From 01120b5ec61ae7bbe550b1e2fe0f75c2d2073b1f Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Fri, 6 May 2022 15:44:14 +0800
Subject: [PATCH] grub verify: Add skip_check_cfg variable

While check_signatures enabled, with skip_check_cfg set to 1
- Do not verify the signature on the file that has suffix `.cfg'
- Do not authenticate user and password if cfg is changed

Implement function grub_strendswith to find cfg file

Upstream-Status: Pending

Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
 grub-core/commands/pgp.c | 12 ++++++++++++
 grub-core/kern/misc.c    | 12 ++++++++++++
 grub-core/normal/auth.c  |  5 +++++
 include/grub/misc.h      |  1 +
 4 files changed, 30 insertions(+)

diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 5daa1e9..e60a29a 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -873,6 +873,18 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
   char *fsuf, *ptr;
   grub_err_t err;
   struct grub_pubkey_context *ctxt;
+  const char *val;
+
+  /* SKip to check the signature of cfg */
+  val = grub_env_get ("skip_check_cfg");
+  if (val && (val[0] == '1'))
+    {
+      if (grub_strendswith (io->name, ".cfg"))
+        {
+          *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+          return GRUB_ERR_NONE;
+        }
+    }
 
   if (!sec)
     {
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index 3af336e..8bf1d90 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -280,6 +280,18 @@ grub_strncmp (const char *s1, const char *s2, grub_size_t n)
   return (int) (grub_uint8_t) *s1 - (int) (grub_uint8_t)  *s2;
 }
 
+int
+grub_strendswith (const char *str, const char *suffix)
+{
+    if (!str || !suffix)
+        return 0;
+    grub_size_t lenstr = grub_strlen(str);
+    grub_size_t lensuffix = grub_strlen(suffix);
+    if (lensuffix >  lenstr)
+        return 0;
+    return grub_strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
+}
+
 char *
 grub_strchr (const char *s, int c)
 {
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index 6be678c..57a1a42 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -136,6 +136,11 @@ is_authenticated (const char *userlist)
   const char *superusers;
   struct grub_auth_user *user;
 
+  /* SKip to authenticate grub cfg */
+  const char *val = grub_env_get ("skip_check_cfg");
+  if (val && (val[0] == '1'))
+    return 1;
+
   superusers = grub_env_get ("superusers");
 
   if (!superusers)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 7d2b551..cce29d7 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -82,6 +82,7 @@ grub_memcpy (void *dest, const void *src, grub_size_t n)
 int EXPORT_FUNC(grub_memcmp) (const void *s1, const void *s2, grub_size_t n);
 int EXPORT_FUNC(grub_strcmp) (const char *s1, const char *s2);
 int EXPORT_FUNC(grub_strncmp) (const char *s1, const char *s2, grub_size_t n);
+int EXPORT_FUNC(grub_strendswith) (const char *str, const char *suffix);
 
 char *EXPORT_FUNC(grub_strchr) (const char *s, int c);
 char *EXPORT_FUNC(grub_strrchr) (const char *s, int c);
-- 
2.17.1