diff --git a/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch b/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
new file mode 100644
index 0000000..f1c6f2e
--- /dev/null
+++ b/0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
@@ -0,0 +1,41 @@
+From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Thu, 27 Aug 2020 13:18:25 +0800
+Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
+ boot off
+
+The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
+status that will cause error [1] on loading external grub modules if
+secure boot turned off in which shim protocol itself did not verify
+images so should not request verification for external modules either.
+
+This patch fixed the problem by adding the secure boot status check
+before requesting other verifiers to verify external module, therefore
+external module loading can work after shim_lock module loaded and
+secure boot turned off.
+
+[1] error: verification requested but nobody cares:
+(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
+
+Signed-off-by: Michael Chang
+---
+ grub-core/commands/efi/shim_lock.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
+index 764098cfc..18d121297 100644
+--- a/grub-core/commands/efi/shim_lock.c
++++ b/grub-core/commands/efi/shim_lock.c
+@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
+
+ case GRUB_FILE_TYPE_ACPI_TABLE:
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
++ if (grub_efi_secure_boot())
++ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+
+ return GRUB_ERR_NONE;
+
+--
+2.26.2
+
diff --git a/grub2.changes b/grub2.changes
index aeef9a2..ac000af 100644
--- a/grub2.changes
+++ b/grub2.changes
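Review bot: In the shim_lock.c hunk embedded in 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch, the new `if (grub_efi_secure_boot())` guard leaves `*flags` unassigned when Secure Boot is off, so the outcome for these file types depends on whatever value the caller put in `flags` before calling shim_lock_init, which the hunk does not show. Making the non-enforcing path explicit would remove that dependency, for example `else *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;`, if skipping is the intended behaviour there (confirm against the verifier framework). A comment above the check should record why it exists, e.g. `/* shim does not verify images when Secure Boot is off, so do not ask other verifiers to authenticate these files either. */`, because the result of grub_efi_secure_boot() is now the only thing deciding whether authentication is requested for these types. The case labels above GRUB_FILE_TYPE_ACPI_TABLE and the rest of shim_lock_init lie outside the hunk, so which file types share this branch cannot be confirmed from here.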
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Aug 27 06:58:37 UTC 2020 - Michael Chang
+
+- Fix verification requested but nobody cares error when loading external
+ module in secure boot off (bsc#1175766)
+ * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
+
 -------------------------------------------------------------------
 Sat Aug 22 02:41:49 UTC 2020 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index feed0e6..4a8e020 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -330,6 +330,7 @@ Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
 Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
 Patch719: 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+Patch720: 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -651,6 +652,7 @@ swap partition while in resuming
 %patch717 -p1
 %patch718 -p1
 %patch719 -p1
+%patch720 -p1
 %build
 # collect evidence to debug spurious build failure on SLE15