From 26ced755f525311d102e95adbc3a36072c62ce00 Mon Sep 17 00:00:00 2001
From: Dmitry Eremin-Solenikov
Date: Wed, 4 Sep 2019 10:23:51 +0300
Subject: grub-efi: support mok2 verify in multiboot2 protocol
Add support for verifying PKCS#7 signatures via MOK2 protocol to multiboot2 command enabling one to load multiboot-capable kernels.
Signed-off-by: Dmitry Eremin-Solenikov
---
 .../recipes-bsp/grub/grub-efi-efi-secure-boot.inc | 1 +
 .../grub/grub-efi/mok2verify-multiboot.patch | 54 ++++++++++++++++++++++
 2 files changed, 55 insertions(+)
 create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
index 32da43a..71a2bc1 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -19,6 +19,7 @@ SRC_URI += "\
 file://efi-chainloader-implemented-for-32-bit.patch \
 file://Grub-get-and-set-efi-variables.patch \
 file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+ file://mok2verify-multiboot.patch \
 file://grub-efi.cfg \
 file://boot-menu.inc \
 ${EXTRA_SRC_URI} \
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch
new file mode 100644
index 0000000..eebc3f1
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-multiboot.patch
@@ -0,0 +1,54 @@
+Index: grub-2.02/grub-core/loader/multiboot.c
+===================================================================
+--- grub-2.02.orig/grub-core/loader/multiboot.c
++++ grub-2.02/grub-core/loader/multiboot.c
+@@ -47,6 +47,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+
+ #ifdef GRUB_MACHINE_EFI
+ #include
++#include
+ #endif
+
+ struct grub_relocator *GRUB_MULTIBOOT (relocator) = NULL;
+@@ -325,6 +326,20 @@ grub_cmd_multiboot (grub_command_t cmd _
+ if (! file)
+ return grub_errno;
+
++#if GRUB_MACHINE_EFI
++ err = grub_verify_file (argv[0]);
++ if (err != GRUB_ERR_NONE)
++ {
++ grub_error(err, N_("Failed to verify module %s"), argv[0]);
++
++ /* An unauthenticated module always causes a complete boot failure. */
++ if (grub_is_secured () == 1)
++ grub_loader_unset();
++
++ return err;
++ }
++#endif
++
+ grub_dl_ref (my_mod);
+
+ /* Skip filename. */
+@@ -379,6 +394,20 @@ grub_cmd_module (grub_command_t cmd __at
+ if (! file)
+ return grub_errno;
+
++#if GRUB_MACHINE_EFI
++ err = grub_verify_file (argv[0]);
++ if (err != GRUB_ERR_NONE)
++ {
++ grub_error(err, N_("Failed to verify module %s"), argv[0]);
++
++ /* An unauthenticated module always causes a complete boot failure. */
++ if (grub_is_secured () == 1)
++ grub_loader_unset();
++
++ return err;
++ }
++#endif
++
+ #ifndef GRUB_USE_MULTIBOOT2
+ lowest_addr = 0x100000;
+ if (grub_multiboot_quirks & GRUB_MULTIBOOT_QUIRK_MODULES_AFTER_KERNEL)
--
cgit v1.2.3-54-g00ecf
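Review bot: Both added blocks, in grub_cmd_multiboot and grub_cmd_module, sit directly after the `if (! file)` check and `return err;` on a verification failure without releasing that handle, so the file that appears to be opened just above each hunk is leaked; add `grub_file_close (file);` before `return err;`. More important for the secure-boot guarantee, `grub_verify_file (argv[0])` checks the file by name while the loader presumably goes on to read through the separate `file` handle, so the bytes that were verified are not bound to the bytes that get loaded if the backing storage or network source can answer the two reads differently; verifying the buffer that is actually loaded would close that gap. The comment says an unauthenticated module "always" causes a complete boot failure, but `grub_loader_unset()` runs only when `grub_is_secured () == 1`, so the comment should state that condition, and it is worth confirming that no other return value of grub_is_secured() can mean "secured" and fall through. In grub_cmd_multiboot the message "Failed to verify module %s" names the kernel image as a module, which will mislead whoever reads the boot log. Both functions begin and end outside the hunks, so the open call and the later reads are inferred from the context lines.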