mirrors/meta-secure-core
1
0
Fork 0
mirror of https://github.com/jiazhang0/meta-secure-core.git synced 2026-05-07 02:08:20 +00:00
Code Issues Projects Releases Wiki Activity

grub-efi: carry forward mok2verify to grub-2.02

Browse Source 
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
This commit is contained in:
Lans Zhang
2017-07-13 10:26:43 +08:00
parent c071ce2d07
commit 3af3588ab2
2 changed files with 156 additions and 76 deletions
Download Patch File Download Diff File Expand all files Collapse all files

226
meta-efi-secure-boot/recipes-bsp/grub/grub-efi/mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch
View File

@@ -1,6 +1,6 @@
From 46873e2c5514bf6460a2f0f39ad8f8feb8f18f68 Mon Sep 17 00:00:00 2001
From 00fd7457c9d907800587e93f87fc5b6de68ba49e Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Thu, 16 Mar 2017 14:49:41 +0800
Date: Wed, 12 Jul 2017 16:02:13 +0800
Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7
signature
@@ -27,22 +27,23 @@ Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
---
grub-core/Makefile.core.def | 6 ++
grub-core/commands/boot.c | 14 +++-
grub-core/gfxmenu/gui_label.c | 39 ++++++++--
grub-core/lib/efi/mok2verify.c | 172 +++++++++++++++++++++++++++++++++++++++++
grub-core/loader/i386/linux.c | 80 +++++++++++++++++++
grub-core/normal/main.c | 55 ++++++++++++-
grub-core/normal/menu.c | 29 +++++--
grub-core/normal/menu_text.c | 32 ++++++--
include/grub/efi/mok2verify.h | 48 ++++++++++++
9 files changed, 447 insertions(+), 28 deletions(-)
grub-core/gfxmenu/gui_label.c | 39 +++++++--
grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++
grub-core/loader/i386/linux.c | 60 ++++++++++++++
grub-core/loader/linux.c | 27 +++++-
grub-core/normal/main.c | 62 +++++++++++++-
grub-core/normal/menu.c | 31 +++++--
grub-core/normal/menu_text.c | 33 ++++++--
include/grub/efi/mok2verify.h | 48 +++++++++++
10 files changed, 472 insertions(+), 30 deletions(-)
create mode 100644 grub-core/lib/efi/mok2verify.c
create mode 100644 include/grub/efi/mok2verify.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index e9e1483..8e72251 100644
index a82c1f3..76b3c7d 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1434,6 +1434,12 @@ module = {
@@ -1754,6 +1754,12 @@ module = {
};
module = {
@@ -56,7 +57,7 @@ index e9e1483..8e72251 100644
common = mmap/mmap.c;
x86 = mmap/i386/uppermem.c;
diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
index 91ec87d..5cddbb6 100644
index bbca81e..3f44a7e 100644
--- a/grub-core/commands/boot.c
+++ b/grub-core/commands/boot.c
@@ -24,6 +24,9 @@
@@ -82,26 +83,26 @@ index 91ec87d..5cddbb6 100644
+ N_("you need to load the authenticated boot components"));
+#endif
+ return grub_error (GRUB_ERR_NO_KERNEL,
+ N_("you need to load the kernel first"));
+ N_("you need to load the kernel first"));
+ }
if (grub_loader_flags & GRUB_LOADER_FLAG_NORETURN)
grub_machine_fini ();
grub_machine_fini (grub_loader_flags);
diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
index 637578f..84bf7d4 100644
index a4c8178..da49c9e 100644
--- a/grub-core/gfxmenu/gui_label.c
+++ b/grub-core/gfxmenu/gui_label.c
@@ -23,6 +23,9 @@
#include <grub/font.h>
@@ -24,6 +24,9 @@
#include <grub/gui_string_util.h>
#include <grub/i18n.h>
#include <grub/color.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
static const char *align_options[] =
{
@@ -180,15 +183,37 @@ label_set_property (void *vself, const char *name, const char *value)
@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value)
else
{
if (grub_strcmp (value, "@KEYMAP_LONG@") == 0)
@@ -148,10 +149,10 @@ index 637578f..84bf7d4 100644
self->text = grub_xasprintf (value, self->value);
diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
new file mode 100644
index 0000000..2e48ef9
index 0000000..3865661
--- /dev/null
+++ b/grub-core/lib/efi/mok2verify.c
@@ -0,0 +1,172 @@
@@ -0,0 +1,182 @@
+/* mok2verify.c - MOK2 Verify Protocol support
+ *
+ * BSD 2-clause "Simplified" License
@@ -195,10 +196,8 @@ index 0000000..2e48ef9
+
+GRUB_MOD_LICENSE ("GPLv2+");
+
+#define EFI_MOK2_VERIFY_PROTOCOL_GUID \
+ { 0x4eda73ad, 0x07aa, 0x4b7a, \
+ { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 } \
+ }
+#define EFI_MOK2_VERIFY_PROTOCOL_GUID \
+ { 0x4eda73ad, 0x07aa, 0x4b7a, { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 }}
+
+typedef struct efi_mok2_verify_protocol efi_mok2_verify_protocol_t;
+
