5 files changed, 253 insertions, 74 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
index 71a2bc1..6d1d284 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -1,10 +1,16 @@
 DEPENDS += "openssl-native"
 FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
+GRUB_SIGN_VERIFY_STRICT ?= "1"
 EXTRA_SRC_URI = "\
    ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
 "
+GRUB_MOKVERIFY_PATCH = " \
+   file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+   file://mok2verify-multiboot.patch"
 SRC_URI += "\
    file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
    file://0002-shim-add-needed-data-structures.patch \
@@ -18,10 +24,11 @@ SRC_URI += "\
    file://chainloader-Actually-find-the-relocations-correctly-.patch \
    file://efi-chainloader-implemented-for-32-bit.patch \
    file://Grub-get-and-set-efi-variables.patch \
-    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+    file://uefi_verify.patch \
-    file://mok2verify-multiboot.patch \
+    file://0001-grub-verify-Add-strict_security-variable.patch \
    file://grub-efi.cfg \
    file://boot-menu.inc \
+    ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \
    ${EXTRA_SRC_URI} \
 "
@@ -30,8 +37,17 @@ COMPATIBLE_HOST_aarch64 = 'null'
 EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
-GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
+GRUB_SECURE_BOOT_MODULES += "${@'efivar password_pbkdf2 ' if d.getVar('UEFI_SB', True) == '1' else ''}"
-                                  if d.getVar('UEFI_SB', True) == '1' else ''}"
+GRUB_SIGNING_MODULES += "${@'pgp gcry_rsa gcry_sha256 gcry_sha512 --pubkey %s ' % d.getVar('GRUB_PUB_KEY', True) \
+  if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
+GRUB_SELOADER_MODULES += "${@'mok2verify ' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
+GRUB_BUILDIN_append += "tftp reboot chain \
+  ${GRUB_SECURE_BOOT_MODULES} \
+  ${GRUB_SIGNING_MODULES} \
+  ${GRUB_SELOADER_MODULES}"
 # For efi_call_foo and efi_shim_exit
 CFLAGS_append = " -fno-toplevel-reorder"
@@ -59,6 +75,22 @@ python __anonymous () {
    d.setVar("GRUB_IMAGE", grubimage)
 }
+do_compile_append() {
+        if [ "${GRUB_SIGN_VERIFY}" = "1" -a "${GRUB_SIGN_VERIFY_STRICT}" = "1" ] ; then
+                cat<<EOF>${WORKDIR}/cfg
+insmod verify
+set strict_security=1
+search.file (\$cmdpath)/EFI/BOOT/grub.cfg root
+set prefix=(\$root)/EFI/BOOT
+EOF
+        else
+                cat<<EOF>${WORKDIR}/cfg
+search.file (\$cmdpath)/EFI/BOOT/grub.cfg root
+set prefix=(\$root)/EFI/BOOT
+EOF
+        fi
+}
 do_compile_append_class-native() {
    make grub-editenv
 }
@@ -97,7 +129,7 @@ do_install_append_class-target() {
    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
    install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
-    grub-mkimage -p /EFI/BOOT -d "./grub-core" \
+    grub-mkimage -c ../cfg -p /EFI/BOOT -d "./grub-core" \
        -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
        ${GRUB_BUILDIN}
@@ -117,28 +149,29 @@ fakeroot python do_sign_class-target() {
    dir = image_dir + efi_boot_path + '/'
    sb_sign(dir + grub_image, dir + grub_image, d)
-    uks_sel_sign(dir + 'grub.cfg', d)
+    uks_bl_sign(dir + 'grub.cfg', d)
-    uks_sel_sign(dir + 'boot-menu.inc', d)
+    uks_bl_sign(dir + 'boot-menu.inc', d)
    if d.getVar('UEFI_SB', True) == "1":
-        uks_sel_sign(dir + 'efi-secure-boot.inc', d)
+        uks_bl_sign(dir + 'efi-secure-boot.inc', d)
-        uks_sel_sign(dir + 'password.inc', d)
+        uks_bl_sign(dir + 'password.inc', d)
 }
 python do_sign() {
 }
 addtask sign after do_install before do_deploy do_package
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
-fakeroot do_chownp7b() {
+fakeroot do_chownboot() {
-    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg.p7b"
+    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}"
-    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc.p7b"
+    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}"
    [ x"${UEFI_SB}" = x"1" ] && {
-        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc.p7b"
+        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}"
-        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc.p7b"
+        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}"
    }
 }
-addtask chownp7b after do_deploy before do_package
+addtask chownboot after do_deploy before do_package
 # Override the do_deploy() in oe-core.
 do_deploy_class-target() {
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch
new file mode 100644
index 0000000..11bfe76
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch
@@ -0,0 +1,102 @@
+From 8a7ad88b4880e25df1f54b80631dc035e1e25662 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub verify:  Add strict_security variable
