From 3af3588ab2e2cf279294d58411d2f4226814080f Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Thu, 13 Jul 2017 10:26:43 +0800 Subject: grub-efi: carry forward mok2verify to grub-2.02 Signed-off-by: Lans Zhang --- ...support-to-verify-non-PE-file-with-PKCS-7.patch | 226 ++++++++++++++------- .../recipes-bsp/grub/grub-efi_2.02.bbappend | 6 +- 2 files changed, 156 insertions(+), 76 deletions(-) diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch index b5a0a52..a10b77f 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch @@ -1,6 +1,6 @@ -From 46873e2c5514bf6460a2f0f39ad8f8feb8f18f68 Mon Sep 17 00:00:00 2001 +From 00fd7457c9d907800587e93f87fc5b6de68ba49e Mon Sep 17 00:00:00 2001 From: Lans Zhang -Date: Thu, 16 Mar 2017 14:49:41 +0800 +Date: Wed, 12 Jul 2017 16:02:13 +0800 Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7 signature @@ -27,22 +27,23 @@ Signed-off-by: Lans Zhang --- grub-core/Makefile.core.def | 6 ++ grub-core/commands/boot.c | 14 +++- - grub-core/gfxmenu/gui_label.c | 39 ++++++++-- - grub-core/lib/efi/mok2verify.c | 172 +++++++++++++++++++++++++++++++++++++++++ - grub-core/loader/i386/linux.c | 80 +++++++++++++++++++ - grub-core/normal/main.c | 55 ++++++++++++- - grub-core/normal/menu.c | 29 +++++-- - grub-core/normal/menu_text.c | 32 ++++++-- - include/grub/efi/mok2verify.h | 48 ++++++++++++ - 9 files changed, 447 insertions(+), 28 deletions(-) + grub-core/gfxmenu/gui_label.c | 39 +++++++-- + grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++ + grub-core/loader/i386/linux.c | 60 ++++++++++++++ + grub-core/loader/linux.c | 27 +++++- + grub-core/normal/main.c | 62 +++++++++++++- + grub-core/normal/menu.c | 31 +++++-- + grub-core/normal/menu_text.c | 33 ++++++-- + include/grub/efi/mok2verify.h | 48 +++++++++++ + 10 files changed, 472 insertions(+), 30 deletions(-) create mode 100644 grub-core/lib/efi/mok2verify.c create mode 100644 include/grub/efi/mok2verify.h diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index e9e1483..8e72251 100644 +index a82c1f3..76b3c7d 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def -@@ -1434,6 +1434,12 @@ module = { +@@ -1754,6 +1754,12 @@ module = { }; module = { @@ -56,7 +57,7 @@ index e9e1483..8e72251 100644 common = mmap/mmap.c; x86 = mmap/i386/uppermem.c; diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c -index 91ec87d..5cddbb6 100644 +index bbca81e..3f44a7e 100644 --- a/grub-core/commands/boot.c +++ b/grub-core/commands/boot.c @@ -24,6 +24,9 @@ @@ -82,26 +83,26 @@ index 91ec87d..5cddbb6 100644 + N_("you need to load the authenticated boot components")); +#endif + return grub_error (GRUB_ERR_NO_KERNEL, -+ N_("you need to load the kernel first")); ++ N_("you need to load the kernel first")); + } - if (grub_loader_flags & GRUB_LOADER_FLAG_NORETURN) - grub_machine_fini (); + grub_machine_fini (grub_loader_flags); + diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c -index 637578f..84bf7d4 100644 +index a4c8178..da49c9e 100644 --- a/grub-core/gfxmenu/gui_label.c +++ b/grub-core/gfxmenu/gui_label.c -@@ -23,6 +23,9 @@ - #include +@@ -24,6 +24,9 @@ #include #include + #include +#ifdef GRUB_MACHINE_EFI +#include +#endif static const char *align_options[] = { -@@ -180,15 +183,37 @@ label_set_property (void *vself, const char *name, const char *value) +@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value) else { if (grub_strcmp (value, "@KEYMAP_LONG@") == 0) @@ -148,10 +149,10 @@ index 637578f..84bf7d4 100644 self->text = grub_xasprintf (value, self->value); diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c new file mode 100644 -index 0000000..2e48ef9 +index 0000000..3865661 --- /dev/null +++ b/grub-core/lib/efi/mok2verify.c -@@ -0,0 +1,172 @@ +@@ -0,0 +1,182 @@ +/* mok2verify.c - MOK2 Verify Protocol support + * + * BSD 2-clause "Simplified" License @@ -195,10 +196,8 @@ index 0000000..2e48ef9 + +GRUB_MOD_LICENSE ("GPLv2+"); + -+#define EFI_MOK2_VERIFY_PROTOCOL_GUID \ -+ { 0x4eda73ad, 0x07aa, 0x4b7a, \ -+ { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 } \ -+ } ++#define EFI_MOK2_VERIFY_PROTOCOL_GUID \ ++ { 0x4eda73ad, 0x07aa, 0x4b7a, { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 }} + +typedef struct efi_mok2_verify_protocol efi_mok2_verify_protocol_t; + @@ -229,19 +228,27 @@ index 0000000..2e48ef9 +int +grub_is_secured (void) +{ -+ grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID; -+ void *efi_var; -+ grub_size_t efi_var_size = 0; ++ grub_efi_guid_t global_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; ++ void *var; ++ grub_size_t