grub-efi: carry forward mok2verify to grub-2.02

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

2 files changed, 156 insertions, 76 deletions

diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
index b5a0a52..a10b77f 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
@@ -1,6 +1,6 @@
-From 46873e2c5514bf6460a2f0f39ad8f8feb8f18f68 Mon Sep 17 00:00:00 2001
+From 00fd7457c9d907800587e93f87fc5b6de68ba49e Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
-Date: Thu, 16 Mar 2017 14:49:41 +0800
+Date: Wed, 12 Jul 2017 16:02:13 +0800
 Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7
  signature
 
@@ -27,22 +27,23 @@ Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
  grub-core/Makefile.core.def    |   6 ++
  grub-core/commands/boot.c      |  14 +++-
- grub-core/gfxmenu/gui_label.c  |  39 ++++++++--
- grub-core/lib/efi/mok2verify.c | 172 +++++++++++++++++++++++++++++++++++++++++
- grub-core/loader/i386/linux.c  |  80 +++++++++++++++++++
- grub-core/normal/main.c        |  55 ++++++++++++-
- grub-core/normal/menu.c        |  29 +++++--
- grub-core/normal/menu_text.c   |  32 ++++++--
- include/grub/efi/mok2verify.h  |  48 ++++++++++++
- 9 files changed, 447 insertions(+), 28 deletions(-)
+ grub-core/gfxmenu/gui_label.c  |  39 +++++++--
+ grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/loader/i386/linux.c  |  60 ++++++++++++++
+ grub-core/loader/linux.c       |  27 +++++-
+ grub-core/normal/main.c        |  62 +++++++++++++-
+ grub-core/normal/menu.c        |  31 +++++--
+ grub-core/normal/menu_text.c   |  33 ++++++--
+ include/grub/efi/mok2verify.h  |  48 +++++++++++
+ 10 files changed, 472 insertions(+), 30 deletions(-)
  create mode 100644 grub-core/lib/efi/mok2verify.c
  create mode 100644 include/grub/efi/mok2verify.h
 
 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index e9e1483..8e72251 100644
+index a82c1f3..76b3c7d 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -1434,6 +1434,12 @@ module = {
+@@ -1754,6 +1754,12 @@ module = {
  };
  
  module = {
@@ -56,7 +57,7 @@ index e9e1483..8e72251 100644
    common = mmap/mmap.c;
    x86 = mmap/i386/uppermem.c;
 diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
-index 91ec87d..5cddbb6 100644
+index bbca81e..3f44a7e 100644
 --- a/grub-core/commands/boot.c
 +++ b/grub-core/commands/boot.c
 @@ -24,6 +24,9 @@
@@ -82,26 +83,26 @@ index 91ec87d..5cddbb6 100644
 +                          N_("you need to load the authenticated boot components"));
 +#endif
 +      return grub_error (GRUB_ERR_NO_KERNEL,
-+                        N_("you need to load the kernel first"));
++                        N_("you need to load the kernel first"));
 +    }
  
-   if (grub_loader_flags & GRUB_LOADER_FLAG_NORETURN)
-     grub_machine_fini ();
+   grub_machine_fini (grub_loader_flags);
+ 
 diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
-index 637578f..84bf7d4 100644
+index a4c8178..da49c9e 100644
 --- a/grub-core/gfxmenu/gui_label.c
 +++ b/grub-core/gfxmenu/gui_label.c
-@@ -23,6 +23,9 @@
- #include <grub/font.h>
+@@ -24,6 +24,9 @@
  #include <grub/gui_string_util.h>
  #include <grub/i18n.h>
+ #include <grub/color.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
  
