diff --git a/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch b/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
new file mode 100644
index 0000000..6805d64
--- /dev/null
+++ b/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
@@ -0,0 +1,45 @@
+From 6d05264eeceaa2be991093d7fc31b78130bf5453 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Fri, 5 Mar 2021 21:48:53 +0800
+Subject: [PATCH] kern/efi/sb: Add chainloaded image as shim's verifiable
+ object
+
+While attempting to dual boot Microsoft Windows with UEFI chainloader,
+it failed with below error when UEFI Secure Boot was enabled:
+
+ error ../../grub-core/kern/verifiers.c:119:verification requested but
+ nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
+
+It is a regression, as previously it worked without any problem.
+
+It turns out chainloading PE image has been locked down by commit
+578c95298 (kern: Add lockdown support). However, we should consider it
+as verifiable object by shim to allow booting in UEFI Secure Boot mode.
+The chainloaded PE image could also have trusted signature created by
+vendor with their pubkey cert in db. For that matters it's usage should
+not be locked down under UEFI Secure Boot, and instead shim should be
+allowed to validate a PE binary signature before running it.
+
+Fixes: 578c95298 (kern: Add lockdown support)
+
+Signed-off-by: Michael Chang
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/efi/sb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index 41dadcd14..96d237722 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ case GRUB_FILE_TYPE_BSD_KERNEL:
+ case GRUB_FILE_TYPE_XNU_KERNEL:
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+ /* Fall through. */
+--
+2.26.2
+
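Review bot: The new `case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:` in `shim_lock_verifier_init` joins the kernel types that the shim verifier handles as one buffer, but the case list carries no comment saying why a chainloaded PE image belongs in that group, which is the rationale the commit message spends most of its text on; a one-line comment such as `/* PE images: shim validates the signature over the whole image, so hand it over as a single chunk. */` ahead of the new label would keep that reasoning next to the code. The switch and the function body continue past the inner hunk (after `/* Fall through. */`), so how the remaining file types are treated is outside this view. Since claiming this type is what turns the quoted "verification requested but nobody cares" refusal into an actual shim check, it is worth confirming in review that the verifier is still registered only when shim's lock protocol is present, so that systems without shim keep failing closed for chainloaded images; the hunk itself does not show the registration path.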
diff --git a/grub2.changes b/grub2.changes
index d4d30b4..6326782 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 11 02:00:15 UTC 2021 - Michael Chang
+
+- Fix chainloading windows on dual boot machine (bsc#1183073)
+ * 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
+
 -------------------------------------------------------------------
 Fri Feb 26 06:52:18 UTC 2021 - Michael Chang
 
diff --git a/grub2.spec b/grub2.spec
index b1ad19c..b9652c2 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -390,6 +390,7 @@ Patch783: 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
 Patch784: 0044-squash-kern-Add-lockdown-support.patch
 Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
+Patch787: 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
 
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -769,6 +770,7 @@ swap partition while in resuming
 %patch784 -p1
 %patch785 -p1
 %patch786 -p1
+%patch787 -p1
 
 %build
 # collect evidence to debug spurious build failure on SLE15
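Review bot: The new `Patch787:` line in the first grub2.spec hunk breaks the naming convention of its neighbours, whose file names carry a sequence prefix (`0043-` through `0046-`) that tracks the Patch tag, while the added file keeps the default `0001-` prefix that git format-patch emits. Renaming the file to the series' next number (a `0047-` style prefix, whatever the series actually uses) and updating both this line and the `%patch787 -p1` application in the second hunk would keep the series greppable and the two hunks consistent. If the file is kept as an unmodified upstream export for easier rebasing, a comment above the tag recording its origin, e.g. `# upstream commit 6d05264eeceaa2be991093d7fc31b78130bf5453`, would document that choice without renaming.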