@halmartin
Last active January 24, 2017 22:16
--- a/work/efi/ia32/loader/linux.c 2017-01-24 22:11:35.266806622 +0000
+++ b/work/efi/ia32/loader/linux.c 2017-01-24 22:14:19.473474756 +0000
@@ -401,21 +401,9 @@
goto fail1;
}
- if (grub_quark_secure)
- {
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_KERNEL_CSBH, kernel, &quark_sbh))
- {
- if(ERR_FILE_NOT_FOUND == errnum
- && ! grub_quark_linux_spi)
- errnum = ERR_SGN_FILE_NOT_FOUND;
- goto fail1;
- }
- sbh_len = quark_sbh.security_header.header_len;
- }
-
if (! grub_quark_asset_open (GRUB_QUARK_ASSET_KERNEL, kernel))
goto fail1;
-
+
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL, (grub_uint8_t *) &params_buf, sizeof (params_buf))
!= sizeof (params_buf))
{
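Review bot: With the CSBH fetch removed here, the kernel opened at `grub_quark_asset_open (GRUB_QUARK_ASSET_KERNEL, kernel)` is loaded and booted with no integrity check, and the same applies to the initrd and the config file in the later hunks of this file and in boot_settings.c (the verification calls removed around `grub_quark_verify_asset_signature` are not replaced by anything). The `grub_quark_secure` flag still exists elsewhere in the code, so a reader will assume secure mode is honoured when it no longer is; if this is the intended behaviour, say so where the asset is opened, e.g. `/* NOTE: no CSBH is fetched and no signature is checked here; the image is loaded unauthenticated regardless of grub_quark_secure. */`. The declarations of `quark_sbh` and `sbh_len` are outside these hunks; if they remain, they are now presumably unused in this function and will warn under -Wall. The enclosing function starts and ends outside this hunk.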
@@ -458,24 +446,7 @@
img_size = grub_quark_asset_size (GRUB_QUARK_ASSET_KERNEL);
real_size = 0x1000 + grub_strlen(arg);
- /* Grub allocates distinct memory regions for the so-called "real mode" and
- "protected mode" portions of bzImage. The linux entry point is located
- at the base address of the protected mode section
- (GRUB_LINUX_BZIMAGE_ADDR).
- In order to perform signature verification, Quark secure boot requires
- the whole bzImage to be allocated contiguously, with its CSBH prepended.
- Consequently, the signed image is placed in a contiguous region starting
- from GRUB_LINUX_BZIMAGE_ADDR, and the entry point offset is updated
- accordingly. */
- if (grub_quark_secure)
- {
- prot_size = img_size + sbh_len;
- code32_start_offs += (setup_sects << SECTOR_BITS) + SECTOR_SIZE
- + sbh_len;
- }
-
- else
- prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE;
+ prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE;
if (! allocate_pages (real_size, prot_size))
goto fail;
@@ -640,17 +611,7 @@
grub_stpcpy ((char *) real_mode_mem + CMDLINE_OFFS,
grub_quark_linux_spi ? arg : skip_to (0, arg));
- /* If Quark secure boot path, copy over CSBH + bzImage into "protected
- mode" section. */
- if (grub_quark_secure)
- {
- grub_quark_asset_seek (0);
- prot_size -= sbh_len;
- grub_memcpy (prot_mode_mem, &quark_sbh, sizeof (quark_sbh));
- prot_mode_offs += sbh_len;
- }
- else
- grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE);
+ grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE);
len = prot_size;
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL,
@@ -662,13 +623,6 @@
goto fail;
}
- /* Verify the kernel signature. */
- if (grub_quark_secure &&
- ! grub_quark_verify_asset_signature ((grub_uint8_t *) prot_mode_mem))
- {
- errnum = ERR_QUARK_VERIFICATION;
- }
-
if (errnum == ERR_NONE)
{
loaded = 1;
@@ -718,28 +672,8 @@
goto fail1;
}
-
- if (grub_quark_secure)
- {
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_INITRD_CSBH, initrd, &quark_sbh))
- {
- if (ERR_FILE_NOT_FOUND == errnum
- && ! grub_quark_initrd_spi)
- errnum = ERR_SGN_FILE_NOT_FOUND;
- goto fail1;
- }
- sbh_len = quark_sbh.security_header.header_len;
- }
-
- if (! grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd))
- goto fail1;
-
size = grub_quark_asset_size (GRUB_QUARK_ASSET_INITRD);
- /* If Quark secure boot, make room for CSBH (dedicated page). */
- if (grub_quark_secure)
- size += PAGE_SIZE;
-
initrd_pages = (page_align (size) >> 12);
params = (struct linux_kernel_params *) real_mode_mem;
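Review bot: The deletion in this hunk also drops the unconditional `grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd)` call, which was outside the `if (grub_quark_secure)` block, while `grub_quark_asset_size (GRUB_QUARK_ASSET_INITRD)` on the next kept line and `grub_quark_asset_read (GRUB_QUARK_ASSET_INITRD, ...)` in the following hunk still operate on that asset. Unless the open call was moved somewhere outside this hunk, the initrd is now sized and read without ever being opened; the kernel path in the first hunk kept its matching open call, so the two paths are inconsistent. Restore the two lines before the size call: `if (! grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd))` / `goto fail1;`. The enclosing function starts and ends outside this hunk.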
@@ -808,26 +742,6 @@
grub_fatal ("cannot allocate pages: %x@%x", (unsigned) initrd_pages,
(unsigned) addr);
- /*
- Quark secure boot requires the CSBH to be prepended to the Initrd.
- Since Linux requires the Initrd to be page-aligned, do the following:
- 1. copy Initrd to the 2nd allocated page
- 2. copy the CSBH to the 1st allocated page at an offset such that
- CSBH and Initrd are adjacent
- */
- if (grub_quark_secure)
- {
- /*
- We're using the first page here to populate the CSBH, so subtract the
- previously added page, copy CSBH and offset the initrd start address.
- */
- size -= PAGE_SIZE;
- grub_memcpy ((grub_uint8_t *) initrd_mem + PAGE_SIZE - sbh_len,
- &quark_sbh, sizeof (quark_sbh));
- initrd_mem = (grub_uint8_t *) initrd_mem + PAGE_SIZE;
- addr += PAGE_SIZE;
- }
-
if (grub_quark_asset_read (GRUB_QUARK_ASSET_INITRD, initrd_mem, size) != size)
{
errnum = ERR_EXEC_FORMAT;
@@ -839,21 +753,6 @@
grub_quark_initrd_spi ? " SPI" : "",
(unsigned int) addr, (unsigned int) size);
- if (grub_quark_secure)
- {
- /* Verify the initrd signature. */
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *)
- initrd_mem - sbh_len))
- {
- errnum = ERR_QUARK_VERIFICATION;
- goto fail;
- }
-
- /* Free up page allocated to CSBH. */
- grub_efi_free_pages ((grub_addr_t)
- ((grub_uint8_t *) initrd_mem - PAGE_SIZE), 1);
- }
-
params->hdr.ramdisk_image = addr;
params->hdr.ramdisk_size = size;
--- a/work/efi/quark/boot_settings.c 2017-01-24 22:11:35.266806622 +0000
+++ b/work/efi/quark/boot_settings.c 2017-01-24 22:17:56.046810025 +0000
@@ -181,17 +181,6 @@
return;
}
- if (grub_quark_secure)
- {
- sbh = (struct grub_quark_sbh *)cfg_buffer;
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_CONFIG_CSBH, config_file, sbh))
- {
- errnum = ERR_SGN_FILE_NOT_FOUND;
- return;
- }
- sbh_len = sbh->security_header.header_len;
- }
-
/* Reopen Grub config. (Grub supports a single file instance at a time) */
if (! do_open_config(source))
{
@@ -223,13 +212,4 @@
return;
}
- if (grub_quark_secure)
- {
- /* Validate configuration file. */
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *) cfg_buffer))
- errnum = ERR_QUARK_VERIFICATION;
-
- /* Mask out the CSBH to the configuration file parser. */
- *cfg_file_buffer += sbh_len;
- }
}