From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001

From: Peter Jones <pjones@redhat.com>

Date: Tue, 6 Oct 2015 16:09:25 -0400

Subject: [PATCH] Make any of the loaders that link in efi mode honor secure

 boot.

And in this case "honor" means "even if somebody does link this in, they

won't register commands if SB is enabled."

Signed-off-by: Peter Jones <pjones@redhat.com>

---

 grub-core/commands/iorw.c          |  7 +++++++

 grub-core/commands/memrw.c         |  7 +++++++

 grub-core/kern/dl.c                |  3 ++-

 grub-core/kern/efi/efi.c           | 34 ----------------------------------

 grub-core/loader/efi/appleloader.c |  7 +++++++

 grub-core/loader/efi/chainloader.c |  1 +

 grub-core/loader/i386/bsd.c        |  7 +++++++

 grub-core/loader/i386/linux.c      |  7 +++++++

 grub-core/loader/i386/pc/linux.c   |  7 +++++++

 grub-core/loader/multiboot.c       |  7 +++++++

 grub-core/loader/xnu.c             |  7 +++++++

 include/grub/efi/efi.h             |  1 -

 include/grub/ia64/linux.h          |  0

 include/grub/mips/linux.h          |  0

 include/grub/powerpc/linux.h       |  0

 include/grub/sparc64/linux.h       |  0

 16 files changed, 59 insertions(+), 36 deletions(-)

 create mode 100644 include/grub/ia64/linux.h

 create mode 100644 include/grub/mips/linux.h

 create mode 100644 include/grub/powerpc/linux.h

 create mode 100644 include/grub/sparc64/linux.h

diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c

index 584baec8f91..7b2999b14b5 100644

--- a/grub-core/commands/iorw.c

+++ b/grub-core/commands/iorw.c

@@ -24,6 +24,7 @@

 #include <grub/cpu/io.h>

 #include <grub/i18n.h>

 #include <grub/lockdown.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -119,6 +120,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)

 GRUB_MOD_INIT(memrw)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_read_byte =

     grub_register_extcmd ("inb", grub_cmd_read, 0,

 			  N_("PORT"), N_("Read 8-bit value from PORT."),

@@ -147,6 +151,9 @@ GRUB_MOD_INIT(memrw)

 GRUB_MOD_FINI(memrw)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_extcmd (cmd_read_byte);

   grub_unregister_extcmd (cmd_read_word);

   grub_unregister_extcmd (cmd_read_dword);

diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c

index d401a6db0ef..39cf3a06dbd 100644

--- a/grub-core/commands/memrw.c

+++ b/grub-core/commands/memrw.c

@@ -23,6 +23,7 @@

 #include <grub/env.h>

 #include <grub/i18n.h>

 #include <grub/lockdown.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -121,6 +122,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)

 GRUB_MOD_INIT(memrw)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_read_byte =

     grub_register_extcmd ("read_byte", grub_cmd_read, 0,

 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),

@@ -149,6 +153,9 @@ GRUB_MOD_INIT(memrw)

 GRUB_MOD_FINI(memrw)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_extcmd (cmd_read_byte);

   grub_unregister_extcmd (cmd_read_word);

   grub_unregister_extcmd (cmd_read_dword);

diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c

index b7149370950..7afb9e6f724 100644

--- a/grub-core/kern/dl.c

+++ b/grub-core/kern/dl.c

@@ -32,6 +32,7 @@

 #include <grub/env.h>

 #include <grub/cache.h>

 #include <grub/i18n.h>

+#include <grub/efi/sb.h>

 /* Platforms where modules are in a readonly area of memory.  */

 #if defined(GRUB_MACHINE_QEMU)

@@ -704,7 +705,7 @@ grub_dl_load_file (const char *filename)

   grub_dl_t mod = 0;

 #ifdef GRUB_MACHINE_EFI

-  if (grub_efi_secure_boot ())

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

     {

 #if 0

       /* This is an error, but grub2-mkconfig still generates a pile of

diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c

index 4a2259aa1c7..8cff7be0289 100644

--- a/grub-core/kern/efi/efi.c

+++ b/grub-core/kern/efi/efi.c

@@ -286,40 +286,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,

   return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);

 }

-grub_efi_boolean_t

-grub_efi_secure_boot (void)

-{

-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;

-  grub_size_t datasize;

-  char *secure_boot = NULL;

-  char *setup_mode = NULL;

-  grub_efi_boolean_t ret = 0;

-

-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);

-  if (datasize != 1 || !secure_boot)

-    {

-      grub_dprintf ("secureboot", "No SecureBoot variable\n");

-      goto out;

-    }

-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);

-

-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);

-  if (datasize != 1 || !setup_mode)

-    {

-      grub_dprintf ("secureboot", "No SetupMode variable\n");

-      goto out;

-    }

-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);

-

-  if (*secure_boot && !*setup_mode)

-    ret = 1;

-

- out:

-  grub_free (secure_boot);

-  grub_free (setup_mode);

-  return ret;

-}

-

 #pragma GCC diagnostic ignored "-Wcast-align"

 /* Search the mods section from the PE32/PE32+ image. This code uses

diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c

index 74888c463ba..585f2b57385 100644

--- a/grub-core/loader/efi/appleloader.c

+++ b/grub-core/loader/efi/appleloader.c

@@ -24,6 +24,7 @@

 #include <grub/misc.h>

 #include <grub/efi/api.h>

 #include <grub/efi/efi.h>

+#include <grub/efi/sb.h>

 #include <grub/command.h>

 #include <grub/i18n.h>

@@ -227,6 +228,9 @@ static grub_command_t cmd;

