Blame SOURCES/0338-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b1bcb2
From: Javier Martinez Canillas <javierm@redhat.com>
b1bcb2
Date: Mon, 28 Sep 2020 20:08:29 +0200
b1bcb2
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
b1bcb2
b1bcb2
If the UEFI Secure Boot is enabled then the GRUB must be locked down
b1bcb2
to prevent executing code that can potentially be used to subvert its
b1bcb2
verification mechanisms.
b1bcb2
b1bcb2
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
b1bcb2
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
b1bcb2
---
b1bcb2
 grub-core/kern/efi/init.c | 19 +++++++++++++++++++
b1bcb2
 1 file changed, 19 insertions(+)
b1bcb2
b1bcb2
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
b1bcb2
index e8bf993f6d4..ed33201f12a 100644
b1bcb2
--- a/grub-core/kern/efi/init.c
b1bcb2
+++ b/grub-core/kern/efi/init.c
b1bcb2
@@ -20,6 +20,8 @@
b1bcb2
 #include <grub/efi/efi.h>
b1bcb2
 #include <grub/efi/console.h>
b1bcb2
 #include <grub/efi/disk.h>
b1bcb2
+#include <grub/efi/sb.h>
b1bcb2
+#include <grub/lockdown.h>
b1bcb2
 #include <grub/term.h>
b1bcb2
 #include <grub/misc.h>
b1bcb2
 #include <grub/env.h>
b1bcb2
@@ -70,6 +72,23 @@ grub_efi_init (void)
b1bcb2
   /* Initialize the memory management system.  */
b1bcb2
   grub_efi_mm_init ();
b1bcb2
 
b1bcb2
+  /*
b1bcb2
+   * Lockdown the GRUB and register the shim_lock verifier
b1bcb2
+   * if the UEFI Secure Boot is enabled.
b1bcb2
+   */
b1bcb2
+  if (grub_efi_secure_boot ())
b1bcb2
+    {
b1bcb2
+      grub_lockdown ();
b1bcb2
+
b1bcb2
+      /*
b1bcb2
+       * TODO: Move GRUB to using the shim_lock verifier and
b1bcb2
+       * enable the lockdown verifier.
b1bcb2
+       */
b1bcb2
+#if 0
b1bcb2
+      grub_shim_lock_verifier_setup ();
b1bcb2
+#endif
b1bcb2
+    }
b1bcb2
+
b1bcb2
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
b1bcb2
 	      0, 0, 0, NULL);
b1bcb2