efi: Fallback to legacy mode if shim is loaded on x86 archs

Daniel Kiper · Daniel Kiper · commit 6425c12cd77a · 2023-07-03T14:29:22.000+02:00
The LoadImage() provided by the shim does not consult MOK when loading
an image. So, simply signature verification fails when it should not.
This means we cannot use Linux EFI stub to start the kernel when the
shim is loaded. We have to fallback to legacy mode on x86 architectures.
This is not possible on other architectures due to lack of legacy mode.

This is workaround which should disappear when the shim provides
LoadImage() which looks up MOK during signature verification.

On the occasion align constants in include/grub/efi/sb.h.

Signed-off-by: Daniel Kiper &lt;daniel.kiper@oracle.com&gt;
Reviewed-by: Ard Biesheuvel &lt;ardb@kernel.org&gt;
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
@@ -32,6 +32,8 @@
 
 static grub_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
 
+static bool shim_lock_enabled = false;
+
 /*
  * Determine whether we're in secure boot mode.
  *
@@ -215,6 +217,14 @@ grub_shim_lock_verifier_setup (void)
   /* Enforce shim_lock_verifier. */
   grub_verifier_register (&shim_lock_verifier);
 
+  shim_lock_enabled = true;
+
   grub_env_set ("shim_lock", "y");
   grub_env_export ("shim_lock");
 }
+
+bool
+grub_is_shim_lock_enabled (void)
+{
+  return shim_lock_enabled;
+}
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
@@ -29,6 +29,7 @@
 #include <grub/efi/fdtload.h>
 #include <grub/efi/memory.h>
 #include <grub/efi/pe32.h>
+#include <grub/efi/sb.h>
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/verify.h>
@@ -458,6 +459,22 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
 
   grub_dl_ref (my_mod);
 
+  if (grub_is_shim_lock_enabled () == true)
+    {
+#if defined(__i386__) || defined(__x86_64__)
+      grub_dprintf ("linux", "shim_lock enabled, falling back to legacy Linux kernel loader\n");
+
+      err = grub_cmd_linux_x86_legacy (cmd, argc, argv);
+
+      if (err == GRUB_ERR_NONE)
+	return GRUB_ERR_NONE;
+      else
+	goto fail;
+#else
+      grub_dprintf ("linux", "shim_lock enabled, trying Linux kernel EFI stub loader\n");
+#endif
+    }
+
   if (argc == 0)
     {
       grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
@@ -22,7 +22,7 @@
 #include <grub/types.h>
 #include <grub/dl.h>
 
-#define GRUB_EFI_SECUREBOOT_MODE_UNSET	0
+#define GRUB_EFI_SECUREBOOT_MODE_UNSET		0
 #define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN	1
 #define GRUB_EFI_SECUREBOOT_MODE_DISABLED	2
 #define GRUB_EFI_SECUREBOOT_MODE_ENABLED	3
@@ -31,6 +31,9 @@
 extern grub_uint8_t
 EXPORT_FUNC (grub_efi_get_secureboot) (void);
 
+extern bool
+EXPORT_FUNC (grub_is_shim_lock_enabled) (void);
+
 extern void
 grub_shim_lock_verifier_setup (void);
 #else
