sync with archiso 674f004

674f004 (tag: v66) Add changelog for 66
8ed192b Merge remote-tracking branch 'origin/merge-requests/281'
aef2427 mkarchiso: touch clock-epoch for extra hint on date and time
642beb7 Merge remote-tracking branch 'origin/merge-requests/277'
a2e886b Use VM runners[1] for building
7bc4c54 mkarchiso: preload more GRUB modules and disable shim_lock verifier
b13e5e3 mkarchiso: copy all GRUB files to the ISO
6ac2230 mkarchiso: unset LANGUAGE

Signed-off-by: David P <megver83@parabola.nu>

2 files changed, 113 insertions, 55 deletions

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 34ec95b..43aafd0 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -8,14 +8,29 @@ Changelog
 Added
 -----
 
-- Add ``efibootimg`` to ``mkarchiso`` to abstract the FAT image path.
-
 Changed
 -------
 
 Removed
 -------
 
+[66] - 2022-08-28
+=================
+
+Added
+-----
+
+- Add ``efibootimg`` to ``mkarchiso`` to abstract the FAT image path.
+- Unset ``LANGUAGE`` since ``LC_ALL=C.UTF-8``, unlike ``LC_ALL=C``, does not override ``LANGUAGE``.
+- Copy all files from the ``grub`` directory to ISO9660 and the FAT image, not just only ``grub.cfg``.
+- Touching ``/usr/lib/clock-epoch`` to to help ``systemd`` with screwed or broken RTC.
+
+Changed
+-------
+
+- Disable GRUB's shim_lock verifier and preload more modules. This allows reusing the GRUB EFI binaries when repacking
+  the ISO to support Secure Boot with custom signatures.
+
 [65] - 2022-06-30
 =================
 
diff --git a/parabolaiso/mkparabolaiso b/parabolaiso/mkparabolaiso
index 36b1114..e4dcbfd 100755
--- a/parabolaiso/mkparabolaiso
+++ b/parabolaiso/mkparabolaiso
@@ -3,10 +3,16 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 set -e -u
+shopt -s extglob
 
 # Control the environment
 umask 0022
 export LC_ALL="C.UTF-8"
+if [[ -v LANGUAGE ]]; then
+    # LC_ALL=C.UTF-8, unlike LC_ALL=C, does not override LANGUAGE.
+    # See https://sourceware.org/bugzilla/show_bug.cgi?id=16621 and https://savannah.gnu.org/bugs/?62815
+    unset LANGUAGE
+fi
 [[ -v SOURCE_DATE_EPOCH ]] || printf -v SOURCE_DATE_EPOCH '%(%s)T' -1
 export SOURCE_DATE_EPOCH
 
@@ -549,18 +555,44 @@ _make_efibootimg() {
     mmd -i "${efibootimg}" ::/EFI ::/EFI/BOOT
 }
 
-# Copy the grub.cfg file in efiboot.img which is used by both IA32 UEFI and x64 UEFI.
-_make_efibootimg_grubcfg() {
-    mcopy -i "${efibootimg}" \
-        "${work_dir}/grub.cfg" ::/EFI/BOOT/grub.cfg
+# Copy GRUB files to efiboot.img which is used by both IA32 UEFI and x64 UEFI.
+_make_common_bootmode_grub_copy_to_efibootimg() {
+    local files_to_copy=()
+
+    files_to_copy+=("${work_dir}/grub/"*)
+    if compgen -G "${profile}/grub/!(*.cfg)" &> /dev/null; then
+        files_to_copy+=("${profile}/grub/"!(*.cfg))
+    fi
+    mcopy -i "${efibootimg}" "${files_to_copy[@]}" ::/EFI/BOOT/
 }
 
