grub: Make SELoader optional and add gpg verify support

Allow SELoader to be an optional component for secure boot verification. The GPG_SIGN_VERIFY variable was added to control the ability to have grub perform all of the verification of the loaded files using a public key which gets built into grub at the time that mkimage is run. It is not intended that GPG_SIGN_VERIFY and UEFI_SELOADER would both be set to "1". While this configuration could work, it makes very little sense to use the system that way. Also enabled is the tftp feature for grub as a builtin. This allows grub to start from the network when the UEFI is configured to boot off the network with tftp. [ Issue: LINUXEXEC-2450 ] Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
2026-04-20 18:08:17 +00:00 · 2019-10-24 14:00:42 -07:00
parent e19748f11e
commit 01f67e4c7e
5 changed files with 253 additions and 74 deletions
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -1,10 +1,16 @@
 DEPENDS += "openssl-native"
 FILESEXTRAPATHS_prepend := "${THISDIR}/grub-efi:"

+GRUB_SIGN_VERIFY_STRICT ?= "1"
+
 EXTRA_SRC_URI = "\
    ${@'file://efi-secure-boot.inc file://password.inc' if d.getVar('UEFI_SB', True) == '1' else ''} \
 "

+GRUB_MOKVERIFY_PATCH = " \
+   file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
+   file://mok2verify-multiboot.patch"
+
 SRC_URI += "\
    file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
    file://0002-shim-add-needed-data-structures.patch \
@@ -18,10 +24,11 @@ SRC_URI += "\
    file://chainloader-Actually-find-the-relocations-correctly-.patch \
    file://efi-chainloader-implemented-for-32-bit.patch \
    file://Grub-get-and-set-efi-variables.patch \
-    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
-    file://mok2verify-multiboot.patch \
+    file://uefi_verify.patch \
+    file://0001-grub-verify-Add-strict_security-variable.patch \
    file://grub-efi.cfg \
    file://boot-menu.inc \
+    ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \
    ${EXTRA_SRC_URI} \
 "

@@ -30,8 +37,17 @@ COMPATIBLE_HOST_aarch64 = 'null'

 EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"

-GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
-                                  if d.getVar('UEFI_SB', True) == '1' else ''}"
+GRUB_SECURE_BOOT_MODULES += "${@'efivar password_pbkdf2 ' if d.getVar('UEFI_SB', True) == '1' else ''}"
+
+GRUB_SIGNING_MODULES += "${@'pgp gcry_rsa gcry_sha256 gcry_sha512 --pubkey %s ' % d.getVar('GRUB_PUB_KEY', True) \
+  if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"
+
+GRUB_SELOADER_MODULES += "${@'mok2verify ' if d.getVar('UEFI_SELOADER', True) == '1' else ''}"
+
+GRUB_BUILDIN_append += "tftp reboot chain \
+  ${GRUB_SECURE_BOOT_MODULES} \
+  ${GRUB_SIGNING_MODULES} \
+  ${GRUB_SELOADER_MODULES}"

 # For efi_call_foo and efi_shim_exit
 CFLAGS_append = " -fno-toplevel-reorder"
@@ -59,6 +75,22 @@ python __anonymous () {
    d.setVar("GRUB_IMAGE", grubimage)
 }

+do_compile_append() {
+	if [ "${GRUB_SIGN_VERIFY}" = "1" -a "${GRUB_SIGN_VERIFY_STRICT}" = "1" ] ; then
+		cat<<EOF>${WORKDIR}/cfg
+insmod verify
+set strict_security=1
+search.file (\$cmdpath)/EFI/BOOT/grub.cfg root
+set prefix=(\$root)/EFI/BOOT
+EOF
+	else
+		cat<<EOF>${WORKDIR}/cfg
+search.file (\$cmdpath)/EFI/BOOT/grub.cfg root
+set prefix=(\$root)/EFI/BOOT
+EOF
+	fi
+}
+
 do_compile_append_class-native() {
    make grub-editenv
 }
@@ -97,7 +129,7 @@ do_install_append_class-target() {
    grub-editenv "${D}${EFI_BOOT_PATH}/grubenv" create

    install -d "${D}${EFI_BOOT_PATH}/${GRUB_TARGET}-efi"
-    grub-mkimage -p /EFI/BOOT -d "./grub-core" \
+    grub-mkimage -c ../cfg -p /EFI/BOOT -d "./grub-core" \
        -O "${GRUB_TARGET}-efi" -o "${B}/${GRUB_IMAGE}" \
        ${GRUB_BUILDIN}

