nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Date: Mon, 28 Sep 2020 20:08:29 +0200
9723a8
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
9723a8
9723a8
If the UEFI Secure Boot is enabled then the GRUB must be locked down
9723a8
to prevent executing code that can potentially be used to subvert its
9723a8
verification mechanisms.
9723a8
9723a8
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/kern/efi/init.c | 19 +++++++++++++++++++
9723a8
 1 file changed, 19 insertions(+)
9723a8
9723a8
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
9723a8
index 79243b364a1..97bf36906a4 100644
9723a8
--- a/grub-core/kern/efi/init.c
9723a8
+++ b/grub-core/kern/efi/init.c
9723a8
@@ -20,6 +20,8 @@
9723a8
 #include <grub/efi/efi.h>
9723a8
 #include <grub/efi/console.h>
9723a8
 #include <grub/efi/disk.h>
9723a8
+#include <grub/efi/sb.h>
9723a8
+#include <grub/lockdown.h>
9723a8
 #include <grub/term.h>
9723a8
 #include <grub/misc.h>
9723a8
 #include <grub/env.h>
9723a8
@@ -93,6 +95,23 @@ grub_efi_init (void)
9723a8
   /* Initialize the memory management system.  */
9723a8
   grub_efi_mm_init ();
9723a8
 
9723a8
+  /*
9723a8
+   * Lockdown the GRUB and register the shim_lock verifier
9723a8
+   * if the UEFI Secure Boot is enabled.
9723a8
+   */
9723a8
+  if (grub_efi_secure_boot ())
9723a8
+    {
9723a8
+      grub_lockdown ();
9723a8
+
9723a8
+      /*
9723a8
+       * TODO: Move GRUB to using the shim_lock verifier and
9723a8
+       * enable the lockdown verifier.
9723a8
+       */
9723a8
+#if 0
9723a8
+      grub_shim_lock_verifier_setup ();
9723a8
+#endif
9723a8
+    }
9723a8
+
9723a8
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
9723a8
 	      0, 0, 0, NULL);
9723a8