Secure Boot + 32 bit UEFI

.gitignore

@@ -2,3 +2,4 @@ build/*
 wine
 tools/buildtest
 *.pyo
+.key

Makefile

@@ -1,7 +1,7 @@
 export SHELL = sh
 PACKAGE = wubi
 ICON = data/images/Wubi.ico
-VERSION = $(shell head -n 1 debian/changelog | sed -e "s/^$(PACKAGE) (\(.*\)).*/\1/g" | cut -d r -f 1)
+VERSION = $(shell head -n 1 debian/changelog | sed -e "s/^$(PACKAGE) (\(.*\)).*/\1/g" | cut -d r -f 1) 
 REVISION = $(shell head -n 1 debian/changelog | sed -e "s/^$(PACKAGE) (\(.*\)).*/\1/g" | cut -d r -f 2)
 COPYRIGHTYEAR = 2009
 AUTHOR = Agostino Russo
@@ -21,7 +21,7 @@ wubizip: wubi-pre-build
 	cp wine/drive_c/Python23/python.exe build/wubi #TBD
 	cd build; zip -r wubi.zip wubi
 
-wubi-pre-build: check_wine pylauncher winboot2 src/main.py src/wubi/*.py cpuid version.py translations
+wubi-pre-build: check_wine check_winboot pylauncher winboot2 src/main.py src/wubi/*.py cpuid version.py translations
 	rm -rf build/wubi
 	rm -rf build/bin
 	cp -a blobs build/bin
@@ -84,8 +84,17 @@ winboot2:
 	mkdir -p build/winboot/EFI
 	grub-mkimage -O x86_64-efi -c build/winboot/wubildr-bootstrap.cfg -m build/winboot/wubildr.tar -o build/winboot/EFI/grubx64.efi \
 		loadenv part_msdos part_gpt fat ntfs ext2 ntfscomp iso9660 loopback search linux linuxefi boot minicmd cat cpuid chain halt help ls reboot \
-		echo test configfile gzio normal sleep memdisk tar font gfxterm gettext true efi_gop efi_uga video_bochs video_cirrus probe efifwsetup
+		echo test configfile gzio normal sleep memdisk tar font gfxterm gettext true efi_gop efi_uga video_bochs video_cirrus probe efifwsetup \
+		all_video gfxterm_background png gfxmenu
 	cp /usr/lib/shim/shim.efi.signed build/winboot/EFI/shimx64.efi
+	cp /usr/lib/shim/MokManager.efi.signed build/winboot/EFI/MokManager.efi
+	sbsign --key .key/*.key --cert .key/*.crt --output build/winboot/EFI/grubx64.efi build/winboot/EFI/grubx64.efi
+	grub-mkimage -O i386-efi -c build/winboot/wubildr-bootstrap.cfg -m build/winboot/wubildr.tar -o build/winboot/EFI/grubia32.efi \
+		loadenv part_msdos part_gpt fat ntfs ext2 ntfscomp iso9660 loopback search linux linuxefi boot minicmd cat cpuid chain halt help ls reboot \
+		echo test configfile gzio normal sleep memdisk tar font gfxterm gettext true efi_gop efi_uga video_bochs video_cirrus probe efifwsetup \
+		all_video gfxterm_background png gfxmenu
+	sbsign --key .key/*.key --cert .key/*.crt --output build/winboot/EFI/grubia32.efi build/winboot/EFI/grubia32.efi
+	cp .key/*.cer build/winboot/EFI/.
 
 winboot: grub4dos grubutil
 	mkdir -p build/winboot
@@ -116,6 +125,9 @@ runbin: wubi
 check_wine: tools/check_wine
 	tools/check_wine
 
+check_winboot: tools/check_winboot
+	tools/check_winboot
+
 unittest:
 	tools/pywine tools/test
 
@@ -129,5 +141,5 @@ clean:
 	rm -rf dist/*
 	rm -rf build/*
 
-.PHONY: all build test wubi wubizip wubi-pre-build pot runpy runbin ckeck_wine unittest
+.PHONY: all build test wubi wubizip wubi-pre-build pot runpy runbin check_wine check_winboot unittest
 	7z translations version.py pylauncher winboot grubutil grub4dos

debian/changelog

@@ -1,3 +1,10 @@
+wubi (16.04r301) xenial; urgency=low
+
+  [Hakuna Matata]
+
+  * 32 bit UEFI support
+  * SecureBoot
+
 wubi (16.04r300) xenial; urgency=low
 
