Bug 1722938 - Include several modules in the EFI build of Grub2 for security use-cases
Summary: Include several modules in the EFI build of Grub2 for security use-cases
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: Changes Tracking
Version: 31
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Benjamin
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-06-21 18:28 UTC by Ben Cotton
Modified: 2020-02-27 15:41 UTC (History)
6 users (show)

Fixed In Version: grub2-2.02-91.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-10-29 17:13:57 UTC
Type: ---


Attachments (Terms of Use)
patches grub.macros to satisfy the change proposal (1.26 KB, patch)
2019-07-06 15:48 UTC, Benjamin
no flags Details | Diff
automates the setup of sig verification (1.92 KB, application/x-shellscript)
2019-07-06 15:49 UTC, Benjamin
no flags Details
kernel postinstall file. needs review and should utilise kernel-install's command line arguments (1.93 KB, application/x-shellscript)
2019-07-06 15:52 UTC, Benjamin
no flags Details

Description Ben Cotton 2019-06-21 18:28:01 UTC
This is a tracking bug for Change: Include several modules in the EFI build of Grub2 for security use-cases
For more details, see: https://fedoraproject.org/wiki/Changes/Include_security_modules_in_efi_Grub2

Include Grub's "verify," "cryptodisk" and "luks" modules in grubx64.efi of the 'grub2-efi-x64' package.

Comment 1 Benjamin 2019-07-06 15:47:17 UTC
Hi,

Pull requests seem to be disabled for rpms/grub2, so I'm attaching a patch or you can pull from https://src.fedoraproject.org/fork/benjamind/rpms/grub2/c/f1fa5ed240873321c2dd27320c833f45daef3a66?branch=master.

I'm attaching two scripts that I wrote to assist the signature verification portion of the change, and while I know that I should edit the second to properly use kernel-install, I don't think it can be shipped for the moment anyway because it wasn't made part of the change proposal initially. In the meantime, it may be useful for testing (it does work for me in its current state). The first simply automates a lot of the process.

Comment 2 Benjamin 2019-07-06 15:48:50 UTC
Created attachment 1587914 [details]
patches grub.macros to satisfy the change proposal

Comment 3 Benjamin 2019-07-06 15:49:42 UTC
Created attachment 1587915 [details]
automates the setup of sig verification

Comment 4 Benjamin 2019-07-06 15:52:36 UTC
Created attachment 1587916 [details]
kernel postinstall file. needs review and should utilise kernel-install's command line arguments

Place in /usr/lib/kernel/install.d/ and name it "99-grub_verify.install"

Comment 5 Javier Martinez Canillas 2019-07-15 10:57:40 UTC
Fixed in grub2-2.02-91.fc31.

Comment 6 Ben Cotton 2019-08-13 16:55:06 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 7 Ben Cotton 2019-08-13 19:02:28 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to 31.

Comment 8 Ben Cotton 2019-08-29 19:27:40 UTC
We have reached the '100% Code Complete' milestone in the Fedora 31 release cycle. If your Change is complete, please set the status to ON_QA. The Beta Freeze is underway. If you need a freeze exception, see https://fedoraproject.org/wiki/QA:SOP_freeze_exception_bug_process

If this Change will not be ready for Fedora 31, please set the version to rawhide.

Comment 9 Benjamin 2019-08-29 22:01:58 UTC
I re-conferred with Javier a bit ago about reconsidering the above scripts for inclusion, but he told me that it was too close to the branch point.

With them out of the picture, this change is complete.

Comment 10 Ben Cotton 2019-10-29 17:13:57 UTC
Closing Change tracking bugs for the Fedora 31 release.


Note You need to log in before you can comment on or make changes to this bug.