From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Fri, 4 Mar 2022 11:36:09 +0100
Subject: [PATCH] grub-core/loader/efi/linux.c: drop now unused
grub_linuxefi_secure_validate
Drop the now unused grub_linuxefi_secure_validate() as all prior users
of this API now rely on the shim-lock-verifier codepath instead.
This patch must not be ported to older GRUB code bases that do not
have the verifiers framework, or where it is not built in, or where
shim-lock-verifier is an optional module.
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
grub-core/loader/efi/linux.c | 40 ----------------------------------------
include/grub/efi/linux.h | 2 --
2 files changed, 42 deletions(-)
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 9260731c10..9265cf4200 100644
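--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -24,46 +24,6 @@
 #include <grub/efi/pe32.h>
 #include <grub/efi/linux.h>
 
-#define SHIM_LOCK_GUID \
- { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }
-
-struct grub_efi_shim_lock
-{
- grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);
-};
-typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
-
-// Returns 1 on success, -1 on error, 0 when not available
-int
-grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
-{
- grub_efi_guid_t guid = SHIM_LOCK_GUID;
- grub_efi_shim_lock_t *shim_lock;
- grub_efi_status_t status;
-
- shim_lock = grub_efi_locate_protocol(&guid, NULL);
- grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
- if (!shim_lock)
- {
- grub_dprintf ("secureboot", "shim not available\n");
- return 0;
- }
-
- grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
- status = shim_lock->verify (data, size);
- grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
- if (status == GRUB_EFI_SUCCESS)
- {
- grub_dprintf ("secureboot", "Kernel signature verification passed\n");
- return 1;
- }
-
- grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
- (unsigned long) status);
-
- return -1;
-}
-
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wcast-align"
 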
diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
index 0033d9305a..887b02fd9f 100644
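--- a/include/grub/efi/linux.h
+++ b/include/grub/efi/linux.h
@@ -22,8 +22,6 @@
 #include <grub/err.h>
 #include <grub/symbol.h>
 
-int
-EXPORT_FUNC(grub_linuxefi_secure_validate) (void *data, grub_uint32_t size);
 grub_err_t
 EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset,
 void *kernel_param);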