From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Fri, 4 Mar 2022 11:29:31 +0100 Subject: [PATCH] grub-core/loader/arm64/linux.c: do not validate kernel twice Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes the kernel file through shim-lock verifier when secureboot is on. Thus there is no need to validate the kernel image again. And when doing so again, duplicate PCR measurement is performed, breaking measurements compatibility with 2.04+linuxefi. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. Signed-off-by: Dimitri John Ledkov --- grub-core/loader/arm64/linux.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c index f18d90bd749..d2af47c2c0a 100644 --- a/grub-core/loader/arm64/linux.c +++ b/grub-core/loader/arm64/linux.c @@ -34,7 +34,6 @@ #include #include #include -#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -341,7 +340,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), grub_off_t filelen; grub_uint32_t align; void *kernel = NULL; - int rc; grub_dl_ref (my_mod); @@ -370,17 +368,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } - if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) - { - rc = grub_linuxefi_secure_validate (kernel, filelen); - if (rc <= 0) - { - grub_error (GRUB_ERR_INVALID_COMMAND, - N_("%s has invalid signature"), argv[0]); - goto fail; - } - } - if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE) goto fail; if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)