Blame SOURCES/0376-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch

80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Javier Martinez Canillas <javierm@redhat.com>
80913e
Date: Mon, 28 Sep 2020 20:08:33 +0200
80913e
Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
80913e
 modules list
80913e
80913e
Now the GRUB can check if it has been locked down and this can be used to
80913e
prevent executing commands that can be utilized to circumvent the UEFI
80913e
Secure Boot mechanisms. So, instead of hardcoding a list of modules that
80913e
have to be disabled, prevent the usage of commands that can be dangerous.
80913e
80913e
This not only allows the commands to be disabled on other platforms, but
80913e
also properly separate the concerns. Since the shim_lock verifier logic
80913e
should be only about preventing to run untrusted binaries and not about
80913e
defining these kind of policies.
80913e
80913e
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/commands/iorw.c  | 26 ++++++++++----------------
80913e
 grub-core/commands/memrw.c | 26 ++++++++++----------------
80913e
 2 files changed, 20 insertions(+), 32 deletions(-)
80913e
80913e
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
b32e65
index 41a7f3f04..584baec8f 100644
80913e
--- a/grub-core/commands/iorw.c
80913e
+++ b/grub-core/commands/iorw.c
80913e
@@ -23,7 +23,7 @@
80913e
 #include <grub/env.h>
80913e
 #include <grub/cpu/io.h>
80913e
 #include <grub/i18n.h>
80913e
-#include <grub/efi/sb.h>
80913e
+#include <grub/lockdown.h>
80913e
 
80913e
 GRUB_MOD_LICENSE ("GPLv3+");
80913e
 
80913e
@@ -119,9 +119,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
80913e
 
80913e
 GRUB_MOD_INIT(memrw)
80913e
 {
80913e
-  if (grub_efi_secure_boot())
80913e
-    return;
80913e
-
80913e
   cmd_read_byte =
80913e
     grub_register_extcmd ("inb", grub_cmd_read, 0,
80913e
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
80913e
@@ -135,24 +132,21 @@ GRUB_MOD_INIT(memrw)
80913e
 			  N_("PORT"), N_("Read 32-bit value from PORT."),
80913e
 			  options);
80913e
   cmd_write_byte =
80913e
-    grub_register_command ("outb", grub_cmd_write,
80913e
-			   N_("PORT VALUE [MASK]"),
80913e
-			   N_("Write 8-bit VALUE to PORT."));
80913e
+    grub_register_command_lockdown ("outb", grub_cmd_write,
80913e
+                                    N_("PORT VALUE [MASK]"),
80913e
+                                    N_("Write 8-bit VALUE to PORT."));
80913e
   cmd_write_word =
80913e
-    grub_register_command ("outw", grub_cmd_write,
80913e
-			   N_("PORT VALUE [MASK]"),
80913e
-			   N_("Write 16-bit VALUE to PORT."));
80913e
+    grub_register_command_lockdown ("outw", grub_cmd_write,
80913e
+                                    N_("PORT VALUE [MASK]"),
80913e
+                                    N_("Write 16-bit VALUE to PORT."));
80913e
   cmd_write_dword =
80913e
-    grub_register_command ("outl", grub_cmd_write,
80913e
-			   N_("ADDR VALUE [MASK]"),
80913e
-			   N_("Write 32-bit VALUE to PORT."));
80913e
+    grub_register_command_lockdown ("outl", grub_cmd_write,
80913e
+                                    N_("ADDR VALUE [MASK]"),
80913e
+                                    N_("Write 32-bit VALUE to PORT."));
80913e
 }
80913e
 
80913e
 GRUB_MOD_FINI(memrw)
80913e
 {
80913e
-  if (grub_efi_secure_boot())
80913e
-    return;
80913e
-
80913e
   grub_unregister_extcmd (cmd_read_byte);
80913e
   grub_unregister_extcmd (cmd_read_word);
80913e
   grub_unregister_extcmd (cmd_read_dword);
80913e
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
b32e65
index 088cbe9e2..d401a6db0 100644
80913e
--- a/grub-core/commands/memrw.c
80913e
+++ b/grub-core/commands/memrw.c
80913e
@@ -22,7 +22,7 @@
80913e
 #include <grub/extcmd.h>
80913e
 #include <grub/env.h>
80913e
 #include <grub/i18n.h>
80913e
-#include <grub/efi/sb.h>
80913e
+#include <grub/lockdown.h>
80913e
 
80913e
 GRUB_MOD_LICENSE ("GPLv3+");
80913e
 
80913e
@@ -121,9 +121,6 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
80913e
 
80913e
 GRUB_MOD_INIT(memrw)
80913e
 {
80913e
-  if (grub_efi_secure_boot())
80913e
-    return;
80913e
-
80913e
   cmd_read_byte =
80913e
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
80913e
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
80913e
@@ -137,24 +134,21 @@ GRUB_MOD_INIT(memrw)
80913e
 			  N_("ADDR"), N_("Read 32-bit value from ADDR."),
80913e
 			  options);
80913e
   cmd_write_byte =
80913e
-    grub_register_command ("write_byte", grub_cmd_write,
80913e
-			   N_("ADDR VALUE [MASK]"),
80913e
-			   N_("Write 8-bit VALUE to ADDR."));
80913e
+    grub_register_command_lockdown ("write_byte", grub_cmd_write,
80913e
+                                    N_("ADDR VALUE [MASK]"),
80913e
+                                    N_("Write 8-bit VALUE to ADDR."));
80913e
   cmd_write_word =
80913e
-    grub_register_command ("write_word", grub_cmd_write,
80913e
-			   N_("ADDR VALUE [MASK]"),
80913e
-			   N_("Write 16-bit VALUE to ADDR."));
80913e
+    grub_register_command_lockdown ("write_word", grub_cmd_write,
80913e
+                                    N_("ADDR VALUE [MASK]"),
80913e
+                                    N_("Write 16-bit VALUE to ADDR."));
80913e
   cmd_write_dword =
80913e
-    grub_register_command ("write_dword", grub_cmd_write,
80913e
-			   N_("ADDR VALUE [MASK]"),
80913e
-			   N_("Write 32-bit VALUE to ADDR."));
80913e
+    grub_register_command_lockdown ("write_dword", grub_cmd_write,
80913e
+                                    N_("ADDR VALUE [MASK]"),
80913e
+                                    N_("Write 32-bit VALUE to ADDR."));
80913e
 }
80913e
 
80913e
 GRUB_MOD_FINI(memrw)
80913e
 {
80913e
-  if (grub_efi_secure_boot())
80913e
-    return;
80913e
-
80913e
   grub_unregister_extcmd (cmd_read_byte);
80913e
   grub_unregister_extcmd (cmd_read_word);
80913e
   grub_unregister_extcmd (cmd_read_dword);