rpm/grub2
SHA256
1
0
Fork 0
forked from pool/grub2
Code Pull Requests Activity

Accepting request 878247 from home:michael-chang:branches:Base:System

Browse Source 
- Fix chainloading windows on dual boot machine (bsc#1183073)
  * 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch

OBS-URL: https://build.opensuse.org/request/show/878247
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=378
This commit is contained in:
Michael Chang 2021-03-11 03:22:49 +00:00 committed by Git OBS Bridge
parent a87715017f
commit 6366cfa9e7
3 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch Normal file
View File

@ -0,0 +1,45 @@
From 6d05264eeceaa2be991093d7fc31b78130bf5453 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 5 Mar 2021 21:48:53 +0800
Subject: [PATCH] kern/efi/sb: Add chainloaded image as shim's verifiable
object
While attempting to dual boot Microsoft Windows with UEFI chainloader,
it failed with below error when UEFI Secure Boot was enabled:
error ../../grub-core/kern/verifiers.c:119:verification requested but
nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
It is a regression, as previously it worked without any problem.
It turns out chainloading PE image has been locked down by commit
578c95298 (kern: Add lockdown support). However, we should consider it
as verifiable object by shim to allow booting in UEFI Secure Boot mode.
The chainloaded PE image could also have trusted signature created by
vendor with their pubkey cert in db. For that matters it's usage should
not be locked down under UEFI Secure Boot, and instead shim should be
allowed to validate a PE binary signature before running it.
Fixes: 578c95298 (kern: Add lockdown support)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/sb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 41dadcd14..96d237722 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
case GRUB_FILE_TYPE_BSD_KERNEL:
case GRUB_FILE_TYPE_XNU_KERNEL:
case GRUB_FILE_TYPE_PLAN9_KERNEL:
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
/* Fall through. */
--
2.26.2

6
grub2.changes
View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Thu Mar 11 02:00:15 UTC 2021 - Michael Chang <mchang@suse.com>
- Fix chainloading windows on dual boot machine (bsc#1183073)
* 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Fri Feb 26 06:52:18 UTC 2021 - Michael Chang <mchang@suse.com> Fri Feb 26 06:52:18 UTC 2021 - Michael Chang <mchang@suse.com>

2
grub2.spec
View File

@ -390,6 +390,7 @@ Patch783: 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
Patch784: 0044-squash-kern-Add-lockdown-support.patch Patch784: 0044-squash-kern-Add-lockdown-support.patch
Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
Patch787: 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
Requires: gettext-runtime Requires: gettext-runtime
%if 0%{?suse_version} >= 1140 %if 0%{?suse_version} >= 1140
@ -769,6 +770,7 @@ swap partition while in resuming
%patch784 -p1 %patch784 -p1
%patch785 -p1 %patch785 -p1
%patch786 -p1 %patch786 -p1
%patch787 -p1
%build %build
# collect evidence to debug spurious build failure on SLE15 # collect evidence to debug spurious build failure on SLE15