+With strict_security set to 1, it is impossible to change the value of
+check_signatures.  It will also cause grub to reboot instead of
+allowing a rescue or grub shell, which could allow an end user to
+alter boot arguments or load some other binary.
+Upstream-Status: Pending
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+---
+ grub-core/commands/pgp.c |   16 +++++++++++++++-
+ grub-core/kern/main.c    |    9 +++++++++
+ grub-core/normal/main.c  |    7 +++++--
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
+@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_c
+ }
+ 
+ static int sec = 0;
+static int strict_sec = 0;
+ 
+ static grub_err_t
+ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
+@@ -918,10 +919,21 @@ static char *
+ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
+                    const char *val)
+ {
+-  sec = (*val == '1') || (*val == 'e');
+  if (!strict_sec)
+    sec = (*val == '1') || (*val == 'e');
+   return grub_strdup (sec ? "enforce" : "no");
+ }
+ 
+static char *
+grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
+                          const char *val)
+{
+  /* once it is set, it is a one way transition */
+  if (!strict_sec)
+    strict_sec = (*val == '1') || (*val == 'e');
+  return grub_strdup (strict_sec ? "enforce" : "no");
+}
+
+ static grub_ssize_t 
+ pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
+ {
+@@ -961,7 +973,9 @@ GRUB_MOD_INIT(pgp)
+     sec = 0;
+ 
+   grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
+  grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
+   grub_env_export ("check_signatures");
+  grub_env_export ("strict_security");
+ 
+   grub_pk_trusted = 0;
+   FOR_MODULES (header)
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
+#include <grub/time.h>
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -308,5 +309,13 @@ grub_main (void)
+   grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
+ 
+   grub_load_normal_mode ();
+  const char *val = grub_env_get ("strict_security");
+  if (val && (val[0] == '1' || val[0] == 'e'))
+    while (1) {
+      grub_printf("Boot configuration error - Attempting reboot\n");
+      grub_sleep(3);
+      grub_dl_load ("reboot");
+      grub_command_execute ("reboot", 0, 0);
+    }
+   grub_rescue_run ();
+ }
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -301,8 +301,11 @@ grub_enter_normal_mode (const char *conf
+   grub_boot_time ("Entering normal mode");
+   nested_level++;
+   grub_normal_execute (config, 0, 0);
+-  grub_boot_time ("Entering shell");
+-  grub_cmdline_run (0, 1);
+  const char *val = grub_env_get ("strict_security");
+  if (!(val && (val[0] == '1' || val[0] == 'e'))) {
+    grub_boot_time ("Entering shell");
+    grub_cmdline_run (0, 1);
+  }
+   nested_level--;
+   if (grub_normal_exit_level)
+     grub_normal_exit_level--;
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
index b4467c2..4cd8953 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
@@ -37,22 +37,20 @@ grub_file_open function.
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- grub-core/Makefile.core.def    |   6 ++
+ grub-core/Makefile.core.def    |    6 +
- grub-core/commands/boot.c      |  14 +++-
+ grub-core/commands/boot.c      |   14 ++-
- grub-core/gfxmenu/gui_label.c  |  39 +++++++--
+ grub-core/gfxmenu/gui_label.c  |   39 +++++++-
- grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/lib/efi/mok2verify.c |  182 +++++++++++++++++++++++++++++++++++++++++
- grub-core/loader/i386/linux.c  |  60 ++++++++++++++
+ grub-core/loader/i386/linux.c  |   60 +++++++++++++
- grub-core/loader/linux.c       |  27 +++++-
+ grub-core/loader/linux.c       |   27 +++++-
- grub-core/normal/main.c        |  53 +++++++++++-
+ grub-core/normal/main.c        |   53 +++++++++++
- grub-core/normal/menu.c        |  31 +++++--
+ grub-core/normal/menu.c        |   31 +++++-
- grub-core/normal/menu_text.c   |  33 ++++++--
+ grub-core/normal/menu_text.c   |   33 +++++--
- include/grub/efi/mok2verify.h  |  48 +++++++++++
+ include/grub/efi/mok2verify.h  |   48 ++++++++++
 10 files changed, 463 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/lib/efi/mok2verify.c
 create mode 100644 include/grub/efi/mok2verify.h
-diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index 18d2316..59a5cf1 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
 @@ -1870,6 +1870,12 @@ module = {
@@ -68,8 +66,6 @@ index 18d2316..59a5cf1 100644
   name = mmap;
   common = mmap/mmap.c;
   x86 = mmap/i386/uppermem.c;
-diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
-index bbca81e..3f44a7e 100644
 --- a/grub-core/commands/boot.c
 +++ b/grub-core/commands/boot.c
 @@ -24,6 +24,9 @@
@@ -100,8 +96,6 @@ index bbca81e..3f44a7e 100644
 
