Blob Blame History Raw
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 11:11:17 +1000
Subject: [PATCH] ieee1275: link appended-signature enforcement to
 /ibm,secure-boot

If the 'ibm,secure-boot' property of the root node is 2 or greater,
require that the kernel pass appended-signature verification.

Do not consider the presence of a certificate to enforce verification.

Signed-off-by: Daniel Axtens <dja@axtens.net>
---
 grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++-------
 grub-core/kern/ieee1275/init.c               | 26 ++++++++++++++++
 2 files changed, 60 insertions(+), 10 deletions(-)

diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index 5d8897be5c8..4ef2ec2893c 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -95,10 +95,24 @@ static char *
 grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
 		    const char *val)
 {
+  if (check_sigs == 2)
+    return grub_strdup ("forced");
   check_sigs = (*val == '1') || (*val == 'e');
   return grub_strdup (check_sigs ? "enforce" : "no");
 }
 
+static const char *
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
+                         const char *val __attribute__ ((unused)))
+{
+  if (check_sigs == 2)
+    return "forced";
+  else if (check_sigs == 1)
+    return "enforce";
+  else
+    return "no";
+}
+
 static grub_err_t
 read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
 {
@@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig)
   val = grub_env_get ("check_appended_signatures");
   grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
 
-  if (val && (val[0] == '1' || val[0] == 'e'))
-    check_sigs = 1;
-  else
-    check_sigs = 0;
+  if (val)
+  {
+    if (val[0] == '2' || val[0] == 'f')
+      check_sigs = 2;
+    else if (val[0] == '1' || val[0] == 'e')
+      check_sigs = 1;
+    else
+      check_sigs = 0;
+  }
 
   grub_trusted_key = NULL;
 
-  grub_register_variable_hook ("check_appended_signatures", 0,
+  grub_register_variable_hook ("check_appended_signatures",
+  			       grub_env_read_sec,
 			       grub_env_write_sec);
   grub_env_export ("check_appended_signatures");
 
@@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig)
     grub_trusted_key = pk;
   }
 
-  if (!val || val[0] == '\0')
-    {
-      grub_env_set ("check_appended_signatures",
-		    grub_trusted_key ? "enforce" : "no");
-    }
+  /*
+   * When controlled by ibm,secure-boot, we don't want the presence of
+   * a certificate to enforce secure boot.
+   * if (!val || val[0] == '\0')
+   * {
+   *    grub_env_set ("check_appended_signatures",
+   *		      grub_trusted_key ? "enforce" : "no");
+   * }
+   */
 
   cmd_trust =
     grub_register_command ("trust_certificate", grub_cmd_trust,
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index f8a4f8f4214..137a343bca7 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -266,6 +266,30 @@ grub_parse_cmdline (void)
     }
 }
 
+static void
+grub_get_ieee1275_secure_boot (void)
+{
+  grub_ieee1275_phandle_t root;
+  int rc;
+  grub_uint32_t is_sb;
+
+  grub_ieee1275_finddevice ("/", &root);
+
+  rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
+                                           sizeof (is_sb), 0);
+
+  /* ibm,secure-boot:
+   * 0 - disabled
+   * 1 - audit
+   * 2 - enforce
+   * 3 - enforce + OS-specific behaviour
+   *
+   * We only support enforce.
+   */
+  if (rc >= 0 && is_sb >= 2)
+    grub_env_set("check_appended_signatures", "forced");
+}
+
 grub_addr_t grub_modbase;
 
 void
@@ -288,6 +312,8 @@ grub_machine_init (void)
 #else
   grub_install_get_time_ms (grub_rtc_get_time_ms);
 #endif
+
+  grub_get_ieee1275_secure_boot ();
 }
 
 void