deleted file mode 100644

@@ -1,663 +0,0 @@

-From e5d5e5a259a9827e4d6e41e49085f730c773c178 Mon Sep 17 00:00:00 2001

-From: Alexey Makhalov <amakhalov@vmware.com>

-Date: Tue, 10 Jul 2012 11:58:52 -0400

-Subject: [PATCH] Secure Boot support

-

-New commands: linuxefi, initrdefi

-If running under secure boot use linuxefi loader only and linux

-command is fallback to linuxefi.

-Forbid dl file loading (insmod and similar) when secure boot is enabled.

- grub-core/Makefile.core.def       |   8 +

- grub-core/kern/dl.c               |  21 +++

- grub-core/kern/efi/efi.c          |  30 +++

- grub-core/kern/efi/mm.c           |  32 ++++

- grub-core/loader/i386/efi/linux.c | 387 ++++++++++++++++++++++++++++++++++++++

- grub-core/loader/i386/linux.c     |  45 +++++

- include/grub/efi/efi.h            |   4 +

- include/grub/i386/linux.h         |   1 +

- 8 files changed, 528 insertions(+)

- create mode 100644 grub-core/loader/i386/efi/linux.c

-

-diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def

-index 2dfa22a..68e47a7 100644

-+++ b/grub-core/Makefile.core.def

-@@ -1734,6 +1734,14 @@ module = {

- };

- 

- module = {

-+  name = linuxefi;

-+  efi = loader/i386/efi/linux.c;

-+  efi = lib/cmdline.c;

-+  enable = i386_efi;

-+  enable = x86_64_efi;

-+};

-+

-+module = {

-   name = chain;

-   efi = loader/efi/chainloader.c;

-   i386_pc = loader/i386/pc/chainloader.c;

-diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c

-index e394cd9..04e804d 100644

-+++ b/grub-core/kern/dl.c

-@@ -38,6 +38,14 @@

- #define GRUB_MODULES_MACHINE_READONLY

- #endif

- 

-+#ifdef GRUB_MACHINE_EMU

-+#include <sys/mman.h>

-+#endif

-+

-+#ifdef GRUB_MACHINE_EFI

-+#include <grub/efi/efi.h>

-+#endif

-+

- 

- 

- #pragma GCC diagnostic ignored "-Wcast-align"

-@@ -686,6 +694,19 @@ grub_dl_load_file (const char *filename)

-   void *core = 0;

-   grub_dl_t mod = 0;

- 

-+#ifdef GRUB_MACHINE_EFI

-+  if (grub_efi_secure_boot ())

-+    {

-+#if 0

-+      /* This is an error, but grub2-mkconfig still generates a pile of

-+       * insmod commands, so emitting it would be mostly just obnoxious. */

-+      grub_error (GRUB_ERR_ACCESS_DENIED,

-+		  "Secure Boot forbids loading module from %s", filename);

-+#endif

-+      return 0;

-+    }

-+#endif

-+

-   grub_boot_time ("Loading module %s", filename);

- 

-   file = grub_file_open (filename);

-diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c

-index d467785..270eba8 100644

-+++ b/grub-core/kern/efi/efi.c

-@@ -264,6 +264,36 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,

-   return NULL;

- }

- 

-+grub_efi_boolean_t

-+grub_efi_secure_boot (void)

-+{

-+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;

-+  grub_size_t datasize;

-+  char *secure_boot = NULL;

-+  char *setup_mode = NULL;

-+  grub_efi_boolean_t ret = 0;

-+

-+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);

-+

-+  if (datasize != 1 || !secure_boot)

-+    goto out;

-+

-+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);

-+

-+  if (datasize != 1 || !setup_mode)

-+    goto out;

-+

-+  if (*secure_boot && !*setup_mode)

-+    ret = 1;

-+

-+  grub_dprintf ("secureboot", "secure_boot = %d, setup_mode = %d\n",

-+    *secure_boot, *setup_mode);

