grub-efi: carry forward mok2verify to grub-2.02

Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
2026-05-07 10:09:22 +00:00 · 2017-07-13 10:26:43 +08:00
parent c071ce2d07
commit 3af3588ab2
2 changed files with 156 additions and 76 deletions
@@ -1,6 +1,6 @@
-From 46873e2c5514bf6460a2f0f39ad8f8feb8f18f68 Mon Sep 17 00:00:00 2001
+From 00fd7457c9d907800587e93f87fc5b6de68ba49e Mon Sep 17 00:00:00 2001
 From: Lans Zhang <jia.zhang@windriver.com>
-Date: Thu, 16 Mar 2017 14:49:41 +0800
+Date: Wed, 12 Jul 2017 16:02:13 +0800
 Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7
 signature

@@ -27,22 +27,23 @@ Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
 ---
 grub-core/Makefile.core.def    |   6 ++
 grub-core/commands/boot.c      |  14 +++-
- grub-core/gfxmenu/gui_label.c  |  39 ++++++++--
- grub-core/lib/efi/mok2verify.c | 172 +++++++++++++++++++++++++++++++++++++++++
- grub-core/loader/i386/linux.c  |  80 +++++++++++++++++++
- grub-core/normal/main.c        |  55 ++++++++++++-
- grub-core/normal/menu.c        |  29 +++++--
- grub-core/normal/menu_text.c   |  32 ++++++--
- include/grub/efi/mok2verify.h  |  48 ++++++++++++
- 9 files changed, 447 insertions(+), 28 deletions(-)
+ grub-core/gfxmenu/gui_label.c  |  39 +++++++--
+ grub-core/lib/efi/mok2verify.c | 182 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/loader/i386/linux.c  |  60 ++++++++++++++
+ grub-core/loader/linux.c       |  27 +++++-
+ grub-core/normal/main.c        |  62 +++++++++++++-
+ grub-core/normal/menu.c        |  31 +++++--
+ grub-core/normal/menu_text.c   |  33 ++++++--
+ include/grub/efi/mok2verify.h  |  48 +++++++++++
+ 10 files changed, 472 insertions(+), 30 deletions(-)
 create mode 100644 grub-core/lib/efi/mok2verify.c
 create mode 100644 include/grub/efi/mok2verify.h

 diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
-index e9e1483..8e72251 100644
+index a82c1f3..76b3c7d 100644
 --- a/grub-core/Makefile.core.def
 +++ b/grub-core/Makefile.core.def
-@@ -1434,6 +1434,12 @@ module = {
+@@ -1754,6 +1754,12 @@ module = {
 };
 
 module = {
@@ -56,7 +57,7 @@ index e9e1483..8e72251 100644
   common = mmap/mmap.c;
   x86 = mmap/i386/uppermem.c;
 diff --git a/grub-core/commands/boot.c b/grub-core/commands/boot.c
-index 91ec87d..5cddbb6 100644
+index bbca81e..3f44a7e 100644
 --- a/grub-core/commands/boot.c
 +++ b/grub-core/commands/boot.c
@@ -24,6 +24,9 @@
@@ -82,26 +83,26 @@ index 91ec87d..5cddbb6 100644
 +			   N_("you need to load the authenticated boot components"));
 +#endif
 +      return grub_error (GRUB_ERR_NO_KERNEL,
-+		         N_("you need to load the kernel first"));
+			 N_("you need to load the kernel first"));
 +    }
 
-   if (grub_loader_flags & GRUB_LOADER_FLAG_NORETURN)
-     grub_machine_fini ();
+   grub_machine_fini (grub_loader_flags);
+ 
 diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
-index 637578f..84bf7d4 100644
+index a4c8178..da49c9e 100644
 --- a/grub-core/gfxmenu/gui_label.c
 +++ b/grub-core/gfxmenu/gui_label.c
-@@ -23,6 +23,9 @@
- #include <grub/font.h>
+@@ -24,6 +24,9 @@
 #include <grub/gui_string_util.h>
 #include <grub/i18n.h>
+ #include <grub/color.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
 
