Update to 2.00 release.

2012-06-28 14:50:33 -04:00 · 2012-06-28 14:50:33 -04:00 · 4ce656b370
commit 4ce656b370
parent 3734d8af18
3 changed files with 222 additions and 4 deletions
--- a/grub-2.00-who-trusts-you-and-who-do-you-trust.patch
+++ b/grub-2.00-who-trusts-you-and-who-do-you-trust.patch
@ -0,0 +1,217 @@
+From 44cee23d139fe8faaca2622cc09041b1d684265b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Tue, 5 Jun 2012 09:23:25 -0400
+Subject: [PATCH] Support secure boot.
+
+If SecureBoot is enabled, treat all authentications as failure, and also
+use shim's verify routine to verify the kernel before loading.
+---
+ grub-core/loader/i386/linux.c |   26 +++++++++++++
+ grub-core/normal/auth.c       |   85 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/normal/main.c       |    4 +-
+ grub-core/normal/menu_entry.c |    5 ++-
+ include/grub/auth.h           |    3 ++
+ 5 files changed, 121 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 6e8238e..090484c 100644
+--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
+@@ -34,6 +34,7 @@
+ #include <grub/i386/relocator.h>
+ #include <grub/i18n.h>
+ #include <grub/lib/cmdline.h>
+#include <grub/auth.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -681,6 +682,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   int relocatable;
+   grub_uint64_t preffered_address = GRUB_LINUX_BZIMAGE_ADDR;
+ 
+  void *buffer;
+  grub_err_t verified;
+
+   grub_dl_ref (my_mod);
+ 
+   if (argc == 0)
+@@ -693,6 +697,28 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+   if (! file)
+     goto fail;
+ 
+  buffer = grub_malloc(grub_file_size(file));
+  if (!buffer)
+    return grub_errno;
+
+  if (grub_file_read (file, buffer, grub_file_size(file)))
+    {
+      if (!grub_errno)
+	grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
+		    argv[0]);
+      goto fail;
+    }
+
+  verified = grub_auth_verify_signature(buffer, grub_file_size(file));
+  grub_free(buffer);
+  if (verified != GRUB_ERR_NONE)
+    {
+      grub_errno = verified;
+      goto fail;
+    }
+
+  grub_free(buffer);
+  grub_file_seek(file, 0);
+   if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
+     {
+       if (!grub_errno)
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
+index c6bd96e..3e83ee8 100644
+--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
+@@ -24,6 +24,8 @@
+ #include <grub/normal.h>
+ #include <grub/time.h>
+ #include <grub/i18n.h>
+#include <grub/efi/api.h>
+#include <grub/efi/efi.h>
+ 
+ struct grub_auth_user
+ {
+@@ -198,6 +200,89 @@ grub_username_get (char buf[], unsigned buf_size)
+ }
+ 
+ grub_err_t
+grub_auth_secure_boot (void)
+{
+#ifdef GRUB_MACHINE_EFI
+  grub_size_t datasize = 0;
+  grub_uint8_t *data;
+  grub_efi_guid_t guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  unsigned int x;
+
+  data = grub_efi_get_variable ("SecureBoots", &guid, &datasize);
+  if (!data)
+    return GRUB_ERR_NONE;
+
+  for (x = 0; x < datasize; x++)
+    if (data[x] == 1)
+      return GRUB_ACCESS_DENIED;
+#endif
+
+  return GRUB_ERR_NONE;
+}
+
+int
+grub_is_secure_boot (void)
+{
+  return grub_auth_secure_boot() == GRUB_ACCESS_DENIED;
+}
+
+#define SHIM_LOCK_GUID \
+  { 0x605dab50, 0xe046, 0x4300, {0xab,0xb6,0x3d,0xd8,0x10,0xdd,0x8b,0x23} }
+
+typedef grub_efi_status_t (*EFI_SHIM_LOCK_VERIFY)(void *buffer, grub_efi_uint32_t size);
+
+typedef struct _SHIM_LOCK {
+    EFI_SHIM_LOCK_VERIFY Verify;
+} SHIM_LOCK;
+
+grub_err_t
+grub_auth_verify_signature (void *buffer, grub_uint32_t size)
+{
+#ifdef GRUB_MACHINE_EFI
+  grub_efi_guid_t shim_guid = SHIM_LOCK_GUID;
