From 5c315b462ca8cb312cb2bd5c513c9341290ab338 Mon Sep 17 00:00:00 2001 From: Leo Sandoval Date: Tue, 6 Aug 2024 14:30:42 -0600 Subject: [PATCH] Remove 'efi: Use shim's loader protocol for EFI image verification' Although this patch is correct and at some point it will be re-introduced, currently shim does not support the loader protocol so drop it in the meanwhile. Signed-off-by: Leo Sandoval --- ...lback-to-legacy-Linux-loader-when-sh.patch | 0 ...oader-protocol-for-EFI-image-verific.patch | 191 ------------------ ...le-stack-sections-on-EFI-assembly-fi.patch | 0 ...fig.in-turn-off-executable-owner-bit.patch | 0 ...it-Add-IEEE-1275-Radix-support-for-K.patch | 0 ...nsure-grub-cfg-stub-is-not-overwritt.patch | 0 ...-mkconfig-Simplify-os_name-detection.patch | 0 ...move-check-for-mount-point-for-grub-.patch | 0 grub.patches | 15 +- grub2.spec | 5 +- 10 files changed, 11 insertions(+), 200 deletions(-) rename 0267-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch => 0266-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch (100%) delete mode 100644 0266-efi-Use-shim-s-loader-protocol-for-EFI-image-verific.patch rename 0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch => 0267-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch (100%) rename 0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch => 0268-grub-mkconfig.in-turn-off-executable-owner-bit.patch (100%) rename 0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch => 0269-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch (100%) rename 0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch => 0270-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch (100%) rename 0272-grub2-mkconfig-Simplify-os_name-detection.patch => 0271-grub2-mkconfig-Simplify-os_name-detection.patch (100%) rename 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch => 0272-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch (100%) 
diff --git a/0267-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch b/0266-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch
similarity index 100%
rename from 0267-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch
rename to 0266-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch
diff --git a/0266-efi-Use-shim-s-loader-protocol-for-EFI-image-verific.patch b/0266-efi-Use-shim-s-loader-protocol-for-EFI-image-verific.patch
deleted file mode 100644
index ba16054..0000000
--- a/0266-efi-Use-shim-s-loader-protocol-for-EFI-image-verific.patch
+++ /dev/null
@@ -1,191 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Mate Kukri
-Date: Wed, 12 Jun 2024 16:57:12 +0100
-Subject: [PATCH] efi: Use shim's loader protocol for EFI image verification
- and loading
-
-Signed-off-by: Mate Kukri
----
- grub-core/kern/efi/sb.c | 39 ++++++++++++++-------------------------
- grub-core/loader/efi/linux.c | 16 ----------------
- include/grub/efi/api.h | 5 +++++
- include/grub/efi/efi.h | 19 ++++++++++++-------
- include/grub/efi/sb.h | 3 ---
- 5 files changed, 31 insertions(+), 51 deletions(-)
-
-diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
-index 8d3e413608b..d3de3959989 100644
---- a/grub-core/kern/efi/sb.c
-+++ b/grub-core/kern/efi/sb.c
-@@ -31,8 +31,9 @@
- #include
-
- static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
-+static grub_guid_t shim_loader_guid = GRUB_EFI_SHIM_IMAGE_LOADER_GUID;
-
--static bool shim_lock_enabled = false;
-+static grub_efi_loader_t *shim_loader = NULL;
-
- /*
- * Determine whether we're in secure boot mode.
-@@ -95,14 +96,6 @@ grub_efi_get_secureboot (void)
- if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
- {
- secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
-- /*
-- * TODO: Replace this all with shim's LoadImage protocol, delegating policy to it.
-- *
-- * We need to set shim_lock_enabled here because we disabled secure boot
-- * validation *inside* shim but not in the firmware, so we set this variable
-- * here to trigger that code path, whereas the actual verifier is not enabled.
-- */
-- shim_lock_enabled = true;
- goto out;
- }
-
-@@ -183,14 +176,16 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
- static grub_err_t
- shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
- {
-- grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
-+ grub_efi_handle_t image_handle;
-
-- if (!sl)
-- return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
-+ if (!shim_loader)
-+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim loader protocol not found"));
-
-- if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
-+ if (shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, size, &image_handle) != GRUB_EFI_SUCCESS)
- return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
-
-+ shim_loader->unload_image(image_handle);
-+
- return GRUB_ERR_NONE;
- }
-
-@@ -205,11 +200,10 @@ void
- grub_shim_lock_verifier_setup (void)
- {
- struct grub_module_header *header;
-- grub_efi_shim_lock_protocol_t *sl =
-- grub_efi_locate_protocol (&shim_lock_guid, 0);
-+ shim_loader = grub_efi_locate_protocol (&shim_loader_guid, 0);
-
-- /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
-- if (!sl)
-+ /* shim loader protocol is missing, check if GRUB image is built with --disable-shim-lock. */
-+ if (!shim_loader)
- {
- FOR_MODULES (header)
- {
-@@ -222,17 +216,12 @@ grub_shim_lock_verifier_setup (void)
- if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
- return;
-
-+ /* register loader */
-+ grub_efi_register_loader(shim_loader);
-+
- /* Enforce shim_lock_verifier. */
- grub_verifier_register (&shim_lock_verifier);
-
-- shim_lock_enabled = true;
--
- grub_env_set ("shim_lock", "y");
- grub_env_export ("shim_lock");
- }
--
--bool
--grub_is_shim_lock_enabled (void)
--{
-- return shim_lock_enabled;
--}
-diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
-index fe48001442a..da5dcafad8b 100644
---- a/grub-core/loader/efi/linux.c
-+++ b/grub-core/loader/efi/linux.c
-@@ -727,22 +727,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
-
- grub_dl_ref (my_mod);
-
-- if (grub_is_shim_lock_enabled () == true)
-- {
--#if defined(__i386__) || defined(__x86_64__)
-- grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux kernel loader\n");
--
-- err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
--
-- if (err == GRUB_ERR_NONE)
-- return GRUB_ERR_NONE;
-- else
-- goto fail;
--#else
-- grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub loader\n");
--#endif
-- }
--
- if (argc == 0)
- {
- grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
-diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
-index 76c88fbdcb0..da51f57fd4a 100644
---- a/include/grub/efi/api.h
-+++ b/include/grub/efi/api.h
-@@ -364,6 +364,11 @@
- { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
- }
-
-+#define GRUB_EFI_SHIM_IMAGE_LOADER_GUID \
-+ { 0x1f492041, 0xfadb, 0x4e59, \
-+ {0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } \
-+ }
-+
- #define GRUB_EFI_RNG_PROTOCOL_GUID \
- { 0x3152bca5, 0xeade, 0x433d, \
- { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
-diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
-index 7eed1bd791d..77d067977f6 100644
---- a/include/grub/efi/efi.h
-+++ b/include/grub/efi/efi.h
-@@ -220,15 +220,20 @@ EXPORT_FUNC (grub_efi_unload_image) (grub_efi_handle_t image_handle);
- typedef struct grub_efi_loader
- {
- grub_efi_status_t (__grub_efi_api *load_image) (grub_efi_boolean_t boot_policy,
-- grub_efi_handle_t parent_image_handle,
-- grub_efi_device_path_t *file_path,
-- void *source_buffer,
-- grub_efi_uintn_t source_size,
-- grub_efi_handle_t *image_handle);
-+ grub_efi_handle_t parent_image_handle,
-+ grub_efi_device_path_t *file_path,
-+ void *source_buffer,
-+ grub_efi_uintn_t source_size,
-+ grub_efi_handle_t *image_handle);
-
- grub_efi_status_t (__grub_efi_api *start_image) (grub_efi_handle_t image_handle,
-- grub_efi_uintn_t *exit_data_size,
-- grub_efi_char16_t **exit_data);
-+ grub_efi_uintn_t *exit_data_size,
-+ grub_efi_char16_t **exit_data);
-+
-+ grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle,
-+ grub_efi_status_t exit_status,
-+ grub_efi_uintn_t exit_data_size,
-+ grub_efi_char16_t *exit_data);
-
- grub_efi_status_t (__grub_efi_api *unload_image) (grub_efi_handle_t image_handle);
- } grub_efi_loader_t;
-diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
-index 49a9ad01cc9..bf8d2db5ff2 100644
---- a/include/grub/efi/sb.h
-+++ b/include/grub/efi/sb.h
-@@ -31,9 +31,6 @@
- extern grub_uint8_t
- EXPORT_FUNC (grub_efi_get_secureboot) (void);
-
--extern bool
--EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
--
- extern void
- grub_shim_lock_verifier_setup (void);
- #else
diff --git a/0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch b/0267-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
similarity index 100%
rename from 0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
rename to 0267-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
diff --git a/0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch b/0268-grub-mkconfig.in-turn-off-executable-owner-bit.patch
similarity index 100%
rename from 0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch
rename to 0268-grub-mkconfig.in-turn-off-executable-owner-bit.patch
diff --git a/0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch b/0269-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
similarity index 100%
rename from 0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
rename to 0269-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
diff --git a/0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch b/0270-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
similarity index 100%
rename from 0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
rename to 0270-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
diff --git a/0272-grub2-mkconfig-Simplify-os_name-detection.patch b/0271-grub2-mkconfig-Simplify-os_name-detection.patch
similarity index 100%
rename from 0272-grub2-mkconfig-Simplify-os_name-detection.patch
rename to 0271-grub2-mkconfig-Simplify-os_name-detection.patch
diff --git a/0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch b/0272-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
similarity index 100%
rename from 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
rename to 0272-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
diff --git a/grub.patches b/grub.patches
index f4de23f..ecde23d 100644
--- a/grub.patches
+++ b/grub.patches
@@ -263,11 +263,10 @@ Patch0262: 0262-cmd-search-Rework-of-CVE-2023-4001-fix.patch
 Patch0263: 0263-loader-efi-linux.c-read-the-kernel-image-before-head.patch
 Patch0264: 0264-nx-set-attrs-in-our-kernel-loaders.patch
 Patch0265: 0265-efi-Provide-wrappers-for-load_image-start_image.patch
-Patch0266: 0266-efi-Use-shim-s-loader-protocol-for-EFI-image-verific.patch
-Patch0267: 0267-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch
-Patch0268: 0268-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
-Patch0269: 0269-grub-mkconfig.in-turn-off-executable-owner-bit.patch
-Patch0270: 0270-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
-Patch0271: 0271-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
-Patch0272: 0272-grub2-mkconfig-Simplify-os_name-detection.patch
-Patch0273: 0273-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
+Patch0266: 0266-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch
+Patch0267: 0267-Set-non-executable-stack-sections-on-EFI-assembly-fi.patch
+Patch0268: 0268-grub-mkconfig.in-turn-off-executable-owner-bit.patch
+Patch0269: 0269-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
+Patch0270: 0270-grub2-mkconfig-Ensure-grub-cfg-stub-is-not-overwritt.patch
+Patch0271: 0271-grub2-mkconfig-Simplify-os_name-detection.patch
+Patch0272: 0272-grub-mkconfig-Remove-check-for-mount-point-for-grub-.patch
diff --git a/grub2.spec b/grub2.spec
index 9cbb5d0..6267997 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -17,7 +17,7 @@ Name: grub2
 Epoch: 1
 Version: 2.12
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPL-3.0-or-later
 URL: http://www.gnu.org/software/grub/
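Review bot: Dropping Patch0266 from the middle of the series leaves the renumbered 0266-efi-Disallow-fallback-to-legacy-Linux-loader-when-sh.patch applying directly on top of 0265, and its title suggests it edits the same grub_is_shim_lock_enabled() fallback block in grub-core/loader/efi/linux.c that the deleted patch removed, so it may have been written against context that no longer exists; please confirm the renumbered series still applies and builds, since nothing else in the commit is adjusted. It would also help to record here that reverting to the shim_lock protocol keeps Secure Boot image verification in place through sl->verify rather than dropping it, e.g. a comment above Patch0266: `# shim loader-protocol patch removed until shim ships that protocol; the shim_lock verifier path remains in effect`.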
@@ -560,6 +560,9 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
 %endif
 %changelog
+* Tue Aug 6 2024 Leo Sandoval - 2.12-3
+- Remove 'efi: Use shim's loader protocol for EFI image verification'
+
 * Tue Aug 6 2024 Nicolas Frayer - 2.12-2
 - mkconfig: More hardening to prevent overwriting grub cfg stub