From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Date: Fri, 4 Mar 2022 11:29:31 +0100
Subject: [PATCH] grub-core/loader/arm64/linux.c: do not validate kernel twice

Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes
the kernel file through shim-lock verifier when secureboot is on. Thus
there is no need to validate the kernel image again. And when doing so
again, duplicate PCR measurement is performed, breaking measurements
compatibility with 2.04+linuxefi.

This patch must not be ported to older editions of grub code bases
that do not have verifiers framework, or it is not builtin, or
shim-lock-verifier is an optional module.

Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
---
 grub-core/loader/arm64/linux.c | 13 -------------
 1 file changed, 13 deletions(-)

diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index f18d90bd74..d2af47c2c0 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -34,7 +34,6 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/verify.h>
-#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -341,7 +340,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   grub_off_t filelen;
   grub_uint32_t align;
   void *kernel = NULL;
-  int rc;
 
   grub_dl_ref (my_mod);
 
@@ -370,17 +368,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
       goto fail;
     }
 
-  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
-    {
-      rc = grub_linuxefi_secure_validate (kernel, filelen);
-      if (rc <= 0)
-	{
-	  grub_error (GRUB_ERR_INVALID_COMMAND,
-		      N_("%s has invalid signature"), argv[0]);
-	  goto fail;
-	}
-    }
-
   if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE)
     goto fail;
   if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE)