From: Daniel Kiper Date: Fri, 30 Jun 2023 14:02:15 +0000 (+0200) Subject: efi: Fallback to legacy mode if shim is loaded on x86 archs X-Git-Tag: grub-2.12-rc1~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6425c12cd77ad51ad24be84c092aefacf0875089;p=thirdparty%2Fgrub.git efi: Fallback to legacy mode if shim is loaded on x86 archs The LoadImage() provided by the shim does not consult MOK when loading an image. So, simply signature verification fails when it should not. This means we cannot use Linux EFI stub to start the kernel when the shim is loaded. We have to fallback to legacy mode on x86 architectures. This is not possible on other architectures due to lack of legacy mode. This is workaround which should disappear when the shim provides LoadImage() which looks up MOK during signature verification. On the occasion align constants in include/grub/efi/sb.h. Signed-off-by: Daniel Kiper Reviewed-by: Ard Biesheuvel
---
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 80cfa0888..60550a6da 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -32,6 +32,8 @@ static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
+static bool shim_lock_enabled = false;
+
 /*
 * Determine whether we're in secure boot mode.
 *
@@ -215,6 +217,14 @@ grub_shim_lock_verifier_setup (void)
 /* Enforce shim_lock_verifier. */
 grub_verifier_register (&shim_lock_verifier);
+ shim_lock_enabled = true;
+
 grub_env_set ("shim_lock", "y");
 grub_env_export ("shim_lock");
 }
+
+bool
+grub_is_shim_lock_enabled (void)
+{
+ return shim_lock_enabled;
+}
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 43c4e2d3d..ab8fb35ad 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -29,6 +29,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
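Review bot: The new exported `grub_is_shim_lock_enabled` in the `@@ -215,6 +217,14 @@` hunk has no comment, yet it becomes the switch that decides in grub-core/loader/efi/linux.c whether a kernel image is verified by GRUB's own shim_lock verifier or handed to the firmware's LoadImage(). Within the visible hunks `shim_lock_enabled` starts as `false` (the `static bool` added in the `@@ -32,6 +32,8 @@` hunk) and is only ever set to `true`, right after `grub_verifier_register (&shim_lock_verifier)`, so the accessor reports "the verifier has been registered", not a live secure-boot state; a comment should say exactly that so callers do not read more into it. I would put above the definition: `/* Return true once grub_shim_lock_verifier_setup () has registered the shim_lock verifier, i.e. GRUB itself verifies images through the shim lock protocol. */`. Whether grub_shim_lock_verifier_setup () can run more than once is not visible here; the flag is idempotent either way.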
@@ -458,6 +459,22 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 grub_dl_ref (my_mod);
+ if (grub_is_shim_lock_enabled () == true)
+ {
+#if defined(__i386__) || defined(__x86_64__)
+ grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux kernel loader\n");
+
+ err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
+
+ if (err == GRUB_ERR_NONE)
+ return GRUB_ERR_NONE;
+ else
+ goto fail;
+#else
+ grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub loader\n");
+#endif
+ }
+
 if (argc == 0)
 {
 grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 30c4335bb..49a9ad01c 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -22,7 +22,7 @@
 #include
 #include
-#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
+#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
 #define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN 1
 #define GRUB_EFI_SECUREBOOT_MODE_DISABLED 2
 #define GRUB_EFI_SECUREBOOT_MODE_ENABLED 3
@@ -31,6 +31,9 @@ extern grub_uint8_t
 EXPORT_FUNC (grub_efi_get_secureboot) (void);
+extern bool
+EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
+
 extern void
 grub_shim_lock_verifier_setup (void);
 #else
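Review bot: The x86 branch returns `GRUB_ERR_NONE` with the `grub_dl_ref (my_mod)` taken on the line just above still held, and on error jumps to `fail`, which lies outside this hunk; whether `fail:` drops that reference, and whether `grub_cmd_linux_x86_legacy` takes and releases its own reference on the same module, cannot be seen here and should be confirmed, otherwise the module reference count drifts on every legacy boot. This branch is also the point where, under shim, kernel signature verification moves from the firmware's LoadImage() to GRUB's shim_lock verifier, so I would put a comment above the `if` stating that the legacy path is only safe because `grub_is_shim_lock_enabled ()` implies that verifier is registered, and that the branch is a workaround to be removed once shim's LoadImage() consults MOK. As a matter of style `if (grub_is_shim_lock_enabled () == true)` should be `if (grub_is_shim_lock_enabled ())`. On non-x86 the only trace is a `grub_dprintf`, so a user whose EFI stub load then fails verification sees no hint of the cause unless debugging is enabled; the rest of grub_cmd_linux, including the `err` declaration, is outside the hunk.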
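Review bot: The new prototype in the `@@ -31,6 +31,9 @@` hunk of include/grub/efi/sb.h introduces `bool` into this header, and the two `#include` lines at the top of the `@@ -22,7 +22,7 @@` hunk lost their targets in this rendering, so I cannot confirm that a header providing `bool` is already pulled in; if it is not, any file that includes sb.h before a `bool`-providing header will fail to compile. The hunk ends at `#else`, so the non-EFI side of that conditional is outside the hunk; if it carries stubs for the other EFI-only declarations, `grub_is_shim_lock_enabled` presumably needs a matching stub there too, which is worth checking. The exported declaration would also benefit from the same one-line comment as its definition, e.g. `/* True once the shim_lock verifier has been registered. */`.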