authorJulian Andres Klode <julian.klode@canonical.com>2020-03-11 16:55:47 +0100
committerJulian Andres Klode <julian.klode@canonical.com>2020-03-11 16:56:00 +0100
commitd9d538a26108c5b2e80ff2abb71d41c39a17e1af (patch)
tree5f425cd687bdb62fa565f3c0fd23f50ed9746449
parenteb9a765f714e062bc40afb409b03ceb3ed2e01d7 (diff)
parenta23307b448748bcfdd39484906330bca9aacef80 (diff)
change version to 2.04-1ubuntu12.2 (UNRELEASED)
Make the linux command in EFI grub always try EFI handover; thanks to Chris Coulson for the patches (LP: #1864533)
-rw-r--r--debian/.git-dpm4
-rw-r--r--debian/changelog7
-rw-r--r--debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch118
-rw-r--r--debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch25
-rw-r--r--debian/patches/series2
-rw-r--r--grub-core/loader/i386/efi/linux.c16
-rw-r--r--grub-core/loader/i386/linux.c47
7 files changed, 190 insertions, 29 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index c33c760b0..d82e5894a 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
# see git-dpm(1) from git-dpm package
-6d556f920f094cbae34bcc45be5f271a74b65f54
-6d556f920f094cbae34bcc45be5f271a74b65f54
+a23307b448748bcfdd39484906330bca9aacef80
+a23307b448748bcfdd39484906330bca9aacef80
578bb115fbd47e1c464696f1f8d6183e5443975d
578bb115fbd47e1c464696f1f8d6183e5443975d
grub2_2.04.orig.tar.xz
diff --git a/debian/changelog b/debian/changelog
index c3476bab1..0e942daaa 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+grub2 (2.04-1ubuntu12.2) UNRELEASED; urgency=medium
+
+ * Make the linux command in EFI grub always try EFI handover; thanks
+ to Chris Coulson for the patches (LP: #1864533)
+
+ -- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 16:55:47 +0100
+
grub2 (2.04-1ubuntu12.1) eoan; urgency=medium
* debian/patches/ubuntu-tpm-unknown-error-non-fatal.patch: treat "unknown"
diff --git a/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch b/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
new file mode 100644
index 000000000..380bb80bf
--- /dev/null
+++ b/debian/patches/0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
@@ -0,0 +1,118 @@
+From ffd5d8862d34dcab11452eeb057d3ffeb43d283a Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 11 Mar 2020 16:46:00 +0100
+Subject: ubuntu: Make the linux command in EFI grub always try EFI handover
+
+The previous implementation only boots via the EFI handover protocol when
+secure boot is enabled. This means that disabling secure boot breaks some
+features that depend on the kernel being booted via the EFI handover entry
+point, such as retrieval of the TCG event log.
+
+Update the linux command to always attempt to defer to linuxefi in EFI grub
+builds, regardless of whether secure boot is enabled or not. This also allows
+a fallback to the non-EFI handover path on kernels that don't support it, but
+only if secure boot is disabled.
+---
+ grub-core/loader/i386/efi/linux.c | 14 +++++----
+ grub-core/loader/i386/linux.c | 47 +++++++++++++++++--------------
+ 2 files changed, 35 insertions(+), 26 deletions(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 6b6aef87f..fe3ca2c59 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -27,6 +27,7 @@
+ #include <grub/lib/cmdline.h>
+ #include <grub/efi/efi.h>
+ #include <grub/efi/linux.h>
++#include <grub/efi/sb.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+
+- rc = grub_linuxefi_secure_validate (kernel, filelen);
+- if (rc < 0)
++ if (grub_efi_secure_boot ())
+ {
+- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+- argv[0]);
+- goto fail;
++ rc = grub_linuxefi_secure_validate (kernel, filelen);
++ if (rc < 0)
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
++ argv[0]);
++ goto fail;
++ }
+ }
+
+ params = grub_efi_allocate_pages_max (0x3fffffff,
+diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
+index 4328bcbdb..991eb29db 100644
+--- a/grub-core/loader/i386/linux.c
++++ b/grub-core/loader/i386/linux.c
+@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+
+ #ifdef GRUB_MACHINE_EFI
+ using_linuxefi = 0;
+- if (grub_efi_secure_boot ())
+- {
+- /* linuxefi requires a successful signature check and then hand over
+- to the kernel without calling ExitBootServices. */
+- grub_dl_t mod;
+- grub_command_t linuxefi_cmd;
+
+- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
++ grub_dl_t mod;
++ grub_command_t linuxefi_cmd;
++
++ grub_dprintf ("linux", "Trying linuxefi\n");
+
+- mod = grub_dl_load ("linuxefi");
+- if (mod)
++ mod = grub_dl_load ("linuxefi");
++ if (mod)
++ {
++ grub_dl_ref (mod);
++ linuxefi_cmd = grub_command_find ("linuxefi");
++ initrdefi_cmd = grub_command_find ("initrdefi");
++ if (linuxefi_cmd && initrdefi_cmd)
+ {
+- grub_dl_ref (mod);
+- linuxefi_cmd = grub_command_find ("linuxefi");
+- initrdefi_cmd = grub_command_find ("initrdefi");
+- if (linuxefi_cmd && initrdefi_cmd)
++ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
++ if (grub_errno == GRUB_ERR_NONE)
++ {
++ grub_dprintf ("linux", "Handing off to linuxefi\n");
++ using_linuxefi = 1;
++ return GRUB_ERR_NONE;
++ }
++ else if (grub_efi_secure_boot ())
+ {
+- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+- if (grub_errno == GRUB_ERR_NONE)
+- {
+- grub_dprintf ("linux", "Handing off to linuxefi\n");
+- using_linuxefi = 1;
+- return GRUB_ERR_NONE;
+- }
+- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
++ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
+ goto fail;
+ }
+ }
+ }
++
++ if (grub_efi_secure_boot ())
++ {
++ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
++ goto fail;
++ }
+ #endif
+
+ if (argc == 0)
diff --git a/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch b/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch
new file mode 100644
index 000000000..b889767d6
--- /dev/null
+++ b/debian/patches/0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch
@@ -0,0 +1,25 @@
+From a23307b448748bcfdd39484906330bca9aacef80 Mon Sep 17 00:00:00 2001
+From: Chris Coulson <chris.coulson@canonical.com>
+Date: Wed, 11 Mar 2020 16:46:41 +0100
+Subject: ubuntu: Update the linux boot protocol version check.
+
+The EFI implementation of grub_cmd_linux makes use of xloadflags which was
+introduced in to version 2.12 of the kernel's boot protocol, so update the
+check accordingly.
+---
+ grub-core/loader/i386/efi/linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index fe3ca2c59..2929da7a2 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -245,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ }
+
+ grub_dprintf ("linuxefi", "checking lh->version\n");
+- if (lh->version < grub_cpu_to_le16 (0x020b))
++ if (lh->version < grub_cpu_to_le16 (0x020c))
+ {
+ grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
+ goto fail;
diff --git a/debian/patches/series b/debian/patches/series
index 2a8f054aa..f9402a35c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -68,3 +68,5 @@ ubuntu-add-devicetree-command-support.patch
ubuntu-boot-from-multipath-dependent-symlink.patch
ubuntu-skip-disk-by-id-lvm-pvm-uuid-entries.patch
ubuntu-tpm-unknown-error-non-fatal.patch
+0071-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
+0072-ubuntu-Update-the-linux-boot-protocol-version-check.patch
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 6b6aef87f..2929da7a2 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -27,6 +27,7 @@
#include <grub/lib/cmdline.h>
#include <grub/efi/efi.h>
#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
- rc = grub_linuxefi_secure_validate (kernel, filelen);
- if (rc < 0)
+ if (grub_efi_secure_boot ())
{
- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
- argv[0]);
- goto fail;
+ rc = grub_linuxefi_secure_validate (kernel, filelen);
+ if (rc < 0)
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
+ argv[0]);
+ goto fail;
+ }
}
params = grub_efi_allocate_pages_max (0x3fffffff,
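Review bot: When `grub_efi_secure_boot ()` returns false the kernel image is now accepted with no validation and nothing is logged, so debug output cannot distinguish a boot that skipped `grub_linuxefi_secure_validate` from one that passed it. The whole decision rests on that one runtime query; how it behaves when the firmware state cannot be read is not visible here, and it is worth confirming that it fails closed. I would add an else branch with `grub_dprintf ("linuxefi", "Secure Boot disabled: skipping signature validation\n");` and a comment above the `if` stating that unsigned kernels are intentionally allowed in that state. grub_cmd_linux starts and ends outside this hunk.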
@@ -241,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
}
grub_dprintf ("linuxefi", "checking lh->version\n");
- if (lh->version < grub_cpu_to_le16 (0x020b))
+ if (lh->version < grub_cpu_to_le16 (0x020c))
{
grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
goto fail;
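Review bot: The bare constant `0x020c` deserves a comment tying it to the field that needs it, for example `/* xloadflags was added in boot protocol 2.12 */`, since the commit message is currently the only place that explains the bump. The error text `kernel too old` gives no hint of the required version, and with Secure Boot enabled the linux.c hunk in this commit turns this failure into a hard stop, so naming protocol 2.12 in the message would help. The comparison is made on little-endian encoded values, which preserves ordering only on a little-endian host; that holds for this i386 loader, but `grub_le_to_cpu16 (lh->version) < 0x020c` states the intent more directly.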
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 4328bcbdb..991eb29db 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
#ifdef GRUB_MACHINE_EFI
using_linuxefi = 0;
- if (grub_efi_secure_boot ())
- {
- /* linuxefi requires a successful signature check and then hand over
- to the kernel without calling ExitBootServices. */
- grub_dl_t mod;
- grub_command_t linuxefi_cmd;
- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
+ grub_dl_t mod;
+ grub_command_t linuxefi_cmd;
+
+ grub_dprintf ("linux", "Trying linuxefi\n");
- mod = grub_dl_load ("linuxefi");
- if (mod)
+ mod = grub_dl_load ("linuxefi");
+ if (mod)
+ {
+ grub_dl_ref (mod);
+ linuxefi_cmd = grub_command_find ("linuxefi");
+ initrdefi_cmd = grub_command_find ("initrdefi");
+ if (linuxefi_cmd && initrdefi_cmd)
{
- grub_dl_ref (mod);
- linuxefi_cmd = grub_command_find ("linuxefi");
- initrdefi_cmd = grub_command_find ("initrdefi");
- if (linuxefi_cmd && initrdefi_cmd)
+ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
+ if (grub_errno == GRUB_ERR_NONE)
+ {
+ grub_dprintf ("linux", "Handing off to linuxefi\n");
+ using_linuxefi = 1;
+ return GRUB_ERR_NONE;
+ }
+ else if (grub_efi_secure_boot ())
{
- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
- if (grub_errno == GRUB_ERR_NONE)
- {
- grub_dprintf ("linux", "Handing off to linuxefi\n");
- using_linuxefi = 1;
- return GRUB_ERR_NONE;
- }
- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
+ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
goto fail;
}
}
}
+
+ if (grub_efi_secure_boot ())
+ {
+ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
+ goto fail;
+ }
#endif
if (argc == 0)
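Review bot: On the new fallback path (linuxefi returned an error and `grub_efi_secure_boot ()` is false) execution continues into the legacy loader with `grub_errno` still holding the linuxefi failure, and the old `linuxefi failed (%d)` debug line no longer fires for that case. Adding `else { grub_dprintf ("linux", "linuxefi failed (%d), falling back\n", grub_errno); grub_errno = GRUB_ERR_NONE; }` would keep the stale error from leaking into whatever the rest of the function checks (that code is outside this hunk, so this is unconfirmed). The final Secure Boot block reaches `fail` after only a `grub_dprintf`; if `grub_errno` is still `GRUB_ERR_NONE` there, for example when the module loaded but a command lookup returned NULL, the refusal may not be reported as an error, so `grub_error (GRUB_ERR_ACCESS_DENIED, "linuxefi unavailable and secure boot is enabled");` before the `goto` is safer. The reference taken by `grub_dl_ref (mod)` is also kept on every fallback path. The same code is carried in debian/patches/0071 in this commit.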