48a2e836ff
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use grub version: 2.06-1 .
Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.
This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
70 lines
2.1 KiB
Diff
70 lines
2.1 KiB
Diff
From 038c21e7a7609340734d044482f24fee7f9f7a8f Mon Sep 17 00:00:00 2001
|
|
From: Jason Wessel <jason.wessel@windriver.com>
|
|
Date: Thu, 17 Oct 2019 12:35:01 -0700
|
|
Subject: [PATCH] grub shim verify: Report that the loaded object is verified
|
|
|
|
When check_signatures is set to enforcing, the signatures of the
|
|
loaded files have been checked, so the shim service should be informed
|
|
that it is ok to execute the loaded file.
|
|
|
|
Upstream-Status: Inappropriate
|
|
|
|
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
---
|
|
grub-core/loader/i386/linux.c | 25 +++++++++++++++++++++++++
|
|
1 file changed, 25 insertions(+)
|
|
|
|
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
|
index 747cfe0..87469e7 100644
|
|
--- a/grub-core/loader/i386/linux.c
|
|
+++ b/grub-core/loader/i386/linux.c
|
|
@@ -21,6 +21,10 @@
|
|
#include <grub/normal.h>
|
|
#include <grub/file.h>
|
|
#include <grub/disk.h>
|
|
+#include <grub/efi/api.h>
|
|
+#include <grub/efi/efi.h>
|
|
+#include <grub/efi/disk.h>
|
|
+#include <grub/efi/shim.h>
|
|
#include <grub/err.h>
|
|
#include <grub/misc.h>
|
|
#include <grub/types.h>
|
|
@@ -647,6 +651,23 @@ grub_linux_unload (void)
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
|
|
+static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
|
|
+
|
|
+static grub_efi_status_t
|
|
+grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
|
|
+{
|
|
+ struct grub_shim_lock *shim_lock;
|
|
+ shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
|
|
+ if (!shim_lock)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
|
|
+ return GRUB_EFI_UNSUPPORTED;
|
|
+ }
|
|
+
|
|
+ shim_lock->verify((void *) addr, size);
|
|
+ return GRUB_ERR_NONE;
|
|
+}
|
|
+
|
|
static grub_err_t
|
|
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
int argc, char *argv[])
|
|
@@ -680,6 +701,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
argv[0]);
|
|
goto fail;
|
|
}
|
|
+ const char *ge_val = grub_env_get ("check_signatures");
|
|
+ if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
|
|
+ /* Verify was handled by .sig files, inform shim */
|
|
+ grub_shim_verify((grub_addr_t)&lh, sizeof(lh));
|
|
|
|
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
|
|
{
|
|
--
|
|
2.17.1
|
|
|