nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone
Blob Blame History Raw
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Fri, 4 Mar 2022 09:31:43 +0100
Subject: [PATCH] grub-core/loader/efi/chainloader.c: do not validate
 chainloader twice

On secureboot systems, with shimlock verifier, call to
grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
pass the chainloader target through shim-lock protocol verify
call. And create a TPM measurement. If verification fails,
grub_cmd_chainloader will fail at file open time.

This makes previous code paths for negative, and zero return codes
from grub_linuxefi_secure_validate unreachable under secureboot. But
also breaking measurements compatibility with 2.04+linuxefi codebases,
as the chainloader file is passed through shim_lock->verify() twice
(via verifier & direct call to grub_linuxefi_secure_validate)
extending the PCRs twice.

This reduces grub_loader options to perform
grub_secureboot_chainloader when secureboot is on, and otherwise
attempt grub_chainloader_boot.

It means that booting with secureboot off, yet still with shim (which
always verifies things successfully), will stop choosing
grub_secureboot_chainloader, and opting for a more regular
loadimage/startimage codepath. If we want to use the
grub_secureboot_chainloader codepath in such scenarios we should adapt
the code to simply check for shim_lock protocol presence /
shim_lock->context() success?! But I am not sure if that is necessary.

This patch must not be ported to older editions of grub code bases
that do not have verifiers framework, or it is not builtin, or
shim-lock-verifier is an optional module.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 grub-core/loader/efi/chainloader.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index 3af6b12292..644cd2e56f 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -906,7 +906,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
   grub_efi_device_path_t *dp = 0;
   char *filename;
   void *boot_image = 0;
-  int rc;
 
   if (argc == 0)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@@ -1082,9 +1081,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
       orig_dev = 0;
     }
 
-  rc = grub_linuxefi_secure_validate((void *)(unsigned long)address, fsize);
-  grub_dprintf ("chain", "linuxefi_secure_validate: %d\n", rc);
-  if (rc > 0)
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     {
       grub_file_close (file);
       grub_device_close (dev);
@@ -1092,7 +1089,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
 		       grub_secureboot_chainloader_unload, 0);
       return 0;
     }
-  else if (rc == 0)
+  else
     {
       grub_load_and_start_image(boot_image);
       grub_file_close (file);
@@ -1101,7 +1098,6 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
 
       return 0;
     }
-  // -1 fall-through to fail
 
 fail:
   if (orig_dev)