262 lines
9.3 KiB
Diff
262 lines
9.3 KiB
Diff
|
From 836337d9b895da32bcbc451c84bc3a7865a15963 Mon Sep 17 00:00:00 2001
|
||
|
From: Michael Chang <mchang@suse.com>
|
||
|
Date: Mon, 18 Apr 2022 22:16:49 +0800
|
||
|
Subject: [PATCH 32/32] Use grub_loader_set_ex() for secureboot chainloader
|
||
|
|
||
|
This is required as many distributions, including SUSE, has been
|
||
|
shipping a variation to load and start image using native functions than
|
||
|
calling out efi protocols when secure boot is enabled and shim lock is
|
||
|
used to verify image.
|
||
|
|
||
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||
|
---
|
||
|
grub-core/loader/efi/chainloader.c | 100 +++++++++++++++++++----------
|
||
|
1 file changed, 66 insertions(+), 34 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||
|
index b3e1e89302..48d69c7795 100644
|
||
|
--- a/grub-core/loader/efi/chainloader.c
|
||
|
+++ b/grub-core/loader/efi/chainloader.c
|
||
|
@@ -53,10 +53,6 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||
|
|
||
|
static grub_dl_t my_mod;
|
||
|
|
||
|
-static grub_ssize_t fsize;
|
||
|
-static grub_ssize_t cmdline_len;
|
||
|
-static grub_efi_handle_t dev_handle;
|
||
|
-
|
||
|
#ifdef SUPPORT_SECURE_BOOT
|
||
|
static grub_efi_boolean_t debug_secureboot = 0;
|
||
|
static grub_efi_status_t (*entry_point) (grub_efi_handle_t image_handle, grub_efi_system_table_t *system_table);
|
||
|
@@ -76,8 +72,6 @@ grub_chainloader_unload (void *context)
|
||
|
b = grub_efi_system_table->boot_services;
|
||
|
efi_call_1 (b->unload_image, image_handle);
|
||
|
|
||
|
- dev_handle = 0;
|
||
|
-
|
||
|
grub_dl_unref (my_mod);
|
||
|
return GRUB_ERR_NONE;
|
||
|
}
|
||
|
@@ -254,6 +248,17 @@ struct pe_coff_loader_image_context
|
||
|
struct grub_pe32_header_no_msdos_stub *pe_hdr;
|
||
|
};
|
||
|
|
||
|
+struct grub_secureboot_chainloader_context
|
||
|
+{
|
||
|
+ grub_efi_physical_address_t address;
|
||
|
+ grub_efi_uintn_t pages;
|
||
|
+ grub_ssize_t fsize;
|
||
|
+ grub_efi_device_path_t *file_path;
|
||
|
+ grub_efi_char16_t *cmdline;
|
||
|
+ grub_ssize_t cmdline_len;
|
||
|
+ grub_efi_handle_t dev_handle;
|
||
|
+};
|
||
|
+
|
||
|
typedef struct pe_coff_loader_image_context pe_coff_loader_image_context_t;
|
||
|
|
||
|
struct grub_efi_shim_lock
|
||
|
@@ -477,11 +482,13 @@ grub_efi_get_media_file_path (grub_efi_device_path_t *dp)
|
||
|
}
|
||
|
|
||
|
static grub_efi_boolean_t
|
||
|
-handle_image (void *data, grub_efi_uint32_t datasize)
|
||
|
+handle_image (struct grub_secureboot_chainloader_context *load_context)
|
||
|
{
|
||
|
grub_efi_boot_services_t *b;
|
||
|
grub_efi_loaded_image_t *li, li_bak;
|
||
|
grub_efi_status_t efi_status;
|
||
|
+ void *data = (void *)(unsigned long)load_context->address;
|
||
|
+ grub_efi_uint32_t datasize = load_context->fsize;
|
||
|
char *buffer = NULL;
|
||
|
char *buffer_aligned = NULL;
|
||
|
grub_efi_uint32_t i, size;
|
||
|
@@ -571,10 +578,10 @@ handle_image (void *data, grub_efi_uint32_t datasize)
|
||
|
grub_memcpy (&li_bak, li, sizeof (grub_efi_loaded_image_t));
|
||
|
li->image_base = buffer_aligned;
|
||
|
li->image_size = context.image_size;
|
||
|
- li->load_options = cmdline;
|
||
|
- li->load_options_size = cmdline_len;
|
||
|
- li->file_path = grub_efi_get_media_file_path (file_path);
|
||
|
- li->device_handle = dev_handle;
|
||
|
+ li->load_options = load_context->cmdline;
|
||
|
