[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH v3 2/2] efi: Fallback to legacy mode if shim is loaded on x86 arc
|
From: |
Daniel Kiper |
|
Subject: |
[PATCH v3 2/2] efi: Fallback to legacy mode if shim is loaded on x86 archs |
|
Date: |
Fri, 30 Jun 2023 16:02:15 +0200 |
The LoadImage() provided by the shim does not consult MOK when loading
an image. So, simply signature verification fails when it should not.
This means we cannot use Linux EFI stub to start the kernel when the
shim is loaded. We have to fallback to legacy mode on x86 architectures.
This is not possible on other architectures due to lack of legacy mode.
This is workaround which should disappear when the shim provides
LoadImage() which looks up MOK during signature verification.
On the occasion align constants in include/grub/efi/sb.h.
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/sb.c | 10 ++++++++++
grub-core/loader/efi/linux.c | 17 +++++++++++++++++
include/grub/efi/sb.h | 5 ++++-
3 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 80cfa0888..60550a6da 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -32,6 +32,8 @@
static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static bool shim_lock_enabled = false;
+
/*
* Determine whether we're in secure boot mode.
*
@@ -215,6 +217,14 @@ grub_shim_lock_verifier_setup (void)
/* Enforce shim_lock_verifier. */
grub_verifier_register (&shim_lock_verifier);
+ shim_lock_enabled = true;
+
grub_env_set ("shim_lock", "y");
grub_env_export ("shim_lock");
}
+
+bool
+grub_is_shim_lock_enabled (void)
+{
+ return shim_lock_enabled;
+}
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index c1eef7c98..fb4d12e3f 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -29,6 +29,7 @@
#include <grub/efi/fdtload.h>
#include <grub/efi/memory.h>
#include <grub/efi/pe32.h>
+#include <grub/efi/sb.h>
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
#include <grub/verify.h>
@@ -458,6 +459,22 @@ grub_cmd_linux (grub_command_t cmd __attribute__
((unused)),
grub_dl_ref (my_mod);
+ if (grub_is_shim_lock_enabled () == true)
+ {
+#if defined(__i386__) || defined(__x86_64__)
+ grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux
kernel loader\n");
+
+ err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
+
+ if (err == GRUB_ERR_NONE)
+ return GRUB_ERR_NONE;
+ else
+ goto fail;
+#else
+ grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub
loader\n");
+#endif
+ }
+
if (argc == 0)
{
grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 30c4335bb..49a9ad01c 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -22,7 +22,7 @@
#include <grub/types.h>
#include <grub/dl.h>
-#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
+#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
#define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN 1
#define GRUB_EFI_SECUREBOOT_MODE_DISABLED 2
#define GRUB_EFI_SECUREBOOT_MODE_ENABLED 3
@@ -31,6 +31,9 @@
extern grub_uint8_t
EXPORT_FUNC (grub_efi_get_secureboot) (void);
+extern bool
+EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
+
extern void
grub_shim_lock_verifier_setup (void);
#else
--
2.11.0