pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
5e123d509e
grub2/grub2-secureboot-no-insmod-on-sb.patch
Stephan Kulow c4bfec4a4c Accepting request 212884 from Base:System 
I think it is good time to update to 2.02 so it can get more testing.
Although internal changes are pretty extensive, externally it should be
pretty much the same. The main user visible changes are

 - autogen is not used anymore, so we can finally simplify patches
   and recreate files during RPM build. So generated files need not be
   patched and shipped any more.

 - GRUB_HIDDEN_TIMEOUT is deprecated, we should use GRUB_TIMEOUT_STYLE
   instead. This will need perl-Bootloader and YaST changes. Old config
   is still accpepted so nothing should be broken.

 - native pvgrub2 support for Xen PV guests.

 - ARM support (32 and 64 bit), although it has rough edges. (forwarded request 212604 from arvidjaar)

OBS-URL: https://build.opensuse.org/request/show/212884
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=79
2014-01-10 20:19:21 +00:00

102 lines
3.0 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
References: fate#314485
Patch-Mainline: no
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 46 insertions(+)
Index: grub-2.02~beta2/grub-core/kern/dl.c
===================================================================
--- grub-2.02~beta2.orig/grub-core/kern/dl.c
+++ grub-2.02~beta2/grub-core/kern/dl.c
@@ -38,6 +38,10 @@
#define GRUB_MODULES_MACHINE_READONLY
#endif
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -682,6 +686,19 @@ grub_dl_load_file (const char *filename)
grub_boot_time ("Loading module %s", filename);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0;
+ }
+#endif
+
file = grub_file_open (filename);
if (! file)
return 0;
Index: grub-2.02~beta2/grub-core/kern/efi/efi.c
===================================================================
--- grub-2.02~beta2.orig/grub-core/kern/efi/efi.c
+++ grub-2.02~beta2/grub-core/kern/efi/efi.c
@@ -259,6 +259,34 @@ grub_efi_get_variable (const char *var,
return NULL;
}
+grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !secure_boot)
+ goto out;
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !setup_mode)
+ goto out;
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+}
+
#pragma GCC diagnostic ignored "-Wcast-align"
/* Search the mods section from the PE32/PE32+ image. This code uses
Index: grub-2.02~beta2/include/grub/efi/efi.h
===================================================================
--- grub-2.02~beta2.orig/include/grub/efi/efi.h
+++ grub-2.02~beta2/include/grub/efi/efi.h
@@ -72,6 +72,7 @@ EXPORT_FUNC (grub_efi_set_variable) (con
const grub_efi_guid_t *guid,
void *data,
grub_size_t datasize);
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
int
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
const grub_efi_device_path_t *dp2);
Reference in New Issue View Git Blame Copy Permalink