Blame SOURCES/0208-grub-core-loader-efi-chainloader.c-do-not-validate-c.patch

b35c50
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b35c50
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
b35c50
Date: Fri, 4 Mar 2022 09:31:43 +0100
b35c50
Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate
b35c50
 chainloader twice
b35c50
b35c50
On secureboot systems, with shimlock verifier, call to
b35c50
grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
b35c50
pass the chainloader target through shim-lock protocol verify
b35c50
call. And create a TPM measurement. If verification fails,
b35c50
grub_cmd_chainloader will fail at file open time.
b35c50
b35c50
This makes previous code paths for negative, and zero return codes
b35c50
from grub_linuxefi_secure_validate unreachable under secureboot. But
b35c50
also breaking measurements compatibility with 2.04+linuxefi codebases,
b35c50
as the chainloader file is passed through shim_lock->verify() twice
b35c50
(via verifier & direct call to grub_linuxefi_secure_validate)
b35c50
extending the PCRs twice.
b35c50
b35c50
This reduces grub_loader options to perform
b35c50
grub_secureboot_chainloader when secureboot is on, and otherwise
b35c50
attempt grub_chainloader_boot.
b35c50
b35c50
It means that booting with secureboot off, yet still with shim (which
b35c50
always verifies things successfully), will stop choosing
b35c50
grub_secureboot_chainloader, and opting for a more regular
b35c50
loadimage/startimage codepath. If we want to use the
b35c50
grub_secureboot_chainloader codepath in such scenarios we should adapt
b35c50
the code to simply check for shim_lock protocol presence /
b35c50
shim_lock->context() success?! But I am not sure if that is necessary.
b35c50
b35c50
This patch must not be ported to older editions of grub code bases
b35c50
that do not have verifiers framework, or it is not builtin, or
b35c50
shim-lock-verifier is an optional module.
b35c50
b35c50
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
b35c50
---
b35c50
 grub-core/loader/efi/chainloader.c | 8 ++------
b35c50
 1 file changed, 2 insertions(+), 6 deletions(-)
b35c50
b35c50
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
b35c50
index 3af6b12292..644cd2e56f 100644
b35c50
--- a/grub-core/loader/efi/chainloader.c
b35c50
+++ b/grub-core/loader/efi/chainloader.c
b35c50
@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
b35c50
   grub_efi_device_path_t *dp = 0;
b35c50
   char *filename;
b35c50
   void *boot_image = 0;
b35c50
-  int rc;
b35c50
 
b35c50
   if (argc == 0)
b35c50
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
b35c50
@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
b35c50
       orig_dev = 0;
b35c50
     }
b35c50
 
b35c50
-  rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);
b35c50
-  grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
b35c50
-  if (rc > 0)
b35c50
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
b35c50
     {
b35c50
       grub_file_close (file);
b35c50
       grub_device_close (dev);
b35c50
@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
b35c50
 		       grub_secureboot_chainloader_unload, 0);
b35c50
       return 0;
b35c50
     }
b35c50
-  else if (rc == 0)
b35c50
+  else
b35c50
     {
b35c50
       grub_load_and_start_image(boot_image);
b35c50
       grub_file_close (file);
b35c50
@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
b35c50
 
b35c50
       return 0;
b35c50
     }
b35c50
-  // -1 fall-through to fail
b35c50
 
b35c50
 fail:
b35c50
   if (orig_dev)