grub2/0001-ieee1275-adding-failure-check-condition-on-ibm-secur.patch

From 5025c64afc876d91d3947ce07bb59ffe9af7209d Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Tue, 25 Feb 2025 19:14:24 +0530
Subject: [PATCH 1/9] ieee1275: adding failure check condition on
 /ibm,secure-boot

failure check condition is missing while finding device "/" and
get property "ibm,secure-boot". So, adding the failure check condition.

Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
---
 grub-core/kern/ieee1275/init.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index f86543da0d..0e1cbf24c3 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -987,12 +987,20 @@ grub_get_ieee1275_secure_boot (void)
   int rc;
   grub_uint32_t is_sb;
 
-  grub_ieee1275_finddevice ("/", &root);
-
-  rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
-                                           sizeof (is_sb), 0);
+  if (grub_ieee1275_finddevice ("/", &root))
+    {
+      grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't find / node");
+      return;
+    }
 
-  /* ibm,secure-boot:
+  rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb, sizeof (is_sb), 0);
+  if (rc < 0)
+    {
+      grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /ibm,secure-boot property");
+      return;
+    }
+  /*
+   * ibm,secure-boot:
    * 0 - disabled
    * 1 - audit
    * 2 - enforce
@@ -1000,7 +1008,7 @@ grub_get_ieee1275_secure_boot (void)
    *
    * We only support enforce.
    */
-  if (rc >= 0 && is_sb >= 2)
+  if (is_sb >= 2)
     grub_lockdown ();
 }
 
-- 
2.48.1
Accepting request 1252188 from home:michael-chang:branches:Base:System - Update patches for Power guest secure boot with key management (jsc#PED-3520) (jsc#PED-9892) * 0001-ieee1275-adding-failure-check-condition-on-ibm-secur.patch * 0002-ieee1275-Platform-Keystore-PKS-Support.patch * 0003-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch * 0004-appendedsig-The-creation-of-trusted-and-distrusted-l.patch * 0005-appendedsig-While-verifying-the-kernel-use-trusted-a.patch * 0006-powerpc_ieee1275-set-use_static_keys-flag.patch * 0007-appendedsig-Reads-the-default-DB-keys-from-ELF-Note.patch * 0008-appendedsig-The-grub-command-s-trusted-and-distruste.patch * 0009-appendedsig-documentation.patch - Remove patches * 0001-ieee1275-Platform-Keystore-PKS-Support.patch * 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch * 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch * 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch * 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch * 0006-appendedsig-documentation.patch OBS-URL: https://build.opensuse.org/request/show/1252188 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=534 2025-03-12 04:31:40 +00:00			`From 5025c64afc876d91d3947ce07bb59ffe9af7209d Mon Sep 17 00:00:00 2001`
			`From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>`
			`Date: Tue, 25 Feb 2025 19:14:24 +0530`
			`Subject: [PATCH 1/9] ieee1275: adding failure check condition on`
			`/ibm,secure-boot`

			`failure check condition is missing while finding device "/" and`
			`get property "ibm,secure-boot". So, adding the failure check condition.`

			`Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>`
			`---`
			`grub-core/kern/ieee1275/init.c \| 20 ++++++++++++++------`
			`1 file changed, 14 insertions(+), 6 deletions(-)`

			`diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c`
			`index f86543da0d..0e1cbf24c3 100644`
			`--- a/grub-core/kern/ieee1275/init.c`
			`+++ b/grub-core/kern/ieee1275/init.c`
			`@@ -987,12 +987,20 @@ grub_get_ieee1275_secure_boot (void)`
			`int rc;`
			`grub_uint32_t is_sb;`

			`- grub_ieee1275_finddevice ("/", &root);`
			`-`
			`- rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,`
			`- sizeof (is_sb), 0);`
			`+ if (grub_ieee1275_finddevice ("/", &root))`
			`+ {`
			`+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't find / node");`
			`+ return;`
			`+ }`

			`- /* ibm,secure-boot:`
			`+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb, sizeof (is_sb), 0);`
			`+ if (rc < 0)`
			`+ {`
			`+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /ibm,secure-boot property");`
			`+ return;`
			`+ }`
			`+ /*`
			`+ * ibm,secure-boot:`
			`* 0 - disabled`
			`* 1 - audit`
			`* 2 - enforce`
			`@@ -1000,7 +1008,7 @@ grub_get_ieee1275_secure_boot (void)`
			`*`
			`* We only support enforce.`
			`*/`
			`- if (rc >= 0 && is_sb >= 2)`
			`+ if (is_sb >= 2)`
			`grub_lockdown ();`
			`}`

			`--`
			`2.48.1`