dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago

Blame SOURCES/0337-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 2 Feb 2021 19:59:48 +0100
Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down

It may be useful for scripts to determine whether the GRUB is locked
down or not. Add the lockdown variable which is set to "y" when the GRUB
is locked down.

Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/kern/lockdown.c | 4 ++++
 docs/grub.texi            | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index f87ddaeb1ee..30cba7f5ea2 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -18,6 +18,7 @@
  */
 
 #include <grub/dl.h>
+#include <grub/env.h>
 #include <grub/file.h>
 #include <grub/lockdown.h>
 
@@ -84,6 +85,9 @@ grub_lockdown (void)
 #if 0
   grub_verifier_register (&lockdown_verifier);
 #endif
+
+  grub_env_set ("lockdown", "y");
+  grub_env_export ("lockdown");
 }
 
 int
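Review bot: the result of grub_env_set ("lockdown", "y") at the end of grub_lockdown() is discarded, and the variable is created as an ordinary environment variable with no write hook, so a later `set lockdown=...` or `unset lockdown` in a config or script changes what every other script sees. Since the commit message offers this variable as the way for scripts to determine lockdown state, consider registering a write hook with grub_register_variable_hook() that refuses modification, and check the grub_env_set() return value so that an allocation failure does not leave a locked-down GRUB with the variable missing.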
diff --git a/docs/grub.texi b/docs/grub.texi
index cb52684367f..6f331422bd3 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5635,6 +5635,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
 if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
 be restricted and some operations/commands cannot be executed.
 
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
+Otherwise it does not exit.
+
 @node Platform limitations
 @chapter Platform limitations
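Review bot: typo in the second added line of the docs/grub.texi hunk, "Otherwise it does not exit." should read "Otherwise it does not exist." While touching this paragraph, it would help to say that the variable is exported (lockdown.c calls grub_env_export ("lockdown")) and that scripts should compare against the value @samp{y} rather than test only for presence, since the text as written documents just the one value.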