authorDmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>2019-09-04 10:23:51 +0300
committerDmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>2019-09-04 12:01:45 +0300
commit26ced755f525311d102e95adbc3a36072c62ce00 (patch)
treefe1ee74a0284caf7a8fe876568b67a376c90feb5
parent99ec1bedbbb23252f824137b1a5017275d9467fe (diff)
grub-efi: support mok2 verify in multiboot2 protocol
Add support for verifying PKCS#7 signatures via the MOK2 protocol to the multiboot2 command, enabling one to load multiboot-capable kernels. Signed-off-by: Dmitry Eremin-Solenikov <dmitry_eremin-solenikov@mentor.com>
-rw-r--r--meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc1
-rw-r--r--meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch54
2 files changed, 55 insertions, 0 deletions
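--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
 file://efi-chainloader-implemented-for-32-bit.patch \
 file://Grub-get-and-set-efi-variables.patch \
 file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+file://mok2verify-multiboot.patch \
 file://grub-efi.cfg \
 file://boot-menu.inc \
 ${EXTRA_SRC_URI} \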
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch
new file mode 100644
index 0000000..eebc3f1
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch
@@ -0,0 +1,54 @@
1Index: grub-2.02/grub-core/loader/multiboot.c
2===================================================================
3--- grub-2.02.orig/grub-core/loader/multiboot.c
4+++ grub-2.02/grub-core/loader/multiboot.c
5@@ -47,6 +47,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
6
7 #ifdef GRUB_MACHINE_EFI
8 #include <grub/efi/efi.h>
9+#include <grub/efi/mok2verify.h>
10 #endif
11
12 struct grub_relocator *GRUB_MULTIBOOT (relocator) = NULL;
13@@ -325,6 +326,20 @@ grub_cmd_multiboot (grub_command_t cmd _
14 if (! file)
15 return grub_errno;
16
17+#if GRUB_MACHINE_EFI
18+ err = grub_verify_file (argv[0]);
19+ if (err != GRUB_ERR_NONE)
20+ {
21+ grub_error(err, N_("Failed to verify module %s"), argv[0]);
22+
23+ /* An unauthenticated module always causes a complete boot failure. */
24+ if (grub_is_secured () == 1)
25+ grub_loader_unset();
26+
27+ return err;
28+ }
29+#endif
30+
31 grub_dl_ref (my_mod);
32
33 /* Skip filename. */
34@@ -379,6 +394,20 @@ grub_cmd_module (grub_command_t cmd __at
35 if (! file)
36 return grub_errno;
37
38+#if GRUB_MACHINE_EFI
39+ err = grub_verify_file (argv[0]);
40+ if (err != GRUB_ERR_NONE)
41+ {
42+ grub_error(err, N_("Failed to verify module %s"), argv[0]);
43+
44+ /* An unauthenticated module always causes a complete boot failure. */
45+ if (grub_is_secured () == 1)
46+ grub_loader_unset();
47+
48+ return err;
49+ }
50+#endif
51+
52 #ifndef GRUB_USE_MULTIBOOT2
53 lowest_addr = 0x100000;
54 if (grub_multiboot_quirks & GRUB_MULTIBOOT_QUIRK_MODULES_AFTER_KERNEL)
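Review bot: Both added blocks `return err;` on verification failure while `file` is still open (the `if (! file) return grub_errno;` context directly above each block shows the open has just succeeded), so a rejected kernel or module leaks the file handle; add `grub_file_close (file);` before each `return err;` rather than jumping to the functions' later cleanup, which sits outside the hunks and may assume state set up after this point. The guard `#if GRUB_MACHINE_EFI` is inconsistent with the `#ifdef GRUB_MACHINE_EFI` used for the include in the first hunk; `#ifdef` is the safer form should the macro ever be defined without a value. `grub_verify_file` is passed the path rather than the open `file`, so, presumably, the bytes it verifies and the bytes the already-open handle later delivers to the loader come from two separate opens of argv[0] — acceptable on local boot media, but worth stating with a comment such as `/* Verifies by path: the open handle is not the verified stream. */`. In the `grub_cmd_multiboot` hunk the message `N_("Failed to verify module %s")` and the copied comment refer to a module although argv[0] is the kernel there; `N_("Failed to verify kernel %s")` would read correctly. Both enclosing functions start and end outside the hunks.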