forked from pool/grub2
be3181b1eb
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057) * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch * 0036-util-mkimage-Improve-data_size-value-calculation.patch * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch * 0039-grub-install-common-Add-sbat-option.patch - Fix CVE-2021-20225 (bsc#1182262) * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch - Fix CVE-2020-27749 (bsc#1179264) * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch * 0025-kern-parser-Fix-a-memory-leak.patch * 0026-kern-parser-Introduce-process_char-helper.patch * 0027-kern-parser-Introduce-terminate_arg-helper.patch * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch - Fix CVE-2021-20233 (bsc#1182263) * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch - Fix CVE-2020-25647 (bsc#1177883) * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch - Fix CVE-2020-25632 (bsc#1176711) * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch - Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970) * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch OBS-URL: https://build.opensuse.org/request/show/876326 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=374
58 lines
1.7 KiB
Diff
58 lines
1.7 KiB
Diff
From 959db537b12c5e76c244ccc51cbbed7f27b0abe2 Mon Sep 17 00:00:00 2001
|
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
Date: Tue, 2 Feb 2021 19:59:48 +0100
|
|
Subject: [PATCH 10/46] kern/lockdown: Set a variable if the GRUB is locked
|
|
down
|
|
|
|
It may be useful for scripts to determine whether the GRUB is locked
|
|
down or not. Add the lockdown variable which is set to "y" when the GRUB
|
|
is locked down.
|
|
|
|
Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
docs/grub.texi | 3 +++
|
|
grub-core/kern/lockdown.c | 4 ++++
|
|
2 files changed, 7 insertions(+)
|
|
|
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
index a459a71e4..3a4d18e06 100644
|
|
--- a/docs/grub.texi
|
|
+++ b/docs/grub.texi
|
|
@@ -5820,6 +5820,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
|
|
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
|
be restricted and some operations/commands cannot be executed.
|
|
|
|
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
|
|
+Otherwise it does not exit.
|
|
+
|
|
@node Platform limitations
|
|
@chapter Platform limitations
|
|
|
|
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
|
|
index 1e56c0b80..0bc70fd42 100644
|
|
--- a/grub-core/kern/lockdown.c
|
|
+++ b/grub-core/kern/lockdown.c
|
|
@@ -18,6 +18,7 @@
|
|
*/
|
|
|
|
#include <grub/dl.h>
|
|
+#include <grub/env.h>
|
|
#include <grub/file.h>
|
|
#include <grub/lockdown.h>
|
|
#include <grub/verify.h>
|
|
@@ -71,6 +72,9 @@ grub_lockdown (void)
|
|
lockdown = GRUB_LOCKDOWN_ENABLED;
|
|
|
|
grub_verifier_register (&lockdown_verifier);
|
|
+
|
|
+ grub_env_set ("lockdown", "y");
|
|
+ grub_env_export ("lockdown");
|
|
}
|
|
|
|
int
|
|
--
|
|
2.26.2
|
|
|