+  SHIM_LOCK *shim = NULL;
+  grub_efi_handle_t *handles, shim_handle = NULL;
+  grub_efi_uintn_t num_handles, i;
+  grub_efi_status_t status;
+
+  if (!grub_is_secure_boot())
+    return GRUB_ERR_NONE;
+
+  handles = grub_efi_locate_handle (GRUB_EFI_BY_PROTOCOL, &shim_guid, NULL,
+				    &num_handles);
+  if (!handles || num_handles == 0)
+no_verify:
+    return grub_error (GRUB_ACCESS_DENIED, "Could not find signature verification routine");
+
+  for (i = 0; i < num_handles; i++)
+    {
+      shim_handle = handles[i];
+      shim = grub_efi_open_protocol (shim_handle, &shim_guid,
+				     GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
+      if (shim)
+	break;
+    }
+
+  if (!shim)
+    {
+      grub_free(handles);
+      goto no_verify;
+    }
+
+  status = shim->Verify(buffer, size);
+
+  grub_free(handles);
+
+  if (status == GRUB_EFI_SUCCESS)
+    return GRUB_ERR_NONE;
+
+  return grub_error (GRUB_ACCESS_DENIED, "Signature verification failed");
+#else
+  return GRUB_ERR_NONE;
+#endif
+}
+
+grub_err_t
+ grub_auth_check_authentication (const char *userlist)
+ {
+   char login[1024];
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 193d7d3..1e321a4 100644
+--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
+@@ -455,7 +455,9 @@ grub_cmdline_run (int nested)
+ {
+   grub_err_t err = GRUB_ERR_NONE;
+ 
+-  err = grub_auth_check_authentication (NULL);
+  err = grub_auth_secure_boot ();
+  if (err == GRUB_ERR_NONE)
+    err = grub_auth_check_authentication (NULL);
+ 
+   if (err)
+     {
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 7fc890d..4e7a08c 100644
+--- a/grub-core/normal/menu_entry.c
+++ b/grub-core/normal/menu_entry.c
+@@ -1287,7 +1287,10 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+   unsigned i;
+   grub_term_output_t term;
+ 
+-  err = grub_auth_check_authentication (NULL);
+
+  err = grub_auth_secure_boot ();
+  if (err == GRUB_ERR_NONE)
+    err = grub_auth_check_authentication (NULL);
+ 
+   if (err)
+     {
+diff --git a/include/grub/auth.h b/include/grub/auth.h
+index 7473344..b933fa1 100644
+--- a/include/grub/auth.h
+++ b/include/grub/auth.h
+@@ -32,6 +32,9 @@ grub_err_t grub_auth_unregister_authentication (const char *user);
+ 
+ grub_err_t grub_auth_authenticate (const char *user);
+ grub_err_t grub_auth_deauthenticate (const char *user);
+grub_err_t grub_auth_secure_boot (void);
+int grub_is_secure_boot (void);
+grub_err_t grub_auth_verify_signature (void *buffer, grub_uint32_t size);
+ grub_err_t grub_auth_check_authentication (const char *userlist);
+ 
+ #endif /* ! GRUB_AUTH_HEADER */
+-- 
+1.7.10.2
+
--- a/grub2.spec
+++ b/grub2.spec
@ -33,13 +33,13 @@

 %endif

-%global tarversion 2.00~rc1
+%global tarversion 2.00
 %undefine _missing_build_ids_terminate_build

 Name:           grub2
 Epoch:          1
-Version:        2.0
-Release:        0.37.rc1%{?dist}
+Version:        2.00
+Release:        1%{?dist}
 Summary:        Bootloader with support for Linux, Multiboot and more

 Group:          System Environment/Base
@ -55,6 +55,7 @@ Patch5:		grub-1.99-ppc-terminfo.patch
 Patch10:	grub-2.00-add-fw_path-search.patch
 Patch11:	grub-2.00-Add-fwsetup.patch
 Patch13:	grub-2.00-Dont-set-boot-on-ppc.patch
+Patch19:	grub-2.00-who-trusts-you-and-who-do-you-trust.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

--- a/2
+++ b/2
@ -1,3 +1,3 @@
 8c28087c5fcb3188f1244b390efffdbe  unifont-5.1.20080820.pcf.gz
 5e5c7bae1211f558e3c0a3011fef8609  theme.tar.bz2
-5e4e66785eef00384aedc29770e86f3d  grub-2.00~beta6.tar.xz
+a1043102fbc7bcedbf53e7ee3d17ab91  grub-2.00.tar.xz