GRUB_VERIFY_FLAGS_DEFER_AUTH is set regardless of the secure boot status,
which causes error [1] when loading external grub modules if secure boot is
turned off; in that case the shim protocol itself did not verify images, so
it should not request verification for external modules either.

This patch fixed the problem by adding the secure boot status check
before requesting other verifiers to verify external module, therefore
external module loading can work after shim_lock module loaded and
secure boot turned off.

[1] error: verification requested but nobody cares:
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.

Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/commands/efi/shim_lock.c | 31 +++++++++++++++++++++++++++++-
 1 file changed, 30 insertions(+), 1 deletion(-)

diff --git a/grub-core/commands/efi/shim_lock.c 
b/grub-core/commands/efi/shim_lock.c
index 764098cfc..e0da81ce5 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -45,6 +45,34 @@ static grub_efi_shim_lock_protocol_t *sl;
 /* List of modules which cannot be loaded if UEFI secure boot mode is enabled. 
*/
 static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL};
 
+static grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_size_t datasize;
+  char *secure_boot = NULL;
+  char *setup_mode = NULL;
+  grub_efi_boolean_t ret = 0;
+
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !secure_boot)
+    goto out;
+
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !setup_mode)
+    goto out;
+
+  if (*secure_boot && !*setup_mode)
+    ret = 1;
+
+ out:
+  grub_free (secure_boot);
+  grub_free (setup_mode);
+  return ret;
+}
+
 static grub_err_t
 shim_lock_init (grub_file_t io, enum grub_file_type type,
                void **context __attribute__ ((unused)),
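Review bot: On the `if (datasize != 1 || !secure_boot)` line, `datasize` is compared before `secure_boot` is tested, so if grub_efi_get_variable() returns NULL without storing a size the comparison reads an uninitialised grub_size_t; initialise it (`grub_size_t datasize = 0;`) or test the pointer first, `if (!secure_boot || datasize != 1)`, and likewise for the SetupMode check. Every failure path also returns 0, which the caller treats as "secure boot off" and therefore skips deferred verification, so a firmware on which either variable cannot be read ends up with unverified module loads; if that is the intended policy it deserves a comment, otherwise the read failure should be distinguished from a genuine SecureBoot=0. A short header comment would make the contract explicit, e.g. `/* Return 1 when the firmware reports SecureBoot=1 and SetupMode=0, 0 otherwise (including when either variable cannot be read). */`. Style: the two grub_efi_get_variable calls omit the space before the parenthesis that the rest of the file (e.g. `grub_free (secure_boot)`) uses.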
@@ -82,7 +110,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
 
     case GRUB_FILE_TYPE_ACPI_TABLE:
     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+      if (grub_efi_secure_boot())
+       *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
 
       return GRUB_ERR_NONE;
 
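Review bot: When grub_efi_secure_boot () returns 0 the new branch leaves `*flags` untouched, so the ACPI-table and device-tree cases now depend on the caller having initialised `*flags` before shim_lock_init is entered; shim_lock_init begins and ends outside this hunk, so I cannot confirm that from here, and an explicit `else` or a comment stating the expected initial value of `*flags` would remove the doubt. Stylistically the call should follow the file's GNU spacing, `if (grub_efi_secure_boot ())`, and the assignment on the next line should use the file's indentation convention rather than the seven spaces shown. Note also that each file opened through this verifier now performs two EFI variable reads; if the SecureBoot/SetupMode values are stable for the duration of a boot, reading them once at module init would avoid repeated runtime-service calls.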
-- 
2.26.2

