You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
81 lines
3.1 KiB
81 lines
3.1 KiB
1 month ago
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
|
||
|
Date: Fri, 4 Mar 2022 09:31:43 +0100
|
||
|
Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate
|
||
|
chainloader twice
|
||
|
|
||
|
On secureboot systems, with shimlock verifier, call to
|
||
|
grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
|
||
|
pass the chainloader target through shim-lock protocol verify
|
||
|
call. And create a TPM measurement. If verification fails,
|
||
|
grub_cmd_chainloader will fail at file open time.
|
||
|
|
||
|
This makes previous code paths for negative, and zero return codes
|
||
|
from grub_linuxefi_secure_validate unreachable under secureboot. But
|
||
|
also breaking measurements compatibility with 2.04+linuxefi codebases,
|
||
|
as the chainloader file is passed through shim_lock->verify() twice
|
||
|
(via verifier & direct call to grub_linuxefi_secure_validate)
|
||
|
extending the PCRs twice.
|
||
|
|
||
|
This reduces grub_loader options to perform
|
||
|
grub_secureboot_chainloader when secureboot is on, and otherwise
|
||
|
attempt grub_chainloader_boot.
|
||
|
|
||
|
It means that booting with secureboot off, yet still with shim (which
|
||
|
always verifies things successfully), will stop choosing
|
||
|
grub_secureboot_chainloader, and opting for a more regular
|
||
|
loadimage/startimage codepath. If we want to use the
|
||
|
grub_secureboot_chainloader codepath in such scenarios we should adapt
|
||
|
the code to simply check for shim_lock protocol presence /
|
||
|
shim_lock->context() success?! But I am not sure if that is necessary.
|
||
|
|
||
|
This patch must not be ported to older editions of grub code bases
|
||
|
that do not have verifiers framework, or it is not builtin, or
|
||
|
shim-lock-verifier is an optional module.
|
||
|
|
||
|
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
|
||
|
---
|
||
|
grub-core/loader/efi/chainloader.c | 8 ++------
|
||
|
1 file changed, 2 insertions(+), 6 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||
|
index 3af6b12292..644cd2e56f 100644
|
||
|
--- a/grub-core/loader/efi/chainloader.c
|
||
|
+++ b/grub-core/loader/efi/chainloader.c
|
||
|
@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
grub_efi_device_path_t *dp = 0;
|
||
|
char *filename;
|
||
|
void *boot_image = 0;
|
||
|
- int rc;
|
||
|
|
||
|
if (argc == 0)
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||
|
@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
orig_dev = 0;
|
||
|
}
|
||
|
|
||
|
- rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);
|
||
|
- grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
|
||
|
- if (rc > 0)
|
||
|
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
|
||
|
{
|
||
|
grub_file_close (file);
|
||
|
grub_device_close (dev);
|
||
|
@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
grub_secureboot_chainloader_unload, 0);
|
||
|
return 0;
|
||
|
}
|
||
|
- else if (rc == 0)
|
||
|
+ else
|
||
|
{
|
||
|
grub_load_and_start_image(boot_image);
|
||
|
grub_file_close (file);
|
||
|
@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
|
||
|
return 0;
|
||
|
}
|
||
|
- // -1 fall-through to fail
|
||
|
|
||
|
fail:
|
||
|
if (orig_dev)
|