From eb5199b3df642f5a4de81cae543cac838e4c9fef Mon Sep 17 00:00:00 2001
From: srs5694
Date: Sat, 8 Dec 2012 01:38:22 -0500
Subject: [PATCH 1/1] Implemented workaround to ELILO failure in Secure Boot
mode.
---
NEWS.txt | 12 +++++++++++-
docs/refind/secureboot.html | 31 ++++++++++++++++++++-----------
refind/main.c | 11 +++++++++--
refind/mok.c | 7 +++++--
4 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/NEWS.txt b/NEWS.txt
index 1a4d568..ca90d7e 100644
--- a/NEWS.txt
+++ b/NEWS.txt
@@ -1,4 +1,14 @@
-0.5.0 (12/?/2012):
+0.5.1 (??/??/201?):
+-------------------
+
+- Implemented a workaround to enable ELILO to launch with Secure Boot
+ active: Pass a "-C \path\to\elilo\elilo.conf" option to the program.
+ The user will need to explicitly provide the path to the Linux kernel and
+ initrd, not rely on the program to be able to read the files from the
+ current directory. In elilo.conf, the path should be specified with
+ forward slashes or doubled-up backslashes.
+
+0.5.0 (12/6/2012):
------------------
- Added the ability to include quote marks ('"') in refind.conf and
diff --git a/docs/refind/secureboot.html b/docs/refind/secureboot.html
index d723758..d193e87 100644
--- a/docs/refind/secureboot.html
+++ b/docs/refind/secureboot.html
@@ -15,7 +15,7 @@
href="mailto:rodsmith@rodsbooks.com">rodsmith@rodsbooks.com
Originally written: 11/13/2012; last Web page update:
-12/6/2012, referencing rEFInd 0.5.0
+12/8/2012, referencing rEFInd 0.5.0.1
I'm a technical writer and consultant specializing in Linux technologies. This Web page is provided free of charge and with no annoying outside ads; however, I did take time to prepare it, and Web hosting does cost money. If you find this Web page useful, please consider making a small donation to help keep this site up and running. Thanks!
@@ -226,16 +226,25 @@ Change Your Name to your own name or other identifying characteristics,
try to launch two drivers, rEFInd throws up an Access Denied
error for the second driver.
-ELILO can't find its configuration file when launched from rEFInd in
- Secure Boot mode. The same may be true of GRUB Legacy or other boot loaders,
- but I haven't tested them. (GRUB 2 seems fine.)
-
-Signing the Windows boot loader with a MOK won't work; it hangs, probably
- for reasons similar to the ones that cause ELILO to fail. Fortunately,
- the Windows 8 boot loader should work because it should be verified and
- launched via EFI calls rather than via the new shim-derived code. (I lack
- a Windows 8 installation for testing, though.) This limitation could affect
- you if you want to boot Windows 7 with Secure Boot active, though.
+ELILO can't find the directory from which it was launched when launched
+ from rEFInd in Secure Boot mode. This means that you must pass the
+ -C /path/to/binary/elilo.conf option
+ to ELILO. rEFInd does this automatically for the default ELILO option,
+ but you should bear the need in mind if you edit that option or use the
+ secondary boot options. Because of the same problem, you must specify
+ the complete path to your kernel and initial RAM disk file in
+ elilo.conf. Be sure to specify these paths using either
+ forward slashes (/) or doubled-up backslashes (\\).
+ It's possible that some other boot loaders will suffer from the same
+ problem.
+
+Signing the Windows boot loader with a MOK won't work; it hangs,
+ probably for reasons similar to the ones that cause ELILO to fail to
+ find its home directory. Fortunately, the Windows 8 boot loader should
+ work because it should be verified and launched via EFI calls rather
+ than via the new shim-derived code. (I lack a Windows 8 installation
+ for testing, though.) This limitation could affect you if you want to
+ boot Windows 7 with Secure Boot active, though.
Under certain circumstances, the time required to launch a boot loader
can increase. This is unlikely to be noticeable for the average small
diff --git a/refind/main.c b/refind/main.c
index 18816e2..ffbcdb3 100644
--- a/refind/main.c
+++ b/refind/main.c
@@ -118,7 +118,7 @@ static VOID AboutrEFInd(VOID)
if (AboutMenu.EntryCount == 0) {
AboutMenu.TitleImage = BuiltinIcon(BUILTIN_ICON_FUNC_ABOUT);
- AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.5.0");
+ AddMenuInfoLine(&AboutMenu, L"rEFInd Version 0.5.0.1");
AddMenuInfoLine(&AboutMenu, L"");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2006-2010 Christoph Pfisterer");
AddMenuInfoLine(&AboutMenu, L"Copyright (c) 2012 Roderick W. Smith");
@@ -713,6 +713,7 @@ VOID SetLoaderDefaults(LOADER_ENTRY *Entry, CHAR16 *LoaderPath, IN REFIT_VOLUME
Temp = FindLastDirName(LoaderPath);
MergeStrings(&OSIconName, Temp, L',');
MyFreePool(Temp);
+ Temp = NULL;
if (OSIconName != NULL) {
ShortcutLetter = OSIconName[0];
}
@@ -739,9 +740,15 @@ VOID SetLoaderDefaults(LOADER_ENTRY *Entry, CHAR16 *LoaderPath, IN REFIT_VOLUME
Entry->UseGraphicsMode = GlobalConfig.GraphicsFor & GRAPHICS_FOR_OSX;
} else if (StriCmp(FileName, L"diags.efi") == 0) {
MergeStrings(&OSIconName, L"hwtest", L',');
- } else if (StriCmp(FileName, L"e.efi") == 0 || StriCmp(FileName, L"elilo.efi") == 0) {
+ } else if (StriCmp(FileName, L"e.efi") == 0 || StriCmp(FileName, L"elilo.efi") == 0 || StriSubCmp(L"elilo", FileName)) {
MergeStrings(&OSIconName, L"elilo,linux", L',');
Entry->OSType = 'E';
+ if (secure_mode()) { // hack to enable ELILO to boot in secure mode
+ Temp = StrDuplicate(L"-C ");
+ MergeStrings(&Temp, PathOnly, 0);
+ MergeStrings(&Temp, L"elilo.conf", L'\\');
+ Entry->LoadOptions = Temp;
+ }
if (ShortcutLetter == 0)
ShortcutLetter = 'L';
Entry->UseGraphicsMode = GlobalConfig.GraphicsFor & GRAPHICS_FOR_ELILO;
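Review bot: The added `StriSubCmp(L"elilo", FileName)` test appears to be a substring match, which makes the two exact `StriCmp` comparisons for `elilo.efi` redundant and widens this branch to any loader whose name merely contains "elilo". In Secure Boot mode every such binary then receives the `-C` option. If only ELILO variants are intended, a comment stating that (or a tighter match) would help. Inside the `secure_mode()` block, `Entry->LoadOptions = Temp;` overwrites whatever options the entry already held and leaves `Temp` aliasing memory the entry now owns; I would write `MyFreePool(Entry->LoadOptions); Entry->LoadOptions = Temp; Temp = NULL;` so that a later free of `Temp` cannot leave the entry with a dangling pointer. SetLoaderDefaults continues outside the hunk, so whether `Temp` is freed again afterwards, and whether `StrDuplicate` can return NULL here, should be confirmed against the rest of the function.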
diff --git a/refind/mok.c b/refind/mok.c
index e9a2ad1..d97d877 100644
--- a/refind/mok.c
+++ b/refind/mok.c
@@ -357,7 +357,7 @@ static BOOLEAN ShimValidate (VOID *data, UINT32 size)
* Once the image has been loaded it needs to be validated and relocated
*/
static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IMAGE *li,
- CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN EFI_DEVICE_PATH *DevicePath)
+ CHAR16 *Options, REFIT_VOLUME *DeviceVolume, IN CHAR16 *FileName)
{
EFI_STATUS efi_status;
char *buffer;
@@ -365,6 +365,7 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IM
EFI_IMAGE_SECTION_HEADER *Section;
char *base, *end;
GNUEFI_PE_COFF_LOADER_IMAGE_CONTEXT context;
+ EFI_DEVICE_PATH *DevicePath;
/*
* The binary header contains relevant context and section pointers
@@ -434,6 +435,8 @@ static EFI_STATUS handle_image (void *data, unsigned int datasize, EFI_LOADED_IM
* grub needs to know its location and size in memory, its location on
* disk, and its load options, so fix up the loaded image protocol values
*/
+ DevicePath = FileDevicePath(NULL, FileName);
+ DevicePath = FileDevicePath(DeviceVolume->DeviceHandle, FileName);
li->DeviceHandle = DeviceVolume->DeviceHandle;
li->FilePath = DevicePath;
li->LoadOptionsSize = ((UINT32)StrLen(Options) + 1) * sizeof(CHAR16);
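Review bot: The first added call, `DevicePath = FileDevicePath(NULL, FileName);`, has its result overwritten by the very next line, so the path it built is never used and, if it allocates from pool as the gnu-efi implementation does, is leaked on every launch. Drop that line and keep only `DevicePath = FileDevicePath(DeviceVolume->DeviceHandle, FileName);`. The result is then stored in `li->FilePath` with no NULL check. Since this is the path the launched image uses to locate itself on disk, a guard such as `if (DevicePath == NULL) return EFI_OUT_OF_RESOURCES;` would be safer, together with whatever cleanup the earlier allocations in handle_image need (its body begins and ends outside this hunk). With the call site in start_image now passing `ImagePath`, the `DevicePath` variable there may be unused and is worth checking.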
@@ -492,7 +495,7 @@ EFI_STATUS start_image(EFI_HANDLE image_handle, CHAR16 *ImagePath, VOID *data, U
/*
* Verify and, if appropriate, relocate and execute the executable
*/
- efi_status = handle_image(data, datasize, li, Options, DeviceVolume, DevicePath);
+ efi_status = handle_image(data, datasize, li, Options, DeviceVolume, ImagePath);
if (efi_status != EFI_SUCCESS) {
Print(L"Failed to load image\n");
--
2.39.2