multibooting Linux distros with UEFI Secure Boot
Hi,

A given NVRAM entry points to a particular distro's shim+GRUB, and it's not possible to use either chainloader or configfile to forward to another distro's GRUB. If GRUB wants to support the multiboot Linux case, it needs some way of discovering other distros' shim+GRUB combos in NVRAM and on the EFI system volume, to populate the GRUB menu. And then the user can select that distro in the GRUB menu, which causes GRUB to use --bootnext to do a one-time boot using that UEFI boot entry, thus loading that distro's signed shim+GRUB combo.

Or is this just not a priority for the foreseeable future, and users will have to use the UEFI firmware's built-in boot manager for this use case?

This seems related to the thread "How to boot Windows when Bitlocker enabled with key sealed in TPM External" https://lists.gnu.org/archive/html/grub-devel/2022-02/msg00072.html

Thanks,

--
Chris Murphy

___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
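The discovery step described in the post above (finding which Boot#### entries launch another distro's shim+GRUB) as an added example in plain C; this is not code from GRUB or from the thread. It parses the EFI_LOAD_OPTION layout (Attributes, FilePathListLength, UTF-16 Description, then the device path list) and walks the device path nodes by their type/subtype/length header until the end node, picking out the MEDIA/FILE node. The three sample entries are constructed inline so it runs in userspace without reading NVRAM; on a Linux host the same bytes are what efivarfs exposes under /sys/firmware/efi/efivars/Boot####-8be4df61-93ca-11d2-aa0d-00e098032b8c after the 4-byte attribute word it prepends. All function and type names are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

#define DP_TYPE_MEDIA   0x04
#define DP_SUBTYPE_HD   0x01
#define DP_SUBTYPE_FILE 0x04
#define DP_TYPE_END     0x7f

/* Parsed view of one EFI_LOAD_OPTION; UTF-16 strings are narrowed to ASCII. */
struct load_option {
    uint32_t attributes;
    char description[64];
    char file_path[128];   /* the MEDIA/FILE node, e.g. \EFI\fedora\shimx64.efi */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Narrow a NUL-terminated UTF-16LE string; returns bytes consumed incl. terminator, 0 if unterminated. */
static size_t utf16_narrow(const uint8_t *p, size_t avail, char *out, size_t outlen)
{
    size_t i, o = 0;
    for (i = 0; i + 1 < avail; i += 2) {
        uint16_t c = rd16(p + i);
        if (c == 0) { out[o] = '\0'; return i + 2; }
        if (o + 1 < outlen) out[o++] = c < 0x80 ? (char)c : '?';
    }
    return 0;
}

/* Parse one EFI_LOAD_OPTION (Attributes, FilePathListLength, Description, FilePathList). 0 ok, -1 malformed. */
int parse_load_option(const uint8_t *buf, size_t len, struct load_option *lo)
{
    size_t pos = 6, n, dp_end;
    if (len < pos) return -1;
    memset(lo, 0, sizeof *lo);
    lo->attributes = rd16(buf) | ((uint32_t)rd16(buf + 2) << 16);
    n = utf16_narrow(buf + pos, len - pos, lo->description, sizeof lo->description);
    if (n == 0) return -1;
    pos += n;
    if (rd16(buf + 4) > len - pos) return -1;       /* FilePathList would run past the blob */
    dp_end = pos + rd16(buf + 4);
    /* Walk device path nodes by their 4-byte header: type, subtype, little-endian length. */
    while (pos + 4 <= dp_end) {
        uint8_t type = buf[pos], sub = buf[pos + 1];
        uint16_t nlen = rd16(buf + pos + 2);
        if (nlen < 4 || pos + nlen > dp_end) return -1;
        if (type == DP_TYPE_END) return 0;
        if (type == DP_TYPE_MEDIA && sub == DP_SUBTYPE_FILE &&
            utf16_narrow(buf + pos + 4, nlen - 4, lo->file_path, sizeof lo->file_path) == 0)
            return -1;
        pos += nlen;                                 /* HD(), vendor and other nodes are skipped by length */
    }
    return -1;                                       /* no end-of-path node */
}

/* True when the file basename starts with "shim" (shimx64.efi, shimaa64.efi, ...). */
int is_shim_entry(const struct load_option *lo)
{
    const char *base = lo->file_path, *p;
    for (p = lo->file_path; *p; p++)
        if (*p == '\\' || *p == '/') base = p + 1;
    for (int i = 0; i < 4; i++)
        if (tolower((unsigned char)base[i]) != "shim"[i]) return 0;
    return 1;
}

/* Construct a load option: Description + HD() node (body zeroed) + File() node + End node. Returns its length. */
size_t build_load_option(uint8_t *out, uint32_t attrs, const char *desc, const char *path)
{
    size_t pos = 0, dp_start, flen = 4 + 2 * (strlen(path) + 1), i;
    for (i = 0; i < 4; i++) out[pos++] = (uint8_t)(attrs >> (8 * i));
    pos += 2;                                        /* FilePathListLength, patched in below */
    for (i = 0; i <= strlen(desc); i++) { out[pos++] = (uint8_t)desc[i]; out[pos++] = 0; }
    dp_start = pos;
    out[pos++] = DP_TYPE_MEDIA; out[pos++] = DP_SUBTYPE_HD; out[pos++] = 42; out[pos++] = 0;
    memset(out + pos, 0, 38); pos += 38;
    out[pos++] = DP_TYPE_MEDIA; out[pos++] = DP_SUBTYPE_FILE; out[pos++] = (uint8_t)flen; out[pos++] = (uint8_t)(flen >> 8);
    for (i = 0; i <= strlen(path); i++) { out[pos++] = (uint8_t)path[i]; out[pos++] = 0; }
    out[pos++] = DP_TYPE_END; out[pos++] = 0xff; out[pos++] = 4; out[pos++] = 0;
    out[4] = (uint8_t)(pos - dp_start); out[5] = (uint8_t)((pos - dp_start) >> 8);
    return pos;
}

/* Constructed Boot#### set (two distro shims, one Windows entry), each blob shortened by `cut` bytes
   to simulate a truncated variable. Returns the number of shim entries, or -1 if any blob fails to parse. */
int count_shim_entries(size_t cut)
{
    static const char *desc[] = { "Fedora", "ubuntu", "Windows Boot Manager" };
    static const char *path[] = { "\\EFI\\fedora\\shimx64.efi", "\\EFI\\ubuntu\\shimx64.efi",
                                  "\\EFI\\Microsoft\\Boot\\bootmgfw.efi" };
    uint8_t buf[256];
    struct load_option lo;
    int found = 0;
    for (int i = 0; i < 3; i++) {
        size_t len = build_load_option(buf, 1 /* LOAD_OPTION_ACTIVE */, desc[i], path[i]);
        if (parse_load_option(buf, len - cut, &lo) != 0) return -1;
        if (!is_shim_entry(&lo)) continue;
        printf("Boot%04X  %-22s %s\n", i, lo.description, lo.file_path);
        found++;
    }
    return found;
}

int main(void) { return count_shim_entries(0) == 2 ? 0 : 1; }
```

The --bootnext step is not shown: selecting an entry would mean writing the 2-byte BootNext variable with that entry's number, which needs the firmware's runtime services rather than a byte parser.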
[SECURITY PATCH 005/117] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
From: Javier Martinez Canillas If the UEFI Secure Boot is enabled then the GRUB must be locked down to prevent executing code that can potentially be used to subvert its verification mechanisms. Signed-off-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper --- grub-core/kern/efi/init.c | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c index b683bec5a..133346509 100644 --- a/grub-core/kern/efi/init.c +++ b/grub-core/kern/efi/init.c @@ -21,6 +21,7 @@ #include #include #include +#include #include #include #include @@ -40,8 +41,15 @@ grub_efi_init (void) /* Initialize the memory management system. */ grub_efi_mm_init (); - /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */ - grub_shim_lock_verifier_setup (); + /* + * Lockdown the GRUB and register the shim_lock verifier + * if the UEFI Secure Boot is enabled. + */ + if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) +{ + grub_lockdown (); + grub_shim_lock_verifier_setup (); +} efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer, 0, 0, 0, NULL); -- 2.11.0 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
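Review bot: the lockdown in the second hunk is gated on `grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED`, so a firmware whose SecureBoot or SetupMode variable cannot be read (the UNKNOWN result the detection code in this series returns for a failed read) leaves GRUB unlocked and without the shim_lock verifier; that is fail-open for exactly the case where the platform state is least trustworthy. Consider locking down unless the result is explicitly GRUB_EFI_SECUREBOOT_MODE_DISABLED, or state in the commit message why UNKNOWN is deliberately treated like disabled.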
Re: [PATCH 0/9] Add UEFI Secure Boot detection and report the status to Linux
On Thu, Dec 03, 2020 at 04:01:41PM +0100, Javier Martinez Canillas wrote:
> This patch series adds support for the GRUB to detect the UEFI Secure Boot
> status using the SecureBoot and SetupMode EFI variables. It also reports
> this to Linux by setting the .secure_boot field of struct boot_params.
>
> Besides that, it contains some cleanups and fixes mostly around EFI support.

For all the patches: Reviewed-by: Daniel Kiper

If there are no objections I will take them next week.

Daniel
[PATCH 9/9] loader/linux: Report the UEFI Secure Boot status to the Linux kernel
From: Daniel Kiper Now that the GRUB has a grub_efi_get_secureboot() function to check the UEFI Secure Boot status, use it to report that to the Linux kernel. Signed-off-by: Ignat Korchagin Signed-off-by: Daniel Kiper Signed-off-by: Marco A Benatto Signed-off-by: Javier Martinez Canillas --- grub-core/loader/i386/linux.c | 6 +- include/grub/i386/linux.h | 8 ++-- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index 976af3fae87..d7e68658f43 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c @@ -46,6 +46,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); #ifdef GRUB_MACHINE_EFI #include +#include #define HAS_VGA_TEXT 0 #define DEFAULT_VIDEO_MODE "auto" #define ACCEPTS_PURE_TEXT 0 @@ -583,6 +584,9 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; + +ctx.params->secure_boot = grub_efi_get_secureboot (); + err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, _desc_size, _desc_version); if (err) @@ -794,7 +798,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE; /* These two are used (instead of cmd_line_ptr) by older versions of Linux, diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index 6da5f030fd1..eddf9251d9a 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h 
@@ -277,7 +277,11 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ + + grub_uint8_t padding10[0x1f1 - 0x1ed]; /* Linux setup header copy - BEGIN. */ grub_uint8_t setup_sects;/* The size of the setup in sectors */ @@ -288,7 +292,7 @@ struct linux_kernel_params grub_uint16_t vid_mode; /* Video mode control */ grub_uint16_t root_dev; /* Default root device number */ - grub_uint8_t padding10; /* 1fe */ + grub_uint8_t padding11; /* 1fe */ grub_uint8_t ps_mouse; /* 1ff */ grub_uint16_t jump; /* Jump instruction */ -- 2.28.0 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
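Review bot: `ctx.params->secure_boot = grub_efi_get_secureboot ();` in the grub_linux_boot hunk stores a GRUB_EFI_SECUREBOOT_MODE_* value straight into a field the kernel reads as its own enum (unset 0, unknown 1, disabled 2, enabled 3, the numbering the earlier RFC spelled out as GRUB_LINUX_EFI_SECUREBOOT_MODE_*); nothing in this diff ties the two numberings together, so a comment at the assignment, or an explicit switch mapping one to the other, would stop a later renumbering in include/grub/efi/sb.h from silently misreporting the state. The linux.h hunks renaming padding10 to padding11 and the matching `linux_params.padding11 = 0` change are consistent with each other.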
[PATCH 0/9] Add UEFI Secure Boot detection and report the status to Linux
This patch series adds support for the GRUB to detect the UEFI Secure Boot status using the SecureBoot and SetupMode EFI variables. It also reports this to Linux by setting the .secure_boot field of struct boot_params.

Besides that, it contains some cleanups and fixes mostly around EFI support.

Best regards,
Javier

Daniel Kiper (5):
  efi: Make shim_lock GUID and protocol type public
  efi: Return grub_efi_status_t from grub_efi_get_variable()
  efi: Add a function to read EFI variables with attributes
  efi: Add secure boot detection
  loader/linux: Report the UEFI Secure Boot status to the Linux kernel

Javier Martinez Canillas (4):
  i386: Don't include in coreboot and ieee1275 startup.S
  include/grub/i386/linux.h: Include missing header
  arm/term: Fix linking error due multiple ps2_state definitions
  efi: Only register shim_lock verifier if shim_lock protocol is found and SB enabled

 grub-core/Makefile.am                  |   1 +
 grub-core/Makefile.core.def            |   1 +
 grub-core/commands/efi/efifwsetup.c    |   8 +-
 grub-core/commands/efi/shim_lock.c     |  28 ++-
 grub-core/kern/efi/efi.c               |  30 +-
 grub-core/kern/efi/sb.c                | 109 +
 grub-core/kern/i386/coreboot/startup.S |   1 -
 grub-core/kern/i386/ieee1275/startup.S |   1 -
 grub-core/loader/i386/linux.c          |   6 +-
 grub-core/term/arm/cros.c              |   2 +-
 grub-core/term/arm/pl050.c             |   2 +-
 grub-core/video/efi_gop.c              |   2 +-
 include/grub/efi/api.h                 |  19 -
 include/grub/efi/efi.h                 |  12 ++-
 include/grub/efi/sb.h                  |  40 +
 include/grub/i386/linux.h              |  10 ++-
 16 files changed, 225 insertions(+), 47 deletions(-)
 create mode 100644 grub-core/kern/efi/sb.c
 create mode 100644 include/grub/efi/sb.h

--
2.28.0
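The detection the cover letter describes, as an added example that is not code from this series: the SecureBoot / SetupMode / MokSBState decision written in plain C against a constructed variable table standing in for the firmware's GetVariable(), so the edge cases (SecureBoot variable absent, read error, malformed size, MokSBState with and without runtime access) can be exercised in userspace. The sb_mode numbering follows the kernel's boot_params.secure_boot values; the store, get_u8 and scenario names and the sample firmware states are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values match the Linux enum efi_secureboot_mode written to boot_params.secure_boot. */
enum sb_mode { SB_UNSET = 0, SB_UNKNOWN = 1, SB_DISABLED = 2, SB_ENABLED = 3 };
enum var_status { VAR_OK, VAR_NOT_FOUND, VAR_DEVICE_ERROR, VAR_BAD_SIZE };

#define VAR_NV 0x1u   /* EFI_VARIABLE_NON_VOLATILE */
#define VAR_BS 0x2u   /* EFI_VARIABLE_BOOTSERVICE_ACCESS */
#define VAR_RT 0x4u   /* EFI_VARIABLE_RUNTIME_ACCESS */

#define GUID_GLOBAL "8be4df61-93ca-11d2-aa0d-00e098032b8c"   /* EFI_GLOBAL_VARIABLE */
#define GUID_SHIM   "605dab50-e046-4300-abb6-3dd810dd8b23"   /* SHIM_LOCK_GUID */

/* One entry of the constructed variable store (assumption: a flat table stands in for NVRAM). */
struct var { const char *name; const char *guid; uint32_t attr; size_t size; uint8_t value; int io_error; };
struct store { const struct var *vars; size_t count; };

/* Stand-in for GetVariable() reading a one-byte variable. */
static enum var_status get_u8(const struct store *s, const char *name, const char *guid,
                              uint32_t *attr, uint8_t *out)
{
    for (size_t i = 0; i < s->count; i++) {
        const struct var *v = &s->vars[i];
        if (strcmp(v->name, name) != 0 || strcmp(v->guid, guid) != 0)
            continue;
        if (v->io_error)
            return VAR_DEVICE_ERROR;
        if (v->size != sizeof *out)
            return VAR_BAD_SIZE;      /* a malformed variable is treated as unreadable */
        *attr = v->attr;
        *out = v->value;
        return VAR_OK;
    }
    return VAR_NOT_FOUND;
}

/* Decision procedure: SecureBoot, then SetupMode, then shim's MokSBState. */
enum sb_mode get_secureboot(const struct store *s)
{
    uint8_t secboot = 0, setupmode = 0, moksb = 0;
    uint32_t attr = 0;
    enum var_status st;

    st = get_u8(s, "SecureBoot", GUID_GLOBAL, &attr, &secboot);
    if (st == VAR_NOT_FOUND)
        return SB_DISABLED;           /* firmware has no Secure Boot at all */
    if (st != VAR_OK)
        return SB_UNKNOWN;            /* read error: report unknown rather than guess */

    st = get_u8(s, "SetupMode", GUID_GLOBAL, &attr, &setupmode);
    if (st != VAR_OK)
        return SB_UNKNOWN;

    if (secboot == 0 || setupmode == 1)
        return SB_DISABLED;           /* off, or no PK enrolled yet */

    /* MokSBState == 1 means the user told shim to skip verification. Honour it only
       when the variable lacks RUNTIME_ACCESS, so it cannot have been written from the OS. */
    st = get_u8(s, "MokSBState", GUID_SHIM, &attr, &moksb);
    if (st == VAR_OK && !(attr & VAR_RT) && moksb == 1)
        return SB_DISABLED;
    return SB_ENABLED;                /* any failure reading MokSBState defaults to secure */
}

/* Constructed firmware states; returns what a loader would put in boot_params.secure_boot. */
enum sb_mode scenario(int n)
{
    static const struct var on[]     = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0} };
    static const struct var off[]    = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0} };
    static const struct var setup[]  = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 0} };
    static const struct var mok_bs[] = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0},
                                         {"MokSBState", GUID_SHIM, VAR_NV|VAR_BS, 1, 1, 0} };        /* set by MokManager */
    static const struct var mok_rt[] = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0},
                                         {"MokSBState", GUID_SHIM, VAR_NV|VAR_BS|VAR_RT, 1, 1, 0} }; /* planted from the OS */
    static const struct var broken[] = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 1, 1}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0} };
    static const struct var odd[]    = { {"SecureBoot", GUID_GLOBAL, VAR_BS|VAR_RT, 4, 1, 0}, {"SetupMode", GUID_GLOBAL, VAR_BS|VAR_RT, 1, 0, 0} };
    static const struct store stores[] = {
        { NULL, 0 }, { on, 2 }, { off, 2 }, { setup, 2 }, { mok_bs, 3 }, { mok_rt, 3 }, { broken, 2 }, { odd, 2 } };
    if (n < 0 || n >= (int)(sizeof stores / sizeof stores[0]))
        return SB_UNSET;
    return get_secureboot(&stores[n]);
}

int main(void)
{
    static const char *names[] = { "unset", "unknown", "disabled", "enabled" };
    for (int n = 0; n < 8; n++)
        printf("scenario %d: %s\n", n, names[scenario(n)]);
    return 0;
}
```

The RUNTIME_ACCESS test is the part worth keeping in mind: MokSBState written by MokManager during boot services is not runtime-accessible, while a copy written from a running OS through efivarfs necessarily is, which is why the latter must not turn verification off.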
[GRUB PATCH RFC 12/22] i386/efi: Report UEFI Secure Boot status to the Linux kernel
From: Norbert Kaminski Otherwise the kernel does not know its state and cannot enable various security features depending on UEFI Secure Boot. Signed-off-by: Ignat Korchagin Signed-off-by: Daniel Kiper Signed-off-by: Norbert Kaminski --- grub-core/loader/i386/linux.c | 86 ++- include/grub/i386/linux.h | 14 +- 2 files changed, 97 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index 976af3fae873..940ce0f98bca 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c 
@@ -397,6 +397,87 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, grub_uint64_t size, return 0; } +#ifdef GRUB_MACHINE_EFI +/* + * Determine whether we're in secure boot mode. + * + * Please keep the logic in sync with the Linux kernel, + * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). + */ +static grub_uint8_t +grub_efi_get_secureboot (void) +{ + grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; + grub_efi_guid_t efi_shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; + grub_efi_status_t status; + grub_efi_uint32_t attr = 0; + grub_size_t size = 0; + grub_uint8_t *secboot = NULL; + grub_uint8_t *setupmode = NULL; + grub_uint8_t *moksbstate = NULL; + grub_uint8_t secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN; + const char *secureboot_str = "UNKNOWN"; + + status = grub_efi_get_variable ("SecureBoot", _variable_guid, + , (void **) ); + + if (status == GRUB_EFI_NOT_FOUND) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; +} + + if (status != GRUB_EFI_SUCCESS) +goto out; + + status = grub_efi_get_variable ("SetupMode", _variable_guid, + , (void **) ); + + if (status != GRUB_EFI_SUCCESS) +goto out; + + if ((*secboot == 0) || (*setupmode == 1)) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; +} + + /* + * See if a user has put the shim into insecure mode. If so, and if the + * variable doesn't have the runtime attribute set, we might as well + * honor that. + */ + status = grub_efi_get_variable_with_attributes ("MokSBState", _shim_lock_guid, + , (void **) , ); + + /* If it fails, we don't care why. Default to secure. 
*/ + if (status != GRUB_EFI_SUCCESS) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + goto out; +} + + if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) +secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + + out: + grub_free (moksbstate); + grub_free (setupmode); + grub_free (secboot); + + if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED) +secureboot_str = "Disabled"; + else if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED) + secureboot_str = "Enabled"; + + grub_dprintf ("linux", "UEFI Secure Boot state: %s\n", secureboot_str); + + return secureboot; +} +#endif + static grub_err_t grub_linux_boot (void) { @@ -583,6 +664,9 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; + +ctx.params->secure_boot = grub_efi_get_secureboot (); + err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, _desc_size, _desc_version); if (err) @@ -794,7 +878,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE; /* These two are used (instead of cmd_line_ptr) by older versions of Linux, diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index ce30e7fb01b9..6aea73ddb145 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h 
@@ -49,6 +49,12 @@ /* Maximum number of MBR signatures to store. */ #define EDD_MBR_SIG_MAX16 +/* Possible values for Linux secure_boot kernel parameter. */ +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNSET 0 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED2 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 + #ifdef __x86_64__ #define GRUB_LINUX_EFI_SIGNATURE \ @@ -275,7 +281,11 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ +
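Review bot: the MokSBState handling in the first linux.c hunk has no effect: `+secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED;` under the `!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1` test is immediately overwritten by the unconditional `+ secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED;` that follows, so a machine where shim has been put into insecure mode is still reported to the kernel as Secure Boot enabled. Add a `goto out;` inside that branch (or make the ENABLED assignment the else arm), which is what the "keep the logic in sync with ... efi_get_secureboot()" comment at the top of the function promises.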
Re: [GRUB PATCH RFC 12/18] i386/efi: Report UEFI Secure Boot status to the Linux kernel
On Wed, May 06, 2020 at 11:36:49AM -0700, Matthew Garrett wrote:
> On Wed, May 6, 2020 at 6:33 AM Daniel Kiper wrote:
> >
> > On Tue, May 05, 2020 at 10:29:05AM -0700, Matthew Garrett wrote:
> > > On Mon, May 4, 2020 at 4:25 PM Daniel Kiper
> > > wrote:
> > > >
> > > > Otherwise the kernel does not know its state and cannot enable various
> > > > security features depending on UEFI Secure Boot.
> > >
> > > I think this needs more context. If the kernel is loaded via the EFI
> > > boot stub, the kernel is aware of the UEFI secure boot state. Why
> > > duplicate this functionality in order to avoid the EFI stub?
> >
> > It seems to me that this issue was discussed here [1] and here [2].
> > So, if you want me to improve the commit message I am OK with that.
>
> Yes, I think just providing an explanation for why it's currently
> necessary for you to duplicate this is reasonable.

Sure, will do!

Daniel
Re: [GRUB PATCH RFC 12/18] i386/efi: Report UEFI Secure Boot status to the Linux kernel
On Wed, May 6, 2020 at 6:33 AM Daniel Kiper wrote:
>
> On Tue, May 05, 2020 at 10:29:05AM -0700, Matthew Garrett wrote:
> > On Mon, May 4, 2020 at 4:25 PM Daniel Kiper wrote:
> > >
> > > Otherwise the kernel does not know its state and cannot enable various
> > > security features depending on UEFI Secure Boot.
> >
> > I think this needs more context. If the kernel is loaded via the EFI
> > boot stub, the kernel is aware of the UEFI secure boot state. Why
> > duplicate this functionality in order to avoid the EFI stub?
>
> It seems to me that this issue was discussed here [1] and here [2].
> So, if you want me to improve the commit message I am OK with that.

Yes, I think just providing an explanation for why it's currently necessary for you to duplicate this is reasonable.
Re: [GRUB PATCH RFC 12/18] i386/efi: Report UEFI Secure Boot status to the Linux kernel
On Tue, May 05, 2020 at 10:29:05AM -0700, Matthew Garrett wrote:
> On Mon, May 4, 2020 at 4:25 PM Daniel Kiper wrote:
> >
> > Otherwise the kernel does not know its state and cannot enable various
> > security features depending on UEFI Secure Boot.
>
> I think this needs more context. If the kernel is loaded via the EFI
> boot stub, the kernel is aware of the UEFI secure boot state. Why
> duplicate this functionality in order to avoid the EFI stub?

It seems to me that this issue was discussed here [1] and here [2]. So, if you want me to improve the commit message I am OK with that.

Additionally, FYI I am not happy with that patch either. So, if somebody has a better idea how to do that then I am happy to discuss it here.

Daniel

[1] https://lkml.org/lkml/2020/3/25/982
[2] https://lkml.org/lkml/2020/3/26/985
Re: [GRUB PATCH RFC 12/18] i386/efi: Report UEFI Secure Boot status to the Linux kernel
On Mon, May 4, 2020 at 4:25 PM Daniel Kiper wrote:
>
> Otherwise the kernel does not know its state and cannot enable various
> security features depending on UEFI Secure Boot.

I think this needs more context. If the kernel is loaded via the EFI boot stub, the kernel is aware of the UEFI secure boot state. Why duplicate this functionality in order to avoid the EFI stub?
[GRUB PATCH RFC 12/18] i386/efi: Report UEFI Secure Boot status to the Linux kernel
Otherwise the kernel does not know its state and cannot enable various security features depending on UEFI Secure Boot. Signed-off-by: Ignat Korchagin Signed-off-by: Daniel Kiper --- grub-core/loader/i386/linux.c | 86 ++- include/grub/i386/linux.h | 14 ++- 2 files changed, 97 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index ac1fae72e..952eb1191 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c 
@@ -397,6 +397,87 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, grub_uint64_t size, return 0; } +#ifdef GRUB_MACHINE_EFI +/* + * Determine whether we're in secure boot mode. + * + * Please keep the logic in sync with the Linux kernel, + * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). + */ +static grub_uint8_t +grub_efi_get_secureboot (void) +{ + grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; + grub_efi_guid_t efi_shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; + grub_efi_status_t status; + grub_efi_uint32_t attr = 0; + grub_size_t size = 0; + grub_uint8_t *secboot = NULL; + grub_uint8_t *setupmode = NULL; + grub_uint8_t *moksbstate = NULL; + grub_uint8_t secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN; + const char *secureboot_str = "UNKNOWN"; + + status = grub_efi_get_variable ("SecureBoot", _variable_guid, + , (void **) ); + + if (status == GRUB_EFI_NOT_FOUND) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; +} + + if (status != GRUB_EFI_SUCCESS) +goto out; + + status = grub_efi_get_variable ("SetupMode", _variable_guid, + , (void **) ); + + if (status != GRUB_EFI_SUCCESS) +goto out; + + if ((*secboot == 0) || (*setupmode == 1)) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; +} + + /* + * See if a user has put the shim into insecure mode. If so, and if the + * variable doesn't have the runtime attribute set, we might as well + * honor that. + */ + status = grub_efi_get_variable_with_attributes ("MokSBState", _shim_lock_guid, + , (void **) , ); + + /* If it fails, we don't care why. Default to secure. 
*/ + if (status != GRUB_EFI_SUCCESS) +{ + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + goto out; +} + + if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) +secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + + out: + grub_free (moksbstate); + grub_free (setupmode); + grub_free (secboot); + + if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED) +secureboot_str = "Disabled"; + else if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED) + secureboot_str = "Enabled"; + + grub_dprintf ("linux", "UEFI Secure Boot state: %s\n", secureboot_str); + + return secureboot; +} +#endif + static grub_err_t grub_linux_boot (void) { @@ -579,6 +660,9 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; + +ctx.params->secure_boot = grub_efi_get_secureboot (); + err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, _desc_size, _desc_version); if (err) @@ -790,7 +874,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE; /* These two are used (instead of cmd_line_ptr) by older versions of Linux, diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index ce30e7fb0..6aea73ddb 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h 
@@ -49,6 +49,12 @@ /* Maximum number of MBR signatures to store. */ #define EDD_MBR_SIG_MAX16 +/* Possible values for Linux secure_boot kernel parameter. */ +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNSET 0 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED2 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 + #ifdef __x86_64__ #define GRUB_LINUX_EFI_SIGNATURE \ @@ -275,7 +281,11 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ + + grub_uint8_t padding10[0x1f1 - 0x1ed]; /* Linux setu
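Review bot: in the grub_efi_get_secureboot hunk the insecure-mode result can never reach the caller: after `+secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED;` control falls straight into `+ secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED;`, so the `grub_dprintf` at `out:` prints "Enabled" for a shim whose MokSBState was set without runtime access. Put the DISABLED assignment in a block that jumps to `out`. Separately, none of the three reads looks at `size` before dereferencing `*secboot`, `*setupmode` or `*moksbstate`; the kernel stub the comment refers to bounds those reads with `size = sizeof(u8)`, so checking `size == 1` here keeps the two implementations in step.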
Re: [PATCH v2 2/2] loader/i386/linux: report UEFI secure boot status to the Linux kernel
On Wed, Oct 17, 2018 at 06:01:46PM +, Ignat Korchagin wrote: > Linux kernel from 4.11 has secure_boot member as part of linux_kernel_params. > Currently, GRUB does not populate it, so the kernel reports > "Secure boot could not be determined" on boot. We can populate it in EFI mode, > so the kernel "knows" the status. > > Signed-off-by: Ignat Korchagin > --- > grub-core/loader/i386/linux.c | 54 > ++- > include/grub/i386/linux.h | 14 +-- > 2 files changed, 65 insertions(+), 3 deletions(-) > > diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c > index 4eab55a2d..7016974a6 100644 > --- a/grub-core/loader/i386/linux.c > +++ b/grub-core/loader/i386/linux.c 
> @@ -396,6 +396,57 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, > grub_uint64_t size, >return 0; > } > > +#ifdef GRUB_MACHINE_EFI > + > +/* from > https://github.com/rhboot/shim/blob/b953468e91eac48d2e3817f18cd604e20f39c56b/lib/guid.c#L39 > */ Just mention that this comes from UEFI shim project. This should suffice. > +#define GRUB_EFI_SHIM_LOCK_GUID \ > + { 0x605dab50, 0xe046, 0xe046, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, > 0x23 }} This is not Linux specific. Could you add this to include/grub/efi/api.h (Hmmm... I do not see better place)? And I am working on patchset which will this too. So, I will avoid some code shuffling. > + > +/* mostly taken from > https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/firmware/efi/libstub/secureboot.c?h=linux-4.18.y=a7012bdbdf406bbaa4e3de0cc3d8eb0faaacbf93#n37 Stable version number will suffice here. > + except for the case, when "SecureBoot" variable is not found, because > + grub_efi_get_variable does not report EFI_STATUS to the caller */ So, I would like to ask you to change grub_efi_get_variable() accordingly (same for grub_efi_get_variable_with_attributes()). This will not be a big effort. It is called in a few places only. And I think that it should work like get_efi_var() in Linux kernel. So, EFI status should be returned and it should get pointer to variable store, e.g. _boot. And please add comment in the following way: /* * ... 
* */ > +static grub_uint8_t > +grub_efi_secureboot_mode (void) > +{ > + grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; > + grub_size_t efi_var_size = 0; > + grub_efi_uint32_t attr = 0; > + grub_uint8_t *secure_boot; > + grub_uint8_t *setup_mode; > + grub_uint8_t *moksb_state; > + grub_uint8_t secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_UNKNOWN; > + > + secure_boot = grub_efi_get_variable ("SecureBoot", _var_guid, > _var_size); > + setup_mode = grub_efi_get_variable ("SetupMode", _var_guid, > _var_size); > + efi_var_guid = GRUB_EFI_SHIM_LOCK_GUID; > + moksb_state = grub_efi_get_variable_with_attributes ("MokSBState", > _var_guid, _var_size, ); Please move these two lines... > + if (!secure_boot || !setup_mode) > +goto fail; > + > + if ((*secure_boot == 0) || (*setup_mode == 1)) > +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; > + else > +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_ENABLED; ...here. > + if (moksb_state) > +{ > + if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksb_state == 1) > +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; > +} Curly brackets are not needed here. > +fail: > + if (moksb_state) > +grub_free (moksb_state); > + if (setup_mode) > +grub_free (setup_mode); > + if (secure_boot) > +grub_free (secure_boot); > + > + return secureboot_mode; > +} > +#endif > + > static grub_err_t > grub_linux_boot (void) > { > @@ -574,6 +625,7 @@ grub_linux_boot (void) > grub_efi_uintn_t efi_desc_size; > grub_size_t efi_mmap_target; > grub_efi_uint32_t efi_desc_version; > +ctx.params->secure_boot = grub_efi_secureboot_mode (); > err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, >_desc_size, _desc_version); > if (err) 
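Review bot: before moving `GRUB_EFI_SHIM_LOCK_GUID` to include/grub/efi/api.h as requested above, fix its value: the quoted define reads `{ 0x605dab50, 0xe046, 0xe046, { 0xab, 0xb6, ... } }`, repeating the second field as the third, whereas shim's SHIM_LOCK_GUID is 605dab50-e046-4300-abb6-3dd810dd8b23, i.e. the third field is 0x4300. With the wrong GUID the `MokSBState` lookup in `grub_efi_secureboot_mode` never matches, so a shim deliberately put into insecure mode is still reported to the kernel as Secure Boot enabled.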
> @@ -760,7 +812,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ > ((unused)), > >linux_params.code32_start = prot_mode_target + lh.code32_start - > GRUB_LINUX_BZIMAGE_ADDR; >linux_params.kernel_alignment = (1 << align); > - linux_params.ps_mouse = linux_params.padding10 = 0; > + linux_params.ps_mouse = linux_params.padding11 = 0; > >len = sizeof (linux_params) - sizeof (lh); >if (grub_file_read (file, (char *) _params + sizeof (lh), len) != > len) > diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h > index 60c7c3b5e..4d20abb2e 100644 > --- a/include/grub/i386/linux.h > +++ b/include/grub/i386/linux.h > @@ -87,6 +87,12 @@ enum > GRUB_VIDEO_LINUX_TYPE_SIMPLE = 0x70/* Linear framebuffer without any > additional functions. */ >}; > > +/* Possible values for Linux secure_boot kernel parameter */ > +#define LINUX_EFI_SECUREBOOT_MODE_UNSET0 > +#define
[PATCH v2 2/2] loader/i386/linux: report UEFI secure boot status to the Linux kernel
Linux kernel from 4.11 has secure_boot member as part of linux_kernel_params. Currently, GRUB does not populate it, so the kernel reports "Secure boot could not be determined" on boot. We can populate it in EFI mode, so the kernel "knows" the status. Signed-off-by: Ignat Korchagin --- grub-core/loader/i386/linux.c | 54 ++- include/grub/i386/linux.h | 14 +-- 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index 4eab55a2d..7016974a6 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c 
@@ -396,6 +396,57 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, grub_uint64_t size, return 0; } +#ifdef GRUB_MACHINE_EFI + +/* from https://github.com/rhboot/shim/blob/b953468e91eac48d2e3817f18cd604e20f39c56b/lib/guid.c#L39 */ +#define GRUB_EFI_SHIM_LOCK_GUID \ + { 0x605dab50, 0xe046, 0xe046, { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 }} + +/* mostly taken from https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/drivers/firmware/efi/libstub/secureboot.c?h=linux-4.18.y=a7012bdbdf406bbaa4e3de0cc3d8eb0faaacbf93#n37 + except for the case, when "SecureBoot" variable is not found, because + grub_efi_get_variable does not report EFI_STATUS to the caller */ +static grub_uint8_t +grub_efi_secureboot_mode (void) +{ + grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; + grub_size_t efi_var_size = 0; + grub_efi_uint32_t attr = 0; + grub_uint8_t *secure_boot; + grub_uint8_t *setup_mode; + grub_uint8_t *moksb_state; + grub_uint8_t secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_UNKNOWN; + + secure_boot = grub_efi_get_variable ("SecureBoot", _var_guid, _var_size); + setup_mode = grub_efi_get_variable ("SetupMode", _var_guid, _var_size); + efi_var_guid = GRUB_EFI_SHIM_LOCK_GUID; + moksb_state = grub_efi_get_variable_with_attributes ("MokSBState", _var_guid, _var_size, ); + + if (!secure_boot || !setup_mode) +goto fail; + + if ((*secure_boot == 0) || (*setup_mode == 1)) +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; + else +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_ENABLED; + + if (moksb_state) +{ + if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksb_state == 1) +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; +} + +fail: + if (moksb_state) +grub_free (moksb_state); + if (setup_mode) +grub_free (setup_mode); + if (secure_boot) +grub_free (secure_boot); + + return secureboot_mode; +} +#endif + static grub_err_t grub_linux_boot (void) { 
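Review bot: in the grub_efi_secureboot_mode hunk, `efi_var_size` is handed to all three grub_efi_get_variable calls and then never examined, yet `*secure_boot`, `*setup_mode` and `*moksb_state` are dereferenced as one-byte values; capture the size per variable and jump to `fail` (leaving the mode UNKNOWN) unless it is exactly 1, which is the bound the kernel stub applies by reading these with `size = sizeof(u8)`. As written, a zero-length or oversized variable is silently interpreted from whatever its first byte happens to be.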
@@ -574,6 +625,7 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; +ctx.params->secure_boot = grub_efi_secureboot_mode (); err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, _desc_size, _desc_version); if (err) @@ -760,7 +812,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; len = sizeof (linux_params) - sizeof (lh); if (grub_file_read (file, (char *) _params + sizeof (lh), len) != len) diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index 60c7c3b5e..4d20abb2e 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h @@ -87,6 +87,12 @@ enum GRUB_VIDEO_LINUX_TYPE_SIMPLE = 0x70/* Linear framebuffer without any additional functions. */ }; +/* Possible values for Linux secure_boot kernel parameter */ +#define LINUX_EFI_SECUREBOOT_MODE_UNSET0 +#define LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 +#define LINUX_EFI_SECUREBOOT_MODE_DISABLED 2 +#define LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 + /* For the Linux/i386 boot protocol version 2.10. */ struct linux_i386_kernel_header { @@ -270,7 +276,11 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ + + grub_uint8_t padding10[0x1f1 - 0x1ed]; grub_uint8_t setup_sects;/* The size of the setup in sectors */ grub_uint16_t root_flags;/* If the root is mounted readonly */ 
@@ -280,7 +290,7 @@ struct linux_kernel_params grub_uint16_t vid_mode; /* Video mode control */ grub_uint16_t root_dev; /* Default root device number */ - grub_uint8_t padding10; /* 1fe */ + grub_uint8_t padding11; /* 1fe */ grub_uint8_t ps_mouse; /* 1ff */ grub_uint16_t jump; /* Jump instruction */ -- 2.11.0
Re: [PATCH] loader/i386/linux: report UEFI secure boot status to the Linux kernel
On Tue, Oct 09, 2018 at 04:04:03PM +, Ignat Korchagin wrote: > Linux kernel from 4.11 has secure_boot member as part of linux_kernel_params. > Currently, GRUB does not populate it, so the kernel reports > "Secure boot could not be determined" on boot. We can populate it in EFI mode, > so the kernel "knows" the status. > > Signed-off-by: Ignat Korchagin > --- > grub-core/loader/i386/linux.c | 34 +- > include/grub/i386/linux.h | 12 ++-- > 2 files changed, 43 insertions(+), 3 deletions(-) > > diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c > index 4eab55a2d..7fc188603 100644 > --- a/grub-core/loader/i386/linux.c > +++ b/grub-core/loader/i386/linux.c > @@ -396,6 +396,37 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, > grub_uint64_t size, >return 0; > } > > +#ifdef GRUB_MACHINE_EFI > +static grub_uint8_t > +grub_efi_secureboot_mode (void) > +{ > + grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; > + grub_size_t efi_var_size = 0; > + grub_uint8_t *secure_boot; > + grub_uint8_t *setup_mode; > + grub_uint8_t secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_UNSET; > + > + secure_boot = grub_efi_get_variable ("SecureBoot", _var_guid, > _var_size); > + setup_mode = grub_efi_get_variable ("SetupMode", _var_guid, > _var_size); > + > + if (!secure_boot || !setup_mode) > +goto fail; > + > + if ((*secure_boot == 0) || (*setup_mode == 1)) > +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; > + else > +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_ENABLED; > + > +fail: > + if (setup_mode) > +grub_free (setup_mode); > + if (secure_boot) > +grub_free (secure_boot); > + > + return secureboot_mode; May I ask you to duplicate the logic from linux/drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot()? Additionally, please add the comment that it is taken from there. And it is also worth mentioning the Linux kernel version or commit id. > +} > +#endif > + > static grub_err_t > grub_linux_boot (void) > { 
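Review bot: `secureboot_mode` is initialised to `LINUX_EFI_SECUREBOOT_MODE_UNSET` and keeps that value when either variable read fails, so the kernel cannot tell a loader that hit an error from one that never wrote the field at all; the EFI stub's efi_get_secureboot() reports unknown for a failed read and disabled for a SecureBoot variable that does not exist, so initialising to UNKNOWN (and handling the not-found case explicitly once grub_efi_get_variable can report it) would keep the two in step.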
> @@ -574,6 +605,7 @@ grub_linux_boot (void) > grub_efi_uintn_t efi_desc_size; > grub_size_t efi_mmap_target; > grub_efi_uint32_t efi_desc_version; > +ctx.params->secure_boot = grub_efi_secureboot_mode (); > err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, >_desc_size, _desc_version); > if (err) > @@ -760,7 +792,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ > ((unused)), > >linux_params.code32_start = prot_mode_target + lh.code32_start - > GRUB_LINUX_BZIMAGE_ADDR; >linux_params.kernel_alignment = (1 << align); > - linux_params.ps_mouse = linux_params.padding10 = 0; > + linux_params.ps_mouse = linux_params.padding11 = 0; > >len = sizeof (linux_params) - sizeof (lh); >if (grub_file_read (file, (char *) _params + sizeof (lh), len) != > len) > diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h > index 60c7c3b5e..4493a3fdb 100644 > --- a/include/grub/i386/linux.h > +++ b/include/grub/i386/linux.h > @@ -270,7 +270,15 @@ struct linux_kernel_params > >grub_uint8_t mmap_size;/* 1e8 */ > > - grub_uint8_t padding9[0x1f1 - 0x1e9]; > + grub_uint8_t padding9[0x1ec - 0x1e9]; > + > + grub_uint8_t secure_boot; /* 1ec */ > +#define LINUX_EFI_SECUREBOOT_MODE_UNSET0 > +#define LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 > +#define LINUX_EFI_SECUREBOOT_MODE_DISABLED 2 > +#define LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 Please move this to the constants section above. Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
[PATCH] loader/i386/linux: report UEFI secure boot status to the Linux kernel
Linux kernel from 4.11 has secure_boot member as part of linux_kernel_params. Currently, GRUB does not populate it, so the kernel reports "Secure boot could not be determined" on boot. We can populate it in EFI mode, so the kernel "knows" the status. Signed-off-by: Ignat Korchagin --- grub-core/loader/i386/linux.c | 34 +- include/grub/i386/linux.h | 12 ++-- 2 files changed, 43 insertions(+), 3 deletions(-) diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c index 4eab55a2d..7fc188603 100644 --- a/grub-core/loader/i386/linux.c +++ b/grub-core/loader/i386/linux.c @@ -396,6 +396,37 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, grub_uint64_t size, return 0; } +#ifdef GRUB_MACHINE_EFI +static grub_uint8_t +grub_efi_secureboot_mode (void) +{ + grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; + grub_size_t efi_var_size = 0; + grub_uint8_t *secure_boot; + grub_uint8_t *setup_mode; + grub_uint8_t secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_UNSET; + + secure_boot = grub_efi_get_variable ("SecureBoot", _var_guid, _var_size); + setup_mode = grub_efi_get_variable ("SetupMode", _var_guid, _var_size); + + if (!secure_boot || !setup_mode) +goto fail; + + if ((*secure_boot == 0) || (*setup_mode == 1)) +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_DISABLED; + else +secureboot_mode = LINUX_EFI_SECUREBOOT_MODE_ENABLED; + +fail: + if (setup_mode) +grub_free (setup_mode); + if (secure_boot) +grub_free (secure_boot); + + return secureboot_mode; +} +#endif + static grub_err_t grub_linux_boot (void) { @@ -574,6 +605,7 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; +ctx.params->secure_boot = grub_efi_secureboot_mode (); err = grub_efi_finish_boot_services (_mmap_size, efi_mmap_buf, NULL, _desc_size, _desc_version); if (err) 
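Review bot: `efi_var_size` is written by both `grub_efi_get_variable` calls (the second overwriting the first) but is never checked before `*secure_boot` and `*setup_mode` are dereferenced; keep one size per variable and treat anything other than a 1-byte value as `LINUX_EFI_SECUREBOOT_MODE_UNKNOWN`. The fallback is also coarser than the kernel's `efi_get_secureboot()` that Daniel asks to mirror: that function reports disabled when the SecureBoot variable does not exist and unknown on any other failure, whereas this one returns `LINUX_EFI_SECUREBOOT_MODE_UNSET` for both, which per the commit message is exactly the value that makes the kernel print "Secure boot could not be determined". Minor: the `fail:` label is also the success exit, so `out:` would read better.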
@@ -760,7 +792,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; len = sizeof (linux_params) - sizeof (lh); if (grub_file_read (file, (char *) _params + sizeof (lh), len) != len) diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index 60c7c3b5e..4493a3fdb 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h @@ -270,7 +270,15 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ +#define LINUX_EFI_SECUREBOOT_MODE_UNSET0 +#define LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 +#define LINUX_EFI_SECUREBOOT_MODE_DISABLED 2 +#define LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 + + grub_uint8_t padding10[0x1f1 - 0x1ed]; grub_uint8_t setup_sects;/* The size of the setup in sectors */ grub_uint16_t root_flags;/* If the root is mounted readonly */ @@ -280,7 +288,7 @@ struct linux_kernel_params grub_uint16_t vid_mode; /* Video mode control */ grub_uint16_t root_dev; /* Default root device number */ - grub_uint8_t padding10; /* 1fe */ + grub_uint8_t padding11; /* 1fe */ grub_uint8_t ps_mouse; /* 1ff */ grub_uint16_t jump; /* Jump instruction */ -- 2.11.0 ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
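Review bot: the offsets in `struct linux_kernel_params` check out (`padding9` now covers 0x1e9..0x1eb, `secure_boot` sits at 0x1ec, and the new `padding10[0x1f1 - 0x1ed]` fills 0x1ed..0x1f0 before `setup_sects` at 0x1f1), but inserting a field named `padding10` is what forces the rename of the existing `padding10` at 0x1fe to `padding11` and the follow-up change in `grub_cmd_linux`; a distinct name for the new gap would keep the diff to the header. Besides moving the `LINUX_EFI_SECUREBOOT_MODE_*` defines out of the struct, the field comment should record which kernel introduced it, e.g. `/* 1ec, Linux 4.11+ */`, so the "4.11" from the commit message survives in the code.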
Re: UEFI secure boot
I tried to submit a patch some time ago, where you can get the SecureBoot and SetupMode variables from the GRUB shell and config file: http://lists.gnu.org/archive/html/grub-devel/2016-01/msg00078.html

It was abandoned for some reason. Also, I think the recent patches proposed by Matthew Garrett also allow doing this.

On Fri, Feb 17, 2017 at 8:17 AM, Dennis Wassenberg <dennis.wassenb...@secunet.com> wrote:
> Hi, Daniel,
>
> On 16.02.2017 23:03, Daniel Kiper wrote:
> > On Thu, Feb 16, 2017 at 09:21:19AM +0100, Dennis Wassenberg wrote:
> >> Hi all,
> >>
> >> I have a question regarding grub2 in relation to UEFI secure boot. I do use a grub2 efi binary which is signed with sbsigntools. If grub2 starts, I think there is in general no information that grub2 is booted in a secure boot environment.
> >
> > Why do you need that?
>
> Just to show that it is booted in secure mode. In general there are only a few devices which show at the beginning that secureboot is active. So maybe it makes sense to show it at the booted efi application. If a user is interested in knowing if it is active or not, he has to enter the Setup. In the case of Lenovo it is not shown directly if secureboot is active or not. At the secureboot tab it is shown whether secureboot is enabled or not and whether secureboot is in custom mode or setup mode. I believe that not every user knows what this means. That's why I think a hint if secureboot is currently active or not would make sense.
>
> >> Is there a possibility to show that in grub2? I found no way to do that.
> >
> > If there is a use case, why not.
>
> Would this be a use case?
>
> >> Are you interested in having the possibility to show the uefi secure boot status (e.g. EFI variable secureboot)?
> >
> > I am going to work on shim protocol verification for Multiboot2 compatible images. I hope that it will be taken into GRUB2 2.03.
>
> Ah ok.
>
> > Daniel
>
> Thank you for your response.
>
> Best regards,
> Dennis
Re: UEFI secure boot
Hi, Daniel,

On 16.02.2017 23:03, Daniel Kiper wrote:
> On Thu, Feb 16, 2017 at 09:21:19AM +0100, Dennis Wassenberg wrote:
>> Hi all,
>>
>> I have a question regarding grub2 in relation to UEFI secure boot. I do use a grub2 efi binary which is signed with sbsigntools. If grub2 starts, I think there is in general no information that grub2 is booted in a secure boot environment.
>
> Why do you need that?

Just to show that it is booted in secure mode. In general there are only a few devices which show at the beginning that secureboot is active. So maybe it makes sense to show it at the booted efi application. If a user is interested in knowing if it is active or not, he has to enter the Setup. In the case of Lenovo it is not shown directly if secureboot is active or not. At the secureboot tab it is shown whether secureboot is enabled or not and whether secureboot is in custom mode or setup mode. I believe that not every user knows what this means. That's why I think a hint if secureboot is currently active or not would make sense.

>> Is there a possibility to show that in grub2? I found no way to do that.
>
> If there is a use case, why not.

Would this be a use case?

>> Are you interested in having the possibility to show the uefi secure boot status (e.g. EFI variable secureboot)?
>
> I am going to work on shim protocol verification for Multiboot2 compatible images. I hope that it will be taken into GRUB2 2.03.

Ah ok.

> Daniel

Thank you for your response.

Best regards,
Dennis
Re: UEFI secure boot
On Thu, Feb 16, 2017 at 09:21:19AM +0100, Dennis Wassenberg wrote:
> Hi all,
>
> I have a question regarding grub2 in relation to UEFI secure boot. I do use a grub2 efi binary which is signed with sbsigntools. If grub2 starts, I think there is in general no information that grub2 is booted in a secure boot environment.

Why do you need that?

> Is there a possibility to show that in grub2? I found no way to do that.

If there is a use case, why not.

> Are you interested in having the possibility to show the uefi secure boot status (e.g. EFI variable secureboot)?

I am going to work on shim protocol verification for Multiboot2 compatible images. I hope that it will be taken into GRUB2 2.03.

Daniel
UEFI secure boot
Hi all,

I have a question regarding grub2 in relation to UEFI secure boot. I do use a grub2 efi binary which is signed with sbsigntools. If grub2 starts, I think there is in general no information that grub2 is booted in a secure boot environment. Is there a possibility to show that in grub2? I found no way to do that.

Are you interested in having the possibility to show the uefi secure boot status (e.g. EFI variable secureboot)?

Best regards,
Dennis
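Added example, not code from the patch, from GRUB or from the kernel: a small C program that reads the SecureBoot and SetupMode variables through Linux efivarfs (which is one way to show the status Dennis asks about from a booted system) and applies the decision rule from Ignat's patch, together with the missing-variable and size handling that the review asks the patch to take from the kernel's efi_get_secureboot(). The efivarfs path, the SB_* enum names and the read_efivar()/secureboot_mode() helpers are this example's own.

```c
/* Added example, not GRUB or kernel code: decide the Secure Boot state like the
 * patch's grub_efi_secureboot_mode() (SecureBoot == 0 or SetupMode == 1 means
 * disabled), plus the cases the review raises: a missing SecureBoot variable
 * counts as disabled, any other read failure or non-1-byte value as unknown.
 * Linux exposes the variables via efivarfs: 4 attribute bytes, then the data. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Same values the patch stores in boot_params.secure_boot (offset 0x1ec). */
enum sb_mode { SB_UNSET = 0, SB_UNKNOWN = 1, SB_DISABLED = 2, SB_ENABLED = 3 };
/* efivarfs path prefix and the EFI global variable GUID both variables use. */
#define EFIVARS "/sys/firmware/efi/efivars/"
#define GLOBAL_GUID "8be4df61-93ca-11d2-aa0d-00e098032b8c"

/* Read one efivarfs file into out, skipping the 4 attribute bytes. Returns the
 * data length, 0 if the variable does not exist, -1 on any other error. */
int read_efivar(const char *path, uint8_t *out, size_t cap)
{
  uint8_t attrs[4];
  FILE *f = fopen(path, "rb");
  if (!f)
    return errno == ENOENT ? 0 : -1;
  if (fread(attrs, 1, sizeof attrs, f) != sizeof attrs) {
    fclose(f);
    return -1;
  }
  size_t n = fread(out, 1, cap, f);
  int err = ferror(f);
  fclose(f);
  return err ? -1 : (int) n;
}

/* sb_len / sm_len follow the read_efivar() return convention above. */
enum sb_mode secureboot_mode(const uint8_t *sb, int sb_len,
                             const uint8_t *sm, int sm_len)
{
  if (sb_len == 0)                 /* no SecureBoot variable at all */
    return SB_DISABLED;
  if (sb_len != 1 || sm_len != 1)  /* read error or malformed value */
    return SB_UNKNOWN;
  return (sb[0] == 0 || sm[0] == 1) ? SB_DISABLED : SB_ENABLED;
}

int main(void)
{
  static const char *const names[] = { "unset", "unknown", "disabled", "enabled" };
  uint8_t sb[8], sm[8];
  int sb_len = read_efivar(EFIVARS "SecureBoot-" GLOBAL_GUID, sb, sizeof sb);
  int sm_len = read_efivar(EFIVARS "SetupMode-" GLOBAL_GUID, sm, sizeof sm);
  printf("Secure Boot: %s\n", names[secureboot_mode(sb, sb_len, sm, sm_len)]);
  return 0;
}
```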