Re: [PATCH 5/8] efi: Get the secure boot status [ver #6]

From: Matt Fleming
Date: Fri Jan 27 2017 - 09:03:20 EST

On Mon, 23 Jan, at 10:11:43PM, David Howells wrote:
> Matt Fleming <matt@xxxxxxxxxxxxxxxxxxx> wrote:
> > > (4) extract_kernel() calls sanitize_boot_params() which would otherwise clear
> > > the secure-boot flag.
> >
> > The ->sentinel flag should be clear (because you zero'd boot_params on
> > alloc), so the code inside of sanitize_boot_params() should never
> > trigger for the secure boot case.
> But it *does* trigger, otherwise I wouldn't've noticed this.

This looks like it's triggered because of a grub2 bug, if I'm reading
the code correctly (big if).

grub2 memcpy()'s 1024 bytes from the start of kernel image header into
the allocated (and zeroed) boot_params object. Unfortunately, it
should only be copying the second 512-byte chunk, not the first too.

The boot loader should only fill out those fields in the first 512
bytes that it understands. Everything else should be zero, which
allows us to add fields (and give them default non-zero values in the
header) in the future without breaking old boot loaders.

Something like this might fix it (not compiled tested). Could one of
the grub2 folks take a look?


diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 010bf98..fe5771e 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -269,7 +269,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),

lh.code32_start = (grub_uint32_t)(grub_uint64_t) kernel_mem;
- grub_memcpy (params, &lh, 2 * 512);
+ grub_memcpy (params, (grub_uint8_t *)&lh[512], 512);

params->type_of_loader = 0x21;