-_make_bootmode_uefi-ia32.grub.esp() {
+# Copy GRUB files to efiboot.img which is used by both IA32 UEFI and x64 UEFI.
+_make_common_bootmode_grub_copy_to_isofs() {
+    local files_to_copy=()
+
+    files_to_copy+=("${work_dir}/grub/"*)
+    if compgen -G "${profile}/grub/!(*.cfg)" &> /dev/null; then
+        files_to_copy+=("${profile}/grub/"!(*.cfg))
+    fi
+    install -m 0644 -- "${files_to_copy[@]}" "${isofs_dir}/EFI/BOOT/"
+}
+
+# Prepare GRUB configuration files
+_make_common_bootmode_grub_cfg(){
+    local _cfg
+
+    install -d -- "${work_dir}/grub"
+
     # Fill GRUB configuration files
-    sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
-         s|%INSTALL_DIR%|${install_dir}|g;
-         s|%ARCH%|${arch}|g" \
-        "${profile}/grub/grub.cfg" > "${work_dir}/grub.cfg"
+    for _cfg in "${profile}/grub/"*'.cfg'; do
+        sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
+             s|%INSTALL_DIR%|${install_dir}|g;
+             s|%ARCH%|${arch}|g" \
+             "${_cfg}" > "${work_dir}/grub/${_cfg##*/}"
+    done
+    # Add all GRUB files to the list of files used to calculate the required FAT image size.
+    efiboot_files+=("${work_dir}/grub/"
+                    "${profile}/grub/"!(*.cfg))
 
     IFS='' read -r -d '' grubembedcfg <<'EOF' || true
 if ! [ -d "$cmdpath" ]; then
@@ -573,12 +605,26 @@ fi
 configfile "${cmdpath}/grub.cfg"
 EOF
     printf '%s\n' "$grubembedcfg" > "${work_dir}/grub-embed.cfg"
+}
+
+_make_bootmode_uefi-ia32.grub.esp() {
+    local grubmodules=()
+
+    # Prepare configuration files
+    _run_once _make_common_bootmode_grub_cfg
 
     # Create EFI binary
+    # Module list from https://bugs.archlinux.org/task/71382#comment202911
+    grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \
+                 gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \
+                 minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \
+                 search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \
+                 usbserial_usbdebug video xfs zstd)
     grub-mkstandalone -O i386-efi \
-                      --modules="part_gpt part_msdos fat iso9660" \
+                      --modules="${grubmodules[*]}" \
                       --locales="en@quot" \
                       --themes="" \
+                      --disable-shim-lock \
                       -o "${work_dir}/BOOTIA32.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg"
     # Add GRUB to the list of files used to calculate the required FAT image size.
     efiboot_files+=("${work_dir}/BOOTIA32.EFI"
@@ -590,22 +636,19 @@ EOF
     elif [[ " ${bootmodes[*]} " =~ uefi-x64.grub.esp ]]; then
         _run_once _make_bootmode_uefi-x64.grub.esp
     else
-        efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \
-            2>/dev/null | awk 'END { print $1 }')"
+        efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')"
         # Create a FAT image for the EFI system partition
         _make_efibootimg "$efiboot_imgsize"
     fi
 
     # Copy GRUB EFI binary to the default/fallback boot path
-    mcopy -i "${efibootimg}" \
-        "${work_dir}/BOOTIA32.EFI" ::/EFI/BOOT/BOOTIA32.EFI
+    mcopy -i "${efibootimg}" "${work_dir}/BOOTIA32.EFI" ::/EFI/BOOT/BOOTIA32.EFI
 
-    # Copy GRUB configuration files
-    _run_once _make_efibootimg_grubcfg
+    # Copy GRUB files
+    _run_once _make_common_bootmode_grub_copy_to_efibootimg
 
     if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ]]; then
-        mcopy -i "${efibootimg}" \
-            "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ::/shellia32.efi
+        mcopy -i "${efibootimg}" "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ::/shellia32.efi
     fi
 
     _msg_info "Done! GRUB set up for UEFI booting successfully."
@@ -617,6 +660,9 @@ _make_bootmode_uefi-ia32.grub.eltorito() {
     # uefi-ia32.grub.eltorito has the same requirements as uefi-ia32.grub.esp
     _run_once _make_bootmode_uefi-ia32.grub.esp
 
