From a87715017f4c68ba7a865c90606ce1f9b392755f76e39d774e8fde6062315ece Mon Sep 17 00:00:00 2001
From: Michael Chang
Date: Fri, 5 Mar 2021 14:26:32 +0000
Subject: [PATCH 1/2] Accepting request 877250 from home:michael-chang:branches:Base:System
OBS-URL: https://build.opensuse.org/request/show/877250
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=377
---
 ...ed-image-as-shim-s-verifiable-object.patch | 41 -------------------
 grub2.changes | 6 ---
 grub2.spec | 2 -
 3 files changed, 49 deletions(-)
 delete mode 100644 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
diff --git a/0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch b/0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
deleted file mode 100644
index 4a33b1a..0000000
--- a/0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From eaed36ac87c3f8edeea67bf333700819e80ac732 Mon Sep 17 00:00:00 2001
-From: Michael Chang
-Date: Fri, 5 Mar 2021 17:33:17 +0800
-Subject: [PATCH] Add chainloaded image as shim's verifiable object
-
-This fixed error in dual booting Microsoft Windows
-
-error ../../grub-core/kern/verifiers.c:119:verification requested but
-nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
----
- grub-core/kern/efi/sb.c | 1 +
- grub-core/kern/lockdown.c | 1 -
- 2 files changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
-index 41dadcd14..96d237722 100644
---- a/grub-core/kern/efi/sb.c
-+++ b/grub-core/kern/efi/sb.c
-@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
- case GRUB_FILE_TYPE_BSD_KERNEL:
- case GRUB_FILE_TYPE_XNU_KERNEL:
- case GRUB_FILE_TYPE_PLAN9_KERNEL:
-+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
-
- /* Fall through. */
-diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
-index 0bc70fd42..e1fd1c1e2 100644
---- a/grub-core/kern/lockdown.c
-+++ b/grub-core/kern/lockdown.c
-@@ -48,7 +48,6 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
- case GRUB_FILE_TYPE_PXECHAINLOADER:
- case GRUB_FILE_TYPE_PCCHAINLOADER:
- case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
-- case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
- case GRUB_FILE_TYPE_ACPI_TABLE:
- case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
---
-2.26.2
-
diff --git a/grub2.changes b/grub2.changes
index a510783..d4d30b4 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,9 +1,3 @@
--------------------------------------------------------------------
-Fri Mar 5 09:41:07 UTC 2021 - Michael Chang
-
-- Fix chainloading windows on dual boot machine (bsc#1183073)
- * 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
-
 -------------------------------------------------------------------
 Fri Feb 26 06:52:18 UTC 2021 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index d3b6f01..b1ad19c 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -390,7 +390,6 @@ Patch783: 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
 Patch784: 0044-squash-kern-Add-lockdown-support.patch
 Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
-Patch787: 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -770,7 +769,6 @@ swap partition while in resuming
 %patch784 -p1
 %patch785 -p1
 %patch786 -p1
-%patch787 -p1
 %build
 # collect evidence to debug spurious build failure on SLE15
From 6366cfa9e7baa9c01a09fe9dba0243e72754f7b9decc4ff4e5b54a9874e75ed1 Mon Sep 17 00:00:00 2001
From: Michael Chang
Date: Thu, 11 Mar 2021 03:22:49 +0000
Subject: [PATCH 2/2] Accepting request 878247 from home:michael-chang:branches:Base:System
- Fix chainloading windows on dual boot machine (bsc#1183073)
* 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
OBS-URL: https://build.opensuse.org/request/show/878247
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=378
---
 ...chainloaded-image-as-shim-s-verifiab.patch | 45 +++++++++++++++++++
 grub2.changes | 6 +++
 grub2.spec | 2 +
 3 files changed, 53 insertions(+)
 create mode 100644 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
diff --git a/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch b/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
new file mode 100644
index 0000000..6805d64
--- /dev/null
+++ b/0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
@@ -0,0 +1,45 @@
+From 6d05264eeceaa2be991093d7fc31b78130bf5453 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Fri, 5 Mar 2021 21:48:53 +0800
+Subject: [PATCH] kern/efi/sb: Add chainloaded image as shim's verifiable
+ object
+
+While attempting to dual boot Microsoft Windows with UEFI chainloader,
+it failed with below error when UEFI Secure Boot was enabled:
+
+ error ../../grub-core/kern/verifiers.c:119:verification requested but
+ nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
+
+It is a regression, as previously it worked without any problem.
+
+It turns out chainloading PE image has been locked down by commit
+578c95298 (kern: Add lockdown support). However, we should consider it
+as verifiable object by shim to allow booting in UEFI Secure Boot mode.
+The chainloaded PE image could also have trusted signature created by
+vendor with their pubkey cert in db. For that matters it's usage should
+not be locked down under UEFI Secure Boot, and instead shim should be
+allowed to validate a PE binary signature before running it.
+
+Fixes: 578c95298 (kern: Add lockdown support)
+
+Signed-off-by: Michael Chang
+Reviewed-by: Daniel Kiper
+---
+ grub-core/kern/efi/sb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
+index 41dadcd14..96d237722 100644
+--- a/grub-core/kern/efi/sb.c
++++ b/grub-core/kern/efi/sb.c
+@@ -129,6 +129,7 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
+ case GRUB_FILE_TYPE_BSD_KERNEL:
+ case GRUB_FILE_TYPE_XNU_KERNEL:
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
++ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+ /* Fall through. */
+--
+2.26.2
+
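Review bot: The new `case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:` in shim_lock_verifier_init sits directly above `*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;` and the `/* Fall through. */` comment, yet nothing in sb.c records that the signature check on the PE image is being handed off rather than performed by GRUB's verifier; the remainder of the switch, including whatever the fall-through lands on, is outside this hunk. Unlike the superseded v1 patch deleted in the first commit, this version keeps `GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE` in lockdown_verifier_init's `GRUB_VERIFY_FLAGS_DEFER_AUTH` list, so with Secure Boot enabled bootmgfw.efi is only authenticated if the EFI chainloader actually invokes shim's verify protocol before transferring control, as the commit message asserts it should. I would add a one-line comment above the new case, e.g. `/* Not verified here: the EFI chainloader must have shim validate the PE image. */`, and have the commit message or the spec changelog name the chainloader code path that performs that call so the hand-off can be audited. Whether every build that carries this patch also carries a chainloader that makes that call is worth confirming explicitly before it ships for bsc#1183073.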
diff --git a/grub2.changes b/grub2.changes
index d4d30b4..6326782 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Mar 11 02:00:15 UTC 2021 - Michael Chang
+
+- Fix chainloading windows on dual boot machine (bsc#1183073)
+ * 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
+
 -------------------------------------------------------------------
 Fri Feb 26 06:52:18 UTC 2021 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index b1ad19c..b9652c2 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -390,6 +390,7 @@ Patch783: 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
 Patch784: 0044-squash-kern-Add-lockdown-support.patch
 Patch785: 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch786: 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
+Patch787: 0001-kern-efi-sb-Add-chainloaded-image-as-shim-s-verifiab.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -769,6 +770,7 @@ swap partition while in resuming
 %patch784 -p1
 %patch785 -p1
 %patch786 -p1
+%patch787 -p1
 %build
 # collect evidence to debug spurious build failure on SLE15