nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0375-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch

468bd4
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
468bd4
From: Javier Martinez Canillas <javierm@redhat.com>
468bd4
Date: Mon, 28 Sep 2020 20:08:29 +0200
468bd4
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
468bd4
468bd4
If the UEFI Secure Boot is enabled then the GRUB must be locked down
468bd4
to prevent executing code that can potentially be used to subvert its
468bd4
verification mechanisms.
468bd4
468bd4
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
468bd4
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
468bd4
---
468bd4
 grub-core/kern/efi/init.c | 19 +++++++++++++++++++
468bd4
 1 file changed, 19 insertions(+)
468bd4
468bd4
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
468bd4
index 79243b364a1..97bf36906a4 100644
468bd4
--- a/grub-core/kern/efi/init.c
468bd4
+++ b/grub-core/kern/efi/init.c
468bd4
@@ -20,6 +20,8 @@
468bd4
 #include <grub/efi/efi.h>
468bd4
 #include <grub/efi/console.h>
468bd4
 #include <grub/efi/disk.h>
468bd4
+#include <grub/efi/sb.h>
468bd4
+#include <grub/lockdown.h>
468bd4
 #include <grub/term.h>
468bd4
 #include <grub/misc.h>
468bd4
 #include <grub/env.h>
468bd4
@@ -93,6 +95,23 @@ grub_efi_init (void)
468bd4
   /* Initialize the memory management system.  */
468bd4
   grub_efi_mm_init ();
468bd4
 
468bd4
+  /*
468bd4
+   * Lockdown the GRUB and register the shim_lock verifier
468bd4
+   * if the UEFI Secure Boot is enabled.
468bd4
+   */
468bd4
+  if (grub_efi_secure_boot ())
468bd4
+    {
468bd4
+      grub_lockdown ();
468bd4
+
468bd4
+      /*
468bd4
+       * TODO: Move GRUB to using the shim_lock verifier and
468bd4
+       * enable the lockdown verifier.
468bd4
+       */
468bd4
+#if 0
468bd4
+      grub_shim_lock_verifier_setup ();
468bd4
+#endif
468bd4
+    }
468bd4
+
468bd4
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
468bd4
 	      0, 0, 0, NULL);
468bd4