[PATCH v3 3/5] efi/sb: Add API for retrieving shim loader image handles

Tue, 01 Apr 2025 03:28:21 -0700 

Not reusing these handles will result in image measurements showing up
twice in the event log.

Signed-off-by: Mate Kukri <mate.ku...@canonical.com>
---
 grub-core/kern/efi/sb.c | 16 ++++++++++++++++
 include/grub/efi/sb.h   |  4 ++++
 2 files changed, 20 insertions(+)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 34ba323ee..6c4dd5f85 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -36,6 +36,8 @@ static grub_guid_t shim_loader_guid = 
GRUB_EFI_SHIM_IMAGE_LOADER_GUID;
 static grub_efi_loader_t *shim_loader = NULL;
 static grub_efi_shim_lock_protocol_t *shim_lock = NULL;
 
+static grub_efi_handle_t last_verified_image_handle;
+
 /*
  * Determine whether we're in secure boot mode.
  *
@@ -181,10 +183,16 @@ shim_lock_verifier_write (void *context __attribute__ 
((unused)), void *buf, gru
 
   if (shim_loader)
     {
+      if (last_verified_image_handle)
+        {
+          shim_loader->unload_image (last_verified_image_handle);
+          last_verified_image_handle = NULL;
+        }
 
       if (shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, 
size, &image_handle) != GRUB_EFI_SUCCESS)
         return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
 
+      last_verified_image_handle = image_handle;
       return GRUB_ERR_NONE;
     }
   if (shim_lock)
@@ -242,3 +250,11 @@ grub_is_using_legacy_shim_lock_protocol (void)
 {
   return !shim_loader && shim_lock;
 }
+
+grub_efi_handle_t
+grub_efi_get_last_verified_image_handle (void)
+{
+  grub_efi_handle_t tmp = last_verified_image_handle;
+  last_verified_image_handle = NULL;
+  return tmp;
+}
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 4cae88376..149005ced 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -21,6 +21,7 @@
 
 #include <grub/types.h>
 #include <grub/dl.h>
+#include <grub/efi/api.h>
 
 #define GRUB_EFI_SECUREBOOT_MODE_UNSET         0
 #define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN       1
@@ -34,6 +35,9 @@ EXPORT_FUNC (grub_efi_get_secureboot) (void);
 extern bool
 EXPORT_FUNC (grub_is_using_legacy_shim_lock_protocol) (void);
 
+extern grub_efi_handle_t
+EXPORT_FUNC (grub_efi_get_last_verified_image_handle) (void);
+
 extern void
 grub_shim_lock_verifier_setup (void);
 #else
-- 
2.39.5


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to