nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0005-Make-any-of-the-loaders-that-link-in-efi-mode-honor-.patch

d9d99f
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
d9d99f
From: Peter Jones <pjones@redhat.com>
d9d99f
Date: Tue, 6 Oct 2015 16:09:25 -0400
d9d99f
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
d9d99f
 boot.
d9d99f
d9d99f
And in this case "honor" means "even if somebody does link this in, they
d9d99f
won't register commands if SB is enabled."
d9d99f
d9d99f
Signed-off-by: Peter Jones <pjones@redhat.com>
d9d99f
---
d9d99f
 grub-core/Makefile.core.def        |  1 +
d9d99f
 grub-core/commands/iorw.c          |  7 +++++
d9d99f
 grub-core/commands/memrw.c         |  7 +++++
d9d99f
 grub-core/kern/dl.c                |  1 +
d9d99f
 grub-core/kern/efi/efi.c           | 34 --------------------
d9d99f
 grub-core/kern/efi/sb.c            | 64 ++++++++++++++++++++++++++++++++++++++
d9d99f
 grub-core/loader/efi/appleloader.c |  7 +++++
d9d99f
 grub-core/loader/efi/chainloader.c |  1 +
d9d99f
 grub-core/loader/i386/bsd.c        |  7 +++++
d9d99f
 grub-core/loader/i386/linux.c      |  7 +++++
d9d99f
 grub-core/loader/i386/pc/linux.c   |  7 +++++
d9d99f
 grub-core/loader/multiboot.c       |  7 +++++
d9d99f
 grub-core/loader/xnu.c             |  7 +++++
d9d99f
 include/grub/efi/efi.h             |  1 -
d9d99f
 include/grub/efi/sb.h              | 29 +++++++++++++++++
d9d99f
 include/grub/ia64/linux.h          |  0
d9d99f
 include/grub/mips/linux.h          |  0
d9d99f
 include/grub/powerpc/linux.h       |  0
d9d99f
 include/grub/sparc64/linux.h       |  0
d9d99f
 grub-core/Makefile.am              |  1 +
d9d99f
 20 files changed, 153 insertions(+), 35 deletions(-)
d9d99f
 create mode 100644 grub-core/kern/efi/sb.c
d9d99f
 create mode 100644 include/grub/efi/sb.h
d9d99f
 create mode 100644 include/grub/ia64/linux.h
d9d99f
 create mode 100644 include/grub/mips/linux.h
d9d99f
 create mode 100644 include/grub/powerpc/linux.h
d9d99f
 create mode 100644 include/grub/sparc64/linux.h
d9d99f
d9d99f
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
d9d99f
index 0b4b0c2122d..e92a7ef322f 100644
d9d99f
--- a/grub-core/Makefile.core.def
d9d99f
+++ b/grub-core/Makefile.core.def
d9d99f
@@ -195,6 +195,7 @@ kernel = {
d9d99f
   i386_multiboot = kern/i386/pc/acpi.c;
d9d99f
   i386_coreboot = kern/acpi.c;
d9d99f
   i386_multiboot = kern/acpi.c;
d9d99f
+  common = kern/efi/sb.c;
d9d99f
 
d9d99f
   x86 = kern/i386/tsc.c;
d9d99f
   x86 = kern/i386/tsc_pit.c;
d9d99f
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
d9d99f
index a0c164e54f0..41a7f3f0466 100644
d9d99f
--- a/grub-core/commands/iorw.c
d9d99f
+++ b/grub-core/commands/iorw.c
d9d99f
@@ -23,6 +23,7 @@
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/cpu/io.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
d9d99f
 
d9d99f
 GRUB_MOD_INIT(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_read_byte =
d9d99f
     grub_register_extcmd ("inb", grub_cmd_read, 0,
d9d99f
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
d9d99f
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_read_byte);
d9d99f
   grub_unregister_extcmd (cmd_read_word);
d9d99f
   grub_unregister_extcmd (cmd_read_dword);
d9d99f
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
d9d99f
index 98769eadb34..088cbe9e2bc 100644
d9d99f
--- a/grub-core/commands/memrw.c
d9d99f
+++ b/grub-core/commands/memrw.c
d9d99f
@@ -22,6 +22,7 @@
d9d99f
 #include <grub/extcmd.h>
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
d9d99f
 
