diff --git a/changelog/security/2023-10-12-grub-update.md b/changelog/security/2023-10-12-grub-update.md new file mode 100644 index 00000000000..7e36bbab06e --- /dev/null +++ b/changelog/security/2023-10-12-grub-update.md @@ -0,0 +1 @@ +- grub ([CVE-2023-4692](https://nvd.nist.gov/vuln/detail/CVE-2023-4692), [CVE-2023-4693](https://nvd.nist.gov/vuln/detail/CVE-2023-4693)) diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/Manifest b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/Manifest index e69bf3b0ad4..9adaa7a4b23 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/Manifest +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/Manifest @@ -1,8 +1,5 @@ DIST dejavu-sans-ttf-2.37.zip 417746 BLAKE2B c8904f3cd5a49370a7dc10e456684c88aeae998a99090bf4d0a5baa4f36cc8fb8f70586cf6d610a5ffeee97261d28c80f55bbe9dcfc3ed796d5c2d60e79adb58 SHA512 ede5899daa1984c5aa8cacb1c850eb53f189dddef3d9bb78bf9774d8976b7c0d6eb0bcf86237cd7d11f5b36cf5b5058d42cd94d3bd76f2bd0931c7ceb1271fae -DIST grub-2.06-backports-r2.tar.xz 40416 BLAKE2B d9b4a8274a24aa35023eef7450bc4311045d0872250b1d11b1714b9daa32f7862fe1444b5b86db8b885a9f7b3af2459a5b2f87f0beaf4326a982fd96ec51d602 SHA512 99cf40b3d3d10cf6ba928ccc571c3a8baab217f650267fa7de4ba4ce807a895ff9414156647cc4dcb34bfbe48747a0c486bf60fee1c188a2dc89f26c2db3840f +DIST grub-2.06-backports-r3.tar.xz 47612 BLAKE2B 235610e826c7a76d05872fb51e74564fb3861590f95377d5dcb9a5a4b0f5037d0b71c9f334bfe0bbe399f65036088d808f7af8e43090007ab7394002d05f7b4a SHA512 561f031dca2cdc13fc1b3f3cfdbdccd7decd67ef18ddcc588327f141b026eadcda5d64d729929859cad54959b3855ff86c1f62e3ff1d8ae5f6f5ac5761fa6ba4 DIST grub-2.06.tar.xz 6581924 BLAKE2B 2a40b9b03d7bb3b9e7b1309ab274d686f01b3c42e7035ebc6e5a0e59a59c3b7362ba518341664b314cb0dbc8222bb10ea05ce09f08ce9d58a293207cb909e417 SHA512 4f11c648f3078567e53fc0c74d5026fdc6da4be27d188975e79d9a4df817ade0fe5ad2ddd694238a07edc45adfa02943d83c57767dd51548102b375e529e8efe DIST grub-2.06.tar.xz.sig 566 BLAKE2B 2ff18fb40d9cce36cac110ba9996f88236dbaa261d19e777a6d23a0e9754a9fc8bc45a01896f4838c88bb44edff0172a97611202cb3ffd5653a3cbdfc102ae16 SHA512 797683dafade76b5981bd02f079d7dcecb36f5d07eca652181fd69f3df821931f84cc0d8771bfb80506ef41fbd96edfb202b6698af1fec3c8228dd320a05fa84 -DIST grub-2.12~rc1.tar.xz 6589460 BLAKE2B edfad62a01970026ca4ad088056da6225ef1319a08e8a95418b24cc8102be7fe45bb1412797aab13f8c1f4f690cf2fa9e5b4725f6769013ce76aa81c43952557 SHA512 6f1fbce004b6dccf58e203bf6a6eeb771bac5ecc54b503265e56a97e9adce0221677bb3e64328144ec921f327a099f0345e7a9952be41cd8808f7635cded52cb -DIST grub-2.12~rc1.tar.xz.sig 566 BLAKE2B 4b0563623498d06f512d29d9a84a4f8386e7d5adf257d0f2ea8f3301e5112b7ad669741d78519dfa35d16e7f1695b0c74740d679f07e41774ecc8910c3f6bc5c SHA512 b8b3c818679b50810e2d9e597a01c34b05fbc1218a88bdf35aaec798ce29b376c7aa696c50233d416306a480f6ee602dfcbe7eaf481c503f3c203a7b8e8db7a2 DIST unifont-12.1.02.pcf.gz 1335424 BLAKE2B 97080312468e3f3c8aa6f49cef08f5622641e8c9c035f3ede1e09d8d98de4e78d3b23c8aba2e8070eb46cbebd2d55e8568e467d7f15f35aa8fc8db792b7e5f14 SHA512 b280b2db7cf5f480b0668c331130dede2c0cc87d5e02e44566b77787113d0f6604d0105522858288f2ac6b8e77df7a2d9878725013a6c778dc5bfb183156e2f0 -DIST unifont-15.0.06.pcf.gz 1358322 BLAKE2B 81811e3de390ca35d1a2dc1f1dee73464e97f44907ba522c218ba9c5e39ca3c9d767552780a257a97c156eb623c17786d9c0d2b67786d61df5ca33a1e10db7ca SHA512 0a28a406629c604f5cbf51f501528239a7ed50d19f93ea505bc5bdc72639e4b926b03f4b8782a5733041f7cdb4aebb9948ac7cfd5a8ad9a0fe309944e595517b diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-fs-ext2-ignore-checksum-seed.