Re: UEFI Secureboot not succeeding with Grub 2.06 and later version
Hi Sayanta, Sorry for late reply but I am just recovering after vacation... CC-ing Javier, Dimitri, Peter and Leif. On Thu, Jul 01, 2021 at 03:23:03PM +, Sayanta Pattanayak wrote: > Hi All, > I am new to grub and UEFI secure boot and so a beginners question. > UEFI secureboot on a Arm64 platform works fine with Grub 2.04 version. > The linux kernel image is authenticated and loaded. But the same with > Grub 2.06 version does not progress - following error messages are > displayed. > > error: shim_lock protocol not found. > error: you need to load the kernel first. > > With reference of > "https://www.mail-archive.com/help-grub@gnu.org/msg05375.html";, > created Grub image with "--disable-shim-lock" option. This change > solved the "shim_lock" error but then the following error message > started appearing- > > error: verification requested but nobody cares: /Image. > error: you need to load the kernel first. > Press any key to continue... > > A large set of patches addressing bootHole vulnerability > (https://lists.gnu.org/archive/html/grub-devel/2021-03/msg7.html) > have been merged in the Grub 2.06 version. Does this change the way > images are signed or is there any other change introduced that > required UEFI secure boot to be handled differently on the platform. > > Request any suggestion that would help validate UEFI secure boot with > Grub 2.06 and later version. Do you use GRUB 2.06 upstream or a Linux distribution variant? If upstream could you provide us commands used to build the GRUB and console output when debug is enabled, i.e. "set debug=all"? Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] fs/ext2: Ignore checksum seed incompat feature support
On Fri, Jun 11, 2021 at 09:36:16PM +0200, Javier Martinez Canillas wrote: > This incompat feature is used to denote that the filesystem stored its > metadata checksum seed in the superblock. This is used to allow tune2fs > to change the UUID on a mounted metadata_csum filesystem without having > to rewrite all the disk metadata. > > But GRUB doesn't use the metadata checksum in anyway, so can just ignore > this feature if is enabled. This is consistent with GRUB filesystem code > in general which just does a best effort to access the filesystem's data. > > It may be removed from the ignored list in the future if supports to do > metadata checksumming verification is added to the read-only FS driver. > > Suggested-by: Eric Sandeen > Suggested-by: Lukas Czerner > Signed-off-by: Javier Martinez Canillas Reviewed-by: Daniel Kiper Daniel ___ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH 1/2] templates: Check for EFI at runtime instead of config generation time
On Tue, Jul 06, 2021 at 11:02:14AM +0200, Javier Martinez Canillas wrote:
> The 30_uefi-firmware template checks if an OsIndicationsSupported UEFI var
> exists and EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, to decide whether
> a "fwsetup" menu entry would be added or not to the GRUB menu.
>
> But this has the problem that it will only work if the configuration file
> was created on an UEFI machine that supports booting to a firmware UI.
>
> This for example doesn't support creating GRUB config files when executing
> on systems that support both UEFI and legacy BIOS booting. Since creating
> the config file from legacy BIOS wouldn't allow to access the firmware UI.
>
> To prevent this, make the template to unconditionally create the grub.cfg
> snippet but check at runtime if was booted through UEFI to decide if this
> entry should be added. That way it won't be added when booting with BIOS.
>
> There's no need to check if EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set,
> since that's already done by the "fwsetup" command when is executed.
>
> Signed-off-by: Javier Martinez Canillas
> ---
>
> util/grub.d/30_uefi-firmware.in | 21 -
> 1 file changed, 8 insertions(+), 13 deletions(-)
>
> diff --git a/util/grub.d/30_uefi-firmware.in b/util/grub.d/30_uefi-firmware.in
> index d344d3883d7..b6041b55e2a 100644
> --- a/util/grub.d/30_uefi-firmware.in
> +++ b/util/grub.d/30_uefi-firmware.in
> @@ -26,19 +26,14 @@ export TEXTDOMAINDIR="@localedir@"
>
> . "$pkgdatadir/grub-mkconfig_lib"
>
> -EFI_VARS_DIR=/sys/firmware/efi/efivars
> -EFI_GLOBAL_VARIABLE=8be4df61-93ca-11d2-aa0d-00e098032b8c
> -OS_INDICATIONS="$EFI_VARS_DIR/OsIndicationsSupported-$EFI_GLOBAL_VARIABLE"
> +LABEL="UEFI Firmware Settings"
>
> -if [ -e "$OS_INDICATIONS" ] && \
> - [ "$(( $(printf 0x%x \'"$(cat $OS_INDICATIONS | cut -b5)"\') & 1 ))" = 1
> ]; then
> - LABEL="UEFI Firmware Settings"
> +gettext_printf "Adding boot menu entry for UEFI Firmware Settings ...\n" >&2
>
> - gettext_printf "Adding boot menu entry for UEFI Firmware Settings ...\n"
> >&2
> -
> - cat << EOF
> -menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' {
> - fwsetup
> -}
> -EOF
> +cat << EOF
> +if [ "\$grub_platform" = "efi" ]; then
> + menuentry '$LABEL' \$menuentry_id_option 'uefi-firmware' {
> + fwsetup
> + }
Should not we go further and enable this menu entry only if (UEFI)
firmware settings are available? Of course this requires exporting
relevant information to the GRUB shell.
Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH 2/2] efi: Print an error if boot to firmware setup is not supported
On Tue, Jul 06, 2021 at 11:02:15AM +0200, Javier Martinez Canillas wrote:
> The "fwsetup" command is only registered if the firmware supports booting
> to the firmware setup UI. But it could be possible that the GRUB config
> already contains a "fwsetup" entry, because it was generated in a machine
> that has support for this feature.
>
> To prevent users getting a "can't find command `fwsetup`" error if it is
> not supported by the firmware, let's just always register the command but
> print a more accurate message if the firmware doesn't support this option.
>
> Signed-off-by: Javier Martinez Canillas
> ---
>
> grub-core/commands/efi/efifwsetup.c | 43 +++--
> 1 file changed, 23 insertions(+), 20 deletions(-)
>
> diff --git a/grub-core/commands/efi/efifwsetup.c
> b/grub-core/commands/efi/efifwsetup.c
> index eaca0328388..328c45e82e0 100644
> --- a/grub-core/commands/efi/efifwsetup.c
> +++ b/grub-core/commands/efi/efifwsetup.c
> @@ -27,6 +27,25 @@
>
> GRUB_MOD_LICENSE ("GPLv3+");
>
> +static grub_efi_boolean_t
> +efifwsetup_is_supported (void)
> +{
> + grub_efi_uint64_t *os_indications_supported = NULL;
> + grub_size_t oi_size = 0;
> + grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
static grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
AFAICT this should generate smaller code. Hmmm... I think we should add
a preparatory patch which changes all GUID assignments like that one to
"static". Could you do that?
> + grub_efi_get_variable ("OsIndicationsSupported", &global, &oi_size,
> + (void **) &os_indications_supported);
> +
> + if (!os_indications_supported)
> +return 0;
> +
> + if (*os_indications_supported & GRUB_EFI_OS_INDICATIONS_BOOT_TO_FW_UI)
> +return 1;
> +
grub_free(os_indications_supported) call is missing in this function.
So, we need an additional patch which fixes this up front.
> + return 0;
> +}
> +
> static grub_err_t
> grub_cmd_fwsetup (grub_command_t cmd __attribute__ ((unused)),
> int argc __attribute__ ((unused)),
> @@ -38,6 +57,10 @@ grub_cmd_fwsetup (grub_command_t cmd __attribute__
> ((unused)),
>grub_size_t oi_size;
>grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
>
> + if (!efifwsetup_is_supported ())
> + return grub_error (GRUB_ERR_INVALID_COMMAND,
> + N_("Reboot to firmware setup is not supported"));
Most error messages start with lower case. Please fix this.
Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
Re: [PATCH] Adjust deprecated QEMU device name.
On Sun, Jun 13, 2021 at 03:11:51PM +0200, Marius Bakke wrote:
> The 'ide-drive' device was removed in QEMU 6.0.
Could you add your Signed-off-by?
> * tests/ahci_test.in (outfile): s/ide-drive/ide-hd/
Please drop this.
> ---
> tests/ahci_test.in | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/tests/ahci_test.in b/tests/ahci_test.in
> index 7df560462..d844fe680 100644
> --- a/tests/ahci_test.in
> +++ b/tests/ahci_test.in
> @@ -41,7 +41,7 @@ echo "hello" > "$outfile"
>
> tar cf "$imgfile" "$outfile"
>
> -if [ "$(echo "nativedisk; source '(ahci0)/$outfile';" | "${grubshell}"
> --qemu-opts="-drive id=disk,file=$imgfile,if=none -device ahci,id=ahci
> -device ide-drive,drive=disk,bus=ahci.0 " | tail -n 1)" != "Hello World" ];
> then
> +if [ "$(echo "nativedisk; source '(ahci0)/$outfile';" | "${grubshell}"
> --qemu-opts="-drive id=disk,file=$imgfile,if=none -device ahci,id=ahci
> -device ide-hd,drive=disk,bus=ahci.0 " | tail -n 1)" != "Hello World" ]; then
Is it possible to check QEMU version here and use correct variant then?
Daniel
___
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
