On Mon, 8 Jul 2019 14:57:08 +0100 Colin Watson <cjwat...@debian.org>
wrote:
> I'm not aware of anyone working on it at the moment. I won't directly
> revert the patch that introduced this problem because doing so would
> have too much other fallout, but I'd be happy to help you if you're
> interested in working on a patch to make GRUB behave differently in
> the presence of check_signatures while preserving the current default
> workflow.
>
> --
> Colin Watson
> [cjwat...@debian.org]
>
>
Thanks!
Alright, here new version of linuxefi_disable_sb_fallback.patch
attached, which does what was discussed here.
I just tested it and it works. Here is gist link just in case if
bugtracker strips attaches:
https://gist.github.com/Snawoot/d669d8302262e7b377ac7a9e65f90b89
May I hope it'll be included into Debian updates?
--
Best Regards,
Vladislav Yarmak
>From 3627951693d3e40b5d263ca567ef990edf7b7c2f Mon Sep 17 00:00:00 2001
From: Linn Crosetto <l...@hpe.com>
Date: Tue, 5 Apr 2016 11:49:05 -0600
Subject: Disallow unsigned kernels if UEFI Secure Boot is enabled
If UEFI Secure Boot is enabled and kernel signature verification fails, do not
boot the kernel. Before this change, if kernel signature verification failed
then GRUB would fall back to calling ExitBootServices() and continuing the
boot.
Patch-Name: linuxefi_disable_sb_fallback.patch
Signed-off-by: Linn Crosetto <l...@hpe.com>
---
grub-core/loader/i386/linux.c | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
Index: grub2-2.02+dfsg1/grub-core/loader/i386/linux.c
===================================================================
--- grub2-2.02+dfsg1.orig/grub-core/loader/i386/linux.c
+++ grub2-2.02+dfsg1/grub-core/loader/i386/linux.c
@@ -695,10 +695,8 @@ grub_cmd_linux (grub_command_t cmd __att
using_linuxefi = 0;
if (grub_efi_secure_boot ())
{
- /* Try linuxefi first, which will require a successful signature check
- and then hand over to the kernel without calling ExitBootServices.
- If that fails, however, fall back to calling ExitBootServices
- ourselves and then booting an unsigned kernel. */
+ /* linuxefi requires a successful signature check and then hand over
+ to the kernel without calling ExitBootServices. */
grub_dl_t mod;
grub_command_t linuxefi_cmd;
@@ -720,7 +718,16 @@ grub_cmd_linux (grub_command_t cmd __att
return GRUB_ERR_NONE;
}
grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
- grub_errno = GRUB_ERR_NONE;
+ /* Preserve default workflow if verify module is loaded and
+ signatures are being checked. Condition below is even with
+ code which parses "check_signatures" variable in verify.c */
+ const char *env_chk_sig = grub_env_get ("check_signatures");
+ if (env_chk_sig &&
+ (env_chk_sig[0] == '1' || env_chk_sig[0] == 'e') &&
+ grub_dl_get("verify"))
+ grub_errno = GRUB_ERR_NONE;
+ else
+ goto fail;
}
}
}
