48a2e836ff
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use grub version: 2.06-1 .
Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.
This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
49 lines
1.6 KiB
Diff
49 lines
1.6 KiB
Diff
From 7ed6b7cbdc5f0721a7f6e89e601ad1b8c2cff267 Mon Sep 17 00:00:00 2001
|
|
From: Yi Zhao <yi.zhao@windriver.com>
|
|
Date: Wed, 7 Apr 2021 11:00:37 +0800
|
|
Subject: [PATCH] Disable inside lockdown and shim_lock verifiers
|
|
|
|
The lockdown support[1] and secure boot detection[2] have been added to
|
|
grub 2.06. These verifiers are registered when UEFI Secure Boot is
|
|
enabled. Unfortunately, they conflict with the current MOK2 Verify
|
|
mechanism. So disable them when enable SELoader.
|
|
|
|
Fixes grub error:
|
|
error: failed to verify kernel /bzImage
|
|
|
|
[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
|
|
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
|
|
|
|
Upstream-Status: Inappropriate [embedded specific]
|
|
|
|
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
|
[lz: Adapt git log.]
|
|
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
|
---
|
|
grub-core/kern/efi/init.c | 2 ++
|
|
1 file changed, 2 insertions(+)
|
|
|
|
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
|
|
index 4a88397..e512a8e 100644
|
|
--- a/grub-core/kern/efi/init.c
|
|
+++ b/grub-core/kern/efi/init.c
|
|
@@ -159,6 +159,7 @@ grub_efi_init (void)
|
|
/* Initialize the memory management system. */
|
|
grub_efi_mm_init ();
|
|
|
|
+#if 0
|
|
/*
|
|
* Lockdown the GRUB and register the shim_lock verifier
|
|
* if the UEFI Secure Boot is enabled.
|
|
@@ -168,6 +169,7 @@ grub_efi_init (void)
|
|
grub_lockdown ();
|
|
grub_shim_lock_verifier_setup ();
|
|
}
|
|
+#endif
|
|
|
|
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
|
|
0, 0, 0, NULL);
|
|
--
|
|
2.17.1
|
|
|