+    # Prepare configuration files
+    _run_once _make_common_bootmode_grub_cfg
+
     # Additionally set up systemd-boot in ISO 9660. This allows creating a medium for the live environment by using
     # manual partitioning and simply copying the ISO 9660 file system contents.
     # This is not related to El Torito booting and no firmware uses these files.
@@ -624,65 +670,55 @@ _make_bootmode_uefi-ia32.grub.eltorito() {
     install -d -m 0755 -- "${isofs_dir}/EFI/BOOT"
 
     # Copy GRUB EFI binary to the default/fallback boot path
-    install -m 0644 -- "${work_dir}/BOOTIA32.EFI" \
-        "${isofs_dir}/EFI/BOOT/BOOTIA32.EFI"
+    install -m 0644 -- "${work_dir}/BOOTIA32.EFI" "${isofs_dir}/EFI/BOOT/BOOTIA32.EFI"
 
     # Copy GRUB configuration files
-    install -m 0644 -- "${work_dir}/grub.cfg" "${isofs_dir}/EFI/BOOT/grub.cfg"
+    _run_once _make_common_bootmode_grub_copy_to_isofs
 
     # edk2-shell based UEFI shell
     if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" ]]; then
-        install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" \
-                           "${isofs_dir}/shellia32.efi"
+        install -m 0644 -- "${pacstrap_dir}/usr/share/edk2-shell/ia32/Shell_Full.efi" "${isofs_dir}/shellia32.efi"
     fi
 
     _msg_info "Done!"
 }
 
 _make_bootmode_uefi-x64.grub.esp() {
-    # Fill Grub configuration files
-    sed "s|%PARABOLAISO_LABEL%|${iso_label}|g;
-         s|%INSTALL_DIR%|${install_dir}|g;
-         s|%ARCH%|${arch}|g" \
-        "${profile}/grub/grub.cfg" > "${work_dir}/grub.cfg"
+    local grubmodules=()
 
-    IFS='' read -r -d '' grubembedcfg <<'EOF' || true
-if ! [ -d "$cmdpath" ]; then
-    # On some firmware, GRUB has a wrong cmdpath when booted from an optical disc.
-    # https://gitlab.archlinux.org/archlinux/archiso/-/issues/183
-    if regexp --set=1:isodevice '^(\([^)]+\))\/?[Ee][Ff][Ii]\/[Bb][Oo][Oo][Tt]\/?$' "$cmdpath"; then
-        cmdpath="${isodevice}/EFI/BOOT"
-    fi
-fi
-configfile "${cmdpath}/grub.cfg"
-EOF
-    printf '%s\n' "$grubembedcfg" > "${work_dir}/grub-embed.cfg"
+    # Prepare configuration files
+    _run_once _make_common_bootmode_grub_cfg
 
     # Create EFI binary
+    # Module list from https://bugs.archlinux.org/task/71382#comment202911
+    grubmodules=(all_video at_keyboard boot btrfs cat chain configfile echo efifwsetup efinet ext2 f2fs fat font \
+                 gfxmenu gfxterm gzio halt hfsplus iso9660 jpeg keylayouts linux loadenv loopback lsefi lsefimmap \
+                 minicmd normal part_apple part_gpt part_msdos png read reboot regexp search search_fs_file \
+                 search_fs_uuid search_label serial sleep tpm usb usbserial_common usbserial_ftdi usbserial_pl2303 \
+                 usbserial_usbdebug video xfs zstd)
     grub-mkstandalone -O x86_64-efi \
-                      --modules="part_gpt part_msdos fat iso9660" \
+                      --modules="${grubmodules[*]}" \
                       --locales="en@quot" \
                       --themes="" \
+                      --disable-shim-lock \
                       -o "${work_dir}/BOOTx64.EFI" "boot/grub/grub.cfg=${work_dir}/grub-embed.cfg"
     # Add GRUB to the list of files used to calculate the required FAT image size.
     efiboot_files+=("${work_dir}/BOOTx64.EFI"
                     "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi")
 
