Package: live-build
Severity: normal
X-Debbugs-Cc: safinas...@gmail.com

The current Live image
( https://cdimage.debian.org/cdimage/weekly-live-builds/amd64/iso-hybrid/debian-live-testing-amd64-kde.iso )
contains the file /EFI/boot/grubx64.efi , which is binary identical to the file
/usr/lib/grub/x86_64-efi-signed/gcdx64.efi.signed
from package "grub-efi-amd64-signed". (Keywords: UEFI, secure boot, GRUB.)

"gcdx64.efi.signed" is generated here: 
https://sources.debian.org/src/grub2/2.12-5/debian/build-efi-images/#L219 .

As you can see, this GRUB binary has memdisk, which contains this config file:
https://sources.debian.org/src/grub2/2.12-5/debian/build-efi-images/#L63 .

This config file tries to find any medium which contains the file /.disk/info
or /.disk/mini-info and then sets "prefix".
This is wrong, because this is unreliable if multiple Live media are present.

Contrast this with the official d-i approach: the official d-i image contains
the GRUB binary grubx64.efi.signed, as opposed to gcdx64.efi.signed . This
binary always unconditionally loads the file /EFI/debian/grub.cfg
( /EFI/debian/grub.cfg is located outside of grubx64.efi.signed, so
/EFI/debian/grub.cfg does not have to be signed). Then /EFI/debian/grub.cfg
finds the real root by its UUID (for example, by the file
/mnt/.disk/id/30d00ffb-e0c5-493a-947c-64a7b625803b ). Live Debian should do a
similar thing.

Moreover, the gcdx64.efi.signed approach for finding the real root is wrong.
So (after Live Debian migrates away from gcdx64.efi.signed)
gcdx64.efi.signed should be removed from the Debian archive or its generation
code should be somehow changed.


-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-0.deb9.30-amd64 (SMP w/8 CPU threads)
Locale: LANG=C, LC_CTYPE=C (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages live-build depends on:
pn  cpio         <none>
pn  debootstrap  <none>

Versions of packages live-build recommends:
ii  apt-utils                       2.7.10
ii  bzip2                           1.0.8-5+b2
pn  cryptsetup                      <none>
ii  file                            1:5.45-2+b1
pn  live-boot-doc                   <none>
pn  live-config-doc                 <none>
pn  live-manual-html | live-manual  <none>
ii  rsync                           3.2.7-1+b1
pn  systemd-container               <none>
ii  wget                            1.21.4-1+b1
ii  xz-utils                        5.4.5-0.3

Versions of packages live-build suggests:
ii  e2fsprogs  1.47.0-2+b1
pn  mtd-utils  <none>
pn  parted     <none>
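
The ambiguity described in the report, as an added example that is not part of the original report or of Debian's GRUB packaging. Directory trees stand in for attached media; the function names and the all-zero id are constructed, and checking `/.disk/id/<id>` at the medium root is an assumption modelled on the path quoted above.

```shell
# Added example: directories stand in for the filesystems GRUB would probe.
# Function names and the all-zero id are constructed for illustration.

# Marker lookup as described in the report: the first medium, in probe
# order, that carries /.disk/info or /.disk/mini-info is selected.
find_by_marker() {
    for root in "$@"; do
        if [ -e "$root/.disk/info" ] || [ -e "$root/.disk/mini-info" ]; then
            printf '%s\n' "$root"
            return 0
        fi
    done
    return 1
}

# Number of media that satisfy the marker lookup; above 1 it is ambiguous.
count_marker_media() {
    n=0
    for root in "$@"; do
        if [ -e "$root/.disk/info" ] || [ -e "$root/.disk/mini-info" ]; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# Id lookup in the style the report attributes to d-i: the medium must
# carry /.disk/id/<id> (assumed layout), and exactly one medium may match.
find_by_id() {
    id=$1; shift
    match=; hits=0
    for root in "$@"; do
        if [ -e "$root/.disk/id/$id" ]; then
            match=$root; hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 1 ] || return 1
    printf '%s\n' "$match"
}

# Constructed sample: two live media attached at the same time.
make_sample_media() {
    base=$(mktemp -d)
    mkdir -p "$base/usb0/.disk/id" "$base/usb1/.disk/id"
    : > "$base/usb0/.disk/info"
    : > "$base/usb1/.disk/info"
    : > "$base/usb0/.disk/id/00000000-0000-0000-0000-000000000000"  # constructed
    : > "$base/usb1/.disk/id/30d00ffb-e0c5-493a-947c-64a7b625803b"  # id quoted in the report
    printf '%s\n' "$base"
}
```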
