rpm/grub2
SHA256
1
0
Fork 0
forked from pool/grub2
Code Pull Requests Activity

Accepting request 829926 from home:michael-chang:branches:Base:System

Browse Source 
- Fix verification requested but nobody cares error when loading external
  module in secure boot off (bsc#1175766)
  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch

OBS-URL: https://build.opensuse.org/request/show/829926
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=363
This commit is contained in:
Michael Chang 2020-08-28 04:34:19 +00:00 committed by Git OBS Bridge
parent 67e6feecbf
commit 9d81a73a54
3 changed files with 50 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch Normal file
View File

@ -0,0 +1,41 @@
From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 27 Aug 2020 13:18:25 +0800
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
boot off
The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
status that will cause error [1] on loading external grub modules if
secure boot turned off in which shim protocol itself did not verify
images so should not request verification for external modules either.
This patch fixed the problem by adding the secure boot status check
before requesting other verifiers to verify external module, therefore
external module loading can work after shim_lock module loaded and
secure boot turned off.
[1] error: verification requested but nobody cares:
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/commands/efi/shim_lock.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
index 764098cfc..18d121297 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
case GRUB_FILE_TYPE_ACPI_TABLE:
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+ if (grub_efi_secure_boot())
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
return GRUB_ERR_NONE;
--
2.26.2

7
grub2.changes
View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Thu Aug 27 06:58:37 UTC 2020 - Michael Chang <mchang@suse.com>
- Fix verification requested but nobody cares error when loading external
module in secure boot off (bsc#1175766)
* 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
------------------------------------------------------------------- -------------------------------------------------------------------
Sat Aug 22 02:41:49 UTC 2020 - Michael Chang <mchang@suse.com> Sat Aug 22 02:41:49 UTC 2020 - Michael Chang <mchang@suse.com>

2
grub2.spec
View File

@ -330,6 +330,7 @@ Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
Patch719: 0001-Unify-the-check-to-enable-btrfs-relative-path.patch Patch719: 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
Patch720: 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
Requires: gettext-runtime Requires: gettext-runtime
%if 0%{?suse_version} >= 1140 %if 0%{?suse_version} >= 1140
@ -651,6 +652,7 @@ swap partition while in resuming
%patch717 -p1 %patch717 -p1
%patch718 -p1 %patch718 -p1
%patch719 -p1 %patch719 -p1
%patch720 -p1
%build %build
# collect evidence to debug spurious build failure on SLE15 # collect evidence to debug spurious build failure on SLE15