pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
factory
grub2/grub2-secureboot-no-insmod-on-sb.patch
Michael Chang 8ee92f5194 Accepting request 1105405 from home:michael-chang:grub:2.12rc1 
- Implement NV index mode for TPM 2.0 key protector
  0001-protectors-Implement-NV-index.patch
- Fall back to passphrase mode when the key protector fails to
  unlock the disk
  0002-cryptodisk-Fallback-to-passphrase.patch
- Wipe out the cached key cleanly
  0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
- Make diskfiler to look up cryptodisk devices first
  0004-diskfilter-look-up-cryptodisk-devices-first.patch

- Version bump to 2.12~rc1
  * Added:
    - grub-2.12~rc1.tar.xz
  * Removed:
    - grub-2.06.tar.xz
  * Patch dropped merged by new version:
    - grub2-GRUB_CMDLINE_LINUX_RECOVERY-for-recovery-mode.patch
    - grub2-s390x-02-kexec-module-added-to-emu.patch
    - grub2-efi-chainloader-root.patch
    - grub2-Fix-incorrect-netmask-on-ppc64.patch
    - 0001-osdep-Introduce-include-grub-osdep-major.h-and-use-i.patch
    - 0002-osdep-linux-hostdisk-Use-stat-instead-of-udevadm-for.patch
    - 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch
    - grub2-s390x-10-keep-network-at-kexec.patch
    - 0001-Fix-build-error-in-binutils-2.36.patch
    - 0001-emu-fix-executable-stack-marking.patch
    - 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
    - 0001-30_uefi-firmware-fix-printf-format-with-null-byte.patch
    - 0001-tpm-Pass-unknown-error-as-non-fatal-but-debug-print-.patch
    - 0001-Filter-out-POSIX-locale-for-translation.patch

OBS-URL: https://build.opensuse.org/request/show/1105405
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=458
2023-08-24 03:25:56 +00:00

52 lines
1.3 KiB
Diff
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
References: fate#314485
Patch-Mainline: no
v2:
Use grub_efi_get_secureboot to get secure boot status
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 46 insertions(+)
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -38,6 +38,10 @@
#define GRUB_MODULES_MACHINE_READONLY
#endif
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/sb.h>
+#endif
+
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -708,6 +712,19 @@
grub_boot_time ("Loading module %s", filename);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0;
+ }
+#endif
+
file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
if (! file)
return 0;
Reference in New Issue View Git Blame Copy Permalink