Commit f78e7a4b authored by Colin Watson

Don't enforce Shim signature validation if Secure Boot is disabled

parents 7981cb3a 614ea062
# see git-dpm(1) from git-dpm package
0eb3bf3318b2c6b964250f2d34feb45024f667bd
0eb3bf3318b2c6b964250f2d34feb45024f667bd
614ea0626131fc49f82d80e6459a200b8bc8e591
614ea0626131fc49f82d80e6459a200b8bc8e591
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
grub2_2.02+dfsg1.orig.tar.xz
grub2 (2.02+dfsg1-9) UNRELEASED; urgency=medium
[ Colin Watson ]
* Sync Maintainer/Uploaders in debian/signing-template/control.in with the
main packaging.
* Tell reportbug to submit bug reports against unsigned packages rather
......@@ -12,6 +13,9 @@ grub2 (2.02+dfsg1-9) UNRELEASED; urgency=medium
(closes: #907596, #909420, #915091).
* Build with GCC 8 (closes: #915735).
[ Matthew Garrett ]
* Don't enforce Shim signature validation if Secure Boot is disabled.
-- Colin Watson <cjwatson@debian.org> Fri, 02 Nov 2018 12:50:38 +0000
grub2 (2.02+dfsg1-8) unstable; urgency=medium
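Review bot: the trailer line `-- Colin Watson <cjwatson@debian.org>  Fri, 02 Nov 2018 12:50:38 +0000` in this hunk is older than the patch's own `Date: Wed, 5 Dec 2018` header and its `Last-Update: 2018-12-07`; that is fine while the entry is UNRELEASED, but the timestamp needs refreshing (dch -r) before upload so the changelog entry does not predate the change it records.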
From 614ea0626131fc49f82d80e6459a200b8bc8e591 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@google.com>
Date: Wed, 5 Dec 2018 15:07:21 -0800
Subject: Don't enforce Shim signature validation if Secure Boot is disabled
The linuxefi command fails if used on a system without shim, even if
Secure Boot is disabled. There's no need to do the validation if we're
not in Secure Boot mode (an attacker could just boot a modified grub),
so skip this to make it easier to use the Linux EFI entry point even on
non-Secure Boot systems.
Last-Update: 2018-12-07
Patch-Name: linuxefi-skip-validation-without-secure-boot.patch
---
grub-core/loader/i386/efi/linux.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index c2d77510f..0f4b0b4ab 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -58,6 +58,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
grub_efi_shim_lock_t *shim_lock;
grub_efi_status_t status;
+ if (! grub_efi_secure_boot())
+ {
+ grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
+ return 1;
+ }
+
grub_dprintf ("linuxefi", "Locating shim protocol\n");
shim_lock = grub_efi_locate_protocol(&guid, NULL);
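Review bot: the debug message in `grub_dprintf ("linuxefi", "secure boot not enabled, not validating");` lacks the trailing `\n` that the neighbouring `"Locating shim protocol\n"` message carries, so in debug output it will run into whatever is printed next; suggest `"secure boot not enabled, not validating\n"`. The early `return 1;` before the shim protocol is located makes the unverified image count as accepted, which matches the rationale in the description (with Secure Boot off the firmware would already run a modified grub, so shim's verify protocol adds nothing), but that reasoning holds only as long as `grub_efi_secure_boot()` reflects the firmware's actual Secure Boot state; a one-line comment above the check naming where that value comes from would help the next reader auditing this path.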
......@@ -98,3 +98,4 @@ fdt-move-prop_entry_size-to-fdt-h.patch
efi-fdt-set-address-size-cells-to-2-for-empty-tree.patch
linuxefi-update-to-new-interfaces.patch
gcc-8-packed-not-aligned.patch
linuxefi-skip-validation-without-secure-boot.patch
......@@ -58,6 +58,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
grub_efi_shim_lock_t *shim_lock;
grub_efi_status_t status;
if (! grub_efi_secure_boot())
{
grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
return 1;
}
grub_dprintf ("linuxefi", "Locating shim protocol\n");
shim_lock = grub_efi_locate_protocol(&guid, NULL);
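Review bot: the six inserted lines in this hunk (the `if (! grub_efi_secure_boot())` block and the blank line after it) show no `+` markers in this rendering, although the `@@ -58,6 +58,12 @@` header accounts for exactly six insertions; the content matches the patch file above, which is what git-dpm expects for the patched tree, so nothing changes in the source, only the display. The missing `\n` on the `"secure boot not enabled, not validating"` message applies here as well and should be fixed in the patch file so both copies stay in sync.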