[grub2: 7/8] Update to 2.00 release.
Peter Jones
pjones at fedoraproject.org
Thu Jun 28 19:02:30 UTC 2012
commit 4ce656b37051aa6d3ac2b41bf9ea4c64a0ba79a7
Author: Peter Jones <pjones at redhat.com>
Date: Thu Jun 28 14:50:33 2012 -0400
Update to 2.00 release.
...-2.00-who-trusts-you-and-who-do-you-trust.patch | 217 ++++++++++++++++++++
grub2.spec | 7 +-
sources | 2 +-
3 files changed, 222 insertions(+), 4 deletions(-)
---
diff --git a/grub-2.00-who-trusts-you-and-who-do-you-trust.patch b/grub-2.00-who-trusts-you-and-who-do-you-trust.patch
new file mode 100644
index 0000000..6a0b922
--- /dev/null
+++ b/grub-2.00-who-trusts-you-and-who-do-you-trust.patch
@@ -0,0 +1,217 @@
+From 44cee23d139fe8faaca2622cc09041b1d684265b Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones at redhat.com>
+Date: Tue, 5 Jun 2012 09:23:25 -0400
+Subject: [PATCH] Support secure boot.
+
+If SecureBoot is enabled, treat all authentications as failure, and also
+use shim's verify routine to verify the kernel before loading.
+---
+ grub-core/loader/i386/linux.c | 26 +++++++++++++
+ grub-core/normal/auth.c | 85 +++++++++++++++++++++++++++++++++++++++++
+ grub-core/normal/main.c | 4 +-
+ grub-core/normal/menu_entry.c | 5 ++-
+ include/grub/auth.h | 3 ++
+ 5 files changed, 121 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 6e8238e..090484c 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -34,6 +34,7 @@
+ #include <grub/i386/relocator.h>
+ #include <grub/i18n.h>
+ #include <grub/lib/cmdline.h>
++#include <grub/auth.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -681,6 +682,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ int relocatable;
+ grub_uint64_t preffered_address = GRUB_LINUX_BZIMAGE_ADDR;
+
++ void *buffer;
++ grub_err_t verified;
++
+ grub_dl_ref (my_mod);
+
+ if (argc == 0)
+@@ -693,6 +697,28 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ if (! file)
+ goto fail;
+
++ buffer = grub_malloc(grub_file_size(file));
++ if (!buffer)
++ return grub_errno;
++
++ if (grub_file_read (file, buffer, grub_file_size(file)))
++ {
++ if (!grub_errno)
++ grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
++ argv[0]);
++ goto fail;
++ }
++
++ verified = grub_auth_verify_signature(buffer, grub_file_size(file));
++ grub_free(buffer);
++ if (verified != GRUB_ERR_NONE)
++ {
++ grub_errno = verified;
++ goto fail;
++ }
++
++ grub_free(buffer);
++ grub_file_seek(file, 0);
+ if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
+ {
+ if (!grub_errno)
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
+index c6bd96e..3e83ee8 100644
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -24,6 +24,8 @@
+ #include <grub/normal.h>
+ #include <grub/time.h>
+ #include <grub/i18n.h>
++#include <grub/efi/api.h>
++#include <grub/efi/efi.h>
+
+ struct grub_auth_user
+ {
+@@ -198,6 +200,89 @@ grub_username_get (char buf[], unsigned buf_size)
+ }
+
+ grub_err_t
++grub_auth_secure_boot (void)
++{
++#ifdef GRUB_MACHINE_EFI
++ grub_size_t datasize = 0;
++ grub_uint8_t *data;
++ grub_efi_guid_t guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ unsigned int x;
++
++ data = grub_efi_get_variable ("SecureBoots", &guid, &datasize);
++ if (!data)
++ return GRUB_ERR_NONE;
++
++ for (x = 0; x < datasize; x++)
++ if (data[x] == 1)
++ return GRUB_ACCESS_DENIED;
++#endif
++
++ return GRUB_ERR_NONE;
++}
++
++int
++grub_is_secure_boot (void)
++{
++ return grub_auth_secure_boot() == GRUB_ACCESS_DENIED;
++}
++
++#define SHIM_LOCK_GUID \
++ { 0x605dab50, 0xe046, 0x4300, {0xab,0xb6,0x3d,0xd8,0x10,0xdd,0x8b,0x23} }
++
++typedef grub_efi_status_t (*EFI_SHIM_LOCK_VERIFY)(void *buffer, grub_efi_uint32_t size);
++
++typedef struct _SHIM_LOCK {
++ EFI_SHIM_LOCK_VERIFY Verify;
++} SHIM_LOCK;
++
