grub2/grub2-secureboot-no-insmod-on-sb.patch
Stephan Kulow ad4c1853ad Accepting request 143018 from devel:openSUSE:Factory
- ship a Secure Boot UEFI compatible bootloader (fate#314485)
- added secureboot patches which introduce a new linuxefi module
  that is able to verify signed images via the protocol exported
  by shim. The insmod command will not function if secure boot
  is enabled (as all modules should be built into grub.efi
  and signed).
  - grub2-secureboot-add-linuxefi.patch
  - grub2-secureboot-use-linuxefi-on-uefi.patch
  - grub2-secureboot-no-insmod-on-sb.patch
  - grub2-secureboot-provide-linuxefi-config.patch
- Makefile.core.am : support building linuxefi module
- Make grub.efi image that is with all relevant modules incorporated
  and signed, it will be the second stage to the shim loader which
  will verified it when secureboot enabled.
- Make grub.efi's path to align with shim loader's default loader
  lookup path.
- The changes has been verified not affecting any factory instalation,
  but will allow us to run & test secure boot setup manually with shim. (forwarded request 143007 from michael-chang)

OBS-URL: https://build.opensuse.org/request/show/143018
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=52
2012-11-28 09:34:03 +00:00


From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Wed, 15 Aug 2012 09:53:05 -0400
Subject: [PATCH] Don't permit insmod on secure boot
References: fate#314485
Patch-Mainline: no
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/corecmd.c | 9 +++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 38 insertions(+)
Index: grub-2.00/grub-core/kern/corecmd.c
===================================================================
--- grub-2.00.orig/grub-core/kern/corecmd.c
+++ grub-2.00/grub-core/kern/corecmd.c
@@ -28,6 +28,10 @@
#include <grub/command.h>
#include <grub/i18n.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
/* set ENVVAR=VALUE */
static grub_err_t
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
@@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_comman
{
grub_dl_t mod;
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot()) {
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
+ return 0;
+ }
+#endif
+
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
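Review bot: The Secure Boot branch added to grub_core_cmd_insmod returns 0, which is the success code, and its only diagnostic is commented out, so a refused `insmod` is indistinguishable from a completed one for the user and for any script that tests the result. If silent success is deliberate so that existing grub.cfg files containing `insmod` lines keep booting, replace the dead `//grub_printf` line with a comment saying so; otherwise report the refusal, e.g. `return grub_error (GRUB_ERR_ACCESS_DENIED, N_("Secure Boot forbids insmod"));`. The check also sits in the command handler rather than in the module loader, so whether other callers of the loader are covered cannot be judged from this hunk and is worth confirming. The function body continues past the end of the hunk.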
Index: grub-2.00/grub-core/kern/efi/efi.c
===================================================================
--- grub-2.00.orig/grub-core/kern/efi/efi.c
+++ grub-2.00/grub-core/kern/efi/efi.c
@@ -229,6 +229,34 @@ grub_efi_get_variable (const char *var,
return NULL;
}
+grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !secure_boot)
+ goto out;
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !setup_mode)
+ goto out;
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+}
+
#pragma GCC diagnostic ignored "-Wcast-align"
/* Search the mods section from the PE32/PE32+ image. This code uses
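Review bot: Every failure path in grub_efi_secure_boot() returns 0, so an allocation or firmware error while reading `SecureBoot` or `SetupMode` is reported the same way as Secure Boot being off, and the insmod guard that relies on this function then stays open. In addition, `datasize` is declared without an initializer and tested before the pointer in `if (datasize != 1 || !secure_boot)`. Unless grub_efi_get_variable() always writes `*datasize_out` (only its tail is visible here), that reads an indeterminate value; `grub_size_t datasize = 0;` together with `if (!secure_boot || datasize != 1)` removes the dependency. A header comment should state the contract: it returns 1 only when `SecureBoot` is non-zero and `SetupMode` is zero, and 0 when either variable is missing, unreadable or not one byte long. That way callers know the result is fail-open.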
Index: grub-2.00/include/grub/efi/efi.h
===================================================================
--- grub-2.00.orig/include/grub/efi/efi.h
+++ grub-2.00/include/grub/efi/efi.h
@@ -67,6 +67,7 @@ grub_err_t EXPORT_FUNC (grub_efi_set_vir
void *EXPORT_FUNC (grub_efi_get_variable) (const char *variable,
const grub_efi_guid_t *guid,
grub_size_t *datasize_out);
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
int
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
const grub_efi_device_path_t *dp2);