efi: Set image base address before jumping to the PE/COFF entry point

Resolves: rhbz#1825411

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch

@@ -0,0 +1,60 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Thu, 23 Apr 2020 15:06:46 +0200
+Subject: [PATCH] efi: Set image base address before jumping to the PE/COFF
+ entry point
+
+Upstream GRUB uses the EFI LoadImage() and StartImage() to boot the Linux
+kernel. But our custom EFI loader that supports Secure Boot instead uses
+the EFI handover protocol (for x86) or jumping directly to the PE/COFF
+entry point (for aarch64).
+
+This is done to allow the bootloader to verify the images using the shim
+lock protocol to avoid booting untrusted binaries.
+
+Since the bootloader loads the kernel from the boot media instead of using
+LoadImage(), it is responsible to set the Loaded Image base address before
+booting the kernel.
+
+Otherwise the kernel EFI stub will complain that it was not set correctly
+and print the following warning message:
+
+EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value
+
+Resolves: rhbz#1825411
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+---
+ grub-core/loader/efi/linux.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
+index b56ea0bc041..e09f824862b 100644
+--- a/grub-core/loader/efi/linux.c
++++ b/grub-core/loader/efi/linux.c
+@@ -72,6 +72,7 @@ grub_err_t
+ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
+ 		     void *kernel_params)
+ {
++  grub_efi_loaded_image_t *loaded_image = NULL;
+   handover_func hf;
+   int offset = 0;
+ 
+@@ -79,6 +80,17 @@ grub_efi_linux_boot (void *kernel_addr, grub_off_t handover_offset,
+   offset = 512;
+ #endif
+ 
++  /*
++   * Since the EFI loader is not calling the LoadImage() and StartImage()
++   * services for loading the kernel and booting respectively, it has to
++   * set the Loaded Image base address.
++   */
++  loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
++  if (loaded_image)
++    loaded_image->image_base = kernel_addr;
++  else
++    grub_dprintf ("linux", "Loaded Image base address could not be set\n");
++
+   grub_dprintf ("linux", "kernel_addr: %p handover_offset: %p params: %p\n",
+ 		kernel_addr, (void *)(grub_efi_uintn_t)handover_offset, kernel_params);
+   hf = (handover_func)((char *)kernel_addr + handover_offset + offset);

grub.patches

@@ -207,3 +207,4 @@ Patch0206: 0206-grub-switch-to-blscfg-Only-mark-GRUB-as-BLS-supporte.patch
 Patch0207: 0207-10_linux.in-Merge-logic-from-10_linux_bls-and-drop-t.patch
 Patch0208: 0208-grub-switch-to-blscfg-Use-install-to-copy-GRUB-binar.patch
 Patch0209: 0209-10_linux.in-Enable-BLS-configuration-if-new-kernel-p.patch
+Patch0210: 0210-efi-Set-image-base-address-before-jumping-to-the-PE-.patch

grub2.spec

@@ -9,7 +9,7 @@
 Name:		grub2
 Epoch:		1
 Version:	2.04
-Release:	13%{?dist}
+Release:	14%{?dist}
 Summary:	Bootloader with support for Linux, Multiboot and more
 License:	GPLv3+
 URL:		http://www.gnu.org/software/grub/
@@ -504,6 +504,10 @@ rm -r /boot/grub2.tmp/ || :
 %endif
 
 %changelog
+* Thu Apr 23 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.04-14
+- efi: Set image base address before jumping to the PE/COFF entry point
+  Resolves: rhbz#1825411
+
 * Thu Apr 16 2020 Javier Martinez Canillas <javierm@redhat.com> - 2.04-13
 - Make the grub-switch-to-blscfg and 10_linux scripts more robust