6b2dd0
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
b9efc5
From: Peter Jones <pjones@redhat.com>
b9efc5
Date: Tue, 6 Oct 2015 16:09:25 -0400
752ceb
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
752ceb
 boot.
b9efc5
b9efc5
And in this case "honor" means "even if somebody does link this in, they
b9efc5
won't register commands if SB is enabled."
b9efc5
b9efc5
Signed-off-by: Peter Jones <pjones@redhat.com>
b9efc5
---
b9efc5
 grub-core/Makefile.core.def        |  1 +
b9efc5
 grub-core/commands/iorw.c          |  7 +++++
b9efc5
 grub-core/commands/memrw.c         |  7 +++++
ad4aff
 grub-core/kern/dl.c                |  1 +
ad4aff
 grub-core/kern/efi/efi.c           | 34 --------------------
ad4aff
 grub-core/kern/efi/sb.c            | 64 ++++++++++++++++++++++++++++++++++++++
b9efc5
 grub-core/loader/efi/appleloader.c |  7 +++++
b9efc5
 grub-core/loader/efi/chainloader.c |  1 +
b9efc5
 grub-core/loader/i386/bsd.c        |  7 +++++
b9efc5
 grub-core/loader/i386/linux.c      |  7 +++++
b9efc5
 grub-core/loader/i386/pc/linux.c   |  7 +++++
b9efc5
 grub-core/loader/multiboot.c       |  7 +++++
b9efc5
 grub-core/loader/xnu.c             |  7 +++++
b9efc5
 include/grub/efi/efi.h             |  1 -
ad4aff
 include/grub/efi/sb.h              | 29 +++++++++++++++++
9d15b4
 include/grub/ia64/linux.h          |  0
9d15b4
 include/grub/mips/linux.h          |  0
9d15b4
 include/grub/powerpc/linux.h       |  0
9d15b4
 include/grub/sparc64/linux.h       |  0
ec4acb
 grub-core/Makefile.am              |  1 +
ad4aff
 20 files changed, 153 insertions(+), 35 deletions(-)
b9efc5
 create mode 100644 grub-core/kern/efi/sb.c
b9efc5
 create mode 100644 include/grub/efi/sb.h
9d15b4
 create mode 100644 include/grub/ia64/linux.h
9d15b4
 create mode 100644 include/grub/mips/linux.h
171351
 create mode 100644 include/grub/powerpc/linux.h
9d15b4
 create mode 100644 include/grub/sparc64/linux.h
b9efc5
b9efc5
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
15a207
index 0b4b0c2122d..e92a7ef322f 100644
b9efc5
--- a/grub-core/Makefile.core.def
b9efc5
+++ b/grub-core/Makefile.core.def
ad4aff
@@ -195,6 +195,7 @@ kernel = {
b9efc5
   i386_multiboot = kern/i386/pc/acpi.c;
b9efc5
   i386_coreboot = kern/acpi.c;
b9efc5
   i386_multiboot = kern/acpi.c;
b9efc5
+  common = kern/efi/sb.c;
b9efc5
 
b9efc5
   x86 = kern/i386/tsc.c;
b9efc5
   x86 = kern/i386/tsc_pit.c;
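Review bot: Listing kern/efi/sb.c under `common` compiles its whole include list on every platform, and that list names the per-CPU `linux.h`, the EFI `linux.h` and `pe32.h`, none of which the single function in the file appears to use. This looks like the reason the commit has to create empty `linux.h` headers for ia64, mips, powerpc and sparc64. Moving the EFI-only includes in sb.c under the `#ifdef GRUB_MACHINE_EFI` that already guards the function body, or dropping the unused ones, would make those stub headers unnecessary.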
b9efc5
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
ec4acb
index a0c164e54f0..41a7f3f0466 100644
b9efc5
--- a/grub-core/commands/iorw.c
b9efc5
+++ b/grub-core/commands/iorw.c
b9efc5
@@ -23,6 +23,7 @@
b9efc5
 #include <grub env.h="">
b9efc5
 #include <grub cpu="" io.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
b9efc5
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
b9efc5
 
b9efc5
 GRUB_MOD_INIT(memrw)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_read_byte =
b9efc5
     grub_register_extcmd ("inb", grub_cmd_read, 0,
b9efc5
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
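Review bot: The early return at the top of GRUB_MOD_INIT has no comment explaining why the module registers nothing. The same three lines are repeated in the init hunks of memrw.c, appleloader.c, bsd.c, i386/linux.c, i386/pc/linux.c, multiboot.c and xnu.c. I would put a short why-comment above the guard, for example `/* Direct port I/O sidesteps Secure Boot policy; register no commands when it is enforced.  */`, reworded per module, so that nobody later removes the check as dead code on non-EFI builds. The call is also written `grub_efi_secure_boot()`, while the surrounding code puts a space before the parenthesis, `grub_efi_secure_boot ()`. The body of GRUB_MOD_INIT continues past the end of this hunk.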
b9efc5
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(memrw)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_extcmd (cmd_read_byte);
b9efc5
   grub_unregister_extcmd (cmd_read_word);
b9efc5
   grub_unregister_extcmd (cmd_read_dword);
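Review bot: GRUB_MOD_FINI queries the firmware again instead of reusing what GRUB_MOD_INIT decided, so the two can disagree. grub_efi_secure_boot() returns 0 whenever either variable read fails, so a failure on only one of the two calls would either leave registered commands behind or pass never-assigned handles to grub_unregister_extcmd. Recording the outcome once is simpler: a file-scope `static int registered;` set at the end of init, and `if (!registered) return;` here. The same applies to the fini hunks of memrw.c, appleloader.c, bsd.c, i386/linux.c, i386/pc/linux.c, multiboot.c and xnu.c. Whether the unregister functions tolerate a NULL handle is not visible in this diff, and the function body runs past the end of the hunk.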
b9efc5
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
ec4acb
index 98769eadb34..088cbe9e2bc 100644
b9efc5
--- a/grub-core/commands/memrw.c
b9efc5
+++ b/grub-core/commands/memrw.c
b9efc5
@@ -22,6 +22,7 @@
b9efc5
 #include <grub extcmd.h="">
b9efc5
 #include <grub env.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
b9efc5
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
b9efc5
 
b9efc5
 GRUB_MOD_INIT(memrw)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_read_byte =
b9efc5
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
b9efc5
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
b9efc5
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(memrw)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_extcmd (cmd_read_byte);
b9efc5
   grub_unregister_extcmd (cmd_read_word);
b9efc5
   grub_unregister_extcmd (cmd_read_dword);
ad4aff
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
ad4aff
index 04e804d1668..621070918d4 100644
ad4aff
--- a/grub-core/kern/dl.c
ad4aff
+++ b/grub-core/kern/dl.c
ad4aff
@@ -32,6 +32,7 @@
ad4aff
 #include <grub env.h="">
ad4aff
 #include <grub cache.h="">
ad4aff
 #include <grub i18n.h="">
ad4aff
+#include <grub efi="" sb.h="">
ad4aff
 
ad4aff
 /* Platforms where modules are in a readonly area of memory.  */
ad4aff
 #if defined(GRUB_MACHINE_QEMU)
b9efc5
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
ad4aff
index 91129e33566..708581fcbde 100644
b9efc5
--- a/grub-core/kern/efi/efi.c
b9efc5
+++ b/grub-core/kern/efi/efi.c
ad4aff
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
b9efc5
   return NULL;
b9efc5
 }
b9efc5
 
b9efc5
-grub_efi_boolean_t
b9efc5
-grub_efi_secure_boot (void)
b9efc5
-{
b9efc5
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
b9efc5
-  grub_size_t datasize;
b9efc5
-  char *secure_boot = NULL;
b9efc5
-  char *setup_mode = NULL;
b9efc5
-  grub_efi_boolean_t ret = 0;
b9efc5
-
b9efc5
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
b9efc5
-  if (datasize != 1 || !secure_boot)
ad4aff
-    {
ad4aff
-      grub_dprintf ("secureboot", "No SecureBoot variable\n");
ad4aff
-      goto out;
ad4aff
-    }
ad4aff
-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
b9efc5
-
b9efc5
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
b9efc5
-  if (datasize != 1 || !setup_mode)
ad4aff
-    {
ad4aff
-      grub_dprintf ("secureboot", "No SetupMode variable\n");
ad4aff
-      goto out;
ad4aff
-    }
ad4aff
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
b9efc5
-
b9efc5
-  if (*secure_boot && !*setup_mode)
b9efc5
-    ret = 1;
b9efc5
-
b9efc5
- out:
b9efc5
-  grub_free (secure_boot);
b9efc5
-  grub_free (setup_mode);
b9efc5
-  return ret;
b9efc5
-}
b9efc5
-
b9efc5
 #pragma GCC diagnostic ignored "-Wcast-align"
b9efc5
 
b9efc5
 /* Search the mods section from the PE32/PE32+ image. This code uses
b9efc5
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
b9efc5
new file mode 100644
ad4aff
index 00000000000..d74778b0cac
b9efc5
--- /dev/null
b9efc5
+++ b/grub-core/kern/efi/sb.c
ad4aff
@@ -0,0 +1,64 @@
b9efc5
+/*
b9efc5
+ *  GRUB  --  GRand Unified Bootloader
b9efc5
+ *  Copyright (C) 2014 Free Software Foundation, Inc.
b9efc5
+ *
b9efc5
+ *  GRUB is free software: you can redistribute it and/or modify
b9efc5
+ *  it under the terms of the GNU General Public License as published by
b9efc5
+ *  the Free Software Foundation, either version 3 of the License, or
b9efc5
+ *  (at your option) any later version.
b9efc5
+ *
b9efc5
+ *  GRUB is distributed in the hope that it will be useful,
b9efc5
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
b9efc5
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
b9efc5
+ *  GNU General Public License for more details.
b9efc5
+ *
b9efc5
+ *  You should have received a copy of the GNU General Public License
b9efc5
+ *  along with GRUB.  If not, see <http: www.gnu.org="" licenses=""/>.
b9efc5
+ */
b9efc5
+
b9efc5
+#include <grub err.h="">
b9efc5
+#include <grub mm.h="">
b9efc5
+#include <grub types.h="">
b9efc5
+#include <grub cpu="" linux.h="">
b9efc5
+#include <grub efi="" efi.h="">
b9efc5
+#include <grub efi="" pe32.h="">
b9efc5
+#include <grub efi="" linux.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
+
b9efc5
+int
b9efc5
+grub_efi_secure_boot (void)
b9efc5
+{
b9efc5
+#ifdef GRUB_MACHINE_EFI
b9efc5
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
b9efc5
+  grub_size_t datasize;
b9efc5
+  char *secure_boot = NULL;
b9efc5
+  char *setup_mode = NULL;
b9efc5
+  grub_efi_boolean_t ret = 0;
b9efc5
+
b9efc5
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
b9efc5
+  if (datasize != 1 || !secure_boot)
ad4aff
+    {
ad4aff
+      grub_dprintf ("secureboot", "No SecureBoot variable\n");
ad4aff
+      goto out;
ad4aff
+    }
ad4aff
+  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
b9efc5
+
b9efc5
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
b9efc5
+  if (datasize != 1 || !setup_mode)
ad4aff
+    {
ad4aff
+      grub_dprintf ("secureboot", "No SetupMode variable\n");
ad4aff
+      goto out;
ad4aff
+    }
ad4aff
+  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
b9efc5
+
b9efc5
+  if (*secure_boot && !*setup_mode)
b9efc5
+    ret = 1;
b9efc5
+
b9efc5
+ out:
b9efc5
+  grub_free (secure_boot);
b9efc5
+  grub_free (setup_mode);
b9efc5
+  return ret;
b9efc5
+#else
b9efc5
+  return 0;
b9efc5
+#endif
b9efc5
+}
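Review bot: Both checks read `datasize` before testing the returned pointer, and every failure path reports Secure Boot as off. If grub_efi_get_variable can return NULL without storing a size (its body is not in this diff), `datasize != 1` reads an indeterminate value. Testing the pointer first, `if (!secure_boot || datasize != 1)` and likewise for `setup_mode`, avoids that. Because callers now use the result as a security gate, the `out:` path deserves a comment stating that an unreadable variable is deliberately treated as "not enforced"; alternatively, once SecureBoot has been read as 1, a failed SetupMode read could be treated as enforced. Separately, `ret` is declared `grub_efi_boolean_t` while the function now returns `int`; declaring it `int` keeps the two aligned.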
b9efc5
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
ec4acb
index 74888c463ba..69c2a10d351 100644
b9efc5
--- a/grub-core/loader/efi/appleloader.c
b9efc5
+++ b/grub-core/loader/efi/appleloader.c
b9efc5
@@ -24,6 +24,7 @@
b9efc5
 #include <grub misc.h="">
b9efc5
 #include <grub efi="" api.h="">
b9efc5
 #include <grub efi="" efi.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 #include <grub command.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
 
b9efc5
@@ -227,6 +228,9 @@ static grub_command_t cmd;
b9efc5
 
b9efc5
 GRUB_MOD_INIT(appleloader)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
b9efc5
 			       N_("[OPTS]"),
b9efc5
 			       /* TRANSLATORS: This command is used on EFI to
b9efc5
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(appleloader)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_command (cmd);
b9efc5
 }
b9efc5
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
ad4aff
index af2189619a3..5cd9b6e08a8 100644
b9efc5
--- a/grub-core/loader/efi/chainloader.c
b9efc5
+++ b/grub-core/loader/efi/chainloader.c
b9efc5
@@ -34,6 +34,7 @@
b9efc5
 #include <grub efi="" disk.h="">
b9efc5
 #include <grub efi="" pe32.h="">
b9efc5
 #include <grub efi="" linux.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 #include <grub command.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
 #include <grub net.h="">
b9efc5
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
ec4acb
index 7f96515da65..87709aa23e8 100644
b9efc5
--- a/grub-core/loader/i386/bsd.c
b9efc5
+++ b/grub-core/loader/i386/bsd.c
b9efc5
@@ -38,6 +38,7 @@
b9efc5
 #ifdef GRUB_MACHINE_PCBIOS
b9efc5
 #include <grub machine="" int.h="">
b9efc5
 #endif
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
b9efc5
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
b9efc5
 
b9efc5
 GRUB_MOD_INIT (bsd)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   /* Net and OpenBSD kernels are often compressed.  */
b9efc5
   grub_dl_load ("gzio");
b9efc5
 
b9efc5
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
b9efc5
 
b9efc5
 GRUB_MOD_FINI (bsd)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_extcmd (cmd_freebsd);
b9efc5
   grub_unregister_extcmd (cmd_openbsd);
b9efc5
   grub_unregister_extcmd (cmd_netbsd);
b9efc5
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
15a207
index f7186be4002..c84747ea857 100644
b9efc5
--- a/grub-core/loader/i386/linux.c
b9efc5
+++ b/grub-core/loader/i386/linux.c
b9efc5
@@ -35,6 +35,7 @@
b9efc5
 #include <grub i18n.h="">
b9efc5
 #include <grub lib="" cmdline.h="">
b9efc5
 #include <grub linux.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
15a207
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
b9efc5
 
b9efc5
 GRUB_MOD_INIT(linux)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
b9efc5
 				     0, N_("Load Linux."));
b9efc5
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
15a207
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(linux)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_command (cmd_linux);
b9efc5
   grub_unregister_command (cmd_initrd);
b9efc5
 }
b9efc5
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
ad4aff
index caa76bee8af..783a3cd93bc 100644
b9efc5
--- a/grub-core/loader/i386/pc/linux.c
b9efc5
+++ b/grub-core/loader/i386/pc/linux.c
b9efc5
@@ -35,6 +35,7 @@
b9efc5
 #include <grub i386="" floppy.h="">
b9efc5
 #include <grub lib="" cmdline.h="">
b9efc5
 #include <grub linux.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
ad4aff
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
b9efc5
 
b9efc5
 GRUB_MOD_INIT(linux16)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_linux =
ad4aff
     grub_register_command ("linux", grub_cmd_linux,
b9efc5
 			   0, N_("Load Linux."));
ad4aff
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(linux16)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_command (cmd_linux);
ad4aff
   grub_unregister_command (cmd_linux16);
b9efc5
   grub_unregister_command (cmd_initrd);
b9efc5
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
752ceb
index 40c67e82489..26df46a4161 100644
b9efc5
--- a/grub-core/loader/multiboot.c
b9efc5
+++ b/grub-core/loader/multiboot.c
752ceb
@@ -50,6 +50,7 @@
b9efc5
 #include <grub video.h="">
b9efc5
 #include <grub memory.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
752ceb
@@ -446,6 +447,9 @@ static grub_command_t cmd_multiboot, cmd_module;
b9efc5
 
b9efc5
 GRUB_MOD_INIT(multiboot)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_multiboot =
b9efc5
 #ifdef GRUB_USE_MULTIBOOT2
b9efc5
     grub_register_command ("multiboot2", grub_cmd_multiboot,
752ceb
@@ -466,6 +470,9 @@ GRUB_MOD_INIT(multiboot)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(multiboot)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   grub_unregister_command (cmd_multiboot);
b9efc5
   grub_unregister_command (cmd_module);
b9efc5
 }
b9efc5
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
ec4acb
index c9885b1bcd7..df8dfdb4ba0 100644
b9efc5
--- a/grub-core/loader/xnu.c
b9efc5
+++ b/grub-core/loader/xnu.c
b9efc5
@@ -33,6 +33,7 @@
b9efc5
 #include <grub extcmd.h="">
b9efc5
 #include <grub env.h="">
b9efc5
 #include <grub i18n.h="">
b9efc5
+#include <grub efi="" sb.h="">
b9efc5
 
b9efc5
 GRUB_MOD_LICENSE ("GPLv3+");
b9efc5
 
b9efc5
@@ -1469,6 +1470,9 @@ static grub_extcmd_t cmd_splash;
b9efc5
 
b9efc5
 GRUB_MOD_INIT(xnu)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
b9efc5
 				      N_("Load XNU image."));
b9efc5
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
b9efc5
@@ -1509,6 +1513,9 @@ GRUB_MOD_INIT(xnu)
b9efc5
 
b9efc5
 GRUB_MOD_FINI(xnu)
b9efc5
 {
b9efc5
+  if (grub_efi_secure_boot())
b9efc5
+    return;
b9efc5
+
b9efc5
 #ifndef GRUB_MACHINE_EMU
b9efc5
   grub_unregister_command (cmd_resume);
b9efc5
 #endif
b9efc5
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
dbfd2e
index 1061aee9726..39480b38674 100644
b9efc5
--- a/include/grub/efi/efi.h
b9efc5
+++ b/include/grub/efi/efi.h
15a207
@@ -85,7 +85,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
b9efc5
 				     const grub_efi_guid_t *guid,
b9efc5
 				     void *data,
b9efc5
 				     grub_size_t datasize);
b9efc5
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
b9efc5
 int
b9efc5
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
b9efc5
 					     const grub_efi_device_path_t *dp2);
b9efc5
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
b9efc5
new file mode 100644
ec4acb
index 00000000000..9629fbb0f9e
b9efc5
--- /dev/null
b9efc5
+++ b/include/grub/efi/sb.h
b9efc5
@@ -0,0 +1,29 @@
b9efc5
+/* sb.h - declare functions for EFI Secure Boot support */
b9efc5
+/*
b9efc5
+ *  GRUB  --  GRand Unified Bootloader
b9efc5
+ *  Copyright (C) 2006,2007,2008,2009  Free Software Foundation, Inc.
b9efc5
+ *
b9efc5
+ *  GRUB is free software: you can redistribute it and/or modify
b9efc5
+ *  it under the terms of the GNU General Public License as published by
b9efc5
+ *  the Free Software Foundation, either version 3 of the License, or
b9efc5
+ *  (at your option) any later version.
b9efc5
+ *
b9efc5
+ *  GRUB is distributed in the hope that it will be useful,
b9efc5
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
b9efc5
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
b9efc5
+ *  GNU General Public License for more details.
b9efc5
+ *
b9efc5
+ *  You should have received a copy of the GNU General Public License
b9efc5
+ *  along with GRUB.  If not, see <http: www.gnu.org="" licenses=""/>.
b9efc5
+ */
b9efc5
+
b9efc5
+#ifndef GRUB_EFI_SB_HEADER
b9efc5
+#define GRUB_EFI_SB_HEADER	1
b9efc5
+
b9efc5
+#include <grub types.h="">
b9efc5
+#include <grub dl.h="">
b9efc5
+
b9efc5
+/* Functions.  */
b9efc5
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
b9efc5
+
b9efc5
+#endif /* ! GRUB_EFI_SB_HEADER */
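Review bot: The only description of the exported function is `/* Functions.  */`, so its return contract has to be read out of sb.c. Modules now use this value to decide whether to register commands, so I would document it at the declaration: `/* Returns 1 only when SecureBoot is 1 and SetupMode is 0; returns 0 on non-EFI builds and when either variable is missing or unreadable.  */`. That wording matches the implementation added in grub-core/kern/efi/sb.c in this same commit.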
9d15b4
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
9d15b4
new file mode 100644
ec4acb
index 00000000000..e69de29bb2d
9d15b4
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
9d15b4
new file mode 100644
ec4acb
index 00000000000..e69de29bb2d
171351
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
171351
new file mode 100644
ec4acb
index 00000000000..e69de29bb2d
9d15b4
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
9d15b4
new file mode 100644
ec4acb
index 00000000000..e69de29bb2d
ec4acb
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
15a207
index f4ff62b769a..9c69aa88626 100644
ec4acb
--- a/grub-core/Makefile.am
ec4acb
+++ b/grub-core/Makefile.am
ec4acb
@@ -71,6 +71,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
ec4acb
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
ec4acb
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h