@@ -229,19 +228,27 @@ index 0000000..2e48ef9
+int
+grub_is_secured (void)
+{
+ grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ void *efi_var;
+ grub_size_t efi_var_size = 0;
+ grub_efi_guid_t global_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ void *var;
+ grub_size_t var_size = 0;
+ int secured = 0;
+
+ efi_var = grub_efi_get_variable ("SecureBoot", &global, &efi_var_size);
+ if (!efi_var)
+ var = grub_efi_get_variable ("SecureBoot", &global_guid, &var_size);
+ if (!var)
+ return grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
+
+ if (efi_var_size == 1 && *(grub_uint8_t *) efi_var == 1)
+ if (var_size != 1 || *(grub_uint8_t *) var != 1)
+ goto out;
+
+ grub_free (var);
+
+ var = grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid,
+ &var_size);
+ if (!var || (var_size == 1 && *(grub_uint8_t *) var == 0))
+ secured = 1;
+
+ grub_free (efi_var);
+out:
+ grub_free (var);
+
+ return secured;
+}
@@ -258,6 +265,8 @@ index 0000000..2e48ef9
+ return ! grub_is_unlockable () && grub_is_secured ();
+}
+
+#pragma GCC diagnostic ignored "-Wvla"
+
+grub_err_t
+grub_verify_file (const char *path)
+{
@@ -324,21 +333,23 @@ index 0000000..2e48ef9
+
+ return GRUB_ERR_NONE;
+}
+
+#pragma GCC diagnostic error "-Wvla"
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index e2425c8..5a12444 100644
index 083f941..486e420 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -34,6 +34,9 @@
#include <grub/i386/relocator.h>
@@ -35,6 +35,9 @@
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
GRUB_MOD_LICENSE ("GPLv3+");
@@ -664,6 +667,55 @@ grub_linux_unload (void)
@@ -673,6 +676,55 @@ grub_linux_unload (void)
return GRUB_ERR_NONE;
}
@@ -394,7 +405,7 @@ index e2425c8..5a12444 100644
static grub_err_t
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
int argc, char *argv[])
@@ -687,6 +739,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -695,6 +747,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@@ -404,9 +415,43 @@ index e2425c8..5a12444 100644
file = grub_file_open (argv[0]);
if (! file)
goto fail;
@@ -1132,6 +1187,26 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
argv[i]);
goto fail;
@@ -1132,6 +1187,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
fail:
grub_initrd_close (&initrd_ctx);
+#ifdef GRUB_MACHINE_EFI
+ /* An unauthenticated initrd always causes a complete boot failure. */
+ if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
+ grub_loader_unset();
+#endif
return grub_errno;
}
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index be6fa0f..edc6d24 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -4,6 +4,9 @@
#include <grub/misc.h>
#include <grub/file.h>
#include <grub/mm.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
struct newc_head
{
@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
int newc = 0;
struct dir *root = 0;
grub_ssize_t cursize = 0;
+ grub_err_t err;
for (i = 0; i < initrd_ctx->nfiles; i++)
{
@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
grub_initrd_close (initrd_ctx);
return grub_errno;
}
+
+#ifdef GRUB_MACHINE_EFI
@@ -427,40 +472,55 @@ index e2425c8..5a12444 100644
+ goto fail;
+ }
+#endif
+
ptr += cursize;
grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
}
if (newc)
@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
ptr += ALIGN_UP_OVERHEAD (cursize, 4);
@@ -1149,6 +1224,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
grub_file_close (files[i]);
grub_free (files);
+#ifdef GRUB_MACHINE_EFI
+ /* An unauthenticated initrd always causes a complete boot failure. */
+ if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
+ grub_loader_unset();
+#endif
return grub_errno;
ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
}
+
+fail:
free_dir (root);
root = 0;
- return GRUB_ERR_NONE;
+ return err;
}
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 13473ec..f11ce2a 100644
index 78a70a8..1058c97 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -32,6 +32,9 @@
#include <grub/i18n.h>
@@ -33,6 +33,9 @@
#include <grub/charset.h>
#include <grub/script_sh.h>
#include <grub/bufio.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
GRUB_MOD_LICENSE ("GPLv3+");
@@ -233,6 +236,16 @@ grub_normal_init_page (struct grub_term_output *term)
@@ -195,6 +198,8 @@ read_config_file (const char *config)
return newmenu;
}
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
+
/* Initialize the screen. */
void