-    efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \
-        2>/dev/null | awk 'END { print $1 }')"
+    efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" 2>/dev/null | awk 'END { print $1 }')"
 
     # Create a FAT image for the EFI system partition
     _make_efibootimg "$efiboot_imgsize"
 
-    # Copy grub EFI binary to the default/fallback boot path
-    mcopy -i "${efibootimg}" \
-        "${work_dir}/BOOTx64.EFI" ::/EFI/BOOT/BOOTx64.EFI
+    # Copy GRUB EFI binary to the default/fallback boot path
+    mcopy -i "${efibootimg}" "${work_dir}/BOOTx64.EFI" ::/EFI/BOOT/BOOTx64.EFI
 
-    _run_once _make_efibootimg_grubcfg
+    # Copy GRUB files
+    _run_once _make_common_bootmode_grub_copy_to_efibootimg
 
     if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then
-        mcopy -i "${efibootimg}" \
-            "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi
+        mcopy -i "${efibootimg}" "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ::/shellx64.efi
     fi
 
     _msg_info "Done! GRUB set up for UEFI booting successfully."
@@ -694,6 +730,9 @@ _make_bootmode_uefi-x64.grub.eltorito() {
     # uefi-x64.grub.eltorito has the same requirements as uefi-x64.grub.esp
     _run_once _make_bootmode_uefi-x64.grub.esp
 
+    # Prepare configuration files
+    _run_once _make_common_bootmode_grub_cfg
+
     # Additionally set up systemd-boot in ISO 9660. This allows creating a medium for the live environment by using
     # manual partitioning and simply copying the ISO 9660 file system contents.
     # This is not related to El Torito booting and no firmware uses these files.
@@ -701,11 +740,10 @@ _make_bootmode_uefi-x64.grub.eltorito() {
     install -d -m 0755 -- "${isofs_dir}/EFI/BOOT"
 
     # Copy GRUB EFI binary to the default/fallback boot path
-    install -m 0644 -- "${work_dir}/BOOTx64.EFI" \
-        "${isofs_dir}/EFI/BOOT/BOOTx64.EFI"
+    install -m 0644 -- "${work_dir}/BOOTx64.EFI" "${isofs_dir}/EFI/BOOT/BOOTx64.EFI"
 
-    # Copy GRUB configuration files
-    install -m 0644 -- "${work_dir}/grub.cfg" "${isofs_dir}/EFI/BOOT"
+    # Copy GRUB files
+    _run_once _make_common_bootmode_grub_copy_to_isofs
 
     # edk2-shell based UEFI shell
     if [[ -e "${pacstrap_dir}/usr/share/edk2-shell/x64/Shell_Full.efi" ]]; then
@@ -727,7 +765,7 @@ _make_bootmode_uefi-x64.systemd-boot.esp() {
                     "${pacstrap_dir}/boot/vmlinuz-"*
                     "${pacstrap_dir}/boot/initramfs-"*".img"
                     "${_available_ucodes[@]}")
-    efiboot_imgsize="$(du -bc "${efiboot_files[@]}" \
+    efiboot_imgsize="$(du -bcs -- "${efiboot_files[@]}" \
         2>/dev/null | awk 'END { print $1 }')"
     # Create a FAT image for the EFI system partition
     _make_efibootimg "$efiboot_imgsize"
@@ -1635,6 +1673,11 @@ _make_version() {
         [[ ! -e "${_os_release}" ]] || sed -i '/^IMAGE_ID=/d;/^IMAGE_VERSION=/d' "${_os_release}"
         printf 'IMAGE_ID=%s\nIMAGE_VERSION=%s\n' "${iso_name}" "${iso_version}" >> "${_os_release}"
     fi
+
+    # Touch /usr/lib/clock-epoch to give another hint on date and time
+    # for systems with screwed or broken RTC.
+    touch -m -d"@${SOURCE_DATE_EPOCH}" -- "${pacstrap_dir}/usr/lib/clock-epoch"
+
     _msg_info "Done!"
 }