Merge ~juliank/grub/+git/ubuntu:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

Proposed by Julian Andres Klode
Status: Merged
Merged at revision: f334ceef8d79d9389737e2ddff3eb39c6674ec41
Proposed branch: ~juliank/grub/+git/ubuntu:ubuntu
Merge into: ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Diff against target: 302 lines (+186/-30)
7 files modified
debian/.git-dpm (+2/-2)
debian/changelog (+3/-1)
debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+118/-0)
debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch (+25/-0)
debian/patches/series (+2/-0)
grub-core/loader/i386/efi/linux.c (+10/-6)
grub-core/loader/i386/linux.c (+26/-21)
Reviewer Review Type Date Requested Status
Dimitri John Ledkov Pending
Review via email: mp+380563@code.launchpad.net

Preview Diff

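--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-79d4ae1df7b63ef106a85ad18bfedb6d709ef29a
-79d4ae1df7b63ef106a85ad18bfedb6d709ef29a
+e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9
+e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz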
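--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,10 @@
 grub2 (2.04-1ubuntu22) UNRELEASED; urgency=medium
 
 * smbios: Add a --linux argument to apply linux modalias-like filtering
+ * Make the linux command in EFI grub always try EFI handover; thanks
+ to Chris Coulson for the patches (LP: #1864533)
 
- -- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 14:16:40 +0100
+ -- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 16:47:03 +0100
 
 grub2 (2.04-1ubuntu21) focal; urgency=medium
 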
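--- /dev/null
+++ b/debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
@@ -0,0 +1,118 @@
+From a9ec17dcc442a6a0b09e480ca864746438cc3fad Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 11 Mar 2020 16:46:00 +0100
+Subject: ubuntu: Make the linux command in EFI grub always try EFI handover
+
+The previous implementation only boots via the EFI handover protocol when
+secure boot is enabled. This means that disabling secure boot breaks some
+features that depend on the kernel being booted via the EFI handover entry
+point, such as retrieval of the TCG event log.
+
+Update the linux command to always attempt to defer to linuxefi in EFI grub
+builds, regardless of whether secure boot is enabled or not. This also allows
+a fallback to the non-EFI handover path on kernels that don't support it, but
+only if secure boot is disabled.
+---
+ grub-core/loader/i386/efi/linux.c | 14 +++++----
+ grub-core/loader/i386/linux.c | 47 +++++++++++++++++--------------
+ 2 files changed, 35 insertions(+), 26 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 6b6aef87f..fe3ca2c59 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -27,6 +27,7 @@
+ #include <grub/lib/cmdline.h>
+ #include <grub/efi/efi.h>
+ #include <grub/efi/linux.h>
++#include <grub/efi/sb.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+
+- rc = grub_linuxefi_secure_validate (kernel, filelen);
+- if (rc < 0)
++ if (grub_efi_secure_boot ())
+ {
+- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+- argv[0]);
+- goto fail;
++ rc = grub_linuxefi_secure_validate (kernel, filelen);
++ if (rc < 0)
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
++ argv[0]);
++ goto fail;
++ }
+ }
+
+ params = grub_efi_allocate_pages_max (0x3fffffff,
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 4328bcbdb..991eb29db 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+
+ #ifdef GRUB_MACHINE_EFI
+ using_linuxefi = 0;
+- if (grub_efi_secure_boot ())
+- {
+- /* linuxefi requires a successful signature check and then hand over
+ to the kernel without calling ExitBootServices. */
+ grub_dl_t mod;
+ grub_command_t linuxefi_cmd;
+
+- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
++ grub_dl_t mod;
++ grub_command_t linuxefi_cmd;
++
++ grub_dprintf ("linux", "Trying linuxefi\n");
+
+- mod = grub_dl_load ("linuxefi");
+- if (mod)
++ mod = grub_dl_load ("linuxefi");
++ if (mod)
++ {
++ grub_dl_ref (mod);
++ linuxefi_cmd = grub_command_find ("linuxefi");
++ initrdefi_cmd = grub_command_find ("initrdefi");
++ if (linuxefi_cmd && initrdefi_cmd)
+ {
+- grub_dl_ref (mod);
+- linuxefi_cmd = grub_command_find ("linuxefi");
+- initrdefi_cmd = grub_command_find ("initrdefi");
+- if (linuxefi_cmd && initrdefi_cmd)
++ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
++ if (grub_errno == GRUB_ERR_NONE)
++ {
++ grub_dprintf ("linux", "Handing off to linuxefi\n");
++ using_linuxefi = 1;
++ return GRUB_ERR_NONE;
++ }
++ else if (grub_efi_secure_boot ())
+ {
+- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+- if (grub_errno == GRUB_ERR_NONE)
+- {
+- grub_dprintf ("linux", "Handing off to linuxefi\n");
+- using_linuxefi = 1;
+- return GRUB_ERR_NONE;
+- }
+- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
++ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
+ goto fail;
+ }
+ }
+ }
++
++ if (grub_efi_secure_boot ())
++ {
++ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
++ goto fail;
++ }
+ #endif
+
+ if (argc == 0)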
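--- /dev/null
+++ b/debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch
@@ -0,0 +1,25 @@
+From e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 11 Mar 2020 16:46:41 +0100
+Subject: ubuntu: Update the linux boot protocol version check.
+
+The EFI implementation of grub_cmd_linux makes use of xloadflags which was
+introduced in to version 2.12 of the kernel's boot protocol, so update the
+check accordingly.
+---
+ grub-core/loader/i386/efi/linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index fe3ca2c59..2929da7a2 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -245,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ }
+
+ grub_dprintf ("linuxefi", "checking lh->version\n");
+- if (lh->version < grub_cpu_to_le16 (0x020b))
++ if (lh->version < grub_cpu_to_le16 (0x020c))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
+ goto fail;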
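--- a/debian/patches/series
+++ b/debian/patches/series
@@ -74,3 +74,5 @@ cherrypick-smbios-module.patch
 cherrypick-lsefisystab-show-dtb.patch
 0075-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
 0076-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
+0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
+0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch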
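--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -27,6 +27,7 @@
 #include <grub/lib/cmdline.h>
 #include <grub/efi/efi.h>
 #include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 goto fail;
 }
 
- rc = grub_linuxefi_secure_validate (kernel, filelen);
- if (rc < 0)
+ if (grub_efi_secure_boot ())
 {
- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
- argv[0]);
- goto fail;
+ rc = grub_linuxefi_secure_validate (kernel, filelen);
+ if (rc < 0)
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+ argv[0]);
+ goto fail;
+ }
 }
 
 params = grub_efi_allocate_pages_max (0x3fffffff,
@@ -241,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 }
 
 grub_dprintf ("linuxefi", "checking lh->version\n");
- if (lh->version < grub_cpu_to_le16 (0x020b))
+ if (lh->version < grub_cpu_to_le16 (0x020c))
 {
 grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
 goto fail;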
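Review bot: In the `@@ -195,12 +196,15 @@` hunk the new `if (grub_efi_secure_boot ())` guard makes `grub_linuxefi_secure_validate` conditional, and nothing in the code records that skipping the signature check is a deliberate policy. A comment above the guard would state it, e.g. `/* Signature validation is enforced only under Secure Boot; with it disabled, linuxefi also performs the EFI handover for unverified kernels. */`. The outcome now rests entirely on what `grub_efi_secure_boot ()` returns when the firmware state cannot be read, which is not visible on this page; it is worth confirming that this case is reported as enabled so the check fails closed. `grub_cmd_linux` starts and ends outside the hunk.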
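--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
 #ifdef GRUB_MACHINE_EFI
 using_linuxefi = 0;
- if (grub_efi_secure_boot ())
- {
- /* linuxefi requires a successful signature check and then hand over
- to the kernel without calling ExitBootServices. */
- grub_dl_t mod;
- grub_command_t linuxefi_cmd;
 
- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
+ grub_dl_t mod;
+ grub_command_t linuxefi_cmd;
+
+ grub_dprintf ("linux", "Trying linuxefi\n");
 
- mod = grub_dl_load ("linuxefi");
- if (mod)
+ mod = grub_dl_load ("linuxefi");
+ if (mod)
+ {
+ grub_dl_ref (mod);
+ linuxefi_cmd = grub_command_find ("linuxefi");
+ initrdefi_cmd = grub_command_find ("initrdefi");
+ if (linuxefi_cmd && initrdefi_cmd)
 {
- grub_dl_ref (mod);
- linuxefi_cmd = grub_command_find ("linuxefi");
- initrdefi_cmd = grub_command_find ("initrdefi");
- if (linuxefi_cmd && initrdefi_cmd)
+ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+ if (grub_errno == GRUB_ERR_NONE)
+ {
+ grub_dprintf ("linux", "Handing off to linuxefi\n");
+ using_linuxefi = 1;
+ return GRUB_ERR_NONE;
+ }
+ else if (grub_efi_secure_boot ())
 {
- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
- if (grub_errno == GRUB_ERR_NONE)
- {
- grub_dprintf ("linux", "Handing off to linuxefi\n");
- using_linuxefi = 1;
- return GRUB_ERR_NONE;
- }
- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
+ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
 goto fail;
 }
 }
 }
+
+ if (grub_efi_secure_boot ())
+ {
+ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
+ goto fail;
+ }
 #endif
 
 if (argc == 0)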
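Review bot: The trailing `if (grub_efi_secure_boot ())` refusal reports only through `grub_dprintf`, so when the module loads but `grub_command_find` returns NULL the jump to `fail` may be taken with `grub_errno` still `GRUB_ERR_NONE`; the `fail` label is outside the hunk, so what the command then returns should be checked. Setting an explicit error there, e.g. `grub_error (GRUB_ERR_ACCESS_DENIED, N_("cannot hand off to linuxefi while secure boot is enabled"));`, keeps the fail-closed path visible to the user and the caller. With secure boot disabled, a failed linuxefi call now falls through to the legacy loader with `grub_errno` still set by linuxefi; consider `grub_errno = GRUB_ERR_NONE;` before continuing, plus a short comment that the fallback is intended only when secure boot is off. The new `grub_dprintf("linux", ...)` call also lacks the space before the parenthesis that the rest of the hunk uses.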