var_size = 0; + int secured = 0; + -+ efi_var = grub_efi_get_variable ("SecureBoot", &global, &efi_var_size); -+ if (!efi_var) ++ var = grub_efi_get_variable ("SecureBoot", &global_guid, &var_size); ++ if (!var) + return grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable")); + -+ if (efi_var_size == 1 && *(grub_uint8_t *) efi_var == 1) ++ if (var_size != 1 || *(grub_uint8_t *) var != 1) ++ goto out; ++ ++ grub_free (var); ++ ++ var = grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid, ++ &var_size); ++ if (!var || (var_size == 1 && *(grub_uint8_t *) var == 0)) + secured = 1; + -+ grub_free (efi_var); ++out: ++ grub_free (var); + + return secured; +} @@ -258,6 +265,8 @@ index 0000000..2e48ef9 + return ! grub_is_unlockable () && grub_is_secured (); +} + ++#pragma GCC diagnostic ignored "-Wvla" ++ +grub_err_t +grub_verify_file (const char *path) +{ @@ -324,21 +333,23 @@ index 0000000..2e48ef9 + + return GRUB_ERR_NONE; +} ++ ++#pragma GCC diagnostic error "-Wvla" diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c -index e2425c8..5a12444 100644 +index 083f941..486e420 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c -@@ -34,6 +34,9 @@ - #include +@@ -35,6 +35,9 @@ #include #include + #include +#ifdef GRUB_MACHINE_EFI +#include +#endif GRUB_MOD_LICENSE ("GPLv3+"); -@@ -664,6 +667,55 @@ grub_linux_unload (void) +@@ -673,6 +676,55 @@ grub_linux_unload (void) return GRUB_ERR_NONE; } @@ -394,7 +405,7 @@ index e2425c8..5a12444 100644 static grub_err_t grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), int argc, char *argv[]) -@@ -687,6 +739,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), +@@ -695,6 +747,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } @@ -404,9 +415,43 @@ index e2425c8..5a12444 100644 file = grub_file_open (argv[0]); if (! file) goto fail; -@@ -1132,6 +1187,26 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), - argv[i]); - goto fail; +@@ -1132,6 +1187,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + fail: + grub_initrd_close (&initrd_ctx); + ++#ifdef GRUB_MACHINE_EFI ++ /* An unauthenticated initrd always causes a complete boot failure. */ ++ if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE) ++ grub_loader_unset(); ++#endif + return grub_errno; + } + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index be6fa0f..edc6d24 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -4,6 +4,9 @@ + #include + #include + #include ++#ifdef GRUB_MACHINE_EFI ++#include ++#endif + + struct newc_head + { +@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, + int newc = 0; + struct dir *root = 0; + grub_ssize_t cursize = 0; ++ grub_err_t err; + + for (i = 0; i < initrd_ctx->nfiles; i++) + { +@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, + grub_initrd_close (initrd_ctx); + return grub_errno; } + +#ifdef GRUB_MACHINE_EFI @@ -427,40 +472,55 @@ index e2425c8..5a12444 100644 + goto fail; + } +#endif -+ ptr += cursize; - grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4)); + } + if (newc) +@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, ptr += ALIGN_UP_OVERHEAD (cursize, 4); -@@ -1149,6 +1224,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), - grub_file_close (files[i]); - grub_free (files); - -+#ifdef GRUB_MACHINE_EFI -+ /* An unauthenticated initrd always causes a complete boot failure. */ -+ if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE) -+ grub_loader_unset(); -+#endif - return grub_errno; + ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0); + } ++ ++fail: + free_dir (root); + root = 0; +- return GRUB_ERR_NONE; ++ return err; } - diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c -index 13473ec..f11ce2a 100644 +index 78a70a8..1058c97 100644 --- a/grub-core/normal/main.c +++ b/grub-core/normal/main.c -@@ -32,6 +32,9 @@ - #include +@@ -33,6 +33,9 @@ #include #include + #include +#ifdef GRUB_MACHINE_EFI +#include +#endif GRUB_MOD_LICENSE ("GPLv3+"); -@@ -233,6 +236,16 @@ grub_normal_init_page (struct grub_term_output *term) +@@ -195,6 +198,8 @@ read_config_file (const char *config) + return newmenu; + } + ++#pragma GCC diagnostic ignored "-Wformat-nonliteral" ++ + /* Initialize the screen. */ + void + grub_normal_init_page (struct grub_term_output *term, +@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term, + { + grub_ssize_t msg_len; + int posx; ++ const char *msg = _("GNU GRUB version %s"); + char *msg_formatted; + grub_uint32_t *unicode_msg; + grub_uint32_t *last_position; grub_term_cls (term); +- msg_formatted = grub_xasprintf (_("GNU GRUB version %s"), PACKAGE_VERSION); +#ifdef GRUB_MACHINE_EFI + if (grub_is_secured () == 1) + { @@ -471,10 +531,20 @@ index 13473ec..f11ce2a 100644 + } +#endif + - msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION); ++ msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION); if (!msg_formatted) return; -@@ -294,6 +307,24 @@ grub_normal_execute (const char *config, int nested, int batch) + +@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term, + grub_free (unicode_msg); + } + ++#pragma GCC diagnostic error "-Wformat-nonliteral" ++ + static void + read_lists (const char *val) + { +@@ -273,6 +291,24 @@ grub_normal_execute (const char *config, int nested, int batch) if (config) { @@ -499,19 +569,19 @@ index 13473ec..f11ce2a 100644 menu = read_config_file (config); /* Ignore any error. */ -@@ -317,7 +348,10 @@ grub_enter_normal_mode (const char *config) - { +@@ -302,7 +338,10 @@ grub_enter_normal_mode (const char *config) nested_level++; grub_normal_execute (config, 0, 0); -- grub_cmdline_run (0); + grub_boot_time ("Entering shell"); +- grub_cmdline_run (0, 1); +#ifdef GRUB_MACHINE_EFI + if (grub_is_locked () == 0) +#endif -+ grub_cmdline_run (0); ++ grub_cmdline_run (0, 1); nested_level--; if (grub_normal_exit_level) grub_normal_exit_level--; -@@ -352,6 +386,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), +@@ -338,6 +377,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)), grub_enter_normal_mode (argv[0]); quit: @@ -530,7 +600,7 @@ index 13473ec..f11ce2a 100644 return 0; } -@@ -527,8 +573,11 @@ GRUB_MOD_INIT(normal) +@@ -525,8 +576,11 @@ GRUB_MOD_INIT(normal) /* Register a command "normal" for the rescue mode. */ grub_register_command ("normal", grub_cmd_normal, 0, N_("Enter normal mode.")); @@ -545,7 +615,7 @@ index 13473ec..f11ce2a 100644 /* Reload terminal colors when these variables are written to. */ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal); diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index 7e0a158..5ed9670 100644 +index 719e2fb..0665abc 100644 --- a/grub-core/normal/menu.c +++ b/grub-core/normal/menu.c @@ -32,6 +32,9 @@ @@ -558,21 +628,22 @@ index 7e0a158..5ed9670 100644 /* Time to delay after displaying an error message about a default/fallback entry failing to boot. */ -@@ -633,18 +636,28 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) +@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) break; case 'c': - menu_fini (); -- grub_cmdline_run (1); +- grub_cmdline_run (1, 0); - goto refresh; +#ifdef GRUB_MACHINE_EFI + if (grub_is_locked () == 0) +#endif + { + menu_fini (); -+ grub_cmdline_run (1); ++ grub_cmdline_run (1, 0); + goto refresh; + } ++ break; case 'e': - menu_fini (); @@ -592,11 +663,12 @@ index 7e0a158..5ed9670 100644 + goto refresh; } - goto refresh; ++ break; default: { diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c -index 1687c28..6e4fbfb 100644 +index e22bb91..28c675f 100644 --- a/grub-core/normal/menu_text.c +++ b/grub-core/normal/menu_text.c @@ -27,6 +27,9 @@ @@ -609,7 +681,15 @@ index 1687c28..6e4fbfb 100644 static grub_uint8_t grub_color_menu_normal; static grub_uint8_t grub_color_menu_highlight; -@@ -179,19 +182,32 @@ command-line or ESC to discard edits and return to the GRUB menu."), +@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."), + } + else + { ++ const char *msg; + char *msg_translated; + + msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which " +@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."), if (nested) { @@ -705,5 +785,5 @@ index 0000000..98ef2d4 + +#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */ -- -2.7.4 +2.7.5 diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend index 338c5d9..6a86f96 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend @@ -17,7 +17,7 @@ SRC_URI += "\ file://chainloader-Actually-find-the-relocations-correctly-.patch \ file://efi-chainloader-implemented-for-32-bit.patch \ file://Grub-get-and-set-efi-variables.patch \ - file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch;apply=0 \ + file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \ file://grub-efi.cfg \ file://boot-menu.inc \ ${EXTRA_SRC_URI} \ @@ -25,8 +25,8 @@ SRC_URI += "\ EFI_BOOT_PATH = "/boot/efi/EFI/BOOT" -# TODO: re-add mok2verify when refreshed -GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}" +GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \ + if d.getVar('UEFI_SB', True) == '1' else ''}" # For efi_call_foo and efi_shim_exit CFLAGS_append = " -fno-toplevel-reorder" -- cgit v1.2.3-54-g00ecf