From 038c21e7a7609340734d044482f24fee7f9f7a8f Mon Sep 17 00:00:00 2001 From: Jason Wessel Date: Thu, 17 Oct 2019 12:35:01 -0700 Subject: [PATCH] grub shim verify: Report that the loaded object is verified When check_signatures is set to enforcing, the signatures of the loaded files have been checked, so the shim service should be informed that it is ok to execute the loaded file. Upstream-Status: Inappropriate Signed-off-by: Jason Wessel --- grub-core/loader/i386/linux.c | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index 747cfe0..87469e7 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c @@ -21,6 +21,10 @@ #include #include #include +#include +#include +#include +#include #include #include #include @@ -647,6 +651,23 @@ grub_linux_unload (void) return GRUB_ERR_NONE; } +static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID; + +static grub_efi_status_t +grub_shim_verify (grub_addr_t addr, grub_ssize_t size) +{ + struct grub_shim_lock *shim_lock; + shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0); + if (!shim_lock) + { + grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol"); + return GRUB_EFI_UNSUPPORTED; + } + + shim_lock->verify((void *) addr, size); + return GRUB_ERR_NONE; +} + static grub_err_t grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), int argc, char *argv[]) @@ -680,6 +701,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), argv[0]); goto fail; } + const char *ge_val = grub_env_get ("check_signatures"); + if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e')) + /* Verify was handled by .sig files, inform shim */ + grub_shim_verify((grub_addr_t)&lh, sizeof(lh)); if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55)) { -- 2.17.1