grub-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH v2 09/10] efi: Use shim's loader protocol for EFI image verificat


From: Mate Kukri
Subject: [PATCH v2 09/10] efi: Use shim's loader protocol for EFI image verification and loading
Date: Thu, 30 May 2024 15:12:41 +0100

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
---
 grub-core/kern/efi/sb.c      | 39 +++++++++++++-----------------------
 grub-core/loader/efi/linux.c | 16 ---------------
 include/grub/efi/api.h       |  5 +++++
 include/grub/efi/efi.h       | 19 +++++++++++-------
 include/grub/efi/sb.h        |  3 ---
 5 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 8d3e41360..d3de39599 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -31,8 +31,9 @@
 #include <grub/verify.h>
 
 static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static grub_guid_t shim_loader_guid = GRUB_EFI_SHIM_IMAGE_LOADER_GUID;
 
-static bool shim_lock_enabled = false;
+static grub_efi_loader_t *shim_loader = NULL;
 
 /*
  * Determine whether we're in secure boot mode.
@@ -95,14 +96,6 @@ grub_efi_get_secureboot (void)
   if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
     {
       secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
-      /*
-       * TODO: Replace this all with shim's LoadImage protocol, delegating 
policy to it.
-       *
-       * We need to set shim_lock_enabled here because we disabled secure boot
-       * validation *inside* shim but not in the firmware, so we set this 
variable
-       * here to trigger that code path, whereas the actual verifier is not 
enabled.
-       */
-      shim_lock_enabled = true;
       goto out;
     }
 
@@ -183,14 +176,16 @@ shim_lock_verifier_init (grub_file_t io __attribute__ 
((unused)),
 static grub_err_t
 shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, 
grub_size_t size)
 {
-  grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol 
(&shim_lock_guid, 0);
+  grub_efi_handle_t image_handle;
 
-  if (!sl)
-    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not 
found"));
+  if (!shim_loader)
+    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim loader protocol not 
found"));
 
-  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
+  if (shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, size, 
&image_handle) != GRUB_EFI_SUCCESS)
     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
 
+  shim_loader->unload_image(image_handle);
+
   return GRUB_ERR_NONE;
 }
 
@@ -205,11 +200,10 @@ void
 grub_shim_lock_verifier_setup (void)
 {
   struct grub_module_header *header;
-  grub_efi_shim_lock_protocol_t *sl =
-    grub_efi_locate_protocol (&shim_lock_guid, 0);
+  shim_loader = grub_efi_locate_protocol (&shim_loader_guid, 0);
 
-  /* shim_lock is missing, check if GRUB image is built with 
--disable-shim-lock. */
-  if (!sl)
+  /* shim loader protocol is missing, check if GRUB image is built with 
--disable-shim-lock. */
+  if (!shim_loader)
     {
       FOR_MODULES (header)
        {
@@ -222,17 +216,12 @@ grub_shim_lock_verifier_setup (void)
   if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     return;
 
+  /* register loader */
+  grub_efi_register_loader(shim_loader);
+
   /* Enforce shim_lock_verifier. */
   grub_verifier_register (&shim_lock_verifier);
 
-  shim_lock_enabled = true;
-
   grub_env_set ("shim_lock", "y");
   grub_env_export ("shim_lock");
 }
-
-bool
-grub_is_shim_lock_enabled (void)
-{
-  return shim_lock_enabled;
-}
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 58be3c9f8..99365536a 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -460,22 +460,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ 
((unused)),
 
   grub_dl_ref (my_mod);
 
-  if (grub_is_shim_lock_enabled () == true)
-    {
-#if defined(__i386__) || defined(__x86_64__)
-      grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux 
kernel loader\n");
-
-      err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
-
-      if (err == GRUB_ERR_NONE)
-       return GRUB_ERR_NONE;
-      else
-       goto fail;
-#else
-      grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub 
loader\n");
-#endif
-    }
-
   if (argc == 0)
     {
       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index b686e8afe..9ae908729 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -364,6 +364,11 @@
     { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
   }
 
+#define GRUB_EFI_SHIM_IMAGE_LOADER_GUID \
+  { 0x1f492041, 0xfadb, 0x4e59, \
+    {0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } \
+  }
+
 #define GRUB_EFI_RNG_PROTOCOL_GUID \
   { 0x3152bca5, 0xeade, 0x433d, \
     { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
index 7a98474a1..b79bf0962 100644
--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
@@ -150,15 +150,20 @@ EXPORT_FUNC (grub_efi_unload_image) (grub_efi_handle_t 
image_handle);
 typedef struct grub_efi_loader
 {
   grub_efi_status_t (__grub_efi_api *load_image) (grub_efi_boolean_t 
boot_policy,
-                                  grub_efi_handle_t parent_image_handle,
-                                  grub_efi_device_path_t *file_path,
-                                  void *source_buffer,
-                                  grub_efi_uintn_t source_size,
-                                  grub_efi_handle_t *image_handle);
+                                                 grub_efi_handle_t 
parent_image_handle,
+                                                 grub_efi_device_path_t 
*file_path,
+                                                 void *source_buffer,
+                                                 grub_efi_uintn_t source_size,
+                                                 grub_efi_handle_t 
*image_handle);
 
   grub_efi_status_t (__grub_efi_api *start_image) (grub_efi_handle_t 
image_handle,
-                                   grub_efi_uintn_t *exit_data_size,
-                                   grub_efi_char16_t **exit_data);
+                                                  grub_efi_uintn_t 
*exit_data_size,
+                                                  grub_efi_char16_t 
**exit_data);
+
+  grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle,
+                                           grub_efi_status_t exit_status,
+                                           grub_efi_uintn_t exit_data_size,
+                                           grub_efi_char16_t *exit_data);
 
   grub_efi_status_t (__grub_efi_api *unload_image) (grub_efi_handle_t 
image_handle);
 } grub_efi_loader_t;
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 49a9ad01c..bf8d2db5f 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -31,9 +31,6 @@
 extern grub_uint8_t
 EXPORT_FUNC (grub_efi_get_secureboot) (void);
 
-extern bool
-EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
-
 extern void
 grub_shim_lock_verifier_setup (void);
 #else
-- 
2.39.2




reply via email to

[Prev in Thread] Current Thread [Next in Thread]