forked from pool/grub2
Accepting request 198441 from home:michael-chang:branches:Base:System
- use new update-bootloader option --reinit to install and update bootloader config - refresh grub2-secureboot-no-insmod-on-sb.patch to fobid module loading completely. OBS-URL: https://build.opensuse.org/request/show/198441 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=52
This commit is contained in:
parent
8c1f2f807a
commit
13bae16139
@ -1,47 +1,53 @@
|
|||||||
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
|
From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Colin Watson <cjwatson@ubuntu.com>
|
||||||
Date: Wed, 15 Aug 2012 09:53:05 -0400
|
Date: Tue, 23 Oct 2012 10:40:49 -0400
|
||||||
Subject: [PATCH] Don't permit insmod on secure boot
|
Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
|
||||||
|
|
||||||
References: fate#314485
|
References: fate#314485
|
||||||
Patch-Mainline: no
|
Patch-Mainline: no
|
||||||
|
|
||||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||||
---
|
---
|
||||||
grub-core/kern/corecmd.c | 9 +++++++++
|
grub-core/kern/dl.c | 17 +++++++++++++++++
|
||||||
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
||||||
include/grub/efi/efi.h | 1 +
|
include/grub/efi/efi.h | 1 +
|
||||||
3 files changed, 38 insertions(+)
|
3 files changed, 46 insertions(+)
|
||||||
|
|
||||||
Index: grub-2.00/grub-core/kern/corecmd.c
|
Index: grub-2.00/grub-core/kern/dl.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- grub-2.00.orig/grub-core/kern/corecmd.c
|
--- grub-2.00.orig/grub-core/kern/dl.c
|
||||||
+++ grub-2.00/grub-core/kern/corecmd.c
|
+++ grub-2.00/grub-core/kern/dl.c
|
||||||
@@ -28,6 +28,10 @@
|
@@ -42,6 +42,10 @@
|
||||||
#include <grub/command.h>
|
#include <sys/mman.h>
|
||||||
#include <grub/i18n.h>
|
#endif
|
||||||
|
|
||||||
+#ifdef GRUB_MACHINE_EFI
|
+#ifdef GRUB_MACHINE_EFI
|
||||||
+#include <grub/efi/efi.h>
|
+#include <grub/efi/efi.h>
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
/* set ENVVAR=VALUE */
|
|
||||||
static grub_err_t
|
|
||||||
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
|
#pragma GCC diagnostic ignored "-Wcast-align"
|
||||||
@@ -75,6 +79,13 @@ grub_core_cmd_insmod (struct grub_comman
|
@@ -665,6 +669,19 @@ grub_dl_load_file (const char *filename)
|
||||||
{
|
void *core = 0;
|
||||||
grub_dl_t mod;
|
grub_dl_t mod = 0;
|
||||||
|
|
||||||
+#ifdef GRUB_MACHINE_EFI
|
+#ifdef GRUB_MACHINE_EFI
|
||||||
+ if (grub_efi_secure_boot()) {
|
+ if (grub_efi_secure_boot ())
|
||||||
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
|
+ {
|
||||||
|
+#if 0
|
||||||
|
+ /* This is an error, but grub2-mkconfig still generates a pile of
|
||||||
|
+ * insmod commands, so emitting it would be mostly just obnoxious. */
|
||||||
|
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ "Secure Boot forbids loading module from %s", filename);
|
||||||
|
+#endif
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
if (argc == 0)
|
file = grub_file_open (filename);
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
if (! file)
|
||||||
|
return 0;
|
||||||
Index: grub-2.00/grub-core/kern/efi/efi.c
|
Index: grub-2.00/grub-core/kern/efi/efi.c
|
||||||
===================================================================
|
===================================================================
|
||||||
--- grub-2.00.orig/grub-core/kern/efi/efi.c
|
--- grub-2.00.orig/grub-core/kern/efi/efi.c
|
||||||
|
@ -1,3 +1,11 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Sep 11 07:17:07 UTC 2013 - mchang@suse.com
|
||||||
|
|
||||||
|
- use new update-bootloader option --reinit to install and update
|
||||||
|
bootloader config
|
||||||
|
- refresh grub2-secureboot-no-insmod-on-sb.patch to fobid module
|
||||||
|
loading completely.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Mon Sep 9 09:22:34 UTC 2013 - lnussel@suse.de
|
Mon Sep 9 09:22:34 UTC 2013 - lnussel@suse.de
|
||||||
|
|
||||||
|
12
grub2.spec
12
grub2.spec
@ -457,7 +457,11 @@ if [ "x${LOADER_TYPE}" = "xgrub" ]; then
|
|||||||
|
|
||||||
elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then
|
elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then
|
||||||
|
|
||||||
# It's enought to call update-bootloader --refesh to install grub2 and update it's config
|
# It's enought to call update-bootloader to install grub2 and update it's config
|
||||||
|
# Use new --reinit, if not available use --refresh
|
||||||
|
# --reinit: install and update bootloader config
|
||||||
|
# --refresh: update bootloader config
|
||||||
|
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
|
||||||
/sbin/update-bootloader --refresh || true
|
/sbin/update-bootloader --refresh || true
|
||||||
fi
|
fi
|
||||||
%endif
|
%endif
|
||||||
@ -481,7 +485,11 @@ if [ "x${LOADER_TYPE}" = "xgrub2-efi" ]; then
|
|||||||
|
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# It's enough to call update-bootloader --refesh to install grub2 and update it's config
|
# It's enough to call update-bootloader to install grub2 and update it's config
|
||||||
|
# Use new --reinit, if not available use --refresh
|
||||||
|
# --reinit: install and update bootloader config
|
||||||
|
# --refresh: update bootloader config
|
||||||
|
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
|
||||||
/sbin/update-bootloader --refresh || true
|
/sbin/update-bootloader --refresh || true
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user