-+ out:

-+  grub_free (secure_boot);

-+  grub_free (setup_mode);

-+  return ret;

-+}

-+

- #pragma GCC diagnostic ignored "-Wcast-align"

- 

- /* Search the mods section from the PE32/PE32+ image. This code uses

-diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c

-index 20a47aa..efb15cc 100644

-+++ b/grub-core/kern/efi/mm.c

-@@ -49,6 +49,38 @@ static grub_efi_uintn_t finish_desc_size;

- static grub_efi_uint32_t finish_desc_version;

- int grub_efi_is_finished = 0;

- 

-+/* Allocate pages below a specified address */

-+void *

-+grub_efi_allocate_pages_max (grub_efi_physical_address_t max,

-+			     grub_efi_uintn_t pages)

-+{

-+  grub_efi_status_t status;

-+  grub_efi_boot_services_t *b;

-+  grub_efi_physical_address_t address = max;

-+

-+  if (max > 0xffffffff)

-+    return 0;

-+

-+  b = grub_efi_system_table->boot_services;

-+  status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address);

-+

-+  if (status != GRUB_EFI_SUCCESS)

-+    return 0;

-+

-+  if (address == 0)

-+    {

-+      /* Uggh, the address 0 was allocated... This is too annoying,

-+	 so reallocate another one.  */

-+      address = max;

-+      status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_MAX_ADDRESS, GRUB_EFI_LOADER_DATA, pages, &address);

-+      grub_efi_free_pages (0, pages);

-+      if (status != GRUB_EFI_SUCCESS)

-+	return 0;

-+    }

-+

-+  return (void *) ((grub_addr_t) address);

-+}

-+

- /* Allocate pages. Return the pointer to the first of allocated pages.  */

- void *

- grub_efi_allocate_pages (grub_efi_physical_address_t address,

-diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c

-new file mode 100644

-index 0000000..78bc216

-+++ b/grub-core/loader/i386/efi/linux.c

-@@ -0,0 +1,387 @@

-+/*

-+ *  GRUB  --  GRand Unified Bootloader

-+ *  Copyright (C) 2012  Free Software Foundation, Inc.

-+ *

-+ *  GRUB is free software: you can redistribute it and/or modify

-+ *  it under the terms of the GNU General Public License as published by

-+ *  the Free Software Foundation, either version 3 of the License, or

-+ *  (at your option) any later version.

-+ *

-+ *  GRUB is distributed in the hope that it will be useful,

-+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

-+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

-+ *  GNU General Public License for more details.

-+ *

-+ *  You should have received a copy of the GNU General Public License

-+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.

-+ */

-+

-+#include <grub/loader.h>

-+#include <grub/file.h>

-+#include <grub/err.h>

-+#include <grub/misc.h>

-+#include <grub/types.h>

-+#include <grub/mm.h>

-+#include <grub/cpu/linux.h>

-+#include <grub/command.h>

-+#include <grub/i18n.h>

-+#include <grub/lib/cmdline.h>

-+#include <grub/efi/efi.h>

-+

-+GRUB_MOD_LICENSE ("GPLv3+");

-+

-+static grub_dl_t my_mod;

-+static int loaded;

-+static void *kernel_mem;

-+static grub_uint64_t kernel_size;

-+static grub_uint8_t *initrd_mem;

-+static grub_uint32_t handover_offset;

-+struct linux_kernel_params *params;

-+static char *linux_cmdline;

-+

-+#define BYTES_TO_PAGES(bytes)   (((bytes) + 0xfff) >> 12)

-+

-+#define SHIM_LOCK_GUID \

-+  { 0x605dab50, 0xe046, 0x4300, {0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23} }

-+

-+struct grub_efi_shim_lock

-+{

-+  grub_efi_status_t (*verify) (void *buffer, grub_uint32_t size);

-+};

-+typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;

