source $prefix/grub.cfg
	else
		source $cmdpath/grub.cfg

So if /EFI/debian/grub.cfg does not exist, then /EFI/<id>/grub.cfg can 
now be used instead. This is a significant improvement.

However, two issues remain.

1) If /EFI/debian/grub.cfg exists, it is still used even if 
/EFI/<id>/grub.cfg also exists. This is an issue when installing 
multiple instances of GRUB for different Debian systems if one has the 
default <id>="debian". Is it conceivable to reverse the order and use 
$cmdpath/grub.cfg first ?

2) The file /EFI/<id>/BOOT${ARCH}.CSV always contains the name "debian" 
regardless of the identifier <id> specified by --bootloader-id on the 
grub-install command line or $GRUB_DISTRIBUTOR in /etc/default/grub. The 
name in this file is used by fb${ARCH}.efi run by shim when invoked as 
/EFI/BOOT/BOOT${ARCH}.efi (removable media path) to recreate an EFI boot 
variable for the instance, so the variable will be labelled "debian" 
instead of <id>. Is it conceivable to replace "debian" with <id> in this 
file ?

More information about the Pkg-grub-devel mailing list