From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 6 Oct 2015 16:09:25 -0400
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
boot.
And in this case "honor" means "even if somebody does link this in, they
won't register commands if SB is enabled."
Signed-off-by: Peter Jones <pjones@redhat.com>
---
grub-core/Makefile.core.def | 1 +
grub-core/commands/iorw.c | 7 +++++
grub-core/commands/memrw.c | 7 +++++
grub-core/kern/dl.c | 1 +
grub-core/kern/efi/efi.c | 34 --------------------
grub-core/kern/efi/sb.c | 64 ++++++++++++++++++++++++++++++++++++++
grub-core/loader/efi/appleloader.c | 7 +++++
grub-core/loader/efi/chainloader.c | 1 +
grub-core/loader/i386/bsd.c | 7 +++++
grub-core/loader/i386/linux.c | 7 +++++
grub-core/loader/i386/pc/linux.c | 7 +++++
grub-core/loader/multiboot.c | 7 +++++
grub-core/loader/xnu.c | 7 +++++
include/grub/efi/efi.h | 1 -
include/grub/efi/sb.h | 29 +++++++++++++++++
include/grub/ia64/linux.h | 0
include/grub/mips/linux.h | 0
include/grub/powerpc/linux.h | 0
include/grub/sparc64/linux.h | 0
grub-core/Makefile.am | 1 +
20 files changed, 153 insertions(+), 35 deletions(-)
create mode 100644 grub-core/kern/efi/sb.c
create mode 100644 include/grub/efi/sb.h
create mode 100644 include/grub/ia64/linux.h
create mode 100644 include/grub/mips/linux.h
create mode 100644 include/grub/powerpc/linux.h
create mode 100644 include/grub/sparc64/linux.h
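--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -195,6 +195,7 @@ kernel = {
 i386_multiboot = kern/i386/pc/acpi.c;
 i386_coreboot = kern/acpi.c;
 i386_multiboot = kern/acpi.c;
+ common = kern/efi/sb.c;
 
 x86 = kern/i386/tsc.c;
 x86 = kern/i386/tsc_pit.c;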
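--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@@ -23,6 +23,7 @@
 #include <grub/env.h>
 #include <grub/cpu/io.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 
 GRUB_MOD_INIT(memrw)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_read_byte =
 grub_register_extcmd ("inb", grub_cmd_read, 0,
 N_("PORT"), N_("Read 8-bit value from PORT."),
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
 
 GRUB_MOD_FINI(memrw)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_extcmd (cmd_read_byte);
 grub_unregister_extcmd (cmd_read_word);
 grub_unregister_extcmd (cmd_read_dword);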
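Review bot: GRUB_MOD_FINI(memrw) decides whether to unregister by calling grub_efi_secure_boot() again rather than by checking what GRUB_MOD_INIT actually registered, so the two answers can disagree. The helper added in grub-core/kern/efi/sb.c reads two firmware variables on each call and returns 0 whenever a read fails; a failed read at init followed by a good read at unload would skip the `grub_unregister_extcmd` calls for commands that were registered, and the reverse order would pass never-assigned handles to them. Guarding on the module's own state, e.g. `if (!cmd_read_byte) return;`, avoids the second query (this assumes the handles are zero-initialised file-scope statics; their declarations are outside the hunks). The same init/fini pair appears in commands/memrw.c, loader/efi/appleloader.c, loader/i386/bsd.c, loader/i386/linux.c, loader/i386/pc/linux.c, loader/multiboot.c and loader/xnu.c. Both function bodies continue past the hunks.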
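--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@@ -22,6 +22,7 @@
 #include <grub/extcmd.h>
 #include <grub/env.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 
 GRUB_MOD_INIT(memrw)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_read_byte =
 grub_register_extcmd ("read_byte", grub_cmd_read, 0,
 N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
 
 GRUB_MOD_FINI(memrw)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_extcmd (cmd_read_byte);
 grub_unregister_extcmd (cmd_read_word);
 grub_unregister_extcmd (cmd_read_dword);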
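--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -32,6 +32,7 @@
 #include <grub/env.h>
 #include <grub/cache.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 /* Platforms where modules are in a readonly area of memory. */
 #if defined(GRUB_MACHINE_QEMU)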
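--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
 return NULL;
 }
 
-grub_efi_boolean_t
-grub_efi_secure_boot (void)
-{
- grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
- grub_size_t datasize;
- char *secure_boot = NULL;
- char *setup_mode = NULL;
- grub_efi_boolean_t ret = 0;
-
- secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
- if (datasize != 1 || !secure_boot)
- {
- grub_dprintf ("secureboot", "No SecureBoot variable\n");
- goto out;
- }
- grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
-
- setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
- if (datasize != 1 || !setup_mode)
- {
- grub_dprintf ("secureboot", "No SetupMode variable\n");
- goto out;
- }
- grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
-
- if (*secure_boot && !*setup_mode)
- ret = 1;
-
- out:
- grub_free (secure_boot);
- grub_free (setup_mode);
- return ret;
-}
-
 #pragma GCC diagnostic ignored "-Wcast-align"
 
 /* Search the mods section from the PE32/PE32+ image. This code uses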
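--- /dev/null
+++ b/grub-core/kern/efi/sb.c
@@ -0,0 +1,64 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2014 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+#include <grub/cpu/linux.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/pe32.h>
+#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
+
+int
+grub_efi_secure_boot (void)
+{
+#ifdef GRUB_MACHINE_EFI
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+ if (datasize != 1 || !secure_boot)
+ {
+ grub_dprintf ("secureboot", "No SecureBoot variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+ if (datasize != 1 || !setup_mode)
+ {
+ grub_dprintf ("secureboot", "No SetupMode variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+#else
+ return 0;
+#endif
+}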
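Review bot: `datasize` is declared without an initialiser and is tested before the pointer in `if (datasize != 1 || !secure_boot)` and again in the `setup_mode` check, so if grub_efi_get_variable() returns NULL without storing a size the comparison reads an indeterminate value; that function's body is not in this diff, so whether it does is unconfirmed. `grub_size_t datasize = 0;` plus `if (!secure_boot || datasize != 1)` removes the dependency. Every failure path also returns 0, and this commit makes that value the gate for registering the port/memory access commands and the loaders, so a comment stating that an unreadable variable is deliberately treated as Secure Boot being off would make the fail-open choice reviewable. The includes of `grub/cpu/linux.h`, `grub/efi/pe32.h` and `grub/efi/linux.h` look unused by the code shown; if so, dropping them would presumably also remove the need for the four empty `linux.h` headers this commit creates.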
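--- a/grub-core/loader/efi/appleloader.c
+++ b/grub-core/loader/efi/appleloader.c
@@ -24,6 +24,7 @@
 #include <grub/misc.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 
@@ -227,6 +228,9 @@ static grub_command_t cmd;
 
 GRUB_MOD_INIT(appleloader)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
 N_("[OPTS]"),
 /* TRANSLATORS: This command is used on EFI to
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
 
 GRUB_MOD_FINI(appleloader)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_command (cmd);
 }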
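--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -34,6 +34,7 @@
 #include <grub/efi/disk.h>
 #include <grub/efi/pe32.h>
 #include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 #include <grub/net.h>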
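--- a/grub-core/loader/i386/bsd.c
+++ b/grub-core/loader/i386/bsd.c
@@ -38,6 +38,7 @@
 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/int.h>
 #endif
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
 
 GRUB_MOD_INIT (bsd)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 /* Net and OpenBSD kernels are often compressed. */
 grub_dl_load ("gzio");
 
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
 
 GRUB_MOD_FINI (bsd)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_extcmd (cmd_freebsd);
 grub_unregister_extcmd (cmd_openbsd);
 grub_unregister_extcmd (cmd_netbsd);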
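--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -35,6 +35,7 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
 
 GRUB_MOD_INIT(linux)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_linux = grub_register_command ("linux", grub_cmd_linux,
 0, N_("Load Linux."));
 cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
 
 GRUB_MOD_FINI(linux)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_command (cmd_linux);
 grub_unregister_command (cmd_initrd);
 }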
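Review bot: The early return in GRUB_MOD_INIT(linux) is silent, so a configuration that still calls `linux` or `initrd` under Secure Boot fails with nothing pointing at this check; grub_efi_secure_boot() itself only prints the variable values. Putting the return in braces with one message before it, e.g. `grub_dprintf ("secureboot", "linux: commands not registered\n");`, would make the cause visible when `secureboot` debugging is enabled. The other modules gated by this commit return just as quietly. GRUB_MOD_INIT's body continues past the hunk.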
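--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -35,6 +35,7 @@
 #include <grub/i386/floppy.h>
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
 
 GRUB_MOD_INIT(linux16)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_linux =
 grub_register_command ("linux", grub_cmd_linux,
 0, N_("Load Linux."));
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
 
 GRUB_MOD_FINI(linux16)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_command (cmd_linux);
 grub_unregister_command (cmd_linux16);
 grub_unregister_command (cmd_initrd);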
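--- a/grub-core/loader/multiboot.c
+++ b/grub-core/loader/multiboot.c
@@ -50,6 +50,7 @@
 #include <grub/video.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -446,6 +447,9 @@ static grub_command_t cmd_multiboot, cmd_module;
 
 GRUB_MOD_INIT(multiboot)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_multiboot =
 #ifdef GRUB_USE_MULTIBOOT2
 grub_register_command ("multiboot2", grub_cmd_multiboot,
@@ -466,6 +470,9 @@ GRUB_MOD_INIT(multiboot)
 
 GRUB_MOD_FINI(multiboot)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 grub_unregister_command (cmd_multiboot);
 grub_unregister_command (cmd_module);
 }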
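--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
@@ -33,6 +33,7 @@
 #include <grub/extcmd.h>
 #include <grub/env.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1469,6 +1470,9 @@ static grub_extcmd_t cmd_splash;
 
 GRUB_MOD_INIT(xnu)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
 N_("Load XNU image."));
 cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
@@ -1509,6 +1513,9 @@ GRUB_MOD_INIT(xnu)
 
 GRUB_MOD_FINI(xnu)
 {
+ if (grub_efi_secure_boot())
+ return;
+
 #ifndef GRUB_MACHINE_EMU
 grub_unregister_command (cmd_resume);
 #endif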
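--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
@@ -85,7 +85,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
 const grub_efi_guid_t *guid,
 void *data,
 grub_size_t datasize);
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
 int
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
 const grub_efi_device_path_t *dp2);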
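--- /dev/null
+++ b/include/grub/efi/sb.h
@@ -0,0 +1,29 @@
+/* sb.h - declare functions for EFI Secure Boot support */
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2006,2007,2008,2009 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_EFI_SB_HEADER
+#define GRUB_EFI_SB_HEADER 1
+
+#include <grub/types.h>
+#include <grub/dl.h>
+
+/* Functions. */
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
+
+#endif /* ! GRUB_EFI_SB_HEADER */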
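Review bot: The declaration `int EXPORT_FUNC (grub_efi_secure_boot) (void);` has no comment saying what the return value means, yet after this commit module init code across the tree uses it as a security gate. A contract above it, taken from the implementation in sb.c, would help callers: `/* Nonzero only when SecureBoot is a set 1-byte variable and SetupMode is clear; 0 on non-EFI builds and whenever either variable cannot be read. */`. Stating the failure case in the header matters because callers cannot otherwise tell "disabled" from "could not be determined".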
|
|
|
8631a2 |
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
|
|
|
8631a2 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..e69de29bb
|
|
|
8631a2 |
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
|
|
|
8631a2 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..e69de29bb
|
|
|
8631a2 |
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
|
|
|
8631a2 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..e69de29bb
|
|
|
8631a2 |
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
|
|
|
8631a2 |
new file mode 100644
|
|
|
f6e916 |
index 000000000..e69de29bb
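--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h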