From a3995a0267ef95e8c0032bf2a7b820c381e8f64e Mon Sep 17 00:00:00 2001
From: longpanda
Date: Mon, 29 Jun 2026 13:46:17 +0800
Subject: [PATCH] Optimization for secure boot process.

---
 .../MdeModulePkg/Application/Ventoy/Ventoy.c | 68 ------------------
 .../Application/VtoyUtil/VtoyUtil.c | 69 -------------------
 .../grub-2.04/grub-core/ventoy/ventoy.c | 26 +++----
 3 files changed, 11 insertions(+), 152 deletions(-)

diff --git a/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/Ventoy/Ventoy.c b/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/Ventoy/Ventoy.c
index b316605f..65342013 100644
--- a/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/Ventoy/Ventoy.c
+++ b/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/Ventoy/Ventoy.c
@@ -1231,65 +1231,6 @@ EFI_STATUS EFIAPI ventoy_boot(IN EFI_HANDLE ImageHandle)
 return EFI_SUCCESS;
 }
 
-#if defined (MDE_CPU_X64)
-
-STATIC BOOLEAN EFIAPI IsSecureBootEnabled(VOID)
-{
- UINT8 SecureBoot = 0;
- UINTN DataSize;
- EFI_STATUS Status;
-
- DataSize = sizeof(SecureBoot);
- Status = gST->RuntimeServices->GetVariable(L"SecureBoot", &gEfiGlobalVariableGuid, NULL,
- &DataSize, &SecureBoot);
- if (EFI_ERROR(Status))
- {
- return FALSE;
- }
-
- return SecureBoot ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI IsSetupMode(VOID)
-{
- UINT8 SetupMode = 0;
- UINTN DataSize;
- EFI_STATUS Status;
-
- DataSize = sizeof(SetupMode);
- Status = gST->RuntimeServices->GetVariable(L"SetupMode", &gEfiGlobalVariableGuid, NULL,
- &DataSize, &SetupMode);
- if (EFI_ERROR(Status))
- {
- return FALSE;
- }
-
- return SetupMode ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI CheckVtoyShim(VOID)
-{
- EFI_STATUS Status;
- EFI_GUID Guid = VTOY_SHIM_POLICY_GUID;
- VOID *Prot = NULL;
-
- /* If secure boot is not enabled or in SetupMode, nothing needed */
- if (!IsSecureBootEnabled() || IsSetupMode())
- {
- return TRUE;
- }
-
- Status = gBS->LocateProtocol(&Guid, NULL, (VOID**)&Prot);
- if (EFI_ERROR(Status))
- {
- VtoyDebug("Failed to locate Vtoy Shim Protocol %lx\r\n", Status);
- return FALSE;
- }
-
- return TRUE;
-}
-#endif
-
 EFI_STATUS EFIAPI VentoyEfiMain
 (
 IN EFI_HANDLE ImageHandle,
@@ -1299,15 +1240,6 @@ EFI_STATUS EFIAPI VentoyEfiMain
 EFI_STATUS Status = EFI_SUCCESS;
 EFI_SIMPLE_TEXT_INPUT_EX_PROTOCOL *Protocol;
 
-#if defined (MDE_CPU_X64)
- /* check that Ventoy Shim must exist */
- if (!CheckVtoyShim())
- {
- sleep(5);
- return EFI_NOT_FOUND;
- }
-#endif
-
 g_sector_flag_num = 512; /* initial value */
 g_sector_flag = AllocatePool(g_sector_flag_num * sizeof(ventoy_sector_flag));
diff --git a/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyUtil/VtoyUtil.c b/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyUtil/VtoyUtil.c
index cfaf43f8..9b1b14a3 100644
--- a/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyUtil/VtoyUtil.c
+++ b/EDK2/edk2_mod/edk2-edk2-stable201911/MdeModulePkg/Application/VtoyUtil/VtoyUtil.c
@@ -145,66 +145,6 @@ STATIC EFI_STATUS ParseCmdline(IN EFI_HANDLE ImageHandle)
 return EFI_SUCCESS;
 }
 
-#if defined (MDE_CPU_X64)
-
-STATIC BOOLEAN EFIAPI IsSecureBootEnabled(VOID)
-{
- UINT8 SecureBoot = 0;
- UINTN DataSize;
- EFI_STATUS Status;
-
- DataSize = sizeof(SecureBoot);
- Status = gST->RuntimeServices->GetVariable(L"SecureBoot", &gEfiGlobalVariableGuid, NULL,
- &DataSize, &SecureBoot);
- if (EFI_ERROR(Status))
- {
- return FALSE;
- }
-
- return SecureBoot ? TRUE : FALSE;
-}
-
-STATIC BOOLEAN EFIAPI IsSetupMode(VOID)
-{
- UINT8 SetupMode = 0;
- UINTN DataSize;
- EFI_STATUS Status;
-
- DataSize = sizeof(SetupMode);
- Status = gST->RuntimeServices->GetVariable(L"SetupMode", &gEfiGlobalVariableGuid, NULL,
- &DataSize, &SetupMode);
- if (EFI_ERROR(Status))
- {
- return FALSE;
- }
-
- return SetupMode ? TRUE : FALSE;
-}
-
-
-STATIC BOOLEAN EFIAPI CheckVtoyShim(VOID)
-{
- EFI_STATUS Status;
- EFI_GUID Guid = VTOY_SHIM_POLICY_GUID;
- VOID *Prot = NULL;
-
- /* If secure boot is not enabled or in SetupMode, nothing needed */
- if (!IsSecureBootEnabled() || IsSetupMode())
- {
- return TRUE;
- }
-
- Status = gBS->LocateProtocol(&Guid, NULL, (VOID**)&Prot);
- if (EFI_ERROR(Status))
- {
- gST->ConOut->OutputString(gST->ConOut, L"Can not locate Vtoy Shim\r\n");
- return FALSE;
- }
-
- return TRUE;
-}
-#endif
-
 EFI_STATUS EFIAPI VtoyUtilEfiMain
 (
 IN EFI_HANDLE ImageHandle,
@@ -214,15 +154,6 @@ EFI_STATUS EFIAPI VtoyUtilEfiMain
 UINTN i;
 UINTN Len;
 
-#if defined (MDE_CPU_X64)
- /* check that Ventoy Shim must exist */
- if (!CheckVtoyShim())
- {
- gBS->Stall(5 * 1000000);
- return EFI_NOT_FOUND;
- }
-#endif
-
 ParseCmdline(ImageHandle);

 for (i = 0; gCurFeature && i < ARRAY_SIZE(gFeatureList); i++)
diff --git a/GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy.c b/GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy.c
index 2f8c5b2e..f48c68df 100644
--- a/GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy.c
+++ b/GRUB2/MOD_SRC/grub-2.04/grub-core/ventoy/ventoy.c
@@ -418,28 +418,24 @@ static int ventoy_secure_boot_init(void)
 }
 
- /*
- * When SecureBoot enabled, Ventoy grub must be launched by Ventoy Shim.
- * Currently only x86_64 support this feature.
- */
 if (g_ventoy_plat_data == VTOY_PLAT_X86_64_UEFI)
 {
 g_vtoy_shim = grub_efi_locate_protocol(&ProtGuid, NULL);
 if (g_vtoy_shim == NULL || g_vtoy_shim->ByPassSB == NULL || g_vtoy_shim->CheckSB == NULL || g_vtoy_shim->Launched == NULL)
 {
- grub_cls();
- grub_printf(VTOY_WARNING"\n");
- grub_printf(VTOY_WARNING"\n");
- grub_printf(VTOY_WARNING"\n\n\n");
-
- grub_printf("Ventoy grub is not launched by Ventoy shim.\n\n");
- grub_refresh();
-
- ventoy_prompt_end();
+ /*
+ * Generally when SecureBoot enabled, Ventoy grub must be launched by Ventoy Shim.
+ * But there are some exceptions:
+ * 1. Ventoy key was enrolled directly to the UEFI DB
+ * 2. Some UEFI firmware (MSI) has Image Execution Policy as Always Execute which
+ * means Secure Boot is effectively disabled.
+ */
+ }
+ else
+ {
+ g_vtoy_shim->Launched();
 }
-
- g_vtoy_shim->Launched();
 }
 
 return 0;
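Review bot: The new comment-only branch leaves `g_vtoy_shim` in an inconsistent state when the protocol is located but one of its `ByPassSB`, `CheckSB` or `Launched` members is NULL: the pointer stays non-NULL while the else branch is skipped, so any later code that tests only `g_vtoy_shim != NULL` before calling a member would dereference a NULL function pointer. Reset the pointer in that branch so callers have a single sentinel, and record the condition at debug level since the previous warning screen is gone: `g_vtoy_shim = NULL;` followed by `grub_dprintf("ventoy", "Ventoy shim protocol not found or incomplete, continuing without it\n");`. The two exception cases named in the comment cannot be told apart here from a grub image launched outside the shim, so the comment should also state that the shim-based checks are now best-effort on this path; I cannot see the callers of `g_vtoy_shim` from this hunk. ventoy_secure_boot_init begins before the hunk.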