--- a/work/efi/ia32/loader/linux.c 2017-01-24 22:11:35.266806622 +0000 | |
+++ b/work/efi/ia32/loader/linux.c 2017-01-24 22:14:19.473474756 +0000 | |
@@ -401,21 +401,9 @@ | |
goto fail1; | |
} | |
- if (grub_quark_secure) | |
- { | |
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_KERNEL_CSBH, kernel, &quark_sbh)) | |
- { | |
- if(ERR_FILE_NOT_FOUND == errnum | |
- && ! grub_quark_linux_spi) | |
- errnum = ERR_SGN_FILE_NOT_FOUND; | |
- goto fail1; | |
- } | |
- sbh_len = quark_sbh.security_header.header_len; | |
- } | |
- | |
if (! grub_quark_asset_open (GRUB_QUARK_ASSET_KERNEL, kernel)) | |
goto fail1; | |
- | |
+ | |
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL, (grub_uint8_t *) ¶ms_buf, sizeof (params_buf)) | |
!= sizeof (params_buf)) | |
{ | |
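Review bot: With the `if (grub_quark_secure)` block removed, the kernel path fails open: a platform that has `grub_quark_secure` set now loads the kernel with no indication that the CSBH lookup and the later `grub_quark_verify_asset_signature` call were skipped. The same removal is repeated for the initrd (hunks at -718, -808 and -839) and for the configuration file in boot_settings.c (hunks at -181 and -223). If the goal is a build without Quark verification, I would keep the flag meaningful and refuse to continue when it is set, e.g. `if (grub_quark_secure) { errnum = ERR_QUARK_VERIFICATION; goto fail1; }`, or put the removed code behind a build-time option so the default stays verified. The only added line in this hunk is whitespace-only and can be dropped; the enclosing function starts and ends outside the hunk.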
@@ -458,24 +446,7 @@ | |
img_size = grub_quark_asset_size (GRUB_QUARK_ASSET_KERNEL); | |
real_size = 0x1000 + grub_strlen(arg); | |
- /* Grub allocates distinct memory regions for the so-called "real mode" and | |
- "protected mode" portions of bzImage. The linux entry point is located | |
- at the base address of the protected mode section | |
- (GRUB_LINUX_BZIMAGE_ADDR). | |
- In order to perform signature verification, Quark secure boot requires | |
- the whole bzImage to be allocated contiguously, with its CSBH prepended. | |
- Consequently, the signed image is placed in a contiguous region starting | |
- from GRUB_LINUX_BZIMAGE_ADDR, and the entry point offset is updated | |
- accordingly. */ | |
- if (grub_quark_secure) | |
- { | |
- prot_size = img_size + sbh_len; | |
- code32_start_offs += (setup_sects << SECTOR_BITS) + SECTOR_SIZE | |
- + sbh_len; | |
- } | |
- | |
- else | |
- prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE; | |
+ prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE; | |
if (! allocate_pages (real_size, prot_size)) | |
goto fail; | |
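Review bot: `prot_size = img_size - (setup_sects << SECTOR_BITS) - SECTOR_SIZE;` is now the only path, and nothing visible in the hunk checks that the image is larger than its setup area. If `setup_sects` comes from the image header (its origin is outside the hunk), a truncated or malformed bzImage makes the subtraction wrap or go negative and `allocate_pages` receives a bogus size. Because the image is no longer signature-checked after this commit, that header is unauthenticated input on every boot. A guard before the assignment would cover it: `if (img_size <= (setup_sects << SECTOR_BITS) + SECTOR_SIZE) { errnum = ERR_EXEC_FORMAT; goto fail; }`.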
@@ -640,17 +611,7 @@ | |
grub_stpcpy ((char *) real_mode_mem + CMDLINE_OFFS, | |
grub_quark_linux_spi ? arg : skip_to (0, arg)); | |
- /* If Quark secure boot path, copy over CSBH + bzImage into "protected | |
- mode" section. */ | |
- if (grub_quark_secure) | |
- { | |
- grub_quark_asset_seek (0); | |
- prot_size -= sbh_len; | |
- grub_memcpy (prot_mode_mem, &quark_sbh, sizeof (quark_sbh)); | |
- prot_mode_offs += sbh_len; | |
- } | |
- else | |
- grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE); | |
+ grub_quark_asset_seek ((setup_sects << SECTOR_BITS) + SECTOR_SIZE); | |
len = prot_size; | |
if (grub_quark_asset_read (GRUB_QUARK_ASSET_KERNEL, | |
@@ -662,13 +623,6 @@ | |
goto fail; | |
} | |
- /* Verify the kernel signature. */ | |
- if (grub_quark_secure && | |
- ! grub_quark_verify_asset_signature ((grub_uint8_t *) prot_mode_mem)) | |
- { | |
- errnum = ERR_QUARK_VERIFICATION; | |
- } | |
- | |
if (errnum == ERR_NONE) | |
{ | |
loaded = 1; | |
@@ -718,28 +672,8 @@ | |
goto fail1; | |
} | |
- | |
- if (grub_quark_secure) | |
- { | |
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_INITRD_CSBH, initrd, &quark_sbh)) | |
- { | |
- if (ERR_FILE_NOT_FOUND == errnum | |
- && ! grub_quark_initrd_spi) | |
- errnum = ERR_SGN_FILE_NOT_FOUND; | |
- goto fail1; | |
- } | |
- sbh_len = quark_sbh.security_header.header_len; | |
- } | |
- | |
- if (! grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd)) | |
- goto fail1; | |
- | |
size = grub_quark_asset_size (GRUB_QUARK_ASSET_INITRD); | |
- /* If Quark secure boot, make room for CSBH (dedicated page). */ | |
- if (grub_quark_secure) | |
- size += PAGE_SIZE; | |
- | |
initrd_pages = (page_align (size) >> 12); | |
params = (struct linux_kernel_params *) real_mode_mem; | |
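Review bot: The removed lines include `if (! grub_quark_asset_open (GRUB_QUARK_ASSET_INITRD, initrd)) goto fail1;`, which was not part of the `grub_quark_secure` branch, so `grub_quark_asset_size (GRUB_QUARK_ASSET_INITRD)` and the later `grub_quark_asset_read` now run on an asset this hunk never opens. The kernel hunk at -401 keeps its `grub_quark_asset_open` call, so this looks unintended unless the initrd is opened earlier, outside the hunk. I would restore those two lines just before the `size = grub_quark_asset_size (...)` assignment.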
@@ -808,26 +742,6 @@ | |
grub_fatal ("cannot allocate pages: %x@%x", (unsigned) initrd_pages, | |
(unsigned) addr); | |
- /* | |
- Quark secure boot requires the CSBH to be prepended to the Initrd. | |
- Since Linux requires the Initrd to be page-aligned, do the following: | |
- 1. copy Initrd to the 2nd allocated page | |
- 2. copy the CSBH to the 1st allocated page at an offset such that | |
- CSBH and Initrd are adjacent | |
- */ | |
- if (grub_quark_secure) | |
- { | |
- /* | |
- We're using the first page here to populate the CSBH, so subtract the | |
- previously added page, copy CSBH and offset the initrd start address. | |
- */ | |
- size -= PAGE_SIZE; | |
- grub_memcpy ((grub_uint8_t *) initrd_mem + PAGE_SIZE - sbh_len, | |
- &quark_sbh, sizeof (quark_sbh)); | |
- initrd_mem = (grub_uint8_t *) initrd_mem + PAGE_SIZE; | |
- addr += PAGE_SIZE; | |
- } | |
- | |
if (grub_quark_asset_read (GRUB_QUARK_ASSET_INITRD, initrd_mem, size) != size) | |
{ | |
errnum = ERR_EXEC_FORMAT; | |
@@ -839,21 +753,6 @@ | |
grub_quark_initrd_spi ? " SPI" : "", | |
(unsigned int) addr, (unsigned int) size); | |
- if (grub_quark_secure) | |
- { | |
- /* Verify the initrd signature. */ | |
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *) | |
- initrd_mem - sbh_len)) | |
- { | |
- errnum = ERR_QUARK_VERIFICATION; | |
- goto fail; | |
- } | |
- | |
- /* Free up page allocated to CSBH. */ | |
- grub_efi_free_pages ((grub_addr_t) | |
- ((grub_uint8_t *) initrd_mem - PAGE_SIZE), 1); | |
- } | |
- | |
params->hdr.ramdisk_image = addr; | |
params->hdr.ramdisk_size = size; | |
--- a/work/efi/quark/boot_settings.c 2017-01-24 22:11:35.266806622 +0000 | |
+++ b/work/efi/quark/boot_settings.c 2017-01-24 22:17:56.046810025 +0000 | |
@@ -181,17 +181,6 @@ | |
return; | |
} | |
- if (grub_quark_secure) | |
- { | |
- sbh = (struct grub_quark_sbh *)cfg_buffer; | |
- if (! grub_quark_fetch_sbh (GRUB_QUARK_ASSET_CONFIG_CSBH, config_file, sbh)) | |
- { | |
- errnum = ERR_SGN_FILE_NOT_FOUND; | |
- return; | |
- } | |
- sbh_len = sbh->security_header.header_len; | |
- } | |
- | |
/* Reopen Grub config. (Grub supports a single file instance at a time) */ | |
if (! do_open_config(source)) | |
{ | |
@@ -223,13 +212,4 @@ | |
return; | |
} | |
- if (grub_quark_secure) | |
- { | |
- /* Validate configuration file. */ | |
- if (! grub_quark_verify_asset_signature ((grub_uint8_t *) cfg_buffer)) | |
- errnum = ERR_QUARK_VERIFICATION; | |
- | |
- /* Mask out the CSBH to the configuration file parser. */ | |
- *cfg_file_buffer += sbh_len; | |
- } | |
} |