++grub_err_t
++grub_auth_verify_signature (void *buffer, grub_uint32_t size)
++{
++#ifdef GRUB_MACHINE_EFI
++ grub_efi_guid_t shim_guid = SHIM_LOCK_GUID;
++ SHIM_LOCK *shim = NULL;
++ grub_efi_handle_t *handles, shim_handle = NULL;
++ grub_efi_uintn_t num_handles, i;
++ grub_efi_status_t status;
++
++ if (!grub_is_secure_boot())
++ return GRUB_ERR_NONE;
++
++ handles = grub_efi_locate_handle (GRUB_EFI_BY_PROTOCOL, &shim_guid, NULL,
++ &num_handles);
++ if (!handles || num_handles == 0)
++no_verify:
++ return grub_error (GRUB_ACCESS_DENIED, "Could not find signature verification routine");
++
++ for (i = 0; i < num_handles; i++)
++ {
++ shim_handle = handles[i];
++ shim = grub_efi_open_protocol (shim_handle, &shim_guid,
++ GRUB_EFI_OPEN_PROTOCOL_GET_PROTOCOL);
++ if (shim)
++ break;
++ }
++
++ if (!shim)
++ {
++ grub_free(handles);
++ goto no_verify;
++ }
++
++ status = shim->Verify(buffer, size);
++
++ grub_free(handles);
++
++ if (status == GRUB_EFI_SUCCESS)
++ return GRUB_ERR_NONE;
++
++ return grub_error (GRUB_ACCESS_DENIED, "Signature verification failed");
++#else
++ return GRUB_ERR_NONE;
++#endif
++}
++
++grub_err_t
+ grub_auth_check_authentication (const char *userlist)
+ {
+ char login[1024];
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 193d7d3..1e321a4 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -455,7 +455,9 @@ grub_cmdline_run (int nested)
+ {
+ grub_err_t err = GRUB_ERR_NONE;
+
+- err = grub_auth_check_authentication (NULL);
++ err = grub_auth_secure_boot ();
++ if (err == GRUB_ERR_NONE)
++ err = grub_auth_check_authentication (NULL);
+
+ if (err)
+ {
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index 7fc890d..4e7a08c 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -1287,7 +1287,10 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+ unsigned i;
+ grub_term_output_t term;
+
+- err = grub_auth_check_authentication (NULL);
++
++ err = grub_auth_secure_boot ();
++ if (err == GRUB_ERR_NONE)
++ err = grub_auth_check_authentication (NULL);
+
+ if (err)
+ {
+diff --git a/include/grub/auth.h b/include/grub/auth.h
+index 7473344..b933fa1 100644
+--- a/include/grub/auth.h
++++ b/include/grub/auth.h
+@@ -32,6 +32,9 @@ grub_err_t grub_auth_unregister_authentication (const char *user);
+
+ grub_err_t grub_auth_authenticate (const char *user);
+ grub_err_t grub_auth_deauthenticate (const char *user);
++grub_err_t grub_auth_secure_boot (void);
++int grub_is_secure_boot (void);
++grub_err_t grub_auth_verify_signature (void *buffer, grub_uint32_t size);
+ grub_err_t grub_auth_check_authentication (const char *userlist);
+
+ #endif /* ! GRUB_AUTH_HEADER */
+--
+1.7.10.2
+
diff --git a/grub2.spec b/grub2.spec
index 7b52b18..21d5516 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -33,13 +33,13 @@
%endif
-%global tarversion 2.00~rc1
+%global tarversion 2.00
%undefine _missing_build_ids_terminate_build
Name: grub2
Epoch: 1
-Version: 2.0
-Release: 0.37.rc1%{?dist}
+Version: 2.00
+Release: 1%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
Group: System Environment/Base
@@ -55,6 +55,7 @@ Patch5: grub-1.99-ppc-terminfo.patch
Patch10: grub-2.00-add-fw_path-search.patch
Patch11: grub-2.00-Add-fwsetup.patch
Patch13: grub-2.00-Dont-set-boot-on-ppc.patch
+Patch19: grub-2.00-who-trusts-you-and-who-do-you-trust.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
diff --git a/sources b/sources
index 0fefdba..e02ad33 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
8c28087c5fcb3188f1244b390efffdbe unifont-5.1.20080820.pcf.gz
5e5c7bae1211f558e3c0a3011fef8609 theme.tar.bz2
-5e4e66785eef00384aedc29770e86f3d grub-2.00~beta6.tar.xz
+a1043102fbc7bcedbf53e7ee3d17ab91 grub-2.00.tar.xz
More information about the scm-commits
mailing list