[neon/forks/live-build/Neon/release-lts] scripts/build: attempt to inject the MM image file for secureboot

Harald Sitter null at kde.org
Wed Nov 11 13:41:17 GMT 2020


Git commit b0846c92dec97f4483ed16042ac67729e7e41ce1 by Harald Sitter.
Committed on 11/11/2020 at 13:41.
Pushed by sitter into branch 'Neon/release-lts'.

attempt to inject the MM image file for secureboot

This is missing from upstream live-build, unfortunately, but at least on
Ubuntu bases we need it included, as shim.efi will load mm.efi
when it finds certain Mok-related nvars being set (MM being the Mok
manager for doing key management).

This notably can happen when the user installs Ubuntu with proprietary
hardware that requires unsigned kernel modules. To still carry out
secure boot it needs to enroll a custom key; this is done through the MM.
The installation will set a bunch of nvars that get checked by the shim
on the next boot; the shim then starts the MM and the MM will enroll
the key.
If the actual target system's shim is never run but instead one directly
boots into another live ISO, that ISO's shim would be the one in need of
running the MM, hence the need for the mm.efi: otherwise our shim
would attempt to load the MM on account of finding Mok-related vars and
then fall flat on its face because the mm*.efi file doesn't exist.

This is pretty far out as far as unfortunate chains of events go.

CCBUG: 426167

M  +10   -0    scripts/build/lb_binary_grub-efi

https://invent.kde.org/neon/forks/live-build/commit/b0846c92dec97f4483ed16042ac67729e7e41ce1

diff --git a/scripts/build/lb_binary_grub-efi b/scripts/build/lb_binary_grub-efi
index cfc0bc2..43ebd60 100755
--- a/scripts/build/lb_binary_grub-efi
+++ b/scripts/build/lb_binary_grub-efi
@@ -193,6 +193,16 @@ gen_efi_boot_img(){
 			${_CHROOT_DIR}/grub-efi-temp/EFI/boot/grub\$efi_name.efi
 		cp ${_CHROOT_DIR}/usr/lib/shim/shim\$efi_name.efi.signed \
 			${_CHROOT_DIR}/grub-efi-temp/EFI/boot/boot\$efi_name.efi
+		# neon addition, shim will load mmx64 (the mok image) when it finds certain
+		# nvars for key management. These may be left by uncompleted installations
+		# for example.
+		# I'm kinda intentionally not checking for this file in the if
+		# because we'll want this to fail and re-evaluate the situation
+		# should the file ever disappear as it should always be there if
+		# the shim is there too.
+		# https://bugs.kde.org/show_bug.cgi?id=426167
+		cp ${_CHROOT_DIR}/usr/lib/shim/mm\$efi_name.efi \
+			${_CHROOT_DIR}/grub-efi-temp/EFI/boot/mm\$efi_name.efi
 	fi
 }
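Review bot: the new `cp` takes `mm\$efi_name.efi` from `/usr/lib/shim/` while the shim copy two lines above deliberately takes `shim\$efi_name.efi.signed`; the comment block should state why no `.signed` variant is needed for the MokManager binary, so a later reader does not "fix" the asymmetry. The comment also names `mmx64` specifically although the copy is arch-generic through `\$efi_name`; writing `mm\$efi_name.efi` there avoids confusion on non-x64 builds. Leaving out an existence check is fine and is documented inline: a missing source file makes `cp` fail and the build stop, which is the stated intent.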
 

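The following is an added example, not part of this commit or of live-build itself, to show the two checks a release engineer would want around this change: one that a built image's `EFI/boot` directory carries `mm<arch>.efi` next to every `boot<arch>.efi` shim, and one that lists which Mok request variables are pending in firmware NVRAM (the situation the commit message describes, where an incomplete install leaves requests behind for the next shim to act on). The variable names `MokNew`, `MokDel`, `MokSB`, `MokPW`, `MokDB`, `MokXNew`, `MokXDel` and the GUID `605dab50-e046-4300-abb6-3dd810dd8b23` are shim's own; the directory layout, function names and the constructed sample tree are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not live-build or KDE neon code). Verifies that an image's
# EFI/boot directory pairs each shim (boot<arch>.efi) with its MokManager
# (mm<arch>.efi), and lists pending Mok request variables in efivarfs.
set -u

# check_efi_boot_dir DIR
# Prints one line per problem. Returns 0 when every shim has its mm<arch>.efi.
check_efi_boot_dir() {
    dir=$1
    rc=0
    found=0
    for shim in "$dir"/boot*.efi; do
        [ -e "$shim" ] || continue   # glob matched nothing literally
        found=1
        arch=${shim##*/boot}         # strip up to the last "/boot" -> x64.efi
        arch=${arch%.efi}            # -> x64
        mm="$dir/mm$arch.efi"
        if [ ! -f "$mm" ]; then
            echo "missing $mm for $shim"
            rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no boot*.efi shim found in $dir"
        rc=1
    fi
    return $rc
}

# pending_mok_requests [EFIVARS_DIR]
# Prints the names of Mok request variables present under an efivarfs-style
# directory (default: the real /sys/firmware/efi/efivars, which needs root).
# The GUID is shim's SHIM_LOCK_GUID; the variable list is what shim acts on.
pending_mok_requests() {
    efivars=${1:-/sys/firmware/efi/efivars}
    guid=605dab50-e046-4300-abb6-3dd810dd8b23
    for v in MokNew MokDel MokSB MokPW MokDB MokXNew MokXDel; do
        [ -e "$efivars/$v-$guid" ] && echo "$v"
    done
    return 0
}

# Demo on a constructed tree (assumption: no real ISO or firmware involved).
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/EFI/boot" "$t/efivars"
    : > "$t/EFI/boot/bootx64.efi"     # shim only, as upstream live-build ships it
    : > "$t/EFI/boot/grubx64.efi"
    check_efi_boot_dir "$t/EFI/boot" || echo "-> shim would fail to load MokManager"
    : > "$t/EFI/boot/mmx64.efi"       # what the neon patch adds
    check_efi_boot_dir "$t/EFI/boot" && echo "-> image OK"
    : > "$t/efivars/MokNew-605dab50-e046-4300-abb6-3dd810dd8b23"   # constructed request
    echo "pending Mok requests: $(pending_mok_requests "$t/efivars")"
    rm -rf "$t"
}

demo
```

Run `check_efi_boot_dir` against the `grub-efi-temp/EFI/boot` directory (or the mounted ISO's `EFI/boot`) as a post-build gate; `pending_mok_requests` with no argument needs root and a UEFI host, and a non-empty result means the next shim to boot on that machine will try to chain-load MokManager.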