   grub_machine_fini (grub_loader_flags);
 
-diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
-index a4c8178..da49c9e 100644
 --- a/grub-core/gfxmenu/gui_label.c
 +++ b/grub-core/gfxmenu/gui_label.c
 @@ -24,6 +24,9 @@
@@ -114,7 +108,7 @@ index a4c8178..da49c9e 100644
 
 static const char *align_options[] =
 {
-@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value)
+@@ -183,15 +186,37 @@ label_set_property (void *vself, const c
       else
        {
           if (grub_strcmp (value, "@KEYMAP_LONG@") == 0)
@@ -159,9 +153,6 @@ index a4c8178..da49c9e 100644
           /* FIXME: Add more templates here if needed.  */
          self->template = grub_strdup (value);
          self->text = grub_xasprintf (value, self->value);
-diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
-new file mode 100644
-index 0000000..790efa0
 --- /dev/null
 +++ b/grub-core/lib/efi/mok2verify.c
 @@ -0,0 +1,182 @@
@@ -347,11 +338,9 @@ index 0000000..790efa0
 +}
 +
 +#pragma GCC diagnostic error "-Wvla"
-diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
-index d0501e2..e684300 100644
 --- a/grub-core/loader/i386/linux.c
 +++ b/grub-core/loader/i386/linux.c
-@@ -36,6 +36,9 @@
+@@ -40,6 +40,9 @@
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
 #include <grub/machine/kernel.h>
@@ -361,7 +350,7 @@ index d0501e2..e684300 100644
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
-@@ -635,6 +638,55 @@ grub_linux_unload (void)
+@@ -657,6 +660,55 @@ grub_shim_verify (grub_addr_t addr, grub
   return GRUB_ERR_NONE;
 }
 
@@ -417,7 +406,7 @@ index d0501e2..e684300 100644
 static grub_err_t
 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
                int argc, char *argv[])
-@@ -657,6 +709,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+@@ -679,6 +731,9 @@ grub_cmd_linux (grub_command_t cmd __att
       goto fail;
     }
 
@@ -427,7 +416,7 @@ index d0501e2..e684300 100644
   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
   if (! file)
     goto fail;
-@@ -1114,6 +1169,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+@@ -1140,6 +1195,11 @@ grub_cmd_initrd (grub_command_t cmd __at
  fail:
   grub_initrd_close (&initrd_ctx);
 
