forked from bottlerocket-os/bottlerocket
-
Notifications
You must be signed in to change notification settings - Fork 0
/
0046-Revert-sb-Add-fallback-to-EFI-LoadImage-if-shim_lock.patch
96 lines (87 loc) · 3.29 KB
/
0046-Revert-sb-Add-fallback-to-EFI-LoadImage-if-shim_lock.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
From 2773f01f5d9292c68b08f9392a8ae0bf9c2e3e30 Mon Sep 17 00:00:00 2001
From: Ben Cressey <[email protected]>
Date: Tue, 13 Feb 2024 22:20:16 +0000
Subject: [PATCH] Revert "sb: Add fallback to EFI LoadImage if shim_lock is
absent"
For Secure Boot in Bottlerocket, we expect that shim_lock will always
be present, and don't need a fallback.
Signed-off-by: Ben Cressey <[email protected]>
---
grub-core/Makefile.core.def | 1 -
grub-core/kern/efi/sb.c | 43 +++----------------------------------
2 files changed, 3 insertions(+), 41 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 5b8728e..3096cd4 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -214,7 +214,6 @@ kernel = {
efi = kern/efi/sb.c;
efi = kern/lockdown.c;
efi = lib/envblk.c;
- efi = lib/crc.c;
i386_coreboot = kern/i386/pc/acpi.c;
i386_multiboot = kern/i386/pc/acpi.c;
i386_coreboot = kern/acpi.c;
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 70f9d9d..db42c25 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -29,7 +29,6 @@
#include <grub/mm.h>
#include <grub/types.h>
#include <grub/verify.h>
-#include <grub/lib/crc.h>
static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
@@ -171,50 +170,14 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
}
}
-static int grub_shim_lock_load_image_fallback(void *data, grub_uint32_t size)
-{
- grub_efi_memory_mapped_device_path_t *mempath;
- grub_efi_handle_t image_handle = 0;
- grub_efi_boot_services_t *b;
- grub_efi_status_t status;
- int len;
-
- mempath = grub_malloc (2 * sizeof (grub_efi_memory_mapped_device_path_t));
- if (!mempath)
- return grub_errno;
-
- mempath[0].header.type = GRUB_EFI_HARDWARE_DEVICE_PATH_TYPE;
- mempath[0].header.subtype = GRUB_EFI_MEMORY_MAPPED_DEVICE_PATH_SUBTYPE;
- mempath[0].header.length = grub_cpu_to_le16_compile_time (sizeof (*mempath));
- mempath[0].memory_type = GRUB_EFI_LOADER_DATA;
- mempath[0].start_address = (grub_addr_t)data;
- mempath[0].end_address = (grub_addr_t)data + size;
-
- mempath[1].header.type = GRUB_EFI_END_DEVICE_PATH_TYPE;
- mempath[1].header.subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
- mempath[1].header.length = sizeof (grub_efi_device_path_t);
-
- b = grub_efi_system_table->boot_services;
- status = efi_call_6 (b->load_image, 0, grub_efi_image_handle,
- (grub_efi_device_path_t *) mempath,
- data, size, &image_handle);
- if (status != GRUB_EFI_SUCCESS) {
- return grub_error (GRUB_ERR_ACCESS_DENIED,
- "Cannot verify image, EFI err: %ld", (long)status);
- }
- efi_call_1 (b->unload_image, image_handle);
- return GRUB_ERR_NONE;
-}
-
static grub_err_t
shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
{
grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
- if (!sl) {
- grub_dprintf ("secureboot", "shim not available, trying UEFI validation\n");
- return grub_shim_lock_load_image_fallback(buf, size);
- }
+ if (!sl)
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+
if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
--
2.43.0