From eb5199b3df642f5a4de81cae543cac838e4c9fef Mon Sep 17 00:00:00 2001
From: srs5694
Date: Sat, 8 Dec 2012 01:38:22 -0500
Subject: [PATCH] Implemented workaround to ELILO failure in Secure Boot mode.
---
 NEWS.txt | 12 +++++++++++-
 docs/refind/secureboot.html | 31 ++++++++++++++++++++-----------
 refind/main.c | 11 +++++++++--
 refind/mok.c | 7 +++++--
 4 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/NEWS.txt b/NEWS.txt
index 1a4d568..ca90d7e 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -1,4 +1,14 @@
-0.5.0 (12/?/2012):
+0.5.1 (??/??/201?):
+-------------------
+
+- Implemented a workaround to enable ELILO to launch with Secure Boot
+ active: Pass a "-C \path\to\elilo\elilo.conf" option to the program.
+ The user will need to explicitly provide the path to the Linux kernel and
+ initrd, not rely on the program to be able to read the files from the
+ current directory. In elilo.conf, the path should be specified with
+ forward slashes or doubled-up backslashes.
+
+0.5.0 (12/6/2012):
 ------------------
 - Added the ability to include quote marks ('"') in refind.conf and
diff --git a/docs/refind/secureboot.html b/docs/refind/secureboot.html
index d723758..d193e87 100644
--- a/docs/refind/secureboot.html
+++ b/docs/refind/secureboot.html
@@ -15,7 +15,7 @@ href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com

Originally written: 11/13/2012; last Web page update: -12/6/2012, referencing rEFInd 0.5.0

+12/8/2012, referencing rEFInd 0.5.0.1

I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!

@@ -226,16 +226,25 @@ Change Your Name to your own name or other identifying characteristics, try to launch two drivers, rEFInd throws up an Access Denied error for the second driver. -
  • ELILO can't find its configuration file when launched from rEFInd in - Secure Boot mode. The same may be true of GRUB Legacy or other boot loaders, - but I haven't tested them. (GRUB 2 seems fine.)
  • - -
  • Signing the Windows boot loader with a MOK won't work; it hangs, probably - for reasons similar to the ones that cause ELILO to fail. Fortunately, - the Windows 8 boot loader should work because it should be verified and - launched via EFI calls rather than via the new shim-derived code. (I lack - a Windows 8 installation for testing, though.) This limitation could affect - you if you want to boot Windows 7 with Secure Boot active, though.
  • +
  • ELILO can't find the directory from which it was launched when launched + from rEFInd in Secure Boot mode. This means that you must pass the + -C /path/to/binary/elilo.conf option + to ELILO. rEFInd does this automatically for the default ELILO option, + but you should bear the need in mind if you edit that option or use the + secondary boot options. Because of the same problem, you must specify + the complete path to your kernel and initial RAM disk file in + elilo.conf. Be sure to specify these paths using either + forward slashes (/) or doubled-up backslashes (\\). + It's possible that some other boot loaders will suffer from the same + problem.
  • + +
  • Signing the Windows boot loader with a MOK won't work; it hangs, + probably for reasons similar to the ones that cause ELILO to fail to + find its home directory. Fortunately, the Windows 8 boot loader should + work because it should be verified and launched via EFI calls rather + than via the new shim-derived code. (I lack a Windows 8 installation + for testing, though.) This limitation could affect you if you want to + boot Windows 7 with Secure Boot active, though.
  • Under certain circumstances, the time required to launch a boot loader can increase. This is unlikely to be noticeable for the average small
diff --git a/refind/main.c b/refind/main.c
index 18816e2..ffbcdb3 100644
--- a/refind/main.c
+++ b/refind/main.c
@@ -118,7 +118,7 @@ static VOID AboutrEFInd(VOID)
 if (AboutMenu.EntryCount == 0) {
 AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT);
- AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.5.0");
+ AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.5.0.1");
 AddMenuInfoLine(&AboutMenu, L"");
 AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer");
 AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012 Roderick W. Smith");
@@ -713,6 +713,7 @@ VOID SetLoaderDefaults(LOADER_ENTRY *Entry, CHAR16 *LoaderPath, IN REFIT_VOLUME
 Temp = FindLastDirName(LoaderPath);
 MergeStrings(&OSIconName, Temp, L',');
 MyFreePool(Temp);
+ Temp = NULL;
 if (OSIconName != NULL) {
 ShortcutLetter = OSIconName[0];
 }
@@ -739,9 +740,15 @@ VOID SetLoaderDefaults(LOADER_ENTRY *Entry, CHAR16 *LoaderPath, IN REFIT_VOLUME
 Entry->UseGraphicsMode = GlobalConfig.GraphicsFor & GRAPHICS_FOR_OSX;
 } else if (StriCmp(FileName, L"diags.efi") == 0) {
 MergeStrings(&OSIconName, L"hwtest", L',');
- } else if (StriCmp(FileName, L"e.efi") == 0 || StriCmp(FileName, L"elilo.efi") == 0) {
+ } else if (StriCmp(FileName, L"e.efi") == 0 || StriCmp(FileName, L"elilo.efi") == 0 || StriSubCmp(L"elilo", FileName)) {
 MergeStrings(&OSIconName, L"elilo,linux", L',');
 Entry->OSType = 'E';
+ if (secure_mode()) { // hack to enable ELILO to boot in secure mode
+ Temp = StrDuplicate(L"-C ");
+ MergeStrings(&Temp, PathOnly, 0);
+ MergeStrings(&Temp, L"elilo.conf", L'\\');
+ Entry->LoadOptions = Temp;
+ }
 if (ShortcutLetter == 0)
 ShortcutLetter = 'L';
 Entry->UseGraphicsMode = GlobalConfig.GraphicsFor & GRAPHICS_FOR_ELILO;
diff --git a/refind/mok.c b/refind/mok.c
index e9a2ad1..d97d877 100644
--- a/refind/mok.c
+++ b/refind/mok.c
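Review bot: After `Entry->LoadOptions = Temp;` in the new `secure_mode()` branch (the `-739,9 +740,15` hunk), `Temp` still aliases the buffer the entry now owns, and the assignment replaces whatever `LoadOptions` held before without releasing it. SetLoaderDefaults continues outside this hunk, so whether `Temp` is freed or reused later cannot be confirmed, but the earlier hunk already adds `Temp = NULL;` after `MyFreePool(Temp)` for the same scratch pointer; adding `Temp = NULL;` right after the assignment would keep any later `MyFreePool(Temp)` from leaving `LoadOptions` dangling. The `-C` argument is built from `PathOnly` without quoting, so a loader directory containing a space would presumably be split when ELILO parses its options; a comment stating that assumption, or quoting the path, would help. `StriSubCmp(L"elilo", FileName)` appears to match any file name containing "elilo", which makes the `elilo.efi` comparison before it redundant and applies the forced `-C` option to every such binary.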
@@ -357,7 +357,7 @@ static BOOLEAN ShimValidate (VOID *data, UINT32 size)
 * Once the image has been loaded it needs to be validated and relocated
 */
 static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IMAGE *li,
- CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN EFI_DEVICE_PATH *DevicePath)
+ CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN CHAR16 *FileName)
 {
 EFI_STATUS efi_status;
 char *buffer;
@@ -365,6 +365,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IM
 EFI_IMAGE_SECTION_HEADER *Section;
 char *base, *end;
 GNUEFI_PE_COFF_LOADER_IMAGE_CONTEXT context;
+ EFI_DEVICE_PATH *DevicePath;
 /*
 * The binary header contains relevant context and section pointers
@@ -434,6 +435,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IM
 * grub needs to know its location and size in memory, its location on
 * disk, and its load options, so fix up the loaded image protocol values
 */
+ DevicePath = FileDevicePath(NULL, FileName);
+ DevicePath = FileDevicePath(DeviceVolume->DeviceHandle, FileName);
 li->DeviceHandle = DeviceVolume->DeviceHandle;
 li->FilePath = DevicePath;
 li->LoadOptionsSize = ((UINT32)StrLen(Options) + 1) * sizeof(CHAR16);
@@ -492,7 +495,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, VOID *data, U
 /*
 * Verify and, if appropriate, relocate and execute the executable
 */
- efi_status = handle_image(data, datasize, li, Options, DeviceVolume, DevicePath);
+ efi_status = handle_image(data, datasize, li, Options, DeviceVolume, ImagePath);
 if (efi_status != EFI_SUCCESS) {
 Print(L"Failed to load image\n");
-- 
2.39.2
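Review bot: In the `-434,6 +435,8` hunk of handle_image, the result of `DevicePath = FileDevicePath(NULL, FileName);` is overwritten by the very next line, so that first device path is never used and, since FileDevicePath returns an allocated path, is leaked on every image launch; the line should be dropped, leaving only `DevicePath = FileDevicePath(DeviceVolume->DeviceHandle, FileName);`. The remaining result is stored in `li->FilePath` without a NULL check, so an allocation failure would hand the loaded image a NULL file path; a guard such as `if (DevicePath == NULL) return EFI_OUT_OF_RESOURCES;` before the protocol fix-up would make that failure explicit. handle_image starts and ends outside this hunk, so any cleanup that early return would need cannot be confirmed from here. In the last hunk, start_image no longer passes its own `DevicePath` to handle_image, which may leave that variable unused.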