Accepting request 946359 from home:michael-chang:branches:Base:System

- Power guest secure boot with static keys: GRUB2 signing portion (jsc#SLE-18271) (bsc#1192764) * 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch OBS-URL: https://build.opensuse.org/request/show/946359 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=402
2022-01-14 08:55:34 +00:00 · 2022-01-14 08:55:34 +00:00 · 0f630408b0
commit 0f630408b0
parent d6d145b71a
3 changed files with 118 additions and 0 deletions
--- a/0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
+++ b/0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
@ -0,0 +1,110 @@
+From 83a6f72e1896bd012b7fbca21317e96c2c22b327 Mon Sep 17 00:00:00 2001
+From: Michal Suchanek <msuchanek@suse.de>
+Date: Wed, 12 Jan 2022 19:25:54 +0100
+Subject: [PATCH] grub-install: Add SUSE signed image support for powerpc.
+
+Signed-off-by: Michal Suchanek <msuchanek@suse.de>
+---
+ grub-core/osdep/linux/platform.c | 13 +++++++++++++
+ include/grub/util/install.h      |  3 +++
+ util/grub-install.c              | 29 ++++++++++++++++++++++++++---
+ 3 files changed, 42 insertions(+), 3 deletions(-)
+
+diff --git a/grub-core/osdep/linux/platform.c b/grub-core/osdep/linux/platform.c
+index e28a79dab..2a12ed867 100644
+--- a/grub-core/osdep/linux/platform.c
+++ b/grub-core/osdep/linux/platform.c
+@@ -154,3 +154,16 @@ grub_install_get_default_x86_platform (void)
+   grub_util_info ("... not found");
+   return "i386-pc";
+ }
+
+int
+grub_install_get_powerpc_secure_boot (void)
+{
+  int32_t ret = -1;
+  FILE *fp = grub_util_fopen ("/proc/device-tree/ibm,secure-boot", "rb");
+  if (fp) {
+    if (fread (&ret , 1, sizeof(ret), fp) > 0)
+      ret = grub_be_to_cpu32(ret);
+    fclose(fp);
+  }
+  return ret;
+}
+diff --git a/include/grub/util/install.h b/include/grub/util/install.h
+index c241a2a40..154487b72 100644
+--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
+@@ -233,6 +233,9 @@ grub_install_get_default_arm_platform (void);
+ const char *
+ grub_install_get_default_x86_platform (void);
+ 
+int
+grub_install_get_powerpc_secure_boot (void);
+
+ int
+ grub_install_register_efi (grub_device_t efidir_grub_dev,
+ 			   const char *efifile_path,
+diff --git a/util/grub-install.c b/util/grub-install.c
+index a2286b3dd..8fb5ea616 100644
+--- a/util/grub-install.c
+++ b/util/grub-install.c
+@@ -321,10 +321,10 @@ static struct argp_option options[] = {
+   {"suse-enable-tpm", OPTION_SUSE_ENABLE_TPM, 0, 0, N_("install TPM modules"), 0},
+   {"suse-force-signed", OPTION_SUSE_FORCE_SIGNED, 0, 0,
+    N_("force installation of signed grub" "%s."
+-      "This option is only available on ARM64 EFI targets."), 0},
+      "This option is only available on ARM64 EFI and powerpc targets."), 0},
+   {"suse-inhibit-signed", OPTION_SUSE_INHIBIT_SIGNED, 0, 0,
+    N_("inhibit installation of signed grub. "
+-      "This option is only available on ARM64 EFI targets."), 0},
+      "This option is only available on ARM64 EFI and powerpc targets."), 0},
+   {"debug", OPTION_DEBUG, 0, OPTION_HIDDEN, 0, 2},
+   {"no-floppy", OPTION_NO_FLOPPY, 0, OPTION_HIDDEN, 0, 2},
+   {"debug-image", OPTION_DEBUG_IMAGE, N_("STRING"), OPTION_HIDDEN, 0, 2},
+@@ -1724,6 +1724,7 @@ main (int argc, char *argv[])
+   char mkimage_target[200];
+   const char *core_name = NULL;
+   char *signed_imgfile = NULL;
+  int ppc_sb_state = -1;
+ 
+   switch (platform)
+     {
+@@ -1770,11 +1771,33 @@ main (int argc, char *argv[])
+ 		grub_install_get_platform_platform (platform));
+       break;
+ 
+
+    case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
+      ppc_sb_state = grub_install_get_powerpc_secure_boot();
+
+      if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || ((signed_grub_mode == SIGNED_GRUB_AUTO) && (ppc_sb_state > 0)))
+	{
+	  signed_imgfile = grub_util_path_concat (2, grub_install_source_directory, "grub.elf");
+	  if (!grub_util_is_regular (signed_imgfile))
+	    {
+	      if ((signed_grub_mode >= SIGNED_GRUB_FORCE) || (ppc_sb_state > 1))
+		grub_util_error ("signed image `%s' does not exist\n", signed_imgfile);
+	      else
+		{
+		  free (signed_imgfile);
+		  signed_imgfile = NULL;
+		}
+	    }
+	}
+
+      if (signed_imgfile)
+	fprintf (stderr, _("Use signed file in %s for installation.\n"), signed_imgfile);
+
+      /* fallthrough.  */
+     case GRUB_INSTALL_PLATFORM_I386_COREBOOT:
+     case GRUB_INSTALL_PLATFORM_ARM_COREBOOT:
+     case GRUB_INSTALL_PLATFORM_I386_MULTIBOOT:
+     case GRUB_INSTALL_PLATFORM_I386_IEEE1275:
+-    case GRUB_INSTALL_PLATFORM_POWERPC_IEEE1275:
+     case GRUB_INSTALL_PLATFORM_I386_XEN:
+     case GRUB_INSTALL_PLATFORM_X86_64_XEN:
+     case GRUB_INSTALL_PLATFORM_I386_XEN_PVH:
+-- 
+2.31.1
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Fri Jan 14 08:39:36 UTC 2022 - Michael Chang <mchang@suse.com>
+
+- Power guest secure boot with static keys: GRUB2 signing portion
+  (jsc#SLE-18271) (bsc#1192764)
+  * 0001-grub-install-Add-SUSE-signed-image-support-for-power.patch
+
 -------------------------------------------------------------------
 Tue Jan 11 03:49:15 UTC 2022 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -352,6 +352,7 @@ Patch832:       0020-appended-signatures-verification-tests.patch
 Patch833:       0021-appended-signatures-documentation.patch
 Patch834:       0022-ieee1275-enter-lockdown-based-on-ibm-secure-boot.patch
 Patch835:       0023-x509-allow-Digitial-Signature-plus-other-Key-Usages.patch
+Patch836:       0001-grub-install-Add-SUSE-signed-image-support-for-power.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140