From 0f630408b01a34d8b2ac33284aa5b49d6547bdbf2adbd4ab6a40d16befaa8e88 Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Fri, 14 Jan 2022 08:55:34 +0000 Subject: [PATCH] Accepting request 946359 from home:michael-chang:branches:Base:System - Power guest secure boot with static keys: GRUB2 signing portion (jsc#SLE-18271) (bsc#1192764) * 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch OBS-URL: https://build.opensuse.org/request/show/946359 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=402 --- ...-SUSE-signed-image-support-for-power.patch | 110 ++++++++++++++++++ grub2.changes | 7 ++ grub2.spec | 1 + 3 files changed, 118 insertions(+) create mode 100644 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
diff --git a/0001-grub-install-Add-SUSE-signed-image-support-for-power.patch b/0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
new file mode 100644
index 0000000..082bb27
--- /dev/null
+++ b/0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
@@ -0,0 +1,110 @@
+From 83a6f72e1896bd012b7fbca21317e96c2c22b327 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek
+Date: Wed, 12 Jan 2022 19:25:54 +0100
+Subject: [PATCH] grub-install: Add SUSE signed image support for powerpc.
+
+Signed-off-by: Michal Suchanek
+---
+ grub-core/osdep/linux/platform.c | 13 +++++++++++++
+ include/grub/util/install.h | 3 +++
+ util/grub-install.c | 29 ++++++++++++++++++++++++++---
+ 3 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/osdep/linux/platform.c b/grub-core/osdep/linux/platform.c
+index e28a79dab..2a12ed867 100644
+--- a/grub-core/osdep/linux/platform.c
++++ b/grub-core/osdep/linux/platform.c
+@@ -154,3 +154,16 @@ grub_install_get_default_x86_platform (void)
+ grub_util_info ("... not found");
+ return "i386-pc";
+ }
++
++int
++grub_install_get_powerpc_secure_boot (void)
++{
++ int32_t ret = -1;
++ FILE *fp = grub_util_fopen ("/proc/device-tree/ibm,secure-boot", "rb");
++ if (fp) {
++ if (fread (&ret , 1, sizeof(ret), fp) > 0)
++ ret = grub_be_to_cpu32(ret);
++ fclose(fp);
++ }
++ return ret;
++}
+diff --git a/include/grub/util/install.h b/include/grub/util/install.h
+index c241a2a40..154487b72 100644
+--- a/include/grub/util/install.h
++++ b/include/grub/util/install.h
+@@ -233,6 +233,9 @@ grub_install_get_default_arm_platform (void);
+ const char *
+ grub_install_get_default_x86_platform (void);
+
++int
++grub_install_get_powerpc_secure_boot (void);
++
+ int
+ grub_install_register_efi (grub_device_t efidir_grub_dev,
+ const char *efifile_path,
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a2286b3dd..8fb5ea616 100644
+--- a/util/grub-install.c
++++ b/util/grub-install.c
+@@ -321,10 +321,10 @@ static struct argp_option options[] = {
+ {"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
+ {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
+ N_("force installation of signed grub" "%s."
+- "This option is only available on ARM64 EFI targets."), 0},
++ "This option is only available on ARM64 EFI and powerpc targets."), 0},
+ {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
+ N_("inhibit installation of signed grub. "
+- "This option is only available on ARM64 EFI targets."), 0},
++ "This option is only available on ARM64 EFI and powerpc targets."), 0},
+ {"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
+ {"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
+ {"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
+@@ -1724,6 +1724,7 @@ main (int argc, char *argv[])
+ char mkimage_target[200];
+ const char *core_name = NULL;
+ char *signed_imgfile = NULL;
++ int ppc_sb_state = -1;
+
+ switch (platform)
+ {
+@@ -1770,11 +1771,33 @@ main (int argc, char *argv[])
+ grub_install_get_platform_platform (platform));
+ break;
+
++
++ case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
++ ppc_sb_state = grub_install_get_powerpc_secure_boot();
++
++ if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || ((signed_grub_mode == SIGNED_GRUB_AUTO) && (ppc_sb_state > 0)))
++ {
++ signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.elf");
++ if (!grub_util_is_regular (signed_imgfile))
++ {
++ if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || (ppc_sb_state > 1))
++ grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
++ else
++ {
++ free (signed_imgfile);
++ signed_imgfile = NULL;
++ }
++ }
++ }
++
++ if (signed_imgfile)
++ fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
++
++ /* fallthrough. */
+ case GRUB_INSTALL_PLATFORM_I386_COREBOOT:
+ case GRUB_INSTALL_PLATFORM_ARM_COREBOOT:
+ case GRUB_INSTALL_PLATFORM_I386_MULTIBOOT:
+ case GRUB_INSTALL_PLATFORM_I386_IEEE1275:
+- case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
+ case GRUB_INSTALL_PLATFORM_I386_XEN:
+ case GRUB_INSTALL_PLATFORM_X86_64_XEN:
+ case GRUB_INSTALL_PLATFORM_I386_XEN_PVH:
+--
+2.31.1
+
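Review bot: In `grub_install_get_powerpc_secure_boot` the test `fread (&ret , 1, sizeof(ret), fp) > 0` accepts a short read of one to three bytes, so a truncated property leaves `ret` as a mix of the bytes read and the `-1` initialiser, which is then byte-swapped and returned as the secure-boot state that `main` compares against `> 0` and `> 1` to decide whether the signed `grub.elf` is used or required. Reading into a scratch value and assigning only on a complete read avoids this: `uint32_t val;` `if (fread (&val, sizeof (val), 1, fp) == 1)` `ret = grub_be_to_cpu32 (val);`. The `-1` return also covers both "property absent" and "open or read failed", and in `SIGNED_GRUB_AUTO` mode either case falls through to the unsigned image with no message; a `grub_util_info` line reporting the detected state in the new `case` would make that decision visible in install logs. Neither the function nor the `case` documents what the returned values mean, so a short comment stating which states merely prefer and which require the signed image (as the `> 0` and `> 1` tests imply) would help the next reader.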
diff --git a/grub2.changes b/grub2.changes index aa45dad..63b7291 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Fri Jan 14 08:39:36 UTC 2022 - Michael Chang + +- Power guest secure boot with static keys: GRUB2 signing portion + (jsc#SLE-18271) (bsc#1192764) + * 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch + ------------------------------------------------------------------- Tue Jan 11 03:49:15 UTC 2022 - Michael Chang diff --git a/grub2.spec b/grub2.spec index aa1719c..a47bda4 100644 --- a/grub2.spec +++ b/grub2.spec @@ -352,6 +352,7 @@ Patch832: 0020-appended-signatures-verification-tests.patch Patch833: 0021-appended-signatures-documentation.patch Patch834: 0022-ieee1275-enter-lockdown-based-on-ibm-secure-boot.patch Patch835: 0023-x509-allow-Digitial-Signature-plus-other-Key-Usages.patch +Patch836: 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140