From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

Date: Fri, 4 Mar 2022 09:31:43 +0100

Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate

 chainloader twice

On secureboot systems, with shimlock verifier, call to

grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already

pass the chainloader target through shim-lock protocol verify

call. And create a TPM measurement. If verification fails,

grub_cmd_chainloader will fail at file open time.

This makes previous code paths for negative, and zero return codes

from grub_linuxefi_secure_validate unreachable under secureboot. But

also breaking measurements compatibility with 2.04+linuxefi codebases,

as the chainloader file is passed through shim_lock->verify() twice

(via verifier & direct call to grub_linuxefi_secure_validate)

extending the PCRs twice.

This reduces grub_loader options to perform

grub_secureboot_chainloader when secureboot is on, and otherwise

attempt grub_chainloader_boot.

It means that booting with secureboot off, yet still with shim (which

always verifies things successfully), will stop choosing

grub_secureboot_chainloader, and opting for a more regular

loadimage/startimage codepath. If we want to use the

grub_secureboot_chainloader codepath in such scenarios we should adapt

the code to simply check for shim_lock protocol presence /

shim_lock->context() success?! But I am not sure if that is necessary.

This patch must not be ported to older editions of grub code bases

that do not have verifiers framework, or it is not builtin, or

shim-lock-verifier is an optional module.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

---

 grub-core/loader/efi/chainloader.c | 8 ++------

 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c

index 3af6b12292..644cd2e56f 100644

--- a/grub-core/loader/efi/chainloader.c

+++ b/grub-core/loader/efi/chainloader.c

@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

   grub_efi_device_path_t *dp = 0;

   char *filename;

   void *boot_image = 0;

-  int rc;

   if (argc == 0)

     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

       orig_dev = 0;

     }

-  rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);

-  grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);

-  if (rc > 0)

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

     {

       grub_file_close (file);

       grub_device_close (dev);

@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

 		       grub_secureboot_chainloader_unload, 0);

       return 0;

     }

-  else if (rc == 0)

+  else

     {

       grub_load_and_start_image(boot_image);

       grub_file_close (file);

@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),

       return 0;

     }

-  // -1 fall-through to fail

 fail:

   if (orig_dev)