nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Javier Martinez Canillas <javierm@redhat.com>
80913e
Date: Mon, 28 Sep 2020 20:08:29 +0200
80913e
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
80913e
80913e
If the UEFI Secure Boot is enabled then the GRUB must be locked down
80913e
to prevent executing code that can potentially be used to subvert its
80913e
verification mechanisms.
80913e
80913e
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/kern/efi/init.c | 19 +++++++++++++++++++
80913e
 1 file changed, 19 insertions(+)
80913e
80913e
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
80913e
index 79243b364a1..97bf36906a4 100644
80913e
--- a/grub-core/kern/efi/init.c
80913e
+++ b/grub-core/kern/efi/init.c
80913e
@@ -20,6 +20,8 @@
80913e
 #include <grub/efi/efi.h>
80913e
 #include <grub/efi/console.h>
80913e
 #include <grub/efi/disk.h>
80913e
+#include <grub/efi/sb.h>
80913e
+#include <grub/lockdown.h>
80913e
 #include <grub/term.h>
80913e
 #include <grub/misc.h>
80913e
 #include <grub/env.h>
80913e
@@ -93,6 +95,23 @@ grub_efi_init (void)
80913e
   /* Initialize the memory management system.  */
80913e
   grub_efi_mm_init ();
80913e
 
80913e
+  /*
80913e
+   * Lockdown the GRUB and register the shim_lock verifier
80913e
+   * if the UEFI Secure Boot is enabled.
80913e
+   */
80913e
+  if (grub_efi_secure_boot ())
80913e
+    {
80913e
+      grub_lockdown ();
80913e
+
80913e
+      /*
80913e
+       * TODO: Move GRUB to using the shim_lock verifier and
80913e
+       * enable the lockdown verifier.
80913e
+       */
80913e
+#if 0
80913e
+      grub_shim_lock_verifier_setup ();
80913e
+#endif
80913e
+    }
80913e
+
80913e
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
80913e
 	      0, 0, 0, NULL);
80913e