d9d99f
 GRUB_MOD_INIT(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_read_byte =
d9d99f
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
d9d99f
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
d9d99f
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(memrw)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_read_byte);
d9d99f
   grub_unregister_extcmd (cmd_read_word);
d9d99f
   grub_unregister_extcmd (cmd_read_dword);
d9d99f
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
d9d99f
index 04e804d1668..621070918d4 100644
d9d99f
--- a/grub-core/kern/dl.c
d9d99f
+++ b/grub-core/kern/dl.c
d9d99f
@@ -32,6 +32,7 @@
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/cache.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 /* Platforms where modules are in a readonly area of memory.  */
d9d99f
 #if defined(GRUB_MACHINE_QEMU)
d9d99f
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
d9d99f
index 91129e33566..708581fcbde 100644
d9d99f
--- a/grub-core/kern/efi/efi.c
d9d99f
+++ b/grub-core/kern/efi/efi.c
d9d99f
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
d9d99f
   return NULL;
d9d99f
 }
d9d99f
 
d9d99f
-grub_efi_boolean_t
d9d99f
-grub_efi_secure_boot (void)
d9d99f
-{
d9d99f
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
d9d99f
-  grub_size_t datasize;
d9d99f
-  char *secure_boot = NULL;
d9d99f
-  char *setup_mode = NULL;
d9d99f
-  grub_efi_boolean_t ret = 0;
d9d99f
-
d9d99f
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
d9d99f
-  if (datasize != 1 || !secure_boot)
d9d99f
-    {
d9d99f
-      grub_dprintf ("secureboot", "No SecureBoot variable\n");
d9d99f
-      goto out;
d9d99f
-    }
d9d99f
-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
d9d99f
-
d9d99f
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
d9d99f
-  if (datasize != 1 || !setup_mode)
d9d99f
-    {
d9d99f
-      grub_dprintf ("secureboot", "No SetupMode variable\n");
d9d99f
-      goto out;
d9d99f
-    }
d9d99f
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
d9d99f
-
d9d99f
-  if (*secure_boot && !*setup_mode)
d9d99f
-    ret = 1;
d9d99f
-
d9d99f
- out:
d9d99f
-  grub_free (secure_boot);
d9d99f
-  grub_free (setup_mode);
d9d99f
-  return ret;
d9d99f
-}
d9d99f
-
d9d99f
 #pragma GCC diagnostic ignored "-Wcast-align"
d9d99f
 
d9d99f
 /* Search the mods section from the PE32/PE32+ image. This code uses
d9d99f
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
d9d99f
new file mode 100644
d9d99f
index 00000000000..d74778b0cac
d9d99f
--- /dev/null
d9d99f
+++ b/grub-core/kern/efi/sb.c
d9d99f
@@ -0,0 +1,64 @@
d9d99f
+/*
d9d99f
+ *  GRUB  --  GRand Unified Bootloader
d9d99f
+ *  Copyright (C) 2014 Free Software Foundation, Inc.
d9d99f
+ *
d9d99f
+ *  GRUB is free software: you can redistribute it and/or modify
d9d99f
+ *  it under the terms of the GNU General Public License as published by
d9d99f
+ *  the Free Software Foundation, either version 3 of the License, or
d9d99f
+ *  (at your option) any later version.
d9d99f
+ *
d9d99f
+ *  GRUB is distributed in the hope that it will be useful,
d9d99f
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
d9d99f
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
d9d99f
+ *  GNU General Public License for more details.
d9d99f
+ *
d9d99f
+ *  You should have received a copy of the GNU General Public License
d9d99f
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
d9d99f
+ */
d9d99f
+
d9d99f
+#include <grub/err.h>
d9d99f
+#include <grub/mm.h>
d9d99f
+#include <grub/types.h>
d9d99f
+#include <grub/cpu/linux.h>
d9d99f
+#include <grub/efi/efi.h>
d9d99f
+#include <grub/efi/pe32.h>
d9d99f
+#include <grub/efi/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
+
d9d99f
+int
d9d99f
+grub_efi_secure_boot (void)
d9d99f
+{
d9d99f
+#ifdef GRUB_MACHINE_EFI
d9d99f
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
d9d99f
+  grub_size_t datasize;
d9d99f
+  char *secure_boot = NULL;
d9d99f
+  char *setup_mode = NULL;
d9d99f
+  grub_efi_boolean_t ret = 0;
d9d99f
+
d9d99f
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
d9d99f
+  if (datasize != 1 || !secure_boot)
d9d99f
+    {
d9d99f
+      grub_dprintf ("secureboot", "No SecureBoot variable\n");
d9d99f
+      goto out;
d9d99f
+    }
d9d99f
+  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
d9d99f
+
d9d99f
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
d9d99f
+  if (datasize != 1 || !setup_mode)
d9d99f
+    {
d9d99f
+      grub_dprintf ("secureboot", "No SetupMode variable\n");
d9d99f
+      goto out;
d9d99f
+    }
d9d99f
+  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
d9d99f
+
d9d99f
+  if (*secure_boot && !*setup_mode)
d9d99f
+    ret = 1;
d9d99f
+
d9d99f
+ out:
d9d99f
+  grub_free (secure_boot);
d9d99f
+  grub_free (setup_mode);
d9d99f
+  return ret;
d9d99f
+#else
d9d99f
+  return 0;
d9d99f
+#endif
d9d99f
+}
d9d99f
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
d9d99f
index 74888c463ba..69c2a10d351 100644
d9d99f
--- a/grub-core/loader/efi/appleloader.c
d9d99f
+++ b/grub-core/loader/efi/appleloader.c
d9d99f
@@ -24,6 +24,7 @@
d9d99f
 #include <grub/misc.h>
d9d99f
 #include <grub/efi/api.h>
d9d99f
 #include <grub/efi/efi.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 #include <grub/command.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
 
