File 0005-verify-initrd-in-shim-lock.patch of Package grub2
From 29e07d8295b25e964fb1220e7a07b5f764352c1d Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 2 Feb 2023 21:11:15 +0800
Subject: [PATCH 6/7] verify initrd in shim-lock
---
grub-core/kern/efi/sb.c | 10 +++++++++-
grub-core/kern/unwrap.c | 3 +++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 68ad47cc9..6029ae011 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -141,6 +141,10 @@ static struct pe_requirements kernel_pe_requirements = {
.subsystem = GRUB_PE32_SUBSYSTEM_EFI_APPLICATION,
};
+static struct pe_requirements wrapper_pe_requirements = {
+ .subsystem = GRUB_PE32_SUBSYSTEM_WINDOWS_GUI,
+};
+
static grub_err_t
shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
enum grub_file_type type,
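Review bot: `wrapper_pe_requirements` is added without a comment explaining why a wrapped file must carry `GRUB_PE32_SUBSYSTEM_WINDOWS_GUI` while the kernel entry just above requires `GRUB_PE32_SUBSYSTEM_EFI_APPLICATION`. Presumably the distinct subsystem keeps a signed data wrapper from being accepted where a bootable EFI image is expected, and a signed kernel from being accepted as a wrapper; that is inferred, not shown in the hunk. If that is the intent it should be written down, because it is the property the check depends on. Suggested comment above the definition: `/* Wrapped data files (e.g. initrd) are signed PE images that are deliberately not EFI applications, so they cannot stand in for a kernel image or the reverse. */`.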
@@ -163,10 +167,14 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
return GRUB_ERR_NONE;
+ case GRUB_FILE_TYPE_LINUX_INITRD:
+ *context = &wrapper_pe_requirements;
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+ return GRUB_ERR_NONE;
+
/* Files that do not affect secureboot state. */
case GRUB_FILE_TYPE_NONE:
case GRUB_FILE_TYPE_LOOPBACK:
- case GRUB_FILE_TYPE_LINUX_INITRD:
case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
case GRUB_FILE_TYPE_XNU_RAMDISK:
case GRUB_FILE_TYPE_SIGNATURE:
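Review bot: The new `GRUB_FILE_TYPE_LINUX_INITRD` case subjects every initrd to shim-lock verification with `GRUB_VERIFY_FLAGS_SINGLE_CHUNK`, and nothing in the hunk documents the consequences. An initrd regenerated on the machine without being wrapped and signed will presumably be rejected once this is active. Single-chunk verification also likely means the whole initrd is buffered before it is checked, which matters for large images. A comment on the case such as `/* initrd must be a signed PE wrapper (wrapper_pe_requirements); read as one chunk so the check covers the whole file. */` would state the contract. The rejection path is in the write handler outside this hunk and should be confirmed to return an error, not hand back the raw file; `shim_lock_verifier_init` also starts and ends outside the hunk.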
diff --git a/grub-core/kern/unwrap.c b/grub-core/kern/unwrap.c
index dc32ccdad..43110cad3 100644
--- a/grub-core/kern/unwrap.c
+++ b/grub-core/kern/unwrap.c
@@ -131,6 +131,9 @@ grub_unwrap_open (grub_file_t io, enum grub_file_type type)
case GRUB_FILE_TYPE_FONT:
grub_strncpy(name, ".GRUBpf2", 8);
break;
+ case GRUB_FILE_TYPE_LINUX_INITRD:
+ grub_strncpy(name, ".GRUBini", 8);
+ break;
/* Don't touch other files. */
default:
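Review bot: `grub_strncpy(name, ".GRUBini", 8)` copies exactly eight characters, so this call leaves `name` without a NUL terminator. That is correct for an 8-byte PE section name only if `name` is sized for it and later compared by length, which the hunk does not show. The literal `8` is also repeated in each case (`.GRUBpf2` just above), so a named constant or a `sizeof` on the section-name field would keep the copies and the later comparison in step. If `name` is ever treated as a C string it needs a 9-byte buffer and an explicit `name[8] = '\0';`. `grub_unwrap_open` continues outside the hunk.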
--
2.39.2