diff --git a/grub2-secureboot-no-insmod-on-sb.patch b/grub2-secureboot-no-insmod-on-sb.patch index ddd895c..16f3821 100644 --- a/grub2-secureboot-no-insmod-on-sb.patch +++ b/grub2-secureboot-no-insmod-on-sb.patch @@ -1,47 +1,53 @@ -From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Wed, 15 Aug 2012 09:53:05 -0400 -Subject: [PATCH] Don't permit insmod on secure boot +From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Tue, 23 Oct 2012 10:40:49 -0400 +Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled. References: fate#314485 Patch-Mainline: no 
Signed-off-by: Michael Chang --- - grub-core/kern/corecmd.c | 9 +++++++++ + grub-core/kern/dl.c | 17 +++++++++++++++++ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ include/grub/efi/efi.h | 1 + - 3 files changed, 38 insertions(+) + 3 files changed, 46 insertions(+) -Index: grub-2.00/grub-core/kern/corecmd.c +Index: grub-2.00/grub-core/kern/dl.c =================================================================== ---- grub-2.00.orig/grub-core/kern/corecmd.c -+++ grub-2.00/grub-core/kern/corecmd.c -@@ -28,6 +28,10 @@ - #include - #include +--- grub-2.00.orig/grub-core/kern/dl.c ++++ grub-2.00/grub-core/kern/dl.c +@@ -42,6 +42,10 @@ + #include + #endif +#ifdef GRUB_MACHINE_EFI +#include +#endif + - /* set ENVVAR=VALUE */ - static grub_err_t - grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)), -@@ -75,6 +79,13 @@ grub_core_cmd_insmod (struct grub_comman - { - grub_dl_t mod; + + + #pragma GCC diagnostic ignored "-Wcast-align" +@@ -665,6 +669,19 @@ grub_dl_load_file (const char *filename) + void *core = 0; + grub_dl_t mod = 0; +#ifdef GRUB_MACHINE_EFI -+ if (grub_efi_secure_boot()) { -+ //grub_printf("%s\n", N_("Secure Boot forbids insmod")); -+ return 0; -+ } ++ if (grub_efi_secure_boot ()) ++ { ++#if 0 ++ /* This is an error, but grub2-mkconfig still generates a pile of ++ * insmod commands, so emitting it would be mostly just obnoxious. */ ++ grub_error (GRUB_ERR_ACCESS_DENIED, ++ "Secure Boot forbids loading module from %s", filename); ++#endif ++ return 0; ++ } +#endif + - if (argc == 0) - return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); - + file = grub_file_open (filename); + if (! file) + return 0; Index: grub-2.00/grub-core/kern/efi/efi.c =================================================================== --- grub-2.00.orig/grub-core/kern/efi/efi.c diff --git a/grub2.changes b/grub2.changes index 187b7be..7a93635 100644 --- a/grub2.changes +++ b/grub2.changes 
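Review bot: The `#if 0` block in the new `grub_dl_load_file` check leaves a Secure Boot refusal completely silent: the function returns 0 without setting `grub_errno`, so a caller only sees a quietly missing module and an operator cannot distinguish a denied load from a module that was never requested. Rather than carrying dead code, replace the `#if 0`/`#endif` pair with a debug trace such as `grub_dprintf ("dl", "Secure Boot: refusing to load module %s\n", filename);`, which keeps the console quiet for the insmod lines grub2-mkconfig generates but is visible with `set debug=dl`. The accompanying comment can then state the intent directly: `/* Refuse silently: grub.cfg from grub2-mkconfig is full of insmod lines, and erroring on each would be noise. */`. The check relies on `grub_efi_secure_boot ()` from the efi.c hunk, which is outside this view, and `grub_dl_load_file` continues past the hunk; the `#include` lines in the hunk appear with their header names stripped here, presumably an extraction artifact.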
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Wed Sep 11 07:17:07 UTC 2013 - mchang@suse.com + +- use new update-bootloader option --reinit to install and update + bootloader config +- refresh grub2-secureboot-no-insmod-on-sb.patch to fobid module + loading completely. + ------------------------------------------------------------------- Mon Sep 9 09:22:34 UTC 2013 - lnussel@suse.de diff --git a/grub2.spec b/grub2.spec index 7fc0a32..adf0f20 100644 --- a/grub2.spec +++ b/grub2.spec @@ -457,7 +457,11 @@ if [ "x${LOADER_TYPE}" = "xgrub" ]; then elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then - # It's enought to call update-bootloader --refesh to install grub2 and update it's config + # It's enought to call update-bootloader to install grub2 and update it's config + # Use new --reinit, if not available use --refresh + # --reinit: install and update bootloader config + # --refresh: update bootloader config + /sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' && /sbin/update-bootloader --refresh || true fi %endif @@ -481,7 +485,11 @@ if [ "x${LOADER_TYPE}" = "xgrub2-efi" ]; then fi - # It's enough to call update-bootloader --refesh to install grub2 and update it's config + # It's enough to call update-bootloader to install grub2 and update it's config + # Use new --reinit, if not available use --refresh + # --reinit: install and update bootloader config + # --refresh: update bootloader config + /sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' && /sbin/update-bootloader --refresh || true fi
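Review bot: The new `update-bootloader` line in the `%post` scriptlet discards every failure: the pipeline's status is that of `grep -q`, so a `--reinit` that fails for any reason other than the option being unknown (a real install error) makes `grep` miss, runs `--refresh` as if the option were merely unsupported, and the trailing `|| true` hides that as well, while `2>&1 | grep -q` swallows the output that would have explained it. The identical line is added in the `xgrub2-efi` branch in the second hunk (`@@ -481,7 +485,11 @@`), which needs the same treatment. Capturing the output once, falling back to `--refresh` only on the 'Unknown option' case, and printing the error otherwise keeps the scriptlet non-fatal but leaves failures visible in the install log. The change also carries the existing typos `enought` and `it's config` into the new comment. The `if`/`elif` chain around both hunks starts and ends outside the view.
```shell
elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then
    # … unchanged: --reinit/--refresh comments …
    if ! out=$(/sbin/update-bootloader --reinit 2>&1); then
        if printf '%s\n' "$out" | grep -q 'Unknown option: reinit'; then
            /sbin/update-bootloader --refresh || true
        else
            printf '%s\n' "$out" >&2
        fi
    fi
```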