|
 |
d41074 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
a85e8e |
From: Peter Jones <pjones@redhat.com>
|
|
|
a85e8e |
Date: Tue, 6 Oct 2015 16:09:25 -0400
|
|
|
d41074 |
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
|
|
|
d41074 |
boot.
|
|
|
a85e8e |
|
|
|
a85e8e |
And in this case "honor" means "even if somebody does link this in, they
|
|
|
a85e8e |
won't register commands if SB is enabled."
|
|
|
a85e8e |
|
|
|
a85e8e |
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
|
a85e8e |
---
|
|
|
a85e8e |
grub-core/Makefile.core.def | 2 ++
|
|
|
a85e8e |
grub-core/commands/iorw.c | 7 +++++
|
|
|
a85e8e |
grub-core/commands/memrw.c | 7 +++++
|
|
|
a85e8e |
grub-core/kern/efi/efi.c | 28 ------------------
|
|
|
a85e8e |
grub-core/kern/efi/sb.c | 58 ++++++++++++++++++++++++++++++++++++++
|
|
|
a85e8e |
grub-core/loader/efi/appleloader.c | 7 +++++
|
|
|
a85e8e |
grub-core/loader/efi/chainloader.c | 1 +
|
|
|
a85e8e |
grub-core/loader/i386/bsd.c | 7 +++++
|
|
|
a85e8e |
grub-core/loader/i386/linux.c | 7 +++++
|
|
|
a85e8e |
grub-core/loader/i386/pc/linux.c | 7 +++++
|
|
|
a85e8e |
grub-core/loader/multiboot.c | 7 +++++
|
|
|
a85e8e |
grub-core/loader/xnu.c | 7 +++++
|
|
|
a85e8e |
include/grub/efi/efi.h | 1 -
|
|
|
a85e8e |
include/grub/efi/sb.h | 29 +++++++++++++++++++
|
|
|
a85e8e |
include/grub/ia64/linux.h | 0
|
|
|
a85e8e |
include/grub/mips/linux.h | 0
|
|
|
a85e8e |
include/grub/powerpc/linux.h | 0
|
|
|
a85e8e |
include/grub/sparc64/linux.h | 0
|
|
|
d41074 |
grub-core/Makefile.am | 1 +
|
|
|
a85e8e |
19 files changed, 147 insertions(+), 29 deletions(-)
|
|
|
a85e8e |
create mode 100644 grub-core/kern/efi/sb.c
|
|
|
a85e8e |
create mode 100644 include/grub/efi/sb.h
|
|
|
a85e8e |
create mode 100644 include/grub/ia64/linux.h
|
|
|
a85e8e |
create mode 100644 include/grub/mips/linux.h
|
|
|
a85e8e |
create mode 100644 include/grub/powerpc/linux.h
|
|
|
a85e8e |
create mode 100644 include/grub/sparc64/linux.h
|
|
|
a85e8e |
|
|
|
a85e8e |
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
|
|
d41074 |
index 4fc74393335..b340ceeec7f 100644
|
|
|
a85e8e |
--- a/grub-core/Makefile.core.def
|
|
|
a85e8e |
+++ b/grub-core/Makefile.core.def
|
|
|
a85e8e |
@@ -175,6 +175,8 @@ kernel = {
|
|
|
a85e8e |
efi = term/efi/console.c;
|
|
|
a85e8e |
efi = lib/envblk.c;
|
|
|
a85e8e |
|
|
|
a85e8e |
+ common = kern/efi/sb.c;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
x86 = kern/i386/tsc.c;
|
|
|
a85e8e |
|
|
|
a85e8e |
i386_efi = kern/i386/efi/init.c;
|
|
|
a85e8e |
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
|
|
|
d41074 |
index a0c164e54f0..41a7f3f0466 100644
|
|
|
a85e8e |
--- a/grub-core/commands/iorw.c
|
|
|
a85e8e |
+++ b/grub-core/commands/iorw.c
|
|
|
a85e8e |
@@ -23,6 +23,7 @@
|
|
|
a85e8e |
#include <grub/env.h>
|
|
|
a85e8e |
#include <grub/cpu/io.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(memrw)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_read_byte =
|
|
|
a85e8e |
grub_register_extcmd ("inb", grub_cmd_read, 0,
|
|
|
a85e8e |
N_("PORT"), N_("Read 8-bit value from PORT."),
|
|
|
a85e8e |
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(memrw)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_byte);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_word);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_dword);
|
|
|
a85e8e |
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
|
|
|
d41074 |
index 98769eadb34..088cbe9e2bc 100644
|
|
|
a85e8e |
--- a/grub-core/commands/memrw.c
|
|
|
a85e8e |
+++ b/grub-core/commands/memrw.c
|
|
|
a85e8e |
@@ -22,6 +22,7 @@
|
|
|
a85e8e |
#include <grub/extcmd.h>
|
|
|