@@ -439,8 +428,6 @@ index d0501e2..e684300 100644
   return grub_errno;
 }
 
-diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
-index 471b214..bb312ac 100644
 --- a/grub-core/loader/linux.c
 +++ b/grub-core/loader/linux.c
 @@ -4,6 +4,9 @@
@@ -453,7 +440,7 @@ index 471b214..bb312ac 100644
 
 struct newc_head
 {
-@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_init
   int newc = 0;
   struct dir *root = 0;
   grub_ssize_t cursize = 0;
@@ -461,7 +448,7 @@ index 471b214..bb312ac 100644
 
   for (i = 0; i < initrd_ctx->nfiles; i++)
     {
-@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_init
          grub_initrd_close (initrd_ctx);
          return grub_errno;
        }
@@ -487,7 +474,7 @@ index 471b214..bb312ac 100644
       ptr += cursize;
     }
   if (newc)
-@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_init
       ptr += ALIGN_UP_OVERHEAD (cursize, 4);
       ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
     }
@@ -498,8 +485,6 @@ index 471b214..bb312ac 100644
 -  return GRUB_ERR_NONE;
 +  return err;
 }
-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 1b03dfd..f48a549 100644
 --- a/grub-core/normal/main.c
 +++ b/grub-core/normal/main.c
 @@ -33,6 +33,9 @@
@@ -521,7 +506,7 @@ index 1b03dfd..f48a549 100644
 /* Initialize the screen.  */
 void
 grub_normal_init_page (struct grub_term_output *term,
-@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
+@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_
 {
   grub_ssize_t msg_len;
   int posx;
@@ -547,7 +532,7 @@ index 1b03dfd..f48a549 100644
   if (!msg_formatted)
     return;
  
-@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
+@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_
   grub_free (unicode_msg);
 }
 
@@ -556,7 +541,7 @@ index 1b03dfd..f48a549 100644
 static void
 read_lists (const char *val)
 {
-@@ -273,6 +291,20 @@ grub_normal_execute (const char *config, int nested, int batch)
+@@ -273,6 +291,20 @@ grub_normal_execute (const char *config,
 
   if (config)
     {
@@ -577,19 +562,19 @@ index 1b03dfd..f48a549 100644
       menu = read_config_file (config);
 
       /* Ignore any error.  */
-@@ -302,7 +334,10 @@ grub_enter_normal_mode (const char *config)
+@@ -304,7 +336,10 @@ grub_enter_normal_mode (const char *conf
-   nested_level++;
+   const char *val = grub_env_get ("strict_security");
-   grub_normal_execute (config, 0, 0);
+   if (!(val && (val[0] == '1' || val[0] == 'e'))) {
-   grub_boot_time ("Entering shell");
+     grub_boot_time ("Entering shell");
-  grub_cmdline_run (0, 1);
+-    grub_cmdline_run (0, 1);
 +#ifdef GRUB_MACHINE_EFI
-+  if (grub_is_locked () == 0)
+    if (grub_is_locked () == 0)
 +#endif
-+    grub_cmdline_run (0, 1);
+      grub_cmdline_run (0, 1);
+   }
   nested_level--;
   if (grub_normal_exit_level)
-     grub_normal_exit_level--;
+@@ -341,6 +376,13 @@ grub_cmd_normal (struct grub_command *cm
-@@ -338,6 +373,13 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
     grub_enter_normal_mode (argv[0]);
 
 quit:
@@ -603,7 +588,7 @@ index 1b03dfd..f48a549 100644
   return 0;
 }
 
-@@ -525,8 +567,11 @@ GRUB_MOD_INIT(normal)
+@@ -528,8 +570,11 @@ GRUB_MOD_INIT(normal)
   /* Register a command "normal" for the rescue mode.  */
   grub_register_command ("normal", grub_cmd_normal,
                         0, N_("Enter normal mode."));
@@ -617,8 +602,6 @@ index 1b03dfd..f48a549 100644
 