grub_normal_init_page (struct grub_term_output *term,
@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
{
grub_ssize_t msg_len;
int posx;
+ const char *msg = _("GNU GRUB version %s");
char *msg_formatted;
grub_uint32_t *unicode_msg;
grub_uint32_t *last_position;
grub_term_cls (term);
- msg_formatted = grub_xasprintf (_("GNU GRUB version %s"), PACKAGE_VERSION);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_is_secured () == 1)
+ {
@@ -471,10 +531,20 @@ index 13473ec..f11ce2a 100644
+ }
+#endif
+
msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
+ msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
if (!msg_formatted)
return;
@@ -294,6 +307,24 @@ grub_normal_execute (const char *config, int nested, int batch)
@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
grub_free (unicode_msg);
}
+#pragma GCC diagnostic error "-Wformat-nonliteral"
+
static void
read_lists (const char *val)
{
@@ -273,6 +291,24 @@ grub_normal_execute (const char *config, int nested, int batch)
if (config)
{
@@ -499,19 +569,19 @@ index 13473ec..f11ce2a 100644
menu = read_config_file (config);
/* Ignore any error. */
@@ -317,7 +348,10 @@ grub_enter_normal_mode (const char *config)
{
@@ -302,7 +338,10 @@ grub_enter_normal_mode (const char *config)
nested_level++;
grub_normal_execute (config, 0, 0);
- grub_cmdline_run (0);
grub_boot_time ("Entering shell");
- grub_cmdline_run (0, 1);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_is_locked () == 0)
+#endif
+ grub_cmdline_run (0);
+ grub_cmdline_run (0, 1);
nested_level--;
if (grub_normal_exit_level)
grub_normal_exit_level--;
@@ -352,6 +386,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
@@ -338,6 +377,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
grub_enter_normal_mode (argv[0]);
quit:
@@ -530,7 +600,7 @@ index 13473ec..f11ce2a 100644
return 0;
}
@@ -527,8 +573,11 @@ GRUB_MOD_INIT(normal)
@@ -525,8 +576,11 @@ GRUB_MOD_INIT(normal)
/* Register a command "normal" for the rescue mode. */
grub_register_command ("normal", grub_cmd_normal,
0, N_("Enter normal mode."));
@@ -545,7 +615,7 @@ index 13473ec..f11ce2a 100644
/* Reload terminal colors when these variables are written to. */
grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 7e0a158..5ed9670 100644
index 719e2fb..0665abc 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -32,6 +32,9 @@
@@ -558,21 +628,22 @@ index 7e0a158..5ed9670 100644
/* Time to delay after displaying an error message about a default/fallback
entry failing to boot. */
@@ -633,18 +636,28 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
break;
case 'c':
- menu_fini ();
- grub_cmdline_run (1);
- grub_cmdline_run (1, 0);
- goto refresh;
+#ifdef GRUB_MACHINE_EFI
+ if (grub_is_locked () == 0)
+#endif
+ {
+ menu_fini ();
+ grub_cmdline_run (1);
+ grub_cmdline_run (1, 0);
+ goto refresh;
+ }
+ break;
case 'e':
- menu_fini ();
@@ -592,11 +663,12 @@ index 7e0a158..5ed9670 100644
+ goto refresh;
}
- goto refresh;
+ break;
default:
{
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index 1687c28..6e4fbfb 100644
index e22bb91..28c675f 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -27,6 +27,9 @@
@@ -609,7 +681,15 @@ index 1687c28..6e4fbfb 100644
static grub_uint8_t grub_color_menu_normal;
static grub_uint8_t grub_color_menu_highlight;
@@ -179,19 +182,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."),
}
else
{
+ const char *msg;
char *msg_translated;
msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which "
@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
if (nested)
{
@@ -705,5 +785,5 @@ index 0000000..98ef2d4
+
+#endif /* ! GRUB_EFI_MOK2_VERIFY_HEADER */
--
2.7.4
2.7.5

6
meta-efi-secure-boot/recipes-bsp/grub/grub-efi_2.02.bbappend
View File

@@ -17,7 +17,7 @@ SRC_URI += "\
file://chainloader-Actually-find-the-relocations-correctly-.patch \
file://efi-chainloader-implemented-for-32-bit.patch \
file://Grub-get-and-set-efi-variables.patch \
file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch;apply=0 \
file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
file://grub-efi.cfg \
file://boot-menu.inc \
${EXTRA_SRC_URI} \
@@ -25,8 +25,8 @@ SRC_URI += "\
EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"
# TODO: re-add mok2verify when refreshed
GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
if d.getVar('UEFI_SB', True) == '1' else ''}"
# For efi_call_foo and efi_shim_exit
CFLAGS_append = " -fno-toplevel-reorder"