author | Yi Zhao <yi.zhao@windriver.com> | 2021-04-07 13:27:01 +0800 |
---|---|---|
committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2021-04-21 12:57:22 +0800 |
commit | bc84821aa4de652c45614de7c5acd804d0ad5d54 (patch) | |
tree | 935836eae23fa44d194d55af52675eb229f5239d | |
parent | 9880c3ab33ca96daad6c9c63389ccbcfea63973b (diff) | |
download | meta-secure-core-bc84821aa4de652c45614de7c5acd804d0ad5d54.tar.gz |
grub: disable inside lockdown and shim_lock verifiers
The lockdown support[1] and secure boot detection[2] have been added to
grub 2.06. These verifiers are registered when UEFI Secure Boot is
enabled. Unfortunately, they conflict with the current MOK2 Verify
mechanism. So disable them.
Fixes grub error:
error: failed to verify kernel /bzImage
[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2 files changed, 48 insertions, 0 deletions
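--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -28,6 +28,7 @@ SRC_URI_append_class-target += "\
 file://Grub-get-and-set-efi-variables.patch \
 file://uefi_verify.patch \
 file://0001-grub-verify-Add-strict_security-variable.patch \
+file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch \
 file://grub-efi.cfg \
 file://boot-menu.inc \
 ${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \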
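Review bot: The new patch is added to SRC_URI unconditionally on new line 31, while the MOK verify patch three lines below is pulled in only when `UEFI_SELOADER == '1'`, and the patch's own header says the verifiers are to be disabled "when enable SELoader". Without the same guard, a build with UEFI_SELOADER unset still compiles GRUB with lockdown and the shim_lock verifier removed but, as far as this diff shows, without the MOK2 verifier taking their place, so the kernel would likely be loaded with no signature check in GRUB at all. Mirroring the existing conditional keeps the two patches in step: `${@'file://0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch' if d.getVar('UEFI_SELOADER', True) == '1' else ''} \`.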
diff --git a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch new file mode 100644 index 0000000..83f5899 --- /dev/null +++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-kern-efi-init.c-disable-inside-lockdown-and-shim_loc.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From ca81ba93b6536916673b6cb9cb6aef7652aee971 Mon Sep 17 00:00:00 2001 | ||
2 | From: Yi Zhao <yi.zhao@windriver.com> | ||
3 | Date: Wed, 7 Apr 2021 11:00:37 +0800 | ||
4 | Subject: [PATCH] kern/efi/init.c: disable inside lockdown and shim_lock | ||
5 | verifiers | ||
6 | |||
7 | The lockdown support[1] and secure boot detection[2] have been added to | ||
8 | grub 2.06. These verifiers are registered when UEFI Secure Boot is | ||
9 | enabled. Unfortunately, they conflict with the current MOK2 Verify | ||
10 | mechanism. So disable them when enable SELoader. | ||
11 | |||
12 | Fixes grub error: | ||
13 | error: failed to verify kernel /bzImage | ||
14 | |||
15 | [1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc | ||
16 | [2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473 | ||
17 | |||
18 | Upstream-Status: Inappropriate [embedded specific] | ||
19 | |||
20 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
21 | --- | ||
22 | grub-core/kern/efi/init.c | 2 ++ | ||
23 | 1 file changed, 2 insertions(+) | ||
24 | |||
25 | diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c | ||
26 | index 7facacf..67b18e9 100644 | ||
27 | --- a/grub-core/kern/efi/init.c | ||
28 | +++ b/grub-core/kern/efi/init.c | ||
29 | @@ -95,6 +95,7 @@ grub_efi_init (void) | ||
30 | /* Initialize the memory management system. */ | ||
31 | grub_efi_mm_init (); | ||
32 | |||
33 | +#if 0 | ||
34 | /* | ||
35 | * Lockdown the GRUB and register the shim_lock verifier | ||
36 | * if the UEFI Secure Boot is enabled. | ||
37 | @@ -104,6 +105,7 @@ grub_efi_init (void) | ||
38 | grub_lockdown (); | ||
39 | grub_shim_lock_verifier_setup (); | ||
40 | } | ||
41 | +#endif | ||
42 | |||
43 | efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer, | ||
44 | 0, 0, 0, NULL); | ||
45 | -- | ||
46 | 2.17.1 | ||
47 | |||
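Review bot: The `#if 0` on patch line 33 compiles out the whole Secure Boot block with no in-code explanation, so anyone rebasing this onto a newer GRUB has nothing at the site telling them why `grub_lockdown ()` and `grub_shim_lock_verifier_setup ()` are skipped. A comment beside the directive, e.g. `/* Disabled: the lockdown and shim_lock verifiers conflict with the MOK2 verifier used with SELoader. */`, would carry the rationale from the patch header into the source. Note also that the disabled block includes `grub_lockdown ()`, which, if it behaves as in upstream 2.06, restricts more than kernel verification (module loading and privileged commands), so the change likely lowers protection beyond the verifier conflict it targets; either confirming in the header that the MOK2 path compensates for that, or narrowing the disable to the `grub_shim_lock_verifier_setup ()` call, would be worth stating. The body of grub_efi_init continues outside both hunks, and the lines between the two hunks are not shown.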