Blame SOURCES/0008-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch

5593c8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
5593c8
From: Peter Jones <pjones@redhat.com>
5593c8
Date: Tue, 6 Oct 2015 16:09:25 -0400
5593c8
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
5593c8
 boot.
5593c8
5593c8
Here "honor" means that even if somebody does link one of these loaders into the
5593c8
image, it will not register its commands when Secure Boot is enabled.
5593c8
5593c8
Signed-off-by: Peter Jones <pjones@redhat.com>
5593c8
---
5593c8
 grub-core/commands/iorw.c          |  7 +++++++
5593c8
 grub-core/commands/memrw.c         |  7 +++++++
5593c8
 grub-core/kern/dl.c                |  3 ++-
5593c8
 grub-core/kern/efi/efi.c           | 34 ----------------------------------
5593c8
 grub-core/loader/efi/appleloader.c |  7 +++++++
5593c8
 grub-core/loader/efi/chainloader.c |  1 +
5593c8
 grub-core/loader/i386/bsd.c        |  7 +++++++
5593c8
 grub-core/loader/i386/linux.c      |  7 +++++++
5593c8
 grub-core/loader/i386/pc/linux.c   |  7 +++++++
5593c8
 grub-core/loader/multiboot.c       |  7 +++++++
5593c8
 grub-core/loader/xnu.c             |  7 +++++++
5593c8
 include/grub/efi/efi.h             |  1 -
5593c8
 include/grub/ia64/linux.h          |  0
5593c8
 include/grub/mips/linux.h          |  0
5593c8
 include/grub/powerpc/linux.h       |  0
5593c8
 include/grub/sparc64/linux.h       |  0
5593c8
 16 files changed, 59 insertions(+), 36 deletions(-)
5593c8
 create mode 100644 include/grub/ia64/linux.h
5593c8
 create mode 100644 include/grub/mips/linux.h
5593c8
 create mode 100644 include/grub/powerpc/linux.h
5593c8
 create mode 100644 include/grub/sparc64/linux.h
5593c8
5593c8
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
5593c8
index 584baec8f91..7b2999b14b5 100644
5593c8
--- a/grub-core/commands/iorw.c
5593c8
+++ b/grub-core/commands/iorw.c
5593c8
@@ -24,6 +24,7 @@
5593c8
 #include <grub/cpu/io.h>
5593c8
 #include <grub/i18n.h>
5593c8
 #include <grub/lockdown.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -119,6 +120,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
5593c8
 
5593c8
 GRUB_MOD_INIT(memrw)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_read_byte =
5593c8
     grub_register_extcmd ("inb", grub_cmd_read, 0,
5593c8
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
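Review bot: The early return in GRUB_MOD_INIT(memrw) carries no comment, and because it returns before any grub_register_extcmd the module loads successfully but exposes nothing, so a config author later sees only a "can't find command" error with no hint that Secure Boot is the cause. Add a why-comment above the check, e.g. `/* Raw port I/O would let a config script subvert the Secure Boot chain; register no commands when SB is enabled.  */`, and consider a `grub_dprintf ("secureboot", "iorw: commands disabled under Secure Boot\n");` before the return so the no-op is discoverable. The module is named memrw in this file even though it is iorw.c; that predates the patch, but it is worth remembering when reading any debug output.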
5593c8
@@ -147,6 +151,9 @@ GRUB_MOD_INIT(memrw)
5593c8
 
5593c8
 GRUB_MOD_FINI(memrw)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_extcmd (cmd_read_byte);
5593c8
   grub_unregister_extcmd (cmd_read_word);
5593c8
   grub_unregister_extcmd (cmd_read_dword);
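Review bot: GRUB_MOD_FINI(memrw) decides whether to unregister by re-querying Secure Boot state instead of checking whether anything was registered, so the cleanup is only correct if grub_efi_get_secureboot () returns the same answer it gave in GRUB_MOD_INIT; if a variable read fails on one of the two calls, grub_unregister_extcmd would be handed NULL handles, and nothing in the hunk shows it tolerates that. A guard that cannot drift from the init path is `if (!cmd_read_byte) return;` (or a static flag set at the end of a successful init). The same re-query pattern is used in every GRUB_MOD_FINI this patch touches.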
5593c8
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
5593c8
index d401a6db0ef..39cf3a06dbd 100644
5593c8
--- a/grub-core/commands/memrw.c
5593c8
+++ b/grub-core/commands/memrw.c
5593c8
@@ -23,6 +23,7 @@
5593c8
 #include <grub/env.h>
5593c8
 #include <grub/i18n.h>
5593c8
 #include <grub/lockdown.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -121,6 +122,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
5593c8
 
5593c8
 GRUB_MOD_INIT(memrw)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_read_byte =
5593c8
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
5593c8
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
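Review bot: This file already includes <grub/lockdown.h>, so memrw evidently takes part in the lockdown mechanism as well, and the hunk adds a second, independent gate that consults Secure Boot directly; the two policies can now diverge, e.g. a build whose lockdown is driven by something other than the EFI SecureBoot variable would still get `read_byte` and friends, while an SB boot loses even the read-only commands that lockdown apparently leaves available. If the intent is "no raw memory access whenever GRUB is locked down", deriving this check from the lockdown state (presumably `grub_is_lockdown ()` in this tree — confirm the name) keeps one source of truth; if SB is deliberately stricter than lockdown, a comment saying so would stop the next reader from "simplifying" it away. Either way the bare early return deserves a one-line why-comment, e.g. `/* Arbitrary memory reads and writes bypass Secure Boot; expose nothing when SB is on.  */`.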
5593c8
@@ -149,6 +153,9 @@ GRUB_MOD_INIT(memrw)
5593c8
 
5593c8
 GRUB_MOD_FINI(memrw)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_extcmd (cmd_read_byte);
5593c8
   grub_unregister_extcmd (cmd_read_word);
5593c8
   grub_unregister_extcmd (cmd_read_dword);
5593c8
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
5593c8
index b7149370950..7afb9e6f724 100644
5593c8
--- a/grub-core/kern/dl.c
5593c8
+++ b/grub-core/kern/dl.c
5593c8
@@ -32,6 +32,7 @@
5593c8
 #include <grub/env.h>
5593c8
 #include <grub/cache.h>
5593c8
 #include <grub/i18n.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 /* Platforms where modules are in a readonly area of memory.  */
5593c8
 #if defined(GRUB_MACHINE_QEMU)
5593c8
@@ -704,7 +705,7 @@ grub_dl_load_file (const char *filename)
5593c8
   grub_dl_t mod = 0;
5593c8
 
5593c8
 #ifdef GRUB_MACHINE_EFI
5593c8
-  if (grub_efi_secure_boot ())
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
     {
5593c8
 #if 0
5593c8
       /* This is an error, but grub2-mkconfig still generates a pile of
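Review bot: The replacement test in grub_dl_load_file only rejects the ENABLED state, so any other value grub_efi_get_secureboot () can return (an unknown or unset state, if sb.h defines one — the header is not in this patch) falls through to loading the module as though Secure Boot were off, i.e. the unsigned-module gate fails open precisely when the firmware variables could not be read. For this call site, which decides whether unsigned modules may be loaded, prefer failing closed: `if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_DISABLED)`, treating anything but a positive "disabled" as locked down. The visible context also shows the error branch wrapped in `#if 0` for grub2-mkconfig's sake; the rest of grub_dl_load_file, including what actually happens under SB, lies outside this hunk.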
5593c8
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
5593c8
index 4a2259aa1c7..8cff7be0289 100644
5593c8
--- a/grub-core/kern/efi/efi.c
5593c8
+++ b/grub-core/kern/efi/efi.c
5593c8
@@ -286,40 +286,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
5593c8
   return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);
5593c8
 }
5593c8
 
5593c8
-grub_efi_boolean_t
5593c8
-grub_efi_secure_boot (void)
5593c8
-{
5593c8
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
5593c8
-  grub_size_t datasize;
5593c8
-  char *secure_boot = NULL;
5593c8
-  char *setup_mode = NULL;
5593c8
-  grub_efi_boolean_t ret = 0;
5593c8
-
5593c8
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
5593c8
-  if (datasize != 1 || !secure_boot)
5593c8
-    {
5593c8
-      grub_dprintf ("secureboot", "No SecureBoot variable\n");
5593c8
-      goto out;
5593c8
-    }
5593c8
-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
5593c8
-
5593c8
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
5593c8
-  if (datasize != 1 || !setup_mode)
5593c8
-    {
5593c8
-      grub_dprintf ("secureboot", "No SetupMode variable\n");
5593c8
-      goto out;
5593c8
-    }
5593c8
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
5593c8
-
5593c8
-  if (*secure_boot && !*setup_mode)
5593c8
-    ret = 1;
5593c8
-
5593c8
- out:
5593c8
-  grub_free (secure_boot);
5593c8
-  grub_free (setup_mode);
5593c8
-  return ret;
5593c8
-}
5593c8
-
5593c8
 #pragma GCC diagnostic ignored "-Wcast-align"
5593c8
 
5593c8
 /* Search the mods section from the PE32/PE32+ image. This code uses
5593c8
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
5593c8
index 74888c463ba..585f2b57385 100644
5593c8
--- a/grub-core/loader/efi/appleloader.c
5593c8
+++ b/grub-core/loader/efi/appleloader.c
5593c8
@@ -24,6 +24,7 @@
5593c8
 #include <grub/misc.h>
5593c8
 #include <grub/efi/api.h>
5593c8
 #include <grub/efi/efi.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 #include <grub/command.h>
5593c8
 #include <grub/i18n.h>
5593c8
 
5593c8
@@ -227,6 +228,9 @@ static grub_command_t cmd;
5593c8
 
5593c8
 GRUB_MOD_INIT(appleloader)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
5593c8
 			       N_("[OPTS]"),
5593c8
 			       /* TRANSLATORS: This command is used on EFI to
5593c8
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
5593c8
 
5593c8
 GRUB_MOD_FINI(appleloader)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_command (cmd);
5593c8
 }
5593c8
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
5593c8
index b54cf6986fc..3ff305b1d32 100644
5593c8
--- a/grub-core/loader/efi/chainloader.c
5593c8
+++ b/grub-core/loader/efi/chainloader.c
5593c8
@@ -34,6 +34,7 @@
5593c8
 #include <grub/efi/disk.h>
5593c8
 #include <grub/efi/pe32.h>
5593c8
 #include <grub/efi/linux.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 #include <grub/command.h>
5593c8
 #include <grub/i18n.h>
5593c8
 #include <grub/net.h>
5593c8
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
5593c8
index 5f3290ce17b..54befc26626 100644
5593c8
--- a/grub-core/loader/i386/bsd.c
5593c8
+++ b/grub-core/loader/i386/bsd.c
5593c8
@@ -40,6 +40,7 @@
5593c8
 #ifdef GRUB_MACHINE_PCBIOS
5593c8
 #include <grub/machine/int.h>
5593c8
 #endif
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -2137,6 +2138,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
5593c8
 
5593c8
 GRUB_MOD_INIT (bsd)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   /* Net and OpenBSD kernels are often compressed.  */
5593c8
   grub_dl_load ("gzio");
5593c8
 
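Review bot: bsd is not an EFI-only module — the `#ifdef GRUB_MACHINE_PCBIOS` include a few lines above shows it is built for BIOS targets too — yet `#include <grub/efi/sb.h>` and the grub_efi_get_secureboot () call are added unconditionally, so this only links if sb.h supplies a non-EFI fallback (presumably one that never reports ENABLED); that header is not in the patch, so please confirm, since a missing fallback would break i386-pc builds rather than merely disable commands. If the fallback exists, a comment such as `/* No-op on non-EFI platforms: grub_efi_get_secureboot () never reports ENABLED there.  */` above the check would save the next reader the same trip. Note also that the early return now skips `grub_dl_load ("gzio")`, which is harmless here but means nothing in the init path runs under SB.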
5593c8
@@ -2176,6 +2180,9 @@ GRUB_MOD_INIT (bsd)
5593c8
 
5593c8
 GRUB_MOD_FINI (bsd)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_extcmd (cmd_freebsd);
5593c8
   grub_unregister_extcmd (cmd_openbsd);
5593c8
   grub_unregister_extcmd (cmd_netbsd);
5593c8
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
5593c8
index dccf3bb3005..4aeb0e4b9a6 100644
5593c8
--- a/grub-core/loader/i386/linux.c
5593c8
+++ b/grub-core/loader/i386/linux.c
5593c8
@@ -37,6 +37,7 @@
5593c8
 #include <grub/linux.h>
5593c8
 #include <grub/machine/kernel.h>
5593c8
 #include <grub/safemath.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -1138,6 +1139,9 @@ static grub_command_t cmd_linux, cmd_initrd;
5593c8
 
5593c8
 GRUB_MOD_INIT(linux)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
5593c8
 				     0, N_("Load Linux."));
5593c8
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
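Review bot: Under Secure Boot GRUB_MOD_INIT(linux) now registers neither `linux` nor `initrd`, so a generated grub.cfg that uses those commands fails with an unexplained "can't find command" unless some other module registers them on EFI; the hunk does not say which module is expected to do that (presumably this tree's EFI linux loader, given that chainloader.c includes <grub/efi/linux.h>), and a reader has to infer it. Put the contract in a comment above the check — why this path is excluded (presumably because it performs no signature verification of the kernel image) and which module provides `linux`/`initrd` under SB instead — e.g. `/* Not reachable under Secure Boot; the EFI loader registers linux/initrd there.  */`, adjusted to name whatever actually takes over.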
5593c8
@@ -1147,6 +1151,9 @@ GRUB_MOD_INIT(linux)
5593c8
 
5593c8
 GRUB_MOD_FINI(linux)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_command (cmd_linux);
5593c8
   grub_unregister_command (cmd_initrd);
5593c8
 }
5593c8
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
5593c8
index 4b1750e360e..e3fa1221e81 100644
5593c8
--- a/grub-core/loader/i386/pc/linux.c
5593c8
+++ b/grub-core/loader/i386/pc/linux.c
5593c8
@@ -36,6 +36,7 @@
5593c8
 #include <grub/lib/cmdline.h>
5593c8
 #include <grub/linux.h>
5593c8
 #include <grub/safemath.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -487,6 +488,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
5593c8
 
5593c8
 GRUB_MOD_INIT(linux16)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_linux =
5593c8
     grub_register_command ("linux", grub_cmd_linux,
5593c8
 			   0, N_("Load Linux."));
5593c8
@@ -504,6 +508,9 @@ GRUB_MOD_INIT(linux16)
5593c8
 
5593c8
 GRUB_MOD_FINI(linux16)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_command (cmd_linux);
5593c8
   grub_unregister_command (cmd_linux16);
5593c8
   grub_unregister_command (cmd_initrd);
5593c8
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
5593c8
index facb13f3d36..47e481f4576 100644
5593c8
--- a/grub-core/loader/multiboot.c
5593c8
+++ b/grub-core/loader/multiboot.c
5593c8
@@ -50,6 +50,7 @@
5593c8
 #include <grub/video.h>
5593c8
 #include <grub/memory.h>
5593c8
 #include <grub/i18n.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -444,6 +445,9 @@ static grub_command_t cmd_multiboot, cmd_module;
5593c8
 
5593c8
 GRUB_MOD_INIT(multiboot)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_multiboot =
5593c8
 #ifdef GRUB_USE_MULTIBOOT2
5593c8
     grub_register_command ("multiboot2", grub_cmd_multiboot,
5593c8
@@ -464,6 +468,9 @@ GRUB_MOD_INIT(multiboot)
5593c8
 
5593c8
 GRUB_MOD_FINI(multiboot)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   grub_unregister_command (cmd_multiboot);
5593c8
   grub_unregister_command (cmd_module);
5593c8
 }
5593c8
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
5593c8
index 1c0cf6a430a..baa54e652ab 100644
5593c8
--- a/grub-core/loader/xnu.c
5593c8
+++ b/grub-core/loader/xnu.c
5593c8
@@ -35,6 +35,7 @@
5593c8
 #include <grub/i18n.h>
5593c8
 #include <grub/verify.h>
5593c8
 #include <grub/safemath.h>
5593c8
+#include <grub/efi/sb.h>
5593c8
 
5593c8
 GRUB_MOD_LICENSE ("GPLv3+");
5593c8
 
5593c8
@@ -1497,6 +1498,9 @@ static grub_extcmd_t cmd_splash;
5593c8
 
5593c8
 GRUB_MOD_INIT(xnu)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
5593c8
 				      N_("Load XNU image."));
5593c8
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
5593c8
@@ -1540,6 +1544,9 @@ GRUB_MOD_INIT(xnu)
5593c8
 
5593c8
 GRUB_MOD_FINI(xnu)
5593c8
 {
5593c8
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
5593c8
+    return;
5593c8
+
5593c8
 #ifndef GRUB_MACHINE_EMU
5593c8
   grub_unregister_command (cmd_resume);
5593c8
 #endif
5593c8
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
5593c8
index 6295df85f3f..585fa6662b6 100644
5593c8
--- a/include/grub/efi/efi.h
5593c8
+++ b/include/grub/efi/efi.h
5593c8
@@ -91,7 +91,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
5593c8
 				     const grub_efi_guid_t *guid,
5593c8
 				     void *data,
5593c8
 				     grub_size_t datasize);
5593c8
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
5593c8
 int
5593c8
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
5593c8
 					     const grub_efi_device_path_t *dp2);
5593c8
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
5593c8
new file mode 100644
5593c8
index 00000000000..e69de29bb2d
5593c8
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
5593c8
new file mode 100644
5593c8
index 00000000000..e69de29bb2d
5593c8
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
5593c8
new file mode 100644
5593c8
index 00000000000..e69de29bb2d
5593c8
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
5593c8
new file mode 100644
5593c8
index 00000000000..e69de29bb2d