@@ -117,28 +149,29 @@ fakeroot python do_sign_class-target() {
    dir = image_dir + efi_boot_path + '/'

    sb_sign(dir + grub_image, dir + grub_image, d)
-    uks_sel_sign(dir + 'grub.cfg', d)
-    uks_sel_sign(dir + 'boot-menu.inc', d)
+    uks_bl_sign(dir + 'grub.cfg', d)
+    uks_bl_sign(dir + 'boot-menu.inc', d)

    if d.getVar('UEFI_SB', True) == "1":
-        uks_sel_sign(dir + 'efi-secure-boot.inc', d)
-        uks_sel_sign(dir + 'password.inc', d)
+        uks_bl_sign(dir + 'efi-secure-boot.inc', d)
+        uks_bl_sign(dir + 'password.inc', d)
 }

 python do_sign() {
 }
 addtask sign after do_install before do_deploy do_package
 do_sign[prefuncs] += "check_deploy_keys"
+do_sign[prefuncs] += "${@'check_boot_public_key' if d.getVar('GRUB_SIGN_VERIFY', True) == '1' else ''}"

-fakeroot do_chownp7b() {
-    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg.p7b"
-    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc.p7b"
+fakeroot do_chownboot() {
+    chown root:root -R "${D}${EFI_BOOT_PATH}/grub.cfg${SB_FILE_EXT}"
+    chown root:root -R "${D}${EFI_BOOT_PATH}/boot-menu.inc${SB_FILE_EXT}"
    [ x"${UEFI_SB}" = x"1" ] && {
-        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc.p7b"
-        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc.p7b"
+        chown root:root -R "${D}${EFI_BOOT_PATH}/efi-secure-boot.inc${SB_FILE_EXT}"
+        chown root:root -R "${D}${EFI_BOOT_PATH}/password.inc${SB_FILE_EXT}"
    }
 }
-addtask chownp7b after do_deploy before do_package
+addtask chownboot after do_deploy before do_package

 # Override the do_deploy() in oe-core.
 do_deploy_class-target() {
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch
@@ -0,0 +1,102 @@
+From 8a7ad88b4880e25df1f54b80631dc035e1e25662 Mon Sep 17 00:00:00 2001
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub verify:  Add strict_security variable
+
+With strict_security set to 1, it is impossible to change the value of
+check_signatures.  It will also cause grub to reboot instead of
+allowing a rescue or grub shell, which could allow an end user to
+alter boot arguments or load some other binary.
+
+Upstream-Status: Pending
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+---
+ grub-core/commands/pgp.c |   16 +++++++++++++++-
+ grub-core/kern/main.c    |    9 +++++++++
+ grub-core/normal/main.c  |    7 +++++--
+ 3 files changed, 29 insertions(+), 3 deletions(-)
+
+--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
+@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_c
+ }
+ 
+ static int sec = 0;
+static int strict_sec = 0;
+ 
+ static grub_err_t
+ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
+@@ -918,10 +919,21 @@ static char *
+ grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
+ 		    const char *val)
+ {
+-  sec = (*val == '1') || (*val == 'e');
+  if (!strict_sec)
+    sec = (*val == '1') || (*val == 'e');
+   return grub_strdup (sec ? "enforce" : "no");
+ }
+ 
+static char *
+grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
+			   const char *val)
+{
+  /* once it is set, it is a one way transition */
+  if (!strict_sec)
+    strict_sec = (*val == '1') || (*val == 'e');
+  return grub_strdup (strict_sec ? "enforce" : "no");
+}
+
+ static grub_ssize_t 
+ pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
+ {
+@@ -961,7 +973,9 @@ GRUB_MOD_INIT(pgp)
+     sec = 0;
+ 
+   grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
+  grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
+   grub_env_export ("check_signatures");
+  grub_env_export ("strict_security");
+ 
+   grub_pk_trusted = 0;
+   FOR_MODULES (header)
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -29,6 +29,7 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
+#include <grub/time.h>
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -308,5 +309,13 @@ grub_main (void)
+   grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
+ 
+   grub_load_normal_mode ();
+  const char *val = grub_env_get ("strict_security");
+  if (val && (val[0] == '1' || val[0] == 'e'))
+    while (1) {
+      grub_printf("Boot configuration error - Attempting reboot\n");
+      grub_sleep(3);
+      grub_dl_load ("reboot");
+      grub_command_execute ("reboot", 0, 0);
+    }
+   grub_rescue_run ();
+ }
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -301,8 +301,11 @@ grub_enter_normal_mode (const char *conf
+   grub_boot_time ("Entering normal mode");
+   nested_level++;
+   grub_normal_execute (config, 0, 0);
+-  grub_boot_time ("Entering shell");
+-  grub_cmdline_run (0, 1);
+  const char *val = grub_env_get ("strict_security");
+  if (!(val && (val[0] == '1' || val[0] == 'e'))) {
+    grub_boot_time ("Entering shell");
+    grub_cmdline_run (0, 1);
+  }
+   nested_level--;
+   if (grub_normal_exit_level)
+     grub_normal_exit_level--;
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
@@ -37,22 +37,20 @@ grub_file_open function.

 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- grub-core/Makefile.core.def    |   6 ++
- grub-core/commands/boot.c      |  14 +++-
- grub-core/gfxmenu/gui_label.c  |  39 +++++++--
- grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++
- grub-core/loader/i386/linux.c  |  60 ++++++++++++++
- grub-core/loader/linux.c       |  27 +++++-
- grub-core/normal/main.c        |  53 +++++++++++-
- grub-core/normal/menu.c        |  31 +++++--
- grub-core/normal/menu_text.c   |  33 ++++++--
- include/grub/efi/mok2verify.h  |  48 +++++++++++
+ grub-core/Makefile.core.def    |    6 +
+ grub-core/commands/boot.c      |   14 ++-
+ grub-core/gfxmenu/gui_label.c  |   39 +++++++-
+ grub-core/lib/efi/mok2verify.c |  182 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/loader/i386/linux.c  |   60 +++++++++++++
+ grub-core/loader/linux.c       |   27 +++++-
+ grub-core/normal/main.c        |   53 +++++++++++
+ grub-core/normal/menu.c        |   31 +++++-
+ grub-core/normal/menu_text.c   |   33 +++++--
+ include/grub/efi/mok2verify.h  |   48 ++++++++++
 10 files changed, 463 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/lib/efi/mok2verify.c
 create mode 100644 include/grub/efi/mok2verify.h

-diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index 18d2316..59a5cf1 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
@@ -1870,6 +1870,12 @@ module = {
@@ -68,8 +66,6 @@ index 18d2316..59a5cf1 100644
   name = mmap;
   common = mmap/mmap.c;
   x86 = mmap/i386/uppermem.c;
-diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
-index bbca81e..3f44a7e 100644
 --- a/grub-core/commands/boot.c
 +++ b/grub-core/commands/boot.c
@@ -24,6 +24,9 @@
@@ -100,8 +96,6 @@ index bbca81e..3f44a7e 100644
 
   grub_machine_fini (grub_loader_flags);
 
-diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
-index a4c8178..da49c9e 100644
 --- a/grub-core/gfxmenu/gui_label.c
 +++ b/grub-core/gfxmenu/gui_label.c
@@ -24,6 +24,9 @@
@@ -114,7 +108,7 @@ index a4c8178..da49c9e 100644
 
 static const char *align_options[] =
 {
-@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value)
+@@ -183,15 +186,37 @@ label_set_property (void *vself, const c
       else
 	{
 	   if (grub_strcmp (value, "@KEYMAP_LONG@") == 0)
@@ -159,9 +153,6 @@ index a4c8178..da49c9e 100644
 	   /* FIXME: Add more templates here if needed.  */
 	  self->template = grub_strdup (value);
 	  self->text = grub_xasprintf (value, self->value);
-diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
-new file mode 100644
-index 0000000..790efa0
 --- /dev/null
 +++ b/grub-core/lib/efi/mok2verify.c
@@ -0,0 +1,182 @@
@@ -347,11 +338,9 @@ index 0000000..790efa0
 +}
 +
 +#pragma GCC diagnostic error "-Wvla"
-diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
-index d0501e2..e684300 100644
 --- a/grub-core/loader/i386/linux.c
 +++ b/grub-core/loader/i386/linux.c
-@@ -36,6 +36,9 @@
+@@ -40,6 +40,9 @@
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
 #include <grub/machine/kernel.h>
@@ -361,7 +350,7 @@ index d0501e2..e684300 100644
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
-@@ -635,6 +638,55 @@ grub_linux_unload (void)
+@@ -657,6 +660,55 @@ grub_shim_verify (grub_addr_t addr, grub
   return GRUB_ERR_NONE;
 }
 
@@ -417,7 +406,7 @@ index d0501e2..e684300 100644
 static grub_err_t
 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 		int argc, char *argv[])
-@@ -657,6 +709,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+@@ -679,6 +731,9 @@ grub_cmd_linux (grub_command_t cmd __att
       goto fail;
     }
 