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-fs-ext2-ignore-checksum-seed.patch deleted file mode 100644 index 9024b479a87..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-fs-ext2-ignore-checksum-seed.patch +++ /dev/null @@ -1,62 +0,0 @@ -https://bugs.gentoo.org/894200 -https://git.savannah.gnu.org/cgit/grub.git/patch/?id=7fd5feff97c4b1f446f8fcf6d37aca0c64e7c763 - -From 7fd5feff97c4b1f446f8fcf6d37aca0c64e7c763 Mon Sep 17 00:00:00 2001 -From: Javier Martinez Canillas -Date: Fri, 11 Jun 2021 21:36:16 +0200 -Subject: fs/ext2: Ignore checksum seed incompat feature - -This incompat feature is used to denote that the filesystem stored its -metadata checksum seed in the superblock. This is used to allow tune2fs -changing the UUID on a mounted metdata_csum filesystem without having -to rewrite all the disk metadata. However, the GRUB doesn't use the -metadata checksum at all. So, it can just ignore this feature if it -is enabled. This is consistent with the GRUB filesystem code in general -which just does a best effort to access the filesystem's data. - -The checksum seed incompat feature has to be removed from the ignore -list if the support for metadata checksum verification is added to the -GRUB ext2 driver later. - -Suggested-by: Eric Sandeen -Suggested-by: Lukas Czerner -Signed-off-by: Javier Martinez Canillas -Reviewed-by: Lukas Czerner -Reviewed-by: Daniel Kiper ---- - grub-core/fs/ext2.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c -index e7dd78e..4953a15 100644 ---- a/grub-core/fs/ext2.c -+++ b/grub-core/fs/ext2.c -@@ -103,6 +103,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); - #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080 - #define EXT4_FEATURE_INCOMPAT_MMP 0x0100 - #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200 -+#define EXT4_FEATURE_INCOMPAT_CSUM_SEED 0x2000 - #define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 - - /* The set of back-incompatible features this driver DOES support. Add (OR) -@@ -123,10 +124,15 @@ GRUB_MOD_LICENSE ("GPLv3+"); - * mmp: Not really back-incompatible - was added as such to - * avoid multiple read-write mounts. Safe to ignore for this - * RO driver. -+ * checksum seed: Not really back-incompatible - was added to allow tools -+ * such as tune2fs to change the UUID on a mounted metadata -+ * checksummed filesystem. Safe to ignore for now since the -+ * driver doesn't support checksum verification. However, it -+ * has to be removed from this list if the support is added later. - */ - #define EXT2_DRIVER_IGNORED_INCOMPAT ( EXT3_FEATURE_INCOMPAT_RECOVER \ -- | EXT4_FEATURE_INCOMPAT_MMP) -- -+ | EXT4_FEATURE_INCOMPAT_MMP \ -+ | EXT4_FEATURE_INCOMPAT_CSUM_SEED) - - #define EXT3_JOURNAL_MAGIC_NUMBER 0xc03b3998U - --- -cgit v1.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-gentpl.py-Remove-.interp-section-from-.img-files.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-gentpl.py-Remove-.interp-section-from-.img-files.patch deleted file mode 100644 index 8d543d4ea9b..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-gentpl.py-Remove-.interp-section-from-.img-files.