-+

-+static grub_efi_boolean_t

-+grub_linuxefi_secure_validate (void *data, grub_uint32_t size)

-+{

-+  grub_efi_guid_t guid = SHIM_LOCK_GUID;

-+  grub_efi_shim_lock_t *shim_lock;

-+  grub_efi_status_t status;

-+

-+  grub_dprintf ("linuxefi", "Locating shim protocol\n");

-+  shim_lock = grub_efi_locate_protocol(&guid, NULL);

-+

-+  if (!shim_lock)

-+    {

-+      grub_dprintf ("linuxefi", "shim not available\n");

-+      return 0;

-+    }

-+

-+  grub_dprintf ("linuxefi", "Asking shim to verify kernel signature\n");

-+  status = shim_lock->verify(data, size);

-+  if (status == GRUB_EFI_SUCCESS)

-+    {

-+      grub_dprintf ("linuxefi", "Kernel signature verification passed\n");

-+      return 1;

-+    }

-+

-+  grub_dprintf ("linuxefi", "Kernel signature verification failed (0x%lx)\n",

-+		(unsigned long) status);

-+

-+  return 0;

-+}

-+

-+typedef void(*handover_func)(void *, grub_efi_system_table_t *, struct linux_kernel_params *);

-+

-+static grub_err_t

-+grub_linuxefi_boot (void)

-+{

-+  handover_func hf;

-+  int offset = 0;

-+

-+#ifdef __x86_64__

-+  offset = 512;

-+#endif

-+

-+  hf = (handover_func)((char *)kernel_mem + handover_offset + offset);

-+

-+  asm volatile ("cli");

-+

-+  hf (grub_efi_image_handle, grub_efi_system_table, params);

-+

-+  /* Not reached */

-+  return GRUB_ERR_NONE;

-+}

-+

-+static grub_err_t

-+grub_linuxefi_unload (void)

-+{

-+  grub_dl_unref (my_mod);

-+  loaded = 0;

-+  if (initrd_mem)

-+    grub_efi_free_pages((grub_efi_physical_address_t)initrd_mem, BYTES_TO_PAGES(params->ramdisk_size));

-+  if (linux_cmdline)

-+    grub_efi_free_pages((grub_efi_physical_address_t)linux_cmdline, BYTES_TO_PAGES(params->cmdline_size + 1));

-+  if (kernel_mem)

-+    grub_efi_free_pages((grub_efi_physical_address_t)kernel_mem, BYTES_TO_PAGES(kernel_size));

-+  if (params)

-+    grub_efi_free_pages((grub_efi_physical_address_t)params, BYTES_TO_PAGES(16384));

-+  return GRUB_ERR_NONE;

-+}

-+

-+static grub_err_t

-+grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

-+                 int argc, char *argv[])

-+{

-+  grub_file_t *files = 0;

-+  int i, nfiles = 0;

-+  grub_size_t size = 0;

-+  grub_uint8_t *ptr;

-+

-+  if (argc == 0)

-+    {

-+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-+      goto fail;

-+    }

-+

-+  if (!loaded)

-+    {

-+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("you need to load the kernel first"));

-+      goto fail;

-+    }

-+

-+  files = grub_zalloc (argc * sizeof (files[0]));

-+  if (!files)

-+    goto fail;

-+

-+  for (i = 0; i < argc; i++)

-+    {

-+      grub_file_filter_disable_compression ();

-+      files[i] = grub_file_open (argv[i]);

-+      if (! files[i])

-+        goto fail;

-+      nfiles++;

-+      size += ALIGN_UP (grub_file_size (files[i]), 4);

-+    }

-+

-+  initrd_mem = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(size));

-+

-+  if (!initrd_mem)

-+    {

-+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate initrd"));

-+      goto fail;

-+    }

-+

-+  params->ramdisk_size = size;

-+  params->ramdisk_image = (grub_uint32_t)(grub_uint64_t) initrd_mem;