  static const char *align_options[] =
  {
-@@ -180,15 +183,37 @@ label_set_property (void *vself, const char *name, const char *value)
+@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value)
        else
         {
            if (grub_strcmp (value, "@KEYMAP_LONG@") == 0)
@@ -148,10 +149,10 @@ index 637578f..84bf7d4 100644
           self->text = grub_xasprintf (value, self->value);
 diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
 new file mode 100644
-index 0000000..2e48ef9
+index 0000000..3865661
 --- /dev/null
 +++ b/grub-core/lib/efi/mok2verify.c
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,182 @@
 +/* mok2verify.c - MOK2 Verify Protocol support
 + *
 + * BSD 2-clause "Simplified" License
@@ -195,10 +196,8 @@ index 0000000..2e48ef9
 +
 +GRUB_MOD_LICENSE ("GPLv2+");
 +
-+#define EFI_MOK2_VERIFY_PROTOCOL_GUID  \
-+  { 0x4eda73ad, 0x07aa, 0x4b7a, \
-+    { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 } \
-+  }
++#define EFI_MOK2_VERIFY_PROTOCOL_GUID \
++  { 0x4eda73ad, 0x07aa, 0x4b7a, { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 }}
 +
 +typedef struct efi_mok2_verify_protocol efi_mok2_verify_protocol_t;
 +
@@ -229,19 +228,27 @@ index 0000000..2e48ef9
 +int
 +grub_is_secured (void)
 +{
-+  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
-+  void *efi_var;
-+  grub_size_t efi_var_size = 0;
++  grub_efi_guid_t global_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++  void *var;
++  grub_size_t var_size = 0;
 +  int secured = 0;
 +
-+  efi_var = grub_efi_get_variable ("SecureBoot", &global, &efi_var_size);
-+  if (!efi_var)
++  var = grub_efi_get_variable ("SecureBoot", &global_guid, &var_size);
++  if (!var)
 +    return grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
 +
-+  if (efi_var_size == 1 && *(grub_uint8_t *) efi_var == 1)
++  if (var_size != 1 || *(grub_uint8_t *) var != 1)
++    goto out;
++
++  grub_free (var);
++
++  var = grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid,
++                              &var_size);
++  if (!var || (var_size == 1 && *(grub_uint8_t *) var == 0))
 +    secured = 1;
 +
-+  grub_free (efi_var);
++out:
++  grub_free (var);
 +
 +  return secured;
 +}
@@ -258,6 +265,8 @@ index 0000000..2e48ef9
 +  return ! grub_is_unlockable () && grub_is_secured ();
 +}
 +
++#pragma GCC diagnostic ignored "-Wvla"
++
 +grub_err_t
 +grub_verify_file (const char *path)
 +{
@@ -324,21 +333,23 @@ index 0000000..2e48ef9
 +
 +  return GRUB_ERR_NONE;
 +}
++
++#pragma GCC diagnostic error "-Wvla"
 diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
-index e2425c8..5a12444 100644
+index 083f941..486e420 100644
 --- a/grub-core/loader/i386/linux.c
 +++ b/grub-core/loader/i386/linux.c
-@@ -34,6 +34,9 @@
- #include <grub/i386/relocator.h>
+@@ -35,6 +35,9 @@
  #include <grub/i18n.h>
  #include <grub/lib/cmdline.h>
+ #include <grub/linux.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -664,6 +667,55 @@ grub_linux_unload (void)
+@@ -673,6 +676,55 @@ grub_linux_unload (void)
    return GRUB_ERR_NONE;
  }
  
@@ -394,7 +405,7 @@ index e2425c8..5a12444 100644
  static grub_err_t
  grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
                 int argc, char *argv[])
-@@ -687,6 +739,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+@@ -695,6 +747,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
        goto fail;
      }
  
