efi: Make use of the grub's prefix for detection #268
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
chrisccoulson
force-pushed
the
efi-use-grub-prefix-for-detection
branch
from
73d2efa to
3a7fd0b
Compare
chrisccoulson
added a commit
to chrisccoulson/secboot
that referenced
this pull request
Nov 28, 2023
Grub detection will be fixed separately in canonical#268
chrisccoulson
force-pushed
the
efi-use-grub-prefix-for-detection
branch
2 times, most recently
from
40fbab3 to
12a3c33
Compare
chrisccoulson
added a commit
that referenced
this pull request
Dec 1, 2023
…aries efi: Add support for shim binaries used during snapd spread tests. Snapd re-signs production shim and grub binaries (previously signed by Microsoft and Canonical) with a snakeoil key, so recognize this as part of the Microsoft hierarchy during testing. Some tests also recompile our patched shim v15, which we use an image digest match to recognize it as having patches backported from 15.2. Recognize any shim v15 signed with the snakeoil key as being supported during testing. #268 will contain changes required for grub.
Avoid relying on the signature in order to detect an Ubuntu production grub binary for binaries without a SBAT section, as this breaks test cases in snapd where grub is re-signed. Instead, obtain the prefix from the "mods" section (which is set to "/EFI/ubuntu" in Ubuntu).
chrisccoulson
force-pushed
the
efi-use-grub-prefix-for-detection
branch
from
12a3c33 to
8cace2b
Compare
chrisccoulson
force-pushed
the
efi-use-grub-prefix-for-detection
branch
from
3ab72af to
421f90a
Compare
pedronis
reviewed
Dec 4, 2023
Comment on lines
+109
to
+120
| case pe.IMAGE_FILE_MACHINE_ARM, pe.IMAGE_FILE_MACHINE_I386, pe.IMAGE_FILE_MACHINE_RISCV32: | ||
| var info grubModuleInfo32 | ||
| if err := binary.Read(section, binary.LittleEndian, &info); err != nil { | ||
| return nil, fmt.Errorf("cannot obtain modules info: %w", err) | ||
| } | ||
| if info.Magic != grubModuleMagic { | ||
| return nil, errors.New("invalid module magic") | ||
| } | ||
| if info.Size < info.Offset { | ||
| return nil, errors.New("invalid modules size") | ||
| } | ||
| r = io.NewSectionReader(section, int64(info.Offset), int64(info.Size)-int64(info.Offset)) |
| @@ -163,7 +163,7 @@ func makeMicrosoftUEFICASecureBootNamespaceRules() *secureBootNamespaceRules { | |||
| ), | |||
| imageMatchesAll( | |||
| imageSectionExists("mods"), | |||
| imageSignedByOrganization("Canonical Ltd."), | |||
| grubHasPrefix("/EFI/ubuntu"), | |||
There was a problem hiding this comment.
do we still need all the changes from the snakeoil PR?
efi/grub.go
Outdated
| if info.Magic != grubModuleMagic { | ||
| return nil, errors.New("invalid modules magic") | ||
| } | ||
| if info.Size > math.MaxInt64 { |
There was a problem hiding this comment.
This was addressed with 421f90a
chrisccoulson
force-pushed
the
efi-use-grub-prefix-for-detection
branch
from
2b485a2 to
8e2219e
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Avoid relying on the signature in order to detect an Ubuntu production
grub binary for binaries without a SBAT section, as this breaks test cases
in snapd where grub is re-signed. Instead, obtain the prefix from the
"mods" section (which is set to "/EFI/ubuntu" in Ubuntu).