@@ -427,7 +416,7 @@ index d0501e2..e684300 100644
   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
   if (! file)
     goto fail;
-@@ -1114,6 +1169,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+@@ -1140,6 +1195,11 @@ grub_cmd_initrd (grub_command_t cmd __at
  fail:
   grub_initrd_close (&initrd_ctx);
 
@@ -439,8 +428,6 @@ index d0501e2..e684300 100644
   return grub_errno;
 }
 
-diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
-index 471b214..bb312ac 100644
 --- a/grub-core/loader/linux.c
 +++ b/grub-core/loader/linux.c
@@ -4,6 +4,9 @@
@@ -453,7 +440,7 @@ index 471b214..bb312ac 100644
 
 struct newc_head
 {
-@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_init
   int newc = 0;
   struct dir *root = 0;
   grub_ssize_t cursize = 0;
@@ -461,7 +448,7 @@ index 471b214..bb312ac 100644
 
   for (i = 0; i < initrd_ctx->nfiles; i++)
     {
-@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_init
 	  grub_initrd_close (initrd_ctx);
 	  return grub_errno;
 	}
@@ -487,7 +474,7 @@ index 471b214..bb312ac 100644
       ptr += cursize;
     }
   if (newc)
-@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_init
       ptr += ALIGN_UP_OVERHEAD (cursize, 4);
       ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
     }
@@ -498,8 +485,6 @@ index 471b214..bb312ac 100644
 -  return GRUB_ERR_NONE;
 +  return err;
 }
-diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 1b03dfd..f48a549 100644
 --- a/grub-core/normal/main.c
 +++ b/grub-core/normal/main.c
@@ -33,6 +33,9 @@
@@ -521,7 +506,7 @@ index 1b03dfd..f48a549 100644
 /* Initialize the screen.  */
 void
 grub_normal_init_page (struct grub_term_output *term,
-@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
+@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_
 {
   grub_ssize_t msg_len;
   int posx;
@@ -547,7 +532,7 @@ index 1b03dfd..f48a549 100644
   if (!msg_formatted)
     return;
  
-@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
+@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_
   grub_free (unicode_msg);
 }
 
@@ -556,7 +541,7 @@ index 1b03dfd..f48a549 100644
 static void
 read_lists (const char *val)
 {
-@@ -273,6 +291,20 @@ grub_normal_execute (const char *config, int nested, int batch)
+@@ -273,6 +291,20 @@ grub_normal_execute (const char *config,
 
   if (config)
     {
@@ -577,19 +562,19 @@ index 1b03dfd..f48a549 100644
       menu = read_config_file (config);
 
       /* Ignore any error.  */
-@@ -302,7 +334,10 @@ grub_enter_normal_mode (const char *config)
-   nested_level++;
-   grub_normal_execute (config, 0, 0);
-   grub_boot_time ("Entering shell");
-  grub_cmdline_run (0, 1);
+@@ -304,7 +336,10 @@ grub_enter_normal_mode (const char *conf
+   const char *val = grub_env_get ("strict_security");
+   if (!(val && (val[0] == '1' || val[0] == 'e'))) {
+     grub_boot_time ("Entering shell");
+-    grub_cmdline_run (0, 1);
 +#ifdef GRUB_MACHINE_EFI
-+  if (grub_is_locked () == 0)
+    if (grub_is_locked () == 0)
 +#endif
-+    grub_cmdline_run (0, 1);
+      grub_cmdline_run (0, 1);
+   }
   nested_level--;
   if (grub_normal_exit_level)
-     grub_normal_exit_level--;
-@@ -338,6 +373,13 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+@@ -341,6 +376,13 @@ grub_cmd_normal (struct grub_command *cm
     grub_enter_normal_mode (argv[0]);
 
 quit:
@@ -603,7 +588,7 @@ index 1b03dfd..f48a549 100644
   return 0;
 }
 
-@@ -525,8 +567,11 @@ GRUB_MOD_INIT(normal)
+@@ -528,8 +570,11 @@ GRUB_MOD_INIT(normal)
   /* Register a command "normal" for the rescue mode.  */
   grub_register_command ("normal", grub_cmd_normal,
 			 0, N_("Enter normal mode."));
@@ -617,8 +602,6 @@ index 1b03dfd..f48a549 100644
 
   /* Reload terminal colors when these variables are written to.  */
   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
-diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
-index d5e0c79..512f710 100644
 --- a/grub-core/normal/menu.c
 +++ b/grub-core/normal/menu.c
@@ -32,6 +32,9 @@
@@ -631,7 +614,7 @@ index d5e0c79..512f710 100644
 
