Create a gist now

Instantly share code, notes, and snippets.

@halmartin /quark-patch.patch
Last active Jan 24, 2017

Embed
What would you like to do?
Download ZIP
Raw
quark-patch.patch
--- a/work/efi/ia32/loader/linux.c 2017-01-24 22:11:35.266806622 +0000
+++ b/work/efi/ia32/loader/linux.c 2017-01-24 22:14:19.473474756 +0000
@@ -401,21 +401,9 @@
goto fail1;
}
- if (grub_quark_secure)
- {
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_KERNEL_CSBH, kernel, &quark_sbh))
- {
- if(ERR_FILE_NOT_FOUND == errnum
- && ! grub_quark_linux_spi)
- errnum = ERR_SGN_FILE_NOT_FOUND;
- goto fail1;
- }
- sbh_len = quark_sbh.security_header.header_len;
- }
-
if (! grub_quark_asset_open (GRUB_QUARK_ASSET_KERNEL, kernel))
goto fail1;
-
+
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL, (grub_uint8_t *) &params_buf, sizeof (params_buf))
!= sizeof (params_buf))
{
@@ -458,24 +446,7 @@
img_size = grub_quark_asset_size (GRUB_QUARK_ASSET_KERNEL);
real_size = 0x1000 + grub_strlen(arg);
- /* Grub allocates distinct memory regions for the so-called "real mode" and
- "protected mode" portions of bzImage. The linux entry point is located
- at the base address of the protected mode section
- (GRUB_LINUX_BZIMAGE_ADDR).
- In order to perform signature verification, Quark secure boot requires
- the whole bzImage to be allocated contiguously, with its CSBH prepended.
- Consequently, the signed image is placed in a contiguous region starting
- from GRUB_LINUX_BZIMAGE_ADDR, and the entry point offset is updated
- accordingly. */
- if (grub_quark_secure)
- {
- prot_size = img_size + sbh_len;
- code32_start_offs += (setup_sects << SECTOR_BITS) + SECTOR_SIZE
- + sbh_len;
- }
-
- else
- prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE;
+ prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE;
if (! allocate_pages (real_size, prot_size))
goto fail;
@@ -640,17 +611,7 @@
grub_stpcpy ((char *) real_mode_mem + CMDLINE_OFFS,
grub_quark_linux_spi ? arg : skip_to (0, arg));
- /* If Quark secure boot path, copy over CSBH + bzImage into "protected
- mode" section. */
- if (grub_quark_secure)
- {
- grub_quark_asset_seek (0);
- prot_size -= sbh_len;
- grub_memcpy (prot_mode_mem, &quark_sbh, sizeof (quark_sbh));
- prot_mode_offs += sbh_len;
- }
- else
- grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE);
+ grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE);
len = prot_size;
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL,
@@ -662,13 +623,6 @@
goto fail;
}
- /* Verify the kernel signature. */
- if (grub_quark_secure &&
- ! grub_quark_verify_asset_signature ((grub_uint8_t *) prot_mode_mem))
- {
- errnum = ERR_QUARK_VERIFICATION;
- }
-
if (errnum == ERR_NONE)
{
loaded = 1;
@@ -718,28 +672,8 @@
goto fail1;
}
-
- if (grub_quark_secure)
- {
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_INITRD_CSBH, initrd, &quark_sbh))
- {
- if (ERR_FILE_NOT_FOUND == errnum
- && ! grub_quark_initrd_spi)
- errnum = ERR_SGN_FILE_NOT_FOUND;
- goto fail1;
- }
- sbh_len = quark_sbh.security_header.header_len;
- }
-
- if (! grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd))
- goto fail1;
-
size = grub_quark_asset_size (GRUB_QUARK_ASSET_INITRD);
- /* If Quark secure boot, make room for CSBH (dedicated page). */
- if (grub_quark_secure)
- size += PAGE_SIZE;
-
initrd_pages = (page_align (size) >> 12);
params = (struct linux_kernel_params *) real_mode_mem;
@@ -808,26 +742,6 @@
grub_fatal ("cannot allocate pages: %x@%x", (unsigned) initrd_pages,
(unsigned) addr);
- /*
- Quark secure boot requires the CSBH to be prepended to the Initrd.
- Since Linux requires the Initrd to be page-aligned, do the following:
- 1. copy Initrd to the 2nd allocated page
- 2. copy the CSBH to the 1st allocated page at an offset such that
- CSBH and Initrd are adjacent
- */
- if (grub_quark_secure)
- {
- /*
- We're using the first page here to populate the CSBH, so subtract the
- previously added page, copy CSBH and offset the initrd start address.
- */
- size -= PAGE_SIZE;
- grub_memcpy ((grub_uint8_t *) initrd_mem + PAGE_SIZE - sbh_len,
- &quark_sbh, sizeof (quark_sbh));
- initrd_mem = (grub_uint8_t *) initrd_mem + PAGE_SIZE;
- addr += PAGE_SIZE;
- }
-
if (grub_quark_asset_read (GRUB_QUARK_ASSET_INITRD, initrd_mem, size) != size)
{
errnum = ERR_EXEC_FORMAT;
@@ -839,21 +753,6 @@
grub_quark_initrd_spi ? " SPI" : "",
(unsigned int) addr, (unsigned int) size);
- if (grub_quark_secure)
- {
- /* Verify the initrd signature. */
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *)
- initrd_mem - sbh_len))
- {
- errnum = ERR_QUARK_VERIFICATION;
- goto fail;
- }
-
- /* Free up page allocated to CSBH. */
- grub_efi_free_pages ((grub_addr_t)
- ((grub_uint8_t *) initrd_mem - PAGE_SIZE), 1);
- }
-
params->hdr.ramdisk_image = addr;
params->hdr.ramdisk_size = size;
--- a/work/efi/quark/boot_settings.c 2017-01-24 22:11:35.266806622 +0000
+++ b/work/efi/quark/boot_settings.c 2017-01-24 22:17:56.046810025 +0000
@@ -181,17 +181,6 @@
return;
}
- if (grub_quark_secure)
- {
- sbh = (struct grub_quark_sbh *)cfg_buffer;
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_CONFIG_CSBH, config_file, sbh))
- {
- errnum = ERR_SGN_FILE_NOT_FOUND;
- return;
- }
- sbh_len = sbh->security_header.header_len;
- }
-
/* Reopen Grub config. (Grub supports a single file instance at a time) */
if (! do_open_config(source))
{
@@ -223,13 +212,4 @@
return;
}
- if (grub_quark_secure)
- {
- /* Validate configuration file. */
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *) cfg_buffer))
- errnum = ERR_QUARK_VERIFICATION;
-
- /* Mask out the CSBH to the configuration file parser. */
- *cfg_file_buffer += sbh_len;
- }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment