From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Javier Martinez Canillas <javierm@redhat.com>

Date: Tue, 2 Feb 2021 19:59:48 +0100

Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down

It may be useful for scripts to determine whether the GRUB is locked

down or not. Add the lockdown variable which is set to "y" when the GRUB

is locked down.

Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>

Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

---

 grub-core/kern/lockdown.c | 4 ++++

 docs/grub.texi            | 3 +++

 2 files changed, 7 insertions(+)

diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c

index f87ddaeb1ee..30cba7f5ea2 100644

--- a/grub-core/kern/lockdown.c

+++ b/grub-core/kern/lockdown.c

@@ -18,6 +18,7 @@

  */

 #include <grub/dl.h>

+#include <grub/env.h>

 #include <grub/file.h>

 #include <grub/lockdown.h>

@@ -84,6 +85,9 @@ grub_lockdown (void)

 #if 0

   grub_verifier_register (&lockdown_verifier);

 #endif

+

+  grub_env_set ("lockdown", "y");

+  grub_env_export ("lockdown");

 }

 int

diff --git a/docs/grub.texi b/docs/grub.texi

index cb52684367f..6f331422bd3 100644

--- a/docs/grub.texi

+++ b/docs/grub.texi

@@ -5635,6 +5635,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl

 if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will

 be restricted and some operations/commands cannot be executed.

+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.

+Otherwise it does not exit.

+

 @node Platform limitations

 @chapter Platform limitations