 GRUB_MOD_INIT(appleloader)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,

 			       N_("[OPTS]"),

 			       /* TRANSLATORS: This command is used on EFI to

@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)

 GRUB_MOD_FINI(appleloader)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_command (cmd);

 }

diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c

index b54cf6986fc..3ff305b1d32 100644

--- a/grub-core/loader/efi/chainloader.c

+++ b/grub-core/loader/efi/chainloader.c

@@ -34,6 +34,7 @@

 #include <grub/efi/disk.h>

 #include <grub/efi/pe32.h>

 #include <grub/efi/linux.h>

+#include <grub/efi/sb.h>

 #include <grub/command.h>

 #include <grub/i18n.h>

 #include <grub/net.h>

diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c

index 5f3290ce17b..54befc26626 100644

--- a/grub-core/loader/i386/bsd.c

+++ b/grub-core/loader/i386/bsd.c

@@ -40,6 +40,7 @@

 #ifdef GRUB_MACHINE_PCBIOS

 #include <grub/machine/int.h>

 #endif

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -2137,6 +2138,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;

 GRUB_MOD_INIT (bsd)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   /* Net and OpenBSD kernels are often compressed.  */

   grub_dl_load ("gzio");

@@ -2176,6 +2180,9 @@ GRUB_MOD_INIT (bsd)

 GRUB_MOD_FINI (bsd)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_extcmd (cmd_freebsd);

   grub_unregister_extcmd (cmd_openbsd);

   grub_unregister_extcmd (cmd_netbsd);

diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c

index dccf3bb3005..4aeb0e4b9a6 100644

--- a/grub-core/loader/i386/linux.c

+++ b/grub-core/loader/i386/linux.c

@@ -37,6 +37,7 @@

 #include <grub/linux.h>

 #include <grub/machine/kernel.h>

 #include <grub/safemath.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -1138,6 +1139,9 @@ static grub_command_t cmd_linux, cmd_initrd;

 GRUB_MOD_INIT(linux)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_linux = grub_register_command ("linux", grub_cmd_linux,

 				     0, N_("Load Linux."));

   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,

@@ -1147,6 +1151,9 @@ GRUB_MOD_INIT(linux)

 GRUB_MOD_FINI(linux)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_command (cmd_linux);

   grub_unregister_command (cmd_initrd);

 }

diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c

index 4b1750e360e..e3fa1221e81 100644

--- a/grub-core/loader/i386/pc/linux.c

+++ b/grub-core/loader/i386/pc/linux.c

@@ -36,6 +36,7 @@

 #include <grub/lib/cmdline.h>

 #include <grub/linux.h>

 #include <grub/safemath.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -487,6 +488,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;

 GRUB_MOD_INIT(linux16)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_linux =

     grub_register_command ("linux", grub_cmd_linux,

 			   0, N_("Load Linux."));

@@ -504,6 +508,9 @@ GRUB_MOD_INIT(linux16)

 GRUB_MOD_FINI(linux16)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_command (cmd_linux);

   grub_unregister_command (cmd_linux16);

   grub_unregister_command (cmd_initrd);

diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c

index facb13f3d36..47e481f4576 100644

--- a/grub-core/loader/multiboot.c

+++ b/grub-core/loader/multiboot.c

@@ -50,6 +50,7 @@

 #include <grub/video.h>

 #include <grub/memory.h>

 #include <grub/i18n.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -444,6 +445,9 @@ static grub_command_t cmd_multiboot, cmd_module;

 GRUB_MOD_INIT(multiboot)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_multiboot =

 #ifdef GRUB_USE_MULTIBOOT2

     grub_register_command ("multiboot2", grub_cmd_multiboot,

@@ -464,6 +468,9 @@ GRUB_MOD_INIT(multiboot)

 GRUB_MOD_FINI(multiboot)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   grub_unregister_command (cmd_multiboot);

   grub_unregister_command (cmd_module);

 }

diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c

index 1c0cf6a430a..baa54e652ab 100644

--- a/grub-core/loader/xnu.c

+++ b/grub-core/loader/xnu.c

@@ -35,6 +35,7 @@

 #include <grub/i18n.h>

 #include <grub/verify.h>

 #include <grub/safemath.h>

+#include <grub/efi/sb.h>

 GRUB_MOD_LICENSE ("GPLv3+");

@@ -1497,6 +1498,9 @@ static grub_extcmd_t cmd_splash;

 GRUB_MOD_INIT(xnu)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,

 				      N_("Load XNU image."));

   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,

@@ -1540,6 +1544,9 @@ GRUB_MOD_INIT(xnu)

 GRUB_MOD_FINI(xnu)

 {

+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)

+    return;

+

 #ifndef GRUB_MACHINE_EMU

   grub_unregister_command (cmd_resume);

 #endif

diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h

index 6295df85f3f..585fa6662b6 100644

--- a/include/grub/efi/efi.h

+++ b/include/grub/efi/efi.h

@@ -91,7 +91,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,

 				     const grub_efi_guid_t *guid,

 				     void *data,

 				     grub_size_t datasize);

-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);

 int

 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,

 					     const grub_efi_device_path_t *dp2);

diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h

new file mode 100644

index 00000000000..e69de29bb2d

diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h

new file mode 100644

index 00000000000..e69de29bb2d

diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h

new file mode 100644

index 00000000000..e69de29bb2d

diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h

new file mode 100644

index 00000000000..e69de29bb2d