dcavalca / rpms / grub2

Forked from rpms/grub2 3 years ago

Blame SOURCES/0374-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Tue, 2 Feb 2021 19:59:48 +0100
Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
It may be useful for scripts to determine whether the GRUB is locked
down or not. Add the lockdown variable which is set to "y" when the GRUB
is locked down.
Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/kern/lockdown.c | 4 ++++
 docs/grub.texi            | 3 +++
 2 files changed, 7 insertions(+)
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index f87ddaeb1ee..30cba7f5ea2 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -18,6 +18,7 @@
  */
 
 #include <grub/dl.h>
+#include <grub/env.h>
 #include <grub/file.h>
 #include <grub/lockdown.h>
 
@@ -84,6 +85,9 @@ grub_lockdown (void)
 #if 0
   grub_verifier_register (&lockdown_verifier);
 #endif
+
+  grub_env_set ("lockdown", "y");
+  grub_env_export ("lockdown");
 }
 
 int
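Review bot: the lockdown variable added at the end of grub_lockdown() is created with plain grub_env_set() and grub_env_export(), so nothing in this hunk prevents a later configuration script from overwriting it with set or removing it with unset; scripts that read it get a hint, not an authoritative state. Consider registering a write hook with grub_register_variable_hook() that rejects modification, or state in the documentation that the variable is informational only. Both calls also discard their return value, so a failure to set the variable would leave it silently absent while GRUB is in fact locked down; checking the result and reporting the error would make that case visible.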
diff --git a/docs/grub.texi b/docs/grub.texi
index f957535dbea..755de88d7d8 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5985,6 +5985,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
 if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
 be restricted and some operations/commands cannot be executed.
 
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
+Otherwise it does not exit.
+
 @node Platform limitations
 @chapter Platform limitations
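Review bot: typo in the second added line of the docs/grub.texi hunk: "Otherwise it does not exit." should read "Otherwise it does not exist." Since lockdown.c also calls grub_env_export ("lockdown"), the text could mention that the variable is exported, and that a script testing it should compare against "y" rather than only checking that it is non-empty.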