 static const char *align_options[] =
 {
-@@ -180,15 +183,37 @@ label_set_property (void *vself, const char *name, const char *value)
+@@ -183,15 +186,37 @@ label_set_property (void *vself, const char *name, const char *value)
       else
 	{
 	   if (grub_strcmp (value, "@KEYMAP_LONG@") == 0)
@@ -148,10 +149,10 @@ index 637578f..84bf7d4 100644
 	  self->text = grub_xasprintf (value, self->value);
 diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
 new file mode 100644
-index 0000000..2e48ef9
+index 0000000..3865661
 --- /dev/null
 +++ b/grub-core/lib/efi/mok2verify.c
-@@ -0,0 +1,172 @@
+@@ -0,0 +1,182 @@
 +/* mok2verify.c - MOK2 Verify Protocol support
 + *
 + * BSD 2-clause "Simplified" License
@@ -195,10 +196,8 @@ index 0000000..2e48ef9
 +
 +GRUB_MOD_LICENSE ("GPLv2+");
 +
-+#define EFI_MOK2_VERIFY_PROTOCOL_GUID	\
-+  { 0x4eda73ad, 0x07aa, 0x4b7a, \
-+    { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 } \
-+  }
+#define EFI_MOK2_VERIFY_PROTOCOL_GUID \
+  { 0x4eda73ad, 0x07aa, 0x4b7a, { 0xa1, 0x91, 0xd4, 0xd4, 0x10, 0xfb, 0x8c, 0xb4 }}
 +
 +typedef struct efi_mok2_verify_protocol efi_mok2_verify_protocol_t;
 +
@@ -229,19 +228,27 @@ index 0000000..2e48ef9
 +int
 +grub_is_secured (void)
 +{
-+  grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
-+  void *efi_var;
-+  grub_size_t efi_var_size = 0;
+  grub_efi_guid_t global_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  void *var;
+  grub_size_t var_size = 0;
 +  int secured = 0;
 +
-+  efi_var = grub_efi_get_variable ("SecureBoot", &global, &efi_var_size);
-+  if (!efi_var)
+  var = grub_efi_get_variable ("SecureBoot", &global_guid, &var_size);
+  if (!var)
 +    return grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
 +
-+  if (efi_var_size == 1 && *(grub_uint8_t *) efi_var == 1)
+  if (var_size != 1 || *(grub_uint8_t *) var != 1)
+    goto out;
+
+  grub_free (var);
+
+  var = grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid,
+			       &var_size);
+  if (!var || (var_size == 1 && *(grub_uint8_t *) var == 0))
 +    secured = 1;
 +
-+  grub_free (efi_var);
+out:
+  grub_free (var);
 +
 +  return secured;
 +}
@@ -258,6 +265,8 @@ index 0000000..2e48ef9
 +  return ! grub_is_unlockable () && grub_is_secured ();
 +}
 +
+#pragma GCC diagnostic ignored "-Wvla"
+
 +grub_err_t
 +grub_verify_file (const char *path)
 +{
@@ -324,21 +333,23 @@ index 0000000..2e48ef9
 +
 +  return GRUB_ERR_NONE;
 +}
+
+#pragma GCC diagnostic error "-Wvla"
 diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
-index e2425c8..5a12444 100644
+index 083f941..486e420 100644
 --- a/grub-core/loader/i386/linux.c
 +++ b/grub-core/loader/i386/linux.c
-@@ -34,6 +34,9 @@
- #include <grub/i386/relocator.h>
+@@ -35,6 +35,9 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
+ #include <grub/linux.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
-@@ -664,6 +667,55 @@ grub_linux_unload (void)
+@@ -673,6 +676,55 @@ grub_linux_unload (void)
   return GRUB_ERR_NONE;
 }
 
@@ -394,7 +405,7 @@ index e2425c8..5a12444 100644
 static grub_err_t
 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 		int argc, char *argv[])
-@@ -687,6 +739,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+@@ -695,6 +747,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
       goto fail;
     }
 
