|
|
124a375 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
3b94406 |
From: Peter Jones <pjones@redhat.com>
|
|
|
3b94406 |
Date: Wed, 24 Apr 2019 10:03:04 -0400
|
|
|
124a375 |
Subject: [PATCH] Forbid the "devicetree" command when Secure Boot is enabled.
|
|
|
3b94406 |
|
|
|
3b94406 |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
3b94406 |
---
|
|
|
3b94406 |
grub-core/loader/arm/linux.c | 12 ++++++++++++
|
|
|
3b94406 |
grub-core/loader/efi/fdt.c | 12 ++++++++++++
|
|
|
3b94406 |
2 files changed, 24 insertions(+)
|
|
|
3b94406 |
|
|
|
3b94406 |
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
|
|
3b94406 |
index b4f609d2d01..5f5723b4b8f 100644
|
|
|
3b94406 |
--- a/grub-core/loader/arm/linux.c
|
|
|
3b94406 |
+++ b/grub-core/loader/arm/linux.c
|
|
|
3b94406 |
@@ -28,6 +28,7 @@
|
|
|
3b94406 |
#include <grub/cpu/linux.h>
|
|
|
3b94406 |
#include <grub/lib/cmdline.h>
|
|
|
3b94406 |
#include <grub/linux.h>
|
|
|
3b94406 |
+#include <grub/efi/sb.h>
|
|
|
3b94406 |
|
|
|
3b94406 |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
3b94406 |
|
|
|
3b94406 |
@@ -467,6 +468,17 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
|
|
|
3b94406 |
if (argc != 1)
|
|
|
3b94406 |
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
|
|
3b94406 |
|
|
|
3b94406 |
+ if (grub_efi_secure_boot ())
|
|
|
3b94406 |
+ {
|
|
|
3b94406 |
+#if 0
|
|
|
3b94406 |
+ /* This is an error, but grub2-mkconfig still generates a pile of
|
|
|
3b94406 |
+ * insmod commands, so emitting it would be mostly just obnoxious. */
|
|
|
3b94406 |
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
|
|
3b94406 |
+ "Secure Boot forbids loading devicetree from %s", filename);
|
|
|
3b94406 |
+#endif
|
|
|
3b94406 |
+ return 0;
|
|
|
3b94406 |
+ }
|
|
|
3b94406 |
+
|
|
|
3b94406 |
dtb = grub_file_open (argv[0]);
|
|
|
3b94406 |
if (!dtb)
|
|
|
3b94406 |
return grub_errno;
|
|
|
3b94406 |
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
|
|
3b94406 |
index cecd617dccc..2c14a11fa6b 100644
|
|
|
3b94406 |
--- a/grub-core/loader/efi/fdt.c
|
|
|
3b94406 |
+++ b/grub-core/loader/efi/fdt.c
|
|
|
3b94406 |
@@ -25,6 +25,7 @@
|
|
|
3b94406 |
#include <grub/efi/efi.h>
|
|
|
3b94406 |
#include <grub/efi/fdtload.h>
|
|
|
3b94406 |
#include <grub/efi/memory.h>
|
|
|
3b94406 |
+#include <grub/efi/sb.h>
|
|
|
3b94406 |
|
|
|
3b94406 |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
3b94406 |
|
|
|
3b94406 |
@@ -125,6 +126,17 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
|
|
|
3b94406 |
return GRUB_ERR_NONE;
|
|
|
3b94406 |
}
|
|
|
3b94406 |
|
|
|
3b94406 |
+ if (grub_efi_secure_boot ())
|
|
|
3b94406 |
+ {
|
|
|
3b94406 |
+#if 0
|
|
|
3b94406 |
+ /* This is an error, but grub2-mkconfig still generates a pile of
|
|
|
3b94406 |
+ * insmod commands, so emitting it would be mostly just obnoxious. */
|
|
|
3b94406 |
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
|
|
3b94406 |
+ "Secure Boot forbids loading devicetree from %s", filename);
|
|
|
3b94406 |
+#endif
|
|
|
3b94406 |
+ return 0;
|
|
|
3b94406 |
+ }
|
|
|
3b94406 |
+
|
|
|
3b94406 |
dtb = grub_file_open (argv[0]);
|
|
|
3b94406 |
if (!dtb)
|
|
|
3b94406 |
goto out;
|