efi: Fallback to legacy mode if shim is loaded on x86 archs

The LoadImage() provided by the shim does not consult MOK when loading
an image. So, simply signature verification fails when it should not.
This means we cannot use Linux EFI stub to start the kernel when the
shim is loaded. We have to fallback to legacy mode on x86 architectures.
This is not possible on other architectures due to lack of legacy mode.

This is workaround which should disappear when the shim provides
LoadImage() which looks up MOK during signature verification.

On the occasion align constants in include/grub/efi/sb.h.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 80cfa0888baa04682f71a41ce7c5057e1f6ba2b0..60550a6dae30ed8885c7856a00e7f4bf7d135d4d 100644 (file)
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -32,6 +32,8 @@
 
 static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
 
+static bool shim_lock_enabled = false;
+
 /*
  * Determine whether we're in secure boot mode.
  *
@@ -215,6 +217,14 @@ grub_shim_lock_verifier_setup (void)
   /* Enforce shim_lock_verifier. */
   grub_verifier_register (&shim_lock_verifier);
 
+  shim_lock_enabled = true;
+
   grub_env_set ("shim_lock", "y");
   grub_env_export ("shim_lock");
 }
+
+bool
+grub_is_shim_lock_enabled (void)
+{
+  return shim_lock_enabled;
+}

diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 43c4e2d3dcacda7a21e948de09414718df97b2f7..ab8fb35adb05e88f3fd6954720eff1f75b31f688 100644 (file)
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -29,6 +29,7 @@
 #include <grub/efi/fdtload.h>
 #include <grub/efi/memory.h>
 #include <grub/efi/pe32.h>
+#include <grub/efi/sb.h>
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/verify.h>
@@ -458,6 +459,22 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
   grub_dl_ref (my_mod);
 
+  if (grub_is_shim_lock_enabled () == true)
+    {
+#if defined(__i386__) || defined(__x86_64__)
+      grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux kernel loader\n");
+
+      err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
+
+      if (err == GRUB_ERR_NONE)
+       return GRUB_ERR_NONE;
+      else
+       goto fail;
+#else
+      grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub loader\n");
+#endif
+    }
+
   if (argc == 0)
     {
       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 30c4335bb1238e79ca048eef7509781cf13564a1..49a9ad01cc947b007ce0918133137dc9f09c86b7 100644 (file)
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -22,7 +22,7 @@
 #include <grub/types.h>
 #include <grub/dl.h>
 
-#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
+#define GRUB_EFI_SECUREBOOT_MODE_UNSET         0
 #define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN       1
 #define GRUB_EFI_SECUREBOOT_MODE_DISABLED      2
 #define GRUB_EFI_SECUREBOOT_MODE_ENABLED       3
@@ -31,6 +31,9 @@
 extern grub_uint8_t
 EXPORT_FUNC (grub_efi_get_secureboot) (void);
 
+extern bool
+EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
+
 extern void
 grub_shim_lock_verifier_setup (void);
 #else