-+

-+  ptr = initrd_mem;

-+

-+  for (i = 0; i < nfiles; i++)

-+    {

-+      grub_ssize_t cursize = grub_file_size (files[i]);

-+      if (grub_file_read (files[i], ptr, cursize) != cursize)

-+        {

-+          if (!grub_errno)

-+            grub_error (GRUB_ERR_FILE_READ_ERROR, N_("premature end of file %s"),

-+                        argv[i]);

-+          goto fail;

-+        }

-+      ptr += cursize;

-+      grub_memset (ptr, 0, ALIGN_UP_OVERHEAD (cursize, 4));

-+      ptr += ALIGN_UP_OVERHEAD (cursize, 4);

-+    }

-+

-+  params->ramdisk_size = size;

-+

-+ fail:

-+  for (i = 0; i < nfiles; i++)

-+    grub_file_close (files[i]);

-+  grub_free (files);

-+

-+  if (initrd_mem && grub_errno)

-+    grub_efi_free_pages((grub_efi_physical_address_t)initrd_mem, BYTES_TO_PAGES(size));

-+

-+  return grub_errno;

-+}

-+

-+static grub_err_t

-+grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

-+		int argc, char *argv[])

-+{

-+  grub_file_t file = 0;

-+  struct linux_kernel_header lh;

-+  grub_ssize_t len, start, filelen;

-+  void *kernel;

-+  grub_err_t fail_errno;

-+

-+  grub_dl_ref (my_mod);

-+

-+  if (argc == 0)

-+    {

-+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-+      goto fail;

-+    }

-+

-+  file = grub_file_open (argv[0]);

-+  if (! file)

-+    goto fail;

-+

-+  filelen = grub_file_size (file);

-+

-+  kernel = grub_malloc(filelen);

-+

-+  if (!kernel)

-+    {

-+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));

-+      goto fail;

-+    }

-+

-+  if (grub_file_read (file, kernel, filelen) != filelen)

-+    {

-+      grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), argv[0]);

-+      grub_free (kernel);

-+      goto fail;

-+    }

-+

-+  if (! grub_linuxefi_secure_validate (kernel, filelen))

-+    {

-+      grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"), argv[0]);

-+      grub_free (kernel);

-+      goto fail;

-+    }

-+

-+  grub_file_seek (file, 0);

-+

-+  grub_free(kernel);

-+

-+  params = grub_efi_allocate_pages_max (0x3fffffff, BYTES_TO_PAGES(16384));

-+

-+  if (! params)

-+    {

-+      grub_error (GRUB_ERR_OUT_OF_MEMORY, "cannot allocate kernel parameters");

-+      goto fail;

-+    }

-+

-+  memset (params, 0, 16384);

-+

-+  if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))

-+    {

-+      if (!grub_errno)

-+	grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),

-+		    argv[0]);

-+      goto fail;

-+    }

-+

-+  if (lh.boot_flag != grub_cpu_to_le16 (0xaa55))

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("invalid magic number"));

-+      goto fail;

-+    }

-+

-+  if (lh.setup_sects > GRUB_LINUX_MAX_SETUP_SECTS)

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("too many setup sectors"));

-+      goto fail;

-+    }

-+

-+  if (lh.version < grub_cpu_to_le16 (0x020b))

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));

-+      goto fail;

-+    }

-+

-+  if (!lh.handover_offset)

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("kernel doesn't support EFI handover"));

-+      goto fail;

-+    }

-+

-+  linux_cmdline = grub_efi_allocate_pages_max(0x3fffffff,

-+					 BYTES_TO_PAGES(lh.cmdline_size + 1));

-+

-+  if (!linux_cmdline)

-+    {

-+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate cmdline"));

-+      goto fail;

-+    }

-+

-+  grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));

-+  grub_create_loader_cmdline (argc, argv,

-+                              linux_cmdline + sizeof (LINUX_IMAGE) - 1,

-+			      lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1));