   [Hakuna Matata]

src/wubi/backends/win32/backend.py

@@ -36,6 +36,7 @@
 import shutil
 import logging
 import tempfile
+import struct
 log = logging.getLogger('WindowsBackend')
 
 
@@ -601,11 +602,37 @@ def modify_EFI_folder(self, associated_task,bcdedit):
             shutil.rmtree(dest)        
         log.debug('Copying EFI folder %s -> %s' % (src, dest))
         shutil.copytree(src,  dest)
+        if self.get_efi_arch(associated_task,efi_drive)=="ia32":
+            efi_path = join_path(dest, 'grubia32.efi')[2:]
+        else:
+            efi_path = join_path(dest, 'shimx64.efi')[2:]
         if efi_drive != boot_drive:
             run_command(['mountvol', efi_drive, '/d'])
-        efi_path = join_path(dest, 'shimx64.efi')[2:]     
         return efi_path
 
+    def get_efi_arch(self, associated_task, efi_drive):
+        machine=0
+        bootmgfw=join_path(efi_drive,'EFI','Microsoft','Boot','bootmgfw.efi')
+        if os.path.exists(bootmgfw):
+            f=open(bootmgfw, 'rb')
+            s=f.read(2)
+            if s=='MZ':
+                f.seek(60)
+                s=f.read(4)
+                header_offset=struct.unpack("<L", s)[0]
+                f.seek(header_offset+4)
+                s=f.read(2)
+                machine=struct.unpack("<H", s)[0]
+            f.close()
+        if machine==332:
+            efi_arch = "ia32"
+        elif machine==34404:
+            efi_arch = "x64"
+        else:
+            efi_arch ="unknown"
+        log.debug("efi_arch=%s" % efi_arch)
+        return efi_arch
+
     def undo_EFI_folder(self, associated_task):
         for efi_drive in 'HIJKLMNOPQRSTUVWXYZ':
             drive = Drive(efi_drive)

tools/check_winboot

@@ -0,0 +1,41 @@
+#!/bin/sh
+
+if [ ! -e /usr/lib/grub/i386-pc/moddep.lst ]; then
+	echo "Installing grub-pc-bin"
+	sudo apt-get install grub-pc-bin #TBD do not assume apt
+fi
+if [ ! -e /usr/lib/grub/x86_64-efi/moddep.lst ]; then
+	echo "Installing grub-efi-amd64-bin"
+	sudo apt-get install grub-efi-amd64-bin #TBD do not assume apt
+fi
+if [ ! -e /usr/lib/grub/i386-efi/moddep.lst ]; then
+	echo "Installing grub-efi-ia32-bin"
+	sudo apt-get install grub-efi-ia32-bin #TBD do not assume apt
+fi
+if [ ! -e /usr/lib/shim/MokManager.efi.signed ]; then
+	echo "Installing shim..."
+	sudo apt-get install shim #TBD do not assume apt
+fi
+if [ ! -e /usr/lib/shim/shim.efi.signed ]; then
+	echo "Installing shim-signed..."
+	sudo apt-get install shim-signed #TBD do not assume apt
+fi
+if [ ! -e /usr/bin/sbsign ]; then
+	echo "Installing sbsigntool..."
+	sudo apt-get install sbsigntool #TBD do not assume apt
+fi
+if [ ! -e /usr/bin/openssl ];then
+	echo "Installing openssl..."
+	sudo apt-get install openssl #TBD do not assume apt
+fi
+if [ ! -e .key ];then
+	echo "generating new Secure Boot key..."
+	mkdir .key
+        openssl req -new -x509 -newkey rsa:2048 -keyout .key/$(whoami)_wubi.key \
+	-out  .key/$(whoami)_wubi.crt -nodes -days 3650 -subj "/CN="$(whoami)" Wubi/"
+	openssl x509 -in  .key/$(whoami)_wubi.crt -out  .key/$(whoami)_wubi.cer -outform DER
+fi
+
+
+
+