From b17a1c5cf97505093bb9d8f348edefd2f7f5ea9e Mon Sep 17 00:00:00 2001
From: Mate Kukri <mate.kukri@canonical.com>
Date: Tue, 1 Apr 2025 11:26:43 +0100
Subject: [PATCH 10/13] efi/sb: Add API for retrieving shim loader image
handles
Not reusing these handles will result in image measurements showing up
twice in the event log.
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Link: https://lore.kernel.org/r/20250401102645.126390-4-mate.kukri@canonical.com
---
grub-core/kern/efi/sb.c | 16 ++++++++++++++++
include/grub/efi/sb.h | 4 ++++
2 files changed, 20 insertions(+)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 9c8811c987..1f8030587e 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -36,6 +36,8 @@ static grub_guid_t shim_loader_guid = GRUB_EFI_SHIM_IMAGE_LOADER_GUID;
static grub_efi_loader_t *shim_loader = NULL;
static grub_efi_shim_lock_protocol_t *shim_lock = NULL;
+static grub_efi_handle_t last_verified_image_handle;
+
/*
* Determine whether we're in secure boot mode.
*
@@ -181,10 +183,16 @@ shim_lock_verifier_write (void *context __attribute__ ((unused)), void *buf, gru
if (shim_loader)
{
+ if (last_verified_image_handle)
+ {
+ shim_loader->unload_image (last_verified_image_handle);
+ last_verified_image_handle = NULL;
+ }
if (shim_loader->load_image (false, grub_efi_image_handle, NULL, buf, size, &image_handle) != GRUB_EFI_SUCCESS)
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));
+ last_verified_image_handle = image_handle;
return GRUB_ERR_NONE;
}
if (shim_lock)
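Review bot: The handle saved at `last_verified_image_handle = image_handle;` is a loaded EFI image that stays resident until either the new getter claims it or the next call to this verifier reaches the unload_image at the top of the branch, so an image that no consumer ever retrieves is only released on the following verification. That is presumably acceptable, but the lifetime should be stated next to the assignment, e.g. `/* Keep the image loaded so the loader can reuse it; released on the next verification if unclaimed. */`. The ordering is sound in itself: the stale handle is dropped before the new load_image, so a failed load leaves nothing loaded. shim_lock_verifier_write's signature and the declaration of image_handle are outside the hunk.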
@@ -242,3 +250,11 @@ grub_is_using_legacy_shim_lock_protocol (void)
{
return !shim_loader && shim_lock;
}
+
+grub_efi_handle_t
+grub_efi_get_last_verified_image_handle (void)
+{
+ grub_efi_handle_t tmp = last_verified_image_handle;
+ last_verified_image_handle = NULL;
+ return tmp;
+}
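Review bot: grub_efi_get_last_verified_image_handle hands ownership of a loaded image to its caller and clears the static, but neither this definition nor the prototype added in include/grub/efi/sb.h says that the result may be NULL or that the caller is now responsible for starting or unloading the image. A comment above the function such as `/* Return the image handle loaded by the last successful shim verification, or NULL if none is pending. Ownership passes to the caller, which must start or unload it. */` would make the contract visible to the loader code that consumes it. Whether every path that runs the verifier also calls this getter cannot be seen from the patch, so a sentence on what happens to unclaimed handles would help too.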
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
index 4cae883769..149005ced3 100644
--- a/include/grub/efi/sb.h
+++ b/include/grub/efi/sb.h
@@ -21,6 +21,7 @@
#include <grub/types.h>
#include <grub/dl.h>
+#include <grub/efi/api.h>
#define GRUB_EFI_SECUREBOOT_MODE_UNSET 0
#define GRUB_EFI_SECUREBOOT_MODE_UNKNOWN 1
@@ -34,6 +35,9 @@ EXPORT_FUNC (grub_efi_get_secureboot) (void);
extern bool
EXPORT_FUNC (grub_is_using_legacy_shim_lock_protocol) (void);
+extern grub_efi_handle_t
+EXPORT_FUNC (grub_efi_get_last_verified_image_handle) (void);
+
extern void
grub_shim_lock_verifier_setup (void);
#else
--
2.49.0