On Thu, Sep 19, 2024 at 5:33 PM Mate Kukri <mate.ku...@canonical.com> wrote:
>
> Signed-off-by: Mate Kukri <mate.ku...@canonical.com>
> ---
>  grub-core/kern/efi/sb.c      | 28 ++++++++++++++++++++++++++++
>  grub-core/loader/efi/linux.c | 12 +++++++-----
>  include/grub/efi/api.h       |  2 ++
>  include/grub/efi/sb.h        |  2 ++
>  4 files changed, 39 insertions(+), 5 deletions(-)
>
> diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
> index d3de39599..abe08db6f 100644
> --- a/grub-core/kern/efi/sb.c
> +++ b/grub-core/kern/efi/sb.c
> @@ -225,3 +225,31 @@ grub_shim_lock_verifier_setup (void)
>    grub_env_set ("shim_lock", "y");
>    grub_env_export ("shim_lock");
>  }
> +
> +int

Minor: why not use a boolean?

> +grub_efi_check_nx_required (void)
> +{
> +  int nx_required = 1; /* assume required, unless we can prove otherwise */
> +  grub_efi_status_t status;
> +  grub_size_t mok_policy_sz = 0;
> +  char *mok_policy = NULL;
> +  grub_uint32_t mok_policy_attrs = 0;
> +
> +  status = grub_efi_get_variable_with_attributes ("MokPolicy",
> +                                                 &(grub_guid_t) 
> GRUB_EFI_SHIM_LOCK_GUID,
> +                                                 &mok_policy_sz,
> +                                                 (void **)&mok_policy,
> +                                                 &mok_policy_attrs);
> +  if (status != GRUB_EFI_SUCCESS ||
> +      mok_policy_sz != 1 ||
> +      mok_policy == NULL ||
> +      mok_policy_attrs != GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS)
> +    goto out;
> +
> +  nx_required = !!(mok_policy[0] & GRUB_MOK_POLICY_NX_REQUIRED);
> +
> + out:
> +  grub_free (mok_policy);
> +
> +  return nx_required;
> +}
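Review bot: In grub_efi_check_nx_required a missing MokPolicy variable is treated exactly like a malformed one, so nx_required stays 1 whenever the lookup fails for any reason. Failing closed is right for a variable with the wrong size or attributes, but on a boot without shim, or with a shim that does not publish MokPolicy, the new check in grub_cmd_linux would presumably refuse every kernel that used to reach the legacy x86 loader. If absence is meant to mean "no policy", handle it first with `if (status == GRUB_EFI_NOT_FOUND) { nx_required = 0; goto out; }`; if it is meant to mean "required", say so in the comment on the initialiser. The exact-match attribute test also deserves a comment, for example `/* Trust only a boot-services-only variable; one with runtime access could be set from the OS. */`.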
> diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
> index d6860fdba..18a03d0c6 100644
> --- a/grub-core/loader/efi/linux.c
> +++ b/grub-core/loader/efi/linux.c
> @@ -473,21 +473,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ 
> ((unused)),
>
>    kernel_size = grub_file_size (file);
>
> -  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
>  #if !defined(__i386__) && !defined(__x86_64__)
> +  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
>      goto fail;
>  #else
> -    goto fallback;
> -
> -  if (!initrd_use_loadfile2)
> +  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE ||
> +      !initrd_use_loadfile2)
>      {
> +      /* We cannot use the legacy loader when NX is required */
> +      if (grub_efi_check_nx_required())

Minor, style: space after function name.

> +        goto fail;
> +
>        /*
>         * This is a EFI stub image but it is too old to implement the 
> LoadFile2
>         * based initrd loading scheme, and Linux/x86 does not support the DT
>         * based method either. So fall back to the x86-specific loader that
>         * enters Linux in EFI mode but without going through its EFI stub.
>         */
> -fallback:
>        grub_file_close (file);
>        return grub_cmd_linux_x86_legacy (cmd, argc, argv);
>      }
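Review bot: The new `goto fail` after grub_efi_check_nx_required can be reached when the header loaded fine and only `!initrd_use_loadfile2` is true, and in that case nothing on the visible lines records an error. The fail label is outside the hunk, but if it returns grub_errno the command could stop without telling the user why, or even look successful. Setting an error before the jump would fix that, for example `grub_error (GRUB_ERR_ACCESS_DENIED, N_("legacy x86 loader refused: NX is required"));` (message wording is a suggestion). That also leaves a clear trace when a boot is blocked by the NX policy rather than by a bad image.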
...

Frediano