a85e8e |
#include <grub/env.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(memrw)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_read_byte =
|
|
|
a85e8e |
grub_register_extcmd ("read_byte", grub_cmd_read, 0,
|
|
|
a85e8e |
N_("ADDR"), N_("Read 8-bit value from ADDR."),
|
|
|
a85e8e |
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(memrw)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_byte);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_word);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_read_dword);
|
|
|
a85e8e |
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
|
|
d41074 |
index c80d85b677e..7dfe2ef1455 100644
|
|
|
a85e8e |
--- a/grub-core/kern/efi/efi.c
|
|
|
a85e8e |
+++ b/grub-core/kern/efi/efi.c
|
|
|
a85e8e |
@@ -260,34 +260,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
|
|
|
a85e8e |
return NULL;
|
|
|
a85e8e |
}
|
|
|
a85e8e |
|
|
|
a85e8e |
-grub_efi_boolean_t
|
|
|
a85e8e |
-grub_efi_secure_boot (void)
|
|
|
a85e8e |
-{
|
|
|
a85e8e |
- grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
|
|
|
a85e8e |
- grub_size_t datasize;
|
|
|
a85e8e |
- char *secure_boot = NULL;
|
|
|
a85e8e |
- char *setup_mode = NULL;
|
|
|
a85e8e |
- grub_efi_boolean_t ret = 0;
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- if (datasize != 1 || !secure_boot)
|
|
|
a85e8e |
- goto out;
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- if (datasize != 1 || !setup_mode)
|
|
|
a85e8e |
- goto out;
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- if (*secure_boot && !*setup_mode)
|
|
|
a85e8e |
- ret = 1;
|
|
|
a85e8e |
-
|
|
|
a85e8e |
- out:
|
|
|
a85e8e |
- grub_free (secure_boot);
|
|
|
a85e8e |
- grub_free (setup_mode);
|
|
|
a85e8e |
- return ret;
|
|
|
a85e8e |
-}
|
|
|
a85e8e |
-
|
|
|
a85e8e |
#pragma GCC diagnostic ignored "-Wcast-align"
|
|
|
a85e8e |
|
|
|
a85e8e |
/* Search the mods section from the PE32/PE32+ image. This code uses
|
|
|
a85e8e |
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..a41b6c5b851
|
|
|
a85e8e |
--- /dev/null
|
|
|
a85e8e |
+++ b/grub-core/kern/efi/sb.c
|
|
|
a85e8e |
@@ -0,0 +1,58 @@
|
|
|
a85e8e |
+/*
|
|
|
a85e8e |
+ * GRUB -- GRand Unified Bootloader
|
|
|
a85e8e |
+ * Copyright (C) 2014 Free Software Foundation, Inc.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * GRUB is free software: you can redistribute it and/or modify
|
|
|
a85e8e |
+ * it under the terms of the GNU General Public License as published by
|
|
|
a85e8e |
+ * the Free Software Foundation, either version 3 of the License, or
|
|
|
a85e8e |
+ * (at your option) any later version.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * GRUB is distributed in the hope that it will be useful,
|
|
|
a85e8e |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
a85e8e |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
a85e8e |
+ * GNU General Public License for more details.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * You should have received a copy of the GNU General Public License
|
|
|
a85e8e |
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
a85e8e |
+ */
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+#include <grub/err.h>
|
|
|
a85e8e |
+#include <grub/mm.h>
|
|
|
a85e8e |
+#include <grub/types.h>
|
|
|
a85e8e |
+#include <grub/cpu/linux.h>
|
|
|
a85e8e |
+#include <grub/efi/efi.h>
|
|
|
a85e8e |
+#include <grub/efi/pe32.h>
|
|
|
a85e8e |
+#include <grub/efi/linux.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+int
|
|
|
a85e8e |
+grub_efi_secure_boot (void)
|
|
|
a85e8e |
+{
|
|
|
a85e8e |
+#ifdef GRUB_MACHINE_EFI
|
|
|
a85e8e |
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
