From 70e22755a6a80d80c0e5327b35206372c5bb3380 Mon Sep 17 00:00:00 2001 From: Yi Zhao Date: Tue, 13 Aug 2019 09:47:44 +0800 Subject: grub-efi: update bbappend and refresh patches The grub-efi has been upgraded to 2.04 in oe-core. Update the bbappend and refresh patches to adapt it. Signed-off-by: Yi Zhao --- ...support-to-verify-non-PE-file-with-PKCS-7.patch | 50 ++++--- .../recipes-bsp/grub/grub-efi_2.%.bbappend | 148 +++++++++++++++++++++ .../recipes-bsp/grub/grub-efi_2.02.bbappend | 148 --------------------- 3 files changed, 176 insertions(+), 170 deletions(-) create mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend delete mode 100644 meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch index 8a0588d..b4467c2 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch @@ -1,4 +1,4 @@ -From 00fd7457c9d907800587e93f87fc5b6de68ba49e Mon Sep 17 00:00:00 2001 +From 69884cfde30dc876cda61714f1476a3d331bc2db Mon Sep 17 00:00:00 2001 From: Lans Zhang Date: Wed, 12 Jul 2017 16:02:13 +0800 Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7 @@ -30,6 +30,12 @@ grub-core/normal/main.c. The asm codes are x86 specified but aarch64 is supported by grub-efi now. Signed-off-by: Kai Kang + +Rebase patch for 2.0.4 +Add a parameter file type to grub_verify_linux function to adapt new +grub_file_open function. + +Signed-off-by: Yi Zhao --- grub-core/Makefile.core.def | 6 ++ grub-core/commands/boot.c | 14 +++- @@ -37,19 +43,19 @@ 
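Review bot: The rebase note added to the embedded patch's description reads `Rebase patch for 2.0.4`, while this commit's subject and body name the oe-core grub-efi version as 2.04; the version string in the note should read `Rebase patch for 2.04`. The rest of that note, that a file type parameter was added to grub_verify_linux to fit the new grub_file_open, matches the hunks below, so only the version number needs correcting.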
Signed-off-by: Kai Kang grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++ grub-core/loader/i386/linux.c | 60 ++++++++++++++ grub-core/loader/linux.c | 27 +++++- - grub-core/normal/main.c | 62 +++++++++++++- + grub-core/normal/main.c | 53 +++++++++++- grub-core/normal/menu.c | 31 +++++-- grub-core/normal/menu_text.c | 33 ++++++-- include/grub/efi/mok2verify.h | 48 +++++++++++ - 10 files changed, 472 insertions(+), 30 deletions(-) + 10 files changed, 463 insertions(+), 30 deletions(-) create mode 100644 grub-core/lib/efi/mok2verify.c create mode 100644 include/grub/efi/mok2verify.h diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def -index a82c1f3..76b3c7d 100644 +index 18d2316..59a5cf1 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def -@@ -1754,6 +1754,12 @@ module = { +@@ -1870,6 +1870,12 @@ module = { }; module = { @@ -155,7 +161,7 @@ index a4c8178..da49c9e 100644 self->text = grub_xasprintf (value, self->value); diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c new file mode 100644 -index 0000000..3865661 +index 0000000..790efa0 --- /dev/null +++ b/grub-core/lib/efi/mok2verify.c @@ -0,0 +1,182 @@ @@ -342,26 +348,26 @@ index 0000000..3865661 + +#pragma GCC diagnostic error "-Wvla" diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c -index 083f941..486e420 100644 +index d0501e2..e684300 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c -@@ -35,6 +35,9 @@ - #include +@@ -36,6 +36,9 @@ #include #include + #include +#ifdef GRUB_MACHINE_EFI +#include +#endif GRUB_MOD_LICENSE ("GPLv3+"); -@@ -673,6 +676,55 @@ grub_linux_unload (void) +@@ -635,6 +638,55 @@ grub_linux_unload (void) return GRUB_ERR_NONE; } +#ifdef GRUB_MACHINE_EFI +static grub_err_t -+grub_verify_linux (const char *path) ++grub_verify_linux (const char *path, enum grub_file_type type) +{ + grub_file_t file; + grub_ssize_t size; 
@@ -369,7 +375,7 @@ index 083f941..486e420 100644 + + grub_dprintf ("linux", "Verifying kernel %s\n", path); + -+ file = grub_file_open (path); ++ file = grub_file_open (path, type); + if (!file) + return grub_errno; + @@ -402,7 +408,7 @@ index 083f941..486e420 100644 +} +#else +static grub_err_t -+grub_verify_linux (const char *path) ++grub_verify_linux (const char *path, enum grub_file_type type) +{ + return GRUB_ERR_NONE; +} @@ -411,17 +417,17 @@ index 083f941..486e420 100644 static grub_err_t grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), int argc, char *argv[]) -@@ -695,6 +747,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), +@@ -657,6 +709,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } -+ if (grub_verify_linux (argv[0])) ++ if (grub_verify_linux (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL)) + goto fail; + - file = grub_file_open (argv[0]); + file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL); if (! file) goto fail; -@@ -1132,6 +1187,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), +@@ -1114,6 +1169,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), fail: grub_initrd_close (&initrd_ctx); @@ -434,7 +440,7 @@ index 083f941..486e420 100644 } diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c -index be6fa0f..edc6d24 100644 +index 471b214..bb312ac 100644 --- a/grub-core/loader/linux.c +++ b/grub-core/loader/linux.c @@ -4,6 +4,9 @@ @@ -493,7 +499,7 @@ index be6fa0f..edc6d24 100644 + return err; } diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c -index 78a70a8..b1340c7 100644 +index 1b03dfd..f48a549 100644 --- a/grub-core/normal/main.c +++ b/grub-core/normal/main.c @@ -33,6 +33,9 @@ @@ -612,7 +618,7 @@ index 78a70a8..b1340c7 100644 /* Reload terminal colors when these variables are written to. */ grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal); 
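Review bot: In the non-EFI stub of grub_verify_linux (the `#else` branch in the `@@ -402,7 +408,7 @@` hunk) the new `type` parameter joins `path` as a parameter the body never reads, which a build that enables `-Wunused-parameter` with `-Werror` will reject. The file already marks unused parameters with `__attribute__ ((unused))` on grub_cmd_linux's `cmd`, so the stub's signature should follow that convention: `grub_verify_linux (const char *path __attribute__ ((unused)), enum grub_file_type type __attribute__ ((unused)))`. `path` was already unused before this rebase, but the same attribute covers both.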
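Review bot: In the `@@ -411,17 +417,17 @@` hunk grub_cmd_linux verifies the kernel through `grub_verify_linux (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL)`, which opens and reads the path on its own handle and closes it, and then reopens the same path with `grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL)` to load it, so the bytes that were signature-checked are not bound to the bytes that are loaded; on a network or removable source that is a time-of-check/time-of-use window. The `enum grub_file_type` argument this rebase threads through exists for grub 2.04's file verifiers framework, where a verifier registered with `grub_verifier_register` sees the same stream the loader reads, so registering the mok2verify check as a verifier would close the gap and make the separate pre-open unnecessary. That is a larger change than a rebase, so at minimum a comment above the call should record the limitation, e.g. `/* NOTE: verifies a separate open of the path; the loader reopens it below. */`. grub_cmd_linux starts and ends outside this hunk.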
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c -index 719e2fb..0665abc 100644 +index d5e0c79..512f710 100644 --- a/grub-core/normal/menu.c +++ b/grub-core/normal/menu.c @@ -32,6 +32,9 @@ @@ -625,7 +631,7 @@ index 719e2fb..0665abc 100644 /* Time to delay after displaying an error message about a default/fallback entry failing to boot. */ -@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) +@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot) break; case 'c': @@ -782,5 +788,5 @@ index 0000000..98ef2d4 + +#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */ -- -2.7.5 +2.7.4 diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend new file mode 100644 index 0000000..da3fda9 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.%.bbappend 
@@ -0,0 +1,148 @@
+DEPENDS += "openssl-native"
+FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
+
+EXTRA_SRC_URI = "\
+ ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
+"
+
+SRC_URI += "\
+ file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
+ file://0002-shim-add-needed-data-structures.patch \
+ file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
+ file://0004-efi-chainloader-port-shim-to-grub.patch \
+ file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
+ file://0006-efi-chainloader-boot-the-image-using-shim.patch \
+ file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
+ file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
+ file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
+ file://chainloader-Actually-find-the-relocations-correctly-.patch \
+ file://efi-chainloader-implemented-for-32-bit.patch \
+ file://Grub-get-and-set-efi-variables.patch \
+ file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+ file://grub-efi.cfg \
+ file://boot-menu.inc \
+ ${EXTRA_SRC_URI} \
+"
+
+# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
+COMPATIBLE_HOST_aarch64 = 'null'
+
+EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
+
+GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
+ if d.getVar('UEFI_SB', True) == '1' else ''}"
+
+# For efi_call_foo and efi_shim_exit
+CFLAGS_append = " -fno-toplevel-reorder"
+
+# Set a default root specifier.
+inherit user-key-store
+
+python __anonymous () {
+ if d.getVar('UEFI_SB', True) != "1":
+ return
+
+ # Override the default filename if efi-secure-boot enabled.
+ # grub-efi must be renamed as grub${arch}.efi for working with shim
+ # or SELoader.
+ import re
+
+ target = d.getVar('TARGET_ARCH', True)
+ if target == "x86_64":
+ grubimage = "grubx64.efi"
+ elif re.match('i.86', target):
+ grubimage = "grubia32.efi"
+ else:
+ raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
+
+ d.setVar("GRUB_IMAGE", grubimage)
+}
+
+do_compile_append_class-native() {
+ make grub-editenv
+}
+
+do_install_append_class-native() {
+ install -m 0755 grub-editenv "${D}${bindir}"
+}
+
+do_install_append_class-target() {
+ local menu="${WORKDIR}/boot-menu.inc"
+
+ # Enable the default IMA rules if IMA is enabled and luks is disabled.
+ # This is because unseal operation will fail when any PCR is extended
+ # due to updating the aggregate integrity value by the default IMA rules.
+ [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
+ ! grep -q "ima_policy=tcb" "$menu" &&
+ sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
+ }
+
+ # Replace the root parameter in boot command line with BOOT_CMD_ROOT,
+ # which can be configured. It is helpful when secure boot is enabled.
+ [ -n "${BOOT_CMD_ROOT}" ] && {
+ sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
+ }
+
+ # Install the stacked grub configs.
+ install -d "${D}${EFI_BOOT_PATH}"
+ install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
+ install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
+ [ x"${UEFI_SB}" = x"1" ] && {
+ install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
+ install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
+ }
+
+ # Create the initial environment block with empty item.
+ grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
+
+ install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
+ grub-mkimage -p /EFI/BOOT -d "./grub-core" \
+ -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
+ ${GRUB_BUILDIN}
+
+ install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
+
+ # Install the modules to grub-efi's search path
+ make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
+
+ # Remove .module
+ rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
+}
+
+fakeroot python do_sign_class-target() {
+ image_dir = d.getVar('D', True)
+ efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
+ grub_image = d.getVar('GRUB_IMAGE', True)
+ dir = image_dir + efi_boot_path + '/'
+
+ sb_sign(dir + grub_image, dir + grub_image, d)
+ uks_sel_sign(dir + 'grub.cfg', d)
+ uks_sel_sign(dir + 'boot-menu.inc', d)
+
+ if d.getVar('UEFI_SB', True) == "1":
+ uks_sel_sign(dir + 'efi-secure-boot.inc', d)
+ uks_sel_sign(dir + 'password.inc', d)
+}
+
+python do_sign() {
+}
+addtask sign after do_install before do_deploy do_package
+do_sign[prefuncs] += "check_deploy_keys"
+
+# Override the do_deploy() in oe-core.
+do_deploy_class-target() {
+ install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
+
+ install -d "${DEPLOYDIR}/efi-unsigned"
+ install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
+ cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
+}
+
+FILES_${PN} += "/boot/efi"
+
+CONFFILES_${PN} += "\
+ ${EFI_BOOT_PATH}/grub.cfg \
+ ${EFI_BOOT_PATH}/grubenv \
+ ${EFI_BOOT_PATH}/boot-menu.inc \
+ ${EFI_BOOT_PATH}/efi-secure-boot.inc \
+"
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
deleted file mode 100644
index da3fda9..0000000
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
+++ /dev/null
@@ -1,148 +0,0 @@
-DEPENDS += "openssl-native"
-FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"
-
-EXTRA_SRC_URI = "\
- ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
-"
-
-SRC_URI += "\
- file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
- file://0002-shim-add-needed-data-structures.patch \
- file://0003-efi-chainloader-implement-an-UEFI-Exit-service-for-s.patch \
- file://0004-efi-chainloader-port-shim-to-grub.patch \
- file://0005-efi-chainloader-use-shim-to-load-and-verify-an-image.patch \
- file://0006-efi-chainloader-boot-the-image-using-shim.patch \
- file://0007-efi-chainloader-take-care-of-unload-undershim.patch \
- file://chainloader-handle-the-unauthenticated-image-by-shim.patch \
- file://chainloader-Don-t-check-empty-section-in-file-like-..patch \
- file://chainloader-Actually-find-the-relocations-correctly-.patch \
- file://efi-chainloader-implemented-for-32-bit.patch \
- file://Grub-get-and-set-efi-variables.patch \
- file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
- file://grub-efi.cfg \
- file://boot-menu.inc \
- ${EXTRA_SRC_URI} \
-"
-
-# functions efi_call_foo and efi_shim_exit are not implemented for arm64 yet
-COMPATIBLE_HOST_aarch64 = 'null'
-
-EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
-
-GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
- if d.getVar('UEFI_SB', True) == '1' else ''}"
-
-# For efi_call_foo and efi_shim_exit
-CFLAGS_append = " -fno-toplevel-reorder"
-
-# Set a default root specifier.
-inherit user-key-store
-
-python __anonymous () {
- if d.getVar('UEFI_SB', True) != "1":
- return
-
- # Override the default filename if efi-secure-boot enabled.
- # grub-efi must be renamed as grub${arch}.efi for working with shim
- # or SELoader.
- import re
-
- target = d.getVar('TARGET_ARCH', True)
- if target == "x86_64":
- grubimage = "grubx64.efi"
- elif re.match('i.86', target):
- grubimage = "grubia32.efi"
- else:
- raise bb.parse.SkipPackage("grub-efi is incompatible with target %s" % target)
-
- d.setVar("GRUB_IMAGE", grubimage)
-}
-
-do_compile_append_class-native() {
- make grub-editenv
-}
-
-do_install_append_class-native() {
- install -m 0755 grub-editenv "${D}${bindir}"
-}
-
-do_install_append_class-target() {
- local menu="${WORKDIR}/boot-menu.inc"
-
- # Enable the default IMA rules if IMA is enabled and luks is disabled.
- # This is because unseal operation will fail when any PCR is extended
- # due to updating the aggregate integrity value by the default IMA rules.
- [ x"${IMA}" = x"1" -a x"${@bb.utils.contains('DISTRO_FEATURES', 'luks', '1', '0', d)}" != x"1" ] && {
- ! grep -q "ima_policy=tcb" "$menu" &&
- sed -i 's/^\s*linux\s\+.*bzImage.*/& ima_policy=tcb/g' "$menu"
- }
-
- # Replace the root parameter in boot command line with BOOT_CMD_ROOT,
- # which can be configured. It is helpful when secure boot is enabled.
- [ -n "${BOOT_CMD_ROOT}" ] && {
- sed -i "s,root=/dev/hda2,root=${BOOT_CMD_ROOT},g" "$menu"
- }
-
- # Install the stacked grub configs.
- install -d "${D}${EFI_BOOT_PATH}"
- install -m 0600 "${WORKDIR}/grub-efi.cfg" "${D}${EFI_BOOT_PATH}/grub.cfg"
- install -m 0600 "$menu" "${D}${EFI_BOOT_PATH}"
- [ x"${UEFI_SB}" = x"1" ] && {
- install -m 0600 "${WORKDIR}/efi-secure-boot.inc" "${D}${EFI_BOOT_PATH}"
- install -m 0600 "${WORKDIR}/password.inc" "${D}${EFI_BOOT_PATH}"
- }
-
- # Create the initial environment block with empty item.
- grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create
-
- install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
- grub-mkimage -p /EFI/BOOT -d "./grub-core" \
- -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
- ${GRUB_BUILDIN}
-
- install -m 0644 "${B}/${GRUB_IMAGE}" "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}"
-
- # Install the modules to grub-efi's search path
- make -C grub-core install DESTDIR="${D}${EFI_BOOT_PATH}" pkglibdir=""
-
- # Remove .module
- rm -f ${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi/*.module
-}
-
-fakeroot python do_sign_class-target() {
- image_dir = d.getVar('D', True)
- efi_boot_path = d.getVar('EFI_BOOT_PATH', True)
- grub_image = d.getVar('GRUB_IMAGE', True)
- dir = image_dir + efi_boot_path + '/'
-
- sb_sign(dir + grub_image, dir + grub_image, d)
- uks_sel_sign(dir + 'grub.cfg', d)
- uks_sel_sign(dir + 'boot-menu.inc', d)
-
- if d.getVar('UEFI_SB', True) == "1":
- uks_sel_sign(dir + 'efi-secure-boot.inc', d)
- uks_sel_sign(dir + 'password.inc', d)
-}
-
-python do_sign() {
-}
-addtask sign after do_install before do_deploy do_package
-do_sign[prefuncs] += "check_deploy_keys"
-
-# Override the do_deploy() in oe-core.
-do_deploy_class-target() {
- install -m 0644 "${D}${EFI_BOOT_PATH}/${GRUB_IMAGE}" "${DEPLOYDIR}"
-
- install -d "${DEPLOYDIR}/efi-unsigned"
- install -m 0644 "${B}/${GRUB_IMAGE}" "${DEPLOYDIR}/efi-unsigned"
- cp -af "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi" "${DEPLOYDIR}/efi-unsigned"
-}
-
-FILES_${PN} += "/boot/efi"
-
-CONFFILES_${PN} += "\
- ${EFI_BOOT_PATH}/grub.cfg \
- ${EFI_BOOT_PATH}/grubenv \
- ${EFI_BOOT_PATH}/boot-menu.inc \
- ${EFI_BOOT_PATH}/efi-secure-boot.inc \
-"
-- 
cgit v1.2.3-54-g00ecf