-+

-+  lh.cmd_line_ptr = (grub_uint32_t)(grub_uint64_t)linux_cmdline;

-+

-+  handover_offset = lh.handover_offset;

-+

-+  start = (lh.setup_sects + 1) * 512;

-+  len = grub_file_size(file) - start;

-+

-+  kernel_mem = grub_efi_allocate_pages(lh.pref_address,

-+				       BYTES_TO_PAGES(lh.init_size));

-+

-+  if (!kernel_mem)

-+    kernel_mem = grub_efi_allocate_pages_max(0x3fffffff,

-+					     BYTES_TO_PAGES(lh.init_size));

-+

-+  if (!kernel_mem)

-+    {

-+      grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("can't allocate kernel"));

-+      goto fail;

-+    }

-+

-+  if (grub_file_seek (file, start) == (grub_off_t) -1)

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),

-+		  argv[0]);

-+      goto fail;

-+    }

-+

-+  if (grub_file_read (file, kernel_mem, len) != len && !grub_errno)

-+    {

-+      grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),

-+		  argv[0]);

-+    }

-+

-+  if (grub_errno == GRUB_ERR_NONE)

-+    {

-+      grub_loader_set (grub_linuxefi_boot, grub_linuxefi_unload, 0);

-+      loaded = 1;

-+      lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem;

-+    }

-+

-+  memcpy(params, &lh, 2 * 512);

-+

-+  params->type_of_loader = 0x21;

-+

-+ fail:

-+  fail_errno = grub_errno;

-+  if (file)

-+    grub_file_close (file);

-+

-+  if (fail_errno != GRUB_ERR_NONE)

-+    {

-+      grub_dl_unref (my_mod);

-+      loaded = 0;

-+    }

-+

-+  if (linux_cmdline && !loaded)

-+    grub_efi_free_pages((grub_efi_physical_address_t)linux_cmdline, BYTES_TO_PAGES(lh.cmdline_size + 1));

-+

-+  if (kernel_mem && !loaded)

-+    grub_efi_free_pages((grub_efi_physical_address_t)kernel_mem, BYTES_TO_PAGES(kernel_size));

-+

-+  if (params && !loaded)

-+    grub_efi_free_pages((grub_efi_physical_address_t)params, BYTES_TO_PAGES(16384));

-+

-+  return fail_errno;

-+}

-+

-+static grub_command_t cmd_linux, cmd_initrd;

-+

-+GRUB_MOD_INIT(linuxefi)

-+{

-+  cmd_linux =

-+    grub_register_command ("linuxefi", grub_cmd_linux,

-+                           0, N_("Load Linux."));

-+  cmd_initrd =

-+    grub_register_command ("initrdefi", grub_cmd_initrd,

-+                           0, N_("Load initrd."));

-+  my_mod = mod;

-+}

-+

-+GRUB_MOD_FINI(linuxefi)

-+{

-+  grub_unregister_command (cmd_linux);

-+  grub_unregister_command (cmd_initrd);

-+}

-diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c

-index b15b8cc..fce1b45 100644

-+++ b/grub-core/loader/i386/linux.c

-@@ -75,6 +75,8 @@ static grub_size_t maximal_cmdline_size;

- static struct linux_kernel_params linux_params;

- static char *linux_cmdline;

- #ifdef GRUB_MACHINE_EFI

-+static int using_linuxefi;

-+static grub_command_t initrdefi_cmd;

- static grub_efi_uintn_t efi_mmap_size;

- #else

- static const grub_size_t efi_mmap_size = 0;

-@@ -689,6 +691,43 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

- 

-   grub_dl_ref (my_mod);

- 

-+#ifdef GRUB_MACHINE_EFI

-+  using_linuxefi = 0;

-+  if (grub_efi_secure_boot ())

-+    {

-+      /* Use linuxefi if SB is enabled, which will require a successful

-+         signature check and then hand over to the kernel without calling

-+         ExitBootServices.