+ li->load_options_size = load_context->cmdline_len;
|
||
|
+ li->file_path = grub_efi_get_media_file_path (load_context->file_path);
|
||
|
+ li->device_handle = load_context->dev_handle;
|
||
|
if (li->file_path)
|
||
|
{
|
||
|
grub_printf ("file path: ");
|
||
|
@@ -605,26 +612,27 @@ error_exit:
|
||
|
}
|
||
|
|
||
|
static grub_err_t
|
||
|
-grub_secureboot_chainloader_unload (void)
|
||
|
+grub_secureboot_chainloader_unload (void* context)
|
||
|
{
|
||
|
grub_efi_boot_services_t *b;
|
||
|
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
|
||
|
|
||
|
b = grub_efi_system_table->boot_services;
|
||
|
- efi_call_2 (b->free_pages, address, pages);
|
||
|
- grub_free (file_path);
|
||
|
- grub_free (cmdline);
|
||
|
- cmdline = 0;
|
||
|
- file_path = 0;
|
||
|
- dev_handle = 0;
|
||
|
+ efi_call_2 (b->free_pages, sb_context->address, sb_context->pages);
|
||
|
+ grub_free (sb_context->file_path);
|
||
|
+ grub_free (sb_context->cmdline);
|
||
|
+ grub_free (sb_context);
|
||
|
|
||
|
grub_dl_unref (my_mod);
|
||
|
return GRUB_ERR_NONE;
|
||
|
}
|
||
|
|
||
|
static grub_err_t
|
||
|
-grub_secureboot_chainloader_boot (void)
|
||
|
+grub_secureboot_chainloader_boot (void *context)
|
||
|
{
|
||
|
- handle_image ((void *)address, fsize);
|
||
|
+ struct grub_secureboot_chainloader_context *sb_context = (struct grub_secureboot_chainloader_context *)context;
|
||
|
+
|
||
|
+ handle_image (sb_context);
|
||
|
grub_loader_unset ();
|
||
|
return grub_errno;
|
||
|
}
|
||
|
@@ -635,6 +643,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
int argc, char *argv[])
|
||
|
{
|
||
|
grub_file_t file = 0;
|
||
|
+ grub_ssize_t size;
|
||
|
grub_efi_status_t status;
|
||
|
grub_efi_boot_services_t *b;
|
||
|
grub_device_t dev = 0;
|
||
|
@@ -646,6 +655,8 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
grub_efi_uintn_t pages = 0;
|
||
|
grub_efi_char16_t *cmdline = NULL;
|
||
|
grub_efi_handle_t image_handle = NULL;
|
||
|
+ grub_ssize_t cmdline_len = 0;
|
||
|
+ grub_efi_handle_t dev_handle = 0;
|
||
|
|
||
|
if (argc == 0)
|
||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||
|
@@ -653,8 +664,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
|
||
|
grub_dl_ref (my_mod);
|
||
|
|
||
|
- dev_handle = 0;
|
||
|
-
|
||
|
b = grub_efi_system_table->boot_services;
|
||
|
|
||
|
if (argc > 1)
|
||
|
@@ -732,14 +741,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
grub_printf ("file path: ");
|
||
|
grub_efi_print_device_path (file_path);
|
||
|
|
||
|
- fsize = grub_file_size (file);
|
||
|
- if (!fsize)
|
||
|
+ size = grub_file_size (file);
|
||
|
+ if (!size)
|
||
|
{
|
||
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
||
|
filename);
|
||
|
goto fail;
|
||
|
}
|
||
|
- pages = (((grub_efi_uintn_t) fsize + ((1 << 12) - 1)) >> 12);
|
||
|
+ pages = (((grub_efi_uintn_t) size + ((1 << 12) - 1)) >> 12);
|
||
|
|
||
|
status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES,
|
||
|
GRUB_EFI_LOADER_CODE,
|
||
|
@@ -753,7 +762,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
}
|
||
|
|
||
|
boot_image = (void *) ((grub_addr_t) address);
|
||
|
- if (grub_file_read (file, boot_image, fsize) != fsize)
|
||
|
+ if (grub_file_read (file, boot_image, size) != size)
|
||
|
{
|
||
|
if (grub_errno == GRUB_ERR_NONE)
|
||
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
||
|
@@ -763,7 +772,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
}
|
||
|
|
||
