grub-lakitu: REDHAT: MASTER-SB: Make any of the loaders that link in efi mode honor secure boot.

And in this case "honor" means "even if somebody does link this in, they
won't register commands if SB is enabled."

Signed-off-by: Peter Jones <pjones@redhat.com>
(cherry picked from commit babb9e25977ac0d8353493182cbef1ca4cf74a50)
(from master-sb branch of https://github.com/rhboot/grub2)

BUG=b:69569602
TEST=TBD

Change-Id: I0971dbb2cacb0e1aef95fd67a9cdf6f493d0520a
Reviewed-on: https://chromium-review.googlesource.com/945894
Reviewed-by: Edward Jee <edjee@google.com>
Commit-Queue: Edward Jee <edjee@google.com>
Tested-by: Edward Jee <edjee@google.com>
Trybot-Ready: Edward Jee <edjee@google.com>
diff --git a/grub-lakitu/grub-core/Makefile.am b/grub-lakitu/grub-core/Makefile.am
index 1045138..f7b4d29 100644
--- a/grub-lakitu/grub-core/Makefile.am
+++ b/grub-lakitu/grub-core/Makefile.am
@@ -71,6 +71,7 @@
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h
diff --git a/grub-lakitu/grub-core/Makefile.core.def b/grub-lakitu/grub-core/Makefile.core.def
index ef5863a..4bc649d 100644
--- a/grub-lakitu/grub-core/Makefile.core.def
+++ b/grub-lakitu/grub-core/Makefile.core.def
@@ -195,6 +195,7 @@
   i386_multiboot = kern/i386/pc/acpi.c;
   i386_coreboot = kern/acpi.c;
   i386_multiboot = kern/acpi.c;
+  common = kern/efi/sb.c;
 
   x86 = kern/i386/tsc.c;
   x86 = kern/i386/tsc_pit.c;
diff --git a/grub-lakitu/grub-core/commands/iorw.c b/grub-lakitu/grub-core/commands/iorw.c
index a0c164e..41a7f3f 100644
--- a/grub-lakitu/grub-core/commands/iorw.c
+++ b/grub-lakitu/grub-core/commands/iorw.c
@@ -23,6 +23,7 @@
 #include <grub/env.h>
 #include <grub/cpu/io.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -118,6 +119,9 @@
 
 GRUB_MOD_INIT(memrw)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_read_byte =
     grub_register_extcmd ("inb", grub_cmd_read, 0,
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
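Review bot: The early return added at the top of GRUB_MOD_INIT carries no comment and logs nothing, so under Secure Boot `inb` and the other commands registered below simply show up as unknown, with no hint why. A one-line comment such as `/* Do not register raw port I/O commands when Secure Boot is enabled. */` above the check would record the intent for the next maintainer. The same applies to the INIT hunks in memrw.c, appleloader.c, bsd.c, i386/linux.c, i386/pc/linux.c, multiboot.c and xnu.c. The function body continues past the end of this hunk.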
@@ -146,6 +150,9 @@
 
 GRUB_MOD_FINI(memrw)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_extcmd (cmd_read_byte);
   grub_unregister_extcmd (cmd_read_word);
   grub_unregister_extcmd (cmd_read_dword);
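Review bot: The FINI guard re-queries the firmware instead of checking whether INIT registered anything, so correct teardown depends on two separate grub_efi_secure_boot() calls agreeing. Per sb.c in this commit, each call reads SecureBoot and SetupMode afresh and returns 0 on any read failure. If the fini-time answer differs from the init-time one, the commands are either left registered or `grub_unregister_extcmd` is handed handles that were never set. Guarding on the handle itself, e.g. `if (!cmd_read_byte) return;` (assuming it is a zero-initialised static, which the hunk does not show), or caching the init-time result, would tie the two paths together. The same pattern appears in the FINI hunks of memrw.c, appleloader.c, bsd.c, i386/linux.c, i386/pc/linux.c, multiboot.c and xnu.c; the function body continues past the hunk.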
diff --git a/grub-lakitu/grub-core/commands/memrw.c b/grub-lakitu/grub-core/commands/memrw.c
index 98769ea..088cbe9 100644
--- a/grub-lakitu/grub-core/commands/memrw.c
+++ b/grub-lakitu/grub-core/commands/memrw.c
@@ -22,6 +22,7 @@
 #include <grub/extcmd.h>
 #include <grub/env.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -120,6 +121,9 @@
 
 GRUB_MOD_INIT(memrw)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_read_byte =
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -148,6 +152,9 @@
 
 GRUB_MOD_FINI(memrw)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_extcmd (cmd_read_byte);
   grub_unregister_extcmd (cmd_read_word);
   grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-lakitu/grub-core/kern/dl.c b/grub-lakitu/grub-core/kern/dl.c
index f488f0f..996747b 100644
--- a/grub-lakitu/grub-core/kern/dl.c
+++ b/grub-lakitu/grub-core/kern/dl.c
@@ -32,6 +32,7 @@
 #include <grub/env.h>
 #include <grub/cache.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 /* Platforms where modules are in a readonly area of memory.  */
 #if defined(GRUB_MACHINE_QEMU)
diff --git a/grub-lakitu/grub-core/kern/efi/efi.c b/grub-lakitu/grub-core/kern/efi/efi.c
index bce251d..d467785 100644
--- a/grub-lakitu/grub-core/kern/efi/efi.c
+++ b/grub-lakitu/grub-core/kern/efi/efi.c
@@ -264,34 +264,6 @@
   return NULL;
 }
 
-grub_efi_boolean_t
-grub_efi_secure_boot (void)
-{
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
-  grub_size_t datasize;
-  char *secure_boot = NULL;
-  char *setup_mode = NULL;
-  grub_efi_boolean_t ret = 0;
-
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
-
-  if (datasize != 1 || !secure_boot)
-    goto out;
-
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
-
-  if (datasize != 1 || !setup_mode)
-    goto out;
-
-  if (*secure_boot && !*setup_mode)
-    ret = 1;
-
- out:
-  grub_free (secure_boot);
-  grub_free (setup_mode);
-  return ret;
-}
-
 #pragma GCC diagnostic ignored "-Wcast-align"
 
 /* Search the mods section from the PE32/PE32+ image. This code uses
diff --git a/grub-lakitu/grub-core/kern/efi/sb.c b/grub-lakitu/grub-core/kern/efi/sb.c
new file mode 100644
index 0000000..a41b6c5
--- /dev/null
+++ b/grub-lakitu/grub-core/kern/efi/sb.c
@@ -0,0 +1,58 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2014 Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+#include <grub/cpu/linux.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/pe32.h>
+#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
+
+int
+grub_efi_secure_boot (void)
+{
+#ifdef GRUB_MACHINE_EFI
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_size_t datasize;
+  char *secure_boot = NULL;
+  char *setup_mode = NULL;
+  grub_efi_boolean_t ret = 0;
+
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !secure_boot)
+    goto out;
+
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !setup_mode)
+    goto out;
+
+  if (*secure_boot && !*setup_mode)
+    ret = 1;
+
+ out:
+  grub_free (secure_boot);
+  grub_free (setup_mode);
+  return ret;
+#else
+  return 0;
+#endif
+}
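Review bot: In both variable checks `datasize` is read before the returned pointer is tested, and `datasize` has no initializer, so the test relies on grub_efi_get_variable() writing it on every failure path, which this diff does not show. Writing `if (!secure_boot || datasize != 1)` (and likewise for `setup_mode`) removes that dependency. Any failure to read either variable also falls through to `ret = 0`, so a read or allocation failure is reported as "Secure Boot off" and the gated modules register their commands; a comment stating that this fail-open result is intended, or a distinct failure path, would help. The includes of `grub/cpu/linux.h`, `grub/efi/pe32.h` and `grub/efi/linux.h` look unused by this function. Since the file is built as `common`, the first one is presumably why the empty per-architecture `linux.h` headers are added at the end of the commit.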
diff --git a/grub-lakitu/grub-core/loader/efi/appleloader.c b/grub-lakitu/grub-core/loader/efi/appleloader.c
index 74888c4..69c2a10 100644
--- a/grub-lakitu/grub-core/loader/efi/appleloader.c
+++ b/grub-lakitu/grub-core/loader/efi/appleloader.c
@@ -24,6 +24,7 @@
 #include <grub/misc.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 
@@ -227,6 +228,9 @@
 
 GRUB_MOD_INIT(appleloader)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
 			       N_("[OPTS]"),
 			       /* TRANSLATORS: This command is used on EFI to
@@ -238,5 +242,8 @@
 
 GRUB_MOD_FINI(appleloader)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_command (cmd);
 }
diff --git a/grub-lakitu/grub-core/loader/efi/chainloader.c b/grub-lakitu/grub-core/loader/efi/chainloader.c
index afbe2b6..181f39c 100644
--- a/grub-lakitu/grub-core/loader/efi/chainloader.c
+++ b/grub-lakitu/grub-core/loader/efi/chainloader.c
@@ -34,6 +34,7 @@
 #include <grub/efi/disk.h>
 #include <grub/efi/pe32.h>
 #include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 #include <grub/net.h>
diff --git a/grub-lakitu/grub-core/loader/i386/bsd.c b/grub-lakitu/grub-core/loader/i386/bsd.c
index c26edb4..552f743 100644
--- a/grub-lakitu/grub-core/loader/i386/bsd.c
+++ b/grub-lakitu/grub-core/loader/i386/bsd.c
@@ -39,6 +39,7 @@
 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/int.h>
 #endif
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -2130,6 +2131,9 @@
 
 GRUB_MOD_INIT (bsd)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   /* Net and OpenBSD kernels are often compressed.  */
   grub_dl_load ("gzio");
 
@@ -2169,6 +2173,9 @@
 
 GRUB_MOD_FINI (bsd)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_extcmd (cmd_freebsd);
   grub_unregister_extcmd (cmd_openbsd);
   grub_unregister_extcmd (cmd_netbsd);
diff --git a/grub-lakitu/grub-core/loader/i386/linux.c b/grub-lakitu/grub-core/loader/i386/linux.c
index 2f3e082..fe4d0d6 100644
--- a/grub-lakitu/grub-core/loader/i386/linux.c
+++ b/grub-lakitu/grub-core/loader/i386/linux.c
@@ -35,6 +35,7 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1145,6 +1146,9 @@
 
 GRUB_MOD_INIT(linux)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
 				     0, N_("Load Linux."));
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
@@ -1154,6 +1158,9 @@
 
 GRUB_MOD_FINI(linux)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_command (cmd_linux);
   grub_unregister_command (cmd_initrd);
 }
diff --git a/grub-lakitu/grub-core/loader/i386/pc/linux.c b/grub-lakitu/grub-core/loader/i386/pc/linux.c
index 89c6a74..48b64d3 100644
--- a/grub-lakitu/grub-core/loader/i386/pc/linux.c
+++ b/grub-lakitu/grub-core/loader/i386/pc/linux.c
@@ -35,6 +35,7 @@
 #include <grub/i386/floppy.h>
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -475,6 +476,9 @@
 
 GRUB_MOD_INIT(linux16)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_linux =
     grub_register_command ("linux16", grub_cmd_linux,
 			   0, N_("Load Linux."));
@@ -486,6 +490,9 @@
 
 GRUB_MOD_FINI(linux16)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_command (cmd_linux);
   grub_unregister_command (cmd_initrd);
 }
diff --git a/grub-lakitu/grub-core/loader/multiboot.c b/grub-lakitu/grub-core/loader/multiboot.c
index 084c9c4..37becd5 100644
--- a/grub-lakitu/grub-core/loader/multiboot.c
+++ b/grub-lakitu/grub-core/loader/multiboot.c
@@ -42,6 +42,7 @@
 #include <grub/video.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -431,6 +432,9 @@
 
 GRUB_MOD_INIT(multiboot)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_multiboot =
 #ifdef GRUB_USE_MULTIBOOT2
     grub_register_command ("multiboot2", grub_cmd_multiboot,
@@ -451,6 +455,9 @@
 
 GRUB_MOD_FINI(multiboot)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   grub_unregister_command (cmd_multiboot);
   grub_unregister_command (cmd_module);
 }
diff --git a/grub-lakitu/grub-core/loader/xnu.c b/grub-lakitu/grub-core/loader/xnu.c
index ff66be4..dc3250f 100644
--- a/grub-lakitu/grub-core/loader/xnu.c
+++ b/grub-lakitu/grub-core/loader/xnu.c
@@ -34,6 +34,7 @@
 #include <grub/env.h>
 #include <grub/i18n.h>
 #include <grub/verify.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1478,6 +1479,9 @@
 
 GRUB_MOD_INIT(xnu)
 {
+  if (grub_efi_secure_boot())
+    return;
+
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
 				      N_("Load XNU image."));
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
@@ -1518,6 +1522,9 @@
 
 GRUB_MOD_FINI(xnu)
 {
+  if (grub_efi_secure_boot())
+    return;
+
 #ifndef GRUB_MACHINE_EMU
   grub_unregister_command (cmd_resume);
 #endif
diff --git a/grub-lakitu/include/grub/efi/efi.h b/grub-lakitu/include/grub/efi/efi.h
index 62a3d97..764cd11 100644
--- a/grub-lakitu/include/grub/efi/efi.h
+++ b/grub-lakitu/include/grub/efi/efi.h
@@ -76,7 +76,6 @@
 				     const grub_efi_guid_t *guid,
 				     void *data,
 				     grub_size_t datasize);
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
 int
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
 					     const grub_efi_device_path_t *dp2);
diff --git a/grub-lakitu/include/grub/efi/sb.h b/grub-lakitu/include/grub/efi/sb.h
new file mode 100644
index 0000000..9629fbb
--- /dev/null
+++ b/grub-lakitu/include/grub/efi/sb.h
@@ -0,0 +1,29 @@
+/* sb.h - declare functions for EFI Secure Boot support */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2006,2007,2008,2009  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_EFI_SB_HEADER
+#define GRUB_EFI_SB_HEADER	1
+
+#include <grub/types.h>
+#include <grub/dl.h>
+
+/* Functions.  */
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
+
+#endif /* ! GRUB_EFI_SB_HEADER */
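Review bot: The exported prototype has no contract comment, and its return type changes from `grub_efi_boolean_t` (the declaration removed from efi.h) to `int` without saying what a non-zero value means. Suggest adding `/* Returns 1 when SecureBoot is set and SetupMode is clear; 0 otherwise, including non-EFI builds and failed variable reads. */` above the declaration. Every caller in this commit uses the result as a gate for registering commands, so the cases that yield 0 are worth stating where callers will look.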
diff --git a/grub-lakitu/include/grub/ia64/linux.h b/grub-lakitu/include/grub/ia64/linux.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/grub-lakitu/include/grub/ia64/linux.h
diff --git a/grub-lakitu/include/grub/mips/linux.h b/grub-lakitu/include/grub/mips/linux.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/grub-lakitu/include/grub/mips/linux.h
diff --git a/grub-lakitu/include/grub/powerpc/linux.h b/grub-lakitu/include/grub/powerpc/linux.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/grub-lakitu/include/grub/powerpc/linux.h
diff --git a/grub-lakitu/include/grub/sparc64/linux.h b/grub-lakitu/include/grub/sparc64/linux.h
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/grub-lakitu/include/grub/sparc64/linux.h