d9d99f
@@ -227,6 +228,9 @@ static grub_command_t cmd;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(appleloader)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
d9d99f
 			       N_("[OPTS]"),
d9d99f
 			       /* TRANSLATORS: This command is used on EFI to
d9d99f
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(appleloader)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
d9d99f
index af2189619a3..5cd9b6e08a8 100644
d9d99f
--- a/grub-core/loader/efi/chainloader.c
d9d99f
+++ b/grub-core/loader/efi/chainloader.c
d9d99f
@@ -34,6 +34,7 @@
d9d99f
 #include <grub/efi/disk.h>
d9d99f
 #include <grub/efi/pe32.h>
d9d99f
 #include <grub/efi/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 #include <grub/command.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
 #include <grub/net.h>
d9d99f
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
d9d99f
index 7f96515da65..87709aa23e8 100644
d9d99f
--- a/grub-core/loader/i386/bsd.c
d9d99f
+++ b/grub-core/loader/i386/bsd.c
d9d99f
@@ -38,6 +38,7 @@
d9d99f
 #ifdef GRUB_MACHINE_PCBIOS
d9d99f
 #include <grub/machine/int.h>
d9d99f
 #endif
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
d9d99f
 
d9d99f
 GRUB_MOD_INIT (bsd)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   /* Net and OpenBSD kernels are often compressed.  */
d9d99f
   grub_dl_load ("gzio");
d9d99f
 
d9d99f
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
d9d99f
 
d9d99f
 GRUB_MOD_FINI (bsd)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_extcmd (cmd_freebsd);
d9d99f
   grub_unregister_extcmd (cmd_openbsd);
d9d99f
   grub_unregister_extcmd (cmd_netbsd);
d9d99f
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
d9d99f
index f7186be4002..c84747ea857 100644
d9d99f
--- a/grub-core/loader/i386/linux.c
d9d99f
+++ b/grub-core/loader/i386/linux.c
d9d99f
@@ -35,6 +35,7 @@
d9d99f
 #include <grub/i18n.h>
d9d99f
 #include <grub/lib/cmdline.h>
d9d99f
 #include <grub/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(linux)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
d9d99f
 				     0, N_("Load Linux."));
d9d99f
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
d9d99f
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(linux)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_linux);
d9d99f
   grub_unregister_command (cmd_initrd);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
d9d99f
index caa76bee8af..783a3cd93bc 100644
d9d99f
--- a/grub-core/loader/i386/pc/linux.c
d9d99f
+++ b/grub-core/loader/i386/pc/linux.c
d9d99f
@@ -35,6 +35,7 @@
d9d99f
 #include <grub/i386/floppy.h>
d9d99f
 #include <grub/lib/cmdline.h>
d9d99f
 #include <grub/linux.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(linux16)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_linux =
d9d99f
     grub_register_command ("linux", grub_cmd_linux,
d9d99f
 			   0, N_("Load Linux."));
d9d99f
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(linux16)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_linux);
d9d99f
   grub_unregister_command (cmd_linux16);
d9d99f
   grub_unregister_command (cmd_initrd);
d9d99f
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
d9d99f
index 40c67e82489..26df46a4161 100644
d9d99f
--- a/grub-core/loader/multiboot.c
d9d99f
+++ b/grub-core/loader/multiboot.c
d9d99f
@@ -50,6 +50,7 @@
d9d99f
 #include <grub/video.h>
d9d99f
 #include <grub/memory.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -446,6 +447,9 @@ static grub_command_t cmd_multiboot, cmd_module;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(multiboot)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_multiboot =
d9d99f
 #ifdef GRUB_USE_MULTIBOOT2
d9d99f
     grub_register_command ("multiboot2", grub_cmd_multiboot,
d9d99f
@@ -466,6 +470,9 @@ GRUB_MOD_INIT(multiboot)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(multiboot)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   grub_unregister_command (cmd_multiboot);
d9d99f
   grub_unregister_command (cmd_module);
d9d99f
 }
d9d99f
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
d9d99f
index c9885b1bcd7..df8dfdb4ba0 100644
d9d99f
--- a/grub-core/loader/xnu.c
d9d99f
+++ b/grub-core/loader/xnu.c
d9d99f
@@ -33,6 +33,7 @@
d9d99f
 #include <grub/extcmd.h>
d9d99f
 #include <grub/env.h>
d9d99f
 #include <grub/i18n.h>
d9d99f
+#include <grub/efi/sb.h>
d9d99f
 