|
#if defined (__i386__) || defined (__x86_64__)
|
||
|
- if (fsize >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
|
||
|
+ if (size >= (grub_ssize_t) sizeof (struct grub_macho_fat_header))
|
||
|
{
|
||
|
struct grub_macho_fat_header *head = boot_image;
|
||
|
if (head->magic
|
||
|
@@ -786,30 +795,42 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
> ~grub_cpu_to_le32 (archs[i].size)
|
||
|
|| grub_cpu_to_le32 (archs[i].offset)
|
||
|
+ grub_cpu_to_le32 (archs[i].size)
|
||
|
- > (grub_size_t) fsize)
|
||
|
+ > (grub_size_t) size)
|
||
|
{
|
||
|
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
|
||
|
filename);
|
||
|
goto fail;
|
||
|
}
|
||
|
boot_image = (char *) boot_image + grub_cpu_to_le32 (archs[i].offset);
|
||
|
- fsize = grub_cpu_to_le32 (archs[i].size);
|
||
|
+ size = grub_cpu_to_le32 (archs[i].size);
|
||
|
}
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
#ifdef SUPPORT_SECURE_BOOT
|
||
|
/* FIXME is secure boot possible also with universal binaries? */
|
||
|
- if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, fsize)))
|
||
|
+ if (debug_secureboot || (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED && grub_secure_validate ((void *)address, size)))
|
||
|
{
|
||
|
+ struct grub_secureboot_chainloader_context *sb_context;
|
||
|
+
|
||
|
+ sb_context = grub_malloc (sizeof (*sb_context));
|
||
|
+ if (!sb_context)
|
||
|
+ goto fail;
|
||
|
+ sb_context->cmdline = cmdline;
|
||
|
+ sb_context->cmdline_len = cmdline_len;
|
||
|
+ sb_context->fsize = size;
|
||
|
+ sb_context->dev_handle = dev_handle;
|
||
|
+ sb_context->address = address;
|
||
|
+ sb_context->pages = pages;
|
||
|
+ sb_context->file_path = file_path;
|
||
|
grub_file_close (file);
|
||
|
- grub_loader_set (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, 0);
|
||
|
+ grub_loader_set_ex (grub_secureboot_chainloader_boot, grub_secureboot_chainloader_unload, sb_context, 0);
|
||
|
return 0;
|
||
|
}
|
||
|
#endif
|
||
|
|
||
|
status = efi_call_6 (b->load_image, 0, grub_efi_image_handle, file_path,
|
||
|
- boot_image, fsize,
|
||
|
+ boot_image, size,
|
||
|
&image_handle);
|
||
|
#ifdef SUPPORT_SECURE_BOOT
|
||
|
if (status == GRUB_EFI_SECURITY_VIOLATION && grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
|
||
|
@@ -817,10 +838,21 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||
|
/* If it failed with security violation while not in secure boot mode,
|
||
|
the firmware might be broken. We try to workaround on that by forcing
|
||
|
the SB method! (bsc#887793) */
|
||
|
+ struct grub_secureboot_chainloader_context *sb_context;
|
||
|
+
|
||
|
grub_dprintf ("chain", "Possible firmware flaw! Security violation while not in secure boot mode.\n");
|
||
|
+ sb_context = grub_malloc (sizeof (*sb_context));
|
||
|
+ if (!sb_context)
|
||
|
+ goto fail;
|
||
|
+ sb_context->cmdline = cmdline;
|
||
|
+ sb_context->cmdline_len = cmdline_len;
|
||
|
+ sb_context->fsize = size;
|
||
|
+ sb_context->dev_handle = dev_handle;
|
||
|
+ sb_context->address = address;
|
||
|
+ sb_context->pages = pages;
|
||
|
grub_file_close (file);
|
||
|
- grub_loader_set (grub_secureboot_chainloader_boot,
|
||
|
- grub_secureboot_chainloader_unload, 0);
|
||
|
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
|
||
|
+ grub_secureboot_chainloader_unload, sb_context, 0);
|
||
|
return 0;
|
||
|
}
|
||
|
#endif
|
||
|
--
|
||
|
2.34.1
|
||
|
|