
Blame SOURCES/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch

d9d99f
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
d9d99f
From: Peter Jones <pjones@redhat.com>
d9d99f
Date: Tue, 6 Oct 2015 16:09:25 -0400
d9d99f
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
d9d99f
 boot.
d9d99f
d9d99f
And in this case "honor" means "even if somebody does link this in, they
d9d99f
won't register commands if SB is enabled."
d9d99f
d9d99f
Signed-off-by: Peter Jones <pjones@redhat.com>
d9d99f
---
d9d99f
 grub-core/Makefile.core.def        |  1 +
d9d99f
 grub-core/commands/iorw.c          |  7 +++++
d9d99f
 grub-core/commands/memrw.c         |  7 +++++
d9d99f
 grub-core/kern/dl.c                |  1 +
d9d99f
 grub-core/kern/efi/efi.c           | 34 --------------------
d9d99f
 grub-core/kern/efi/sb.c            | 64 ++++++++++++++++++++++++++++++++++++++
d9d99f
 grub-core/loader/efi/appleloader.c |  7 +++++
d9d99f
 grub-core/loader/efi/chainloader.c |  1 +
d9d99f
 grub-core/loader/i386/bsd.c        |  7 +++++
d9d99f
 grub-core/loader/i386/linux.c      |  7 +++++
d9d99f
 grub-core/loader/i386/pc/linux.c   |  7 +++++
d9d99f
 grub-core/loader/multiboot.c       |  7 +++++
d9d99f
 grub-core/loader/xnu.c             |  7 +++++
d9d99f
 include/grub/efi/efi.h             |  1 -
d9d99f
 include/grub/efi/sb.h              | 29 +++++++++++++++++
d9d99f
 include/grub/ia64/linux.h          |  0
d9d99f
 include/grub/mips/linux.h          |  0
d9d99f
 include/grub/powerpc/linux.h       |  0
d9d99f
 include/grub/sparc64/linux.h       |  0
d9d99f
 grub-core/Makefile.am              |  1 +
d9d99f
 20 files changed, 153 insertions(+), 35 deletions(-)
d9d99f
 create mode 100644 grub-core/kern/efi/sb.c
d9d99f
 create mode 100644 include/grub/efi/sb.h
d9d99f
 create mode 100644 include/grub/ia64/linux.h
d9d99f
 create mode 100644 include/grub/mips/linux.h
d9d99f
 create mode 100644 include/grub/powerpc/linux.h
d9d99f
 create mode 100644 include/grub/sparc64/linux.h
d9d99f
d9d99f
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
b71686
index 0b4b0c212..e92a7ef32 100644
d9d99f
--- a/grub-core/Makefile.core.def
d9d99f
+++ b/grub-core/Makefile.core.def
d9d99f
@@ -195,6 +195,7 @@ kernel = {
d9d99f
   i386_multiboot = kern/i386/pc/acpi.c;
d9d99f
   i386_coreboot = kern/acpi.c;
d9d99f
   i386_multiboot = kern/acpi.c;
d9d99f
+  common = kern/efi/sb.c;
d9d99f
 
d9d99f
   x86 = kern/i386/tsc.c;
d9d99f
   x86 = kern/i386/tsc_pit.c;
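Review bot: Listing `kern/efi/sb.c` under `common` compiles it for every platform, so each of its includes has to resolve on non-EFI targets as well. The new file, later in this patch, includes `<grub/cpu/linux.h>`, `<grub/efi/pe32.h>` and `<grub/efi/linux.h>`, none of which its single function uses. The four empty `include/grub/{ia64,mips,powerpc,sparc64}/linux.h` files created by this patch look like they exist only to satisfy the first of those includes. Dropping the unused includes from sb.c would remove the need for the placeholder headers. The `kernel = {` block starts and ends outside this hunk.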
d9d99f
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
b71686
index a0c164e54..41a7f3f04 100644
d9d99f
--- a/grub-core/commands/iorw.c
d9d99f
+++ b/grub-core/commands/iorw.c
d9d99f
@@ -23,6 +23,7 @@
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/cpu/io.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
d9d99f
 
d9d99f
 GRUB_MOD_INIT(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_read_byte =
d9d99f
     grub_register_extcmd ("inb", grub_cmd_read, 0,
d9d99f
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
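Review bot: The early return at the top of GRUB_MOD_INIT carries no comment and emits no debug output, so with Secure Boot enforced the only visible symptom is that `inb` and the module's other commands are unknown. A comment such as `/* Port I/O commands are not registered when Secure Boot is enforced. */` and a `grub_dprintf ("secureboot", "iorw: commands not registered\n");` before the `return` would make that diagnosable. The same applies to the identical guard in the GRUB_MOD_INIT hunks of memrw.c, appleloader.c, bsd.c, both linux.c files, multiboot.c and xnu.c. The body of GRUB_MOD_INIT continues past the end of this hunk.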
d9d99f
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_read_byte);
d9d99f
   grub_unregister_extcmd (cmd_read_word);
d9d99f
   grub_unregister_extcmd (cmd_read_dword);
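Review bot: GRUB_MOD_FINI decides whether to unregister by querying the firmware again rather than by checking whether GRUB_MOD_INIT registered anything. Each call to `grub_efi_secure_boot()` re-reads and frees two EFI variables (see sb.c in this patch), and if the answer ever differed between init and fini the module would either leave live commands registered or hand never-assigned handles to `grub_unregister_extcmd`. Recording the init-time decision in a file-scope flag, or guarding on the handle with `if (!cmd_read_byte) return;` (assuming the handles are zero-initialised file-scope statics, as `cmd` is in appleloader.c), avoids both. The same pattern is repeated in the GRUB_MOD_FINI hunks of memrw.c, appleloader.c, bsd.c, both linux.c files, multiboot.c and xnu.c. The function body continues past this hunk.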
d9d99f
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
b71686
index 98769eadb..088cbe9e2 100644
d9d99f
--- a/grub-core/commands/memrw.c
d9d99f
+++ b/grub-core/commands/memrw.c
d9d99f
@@ -22,6 +22,7 @@
d9d99f
 #include <grub/extcmd.h>
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
d9d99f
 
d9d99f
 GRUB_MOD_INIT(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_read_byte =
d9d99f
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
d9d99f
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
d9d99f
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_read_byte);
d9d99f
   grub_unregister_extcmd (cmd_read_word);
d9d99f
   grub_unregister_extcmd (cmd_read_dword);
d9d99f
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
b71686
index 04e804d16..621070918 100644
d9d99f
--- a/grub-core/kern/dl.c
d9d99f
+++ b/grub-core/kern/dl.c
d9d99f
@@ -32,6 +32,7 @@
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/cache.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 /* Platforms where modules are in a readonly area of memory.  */
d9d99f
 #if defined(GRUB_MACHINE_QEMU)
d9d99f
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
b71686
index 91129e335..708581fcb 100644
d9d99f
--- a/grub-core/kern/efi/efi.c
d9d99f
+++ b/grub-core/kern/efi/efi.c
d9d99f
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
d9d99f
   return NULL;
d9d99f
 }
d9d99f
 
d9d99f
-grub_efi_boolean_t
d9d99f
-grub_efi_secure_boot (void)
d9d99f
-{
d9d99f
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
d9d99f
-  grub_size_t datasize;
d9d99f
-  char *secure_boot = NULL;
d9d99f
-  char *setup_mode = NULL;
d9d99f
-  grub_efi_boolean_t ret = 0;
d9d99f
-
d9d99f
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
d9d99f
-  if (datasize != 1 || !secure_boot)
d9d99f
-    {
d9d99f
-      grub_dprintf ("secureboot", "No SecureBoot variable\n");
d9d99f
-      goto out;
d9d99f
-    }
d9d99f
-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
d9d99f
-
d9d99f
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
d9d99f
-  if (datasize != 1 || !setup_mode)
d9d99f
-    {
d9d99f
-      grub_dprintf ("secureboot", "No SetupMode variable\n");
d9d99f
-      goto out;
d9d99f
-    }
d9d99f
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
d9d99f
-
d9d99f
-  if (*secure_boot && !*setup_mode)
d9d99f
-    ret = 1;
d9d99f
-
d9d99f
- out:
d9d99f
-  grub_free (secure_boot);
d9d99f
-  grub_free (setup_mode);
d9d99f
-  return ret;
d9d99f
-}
d9d99f
-
d9d99f
 #pragma GCC diagnostic ignored "-Wcast-align"
d9d99f
 
d9d99f
 /* Search the mods section from the PE32/PE32+ image. This code uses
d9d99f
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
d9d99f
new file mode 100644
b71686
index 000000000..d74778b0c
d9d99f
--- /dev/null
d9d99f
+++ b/grub-core/kern/efi/sb.c
d9d99f
@@ -0,0 +1,64 @@
d9d99f
+/*
d9d99f
+ *  GRUB  --  GRand Unified Bootloader
d9d99f
+ *  Copyright (C) 2014 Free Software Foundation, Inc.
d9d99f
+ *
d9d99f
+ *  GRUB is free software: you can redistribute it and/or modify
d9d99f
+ *  it under the terms of the GNU General Public License as published by
d9d99f
+ *  the Free Software Foundation, either version 3 of the License, or
d9d99f
+ *  (at your option) any later version.
d9d99f
+ *
d9d99f
+ *  GRUB is distributed in the hope that it will be useful,
d9d99f
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
d9d99f
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
d9d99f
+ *  GNU General Public License for more details.
d9d99f
+ *
d9d99f
+ *  You should have received a copy of the GNU General Public License
d9d99f
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
d9d99f
+ */
d9d99f
+
d9d99f
+#include <grub/err.h>
d9d99f
+#include <grub/mm.h>
d9d99f
+#include <grub/types.h>
d9d99f
+#include <grub/cpu/linux.h>
d9d99f
+#include <grub/efi/efi.h>
d9d99f
+#include <grub/efi/pe32.h>
d9d99f
+#include <grub/efi/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
+
d9d99f
+int
d9d99f
+grub_efi_secure_boot (void)
d9d99f
+{
d9d99f
+#ifdef GRUB_MACHINE_EFI
d9d99f
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
d9d99f
+  grub_size_t datasize;
d9d99f
+  char *secure_boot = NULL;
d9d99f
+  char *setup_mode = NULL;
d9d99f
+  grub_efi_boolean_t ret = 0;
d9d99f
+
d9d99f
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
d9d99f
+  if (datasize != 1 || !secure_boot)
d9d99f
+    {
d9d99f
+      grub_dprintf ("secureboot", "No SecureBoot variable\n");
d9d99f
+      goto out;
d9d99f
+    }
d9d99f
+  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
d9d99f
+
d9d99f
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
d9d99f
+  if (datasize != 1 || !setup_mode)
d9d99f
+    {
d9d99f
+      grub_dprintf ("secureboot", "No SetupMode variable\n");
d9d99f
+      goto out;
d9d99f
+    }
d9d99f
+  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
d9d99f
+
d9d99f
+  if (*secure_boot && !*setup_mode)
d9d99f
+    ret = 1;
d9d99f
+
d9d99f
+ out:
d9d99f
+  grub_free (secure_boot);
d9d99f
+  grub_free (setup_mode);
d9d99f
+  return ret;
d9d99f
+#else
d9d99f
+  return 0;
d9d99f
+#endif
d9d99f
+}
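Review bot: `datasize` is declared without an initializer and is tested before the returned pointer in `if (datasize != 1 || !secure_boot)`, so if `grub_efi_get_variable` returns NULL without storing a size (its body is not visible here) the check reads an indeterminate value. Initializing it with `grub_size_t datasize = 0;` and testing the pointer first, `if (!secure_boot || datasize != 1)`, for both variables removes that dependency. Every failure path also returns 0, which the callers in this patch treat as "Secure Boot not enforced" before registering their commands. A comment should say whether that fail-open result is intended only for an absent variable or for a read error as well. `ret` is still declared `grub_efi_boolean_t` although the function now returns `int`.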
d9d99f
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
b71686
index 74888c463..69c2a10d3 100644
d9d99f
--- a/grub-core/loader/efi/appleloader.c
d9d99f
+++ b/grub-core/loader/efi/appleloader.c
d9d99f
@@ -24,6 +24,7 @@
d9d99f
 #include <grub/misc.h>
d9d99f
 #include <grub/efi/api.h>
d9d99f
 #include <grub/efi/efi.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 #include <grub/command.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
 
d9d99f
@@ -227,6 +228,9 @@ static grub_command_t cmd;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(appleloader)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
d9d99f
 			       N_("[OPTS]"),
d9d99f
 			       /* TRANSLATORS: This command is used on EFI to
d9d99f
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(appleloader)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
b71686
index af2189619..5cd9b6e08 100644
d9d99f
--- a/grub-core/loader/efi/chainloader.c
d9d99f
+++ b/grub-core/loader/efi/chainloader.c
d9d99f
@@ -34,6 +34,7 @@
d9d99f
 #include <grub/efi/disk.h>
d9d99f
 #include <grub/efi/pe32.h>
d9d99f
 #include <grub/efi/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 #include <grub/command.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
 #include <grub/net.h>
d9d99f
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
b71686
index 7f96515da..87709aa23 100644
d9d99f
--- a/grub-core/loader/i386/bsd.c
d9d99f
+++ b/grub-core/loader/i386/bsd.c
d9d99f
@@ -38,6 +38,7 @@
d9d99f
 #ifdef GRUB_MACHINE_PCBIOS
d9d99f
 #include <grub/machine/int.h>
d9d99f
 #endif
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
d9d99f
 
d9d99f
 GRUB_MOD_INIT (bsd)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   /* Net and OpenBSD kernels are often compressed.  */
d9d99f
   grub_dl_load ("gzio");
d9d99f
 
d9d99f
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
d9d99f
 
d9d99f
 GRUB_MOD_FINI (bsd)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_freebsd);
d9d99f
   grub_unregister_extcmd (cmd_openbsd);
d9d99f
   grub_unregister_extcmd (cmd_netbsd);
d9d99f
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
b71686
index f7186be40..c84747ea8 100644
d9d99f
--- a/grub-core/loader/i386/linux.c
d9d99f
+++ b/grub-core/loader/i386/linux.c
d9d99f
@@ -35,6 +35,7 @@
d9d99f
 #include <grub/i18n.h>
d9d99f
 #include <grub/lib/cmdline.h>
d9d99f
 #include <grub/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(linux)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
d9d99f
 				     0, N_("Load Linux."));
d9d99f
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
d9d99f
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(linux)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_linux);
d9d99f
   grub_unregister_command (cmd_initrd);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
b71686
index caa76bee8..783a3cd93 100644
d9d99f
--- a/grub-core/loader/i386/pc/linux.c
d9d99f
+++ b/grub-core/loader/i386/pc/linux.c
d9d99f
@@ -35,6 +35,7 @@
d9d99f
 #include <grub/i386/floppy.h>
d9d99f
 #include <grub/lib/cmdline.h>
d9d99f
 #include <grub/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(linux16)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_linux =
d9d99f
     grub_register_command ("linux", grub_cmd_linux,
d9d99f
 			   0, N_("Load Linux."));
d9d99f
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(linux16)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_linux);
d9d99f
   grub_unregister_command (cmd_linux16);
d9d99f
   grub_unregister_command (cmd_initrd);
d9d99f
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
b71686
index 40c67e824..26df46a41 100644
d9d99f
--- a/grub-core/loader/multiboot.c
d9d99f
+++ b/grub-core/loader/multiboot.c
d9d99f
@@ -50,6 +50,7 @@
d9d99f
 #include <grub/video.h>
d9d99f
 #include <grub/memory.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -446,6 +447,9 @@ static grub_command_t cmd_multiboot, cmd_module;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(multiboot)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_multiboot =
d9d99f
 #ifdef GRUB_USE_MULTIBOOT2
d9d99f
     grub_register_command ("multiboot2", grub_cmd_multiboot,
d9d99f
@@ -466,6 +470,9 @@ GRUB_MOD_INIT(multiboot)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(multiboot)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_multiboot);
d9d99f
   grub_unregister_command (cmd_module);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
b71686
index c9885b1bc..df8dfdb4b 100644
d9d99f
--- a/grub-core/loader/xnu.c
d9d99f
+++ b/grub-core/loader/xnu.c
d9d99f
@@ -33,6 +33,7 @@
d9d99f
 #include <grub/extcmd.h>
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -1469,6 +1470,9 @@ static grub_extcmd_t cmd_splash;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(xnu)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
d9d99f
 				      N_("Load XNU image."));
d9d99f
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
d9d99f
@@ -1509,6 +1513,9 @@ GRUB_MOD_INIT(xnu)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(xnu)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
 #ifndef GRUB_MACHINE_EMU
d9d99f
   grub_unregister_command (cmd_resume);
d9d99f
 #endif
d9d99f
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
b71686
index 1061aee97..39480b386 100644
d9d99f
--- a/include/grub/efi/efi.h
d9d99f
+++ b/include/grub/efi/efi.h
d9d99f
@@ -85,7 +85,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
d9d99f
 				     const grub_efi_guid_t *guid,
d9d99f
 				     void *data,
d9d99f
 				     grub_size_t datasize);
d9d99f
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
d9d99f
 int
d9d99f
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
d9d99f
 					     const grub_efi_device_path_t *dp2);
d9d99f
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
d9d99f
new file mode 100644
b71686
index 000000000..9629fbb0f
d9d99f
--- /dev/null
d9d99f
+++ b/include/grub/efi/sb.h
d9d99f
@@ -0,0 +1,29 @@
d9d99f
+/* sb.h - declare functions for EFI Secure Boot support */
d9d99f
+/*
d9d99f
+ *  GRUB  --  GRand Unified Bootloader
d9d99f
+ *  Copyright (C) 2006,2007,2008,2009  Free Software Foundation, Inc.
d9d99f
+ *
d9d99f
+ *  GRUB is free software: you can redistribute it and/or modify
d9d99f
+ *  it under the terms of the GNU General Public License as published by
d9d99f
+ *  the Free Software Foundation, either version 3 of the License, or
d9d99f
+ *  (at your option) any later version.
d9d99f
+ *
d9d99f
+ *  GRUB is distributed in the hope that it will be useful,
d9d99f
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
d9d99f
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
d9d99f
+ *  GNU General Public License for more details.
d9d99f
+ *
d9d99f
+ *  You should have received a copy of the GNU General Public License
d9d99f
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
d9d99f
+ */
d9d99f
+
d9d99f
+#ifndef GRUB_EFI_SB_HEADER
d9d99f
+#define GRUB_EFI_SB_HEADER	1
d9d99f
+
d9d99f
+#include <grub/types.h>
d9d99f
+#include <grub/dl.h>
d9d99f
+
d9d99f
+/* Functions.  */
d9d99f
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
d9d99f
+
d9d99f
+#endif /* ! GRUB_EFI_SB_HEADER */
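Review bot: The only declaration in this header has no contract comment, and its return type changed from `grub_efi_boolean_t` to `int` in the move out of efi.h. A comment above it along the lines of `/* Returns 1 when the SecureBoot variable is set and SetupMode is clear; 0 otherwise, including on non-EFI builds and when either variable cannot be read. */` would tell callers that 0 does not distinguish "disabled" from "could not determine". That matters because every caller added by this patch uses the result as the sole gate for registering its commands.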
d9d99f
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
d9d99f
new file mode 100644
b71686
index 000000000..e69de29bb
d9d99f
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
d9d99f
new file mode 100644
b71686
index 000000000..e69de29bb
d9d99f
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
d9d99f
new file mode 100644
b71686
index 000000000..e69de29bb
d9d99f
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
d9d99f
new file mode 100644
b71686
index 000000000..e69de29bb
d9d99f
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
b71686
index f4ff62b76..9c69aa886 100644
d9d99f
--- a/grub-core/Makefile.am
d9d99f
+++ b/grub-core/Makefile.am
d9d99f
@@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
d9d99f
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h