 /* Time to delay after displaying an error message about a default/fallback
    entry failing to boot.  */
-@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
+@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested,
 	      break;
 
 	    case 'c':
@@ -670,8 +653,6 @@ index d5e0c79..512f710 100644
 
 	    default:
 	      {
-diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
-index e22bb91..28c675f 100644
 --- a/grub-core/normal/menu_text.c
 +++ b/grub-core/normal/menu_text.c
@@ -27,6 +27,9 @@
@@ -684,7 +665,7 @@ index e22bb91..28c675f 100644
 
 static grub_uint8_t grub_color_menu_normal;
 static grub_uint8_t grub_color_menu_highlight;
-@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -165,6 +168,7 @@ command-line or ESC to discard edits and
     }
   else
     {
@@ -692,7 +673,7 @@ index e22bb91..28c675f 100644
       char *msg_translated;
 
       msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which "
-@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -180,19 +184,32 @@ command-line or ESC to discard edits and
 
       if (nested)
 	{
@@ -733,9 +714,6 @@ index e22bb91..28c675f 100644
 	}	
     }
   return ret;
-diff --git a/include/grub/efi/mok2verify.h b/include/grub/efi/mok2verify.h
-new file mode 100644
-index 0000000..98ef2d4
 --- /dev/null
 +++ b/include/grub/efi/mok2verify.h
@@ -0,0 +1,48 @@
@@ -787,6 +765,3 @@ index 0000000..98ef2d4
 +EXPORT_FUNC (grub_verify_file) (const char *path);
 +
 +#endif	/* ! GRUB_EFI_MOK2_VERIFY_HEADER */
-- 
-2.7.4
-
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/uefi_verify.patch
@@ -0,0 +1,63 @@
+From: Jason Wessel <jason.wessel@windriver.com>
+Date: Thu, 17 Oct 2019 12:35:01 -0700
+Subject: [PATCH] grub shim verify: Report that the loaded object is verified
+
+When check_signatures is set to enforcing, the signatures of the
+loaded files have been checked, so the shim service should be informed
+that it is ok to execute the loaded file.
+
+Upstream-Status: Inappropriate
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+---
+ grub-core/loader/i386/linux.c |   26 ++++++++++++++++++++++++++
+ 1 file changed, 26 insertions(+)
+
+--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
+@@ -21,6 +21,10 @@
+ #include <grub/normal.h>
+ #include <grub/file.h>
+ #include <grub/disk.h>
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/disk.h>
+#include <grub/efi/shim.h>
+ #include <grub/err.h>
+ #include <grub/misc.h>
+ #include <grub/types.h>
+@@ -673,6 +677,23 @@ grub_linux_unload (void)
+   return GRUB_ERR_NONE;
+ }
+ 
+static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
+
+static grub_efi_status_t
+grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
+{
+  struct grub_shim_lock *shim_lock;
+  shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
+  if (!shim_lock)
+    {
+      grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
+      return GRUB_EFI_UNSUPPORTED;
+    }
+
+  shim_lock->verify((void *) addr, size);
+  return GRUB_ERR_NONE;
+}
+
+ static grub_err_t
+ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ 		int argc, char *argv[])
+@@ -706,6 +728,10 @@ grub_cmd_linux (grub_command_t cmd __att
+ 		    argv[0]);
+       goto fail;
+     }
+  const char *ge_val = grub_env_get ("check_signatures");
+  if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
+    /* Verify was handled by .sig files, inform shim */
+    grub_shim_verify((grub_addr_t)&lh, sizeof(lh));
+ 
+   if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
+     {
--- a/meta-signing-key/conf/layer.conf
+++ b/meta-signing-key/conf/layer.conf
@@ -31,6 +31,12 @@ MSFT_KEK_CERT = "${LAYERDIR}/files/uefi_sb_keys/ms-KEK.crt"
 # EV certificate
 EV_CERT ??= "${LAYERDIR}/files/mok_sb_keys/wosign_ev_cert.crt"

+# Use SELoader with the UEFI shim
+UEFI_SELOADER ??= "1"
+
+# Use gpg key to protect and verify all files used by grub
+GRUB_SIGN_VERIFY ??= "0"
+
 # By default the sample keys are used
 MOK_SB_KEYS_DIR ??= "${SAMPLE_MOK_SB_KEYS_DIR}"
 UEFI_SB_KEYS_DIR ??= "${SAMPLE_UEFI_SB_KEYS_DIR}"