-+         If that fails, however, DO NOT fall back to original 'linux'

-+         command which boots an unsigned kernel.  */

-+      grub_dl_t mod;

-+      grub_command_t linuxefi_cmd;

-+

-+      grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");

-+

-+      mod = grub_dl_load ("linuxefi");

-+      if (mod)

-+	{

-+	  grub_dl_ref (mod);

-+	  linuxefi_cmd = grub_command_find ("linuxefi");

-+	  initrdefi_cmd = grub_command_find ("initrdefi");

-+	  if (linuxefi_cmd && initrdefi_cmd)

-+	    {

-+	      (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);

-+	      if (grub_errno == GRUB_ERR_NONE)

-+		{

-+		  grub_dprintf ("linux", "Handing off to linuxefi\n");

-+		  using_linuxefi = 1;

-+		  return GRUB_ERR_NONE;

-+		}

-+	      grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);

-+	      grub_errno = GRUB_ERR_ACCESS_DENIED;

-+	    }

-+	}

-+      goto fail;

-+    }

-+#endif

-+

-   if (argc == 0)

-     {

-       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-@@ -1051,6 +1090,12 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),

-   grub_err_t err;

-   struct grub_linux_initrd_context initrd_ctx = { 0, 0, 0 };

- 

-+#ifdef GRUB_MACHINE_EFI

-+  /* If we're using linuxefi, just forward to initrdefi.  */

-+  if (using_linuxefi && initrdefi_cmd)

-+    return (initrdefi_cmd->func) (initrdefi_cmd, argc, argv);

-+#endif

-+

-   if (argc == 0)

-     {

-       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));

-diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h

-index e9c601f..62a3d97 100644

-+++ b/include/grub/efi/efi.h

-@@ -40,6 +40,9 @@ void EXPORT_FUNC(grub_efi_stall) (grub_efi_uintn_t microseconds);

- void *

- EXPORT_FUNC(grub_efi_allocate_pages) (grub_efi_physical_address_t address,

- 				      grub_efi_uintn_t pages);

-+void *

-+EXPORT_FUNC(grub_efi_allocate_pages_max) (grub_efi_physical_address_t max,

-+					  grub_efi_uintn_t pages);

- void EXPORT_FUNC(grub_efi_free_pages) (grub_efi_physical_address_t address,

- 				       grub_efi_uintn_t pages);

- int

-@@ -73,6 +76,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,

- 				     const grub_efi_guid_t *guid,

- 				     void *data,

- 				     grub_size_t datasize);

-+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);

- int

- EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,

- 					     const grub_efi_device_path_t *dp2);

-diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h

-index da0ca3b..fc36bda 100644

-+++ b/include/grub/i386/linux.h

-@@ -139,6 +139,7 @@ struct linux_kernel_header

-   grub_uint64_t setup_data;

-   grub_uint64_t pref_address;

-   grub_uint32_t init_size;

-+  grub_uint32_t handover_offset;

- } GRUB_PACKED;

- 

- /* Boot parameters for Linux based on 2.6.12. This is used by the setup

-2.8.1

-

deleted file mode 100644

@@ -1,104 +0,0 @@

-%define debug_package %{nil}

-%define __os_install_post %{nil}

-Summary:    GRand Unified Bootloader

-Name:       grub2-efi

-Version:    2.02

-Release:    8%{?dist}

-License:    GPLv3+

-URL:        http://www.gnu.org/software/grub

-Group:      Applications/System

-Vendor:     VMware, Inc.

-Distribution:   Photon

-Source0:    http://alpha.gnu.org/gnu/grub/grub-2.02~rc2.tar.xz

-%define sha1 grub=4f6f3719fd7dbb0449a58547c1b08c9801337663

-Patch0:     0001-Secure-Boot-support.patch

-BuildRequires:  device-mapper-devel

-BuildRequires:  xz-devel

-BuildRequires:  systemd-devel

-Requires:   xz

-Requires:   device-mapper

-%description

-The GRUB package contains the GRand Unified Bootloader.