   /* Reload terminal colors when these variables are written to.  */
   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
-diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
-index d5e0c79..512f710 100644
 --- a/grub-core/normal/menu.c
 +++ b/grub-core/normal/menu.c
 @@ -32,6 +32,9 @@
@@ -631,7 +614,7 @@ index d5e0c79..512f710 100644
 
 /* Time to delay after displaying an error message about a default/fallback
    entry failing to boot.  */
-@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
+@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested,
              break;
 
            case 'c':
@@ -670,8 +653,6 @@ index d5e0c79..512f710 100644
 
            default:
              {
-diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
-index e22bb91..28c675f 100644
 --- a/grub-core/normal/menu_text.c
 +++ b/grub-core/normal/menu_text.c
 @@ -27,6 +27,9 @@
@@ -684,7 +665,7 @@ index e22bb91..28c675f 100644
 
 static grub_uint8_t grub_color_menu_normal;
 static grub_uint8_t grub_color_menu_highlight;
-@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -165,6 +168,7 @@ command-line or ESC to discard edits and
     }
   else
     {
@@ -692,7 +673,7 @@ index e22bb91..28c675f 100644
       char *msg_translated;
 
       msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which "
-@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -180,19 +184,32 @@ command-line or ESC to discard edits and
 
       if (nested)
        {
@@ -733,9 +714,6 @@ index e22bb91..28c675f 100644
        }       
     }
   return ret;
-diff --git a/include/grub/efi/mok2verify.h b/include/grub/efi/mok2verify.h
-new file mode 100644
-index 0000000..98ef2d4
 --- /dev/null
 +++ b/include/grub/efi/mok2verify.h
 @@ -0,0 +1,48 @@
@@ -787,6 +765,3 @@ index 0000000..98ef2d4
 +EXPORT_FUNC (grub_verify_file) (const char *path);
 +
 +#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */
-- 
-2.7.4
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch
new file mode 100644
index 0000000..68aca71
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch
@@ -0,0 +1,63 @@
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub shim verify: Report that the loaded object is verified
+When check_signatures is set to enforcing, the signatures of the
+loaded files have been checked, so the shim service should be informed
+that it is ok to execute the loaded file.
+Upstream-Status: Inappropriate
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+---
+ grub-core/loader/i386/linux.c |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
+@@ -21,6 +21,10 @@
+ #include <grub/normal.h>
+ #include <grub/file.h>
+ #include <grub/disk.h>
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/disk.h>
+#include <grub/efi/shim.h>
+ #include <grub/err.h>
+ #include <grub/misc.h>
+ #include <grub/types.h>
+@@ -673,6 +677,23 @@ grub_linux_unload (void)
+   return GRUB_ERR_NONE;
+ }
+ 
+static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
+
+static grub_efi_status_t
+grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
+{
+  struct grub_shim_lock *shim_lock;
+  shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
+  if (!shim_lock)
+    {
+      grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
+      return GRUB_EFI_UNSUPPORTED;
+    }
+
+  shim_lock->verify((void *) addr, size);
+  return GRUB_ERR_NONE;
+}
+
+ static grub_err_t
+ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+                int argc, char *argv[])
+@@ -706,6 +728,10 @@ grub_cmd_linux (grub_command_t cmd __att
+                    argv[0]);
+       goto fail;
+     }
+  const char *ge_val = grub_env_get ("check_signatures");
+  if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
+    /* Verify was handled by .sig files, inform shim */
+    grub_shim_verify((grub_addr_t)&lh, sizeof(lh));
+ 
+   if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
+     {
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 2755aa2..84b06a2 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -31,6 +31,12 @@ MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.crt"
 # EV certificate
 EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
+# Use SELoader with the UEFI shim
+UEFI_SELOADER ??= "1"
+# Use gpg key to protect and verify all files used by grub
+GRUB_SIGN_VERIFY ??= "0"
 # By default the sample keys are used
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"