From a5ddb3cb4380396025f8ccbc1f7c11bae11b8b8b Mon Sep 17 00:00:00 2001
From: nilusyi <nilusyi@tencent.com>
Date: Wed, 3 Apr 2024 14:49:19 +0800
Subject: [PATCH 251/272] grub-install: disable support for EFI platforms,
 unless use --force

v1: For each platform, GRUB is shipped as a kernel image and a set of
modules. These files are then used by the grub-install utility to
install GRUB on a specific device. However, in order to support UEFI
Secure Boot, the resulting EFI binary must be signed by a recognized
private key. For this reason, for EFI platforms, most distributions also
ship prebuilt EFI binaries signed by a distribution-specific private
key. In this case, however, the grub-install utility should not be used
because it would overwrite the signed EFI binary.

v2: UEFI Secure Boot requires signed grub binaries to work, so grub-
install should not be used. However, users who have Secure Boot
disabled and wish to use the command should not be prevented from
doing so if they invoke --force.

fixes bz#1917213 / bz#2240994

Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
Signed-off-by: Marta Lewandowska <mlewando@redhat.com>
Signed-off-by: nilusyi <nilusyi@tencent.com>
---
 util/grub-install.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/util/grub-install.c b/util/grub-install.c
index 4f0af4844..7a2fcfea2 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1151,6 +1151,12 @@ main (int argc, char *argv[])
     case GRUB_INSTALL_PLATFORM_RISCV64_EFI:
     case GRUB_INSTALL_PLATFORM_IA64_EFI:
       is_efi = 1;
+      if (!force)
+        grub_util_error (_("This utility should not be used for EFI platforms"
+                          " because it does not support UEFI Secure Boot."
+                          " If you really wish to proceed, invoke the --force"
+                          " option.\nMake sure Secure Boot is disabled before"
+                          " proceeding"));
       break;
     default:
       is_efi = 0;
-- 
2.41.0