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 28ad1f9b95799afc94fa178ec935e297da94cced Mon Sep 17 00:00:00 2001 -From: Nicholas Vinson -Date: Fri, 13 Jan 2023 02:56:35 -0500 -Subject: [PATCH] gentpl.py: Remove .interp section from .img files. - -Whn building .img files, a .interp section from the .image files will -sometimes be copied into the .img file. This additional section pushes -the .img file beyond the 512-byte limit and causes grub-install to fail -to run for i386-pc platforms. - -Signed-off-by: Nicholas Vinson ---- - gentpl.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/gentpl.py b/gentpl.py -index c86550d4f..823a8b5f8 100644 ---- a/gentpl.py -+++ b/gentpl.py -@@ -766,7 +766,7 @@ def image(defn, platform): - if test x$(TARGET_APPLE_LINKER) = x1; then \ - $(MACHO2IMG) $< $@; \ - else \ -- $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx $< $@; \ -+ $(TARGET_OBJCOPY) $(""" + cname(defn) + """_OBJCOPYFLAGS) --strip-unneeded -R .note -R .comment -R .note.gnu.build-id -R .MIPS.abiflags -R .reginfo -R .rel.dyn -R .note.gnu.gold-version -R .note.gnu.property -R .ARM.exidx -R .interp $< $@; \ - fi - """) - --- -2.39.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch deleted file mode 100644 index e2a6414ef05..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-grub-mkconfig-restore-umask.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 -From: Michael Chang -Date: Fri, 3 Dec 2021 16:13:28 +0800 -Subject: grub-mkconfig: Restore umask for the grub.cfg - -The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating -configuration by grub-mkconfig) has inadvertently discarded umask for -creating grub.cfg in the process of running grub-mkconfig. The resulting -wrong permission (0644) would allow unprivileged users to read GRUB -configuration file content. This presents a low confidentiality risk -as grub.cfg may contain non-secured plain-text passwords. - -This patch restores the missing umask and sets the creation file mode -to 0600 preventing unprivileged access. - -Fixes: CVE-2021-3981 - -Signed-off-by: Michael Chang -Reviewed-by: Daniel Kiper ---- - util/grub-mkconfig.in | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index c3ea761..62335d0 100644 ---- a/util/grub-mkconfig.in -+++ b/util/grub-mkconfig.in -@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with - exit 1 - else - # none of the children aborted with error, install the new grub.cfg -+ oldumask=$(umask) -+ umask 077 - cat ${grub_cfg}.new > ${grub_cfg} -+ umask $oldumask - rm -f ${grub_cfg}.new - fi - fi --- -cgit v1.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-locale.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-locale.patch deleted file mode 100644 index 14706cbca3a..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-locale.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 5983c2c6adf1c1bbb3ecd751253d1e898bdfd8a3 Mon Sep 17 00:00:00 2001 -From: Michael Chang -Date: Tue, 26 Oct 2021 15:11:00 +0800 -Subject: templates: Filter out POSIX locale for translation - -The POSIX locale is default or native operating system's locale -identical to the C locale, so no translation to human speaking languages -are provided. For this reason we should filter out LANG=POSIX as well as -LANG=C upon generating grub.cfg to avoid looking up for it's gettext's -message catalogs that will consequently result in an unpleasant message: - - error: file `/boot/grub/locale/POSIX.gmo' not found - -Signed-off-by: Michael Chang -Reviewed-by: Daniel Kiper ---- - util/grub.d/00_header.