From: Mate Kukri <mate.kukri@canonical.com>
To: grub-devel@gnu.org
Cc: Mate Kukri <mate.kukri@canonical.com>
Subject: [PATCH 14/15] efi: Use shim's loader protocol for EFI image verification and loading
Date: Fri, 24 May 2024 12:04:01 +0100	[thread overview]
Message-ID: <20240524110402.203880-15-mate.kukri@canonical.com> (raw)
In-Reply-To: <20240524110402.203880-1-mate.kukri@canonical.com>

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
---
 grub-core/kern/efi/sb.c      | 39 +++++++++++++-----------------------
 grub-core/loader/efi/linux.c | 16 ---------------
 include/grub/efi/api.h       |  5 +++++
 include/grub/efi/efi.h       | 19 +++++++++++-------
 include/grub/efi/sb.h        |  3 ---
 5 files changed, 31 insertions(+), 51 deletions(-)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 8d3e41360..d3de39599 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -31,8 +31,9 @@
 #include <grub/verify.h>
 
 static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static grub_guid_t shim_loader_guid = GRUB_EFI_SHIM_IMAGE_LOADER_GUID;
 
-static bool shim_lock_enabled = false;
+static grub_efi_loader_t *shim_loader = NULL;
 
 /*
  * Determine whether we're in secure boot mode.
@@ -95,14 +96,6 @@ grub_efi_get_secureboot (void)
   if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1)
     {
       secureboot = GRUB_EFI_SECUREBOOT_MODE_DISABLED;
-      /*
-       * TODO: Replace this all with shim's LoadImage protocol, delegating policy to it.
-       *
-       * We need to set shim_lock_enabled here because we disabled secure boot
-       * validation *inside* shim but not in the firmware, so we set this variable
-       * here to trigger that code path, whereas the actual verifier is not enabled.
-       */
-      shim_lock_enabled = true;
       goto out;
     }
 
@@ -183,14 +176,16 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
 static grub_err_t
 shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
 {
-  grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
+  grub_efi_handle_t image_handle;
 
-  if (!sl)
-    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found"));
+  if (!shim_loader)
+    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim loader protocol not found"));
 
-  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
+  if (shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, size, &image_handle) != GRUB_EFI_SUCCESS)
     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
 
+  shim_loader->unload_image(image_handle);
+
   return GRUB_ERR_NONE;
 }
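Review bot: Every non-success status from `load_image` is reported as "bad shim signature" at the check on the new load_image line, but a full PE load can also fail for reasons unrelated to the signature (out of resources for a large kernel, a malformed or unsupported image, an invalid-parameter return), so a user would be told their kernel is unsigned when the real cause is something else. It would be clearer to keep the status and map only the security-related codes to GRUB_ERR_BAD_SIGNATURE, reporting anything else as a generic load failure; the exact status names available in api.h are not visible here, so adjust to what the header defines. The return value of `unload_image` is also dropped; that is probably acceptable for a verification-only load, but a one-line comment saying that the image is loaded purely to let shim verify it, and is immediately discarded, would help the next reader understand why a kernel is loaded twice. GRUB style also puts a space before the call parenthesis, so `shim_loader->unload_image (image_handle);`.
```c
  grub_efi_status_t status;
  /* … unchanged: NULL shim_loader check … */
  /* Load only so that shim verifies the image; it is never started. */
  status = shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, size, &image_handle);
  if (status == GRUB_EFI_SECURITY_VIOLATION || status == GRUB_EFI_ACCESS_DENIED)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
  if (status != GRUB_EFI_SUCCESS)
    return grub_error (GRUB_ERR_BAD_OS, N_("shim failed to load image"));
  shim_loader->unload_image (image_handle);
```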
 
@@ -205,11 +200,10 @@ void
 grub_shim_lock_verifier_setup (void)
 {
   struct grub_module_header *header;
-  grub_efi_shim_lock_protocol_t *sl =
-    grub_efi_locate_protocol (&shim_lock_guid, 0);
+  shim_loader = grub_efi_locate_protocol (&shim_loader_guid, 0);
 
-  /* shim_lock is missing, check if GRUB image is built with --disable-shim-lock. */
-  if (!sl)
+  /* shim loader protocol is missing, check if GRUB image is built with --disable-shim-lock. */
+  if (!shim_loader)
     {
       FOR_MODULES (header)
 	{
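Review bot: Locating only the loader protocol on the new `shim_loader = grub_efi_locate_protocol` line means a shim that installs shim_lock but not the newer image-loader protocol is now treated exactly like "no shim at all", and the code then goes looking for a `--disable-shim-lock` build marker. What happens when that marker is absent is outside this hunk (the function continues past it), but if it is a hard error, as the old `!sl` path suggests, then pairing an updated GRUB with an older shim becomes a boot failure rather than a fall-back to the previous verify-only behaviour. Either keep the shim_lock lookup as a fallback when the loader protocol is missing, or make the failure message say explicitly that the installed shim is too old, e.g. `/* Older shims only provide shim_lock; require the loader protocol and say so. */`. The comment on the new line should also be precise about which condition it is testing, e.g. `/* shim's loader protocol is missing: either no shim, an old shim, or GRUB built with --disable-shim-lock. */`.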
@@ -222,17 +216,12 @@ grub_shim_lock_verifier_setup (void)
   if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     return;
 
+  /* register loader */
+  grub_efi_register_loader(shim_loader);
+
   /* Enforce shim_lock_verifier. */
   grub_verifier_register (&shim_lock_verifier);
 
-  shim_lock_enabled = true;
-
   grub_env_set ("shim_lock", "y");
   grub_env_export ("shim_lock");
 }
-
-bool
-grub_is_shim_lock_enabled (void)
-{
-  return shim_lock_enabled;
-}
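Review bot: `grub_efi_register_loader (shim_loader)` is placed after the `grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED` early return, but the earlier hunk in this file makes the MokSBState-disabled path return GRUB_EFI_SECUREBOOT_MODE_DISABLED, so in that configuration the shim loader is never registered even though the protocol is present. The removed comment explained that in that state validation is off inside shim while the firmware may still enforce Secure Boot; if the default loader is the firmware's own LoadImage (patch 13 is not visible here), unsigned kernels that shim would have accepted will be rejected, which is the case the removed legacy fallback used to cover. Moving the registration above the secure-boot check, so that the loader is delegated to shim whenever the protocol exists and only the verifier stays gated, would preserve that behaviour: `grub_efi_register_loader (shim_loader);` before the `if (grub_efi_get_secureboot () ...)` line. The function begins outside this hunk.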
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 58be3c9f8..99365536a 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -460,22 +460,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
   grub_dl_ref (my_mod);
 
-  if (grub_is_shim_lock_enabled () == true)
-    {
-#if defined(__i386__) || defined(__x86_64__)
-      grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux kernel loader\n");
-
-      err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
-
-      if (err == GRUB_ERR_NONE)
-	return GRUB_ERR_NONE;
-      else
-	goto fail;
-#else
-      grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub loader\n");
-#endif
-    }
-
   if (argc == 0)
     {
       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index b686e8afe..9ae908729 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -364,6 +364,11 @@
     { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
   }
 
+#define GRUB_EFI_SHIM_IMAGE_LOADER_GUID \
+  { 0x1f492041, 0xfadb, 0x4e59, \
+    {0x9e, 0x57, 0x7c, 0xaf, 0xe7, 0x3a, 0x55, 0xab } \
+  }
+
 #define GRUB_EFI_RNG_PROTOCOL_GUID \
   { 0x3152bca5, 0xeade, 0x433d, \
     { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
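Review bot: The new GUID has no comment saying where its value comes from, unlike a reader would want for a constant that must match shim byte for byte. A short note above the define, `/* Image loader protocol installed by shim; value must match shim's definition of the loader GUID. */`, makes the provenance checkable at review time and tells the next person not to "fix" it.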
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
index 6b517a1ea..cf78f3d71 100644
--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
@@ -150,15 +150,20 @@ EXPORT_FUNC (grub_efi_unload_image) (grub_efi_handle_t image_handle);
 typedef struct grub_efi_loader
 {
   grub_efi_status_t (__grub_efi_api *load_image) (grub_efi_boolean_t boot_policy,
-				   grub_efi_handle_t parent_image_handle,
-				   grub_efi_device_path_t *file_path,
-				   void *source_buffer,
-				   grub_efi_uintn_t source_size,
-				   grub_efi_handle_t *image_handle);
+						  grub_efi_handle_t parent_image_handle,
+						  grub_efi_device_path_t *file_path,
+						  void *source_buffer,
+						  grub_efi_uintn_t source_size,
+						  grub_efi_handle_t *image_handle);
 
   grub_efi_status_t (__grub_efi_api *start_image) (grub_efi_handle_t image_handle,
-				    grub_efi_uintn_t *exit_data_size,
-				    grub_efi_char16_t **exit_data);
+						   grub_efi_uintn_t *exit_data_size,
+						   grub_efi_char16_t **exit_data);
+
+  grub_efi_status_t (__grub_efi_api *exit) (grub_efi_handle_t image_handle,
+					    grub_efi_status_t exit_status,
+					    grub_efi_uintn_t exit_data_size,
+					    grub_efi_char16_t *exit_data);
 
   grub_efi_status_t (__grub_efi_api *unload_image) (grub_efi_handle_t image_handle);
 } grub_efi_loader_t;
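Review bot: Inserting `exit` between `start_image` and `unload_image` changes the layout of grub_efi_loader_t, and since the pointer returned by `grub_efi_locate_protocol` is used directly as this struct in sb.c, the member order is now an ABI contract with shim's protocol rather than an internal GRUB choice. Nothing in the header says so; a comment such as `/* Layout mirrors shim's image-loader protocol: members must stay in this order and must not be reordered or inserted between. */` above the typedef would prevent a well-meaning reorder. Any other instance of this struct (for example a firmware-backed default loader from patch 13, which is not visible here) must also be checked for positional initialisation, since a positional initializer would silently shift `unload_image` into the new `exit` slot.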
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 49a9ad01c..bf8d2db5f 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -31,9 +31,6 @@
 extern grub_uint8_t
 EXPORT_FUNC (grub_efi_get_secureboot) (void);
 
-extern bool
-EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
-
 extern void
 grub_shim_lock_verifier_setup (void);
 #else
-- 
2.39.2

