From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Date: Fri, 4 Mar 2022 11:29:31 +0100

Subject: [PATCH] grub-core/loader/arm64/linux.c: do not validate kernel twice

Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes

the kernel file through shim-lock verifier when secureboot is on. Thus

there is no need to validate the kernel image again. And when doing so

again, duplicate PCR measurement is performed, breaking measurements

compatibility with 2.04+linuxefi.

This patch must not be ported to older editions of grub code bases

that do not have verifiers framework, or it is not builtin, or

shim-lock-verifier is an optional module.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

---

 grub-core/loader/arm64/linux.c | 13 -------------

 1 file changed, 13 deletions(-)

diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c

index f18d90bd74..d2af47c2c0 100644

--- a/grub-core/loader/arm64/linux.c

+++ b/grub-core/loader/arm64/linux.c

@@ -34,7 +34,6 @@

 #include <grub/i18n.h>

 #include <grub/lib/cmdline.h>

 #include <grub/verify.h>

-#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -341,7 +340,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

   grub_off_t filelen;

   grub_uint32_t align;

   void *kernel = NULL;

-  int rc;

   grub_dl_ref (my_mod);

@@ -370,17 +368,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

       goto fail;

     }

-  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

-    {

-      rc = grub_linuxefi_secure_validate (kernel, filelen);

-      if (rc <= 0)

-	{

-	  grub_error (GRUB_ERR_INVALID_COMMAND,

-		      N_("%s has invalid signature"), argv[0]);

-	  goto fail;

-	}

-    }

-

   if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE)

     goto fail;

   if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)