ad4c1853ad
- ship a Secure Boot UEFI compatible bootloader (fate#314485) - added secureboot patches which introduces new linuxefi module that is able to perform verifying signed images via exported protocol from shim. The insmod command will not function if secure boot enabled (as all modules should built in grub.efi and signed). - grub2-secureboot-add-linuxefi.patch - grub2-secureboot-use-linuxefi-on-uefi.patch - grub2-secureboot-no-insmod-on-sb.patch - grub2-secureboot-provide-linuxefi-config.patch - Makefile.core.am : support building linuxefi module - Make grub.efi image that is with all relevant modules incorporated and signed, it will be the second stage to the shim loader which will verified it when secureboot enabled. - Make grub.efi's path to align with shim loader's default loader lookup path. - The changes has been verified not affecting any factory instalation, but will allow us to run & test secure boot setup manually with shim. (forwarded request 143007 from michael-chang) OBS-URL: https://build.opensuse.org/request/show/143018 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=52
96 lines
2.8 KiB
Diff
96 lines
2.8 KiB
Diff
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
|
|
From: Matthew Garrett <mjg@redhat.com>
|
|
Date: Wed, 15 Aug 2012 09:53:05 -0400
|
|
Subject: [PATCH] Don't permit insmod on secure boot
|
|
|
|
References: fate#314485
|
|
Patch-Mainline: no
|
|
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/kern/corecmd.c | 9 +++++++++
|
|
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
|
include/grub/efi/efi.h | 1 +
|
|
3 files changed, 38 insertions(+)
|
|
|
|
Index: grub-2.00/grub-core/kern/corecmd.c
|
|
===================================================================
|
|
--- grub-2.00.orig/grub-core/kern/corecmd.c
|
|
+++ grub-2.00/grub-core/kern/corecmd.c
|
|
@@ -28,6 +28,10 @@
|
|
#include <grub/command.h>
|
|
#include <grub/i18n.h>
|
|
|
|
+#ifdef GRUB_MACHINE_EFI
|
|
+#include <grub/efi/efi.h>
|
|
+#endif
|
|
+
|
|
/* set ENVVAR=VALUE */
|
|
static grub_err_t
|
|
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
|
|
@@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_comman
|
|
{
|
|
grub_dl_t mod;
|
|
|
|
+#ifdef GRUB_MACHINE_EFI
|
|
+ if (grub_efi_secure_boot()) {
|
|
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
|
|
+ return 0;
|
|
+ }
|
|
+#endif
|
|
+
|
|
if (argc == 0)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
|
|
|
Index: grub-2.00/grub-core/kern/efi/efi.c
|
|
===================================================================
|
|
--- grub-2.00.orig/grub-core/kern/efi/efi.c
|
|
+++ grub-2.00/grub-core/kern/efi/efi.c
|
|
@@ -229,6 +229,34 @@ grub_efi_get_variable (const char *var,
|
|
return NULL;
|
|
}
|
|
|
|
+grub_efi_boolean_t
|
|
+grub_efi_secure_boot (void)
|
|
+{
|
|
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
|
|
+ grub_size_t datasize;
|
|
+ char *secure_boot = NULL;
|
|
+ char *setup_mode = NULL;
|
|
+ grub_efi_boolean_t ret = 0;
|
|
+
|
|
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
|
|
+
|
|
+ if (datasize != 1 || !secure_boot)
|
|
+ goto out;
|
|
+
|
|
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
|
|
+
|
|
+ if (datasize != 1 || !setup_mode)
|
|
+ goto out;
|
|
+
|
|
+ if (*secure_boot && !*setup_mode)
|
|
+ ret = 1;
|
|
+
|
|
+ out:
|
|
+ grub_free (secure_boot);
|
|
+ grub_free (setup_mode);
|
|
+ return ret;
|
|
+}
|
|
+
|
|
#pragma GCC diagnostic ignored "-Wcast-align"
|
|
|
|
/* Search the mods section from the PE32/PE32+ image. This code uses
|
|
Index: grub-2.00/include/grub/efi/efi.h
|
|
===================================================================
|
|
--- grub-2.00.orig/include/grub/efi/efi.h
|
|
+++ grub-2.00/include/grub/efi/efi.h
|
|
@@ -67,6 +67,7 @@ grub_err_t EXPORT_FUNC (grub_efi_set_vir
|
|
void *EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
|
|
const grub_efi_guid_t *guid,
|
|
grub_size_t *datasize_out);
|
|
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
|
|
int
|
|
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
|
|
const grub_efi_device_path_t *dp2);
|