grub2/grub2-secureboot-no-insmod-on-sb.patch
Michael Chang a3bdb368a2 Accepting request 904721 from home:michael-chang:grub:2.06
- Version bump to 2.06
  * rediff
    - 0001-add-support-for-UEFI-network-protocols.patch
    - 0002-net-read-bracketed-ipv6-addrs-and-port-numbers.patch
    - 0003-Make-grub_error-more-verbose.patch
    - 0003-bootp-New-net_bootp6-command.patch
    - 0005-grub.texi-Add-net_bootp6-doument.patch
    - 0006-bootp-Add-processing-DHCPACK-packet-from-HTTP-Boot.patch
    - 0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
    - 0008-efinet-Setting-DNS-server-from-UEFI-protocol.patch
    - 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
    - grub-install-force-journal-draining-to-ensure-data-i.patch
    - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
    - grub2-diskfilter-support-pv-without-metadatacopies.patch
    - grub2-efi-HP-workaround.patch
    - grub2-efi-xen-cfg-unquote.patch
    - grub2-efi-xen-chainload.patch
    - grub2-fix-menu-in-xen-host-server.patch
    - grub2-gfxmenu-support-scrolling-menu-entry-s-text.patch
    - grub2-install-remove-useless-check-PReP-partition-is-empty.patch
    - grub2-lvm-allocate-metadata-buffer-from-raw-contents.patch
    - grub2-mkconfig-default-entry-correction.patch
    - grub2-pass-corret-root-for-nfsroot.patch
    - grub2-s390x-03-output-7-bit-ascii.patch
    - grub2-s390x-04-grub2-install.patch
    - grub2-secureboot-install-signed-grub.patch
    - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
    - use-grub2-as-a-package-name.patch
  * update by patch squashed:
    - 0001-Add-support-for-Linux-EFI-stub-loading-on-aarch64.patch

OBS-URL: https://build.opensuse.org/request/show/904721
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=386
2021-07-08 09:03:14 +00:00



From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
References: fate#314485
Patch-Mainline: no
v2:
Use grub_efi_get_secureboot to get secure boot status
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 46 insertions(+)
Index: grub-2.04/grub-core/kern/dl.c
===================================================================
--- grub-2.04.orig/grub-core/kern/dl.c
+++ grub-2.04/grub-core/kern/dl.c
@@ -38,6 +38,10 @@
#define GRUB_MODULES_MACHINE_READONLY
#endif
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/sb.h>
+#endif
+
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -688,6 +692,19 @@ grub_dl_load_file (const char *filename)
grub_boot_time ("Loading module %s", filename);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0;
+ }
+#endif
+
file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
if (! file)
return 0;
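Review bot: The refusal at the added `return 0;` leaves grub_errno untouched because the only grub_error call is compiled out under `#if 0`, so a caller that checks grub_errno rather than the returned pointer cannot distinguish a Secure Boot refusal from success, and the event leaves no trace for anyone diagnosing why a module never appeared. Keeping the refusal quiet for the generated insmod lines is a reasonable trade-off, but the block should at least report through the debug channel dl.c already uses, e.g. `grub_dprintf ("modules", "Secure Boot forbids loading module from %s\n", filename);` in place of the `#if 0` stanza, so the behaviour is observable with `set debug=modules` without being noisy by default. The compiled-out grub_error text is dead code and should be dropped or reduced to a comment explaining why no error is raised. Note that this guard sits only on the file-loading path; whether module images reaching the loader by other routes are refused is not shown in this hunk. grub_dl_load_file starts before this hunk and its body continues past it.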