From: Daan De Meyer
Date: Sat, 16 Dec 2023 23:21:09 +0000 (+0100)
Subject: Look for shimx64.efi.signed.latest first
X-Git-Tag: v20~55^2~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cacc59422dbc9bf4b3b0f66a646deff0e440a526;p=thirdparty%2Fmkosi.git

Look for shimx64.efi.signed.latest first

shimx64.efi.signed is an absolute symlink on Ubuntu to some path in /etc so let's make sure we try shimx64.efi.signed.latest first. Also, for safety, let's ignore any absolute symlinks while traversing shim binaries.
---
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index 09f48712b..ba94a58a4 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -851,6 +851,10 @@ def find_and_install_shim_binary(
 if state.config.shim_bootloader == ShimBootloader.signed:
 for pattern in signed:
 for p in state.root.glob(pattern):
+ if p.is_symlink() and p.readlink().is_absolute():
+ logging.warning(f"Ignoring signed {name} EFI binary which is an absolute path to {p.readlink()}")
+ continue
+
 rel = p.relative_to(state.root)
 log_step(f"Installing signed {name} EFI binary from /{rel} to /{output}")
 shutil.copy2(p, state.root / output)
@@ -861,6 +865,10 @@ def find_and_install_shim_binary(
 else:
 for pattern in unsigned:
 for p in state.root.glob(pattern):
+ if p.is_symlink() and p.readlink().is_absolute():
+ logging.warning(f"Ignoring unsigned {name} EFI binary which is an absolute path to {p.readlink()}")
+ continue
+
 rel = p.relative_to(state.root)
 if state.config.secure_boot:
 log_step(f"Signing and installing unsigned {name} EFI binary from /{rel} to /{output}")
@@ -892,8 +900,8 @@ def install_shim(state: MkosiState) -> None:
 arch = state.config.architecture.to_efi()
 signed = [
- f"usr/lib/shim/shim{arch}.efi.signed", # Debian
 f"usr/lib/shim/shim{arch}.efi.signed.latest", # Ubuntu
+ f"usr/lib/shim/shim{arch}.efi.signed", # Debian
 f"boot/efi/EFI/*/shim{arch}.efi", # Fedora/CentOS
 "usr/share/efi/*/shim.efi", # OpenSUSE
 ]
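Review bot: The guard added in the signed loop of `find_and_install_shim_binary` only rejects a match whose own link target is absolute, so a relative target with `..` components, or a symlinked directory matched by the `*` in a glob pattern, can still lead outside `state.root`, and `shutil.copy2` follows it. Checking the resolved location covers those cases as well as the absolute one, for example `if not p.resolve().is_relative_to(state.root.resolve()):` ahead of the `continue`. The identical guard in the unsigned loop of the next hunk has the same gap, and there the file appears to be signed as well when `state.config.secure_boot` is set. The function body continues outside both hunks, so what happens when every candidate is skipped cannot be confirmed from here.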
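Review bot: The warning added in the unsigned loop names only the link target and not the file that was skipped, and its wording ("EFI binary which is an absolute path to") describes the binary rather than the symlink. Someone reading the build log will want to know which path inside the image was ignored, so consider binding the target once with `target = p.readlink()` and logging `f"Ignoring unsigned {name} EFI binary /{p.relative_to(state.root)}: symlink to absolute path {target}"`. The same four lines are duplicated in the signed loop with one word changed, so a small shared helper would keep the two branches from drifting apart. The enclosing function starts and ends outside the hunk.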
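Review bot: The `signed` list in `install_shim` is now order-sensitive, but nothing in the code says so; the reason is recorded only in the commit message. A later tidy-up that sorts the entries or groups them by distribution would silently restore the old lookup order. A comment above the first entry would preserve the intent, for example `# Keep .signed.latest ahead of .signed: on Ubuntu the latter is an absolute symlink into /etc.` The list is consumed outside the hunk, so the first-match behaviour is inferred from the commit description rather than from visible code.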