Accepting request 829926 from home:michael-chang:branches:Base:System

- Fix verification requested but nobody cares error when loading external module in secure boot off (bsc#1175766) * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch OBS-URL: https://build.opensuse.org/request/show/829926 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=363
2020-08-28 04:34:19 +00:00 · 2020-08-28 04:34:19 +00:00 · 9d81a73a54
commit 9d81a73a54
parent 67e6feecbf
3 changed files with 50 additions and 0 deletions
--- a/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
+++ b/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
@ -0,0 +1,41 @@
+From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 27 Aug 2020 13:18:25 +0800
+Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
+ boot off
+
+The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
+status that will cause error [1] on loading external grub modules if
+secure boot turned off in which shim protocol itself did not verify
+images so should not request verification for external modules either.
+
+This patch fixed the problem by adding the secure boot status check
+before requesting other verifiers to verify external module, therefore
+external module loading can work after shim_lock module loaded and
+secure boot turned off.
+
+[1] error: verification requested but nobody cares:
+(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/commands/efi/shim_lock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
+index 764098cfc..18d121297 100644
+--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
+@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
+ 
+     case GRUB_FILE_TYPE_ACPI_TABLE:
+     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+      if (grub_efi_secure_boot())
+	*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+ 
+       return GRUB_ERR_NONE;
+ 
+-- 
+2.26.2
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 27 06:58:37 UTC 2020 - Michael Chang <mchang@suse.com>
+
+- Fix verification requested but nobody cares error when loading external
+  module in secure boot off (bsc#1175766)
+  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
+
 -------------------------------------------------------------------
 Sat Aug 22 02:41:49 UTC 2020 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -330,6 +330,7 @@ Patch716:       0002-cmdline-Provide-cmdline-functions-as-module.patch
 Patch717:       0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 Patch718:       0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
 Patch719:       0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+Patch720:       0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@ -651,6 +652,7 @@ swap partition while in resuming
 %patch717 -p1
 %patch718 -p1
 %patch719 -p1
+%patch720 -p1

 %build
 # collect evidence to debug spurious build failure on SLE15