grub: disable inside lockdown and shim_lock verifiers

The lockdown support[1] and secure boot detection[2] have been added to grub 2.06. These verifiers are registered when UEFI Secure Boot is enabled. Unfortunately, they conflict with the current MOK2 Verify mechanism. So disable them. Fixes grub error: error: failed to verify kernel /bzImage [1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc [2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
author: Yi Zhao <yi.zhao@windriver.com> 2021-04-07 13:27:01 +0800
committer: Jia Zhang <zhang.jia@linux.alibaba.com> 2021-04-21 12:57:22 +0800
commit: bc84821aa4de652c45614de7c5acd804d0ad5d54 (patch)
tree: 935836eae23fa44d194d55af52675eb229f5239d
parent: 9880c3ab33ca96daad6c9c63389ccbcfea63973b (diff)
download: meta-secure-core-bc84821aa4de652c45614de7c5acd804d0ad5d54.tar.gz
2 files changed, 48 insertions, 0 deletions
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
index c3e7a9c..2477a2e 100644
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -28,6 +28,7 @@ SRC_URI_append_class-target += "\
    file://Grub-get-and-set-efi-variables.patch \
    file://uefi_verify.patch \
    file://0001-grub-verify-Add-strict_security-variable.patch \
+    file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch \
    file://grub-efi.cfg \
    file://boot-menu.inc \
    ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
new file mode 100644
index 0000000..83f5899
--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
@@ -0,0 +1,47 @@
+From ca81ba93b6536916673b6cb9cb6aef7652aee971 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Wed, 7 Apr 2021 11:00:37 +0800
+Subject: [PATCH] kern/efi/init.c: disable inside lockdown and shim_lock
+ verifiers
+The lockdown support[1] and secure boot detection[2] have been added to
+grub 2.06. These verifiers are registered when UEFI Secure Boot is
+enabled. Unfortunately, they conflict with the current MOK2 Verify
+mechanism. So disable them when enable SELoader.
+Fixes grub error:
+error: failed to verify kernel /bzImage
+[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
+[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ grub-core/kern/efi/init.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 7facacf..67b18e9 100644
+--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
+@@ -95,6 +95,7 @@ grub_efi_init (void)
+   /* Initialize the memory management system.  */
+   grub_efi_mm_init ();
+ 
+#if 0
+   /*
+    * Lockdown the GRUB and register the shim_lock verifier
+    * if the UEFI Secure Boot is enabled.
+@@ -104,6 +105,7 @@ grub_efi_init (void)
+       grub_lockdown ();
+       grub_shim_lock_verifier_setup ();
+     }
+#endif
+ 
+   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+              0, 0, 0, NULL);
+-- 
+2.17.1
author	Yi Zhao <yi.zhao@windriver.com>	2021-04-07 13:27:01 +0800
committer	Jia Zhang <zhang.jia@linux.alibaba.com>	2021-04-21 12:57:22 +0800
commit	bc84821aa4de652c45614de7c5acd804d0ad5d54 (patch)
tree	935836eae23fa44d194d55af52675eb229f5239d
parent	9880c3ab33ca96daad6c9c63389ccbcfea63973b (diff)
download	meta-secure-core-bc84821aa4de652c45614de7c5acd804d0ad5d54.tar.gz

diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc index c3e7a9c..2477a2e 100644 --- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -28,6 +28,7 @@ SRC_URI_append_class-target += "\
28	file://Grub-get-and-set-efi-variables.patch \	28	file://Grub-get-and-set-efi-variables.patch \
29	file://uefi_verify.patch \	29	file://uefi_verify.patch \
30	file://0001-grub-verify-Add-strict_security-variable.patch \	30	file://0001-grub-verify-Add-strict_security-variable.patch \
		31	file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch \
31	file://grub-efi.cfg \	32	file://grub-efi.cfg \
32	file://boot-menu.inc \	33	file://boot-menu.inc \
33	${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \	34	${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \


diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch new file mode 100644 index 0000000..83f5899 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch
@@ -0,0 +1,47 @@
		1	From ca81ba93b6536916673b6cb9cb6aef7652aee971 Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Wed, 7 Apr 2021 11:00:37 +0800
		4	Subject: [PATCH] kern/efi/init.c: disable inside lockdown and shim_lock
		5	verifiers
		6
		7	The lockdown support[1] and secure boot detection[2] have been added to
		8	grub 2.06. These verifiers are registered when UEFI Secure Boot is
		9	enabled. Unfortunately, they conflict with the current MOK2 Verify
		10	mechanism. So disable them when enable SELoader.
		11
		12	Fixes grub error:
		13	error: failed to verify kernel /bzImage
		14
		15	[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
		16	[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
		17
		18	Upstream-Status: Inappropriate [embedded specific]
		19
		20	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		21	---
		22	grub-core/kern/efi/init.c \| 2 ++
		23	1 file changed, 2 insertions(+)
		24
		25	diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
		26	index 7facacf..67b18e9 100644
		27	--- a/grub-core/kern/efi/init.c
		28	+++ b/grub-core/kern/efi/init.c
		29	@@ -95,6 +95,7 @@ grub_efi_init (void)
		30	/* Initialize the memory management system. */
		31	grub_efi_mm_init ();
		32
		33	+#if 0
		34	/*
		35	* Lockdown the GRUB and register the shim_lock verifier
		36	* if the UEFI Secure Boot is enabled.
		37	@@ -104,6 +105,7 @@ grub_efi_init (void)
		38	grub_lockdown ();
		39	grub_shim_lock_verifier_setup ();
		40	}
		41	+#endif
		42
		43	efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
		44	0, 0, 0, NULL);
		45	--
		46	2.17.1
		47