Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2021-03-05 16:52:16 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/grub2 (Old) and /work/SRC/openSUSE:Factory/.grub2.new.2378 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2" Fri Mar 5 16:52:16 2021 rev:236 rq:877254 version:2.04 Changes: -------- --- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2021-03-05 13:47:06.751722342 +0100 +++ /work/SRC/openSUSE:Factory/.grub2.new.2378/grub2.changes 2021-03-05 16:52:18.968447593 +0100 
@@ -2,70 +1,0 @@
-Fri Mar 5 09:41:07 UTC 2021 - Michael Chang <mch...@suse.com>
-
-- Fix chainloading windows on dual boot machine (bsc#1183073)
-  * 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
-
--------------------------------------------------------------------
-Fri Feb 26 06:52:18 UTC 2021 - Michael Chang <mch...@suse.com>
-
-- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
-  * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
-  * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
-  * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
-  * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
-  * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
-  * 0036-util-mkimage-Improve-data_size-value-calculation.patch
-  * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
-  * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
-  * 0039-grub-install-common-Add-sbat-option.patch
-- Fix CVE-2021-20225 (bsc#1182262)
-  * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
-- Fix CVE-2020-27749 (bsc#1179264)
-  * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
-  * 0025-kern-parser-Fix-a-memory-leak.patch
-  * 0026-kern-parser-Introduce-process_char-helper.patch
-  * 0027-kern-parser-Introduce-terminate_arg-helper.patch
-  * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
-  * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
-  * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
-- Fix CVE-2021-20233 (bsc#1182263)
-  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
-- Fix CVE-2020-25647 (bsc#1177883)
-  * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
-- Fix CVE-2020-25632 (bsc#1176711)
-  * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
-- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
-  * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
-  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
-  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
-  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
-  * 0005-efi-Add-secure-boot-detection.patch
-  * 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
-  * 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
-  * 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
-  * 0009-kern-Add-lockdown-support.patch
-  * 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
-  * 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
-  * 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
-  * 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
-  * 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
-  * 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
-  * 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
-  * 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
-  * 0018-gdb-Restrict-GDB-access-when-locked-down.patch
-  * 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
-  * 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
-  * 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
-  * 0042-squash-grub2-efi-chainload-harder.patch
-  * 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
-  * 0044-squash-kern-Add-lockdown-support.patch
-  * 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
-  * 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
-- Drop patch supersceded by the new backport
-  * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
-  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
-  * 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch
-- Add SBAT metadata section to grub.efi
-- Drop shim_lock module as it is part of core of grub.efi
-  * grub2.spec
-
-------------------------------------------------------------------- Old: ---- 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch 0005-efi-Add-secure-boot-detection.patch 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch 0007-verifiers-Move-verifiers-API-to-kernel-image.patch 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch 0009-kern-Add-lockdown-support.patch 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch 0018-gdb-Restrict-GDB-access-when-locked-down.patch 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch 0022-lib-arg-Block-repeated-short-options-that-require-an.patch 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch 0024-kern-parser-Fix-resource-leak-if-argc-0.patch 0025-kern-parser-Fix-a-memory-leak.patch 0026-kern-parser-Introduce-process_char-helper.patch 0027-kern-parser-Introduce-terminate_arg-helper.patch 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch 0029-kern-buffer-Add-variable-sized-heap-buffer.patch 0030-kern-parser-Fix-a-stack-buffer-overflow.patch 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch 
0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch 0036-util-mkimage-Improve-data_size-value-calculation.patch 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch 0039-grub-install-common-Add-sbat-option.patch 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch 0041-squash-Add-secureboot-support-on-efi-chainloader.patch 0042-squash-grub2-efi-chainload-harder.patch 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch 0044-squash-kern-Add-lockdown-support.patch 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch New: ---- 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ grub2.spec ++++++ --- /var/tmp/diff_new_pack.a566aa/_old 2021-03-05 16:52:21.180449663 +0100 +++ /var/tmp/diff_new_pack.a566aa/_new 2021-03-05 16:52:21.184449667 +0100 
@@ -321,12 +321,16 @@
 # overflows in initrd size handling
 Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714: 0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715: 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
 # bsc#1172745 L3: SLES 12 SP4 - Slow boot of system after updated kernel -
 # takes 45 minutes after grub to start loading kernel
 Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
 Patch719: 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+Patch720: 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
 Patch721: 0001-efi-linux-provide-linux-command.patch
 # Improve the error handling when grub2-install fails with short mbr gap
 # (bsc#1176062)
@@ -339,58 +343,11 @@
 Patch733: 0004-arm-arm64-loader-Better-memory-allocation-and-error-.patch
 Patch734: 0005-Make-linux_arm_kernel_header.hdr_offset-be-at-the-ri.patch
 Patch735: 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
+Patch736: 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch737: 0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch738: 0009-squash-Add-support-for-linuxefi.patch
 Patch739: 0001-Fix-build-error-in-binutils-2.36.patch
 Patch740: 0001-emu-fix-executable-stack-marking.patch
-# Boothole2
-Patch741: 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
-Patch742: 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
-Patch743: 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
-Patch744: 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
-Patch745: 0005-efi-Add-secure-boot-detection.patch
-Patch746: 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
-Patch747: 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
-Patch748: 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
-Patch749: 0009-kern-Add-lockdown-support.patch
-Patch750: 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
-Patch751: 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
-Patch752: 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
-Patch753: 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
-Patch754: 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
-Patch755: 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
-Patch756: 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
-Patch757: 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
-Patch758: 0018-gdb-Restrict-GDB-access-when-locked-down.patch
-Patch759: 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
-Patch760: 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
-Patch761: 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
-Patch762: 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
-Patch763: 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
-Patch764: 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
-Patch765: 0025-kern-parser-Fix-a-memory-leak.patch
-Patch766: 0026-kern-parser-Introduce-process_char-helper.patch
-Patch767: 0027-kern-parser-Introduce-terminate_arg-helper.patch
-Patch768: 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
-Patch769: 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
-Patch770: 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
-Patch771: 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
-Patch772: 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
-Patch773: 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
-Patch774: 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
-Patch775: 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
-Patch776: 0036-util-mkimage-Improve-data_size-value-calculation.patch
-Patch777: 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
-Patch778: 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
-Patch779: 0039-grub-install-common-Add-sbat-option.patch
-Patch780: 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
-Patch781: 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
-Patch782: 0042-squash-grub2-efi-chainload-harder.patch
-Patch783: 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
-Patch784: 0044-squash-kern-Add-lockdown-support.patch
-Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
-Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
-Patch787: 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
 
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -707,10 +664,12 @@
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
 %patch716 -p1
 %patch717 -p1
 %patch718 -p1
 %patch719 -p1
+%patch720 -p1
 %patch721 -p1
 %patch722 -p1
 %patch723 -p1
@@ -720,57 +679,11 @@
 %patch733 -p1
 %patch734 -p1
 %patch735 -p1
+%patch736 -p1
 %patch737 -p1
 %patch738 -p1
 %patch739 -p1
 %patch740 -p1
-%patch741 -p1
-%patch742 -p1
-%patch743 -p1
-%patch744 -p1
-%patch745 -p1
-%patch746 -p1
-%patch747 -p1
-%patch748 -p1
-%patch749 -p1
-%patch750 -p1
-%patch751 -p1
-%patch752 -p1
-%patch753 -p1
-%patch754 -p1
-%patch755 -p1
-%patch756 -p1
-%patch757 -p1
-%patch758 -p1
-%patch759 -p1
-%patch760 -p1
-%patch761 -p1
-%patch762 -p1
-%patch763 -p1
-%patch764 -p1
-%patch765 -p1
-%patch766 -p1
-%patch767 -p1
-%patch768 -p1
-%patch769 -p1
-%patch770 -p1
-%patch771 -p1
-%patch772 -p1
-%patch773 -p1
-%patch774 -p1
-%patch775 -p1
-%patch776 -p1
-%patch777 -p1
-%patch778 -p1
-%patch779 -p1
-%patch780 -p1
-%patch781 -p1
-%patch782 -p1
-%patch783 -p1
-%patch784 -p1
-%patch785 -p1
-%patch786 -p1
-%patch787 -p1
 
 %build
 # collect evidence to debug spurious build failure on SLE15
@@ -876,30 +789,16 @@
 CRYPTO_MODULES="luks gcry_rijndael gcry_sha1 gcry_sha256"
 %ifarch x86_64
-CD_MODULES="${CD_MODULES} linuxefi"
+CD_MODULES="${CD_MODULES} shim_lock linuxefi"
 %else
 CD_MODULES="${CD_MODULES} linux"
 %endif
-# SBAT metadata
-%if 0%{?is_opensuse} == 1
-distro_id="opensuse"
-distro_name="The openSUSE Project"
-%else
-distro_id="sle"
-distro_name="SUSE Linux Enterprise"
-%endif
-upstream_sbat=1
-distro_sbat=1
-echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" > sbat.csv
-echo "grub,${upstream_sbat},Free Software Foundation,grub,%{version},https://www.gnu.org/software/grub/" >> sbat.csv
-echo "grub.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-t...@suse.de" >> sbat.csv
-
 GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} ${CRYPTO_MODULES} mdraid09 mdraid1x lvm serial"
-./grub-mkimage -O %{grubefiarch} -o grub.efi --prefix= --sbat sbat.csv \
+./grub-mkimage -O %{grubefiarch} -o grub.efi --prefix= \
     -d grub-core ${GRUB_MODULES}
 %ifarch x86_64
-./grub-mkimage -O %{grubefiarch} -o grub-tpm.efi --prefix= --sbat sbat.csv \
+./grub-mkimage -O %{grubefiarch} -o grub-tpm.efi --prefix= \
     -d grub-core ${GRUB_MODULES} tpm
 %endif
++++++ 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++
>From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Mon, 17 Aug 2020 17:09:01 +0800
Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.

If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This version of the patch skips calling verification, when booted without secureboot. CVE-2020-15705

Reported-by: Mathieu Trudel-Lapierre <cypher...@ubuntu.com>
Also-by: Dimitri John Ledkov <x...@ubuntu.com>
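Review bot: The two grub-mkimage lines in this hunk lose `--sbat sbat.csv` and the sbat.csv generation above them is deleted, so grub.efi and grub-tpm.efi built from this spec carry no SBAT section, yet nothing in the spec or in grub2.changes records that this is an intentional back-out — the grub2.changes hunk only deletes the two earlier entries. Shim uses that section to revoke vulnerable GRUB builds, so a spec comment at the grub-mkimage call, or a grub2.changes entry naming the reverted request and the reason, would keep the decision traceable for the next submitter. Re-adding `shim_lock` to CD_MODULES is consistent with the restored linuxefi patch further down, which looks the module up by name with `grub_dl_get ("shim_lock")`.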
Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 61b2d5177..8017e8c05 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
       goto fail;
     }
 
+  if (grub_efi_secure_boot())
+    {
+      grub_dl_t mod;
+
+      mod = grub_dl_get ("shim_lock");
+      if (!mod)
+        {
+          grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not loaded"));
+          goto fail;
+        }
+      if (!grub_dl_is_persistent (mod))
+        {
+          grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));
+          goto fail;
+        }
+    }
+
   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
   if (! file)
     goto fail;
-- 
2.26.2
++++++ 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch ++++++
>From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Thu, 27 Aug 2020 13:18:25 +0800
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure boot off

The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot status that will cause error [1] on loading external grub modules if secure boot turned off in which shim protocol itself did not verify images so should not request verification for external modules either. This patch fixed the problem by adding the secure boot status check before requesting other verifiers to verify external module, therefore external module loading can work after shim_lock module loaded and secure boot turned off. [1] error: verification requested but nobody cares: (hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.

Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/commands/efi/shim_lock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
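Review bot: The new Secure Boot guard in grub_cmd_linux treats `grub_dl_is_persistent (mod)` as proof that the shim_lock protocol is present, but nothing in the code says why, and the two error strings are the only hint; grub_cmd_linux itself starts and ends outside this hunk. A comment above the block would save the next reader a detour into shim_lock.c, e.g. `/* Under Secure Boot the kernel must be verified by shim. The shim_lock module marks itself persistent only after it has located the shim protocol, so a loaded but non-persistent module means no verifier is registered. */` — please confirm that reading against shim_lock's module init before landing it. The same comment should say that this block only checks that a verifier exists; the signature check itself presumably happens inside the `grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL)` call on the next line, via the verifier registered for that file type.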
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
index 764098cfc..18d121297 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
     case GRUB_FILE_TYPE_ACPI_TABLE:
     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+      if (grub_efi_secure_boot())
+        *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
       return GRUB_ERR_NONE;
-- 
2.26.2
++++++ 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++
>From 496890ebd2605eb1ff15f8d96c30b5d617f1bb85 Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Fri, 6 Nov 2020 11:19:06 +0000
Subject: [PATCH 7/9] linuxefi: fail kernel validation without shim protocol.

If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This version of the patch skips calling verification, when booted without secureboot. And is indented with gnu ident. CVE-2020-15705

Reported-by: Mathieu Trudel-Lapierre <cypher...@ubuntu.com>
Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/loader/arm64/efi/linux.c | 38 +++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/grub-core/loader/arm64/efi/linux.c b/grub-core/loader/arm64/efi/linux.c
index a4041be5c..0e5782caa 100644
--- a/grub-core/loader/arm64/efi/linux.c
+++ b/grub-core/loader/arm64/efi/linux.c
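Review bot: With Secure Boot off the new `if` leaves `*flags` untouched for module, ACPI-table and device-tree files, and nothing in the code says why; the rest of shim_lock_init, including whatever the caller initialised `*flags` to, is outside the hunk. A comment on the new line would make the intent visible: `/* Without Secure Boot shim did not verify us either, so do not defer these files to other verifiers; with none registered the load would fail with "verification requested but nobody cares". */`. Note also that grub_efi_secure_boot () is now evaluated on every file of these types rather than once at module init; whether that is cheap depends on what it reads, which is not shown here, so caching the result at init may be worth considering if it goes to EFI variables each time.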
@@ -58,21 +58,35 @@ struct grub_efi_shim_lock
 };
 typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
 
-static grub_efi_boolean_t
+// Returns 1 on success, -1 on error, 0 when not available
+static int
 grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
 {
   grub_efi_guid_t guid = SHIM_LOCK_GUID;
   grub_efi_shim_lock_t *shim_lock;
+  grub_efi_status_t status;
 
   shim_lock = grub_efi_locate_protocol(&guid, NULL);
-
+  grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
   if (!shim_lock)
-    return 1;
+    {
+      grub_dprintf ("secureboot", "shim not available\n");
+      return 0;
+    }
 
-  if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
-    return 1;
+  grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
+  status = shim_lock->verify (data, size);
+  grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
+  if (status == GRUB_EFI_SUCCESS)
+    {
+      grub_dprintf ("secureboot", "Kernel signature verification passed\n");
+      return 1;
+    }
 
-  return 0;
+  grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
+                (unsigned long) status);
+
+  return -1;
 }
 
 #pragma GCC diagnostic push
@@ -399,6 +413,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   struct linux_arch_kernel_header lh;
   struct grub_armxx_linux_pe_header *pe;
   grub_err_t err;
+  int rc;
 
   grub_dl_ref (my_mod);
 
@@ -443,10 +458,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
-  if (!grub_linuxefi_secure_validate (kernel_addr, kernel_size))
+  if (grub_efi_secure_boot ())
     {
-      grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
-      goto fail;
+      rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
+      if (rc <= 0)
+        {
+          grub_error (GRUB_ERR_INVALID_COMMAND,
+                      N_("%s has invalid signature"), argv[0]);
+          goto fail;
+        }
     }
 
   pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
-- 
2.26.2
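Review bot: The header comment added above grub_linuxefi_secure_validate in the first hunk uses a `//` line comment while the rest of this file and GRUB generally use `/* */` blocks, and it lists the return codes without saying what a caller should do with 0. Prefer `/* Return 1 if shim verified DATA, -1 if shim rejected it, and 0 if the shim_lock protocol is not present; the caller decides whether 0 is acceptable. */`. Also `grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);` prints the status as signed decimal while the failure message a few lines later prints it as `0x%lx`; using the hex form in both keeps EFI status codes recognisable in the debug log.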
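Review bot: `if (rc <= 0)` in the last hunk folds "shim_lock protocol not present" (rc == 0) into the "%s has invalid signature" error, so on a Secure Boot machine booted without shim the user is told the kernel is badly signed when no verification ran at all; the i386 counterpart in 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch reports that case as GRUB_ERR_ACCESS_DENIED "shim_lock protocol is not available". Splitting the two return codes keeps the fail-closed behaviour and aligns the diagnostics across architectures. grub_cmd_linux continues on both sides of this hunk.
```c
  if (grub_efi_secure_boot ())
    {
      rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
      /* 0: shim_lock protocol absent; -1: shim rejected the image.  */
      if (rc == 0)
        {
          grub_error (GRUB_ERR_ACCESS_DENIED,
                      N_("shim_lock protocol is not available"));
          goto fail;
        }
      if (rc < 0)
        {
          grub_error (GRUB_ERR_INVALID_COMMAND,
                      N_("%s has invalid signature"), argv[0]);
          goto fail;
        }
    }
```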