|
|
|
a85e8e |
+ grub_size_t datasize;
|
|
|
a85e8e |
+ char *secure_boot = NULL;
|
|
|
a85e8e |
+ char *setup_mode = NULL;
|
|
|
a85e8e |
+ grub_efi_boolean_t ret = 0;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ if (datasize != 1 || !secure_boot)
|
|
|
a85e8e |
+ goto out;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ if (datasize != 1 || !setup_mode)
|
|
|
a85e8e |
+ goto out;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ if (*secure_boot && !*setup_mode)
|
|
|
a85e8e |
+ ret = 1;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+ out:
|
|
|
a85e8e |
+ grub_free (secure_boot);
|
|
|
a85e8e |
+ grub_free (setup_mode);
|
|
|
a85e8e |
+ return ret;
|
|
|
a85e8e |
+#else
|
|
|
a85e8e |
+ return 0;
|
|
|
a85e8e |
+#endif
|
|
|
a85e8e |
+}
|
|
|
a85e8e |
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
|
|
|
d41074 |
index 74888c463ba..69c2a10d351 100644
|
|
|
a85e8e |
--- a/grub-core/loader/efi/appleloader.c
|
|
|
a85e8e |
+++ b/grub-core/loader/efi/appleloader.c
|
|
|
a85e8e |
@@ -24,6 +24,7 @@
|
|
|
a85e8e |
#include <grub/misc.h>
|
|
|
a85e8e |
#include <grub/efi/api.h>
|
|
|
a85e8e |
#include <grub/efi/efi.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
#include <grub/command.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -227,6 +228,9 @@ static grub_command_t cmd;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(appleloader)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
|
|
|
a85e8e |
N_("[OPTS]"),
|
|
|
a85e8e |
/* TRANSLATORS: This command is used on EFI to
|
|
|
a85e8e |
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(appleloader)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_command (cmd);
|
|
|
a85e8e |
}
|
|
|
a85e8e |
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
|
|
d41074 |
index 87a91e16f17..aee8e6becf6 100644
|
|
|
a85e8e |
--- a/grub-core/loader/efi/chainloader.c
|
|
|
a85e8e |
+++ b/grub-core/loader/efi/chainloader.c
|
|
|
a85e8e |
@@ -34,6 +34,7 @@
|
|
|
a85e8e |
#include <grub/efi/disk.h>
|
|
|
a85e8e |
#include <grub/efi/pe32.h>
|
|
|
a85e8e |
#include <grub/efi/linux.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
#include <grub/command.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
#include <grub/net.h>
|
|
|
a85e8e |
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
|
|
|
d41074 |
index 8f691e0e2d1..b671f59b62a 100644
|
|
|
a85e8e |
--- a/grub-core/loader/i386/bsd.c
|
|
|
a85e8e |
+++ b/grub-core/loader/i386/bsd.c
|
|
|
a85e8e |
@@ -38,6 +38,7 @@
|
|
|
a85e8e |
#ifdef GRUB_MACHINE_PCBIOS
|
|
|
a85e8e |
#include <grub/machine/int.h>
|
|
|
a85e8e |
#endif
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -2111,6 +2112,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT (bsd)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
/* Net and OpenBSD kernels are often compressed. */
|
|
|
a85e8e |
grub_dl_load ("gzio");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -2150,6 +2154,9 @@ GRUB_MOD_INIT (bsd)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI (bsd)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_freebsd);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_openbsd);
|
|
|
a85e8e |
grub_unregister_extcmd (cmd_netbsd);
|
|
|
a85e8e |
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
|
|
d41074 |
index 2ae176315b6..bd37c69b5d0 100644
|
|
|
a85e8e |
--- a/grub-core/loader/i386/linux.c
|
|
|
a85e8e |
+++ b/grub-core/loader/i386/linux.c
|
|
|
a85e8e |
@@ -35,6 +35,7 @@
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
#include <grub/lib/cmdline.h>
|
|
|
a85e8e |