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in -index 93a9023..f74c2a4 100644 ---- a/util/grub.d/00_header.in -+++ b/util/grub.d/00_header.in -@@ -191,7 +191,7 @@ EOF - EOF - - # Gettext variables and module --if [ "x${LANG}" != "xC" ] && [ "x${LANG}" != "x" ]; then -+if [ "x${LANG}" != "xC" ] && [ "x${LANG}" != "xPOSIX" ] && [ "x${LANG}" != "x" ]; then - cat << EOF - set locale_dir=\$prefix/locale - set lang=${grub_lang} --- -cgit v1.1 - -From f42266a8a2a4215e4ffe419b8092bdf9ced33e8e Mon Sep 17 00:00:00 2001 -From: Christian Hesse -Date: Mon, 19 Sep 2022 15:31:28 +0200 -Subject: templates: Filter C.UTF-8 locale for translation - -In addition to C locale there is also C.UTF-8 locale now. Filter that as -well, by using ${grub_lang}, which contains a stripped value. -This fixes the following message and resulting boot failure: - - error: file `/boot/grub/locale/C.gmo' not found. - -Signed-off-by: Christian Hesse -Reviewed-by: Daniel Kiper ---- - util/grub.d/00_header.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/grub.d/00_header.in b/util/grub.d/00_header.in -index f74c2a4..6a316a5 100644 ---- a/util/grub.d/00_header.in -+++ b/util/grub.d/00_header.in -@@ -191,7 +191,7 @@ EOF - EOF - - # Gettext variables and module --if [ "x${LANG}" != "xC" ] && [ "x${LANG}" != "xPOSIX" ] && [ "x${LANG}" != "x" ]; then -+if [ "x${grub_lang}" != "xC" ] && [ "x${LANG}" != "xPOSIX" ] && [ "x${LANG}" != "x" ]; then - cat << EOF - set locale_dir=\$prefix/locale - set lang=${grub_lang} --- -cgit v1.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-riscv.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-riscv.patch deleted file mode 100644 index 83c54375704..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.06-riscv.patch +++ /dev/null @@ -1,49 +0,0 @@ -https://bugs.gentoo.org/905785 - -From 049efdd72eb7baa7b2bf8884391ee7fe650da5a0 Mon Sep 17 00:00:00 2001 -From: Heinrich Schuchardt -Date: Sat, 29 Jan 2022 13:36:55 +0100 -Subject: RISC-V: Adjust -march flags for binutils 2.38 - -As of version 2.38 binutils defaults to ISA specification version -2019-12-13. This version of the specification has has separated the -the csr read/write (csrr*/csrw*) instructions and the fence.i from -the I extension and put them into separate Zicsr and Zifencei -extensions. - -This implies that we have to adjust the -march flag passed to the -compiler accordingly. - -Signed-off-by: Heinrich Schuchardt -Reviewed-by: Daniel Kiper ---- - configure.ac | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/configure.ac b/configure.ac -index 4f649ed..5c01af0 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -870,11 +870,19 @@ if test x"$platform" != xemu ; then - CFLAGS="$TARGET_CFLAGS -march=rv32imac -mabi=ilp32 -Werror" - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], - [grub_cv_target_cc_soft_float="-march=rv32imac -mabi=ilp32"], []) -+ # ISA spec version 20191213 factored out extensions Zicsr and Zifencei -+ CFLAGS="$TARGET_CFLAGS -march=rv32imac_zicsr_zifencei -mabi=ilp32 -Werror" -+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], -+ [grub_cv_target_cc_soft_float="-march=rv32imac_zicsr_zifencei -mabi=ilp32"], []) - fi - if test "x$target_cpu" = xriscv64; then - CFLAGS="$TARGET_CFLAGS -march=rv64imac -mabi=lp64 -Werror" - AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], - [grub_cv_target_cc_soft_float="-march=rv64imac -mabi=lp64"], []) -+ # ISA spec version 20191213 factored out extensions Zicsr and Zifencei -+ CFLAGS="$TARGET_CFLAGS -march=rv64imac_zicsr_zifencei -mabi=lp64 -Werror" -+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[]])], -+ [grub_cv_target_cc_soft_float="-march=rv64imac_zicsr_zifencei -mabi=lp64"], []) - fi - if test "x$target_cpu" = xia64; then - CFLAGS="$TARGET_CFLAGS -mno-inline-float-divide -mno-inline-sqrt -Werror" --- -cgit v1.1 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.12_rc1-util-grub.d-25_bli.in-fix-shebang-on-unmerged-usr.patch b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.12_rc1-util-grub.d-25_bli.in-fix-shebang-on-unmerged-usr.patch deleted file mode 100644 index 6c5096d35e7..00000000000 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/files/grub-2.12_rc1-util-grub.d-25_bli.in-fix-shebang-on-unmerged-usr.patch +++ /dev/null @@ -1,31 +0,0 @@ -From f827aac60d760a026db642b9d5c1ecbf587cfefc Mon Sep 17 00:00:00 2001 -From: Oskari Pirhonen -Date: Mon, 10 Jul 2023 23:55:43 -0500 -Subject: [PATCH] util/grub.d/25_bli.in: fix shebang on unmerged-usr - -On an unmerged-usr system, grub-mkconfig errors out with the following -error due to /usr/bin/sh not existing: - -/usr/sbin/grub-mkconfig: /etc/grub.d/25_bli: /usr/bin/sh: bad interpreter: No such file or directory - -Use a /bin/sh shebang to fix the error as well as match the other -existing files. - -Signed-off-by: Oskari Pirhonen ---- - util/grub.d/25_bli.in | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/util/grub.d/25_bli.in b/util/grub.d/25_bli.in -index 6e4538716..26e27a019 100644 ---- a/util/grub.d/25_bli.in -+++ b/util/grub.d/25_bli.in -@@ -1,4 +1,4 @@ --#!/usr/bin/sh -+#! /bin/sh - set -e - - # grub-mkconfig helper script. --- -2.41.0 - diff --git a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r7.ebuild b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild similarity index 96% rename from sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r7.ebuild rename to sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild index df7a8afb622..72140d4ab9b 100644 --- a/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r7.ebuild +++ b/sdk_container/src/third_party/coreos-overlay/sys-boot/grub/grub-2.06-r9.ebuild @@ -54,24 +54,21 @@ if [[ ${PV} != 9999 ]]; then " S=${WORKDIR}/${P%_*} fi - KEYWORDS="amd64 arm arm64 ~ia64 ppc ppc64 ~riscv sparc x86" + # Flatcar: Mark as stable for arm64. + KEYWORDS="amd64 ~arm arm64 ~ia64 ~ppc ~ppc64 ~riscv ~sparc x86" else inherit git-r3 EGIT_REPO_URI="https://git.savannah.gnu.org/git/grub.git" fi -SRC_URI+=" https://dev.gentoo.org/~floppym/dist/${P}-backports-r2.tar.xz" +SRC_URI+=" https://dev.gentoo.org/~floppym/dist/${P}-backports-r3.tar.xz" PATCHES=( "${WORKDIR}/${P}-backports" "${FILESDIR}"/gfxpayload.patch "${FILESDIR}"/grub-2.02_beta2-KERNEL_GLOBS.patch "${FILESDIR}"/grub-2.06-test-words.patch - "${FILESDIR}"/grub-2.06-grub-mkconfig-restore-umask.patch - "${FILESDIR}"/grub-2.06-gentpl.py-Remove-.interp-section-from-.img-files.patch - "${FILESDIR}"/grub-2.06-fs-ext2-ignore-checksum-seed.patch - "${FILESDIR}"/grub-2.06-riscv.patch - "${FILESDIR}"/grub-2.06-locale.patch + # Flatcar: Add our patches. "${FILESDIR}"/grub-2.06-add-verity-hash.patch "${FILESDIR}"/grub-2.06-add-gpt-partition-scheme.patch ) @@ -103,6 +100,7 @@ REQUIRED_USE=" grub_platforms_loongson? ( fonts ) " +# Flatcar: Add a dependency on aarch64 cross gcc for arm64 platform. BDEPEND=" ${PYTHON_DEPS} >=sys-devel/flex-2.5.35 @@ -216,6 +214,7 @@ grub_configure() { efi*) platform=efi ;; xen-pvh) platform=xen_pvh ;; xen*) platform=xen ;; + # Flatcar: Handle arm64 as efi platform arm64*) platform=efi ;; guessed) ;; *) platform=${MULTIBUILD_VARIANT} ;;