2 files changed, 48 insertions, 0 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
index c3e7a9c..2477a2e 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -28,6 +28,7 @@ SRC_URI_append_class-target += "\
    file://Grub-get-and-set-efi-variables.patch \
    file://uefi_verify.patch \
    file://0001-grub-verify-Add-strict_security-variable.patch \
+    file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch \
    file://grub-efi.cfg \
    file://boot-menu.inc \
    ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
new file mode 100644
index 0000000..83f5899
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
@@ -0,0 +1,47 @@
+From ca81ba93b6536916673b6cb9cb6aef7652aee971 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 7 Apr 2021 11:00:37 +0800
+Subject: [PATCH] kern/efi/init.c: disable inside lockdown and shim_lock
+ verifiers
+The lockdown support[1] and secure boot detection[2] have been added to
+grub 2.06. These verifiers are registered when UEFI Secure Boot is
+enabled. Unfortunately, they conflict with the current MOK2 Verify
+mechanism. So disable them when enable SELoader.
+Fixes grub error:
+error: failed to verify kernel /bzImage
+[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
+[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ grub-core/kern/efi/init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 7facacf..67b18e9 100644
+--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
+@@ -95,6 +95,7 @@ grub_efi_init (void)
+   /* Initialize the memory management system.  */
+   grub_efi_mm_init ();
+ 
+#if 0
+   /*
+    * Lockdown the GRUB and register the shim_lock verifier
+    * if the UEFI Secure Boot is enabled.
+@@ -104,6 +105,7 @@ grub_efi_init (void)
+       grub_lockdown ();
+       grub_shim_lock_verifier_setup ();
+     }
+#endif
+ 
+   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+              0, 0, 0, NULL);
+-- 
+2.17.1

diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc index c3e7a9c..2477a2e 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -28,6 +28,7 @@ SRC_URI_append_class-target += "\
28	file://Grub-get-and-set-efi-variables.patch \	28	file://Grub-get-and-set-efi-variables.patch \
29	file://uefi_verify.patch \	29	file://uefi_verify.patch \
30	file://0001-grub-verify-Add-strict_security-variable.patch \	30	file://0001-grub-verify-Add-strict_security-variable.patch \
		31	file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch \
31	file://grub-efi.cfg \	32	file://grub-efi.cfg \
32	file://boot-menu.inc \	33	file://boot-menu.inc \
33	${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \	34	${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \


diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch new file mode 100644 index 0000000..83f5899 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
@@ -0,0 +1,47 @@
		1	From ca81ba93b6536916673b6cb9cb6aef7652aee971 Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Wed, 7 Apr 2021 11:00:37 +0800
		4	Subject: [PATCH] kern/efi/init.c: disable inside lockdown and shim_lock
		5	verifiers
		6
		7	The lockdown support[1] and secure boot detection[2] have been added to
		8	grub 2.06. These verifiers are registered when UEFI Secure Boot is
		9	enabled. Unfortunately, they conflict with the current MOK2 Verify
		10	mechanism. So disable them when enable SELoader.
		11
		12	Fixes grub error:
		13	error: failed to verify kernel /bzImage
		14
		15	[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
		16	[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
		17
		18	Upstream-Status: Inappropriate [embedded specific]
		19
		20	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		21	---
		22	grub-core/kern/efi/init.c \| 2 ++
		23	1 file changed, 2 insertions(+)
		24
		25	diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
		26	index 7facacf..67b18e9 100644
		27	--- a/grub-core/kern/efi/init.c
		28	+++ b/grub-core/kern/efi/init.c
		29	@@ -95,6 +95,7 @@ grub_efi_init (void)
		30	/* Initialize the memory management system. */
		31	grub_efi_mm_init ();
		32
		33	+#if 0
		34	/*
		35	* Lockdown the GRUB and register the shim_lock verifier
		36	* if the UEFI Secure Boot is enabled.
		37	@@ -104,6 +105,7 @@ grub_efi_init (void)
		38	grub_lockdown ();
		39	grub_shim_lock_verifier_setup ();
		40	}
		41	+#endif
		42
		43	efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
		44	0, 0, 0, NULL);
		45	--
		46	2.17.1
		47