-

-%package lang

-Summary: Additional language files for grub

-Group: System Environment/Programming

-Requires: grub2 >= 2.00

-%description lang

-These are the additional language files of grub.

-

-

-%prep

-%setup -qn grub-2.02~rc2

-%patch0 -p1

-%build

-./autogen.sh

-./configure \

-    --prefix=%{_prefix} \

-    --sbindir=/sbin \

-    --sysconfdir=%{_sysconfdir} \

-    --disable-grub-emu-usb \

-    --disable-werror \

-    --disable-efiemu \

-    --program-transform-name=s,grub,%{name}, \

-    --with-grubdir=grub2 \

-    --with-platform=efi \

-    --target=x86_64 \

-    --with-program-prefix="" \

-    --with-bootdir="/boot" 

-

-make %{?_smp_mflags}

-

-%install

-make DESTDIR=%{buildroot} install

-mkdir %{buildroot}%{_sysconfdir}/default

-touch %{buildroot}%{_sysconfdir}/default/grub

-mkdir %{buildroot}%{_sysconfdir}/sysconfig

-ln -sf %{_sysconfdir}/default/grub %{buildroot}%{_sysconfdir}/sysconfig/grub

-mkdir -p %{buildroot}/boot/%{name}

-touch %{buildroot}/boot/%{name}/grub.cfg

-rm -rf %{buildroot}%{_infodir}

-%post   -p /sbin/ldconfig

-%postun -p /sbin/ldconfig

-%files

-%defattr(-,root,root)

-%dir %{_sysconfdir}/grub.d

-%config() %{_sysconfdir}/bash_completion.d/grub

-%config() %{_sysconfdir}/grub.d/00_header

-%config() %{_sysconfdir}/grub.d/10_linux

-%config() %{_sysconfdir}/grub.d/20_linux_xen

-%config() %{_sysconfdir}/grub.d/30_os-prober

-%config() %{_sysconfdir}/grub.d/40_custom

-%config() %{_sysconfdir}/grub.d/41_custom

-%config() %{_sysconfdir}/grub.d/README

-/sbin/*

-%{_bindir}/*

-%{_libdir}/grub/*

-%{_datarootdir}/grub/*

-%{_sysconfdir}/sysconfig/grub

-%{_sysconfdir}/default/grub

-%ghost %config(noreplace) /boot/%{name}/grub.cfg

-

-%files lang

-%defattr(-,root,root)

-/usr/share/locale/*

-

-%changelog

-*   Thu May 4 2017 Alexey Makhalov <amakhalov@vmware.com>  2.02-8

--   linuxefi: free allocated memory on error.

-*   Fri Apr 14 2017 Alexey Makhalov <amakhalov@vmware.com>  2.02-7

--   Version update to 2.02~rc2

--   SecureBoot hardening: forbid unsigned vmlinuz image

-*   Wed Mar 22 2017 Alexey Makhalov <amakhalov@vmware.com>  2.02-6

--   Version update to 2.02~beta3

--   SecureBoot support

-*   Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com>  2.02-5

--   Add fix for CVE-2015-8370

-*   Fri Nov 18 2016 Anish Swaminathan <anishs@vmware.com>  2.02-4

--   Change systemd dependency

-*   Thu Oct 06 2016 ChangLee <changlee@vmware.com> 2.02-3

--   Modified %check

-*   Tue May 24 2016 Priyesh Padmavilasom <ppadmavilasom@vmware.com> 2.02-2

--   GA - Bump release of all rpms

-*   Fri Jul 31 2015 Sharath George <sharathg@vmware.com> 2.02-1

--   Adding EFI support.

new file mode 100644

@@ -0,0 +1,663 @@

+From e5d5e5a259a9827e4d6e41e49085f730c773c178 Mon Sep 17 00:00:00 2001

+From: Alexey Makhalov <amakhalov@vmware.com>

+Date: Tue, 10 Jul 2012 11:58:52 -0400

+Subject: [PATCH] Secure Boot support

+

+New commands: linuxefi, initrdefi

+If running under secure boot use linuxefi loader only and linux

+command is fallback to linuxefi.