@@ -404,9 +415,43 @@ index e2425c8..5a12444 100644
    file = grub_file_open (argv[0]);
    if (! file)
      goto fail;
-@@ -1132,6 +1187,26 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
-                        argv[i]);
-          goto fail;
+@@ -1132,6 +1187,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+  fail:
+   grub_initrd_close (&initrd_ctx);
+ 
++#ifdef GRUB_MACHINE_EFI
++  /* An unauthenticated initrd always causes a complete boot failure. */
++  if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
++    grub_loader_unset();
++#endif
+   return grub_errno;
+ }
+ 
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index be6fa0f..edc6d24 100644
+--- a/grub-core/loader/linux.c
++++ b/grub-core/loader/linux.c
+@@ -4,6 +4,9 @@
+ #include <grub/misc.h>
+ #include <grub/file.h>
+ #include <grub/mm.h>
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/mok2verify.h>
++#endif
+ 
+ struct newc_head
+ {
+@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+   int newc = 0;
+   struct dir *root = 0;
+   grub_ssize_t cursize = 0;
++  grub_err_t err;
+ 
+   for (i = 0; i < initrd_ctx->nfiles; i++)
+     {
+@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+          grub_initrd_close (initrd_ctx);
+          return grub_errno;
         }
 +
 +#ifdef GRUB_MACHINE_EFI
@@ -427,40 +472,55 @@ index e2425c8..5a12444 100644
 +         goto fail;
 +       }
 +#endif
-+
        ptr += cursize;
-       grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
+     }
+   if (newc)
+@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
        ptr += ALIGN_UP_OVERHEAD (cursize, 4);
-@@ -1149,6 +1224,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
-     grub_file_close (files[i]);
-   grub_free (files);
- 
-+#ifdef GRUB_MACHINE_EFI
-+  /* An unauthenticated initrd always causes a complete boot failure. */
-+  if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
-+    grub_loader_unset();
-+#endif
-   return grub_errno;
+       ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
+     }
++
++fail:
+   free_dir (root);
+   root = 0;
+-  return GRUB_ERR_NONE;
++  return err;
  }
- 
 diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 13473ec..f11ce2a 100644
+index 78a70a8..1058c97 100644
 --- a/grub-core/normal/main.c
 +++ b/grub-core/normal/main.c
-@@ -32,6 +32,9 @@
- #include <grub/i18n.h>
+@@ -33,6 +33,9 @@
  #include <grub/charset.h>
  #include <grub/script_sh.h>
+ #include <grub/bufio.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
  
  GRUB_MOD_LICENSE ("GPLv3+");
  
-@@ -233,6 +236,16 @@ grub_normal_init_page (struct grub_term_output *term)
+@@ -195,6 +198,8 @@ read_config_file (const char *config)
+   return newmenu;
+ }
+ 
++#pragma GCC diagnostic ignored "-Wformat-nonliteral"
++
+ /* Initialize the screen.  */
+ void
+ grub_normal_init_page (struct grub_term_output *term,
+@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
+ {
+   grub_ssize_t msg_len;
+   int posx;
++  const char *msg = _("GNU GRUB  version %s");
+   char *msg_formatted;
+   grub_uint32_t *unicode_msg;
+   grub_uint32_t *last_position;
   
    grub_term_cls (term);
  
+-  msg_formatted = grub_xasprintf (_("GNU GRUB  version %s"), PACKAGE_VERSION);
 +#ifdef GRUB_MACHINE_EFI
 +  if (grub_is_secured () == 1)
 +    {
@@ -471,10 +531,20 @@ index 13473ec..f11ce2a 100644
 +    }
 +#endif
 +
-   msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
++  msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
    if (!msg_formatted)
      return;
-@@ -294,6 +307,24 @@ grub_normal_execute (const char *config, int nested, int batch)
+  
+@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
+   grub_free (unicode_msg);
+ }
+ 
++#pragma GCC diagnostic error "-Wformat-nonliteral"
++
+ static void
+ read_lists (const char *val)
+ {
+@@ -273,6 +291,24 @@ grub_normal_execute (const char *config, int nested, int batch)
  
    if (config)
      {
@@ -499,19 +569,19 @@ index 13473ec..f11ce2a 100644
        menu = read_config_file (config);
  
