authorSteve Langasek <steve.langasek@canonical.com>2012-10-10 15:26:11 -0700
committerSteve Langasek <steve.langasek@canonical.com>2012-10-10 15:26:11 -0700
commit3180a8dd2c6e3d269de55df5af24884cd080e722 (patch)
treee956435f7d492e4be4a379cdaae9fd2c3c9a67b2 /debian
parent1d8992c51bc16be388ec67d9ad910ea613406c5c (diff)
debian/patches/shim-before-loadimage: Use direct verification first
before LoadImage. Addresses an issue where Lenovo's SecureBoot implementation pops an error message on any verification failure - avoid calling LoadImage at all unless we have to.
Diffstat (limited to 'debian')
-rw-r--r--debian/changelog9
-rw-r--r--debian/patches/series1
-rw-r--r--debian/patches/shim-before-loadimage69
3 files changed, 79 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index ea990109..8ff58b07 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+shim (0~20120906.bcd0a4e8-0ubuntu4) UNRELEASED; urgency=low
+
+ * debian/patches/shim-before-loadimage: Use direct verification first
+ before LoadImage. Addresses an issue where Lenovo's SecureBoot
+ implementation pops an error message on any verification failure - avoid
+ calling LoadImage at all unless we have to.
+
+ -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 10 Oct 2012 15:23:08 -0700
+
shim (0~20120906.bcd0a4e8-0ubuntu3) quantal; urgency=low
* debian/patches/second-stage-path: Chainload grubx64.efi, not
diff --git a/debian/patches/series b/debian/patches/series
index 42f8afa0..3943d4c4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
prototypes
second-stage-path
+shim-before-loadimage
diff --git a/debian/patches/shim-before-loadimage b/debian/patches/shim-before-loadimage
new file mode 100644
index 00000000..e7352ea9
--- /dev/null
+++ b/debian/patches/shim-before-loadimage
@@ -0,0 +1,69 @@
+Description: Use direct verification first before LoadImage
+ Some implementations of LoadImage (i.e., Lenovo) don't fail silently, but
+ instead pop an error message on the screen requiring user interaction. So
+ since LoadImage is *expected* to fail in normal use, give precedence to
+ direct loading of the bootloader and use LoadImage as the fallback.
+Author: Steve Langasek <steve.langasek@ubuntu.com>
+
+Index: shim/shim.c
+===================================================================
+--- shim.orig/shim.c
++++ shim/shim.c
+@@ -879,39 +879,39 @@
+ goto done;
+ }
+
+- efi_status = uefi_call_wrapper(BS->LoadImage, 6, FALSE, image_handle,
+- grubpath, NULL, 0, &grub_handle);
+-
+-
+- if (efi_status == EFI_SUCCESS) {
+- /* Image validates - start it */
+- Print(L"Starting file via StartImage\n");
+- efi_status = uefi_call_wrapper(BS->StartImage, 3, grub_handle, NULL,
+- NULL);
+- uefi_call_wrapper(BS->UnloadImage, 1, grub_handle);
+- goto done;
+- }
+-
+ efi_status = load_grub(li, &data, &datasize, PathName);
+
+ if (efi_status != EFI_SUCCESS) {
+ Print(L"Failed to load grub\n");
+- goto done;
++ goto load_image_fallback;
+ }
+
+ CopyMem(&li_bak, li, sizeof(li_bak));
+
+ efi_status = handle_grub(data, datasize, li);
+
+- if (efi_status != EFI_SUCCESS) {
+- Print(L"Failed to load grub\n");
++ if (efi_status == EFI_SUCCESS) {
++ efi_status = uefi_call_wrapper(entry_point, 3, image_handle, systab);
+ CopyMem(li, &li_bak, sizeof(li_bak));
+ goto done;
+ }
+
+- efi_status = uefi_call_wrapper(entry_point, 3, image_handle, systab);
+-
++ Print(L"Failed to load grub\n");
+ CopyMem(li, &li_bak, sizeof(li_bak));
++
++load_image_fallback:
++ efi_status = uefi_call_wrapper(BS->LoadImage, 6, FALSE, image_handle,
++ grubpath, NULL, 0, &grub_handle);
++
++
++ if (efi_status == EFI_SUCCESS) {
++ /* Image validates - start it */
++ Print(L"Starting file via StartImage\n");
++ efi_status = uefi_call_wrapper(BS->StartImage, 3, grub_handle, NULL,
++ NULL);
++ uefi_call_wrapper(BS->UnloadImage, 1, grub_handle);
++ }
++
+ done:
+
+ return efi_status;
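Review bot: In the `load_image_fallback` block `grub_handle` is unloaded only when LoadImage returns EFI_SUCCESS. UEFI 2.3.1 and later let LoadImage return EFI_SECURITY_VIOLATION with the image handle already created, so a rejected image would stay loaded when control reaches `done:`. Because this block is now the last resort after direct verification has failed, consider adding `else if (efi_status == EFI_SECURITY_VIOLATION) uefi_call_wrapper(BS->UnloadImage, 1, grub_handle);` after the success branch. Separately, both earlier failure branches print the same `Failed to load grub` text and the status from `load_grub`/`handle_grub` is overwritten by the LoadImage result, so a comment above the label such as `/* direct load or verification failed; defer to the firmware's LoadImage policy */` and a distinct message per branch would make it clear which check rejected the image. The enclosing function starts and ends outside the hunk.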