New upstream release candidate (2.04~rc1)
1 From 07aa820944e43e3e01a4ce9fcadd907e6986df73 Mon Sep 17 00:00:00 2001
2 From: Matthew Garrett <mjg59@google.com>
3 Date: Wed, 5 Dec 2018 15:07:21 -0800
4 Subject: Don't enforce Shim signature validation if Secure Boot is disabled
5
6 The linuxefi command fails if used on a system without shim, even if
7 Secure Boot is disabled. There's no need to do the validation if we're
8 not in Secure Boot mode (an attacker could just boot a modified grub),
9 so skip this to make it easier to use the Linux EFI entry point even on
10 non-Secure Boot systems.
11
12 Last-Update: 2018-12-07
13
14 Patch-Name: linuxefi-skip-validation-without-secure-boot.patch
15 ---
16 grub-core/loader/i386/efi/linux.c | 6 ++++++
17 1 file changed, 6 insertions(+)
18
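--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -59,6 +59,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
 grub_efi_shim_lock_t *shim_lock;
 grub_efi_status_t status;
 
+ if (! grub_efi_secure_boot())
+ {
+ grub_dprintf ("linuxefi", "secure boot not enabled, not validating");
+ return 1;
+ }
+
 grub_dprintf ("linuxefi", "Locating shim protocol\n");
 shim_lock = grub_efi_locate_protocol(&guid, NULL);
 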
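Review bot: The early `return 1` added at the top of grub_linuxefi_secure_validate appears to be the same value the function uses for a successful shim verification, so a caller cannot tell "verified" from "verification skipped". The bypass is only as sound as grub_efi_secure_boot(), which is not visible in this hunk. If that helper reports "disabled" when the firmware variables cannot be read, this path fails open on a machine that is actually enforcing Secure Boot, so that behaviour is worth confirming. I would record the contract next to the check with a comment such as `/* Secure Boot off: nothing to enforce; 1 here means "not checked", not "verified" */`. The new debug string also lacks the trailing newline that the neighbouring call has: `grub_dprintf ("linuxefi", "secure boot not enabled, not validating\n");`. The function body starts and ends outside the hunk.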