        /* Ignore any error.  */
-@@ -317,7 +348,10 @@ grub_enter_normal_mode (const char *config)
- {
+@@ -302,7 +338,10 @@ grub_enter_normal_mode (const char *config)
    nested_level++;
    grub_normal_execute (config, 0, 0);
--  grub_cmdline_run (0);
+   grub_boot_time ("Entering shell");
+-  grub_cmdline_run (0, 1);
 +#ifdef GRUB_MACHINE_EFI
 +  if (grub_is_locked () == 0)
 +#endif
-+    grub_cmdline_run (0);
++    grub_cmdline_run (0, 1);
    nested_level--;
    if (grub_normal_exit_level)
      grub_normal_exit_level--;
-@@ -352,6 +386,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+@@ -338,6 +377,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
      grub_enter_normal_mode (argv[0]);
  
  quit:
@@ -530,7 +600,7 @@ index 13473ec..f11ce2a 100644
    return 0;
  }
  
-@@ -527,8 +573,11 @@ GRUB_MOD_INIT(normal)
+@@ -525,8 +576,11 @@ GRUB_MOD_INIT(normal)
    /* Register a command "normal" for the rescue mode.  */
    grub_register_command ("normal", grub_cmd_normal,
                          0, N_("Enter normal mode."));
@@ -545,7 +615,7 @@ index 13473ec..f11ce2a 100644
    /* Reload terminal colors when these variables are written to.  */
    grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
 diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
-index 7e0a158..5ed9670 100644
+index 719e2fb..0665abc 100644
 --- a/grub-core/normal/menu.c
 +++ b/grub-core/normal/menu.c
 @@ -32,6 +32,9 @@
@@ -558,21 +628,22 @@ index 7e0a158..5ed9670 100644
  
  /* Time to delay after displaying an error message about a default/fallback
     entry failing to boot.  */
-@@ -633,18 +636,28 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
+@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
               break;
  
             case 'c':
 -             menu_fini ();
--             grub_cmdline_run (1);
+-             grub_cmdline_run (1, 0);
 -             goto refresh;
 +#ifdef GRUB_MACHINE_EFI
 +             if (grub_is_locked () == 0)
 +#endif
 +               {
 +                 menu_fini ();
-+                 grub_cmdline_run (1);
++                 grub_cmdline_run (1, 0);
 +                 goto refresh;
 +               }
++             break;
  
             case 'e':
 -             menu_fini ();
@@ -592,11 +663,12 @@ index 7e0a158..5ed9670 100644
 +                 goto refresh;
                 }
 -             goto refresh;
++             break;
  
             default:
               {
 diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
-index 1687c28..6e4fbfb 100644
+index e22bb91..28c675f 100644
 --- a/grub-core/normal/menu_text.c
 +++ b/grub-core/normal/menu_text.c
 @@ -27,6 +27,9 @@
@@ -609,7 +681,15 @@ index 1687c28..6e4fbfb 100644
  
  static grub_uint8_t grub_color_menu_normal;
  static grub_uint8_t grub_color_menu_highlight;
-@@ -179,19 +182,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+     }
+   else
+     {
++      const char *msg;
+       char *msg_translated;
+ 
+       msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which "
+@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
  
        if (nested)
         {
@@ -705,5 +785,5 @@ index 0000000..98ef2d4
 +
 +#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */
 -- 
-2.7.4
+2.7.5
 
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
index 338c5d9..6a86f96 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
@@ -17,7 +17,7 @@ SRC_URI += "\
     file://chainloader-Actually-find-the-relocations-correctly-.patch \
     file://efi-chainloader-implemented-for-32-bit.patch \
     file://Grub-get-and-set-efi-variables.patch \
-    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch;apply=0 \
+    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
     file://grub-efi.cfg \
     file://boot-menu.inc \
     ${EXTRA_SRC_URI} \
@@ -25,8 +25,8 @@ SRC_URI += "\
 
 EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
 
-# TODO: re-add mok2verify when refreshed
-GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
+GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
+                                  if d.getVar('UEFI_SB', True) == '1' else ''}"
 
 # For efi_call_foo and efi_shim_exit
 CFLAGS_append = " -fno-toplevel-reorder"