pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
c1df6c7a1f
grub2/grub2-secureboot-no-insmod-on-sb.patch
Michael Chang 62e3547e57 Accepting request 741033 from home:michael-chang:devel 
- Version bump to 2.04
  * removed
    - translations-20170427.tar.xz
  * grub2.spec
    - Make signed grub-tpm.efi specific to x86_64-efi build, the platform
      currently shipped with tpm module from upstream codebase
    - Add shim_lock to signed grub.efi in x86_64-efi build
    - x86_64: linuxefi now depends on linux, both will verify kernel via
      shim_lock
    - Remove translation tarball and po file hacks as it's been included in
      upstream tarball
  * rediff
    - grub2-setup-try-fs-embed-if-mbr-gap-too-small.patch
    - grub2-commands-introduce-read_file-subcommand.patch
    - grub2-secureboot-add-linuxefi.patch
    - 0001-add-support-for-UEFI-network-protocols.patch
    - grub2-efi-HP-workaround.patch
    - grub2-secureboot-install-signed-grub.patch
    - grub2-linux.patch
    - use-grub2-as-a-package-name.patch
    - grub2-pass-corret-root-for-nfsroot.patch
    - grub2-secureboot-use-linuxefi-on-uefi.patch
    - grub2-secureboot-no-insmod-on-sb.patch
    - grub2-secureboot-provide-linuxefi-config.patch
    - grub2-secureboot-chainloader.patch
    - grub2-s390x-01-Changes-made-and-files-added-in-order-to-allow-s390x.patch
    - grub2-s390x-02-kexec-module-added-to-emu.patch
    - grub2-s390x-04-grub2-install.patch
    - grub2-btrfs-01-add-ability-to-boot-from-subvolumes.patch
    - grub2-efi-chainloader-root.patch

OBS-URL: https://build.opensuse.org/request/show/741033
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=340
2019-10-18 10:18:53 +00:00

102 lines
3.0 KiB
Diff
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
References: fate#314485
Patch-Mainline: no
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 46 insertions(+)
Index: grub-2.04~rc1/grub-core/kern/dl.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/kern/dl.c
+++ grub-2.04~rc1/grub-core/kern/dl.c
@@ -38,6 +38,10 @@
#define GRUB_MODULES_MACHINE_READONLY
#endif
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -688,6 +692,19 @@ grub_dl_load_file (const char *filename)
grub_boot_time ("Loading module %s", filename);
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0;
+ }
+#endif
+
file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
if (! file)
return 0;
Index: grub-2.04~rc1/grub-core/kern/efi/efi.c
===================================================================
--- grub-2.04~rc1.orig/grub-core/kern/efi/efi.c
+++ grub-2.04~rc1/grub-core/kern/efi/efi.c
@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var,
return NULL;
}
+grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !secure_boot)
+ goto out;
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+ if (datasize != 1 || !setup_mode)
+ goto out;
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+}
+
#pragma GCC diagnostic ignored "-Wcast-align"
/* Search the mods section from the PE32/PE32+ image. This code uses
Index: grub-2.04~rc1/include/grub/efi/efi.h
===================================================================
--- grub-2.04~rc1.orig/include/grub/efi/efi.h
+++ grub-2.04~rc1/include/grub/efi/efi.h
@@ -85,6 +85,7 @@ EXPORT_FUNC (grub_efi_set_variable) (con
const grub_efi_guid_t *guid,
void *data,
grub_size_t datasize);
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
int
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
const grub_efi_device_path_t *dp2);
Reference in New Issue View Git Blame Copy Permalink