48a2e836ff
This is done for moving packages that are related to secure boot out of LAT and into integ. Use grub version: 2.06-1 . Port grub-efi from LAT and make its build independent from grub2. The patches for code and changes for debian build are ported from layers ( meta-lat and meta-secure-core ) of yocto upstream. Make grub-efi independent from grub2 because some code changes for secure boot can make grub-pc's build fail. This porting of grub-efi customizes grub images and grub.cfg for efi boot. Install those files customized to grub-efi-amd64 package. Test Plan: The tests are done with all the changes for this porting, which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because they are in a chain for secure boot verification. - PASS: secure boot OK on qemu. - PASS: secure boot OK on PowerEdge R430 lab. - PASS: secure boot NG on qemu/hardware when shim/grub-efi images are without the right signatures. Story: 2009221 Task: 46402 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
From 01120b5ec61ae7bbe550b1e2fe0f75c2d2073b1f Mon Sep 17 00:00:00 2001
|
|
From: Hongxu Jia <hongxu.jia@windriver.com>
|
|
Date: Fri, 6 May 2022 15:44:14 +0800
|
|
Subject: [PATCH] grub verify: Add skip_check_cfg variable
|
|
|
|
While check_signatures enabled, with skip_check_cfg set to 1
|
|
- Do not verify the signature on the file that has suffix `.cfg'
|
|
- Do not authenticate user and password if cfg is changed
|
|
|
|
Implement function grub_strendswith to find cfg file
|
|
|
|
Upstream-Status: Pending
|
|
|
|
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
|
---
|
|
grub-core/commands/pgp.c | 12 ++++++++++++
|
|
grub-core/kern/misc.c | 12 ++++++++++++
|
|
grub-core/normal/auth.c | 5 +++++
|
|
include/grub/misc.h | 1 +
|
|
4 files changed, 30 insertions(+)
|
|
|
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
|
index 5daa1e9..e60a29a 100644
|
|
--- a/grub-core/commands/pgp.c
|
|
+++ b/grub-core/commands/pgp.c
|
|
@@ -873,6 +873,18 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
|
|
char *fsuf, *ptr;
|
|
grub_err_t err;
|
|
struct grub_pubkey_context *ctxt;
|
|
+ const char *val;
|
|
+
|
|
+ /* SKip to check the signature of cfg */
|
|
+ val = grub_env_get ("skip_check_cfg");
|
|
+ if (val && (val[0] == '1'))
|
|
+ {
|
|
+ if (grub_strendswith (io->name, ".cfg"))
|
|
+ {
|
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
|
+ return GRUB_ERR_NONE;
|
|
+ }
|
|
+ }
|
|
|
|
if (!sec)
|
|
{
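Review bot: The new exemption at the top of grub_pubkey_init keys only on the `.cfg` suffix of io->name and never looks at the `type` argument, so once skip_check_cfg is `1` any file whose name ends in `.cfg` passes the verifier unchecked regardless of what it is loaded as — a `linux /boot/vmlinuz.cfg` line would boot an unsigned kernel. Limit the skip to configuration loads, e.g. `if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_CONFIG && grub_strendswith (io->name, ".cfg"))` (assuming this tree still masks the type the way upstream verifiers do), and drop the `__attribute__ ((unused))` on `type` now that it is read. The comment `/* SKip to check the signature of cfg */` should also say why an unsigned config is acceptable while check_signatures is enforced, since this is a deliberate hole in that policy. grub_pubkey_init's body continues past the end of the hunk.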
|
|
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
|
index 3af336e..8bf1d90 100644
|
|
--- a/grub-core/kern/misc.c
|
|
+++ b/grub-core/kern/misc.c
|
|
@@ -280,6 +280,18 @@ grub_strncmp (const char *s1, const char *s2, grub_size_t n)
|
|
return (int) (grub_uint8_t) *s1 - (int) (grub_uint8_t) *s2;
|
|
}
|
|
|
|
+int
|
|
+grub_strendswith (const char *str, const char *suffix)
|
|
+{
|
|
+ if (!str || !suffix)
|
|
+ return 0;
|
|
+ grub_size_t lenstr = grub_strlen(str);
|
|
+ grub_size_t lensuffix = grub_strlen(suffix);
|
|
+ if (lensuffix > lenstr)
|
|
+ return 0;
|
|
+ return grub_strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
|
|
+}
|
|
+
|
|
char *
|
|
grub_strchr (const char *s, int c)
|
|
{
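Review bot: grub_strendswith declares `lenstr` and `lensuffix` after the `if (!str || !suffix) return 0;` statement, which mixes declarations and code; the rest of kern/misc.c keeps declarations at the top of the block in GNU style, and GRUB's configure adds -Wdeclaration-after-statement to its warning set (if I remember correctly), so this may break a -Werror build. Declare `grub_size_t lenstr, lensuffix;` before the NULL check and assign them after it, and use the GNU-style call spacing the file uses elsewhere (`grub_strlen (str)`, `grub_strncmp (...)`). A one-line comment above the definition, `/* Return 1 if STR ends with SUFFIX, 0 otherwise (also when either is NULL).  */`, would document the NULL behaviour callers such as the verifier rely on.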
|
|
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
|
|
index 6be678c..57a1a42 100644
|
|
--- a/grub-core/normal/auth.c
|
|
+++ b/grub-core/normal/auth.c
|
|
@@ -136,6 +136,11 @@ is_authenticated (const char *userlist)
|
|
const char *superusers;
|
|
struct grub_auth_user *user;
|
|
|
|
+ /* SKip to authenticate grub cfg */
|
|
+ const char *val = grub_env_get ("skip_check_cfg");
|
|
+ if (val && (val[0] == '1'))
|
|
+ return 1;
|
|
+
|
|
superusers = grub_env_get ("superusers");
|
|
|
|
if (!superusers)
|
|
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
|
index 7d2b551..cce29d7 100644
|
|
--- a/include/grub/misc.h
|
|
+++ b/include/grub/misc.h
|
|
@@ -82,6 +82,7 @@ grub_memcpy (void *dest, const void *src, grub_size_t n)
|
|
int EXPORT_FUNC(grub_memcmp) (const void *s1, const void *s2, grub_size_t n);
|
|
int EXPORT_FUNC(grub_strcmp) (const char *s1, const char *s2);
|
|
int EXPORT_FUNC(grub_strncmp) (const char *s1, const char *s2, grub_size_t n);
|
|
+int EXPORT_FUNC(grub_strendswith) (const char *str, const char *suffix);
|
|
|
|
char *EXPORT_FUNC(grub_strchr) (const char *s, int c);
|
|
char *EXPORT_FUNC(grub_strrchr) (const char *s, int c);
|
|
--
|
|
2.17.1
|
|
|