SHA256
1
0
forked from pool/grub2

Accepting request 198441 from home:michael-chang:branches:Base:System

- use new update-bootloader option --reinit to install and update
  bootloader config
- refresh grub2-secureboot-no-insmod-on-sb.patch to fobid module
  loading completely.

OBS-URL: https://build.opensuse.org/request/show/198441
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=52
This commit is contained in:
Dr. Werner Fink 2013-09-12 15:29:56 +00:00 committed by Git OBS Bridge
parent 8c1f2f807a
commit 13bae16139
3 changed files with 49 additions and 27 deletions

View File

@ -1,47 +1,53 @@
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001 From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com> From: Colin Watson <cjwatson@ubuntu.com>
Date: Wed, 15 Aug 2012 09:53:05 -0400 Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH] Don't permit insmod on secure boot Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled.
References: fate#314485 References: fate#314485
Patch-Mainline: no Patch-Mainline: no
Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Michael Chang <mchang@suse.com>
--- ---
grub-core/kern/corecmd.c | 9 +++++++++ grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 + include/grub/efi/efi.h | 1 +
3 files changed, 38 insertions(+) 3 files changed, 46 insertions(+)
Index: grub-2.00/grub-core/kern/corecmd.c Index: grub-2.00/grub-core/kern/dl.c
=================================================================== ===================================================================
--- grub-2.00.orig/grub-core/kern/corecmd.c --- grub-2.00.orig/grub-core/kern/dl.c
+++ grub-2.00/grub-core/kern/corecmd.c +++ grub-2.00/grub-core/kern/dl.c
@@ -28,6 +28,10 @@ @@ -42,6 +42,10 @@
#include <grub/command.h> #include <sys/mman.h>
#include <grub/i18n.h> #endif
+#ifdef GRUB_MACHINE_EFI +#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h> +#include <grub/efi/efi.h>
+#endif +#endif
+ +
/* set ENVVAR=VALUE */
static grub_err_t
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)), #pragma GCC diagnostic ignored "-Wcast-align"
@@ -75,6 +79,13 @@ grub_core_cmd_insmod (struct grub_comman @@ -665,6 +669,19 @@ grub_dl_load_file (const char *filename)
{ void *core = 0;
grub_dl_t mod; grub_dl_t mod = 0;
+#ifdef GRUB_MACHINE_EFI +#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot()) { + if (grub_efi_secure_boot ())
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod")); + {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0; + return 0;
+ } + }
+#endif +#endif
+ +
if (argc == 0) file = grub_file_open (filename);
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); if (! file)
return 0;
Index: grub-2.00/grub-core/kern/efi/efi.c Index: grub-2.00/grub-core/kern/efi/efi.c
=================================================================== ===================================================================
--- grub-2.00.orig/grub-core/kern/efi/efi.c --- grub-2.00.orig/grub-core/kern/efi/efi.c

View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Wed Sep 11 07:17:07 UTC 2013 - mchang@suse.com
- use new update-bootloader option --reinit to install and update
bootloader config
- refresh grub2-secureboot-no-insmod-on-sb.patch to fobid module
loading completely.
------------------------------------------------------------------- -------------------------------------------------------------------
Mon Sep 9 09:22:34 UTC 2013 - lnussel@suse.de Mon Sep 9 09:22:34 UTC 2013 - lnussel@suse.de

View File

@ -457,7 +457,11 @@ if [ "x${LOADER_TYPE}" = "xgrub" ]; then
elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then
# It's enought to call update-bootloader --refesh to install grub2 and update it's config # It's enought to call update-bootloader to install grub2 and update it's config
# Use new --reinit, if not available use --refresh
# --reinit: install and update bootloader config
# --refresh: update bootloader config
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
/sbin/update-bootloader --refresh || true /sbin/update-bootloader --refresh || true
fi fi
%endif %endif
@ -481,7 +485,11 @@ if [ "x${LOADER_TYPE}" = "xgrub2-efi" ]; then
fi fi
# It's enough to call update-bootloader --refesh to install grub2 and update it's config # It's enough to call update-bootloader to install grub2 and update it's config
# Use new --reinit, if not available use --refresh
# --reinit: install and update bootloader config
# --refresh: update bootloader config
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
/sbin/update-bootloader --refresh || true /sbin/update-bootloader --refresh || true
fi fi