54 lines
1.6 KiB
Diff
54 lines
1.6 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
Date: Mon, 28 Sep 2020 20:08:29 +0200
|
|
Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
|
|
|
|
If the UEFI Secure Boot is enabled then the GRUB must be locked down
|
|
to prevent executing code that can potentially be used to subvert its
|
|
verification mechanisms.
|
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/kern/efi/init.c | 19 +++++++++++++++++++
|
|
1 file changed, 19 insertions(+)
|
|
|
|
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
|
|
index 2ffb520..634e3ac 100644
|
|
--- a/grub-core/kern/efi/init.c
|
|
+++ b/grub-core/kern/efi/init.c
|
|
@@ -20,6 +20,8 @@
|
|
#include <grub/efi/efi.h>
|
|
#include <grub/efi/console.h>
|
|
#include <grub/efi/disk.h>
|
|
+#include <grub/efi/sb.h>
|
|
+#include <grub/lockdown.h>
|
|
#include <grub/term.h>
|
|
#include <grub/misc.h>
|
|
#include <grub/env.h>
|
|
@@ -88,6 +90,23 @@ grub_efi_init (void)
|
|
/* Initialize the memory management system. */
|
|
grub_efi_mm_init ();
|
|
|
|
+ /*
|
|
+ * Lockdown the GRUB and register the shim_lock verifier
|
|
+ * if the UEFI Secure Boot is enabled.
|
|
+ */
|
|
+ if (grub_efi_secure_boot ())
|
|
+ {
|
|
+ grub_lockdown ();
|
|
+
|
|
+ /*
|
|
+ * TODO: Move GRUB to using the shim_lock verifier and
|
|
+ * enable the lockdown verifier.
|
|
+ */
|
|
+#if 0
|
|
+ grub_shim_lock_verifier_setup ();
|
|
+#endif
|
|
+ }
|
|
+
|
|
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
|
|
0, 0, 0, NULL);
|
|
|
|
--
|
|
2.23.0
|