From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 19 Feb 2021 10:33:54 +0100
Subject: [PATCH] kern: Add lockdown support
When the GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting an untrusted system.
To prevent that situation, allow GRUB to be locked down. That way the code
may check if GRUB has been locked down and further restrict the commands
that are registered or what subset of their functionality could be used.
The lockdown support adds the following components:
* The grub_lockdown() function which can be used to lockdown GRUB if,
e.g., UEFI Secure Boot is enabled.
* The grub_is_lockdown() function which can be used to check if the GRUB
was locked down.
* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
verifiers. These files are only successfully verified if another registered
verifier returns success. Otherwise, the whole verification process fails.
For example, PE/COFF binaries verification can be done by the shim_lock
verifier which validates the signatures using the shim_lock protocol.
However, the verification is not deferred directly to the shim_lock verifier.
The shim_lock verifier is hooked into the verification process instead.
* A set of grub_{command,extcmd}_lockdown functions that can be used by
code registering command handlers, to only register unsafe commands if
the GRUB has not been locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/Makefile.core.def | 1 +
grub-core/commands/extcmd.c | 23 +++++++++++
grub-core/kern/command.c | 24 ++++++++++++
grub-core/kern/lockdown.c | 93 +++++++++++++++++++++++++++++++++++++++++++++
include/grub/command.h | 5 +++
include/grub/extcmd.h | 7 ++++
include/grub/lockdown.h | 44 +++++++++++++++++++++
conf/Makefile.common | 2 +
docs/grub-dev.texi | 27 +++++++++++++
docs/grub.texi | 8 ++++
grub-core/Makefile.am | 5 ++-
11 files changed, 238 insertions(+), 1 deletion(-)
create mode 100644 grub-core/kern/lockdown.c
create mode 100644 include/grub/lockdown.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
|
|
f6e916 |
index 8914083d1..02fbecd4b 100644
|
|
|
468bd4 |
--- a/grub-core/Makefile.core.def
|
|
|
468bd4 |
+++ b/grub-core/Makefile.core.def
|
|
|
468bd4 |
@@ -197,6 +197,7 @@ kernel = {
|
|
|
468bd4 |
efi = term/efi/console.c;
|
|
|
468bd4 |
efi = kern/acpi.c;
|
|
|
468bd4 |
efi = kern/efi/acpi.c;
|
|
|
468bd4 |
+ efi = kern/lockdown.c;
|
|
|
468bd4 |
efi = lib/envblk.c;
|
|
|
468bd4 |
efi = kern/efi/tpm.c;
|
|
|
468bd4 |
i386_coreboot = kern/i386/pc/acpi.c;
|
|
|
468bd4 |
diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
|
|
|
f6e916 |
index 69574e2b0..90a5ca24a 100644
|
|
|
468bd4 |
--- a/grub-core/commands/extcmd.c
|
|
|
468bd4 |
+++ b/grub-core/commands/extcmd.c
|
|
|
468bd4 |
@@ -19,6 +19,7 @@
|
|
|
468bd4 |
|
|
|
468bd4 |
#include <grub/mm.h>
|
|
|
468bd4 |
#include <grub/list.h>
|
|
|
468bd4 |
+#include <grub/lockdown.h>
|
|
|
468bd4 |
#include <grub/misc.h>
|
|
|
468bd4 |
#include <grub/extcmd.h>
|
|
|
468bd4 |
#include <grub/script_sh.h>
|
|
|
468bd4 |
@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
|
|
|
468bd4 |
summary, description, parser, 1);
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
+static grub_err_t
|
|
|
468bd4 |
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
|
|
|
468bd4 |
+ int argc __attribute__ ((unused)),
|
|
|
468bd4 |
+ char **argv __attribute__ ((unused)))
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
|
|
468bd4 |
+ N_("%s: the command is not allowed when lockdown is enforced"),
|
|
|
468bd4 |
+ ctxt->extcmd->cmd->name);
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+grub_extcmd_t
|
|
|
468bd4 |
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
|
|
|
468bd4 |
+ grub_command_flags_t flags, const char *summary,
|
|
|
468bd4 |
+ const char *description,
|
|
|
468bd4 |
+ const struct grub_arg_option *parser)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
|
|
|
468bd4 |
+ func = grub_extcmd_lockdown;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ return grub_register_extcmd (name, func, flags, summary, description, parser);
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
void
|
|
|
468bd4 |
grub_unregister_extcmd (grub_extcmd_t ext)
|
|
|
468bd4 |
{
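Review bot: `grub_extcmd_lockdown` declares `ctxt` as `__attribute__ ((unused))` and then dereferences it in the `grub_error` call (`ctxt->extcmd->cmd->name`), so the attribute is wrong on that parameter and should be dropped: `grub_extcmd_lockdown (grub_extcmd_context_t ctxt,`. The same mismatch is in `grub_cmd_lockdown` in grub-core/kern/command.c, where `cmd` carries the attribute but `cmd->name` is read. Separately, `grub_register_extcmd_lockdown` decides once, at registration time, whether to swap in the denial stub, so a command registered before `grub_lockdown ()` runs keeps its real handler; that ordering requirement is worth a comment on the function, e.g. `/* Evaluated at registration: grub_lockdown () must already have been called for the denial stub to be installed. */`.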
|
|
|
468bd4 |
diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
|
|
|
f6e916 |
index acd721879..4aabcd4b5 100644
|
|
|
468bd4 |
--- a/grub-core/kern/command.c
|
|
|
468bd4 |
+++ b/grub-core/kern/command.c
|
|
|
468bd4 |
@@ -17,6 +17,7 @@
|
|
|
468bd4 |
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
468bd4 |
*/
|
|
|
468bd4 |
|
|
|
468bd4 |
+#include <grub/lockdown.h>
|
|
|
468bd4 |
#include <grub/mm.h>
|
|
|
468bd4 |
#include <grub/command.h>
|
|
|
468bd4 |
|
|
|
468bd4 |
@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
|
|
|
468bd4 |
return cmd;
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
+static grub_err_t
|
|
|
468bd4 |
+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
|
|
|
468bd4 |
+ int argc __attribute__ ((unused)),
|
|
|
468bd4 |
+ char **argv __attribute__ ((unused)))
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
|
|
468bd4 |
+ N_("%s: the command is not allowed when lockdown is enforced"),
|
|
|
468bd4 |
+ cmd->name);
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+grub_command_t
|
|
|
468bd4 |
+grub_register_command_lockdown (const char *name,
|
|
|
468bd4 |
+ grub_command_func_t func,
|
|
|
468bd4 |
+ const char *summary,
|
|
|
468bd4 |
+ const char *description)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
|
|
|
468bd4 |
+ func = grub_cmd_lockdown;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ return grub_register_command_prio (name, func, summary, description, 0);
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
void
|
|
|
468bd4 |
grub_unregister_command (grub_command_t cmd)
|
|
|
468bd4 |
{
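Review bot: There is a stray empty line between the parameter list of `grub_cmd_lockdown` and its opening brace, which no other function in this hunk has; delete it so `char **argv __attribute__ ((unused)))` is followed directly by `{`. Also, the grub-dev.texi hunk of this patch presents `grub_cmd_lockdown()` as the function that registers lockdown-restricted commands, but `grub_cmd_lockdown` is the static denial handler defined here; the registration entry points are `grub_register_command_lockdown` (this hunk, declared in include/grub/command.h) and `grub_register_extcmd_lockdown` (include/grub/extcmd.h), and both documentation items should name those instead.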
|
|
|
468bd4 |
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
|
|
|
468bd4 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..f87ddaeb1
|
|
|
468bd4 |
--- /dev/null
|
|
|
468bd4 |
+++ b/grub-core/kern/lockdown.c
|
|
|
468bd4 |
@@ -0,0 +1,93 @@
|
|
|
468bd4 |
+/*
|
|
|
468bd4 |
+ * GRUB -- GRand Unified Bootloader
|
|
|
468bd4 |
+ * Copyright (C) 2020 Free Software Foundation, Inc.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * GRUB is free software: you can redistribute it and/or modify
|
|
|
468bd4 |
+ * it under the terms of the GNU General Public License as published by
|
|
|
468bd4 |
+ * the Free Software Foundation, either version 3 of the License, or
|
|
|
468bd4 |
+ * (at your option) any later version.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * GRUB is distributed in the hope that it will be useful,
|
|
|
468bd4 |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
468bd4 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
468bd4 |
+ * GNU General Public License for more details.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * You should have received a copy of the GNU General Public License
|
|
|
468bd4 |
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ */
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+#include <grub/dl.h>
|
|
|
468bd4 |
+#include <grub/file.h>
|
|
|
468bd4 |
+#include <grub/lockdown.h>
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+/* There is no verifier framework in grub 2.02 */
|
|
|
468bd4 |
+#if 0
|
|
|
468bd4 |
+#include <grub/verify.h>
|
|
|
468bd4 |
+#endif
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+static int lockdown = GRUB_LOCKDOWN_DISABLED;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+/* There is no verifier framework in grub 2.02 */
|
|
|
468bd4 |
+#if 0
|
|
|
468bd4 |
+static grub_err_t
|
|
|
468bd4 |
+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
|
|
|
468bd4 |
+ enum grub_file_type type,
|
|
|
468bd4 |
+ void **context __attribute__ ((unused)),
|
|
|
468bd4 |
+ enum grub_verify_flags *flags)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ switch (type & GRUB_FILE_TYPE_MASK)
|
|
|
468bd4 |
+ {
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_BSD_KERNEL:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_XNU_KERNEL:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_NTLDR:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_TRUECRYPT:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_FREEDOS:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_PXECHAINLOADER:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_PCCHAINLOADER:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
|
|
468bd4 |
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
|
|
468bd4 |
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ /* Fall through. */
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ default:
|
|
|
468bd4 |
+ return GRUB_ERR_NONE;
|
|
|
468bd4 |
+ }
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+struct grub_file_verifier lockdown_verifier =
|
|
|
468bd4 |
+ {
|
|
|
468bd4 |
+ .name = "lockdown_verifier",
|
|
|
468bd4 |
+ .init = lockdown_verifier_init,
|
|
|
468bd4 |
+ };
|
|
|
468bd4 |
+#endif
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+void
|
|
|
468bd4 |
+grub_lockdown (void)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ lockdown = GRUB_LOCKDOWN_ENABLED;
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+ /*
|
|
|
468bd4 |
+ * XXX: The lockdown verifier doesn't make sense until
|
|
|
468bd4 |
+ * GRUB has moved to the shim_lock verifier.
|
|
|
468bd4 |
+ */
|
|
|
468bd4 |
+#if 0
|
|
|
468bd4 |
+ grub_verifier_register (&lockdown_verifier);
|
|
|
468bd4 |
+#endif
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+int
|
|
|
468bd4 |
+grub_is_lockdown (void)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ return lockdown;
|
|
|
468bd4 |
+}
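Review bot: The file should say up front that the lockdown verifier is compiled out in this tree, because the commit description presents the verifier as part of the change while here `lockdown_verifier_init`, the `grub_file_verifier` object and the `grub_verifier_register` call are all under `#if 0` ("There is no verifier framework in grub 2.02"). As committed, `grub_lockdown ()` only sets the flag consulted by `grub_register_command_lockdown`/`grub_register_extcmd_lockdown`; nothing in this file defers authentication of kernels, modules, device trees or ACPI tables, and a reader who trusts the description would assume it does. A header comment such as `/* Backport note: this tree has no verifier framework, so lockdown only restricts command registration; the verifier below is compiled out (#if 0). */` would close that gap. The `<grub/dl.h>` and `<grub/file.h>` includes appear to be needed only by the disabled verifier code and could move under the same `#if 0` as `<grub/verify.h>`. Finally, `lockdown` is only ever written in `grub_lockdown ()` and never cleared, which is the right property for a security latch; a one-line comment on the static (`/* One-way latch: nothing resets this once set. */`) would keep it that way on purpose.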
|
|
|
468bd4 |
diff --git a/include/grub/command.h b/include/grub/command.h
|
|
|
f6e916 |
index eee4e847e..2a6f7f846 100644
|
|
|
468bd4 |
--- a/include/grub/command.h
|
|
|
468bd4 |
+++ b/include/grub/command.h
|
|
|
468bd4 |
@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
|
|
|
468bd4 |
const char *summary,
|
|
|
468bd4 |
const char *description,
|
|
|
468bd4 |
int prio);
|
|
|
468bd4 |
+grub_command_t
|
|
|
468bd4 |
+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
|
|
|
468bd4 |
+ grub_command_func_t func,
|
|
|
468bd4 |
+ const char *summary,
|
|
|
468bd4 |
+ const char *description);
|
|
|
468bd4 |
void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
|
|
|
468bd4 |
|
|
|
468bd4 |
static inline grub_command_t
|
|
|
468bd4 |
diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
|
|
|
f6e916 |
index 19fe59266..fe9248b8b 100644
|
|
|
468bd4 |
--- a/include/grub/extcmd.h
|
|
|
468bd4 |
+++ b/include/grub/extcmd.h
|
|
|
468bd4 |
@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
|
|
|
468bd4 |
const char *description,
|
|
|
468bd4 |
const struct grub_arg_option *parser);
|
|
|
468bd4 |
|
|
|
468bd4 |
+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
|
|
|
468bd4 |
+ grub_extcmd_func_t func,
|
|
|
468bd4 |
+ grub_command_flags_t flags,
|
|
|
468bd4 |
+ const char *summary,
|
|
|
468bd4 |
+ const char *description,
|
|
|
468bd4 |
+ const struct grub_arg_option *parser);
|
|
|
468bd4 |
+
|
|
|
468bd4 |
grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
|
|
|
468bd4 |
grub_extcmd_func_t func,
|
|
|
468bd4 |
grub_command_flags_t flags,
|
|
|
468bd4 |
diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
|
|
|
468bd4 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..40531fa82
|
|
|
468bd4 |
--- /dev/null
|
|
|
468bd4 |
+++ b/include/grub/lockdown.h
|
|
|
468bd4 |
@@ -0,0 +1,44 @@
|
|
|
468bd4 |
+/*
|
|
|
468bd4 |
+ * GRUB -- GRand Unified Bootloader
|
|
|
468bd4 |
+ * Copyright (C) 2020 Free Software Foundation, Inc.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * GRUB is free software: you can redistribute it and/or modify
|
|
|
468bd4 |
+ * it under the terms of the GNU General Public License as published by
|
|
|
468bd4 |
+ * the Free Software Foundation, either version 3 of the License, or
|
|
|
468bd4 |
+ * (at your option) any later version.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * GRUB is distributed in the hope that it will be useful,
|
|
|
468bd4 |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
468bd4 |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
468bd4 |
+ * GNU General Public License for more details.
|
|
|
468bd4 |
+ *
|
|
|
468bd4 |
+ * You should have received a copy of the GNU General Public License
|
|
|
468bd4 |
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
468bd4 |
+ */
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+#ifndef GRUB_LOCKDOWN_H
|
|
|
468bd4 |
+#define GRUB_LOCKDOWN_H 1
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+#include <grub/symbol.h>
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+#define GRUB_LOCKDOWN_DISABLED 0
|
|
|
468bd4 |
+#define GRUB_LOCKDOWN_ENABLED 1
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+#ifdef GRUB_MACHINE_EFI
|
|
|
468bd4 |
+extern void
|
|
|
468bd4 |
+EXPORT_FUNC (grub_lockdown) (void);
|
|
|
468bd4 |
+extern int
|
|
|
468bd4 |
+EXPORT_FUNC (grub_is_lockdown) (void);
|
|
|
468bd4 |
+#else
|
|
|
468bd4 |
+static inline void
|
|
|
468bd4 |
+grub_lockdown (void)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+static inline int
|
|
|
468bd4 |
+grub_is_lockdown (void)
|
|
|
468bd4 |
+{
|
|
|
468bd4 |
+ return GRUB_LOCKDOWN_DISABLED;
|
|
|
468bd4 |
+}
|
|
|
468bd4 |
+#endif
|
|
|
468bd4 |
+#endif /* ! GRUB_LOCKDOWN_H */
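Review bot: The platform split is undocumented: outside `GRUB_MACHINE_EFI` the header substitutes inline stubs in which `grub_is_lockdown ()` always returns `GRUB_LOCKDOWN_DISABLED`, so on every non-EFI build the `grub_register_*_lockdown` helpers install the real handler and nothing is ever restricted. That is consistent with grub-core/Makefile.core.def building kern/lockdown.c for `efi` only, but a reader of the header alone cannot tell whether this is deliberate scope or a gap. A comment above the `#ifdef`, e.g. `/* Lockdown is implemented only on EFI (kern/lockdown.c); other platforms get no-op stubs and are never locked down. */`, would make the scope explicit. The two `#define`s could likewise carry a note that they are the only values `grub_is_lockdown ()` returns.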
|
|
|
468bd4 |
diff --git a/conf/Makefile.common b/conf/Makefile.common
|
|
|
f6e916 |
index b93879804..521cdda1f 100644
|
|
|
468bd4 |
--- a/conf/Makefile.common
|
|
|
468bd4 |
+++ b/conf/Makefile.common
|
|
|
468bd4 |
@@ -85,7 +85,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
|
|
|
468bd4 |
CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
|
|
|
468bd4 |
CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
|
|
|
468bd4 |
diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
|
|
|
f6e916 |
index 3ce827ab7..421dd410e 100644
|
|
|
468bd4 |
--- a/docs/grub-dev.texi
|
|
|
468bd4 |
+++ b/docs/grub-dev.texi
|
|
|
468bd4 |
@@ -84,6 +84,7 @@ This edition documents version @value{VERSION}.
|
|
|
468bd4 |
* Video Subsystem::
|
|
|
468bd4 |
* PFF2 Font File Format::
|
|
|
468bd4 |
* Graphical Menu Software Design::
|
|
|
468bd4 |
+* Lockdown framework::
|
|
|
468bd4 |
* Copying This Manual:: Copying This Manual
|
|
|
468bd4 |
* Index::
|
|
|
468bd4 |
@end menu
|
|
|
468bd4 |
@@ -1949,6 +1950,32 @@ the graphics mode that was in use before @code{grub_video_setup()} was called
|
|
|
468bd4 |
might fix some of the problems.
|
|
|
468bd4 |
|
|
|
468bd4 |
|
|
|
468bd4 |
+@node Lockdown framework
|
|
|
468bd4 |
+@chapter Lockdown framework
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+The GRUB can be locked down, which is a restricted mode where some operations
|
|
|
468bd4 |
+are not allowed. For instance, some commands cannot be used when the GRUB is
|
|
|
468bd4 |
+locked down.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+The function
|
|
|
468bd4 |
+@code{grub_lockdown()} is used to lockdown GRUB and the function
|
|
|
468bd4 |
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
|
|
|
468bd4 |
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
|
|
|
468bd4 |
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+The following functions can be used to register the commands that can only be
|
|
|
468bd4 |
+used when lockdown is disabled:
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+@itemize
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
|
|
|
468bd4 |
+GRUB is in lockdown mode.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
|
|
|
468bd4 |
+when the GRUB is in lockdown mode.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+@end itemize
|
|
|
468bd4 |
+
|
|
|
468bd4 |
@node Copying This Manual
|
|
|
468bd4 |
@appendix Copying This Manual
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
|
f6e916 |
index 97f0f47e0..f957535db 100644
|
|
|
468bd4 |
--- a/docs/grub.texi
|
|
|
468bd4 |
+++ b/docs/grub.texi
|
|
|
468bd4 |
@@ -5687,6 +5687,7 @@ environment variables and commands are listed in the same order.
|
|
|
468bd4 |
* Using GPG-style digital signatures:: Booting digitally signed code
|
|
|
468bd4 |
* Using appended signatures:: An alternative approach to booting digitally signed code
|
|
|
468bd4 |
* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
|
|
468bd4 |
+* Lockdown:: Lockdown when booting on a secure setup
|
|
|
468bd4 |
@end menu
|
|
|
468bd4 |
|
|
|
468bd4 |
@node Authentication and authorisation
|
|
|
468bd4 |
@@ -5977,6 +5978,13 @@ As with UEFI secure boot, it is necessary to build in the required modules,
|
|
|
468bd4 |
or sign them separately.
|
|
|
468bd4 |
|
|
|
468bd4 |
|
|
|
468bd4 |
+@node Lockdown
|
|
|
468bd4 |
+@section Lockdown when booting on a secure setup
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+The GRUB can be locked down when booted on a secure boot environment, for example
|
|
|
468bd4 |
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
|
|
468bd4 |
+be restricted and some operations/commands cannot be executed.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
@node Platform limitations
|
|
|
468bd4 |
@chapter Platform limitations
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
|
|
f6e916 |
index 406265250..a6f1b0dcd 100644
|
|
|
468bd4 |
--- a/grub-core/Makefile.am
|
|
|
468bd4 |
+++ b/grub-core/Makefile.am
|
|
|
468bd4 |
@@ -82,6 +82,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
|
|
|
468bd4 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
|
|
|
468bd4 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
|
|
|
468bd4 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
|
|
|
468bd4 |
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
|
|
|
468bd4 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
|
|
|
468bd4 |
if COND_emu
|
|
|
468bd4 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
|
|
|
468bd4 |
@@ -350,8 +351,10 @@ command.lst: $(MARKER_FILES)
|
|
|
468bd4 |
b=`basename $$pp .marker`; \
|
|
|
468bd4 |
sed -n \
|
|
|
468bd4 |
-e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
|
|
468bd4 |
+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
|
|
468bd4 |
-e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
|
|
|
468bd4 |
- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
|
|
|
468bd4 |
+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
|
|
|
468bd4 |
+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
|
|
|
468bd4 |
done) | sort -u > $@
|
|
|
468bd4 |
platform_DATA += command.lst
|
|
|
468bd4 |
CLEANFILES += command.lst
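Review bot: The position of the new `COMMAND_LOCKDOWN_LIST_MARKER` expression at the end of the `sed` script is load-bearing but unexplained: `sed` runs the `-e` scripts in order on the same pattern space, and that regex is a substring match of `EXTCOMMAND_LOCKDOWN_LIST_MARKER`, so a locked-down extcmd is listed once only because the `EXTCOMMAND_LOCKDOWN_LIST_MARKER` script runs first and its `s///` rewrites the line before the later pattern is tried. Moving the generic pattern ahead of the specific one would print both `*name: module` and `name: module` for such a command. This mirrors the existing `EXTCOMMAND_LIST_MARKER`/`COMMAND_LIST_MARKER` pair, and the `command.lst` recipe begins before this hunk. A make comment above the rule, e.g. `# Order matters: the specific EXTCOMMAND*/COMMAND_LOCKDOWN patterns must precede the generic COMMAND pattern; later -e scripts see the already-substituted line.`, would protect against a careless reorder.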
|