d9d99f
 GRUB_MOD_LICENSE ("GPLv3+");
d9d99f
 
d9d99f
@@ -1469,6 +1470,9 @@ static grub_extcmd_t cmd_splash;
d9d99f
 
d9d99f
 GRUB_MOD_INIT(xnu)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
d9d99f
 				      N_("Load XNU image."));
d9d99f
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
d9d99f
@@ -1509,6 +1513,9 @@ GRUB_MOD_INIT(xnu)
d9d99f
 
d9d99f
 GRUB_MOD_FINI(xnu)
d9d99f
 {
d9d99f
+  if (grub_efi_secure_boot())
d9d99f
+    return;
d9d99f
+
d9d99f
 #ifndef GRUB_MACHINE_EMU
d9d99f
   grub_unregister_command (cmd_resume);
d9d99f
 #endif
d9d99f
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
d9d99f
index 1061aee9726..39480b38674 100644
d9d99f
--- a/include/grub/efi/efi.h
d9d99f
+++ b/include/grub/efi/efi.h
d9d99f
@@ -85,7 +85,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
d9d99f
 				     const grub_efi_guid_t *guid,
d9d99f
 				     void *data,
d9d99f
 				     grub_size_t datasize);
d9d99f
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
d9d99f
 int
d9d99f
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
d9d99f
 					     const grub_efi_device_path_t *dp2);
d9d99f
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
d9d99f
new file mode 100644
d9d99f
index 00000000000..9629fbb0f9e
d9d99f
--- /dev/null
d9d99f
+++ b/include/grub/efi/sb.h
d9d99f
@@ -0,0 +1,29 @@
d9d99f
+/* sb.h - declare functions for EFI Secure Boot support */
d9d99f
+/*
d9d99f
+ *  GRUB  --  GRand Unified Bootloader
d9d99f
+ *  Copyright (C) 2006,2007,2008,2009  Free Software Foundation, Inc.
d9d99f
+ *
d9d99f
+ *  GRUB is free software: you can redistribute it and/or modify
d9d99f
+ *  it under the terms of the GNU General Public License as published by
d9d99f
+ *  the Free Software Foundation, either version 3 of the License, or
d9d99f
+ *  (at your option) any later version.
d9d99f
+ *
d9d99f
+ *  GRUB is distributed in the hope that it will be useful,
d9d99f
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
d9d99f
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
d9d99f
+ *  GNU General Public License for more details.
d9d99f
+ *
d9d99f
+ *  You should have received a copy of the GNU General Public License
d9d99f
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
d9d99f
+ */
d9d99f
+
d9d99f
+#ifndef GRUB_EFI_SB_HEADER
d9d99f
+#define GRUB_EFI_SB_HEADER	1
d9d99f
+
d9d99f
+#include <grub/types.h>
d9d99f
+#include <grub/dl.h>
d9d99f
+
d9d99f
+/* Functions.  */
d9d99f
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
d9d99f
+
d9d99f
+#endif /* ! GRUB_EFI_SB_HEADER */
d9d99f
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
d9d99f
new file mode 100644
d9d99f
index 00000000000..e69de29bb2d
d9d99f
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
d9d99f
new file mode 100644
d9d99f
index 00000000000..e69de29bb2d
d9d99f
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
d9d99f
new file mode 100644
d9d99f
index 00000000000..e69de29bb2d
d9d99f
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
d9d99f
new file mode 100644
d9d99f
index 00000000000..e69de29bb2d
d9d99f
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
d9d99f
index f4ff62b769a..9c69aa88626 100644
d9d99f
--- a/grub-core/Makefile.am
d9d99f
+++ b/grub-core/Makefile.am
d9d99f
@@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
d9d99f
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
d9d99f
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h