+Forbid dl file loading (insmod and similar) when secure boot is enabled.

+---

+ grub-core/Makefile.core.def       |   8 +

+ grub-core/kern/dl.c               |  21 +++

+ grub-core/kern/efi/efi.c          |  30 +++

+ grub-core/kern/efi/mm.c           |  32 ++++

+ grub-core/loader/i386/efi/linux.c | 387 ++++++++++++++++++++++++++++++++++++++

+ grub-core/loader/i386/linux.c     |  45 +++++

+ include/grub/efi/efi.h            |   4 +

+ include/grub/i386/linux.h         |   1 +

+ 8 files changed, 528 insertions(+)

+ create mode 100644 grub-core/loader/i386/efi/linux.c

+

+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def

+index 2dfa22a..68e47a7 100644

+--- a/grub-core/Makefile.core.def

+@@ -1734,6 +1734,14 @@ module = {

+ };

+ 

+ module = {

++  name = linuxefi;

++  efi = loader/i386/efi/linux.c;

++  efi = lib/cmdline.c;

++  enable = i386_efi;

++  enable = x86_64_efi;

++};

++

++module = {

+   name = chain;

+   efi = loader/efi/chainloader.c;

+   i386_pc = loader/i386/pc/chainloader.c;

+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c

+index e394cd9..04e804d 100644

+--- a/grub-core/kern/dl.c

+@@ -38,6 +38,14 @@

+ #define GRUB_MODULES_MACHINE_READONLY

+ #endif

+ 

++#ifdef GRUB_MACHINE_EMU

++#include <sys/mman.h>

++#endif

++

++#ifdef GRUB_MACHINE_EFI

++#include <grub/efi/efi.h>

++#endif

++

+ 

+ 

+ #pragma GCC diagnostic ignored "-Wcast-align"

+@@ -686,6 +694,19 @@ grub_dl_load_file (const char *filename)

+   void *core = 0;

+   grub_dl_t mod = 0;

+ 

++#ifdef GRUB_MACHINE_EFI

++  if (grub_efi_secure_boot ())

++    {

++#if 0

++      /* This is an error, but grub2-mkconfig still generates a pile of

++       * insmod commands, so emitting it would be mostly just obnoxious. */

++      grub_error (GRUB_ERR_ACCESS_DENIED,

++		  "Secure Boot forbids loading module from %s", filename);

++#endif

++      return 0;

++    }

++#endif

++

+   grub_boot_time ("Loading module %s", filename);

+ 

+   file = grub_file_open (filename);

+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c

+index d467785..270eba8 100644

+--- a/grub-core/kern/efi/efi.c

+@@ -264,6 +264,36 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,

+   return NULL;

+ }

+ 

++grub_efi_boolean_t

++grub_efi_secure_boot (void)

++{

++  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;

++  grub_size_t datasize;

++  char *secure_boot = NULL;

++  char *setup_mode = NULL;

++  grub_efi_boolean_t ret = 0;

++

++  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);

++

++  if (datasize != 1 || !secure_boot)

++    goto out;

++

++  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);

++

++  if (datasize != 1 || !setup_mode)

++    goto out;

++

++  if (*secure_boot && !*setup_mode)

++    ret = 1;

++

++  grub_dprintf ("secureboot", "secure_boot = %d, setup_mode = %d\n",

++    *secure_boot, *setup_mode);

++ out:

++  grub_free (secure_boot);

++  grub_free (setup_mode);

++  return ret;

++}

++

+ #pragma GCC diagnostic ignored "-Wcast-align"

+