starlingx/integ
Code Issues Proposed changes
38d40be950
integ/grub/grub-efi/debian/patches/0013-chainloader-handle-the-unauthenticated-image-by-shim.patch
Li Zhou 48a2e836ff Debian: grub-efi: porting from LAT 
This is done for moving packages that are related to secure boot
out of LAT and into integ.

Use grub version: 2.06-1 .

Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.

This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.

Test Plan:
 The tests are done with all the changes for this porting,
 which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
 they are in a chain for secure boot verification.
 - PASS: secure boot OK on qemu.
 - PASS: secure boot OK on PowerEdge R430 lab.
 - PASS: secure boot NG on qemu/hardware when shim/grub-efi images
         are without the right signatures.

Story: 2009221
Task: 46402

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
2022-10-08 21:50:14 -04:00

33 lines
1.2 KiB
Diff
Raw Blame History

From d06de03facd9a330a2085450abeecb1b7e637f9c Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Sun, 24 Apr 2016 12:58:10 +0800
Subject: [PATCH] chainloader: handle the unauthenticated image by shim
Upstream-Status: Pending
EFI_ACCESS_DENIED is another case whenever an unauthenticated image is loaded
by UEFI LoadImage() boot service. Shim verification protocol should handle
this case as EFI_SECURITY_VIOLATION.
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
grub-core/loader/efi/chainloader.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index 285271d..9ff4faf 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -933,7 +933,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
/* try with shim */
- else if (status == GRUB_EFI_SECURITY_VIOLATION)
+ else if ((status == GRUB_EFI_ACCESS_DENIED) || (status == GRUB_EFI_SECURITY_VIOLATION))
{
status = grub_shim_load_image (address, size, &context);
if (status != GRUB_EFI_SUCCESS)
--
2.17.1
View Git Blame Copy Permalink