From 01f67e4c7e4cb33acfa5a7a0c3d634cb6489278a Mon Sep 17 00:00:00 2001 From: Jason Wessel Date: Thu, 24 Oct 2019 14:00:42 -0700 Subject: grub: Make SELoader optional and add gpg verify support Allow SELoader to be an optional component for secure boot verification. The GPG_SIGN_VERIFY variable was added to control the ability to have grub perform all of the verification of the loaded files using a public key which gets built into grub at the time that mkimage is run. It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both be set to "1". While this configuration could work, it makes very little sense to use the system that way. Also enabled is the tftp feature for grub as a builtin. This allows grub to start from the network when the UEFI is configured to boot off the network with tftp. [ Issue: LINUXEXEC-2450 ] Signed-off-by: Jason Wessel --- .../recipes-bsp/grub/grub-efi-efi-secure-boot.inc | 63 ++++++++++--- ...-grub-verify-Add-strict_security-variable.patch | 102 +++++++++++++++++++++ ...support-to-verify-non-PE-file-with-PKCS-7.patch | 93 +++++++------------ .../recipes-bsp/grub/grub-efi/uefi_verify.patch | 63 +++++++++++++ meta-signing-key/conf/layer.conf | 6 ++ 5 files changed, 253 insertions(+), 74 deletions(-) create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc index 71a2bc1..6d1d284 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc 
@@ -1,10 +1,16 @@ DEPENDS += "openssl-native" FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:" +GRUB_SIGN_VERIFY_STRICT ?= "1" + EXTRA_SRC_URI = "\ ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \ " +GRUB_MOKVERIFY_PATCH = " \ + file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ + file://mok2verify-multiboot.patch" + SRC_URI += "\ file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \ file://0002-shim-add-needed-data-structures.patch \ @@ -18,10 +24,11 @@ SRC_URI += "\ file://chainloader-Actually-find-the-relocations-correctly-.patch \ file://efi-chainloader-implemented-for-32-bit.patch \ file://Grub-get-and-set-efi-variables.patch \ - file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ - file://mok2verify-multiboot.patch \ + file://uefi_verify.patch \ + file://0001-grub-verify-Add-strict_security-variable.patch \ file://grub-efi.cfg \ file://boot-menu.inc \ + ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \ ${EXTRA_SRC_URI} \ " @@ -30,8 +37,17 @@ COMPATIBLE_HOST_aarch64 = 'null' EFI_BOOT_PATH = "/boot/efi/EFI/BOOT" -GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \ - if d.getVar('UEFI_SB', True) == '1' else ''}" +GRUB_SECURE_BOOT_MODULES += "${@'efivar password_pbkdf2 ' if d.getVar('UEFI_SB', True) == '1' else ''}" + +GRUB_SIGNING_MODULES += "${@'pgp gcry_rsa gcry_sha256 gcry_sha512 --pubkey %s ' % d.getVar('GRUB_PUB_KEY', True) \ + if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" + +GRUB_SELOADER_MODULES += "${@'mok2verify ' if d.getVar('UEFI_SELOADER', True) == '1' else ''}" + +GRUB_BUILDIN_append += "tftp reboot chain \ + ${GRUB_SECURE_BOOT_MODULES} \ + ${GRUB_SIGNING_MODULES} \ + ${GRUB_SELOADER_MODULES}" # For efi_call_foo and efi_shim_exit CFLAGS_append = " -fno-toplevel-reorder" 
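Review bot: Nothing rejects a build with `UEFI_SB = "1"` but both `UEFI_SELOADER` and `GRUB_SIGN_VERIFY` left at "0": `GRUB_SIGNING_MODULES` and `GRUB_SELOADER_MODULES` both expand to empty and `mok2verify` is no longer built in unconditionally as it was on the removed `GRUB_BUILDIN_append` line, so as far as this recipe shows grub.cfg, boot-menu.inc and the kernel are loaded with no verifier while the shim-signed grub image still looks like a secure-boot build. A guard in the recipe's anonymous python (outside this hunk), e.g. `if d.getVar('UEFI_SB') == '1' and d.getVar('UEFI_SELOADER') != '1' and d.getVar('GRUB_SIGN_VERIFY') != '1': bb.fatal("UEFI_SB needs UEFI_SELOADER or GRUB_SIGN_VERIFY")`, would make that combination an explicit choice. `GRUB_SIGNING_MODULES` also smuggles the `--pubkey %s` mkimage option into what is named a module list, and with `GRUB_PUB_KEY` unset it expands to `--pubkey None`, which fails inside grub-mkimage with an unrelated-looking error; a `bb.fatal` when `GRUB_SIGN_VERIFY` is "1" and the key is empty, or a rename such as `GRUB_MKIMAGE_SIGNING_ARGS` with a comment, would help. Since `tftp` is now always built in, a config fetched over the network is presumably subject to the same detached `.sig` requirement, which is worth a comment next to the `GRUB_BUILDIN_append` line.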
@@ -59,6 +75,22 @@ python __anonymous () { d.setVar("GRUB_IMAGE", grubimage) } +do_compile_append() { + if [ "${GRUB_SIGN_VERIFY}" = "1" -a "${GRUB_SIGN_VERIFY_STRICT}" = "1" ] ; then + cat<${WORKDIR}/cfg +insmod verify +set strict_security=1 +search.file (\$cmdpath)/EFI/BOOT/grub.cfg root +set prefix=(\$root)/EFI/BOOT +EOF + else + cat<${WORKDIR}/cfg +search.file (\$cmdpath)/EFI/BOOT/grub.cfg root +set prefix=(\$root)/EFI/BOOT +EOF + fi +} + do_compile_append_class-native() { make grub-editenv } @@ -97,7 +129,7 @@ do_install_append_class-target() { grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" - grub-mkimage -p /EFI/BOOT -d "./grub-core" \ + grub-mkimage -c ../cfg -p /EFI/BOOT -d "./grub-core" \ -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \ ${GRUB_BUILDIN} 
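Review bot: The strict embedded config sets `strict_security=1` but never sets `check_signatures`, so enforcement of the `.sig` checks presumably relies on the pgp module switching to enforce by itself when it finds the embedded key; if that is the intent it should be explicit, `set check_signatures=enforce` before `set strict_security=1`, so the one-way latch has a known value to latch. The module loaded is `verify`, while the module this same commit builds in and patches is `pgp` (`grub-core/commands/pgp.c`, `GRUB_MOD_INIT(pgp)`); confirm which name this grub exports, because a failed `insmod` in the embedded config is not fatal and would go unnoticed. `grub-mkimage -c ../cfg` assumes `${B}` sits one level below the `${WORKDIR}` where `do_compile_append` wrote the file; `-c ${WORKDIR}/cfg` removes that assumption. Finally `grubenv` is created by the `grub-editenv ... create` line but, as far as this hunk shows, never signed, and it cannot carry a stable signature since grub rewrites it at runtime, so a `load_env`/`save_env` in grub.cfg will fail under enforce mode — worth a comment on that line.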
@@ -117,28 +149,29 @@ fakeroot python do_sign_class-target() { dir = image_dir + efi_boot_path + '/' sb_sign(dir + grub_image, dir + grub_image, d) - uks_sel_sign(dir + 'grub.cfg', d) - uks_sel_sign(dir + 'boot-menu.inc', d) + uks_bl_sign(dir + 'grub.cfg', d) + uks_bl_sign(dir + 'boot-menu.inc', d) if d.getVar('UEFI_SB', True) == "1": - uks_sel_sign(dir + 'efi-secure-boot.inc', d) - uks_sel_sign(dir + 'password.inc', d) + uks_bl_sign(dir + 'efi-secure-boot.inc', d) + uks_bl_sign(dir + 'password.inc', d) } python do_sign() { } addtask sign after do_install before do_deploy do_package do_sign[prefuncs] += "check_deploy_keys" +do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}" -fakeroot do_chownp7b() { - chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg.p7b" - chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc.p7b" +fakeroot do_chownboot() { + chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}" + chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}" [ x"${UEFI_SB}" = x"1" ] && { - chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc.p7b" - chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc.p7b" + chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}" + chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}" } } -addtask chownp7b after do_deploy before do_package +addtask chownboot after do_deploy before do_package # Override the do_deploy() in oe-core. do_deploy_class-target() { diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch new file mode 100644 index 0000000..11bfe76 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch 
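Review bot: `check_boot_public_key` is attached only as a prefunc of `do_sign`, but the key it presumably validates (`GRUB_PUB_KEY`) is already consumed by grub-mkimage in `do_install`, which runs first, so a missing or wrong key surfaces as a mkimage failure before the check ever runs; adding `do_install[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"` puts the diagnostic where it is needed. `do_chownboot` expands `${SB_FILE_EXT}` with no default in view; if it is empty the `chown -R` silently targets the unsigned config files instead of their signatures, so either a `SB_FILE_EXT ?=` default or a `[ -n "${SB_FILE_EXT}" ] || bbfatal "SB_FILE_EXT unset"` at the top of the function is worth adding. The definitions of `uks_bl_sign` and `SB_FILE_EXT` are outside this hunk.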
@@ -0,0 +1,102 @@
+From 8a7ad88b4880e25df1f54b80631dc035e1e25662 Mon Sep 17 00:00:00 2001
+From: Jason Wessel
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub verify: Add strict_security variable
+
+With strict_security set to 1, it is impossible to change the value of
+check_signatures. It will also cause grub to reboot instead of
+allowing a rescue or grub shell, which could allow an end user to
+alter boot arguments or load some other binary.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jason Wessel
+---
+ grub-core/commands/pgp.c | 16 +++++++++++++++-
+ grub-core/kern/main.c | 9 +++++++++
+ grub-core/normal/main.c | 7 +++++--
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+--- a/grub-core/commands/pgp.c
++++ b/grub-core/commands/pgp.c
+@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_c
+ }
+ 
+ static int sec = 0;
++static int strict_sec = 0;
+ 
+ static grub_err_t
+ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
+@@ -918,10 +919,21 @@ static char *
+ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
+ const char *val)
+ {
+- sec = (*val == '1') || (*val == 'e');
++ if (!strict_sec)
++ sec = (*val == '1') || (*val == 'e');
+ return grub_strdup (sec ? "enforce" : "no");
+ }
+ 
++static char *
++grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
++ const char *val)
++{
++ /* once it is set, it is a one way transition */
++ if (!strict_sec)
++ strict_sec = (*val == '1') || (*val == 'e');
++ return grub_strdup (strict_sec ? "enforce" : "no");
++}
++
+ static grub_ssize_t
+ pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
+ {
+@@ -961,7 +973,9 @@ GRUB_MOD_INIT(pgp)
+ sec = 0;
+ 
+ grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
++ grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
+ grub_env_export ("check_signatures");
++ grub_env_export ("strict_security");
+ 
+ grub_pk_trusted = 0;
+ FOR_MODULES (header)
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include
+ #include
+ #include
++#include
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include
+@@ -308,5 +309,13 @@ grub_main (void)
+ grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
+ 
+ grub_load_normal_mode ();
++ const char *val = grub_env_get ("strict_security");
++ if (val && (val[0] == '1' || val[0] == 'e'))
++ while (1) {
++ grub_printf("Boot configuration error - Attempting reboot\n");
++ grub_sleep(3);
++ grub_dl_load ("reboot");
++ grub_command_execute ("reboot", 0, 0);
++ }
+ grub_rescue_run ();
+ }
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -301,8 +301,11 @@ grub_enter_normal_mode (const char *conf
+ grub_boot_time ("Entering normal mode");
+ nested_level++;
+ grub_normal_execute (config, 0, 0);
+- grub_boot_time ("Entering shell");
+- grub_cmdline_run (0, 1);
++ const char *val = grub_env_get ("strict_security");
++ if (!(val && (val[0] == '1' || val[0] == 'e'))) {
++ grub_boot_time ("Entering shell");
++ grub_cmdline_run (0, 1);
++ }
+ nested_level--;
+ if (grub_normal_exit_level)
+ grub_normal_exit_level--;
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
index b4467c2..4cd8953 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
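Review bot: `strict_security` closes the post-config shell in `grub_enter_normal_mode` and the rescue prompt in `grub_main`, but the menu's `c` (command line) and `e` (edit entry) keys in `run_menu` (normal/menu.c, not touched by this patch) still open an editor where kernel arguments can be changed, so on the intended `GRUB_SIGN_VERIFY=1` / `UEFI_SELOADER=0` build the patch description's promise holds only if `superusers`/`password_pbkdf2` is also configured; the `grub_is_locked()` guard on those keys lives in the mok2verify patch, which that configuration does not apply. Gating the `'c'` and `'e'` cases with the same `val && (val[0] == '1' || val[0] == 'e')` test, or stating in the patch header that menu editing relies on the password, would close the gap. Minor: the `while (1)` in `grub_main` prints every 3 s forever if the `reboot` module cannot be loaded — acceptable as fail-closed, but a one-line comment saying so would save the next reader a question, and the added `#include` line's target is not visible here, so confirm it brings in what `grub_sleep`, `grub_dl_load` and `grub_command_execute` need.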
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch @@ -37,22 +37,20 @@ grub_file_open function. Signed-off-by: Yi Zhao --- - grub-core/Makefile.core.def | 6 ++ - grub-core/commands/boot.c | 14 +++- - grub-core/gfxmenu/gui_label.c | 39 +++++++-- - grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++ - grub-core/loader/i386/linux.c | 60 ++++++++++++++ - grub-core/loader/linux.c | 27 +++++- - grub-core/normal/main.c | 53 +++++++++++- - grub-core/normal/menu.c | 31 +++++-- - grub-core/normal/menu_text.c | 33 ++++++-- - include/grub/efi/mok2verify.h | 48 +++++++++++ + grub-core/Makefile.core.def | 6 + + grub-core/commands/boot.c | 14 ++- + grub-core/gfxmenu/gui_label.c | 39 +++++++- + grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++ + grub-core/loader/i386/linux.c | 60 +++++++++++++ + grub-core/loader/linux.c | 27 +++++- + grub-core/normal/main.c | 53 +++++++++++ + grub-core/normal/menu.c | 31 +++++- + grub-core/normal/menu_text.c | 33 +++++-- + include/grub/efi/mok2verify.h | 48 ++++++++++ 10 files changed, 463 insertions(+), 30 deletions(-) create mode 100644 grub-core/lib/efi/mok2verify.c create mode 100644 include/grub/efi/mok2verify.h -diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index 18d2316..59a5cf1 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -1870,6 +1870,12 @@ module = { @@ -68,8 +66,6 @@ index 18d2316..59a5cf1 100644 name = mmap; common = mmap/mmap.c; x86 = mmap/i386/uppermem.c; -diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c -index bbca81e..3f44a7e 100644 --- a/grub-core/commands/boot.c +++ b/grub-core/commands/boot.c @@ -24,6 +24,9 @@ @@ -100,8 +96,6 @@ index bbca81e..3f44a7e 100644 grub_machine_fini (grub_loader_flags); -diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c -index a4c8178..da49c9e 100644 --- a/grub-core/gfxmenu/gui_label.c 
+++ b/grub-core/gfxmenu/gui_label.c @@ -24,6 +24,9 @@ @@ -114,7 +108,7 @@ index a4c8178..da49c9e 100644 static const char *align_options[] = { -@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value) +@@ -183,15 +186,37 @@ label_set_property (void *vself, const c else { if (grub_strcmp (value, "@KEYMAP_LONG@") == 0) @@ -159,9 +153,6 @@ index a4c8178..da49c9e 100644 /* FIXME: Add more templates here if needed. */ self->template = grub_strdup (value); self->text = grub_xasprintf (value, self->value); -diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c -new file mode 100644 -index 0000000..790efa0 --- /dev/null +++ b/grub-core/lib/efi/mok2verify.c @@ -0,0 +1,182 @@ @@ -347,11 +338,9 @@ index 0000000..790efa0 +} + +#pragma GCC diagnostic error "-Wvla" -diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c -index d0501e2..e684300 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c -@@ -36,6 +36,9 @@ +@@ -40,6 +40,9 @@ #include #include #include @@ -361,7 +350,7 @@ index d0501e2..e684300 100644 GRUB_MOD_LICENSE ("GPLv3+"); -@@ -635,6 +638,55 @@ grub_linux_unload (void) +@@ -657,6 +660,55 @@ grub_shim_verify (grub_addr_t addr, grub return GRUB_ERR_NONE; } @@ -417,7 +406,7 @@ index d0501e2..e684300 100644 static grub_err_t grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), int argc, char *argv[]) -@@ -657,6 +709,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), +@@ -679,6 +731,9 @@ grub_cmd_linux (grub_command_t cmd __att goto fail; } @@ -427,7 +416,7 @@ index d0501e2..e684300 100644 file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL); if (! file) goto fail; -@@ -1114,6 +1169,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), +@@ -1140,6 +1195,11 @@ grub_cmd_initrd (grub_command_t cmd __at fail: grub_initrd_close (&initrd_ctx); 
@@ -439,8 +428,6 @@ index d0501e2..e684300 100644 return grub_errno; } -diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c -index 471b214..bb312ac 100644 --- a/grub-core/loader/linux.c +++ b/grub-core/loader/linux.c @@ -4,6 +4,9 @@ @@ -453,7 +440,7 @@ index 471b214..bb312ac 100644 struct newc_head { -@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, +@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_init int newc = 0; struct dir *root = 0; grub_ssize_t cursize = 0; @@ -461,7 +448,7 @@ index 471b214..bb312ac 100644 for (i = 0; i < initrd_ctx->nfiles; i++) { -@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, +@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_init grub_initrd_close (initrd_ctx); return grub_errno; } @@ -487,7 +474,7 @@ index 471b214..bb312ac 100644 ptr += cursize; } if (newc) -@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, +@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_init ptr += ALIGN_UP_OVERHEAD (cursize, 4); ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0); } @@ -498,8 +485,6 @@ index 471b214..bb312ac 100644 - return GRUB_ERR_NONE; + return err; } -diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c -index 1b03dfd..f48a549 100644 --- a/grub-core/normal/main.c +++ b/grub-core/normal/main.c @@ -33,6 +33,9 @@ @@ -521,7 +506,7 @@ index 1b03dfd..f48a549 100644 /* Initialize the screen. */ void grub_normal_init_page (struct grub_term_output *term, -@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term, +@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_ { grub_ssize_t msg_len; int posx; @@ -547,7 +532,7 @@ index 1b03dfd..f48a549 100644 if (!msg_formatted) return; -@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term, +@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_ grub_free (unicode_msg); } 
@@ -556,7 +541,7 @@ index 1b03dfd..f48a549 100644 static void read_lists (const char *val) { -@@ -273,6 +291,20 @@ grub_normal_execute (const char *config, int nested, int batch) +@@ -273,6 +291,20 @@ grub_normal_execute (const char *config, if (config) { @@ -577,19 +562,19 @@ index 1b03dfd..f48a549 100644 menu = read_config_file (config); /* Ignore any error. */ -@@ -302,7 +334,10 @@ grub_enter_normal_mode (const char *config) - nested_level++; - grub_normal_execute (config, 0, 0); - grub_boot_time ("Entering shell"); -- grub_cmdline_run (0, 1); +@@ -304,7 +336,10 @@ grub_enter_normal_mode (const char *conf + const char *val = grub_env_get ("strict_security"); + if (!(val && (val[0] == '1' || val[0] == 'e'))) { + grub_boot_time ("Entering shell"); +- grub_cmdline_run (0, 1); +#ifdef GRUB_MACHINE_EFI -+ if (grub_is_locked () == 0) ++ if (grub_is_locked () == 0) +#endif -+ grub_cmdline_run (0, 1); ++ grub_cmdline_run (0, 1); + } nested_level--; if (grub_normal_exit_level) - grub_normal_exit_level--; -@@ -338,6 +373,13 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), +@@ -341,6 +376,13 @@ grub_cmd_normal (struct grub_command *cm grub_enter_normal_mode (argv[0]); quit: @@ -603,7 +588,7 @@ index 1b03dfd..f48a549 100644 return 0; } -@@ -525,8 +567,11 @@ GRUB_MOD_INIT(normal) +@@ -528,8 +570,11 @@ GRUB_MOD_INIT(normal) /* Register a command "normal" for the rescue mode. */ grub_register_command ("normal", grub_cmd_normal, 0, N_("Enter normal mode.")); @@ -617,8 +602,6 @@ index 1b03dfd..f48a549 100644 /* Reload terminal colors when these variables are written to. */ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal); -diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index d5e0c79..512f710 100644 --- a/grub-core/normal/menu.c +++ b/grub-core/normal/menu.c @@ -32,6 +32,9 @@ 
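Review bot: The rebased `grub_enter_normal_mode` hunk now uses the `strict_security` lines from 0001-grub-verify-Add-strict_security-variable.patch as its context, so this patch only applies after that one; the .inc lists `GRUB_MOKVERIFY_PATCH` after it, but nothing records that the order is load-bearing. A line in this patch's header, e.g. `Depends on 0001-grub-verify-Add-strict_security-variable.patch (context in grub_enter_normal_mode)`, would keep a future reorder of `SRC_URI` from breaking the apply. With both patches in, `grub_cmdline_run` is reached only when strict mode is off and, on EFI, `grub_is_locked()` is 0, which is the desirable combination and worth saying in the same header note.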
@@ -631,7 +614,7 @@ index d5e0c79..512f710 100644 /* Time to delay after displaying an error message about a default/fallback entry failing to boot. */ -@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) +@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, break; case 'c': @@ -670,8 +653,6 @@ index d5e0c79..512f710 100644 default: { -diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c -index e22bb91..28c675f 100644 --- a/grub-core/normal/menu_text.c +++ b/grub-core/normal/menu_text.c @@ -27,6 +27,9 @@ @@ -684,7 +665,7 @@ index e22bb91..28c675f 100644 static grub_uint8_t grub_color_menu_normal; static grub_uint8_t grub_color_menu_highlight; -@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."), +@@ -165,6 +168,7 @@ command-line or ESC to discard edits and } else { @@ -692,7 +673,7 @@ index e22bb91..28c675f 100644 char *msg_translated; msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which " -@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."), +@@ -180,19 +184,32 @@ command-line or ESC to discard edits and if (nested) { @@ -733,9 +714,6 @@ index e22bb91..28c675f 100644 } } return ret; -diff --git a/include/grub/efi/mok2verify.h b/include/grub/efi/mok2verify.h -new file mode 100644 -index 0000000..98ef2d4 --- /dev/null +++ b/include/grub/efi/mok2verify.h @@ -0,0 +1,48 @@ @@ -787,6 +765,3 @@ index 0000000..98ef2d4 +EXPORT_FUNC (grub_verify_file) (const char *path); + +#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */ --- -2.7.4 - diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch new file mode 100644 index 0000000..68aca71 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch 
@@ -0,0 +1,63 @@
+From: Jason Wessel
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub shim verify: Report that the loaded object is verified
+
+When check_signatures is set to enforcing, the signatures of the
+loaded files have been checked, so the shim service should be informed
+that it is ok to execute the loaded file.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Jason Wessel
+---
+ grub-core/loader/i386/linux.c | 26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -21,6 +21,10 @@
+ #include
+ #include
+ #include
++#include
++#include
++#include
++#include
+ #include
+ #include
+ #include
+@@ -673,6 +677,23 @@ grub_linux_unload (void)
+ return GRUB_ERR_NONE;
+ }
+ 
++static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
++
++static grub_efi_status_t
++grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
++{
++ struct grub_shim_lock *shim_lock;
++ shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
++ if (!shim_lock)
++ {
++ grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
++ return GRUB_EFI_UNSUPPORTED;
++ }
++
++ shim_lock->verify((void *) addr, size);
++ return GRUB_ERR_NONE;
++}
++
+ static grub_err_t
+ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ int argc, char *argv[])
+@@ -706,6 +728,10 @@ grub_cmd_linux (grub_command_t cmd __att
+ argv[0]);
+ goto fail;
+ }
++ const char *ge_val = grub_env_get ("check_signatures");
++ if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
++ /* Verify was handled by .sig files, inform shim */
++ grub_shim_verify((grub_addr_t)&lh, sizeof(lh));
+ 
+ if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
+ {
diff --git a/meta-signing-key/conf/layer.conf b/meta-signing-key/conf/layer.conf
index 2755aa2..84b06a2 100644
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
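Review bot: `grub_shim_verify` discards the status returned by `shim_lock->verify()` and unconditionally returns `GRUB_ERR_NONE` (a `grub_err_t` constant from a function declared `grub_efi_status_t`), so a security violation reported by shim has no effect; the only way this call makes `linux` fail is the side effect of `grub_error()` when the protocol is absent, which also turns a firmware→grub boot without shim into a hard failure once `check_signatures` is enforcing — that consequence should be stated in the patch header. The buffer handed to shim is the local header copy `lh`, not the loaded kernel image, so what shim is being asked to verify, and what it returns for that non-PE buffer, cannot be told from here and must be confirmed before a non-success status is made fatal; per the header the `.sig` check already covered the file. At minimum the status should be propagated and the caller should bail on error instead of falling through to the `boot_flag` check; `grub_cmd_linux` continues outside the hunk.
```c
static grub_efi_status_t
grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
{
  struct grub_shim_lock *shim_lock;
  grub_efi_status_t status;

  shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
  if (!shim_lock)
    {
      grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
      return GRUB_EFI_UNSUPPORTED;
    }

  status = shim_lock->verify ((void *) addr, size);
  if (status != GRUB_EFI_SUCCESS)
    grub_error (GRUB_ERR_ACCESS_DENIED, "shim rejected the loaded image");
  return status;
}

/* … unchanged: grub_cmd_linux up to the kernel header read … */
  const char *ge_val = grub_env_get ("check_signatures");
  if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
    {
      /* Signatures were checked via .sig files; tell shim and fail closed.  */
      if (grub_shim_verify ((grub_addr_t) &lh, sizeof (lh)) != GRUB_EFI_SUCCESS)
        goto fail;
    }
```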
@@ -31,6 +31,12 @@ MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.crt"
 # EV certificate
 EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"
 
+# Use SELoader with the UEFI shim
+UEFI_SELOADER ??= "1"
+
+# Use gpg key to protect and verify all files used by grub
+GRUB_SIGN_VERIFY ??= "0"
+
 # By default the sample keys are used
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"
-- 
cgit v1.2.3-54-g00ecf
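Review bot: The two new comments describe each knob in isolation but not their relationship, which the commit message spells out: the two are not meant to both be "1", and with both at "0" grub's own files are not verified by either mechanism, yet the defaults are "1"/"0" with no hint of that. Suggest `# Use SELoader with the UEFI shim to verify grub.cfg and the kernel (set to "0" when GRUB_SIGN_VERIFY is "1")` for the first and `# Have grub verify a detached GPG signature (.sig) on every file it loads, using the public key embedded at grub-mkimage time; not meant to be combined with UEFI_SELOADER = "1"` for the second.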