Accepting request 878247 from home:michael-chang:branches:Base:System

- Fix chainloading windows on dual boot machine (bsc#1183073) * 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch OBS-URL: https://build.opensuse.org/request/show/878247 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=378
2021-03-11 03:22:49 +00:00 · 2021-03-11 03:22:49 +00:00 · 6366cfa9e7
commit 6366cfa9e7
parent a87715017f
3 changed files with 53 additions and 0 deletions
--- a/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
+++ b/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
@ -0,0 +1,45 @@
+From 6d05264eeceaa2be991093d7fc31b78130bf5453 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Fri, 5 Mar 2021 21:48:53 +0800
+Subject: [PATCH] kern/efi/sb: Add chainloaded image as shim's verifiable
+ object
+
+While attempting to dual boot Microsoft Windows with UEFI chainloader,
+it failed with below error when UEFI Secure Boot was enabled:
+
+  error ../../grub-core/kern/verifiers.c:119:verification requested but
+  nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
+
+It is a regression, as previously it worked without any problem.
+
+It turns out chainloading PE image has been locked down by commit
+578c95298 (kern: Add lockdown support). However, we should consider it
+as verifiable object by shim to allow booting in UEFI Secure Boot mode.
+The chainloaded PE image could also have trusted signature created by
+vendor with their pubkey cert in db. For that matters it's usage should
+not be locked down under UEFI Secure Boot, and instead shim should be
+allowed to validate a PE binary signature before running it.
+
+Fixes: 578c95298 (kern: Add lockdown support)
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+ grub-core/kern/efi/sb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index 41dadcd14..96d237722 100644
+--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
+@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+     case GRUB_FILE_TYPE_BSD_KERNEL:
+     case GRUB_FILE_TYPE_XNU_KERNEL:
+     case GRUB_FILE_TYPE_PLAN9_KERNEL:
+    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+       *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+ 
+       /* Fall through. */
+-- 
+2.26.2
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 11 02:00:15 UTC 2021 - Michael Chang <mchang@suse.com>
+
+- Fix chainloading windows on dual boot machine (bsc#1183073)
+  * 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
+
 -------------------------------------------------------------------
 Fri Feb 26 06:52:18 UTC 2021 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -390,6 +390,7 @@ Patch783:       0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
 Patch784:       0044-squash-kern-Add-lockdown-support.patch
 Patch785:       0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch786:       0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
+Patch787:       0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@ -769,6 +770,7 @@ swap partition while in resuming
 %patch784 -p1
 %patch785 -p1
 %patch786 -p1
+%patch787 -p1

 %build
 # collect evidence to debug spurious build failure on SLE15