From b28e5aa886c9466154ee73a619c7bac02fc4f351 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas
Date: Thu, 23 Apr 2020 13:02:18 +0200
Subject: [PATCH] efi: Set image base address before jumping to the PE/COFF entry point

Resolves: rhbz#1825411
Signed-off-by: Javier Martinez Canillas
---
 ...se-address-before-jumping-to-the-PE-.patch | 60 +++++++++++++++++++
 grub.patches | 1 +
 grub2.spec | 6 +-
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
diff --git a/0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch b/0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
new file mode 100644
index 0000000..3691587
--- /dev/null
+++ b/0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Thu, 23 Apr 2020 15:06:46 +0200
+Subject: [PATCH] efi: Set image base address before jumping to the PE/COFF
+ entry point
+
+Upstream GRUB uses the EFI LoadImage() and StartImage() to boot the Linux
+kernel. But our custom EFI loader that supports Secure Boot instead uses
+the EFI handover protocol (for x86) or jumping directly to the PE/COFF
+entry point (for aarch64).
+
+This is done to allow the bootloader to verify the images using the shim
+lock protocol to avoid booting untrusted binaries.
+
+Since the bootloader loads the kernel from the boot media instead of using
+LoadImage(), it is responsible to set the Loaded Image base address before
+booting the kernel.
+
+Otherwise the kernel EFI stub will complain that it was not set correctly
+and print the following warning message:
+
+EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value
+
+Resolves: rhbz#1825411
+
+Signed-off-by: Javier Martinez Canillas
+---
+ grub-core/loader/efi/linux.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
+index b56ea0bc041..e09f824862b 100644
+--- a/grub-core/loader/efi/linux.c
++++ b/grub-core/loader/efi/linux.c
+@@ -72,6 +72,7 @@ grub_err_t
+ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
+ void *kernel_params)
+ {
++ grub_efi_loaded_image_t *loaded_image = NULL;
+ handover_func hf;
+ int offset = 0;
+
+@@ -79,6 +80,17 @@ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
+ offset = 512;
+ #endif
+
++ /*
++ * Since the EFI loader is not calling the LoadImage() and StartImage()
++ * services for loading the kernel and booting respectively, it has to
++ * set the Loaded Image base address.
++ */
++ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
++ if (loaded_image)
++ loaded_image->image_base = kernel_addr;
++ else
++ grub_dprintf ("linux", "Loaded Image base address could not be set\n");
++
+ grub_dprintf ("linux", "kernel_addr: %p handover_offset: %p params: %p\n",
+ kernel_addr, (void *)(grub_efi_uintn_t)handover_offset, kernel_params);
+ hf = (handover_func)((char *)kernel_addr + handover_offset + offset);
diff --git a/grub.patches b/grub.patches
index e78e4d7..e325f5c 100644
--- a/grub.patches
+++ b/grub.patches
@@ -207,3 +207,4 @@ Patch0206: 0206-grub-switch-to-blscfg-Only-mark-GRUB-as-BLS-supporte.patch
 Patch0207: 0207-10_linux.in-Merge-logic-from-10_linux_bls-and-drop-t.patch
 Patch0208: 0208-grub-switch-to-blscfg-Use-install-to-copy-GRUB-binar.patch
 Patch0209: 0209-10_linux.in-Enable-BLS-configuration-if-new-kernel-p.patch
+Patch0210: 0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
diff --git a/grub2.spec b/grub2.spec
index 016165c..13e54f4 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -9,7 +9,7 @@
 Name: grub2
 Epoch: 1
 Version: 2.04
-Release: 13%{?dist}
+Release: 14%{?dist}
 Summary: Bootloader with support for Linux, Multiboot and more
 License: GPLv3+
 URL: http://www.gnu.org/software/grub/
@@ -504,6 +504,10 @@ rm -r /boot/grub2.tmp/ || :
 %endif
 %changelog
+* Thu Apr 23 2020 Javier Martinez Canillas - 2.04-14
+- efi: Set image base address before jumping to the PE/COFF entry point
+ Resolves: rhbz#1825411
+
 * Thu Apr 16 2020 Javier Martinez Canillas - 2.04-13
 - Make the grub-switch-to-blscfg and 10_linux scripts more robust
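Review bot: In the `grub_efi_linux_boot` hunk of the new 0210 patch, `loaded_image->image_base = kernel_addr;` rewrites the Loaded Image record looked up through `grub_efi_image_handle`, which looks like GRUB's own image handle, while that record's `image_size` is left unchanged, so base and size stop describing the same image. The function has no kernel length in its visible signature, so the smallest fix is to state this in the comment, for example `/* image_size still describes GRUB; callers that know the kernel size must set it. */`. If the handover call can return on failure, the old base should also be put back, with `saved_base = loaded_image->image_base;` before the assignment and `loaded_image->image_base = saved_base;` on the return path. The function body continues outside the hunk, so whether such a return path exists cannot be confirmed from here.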