@@ -404,9 +415,43 @@ index e2425c8..5a12444 100644
   file = grub_file_open (argv[0]);
   if (! file)
     goto fail;
-@@ -1132,6 +1187,26 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
- 			argv[i]);
- 	  goto fail;
+@@ -1132,6 +1187,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
+  fail:
+   grub_initrd_close (&initrd_ctx);
+ 
+#ifdef GRUB_MACHINE_EFI
+  /* An unauthenticated initrd always causes a complete boot failure. */
+  if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
+    grub_loader_unset();
+#endif
+   return grub_errno;
+ }
+ 
+diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
+index be6fa0f..edc6d24 100644
+--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
+@@ -4,6 +4,9 @@
+ #include <grub/misc.h>
+ #include <grub/file.h>
+ #include <grub/mm.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
+ 
+ struct newc_head
+ {
+@@ -253,6 +256,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+   int newc = 0;
+   struct dir *root = 0;
+   grub_ssize_t cursize = 0;
+  grub_err_t err;
+ 
+   for (i = 0; i < initrd_ctx->nfiles; i++)
+     {
+@@ -288,6 +292,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
+ 	  grub_initrd_close (initrd_ctx);
+ 	  return grub_errno;
 	}
 +
 +#ifdef GRUB_MACHINE_EFI
@@ -427,40 +472,55 @@ index e2425c8..5a12444 100644
 +	  goto fail;
 +	}
 +#endif
-+
       ptr += cursize;
-       grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));
+     }
+   if (newc)
+@@ -296,7 +319,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
       ptr += ALIGN_UP_OVERHEAD (cursize, 4);
-@@ -1149,6 +1224,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
-     grub_file_close (files[i]);
-   grub_free (files);
- 
-+#ifdef GRUB_MACHINE_EFI
-+  /* An unauthenticated initrd always causes a complete boot failure. */
-+  if (grub_is_secured () == 1 && grub_errno != GRUB_ERR_NONE)
-+    grub_loader_unset();
-+#endif
-   return grub_errno;
+       ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
+     }
+
+fail:
+   free_dir (root);
+   root = 0;
+-  return GRUB_ERR_NONE;
+  return err;
 }
- 
 diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
-index 13473ec..f11ce2a 100644
+index 78a70a8..1058c97 100644
 --- a/grub-core/normal/main.c
 +++ b/grub-core/normal/main.c
-@@ -32,6 +32,9 @@
- #include <grub/i18n.h>
+@@ -33,6 +33,9 @@
 #include <grub/charset.h>
 #include <grub/script_sh.h>
+ #include <grub/bufio.h>
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/mok2verify.h>
 +#endif
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
-@@ -233,6 +236,16 @@ grub_normal_init_page (struct grub_term_output *term)
+@@ -195,6 +198,8 @@ read_config_file (const char *config)
+   return newmenu;
+ }
+ 
+#pragma GCC diagnostic ignored "-Wformat-nonliteral"
+
+ /* Initialize the screen.  */
+ void
+ grub_normal_init_page (struct grub_term_output *term,
+@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
+ {
+   grub_ssize_t msg_len;
+   int posx;
+  const char *msg = _("GNU GRUB  version %s");
+   char *msg_formatted;
+   grub_uint32_t *unicode_msg;
+   grub_uint32_t *last_position;
  
   grub_term_cls (term);
 
+-  msg_formatted = grub_xasprintf (_("GNU GRUB  version %s"), PACKAGE_VERSION);
 +#ifdef GRUB_MACHINE_EFI
 +  if (grub_is_secured () == 1)
 +    {
@@ -471,10 +531,20 @@ index 13473ec..f11ce2a 100644
 +    }
 +#endif
 +
-   msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
+  msg_formatted = grub_xasprintf (msg, PACKAGE_VERSION);
   if (!msg_formatted)
     return;
-@@ -294,6 +307,24 @@ grub_normal_execute (const char *config, int nested, int batch)
+  
+@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
+   grub_free (unicode_msg);
+ }
+ 
+#pragma GCC diagnostic error "-Wformat-nonliteral"
+
+ static void
+ read_lists (const char *val)
+ {
+@@ -273,6 +291,24 @@ grub_normal_execute (const char *config, int nested, int batch)
 
   if (config)
     {
@@ -499,19 +569,19 @@ index 13473ec..f11ce2a 100644
       menu = read_config_file (config);
 
       /* Ignore any error.  */
-@@ -317,7 +348,10 @@ grub_enter_normal_mode (const char *config)
- {
+@@ -302,7 +338,10 @@ grub_enter_normal_mode (const char *config)
   nested_level++;
   grub_normal_execute (config, 0, 0);
-  grub_cmdline_run (0);
+   grub_boot_time ("Entering shell");
+-  grub_cmdline_run (0, 1);
 +#ifdef GRUB_MACHINE_EFI
 +  if (grub_is_locked () == 0)
 +#endif
-+    grub_cmdline_run (0);
+    grub_cmdline_run (0, 1);
   nested_level--;
   if (grub_normal_exit_level)
     grub_normal_exit_level--;
-@@ -352,6 +386,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
+@@ -338,6 +377,18 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
     grub_enter_normal_mode (argv[0]);
 
 quit:
@@ -530,7 +600,7 @@ index 13473ec..f11ce2a 100644
   return 0;
 }
 
-@@ -527,8 +573,11 @@ GRUB_MOD_INIT(normal)
+@@ -525,8 +576,11 @@ GRUB_MOD_INIT(normal)
   /* Register a command "normal" for the rescue mode.  */
   grub_register_command ("normal", grub_cmd_normal,
 			 0, N_("Enter normal mode."));
@@ -545,7 +615,7 @@ index 13473ec..f11ce2a 100644
   /* Reload terminal colors when these variables are written to.  */
   grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
 diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
-index 7e0a158..5ed9670 100644
+index 719e2fb..0665abc 100644
 --- a/grub-core/normal/menu.c
 +++ b/grub-core/normal/menu.c
@@ -32,6 +32,9 @@
@@ -558,21 +628,22 @@ index 7e0a158..5ed9670 100644
 
 /* Time to delay after displaying an error message about a default/fallback
    entry failing to boot.  */
-@@ -633,18 +636,28 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
+@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
 	      break;
 
 	    case 'c':
 -	      menu_fini ();
-	      grub_cmdline_run (1);
+-	      grub_cmdline_run (1, 0);
 -	      goto refresh;
 +#ifdef GRUB_MACHINE_EFI
 +	      if (grub_is_locked () == 0)
 +#endif
 +		{
 +		  menu_fini ();
-+		  grub_cmdline_run (1);
+		  grub_cmdline_run (1, 0);
 +		  goto refresh;
 +		}
+	      break;
 
 	    case 'e':
 -	      menu_fini ();
@@ -592,11 +663,12 @@ index 7e0a158..5ed9670 100644
 +		  goto refresh;
 		}
 -	      goto refresh;
+	      break;
 
 	    default:
 	      {
 diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
-index 1687c28..6e4fbfb 100644
+index e22bb91..28c675f 100644
 --- a/grub-core/normal/menu_text.c
 +++ b/grub-core/normal/menu_text.c
@@ -27,6 +27,9 @@
@@ -609,7 +681,15 @@ index 1687c28..6e4fbfb 100644
 
 static grub_uint8_t grub_color_menu_normal;
 static grub_uint8_t grub_color_menu_highlight;
-@@ -179,19 +182,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+@@ -165,6 +168,7 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+     }
+   else
+     {
+      const char *msg;
+       char *msg_translated;
+ 
+       msg_translated = grub_xasprintf (_("Use the %C and %C keys to select which "
+@@ -180,19 +184,32 @@ command-line or ESC to discard edits and return to the GRUB menu."),
 
       if (nested)
 	{
@@ -705,5 +785,5 @@ index 0000000..98ef2d4
 +
 +#endif	/* ! GRUB_EFI_MOK2_VERIFY_HEADER */
 -- 
-2.7.4
+2.7.5

@@ -17,7 +17,7 @@ SRC_URI += "\
    file://chainloader-Actually-find-the-relocations-correctly-.patch \
    file://efi-chainloader-implemented-for-32-bit.patch \
    file://Grub-get-and-set-efi-variables.patch \
-    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch;apply=0 \
+    file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
    file://grub-efi.cfg \
    file://boot-menu.inc \
    ${EXTRA_SRC_URI} \
@@ -25,8 +25,8 @@ SRC_URI += "\

 EFI_BOOT_PATH = "/boot/efi/EFI/BOOT"

-# TODO: re-add mok2verify when refreshed
-GRUB_BUILDIN_append += " chain ${@'efivar password_pbkdf2' if d.getVar('UEFI_SB', True) == '1' else ''}"
+GRUB_BUILDIN_append += " chain ${@'efivar mok2verify password_pbkdf2' \
+                                  if d.getVar('UEFI_SB', True) == '1' else ''}"

 # For efi_call_foo and efi_shim_exit
 CFLAGS_append = " -fno-toplevel-reorder"