#include <grub/linux.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -1137,6 +1138,9 @@ static grub_command_t cmd_linux, cmd_initrd;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(linux)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_linux = grub_register_command ("linux", grub_cmd_linux,
|
|
|
a85e8e |
0, N_("Load Linux."));
|
|
|
a85e8e |
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
|
|
a85e8e |
@@ -1146,6 +1150,9 @@ GRUB_MOD_INIT(linux)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(linux)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_command (cmd_linux);
|
|
|
a85e8e |
grub_unregister_command (cmd_initrd);
|
|
|
a85e8e |
}
|
|
|
a85e8e |
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
|
|
|
d41074 |
index b481e466846..b19527e8e17 100644
|
|
|
a85e8e |
--- a/grub-core/loader/i386/pc/linux.c
|
|
|
a85e8e |
+++ b/grub-core/loader/i386/pc/linux.c
|
|
|
a85e8e |
@@ -35,6 +35,7 @@
|
|
|
a85e8e |
#include <grub/i386/floppy.h>
|
|
|
a85e8e |
#include <grub/lib/cmdline.h>
|
|
|
a85e8e |
#include <grub/linux.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -469,6 +470,9 @@ static grub_command_t cmd_linux, cmd_initrd;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(linux16)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_linux =
|
|
|
a85e8e |
grub_register_command ("linux16", grub_cmd_linux,
|
|
|
a85e8e |
0, N_("Load Linux."));
|
|
|
a85e8e |
@@ -480,6 +484,9 @@ GRUB_MOD_INIT(linux16)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(linux16)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_command (cmd_linux);
|
|
|
a85e8e |
grub_unregister_command (cmd_initrd);
|
|
|
a85e8e |
}
|
|
|
a85e8e |
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
|
|
|
d41074 |
index 4b71f336353..e4e696e8f89 100644
|
|
|
a85e8e |
--- a/grub-core/loader/multiboot.c
|
|
|
a85e8e |
+++ b/grub-core/loader/multiboot.c
|
|
|
a85e8e |
@@ -42,6 +42,7 @@
|
|
|
a85e8e |
#include <grub/video.h>
|
|
|
a85e8e |
#include <grub/memory.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -383,6 +384,9 @@ static grub_command_t cmd_multiboot, cmd_module;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(multiboot)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_multiboot =
|
|
|
a85e8e |
#ifdef GRUB_USE_MULTIBOOT2
|
|
|
a85e8e |
grub_register_command ("multiboot2", grub_cmd_multiboot,
|
|
|
a85e8e |
@@ -403,6 +407,9 @@ GRUB_MOD_INIT(multiboot)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(multiboot)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
grub_unregister_command (cmd_multiboot);
|
|
|
a85e8e |
grub_unregister_command (cmd_module);
|
|
|
a85e8e |
}
|
|
|
a85e8e |
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
|
|
d41074 |
index cdd9715cedd..faffccc9744 100644
|
|
|
a85e8e |
--- a/grub-core/loader/xnu.c
|
|
|
a85e8e |
+++ b/grub-core/loader/xnu.c
|
|
|
a85e8e |
@@ -33,6 +33,7 @@
|
|
|
a85e8e |
#include <grub/extcmd.h>
|
|
|
a85e8e |
#include <grub/env.h>
|
|
|
a85e8e |
#include <grub/i18n.h>
|
|
|
a85e8e |
+#include <grub/efi/sb.h>
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
a85e8e |
|
|
|
a85e8e |
@@ -1466,6 +1467,9 @@ static grub_extcmd_t cmd_splash;
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_INIT(xnu)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
|
|
|
a85e8e |
N_("Load XNU image."));
|
|
|
a85e8e |
cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
|
|
|
a85e8e |
@@ -1506,6 +1510,9 @@ GRUB_MOD_INIT(xnu)
|
|
|
a85e8e |
|
|
|
a85e8e |
GRUB_MOD_FINI(xnu)
|
|
|
a85e8e |
{
|
|
|
a85e8e |
+ if (grub_efi_secure_boot())
|
|
|
a85e8e |
+ return;
|
|
|
a85e8e |
+
|
|
|
a85e8e |
#ifndef GRUB_MACHINE_EMU
|
|
|
a85e8e |
grub_unregister_command (cmd_resume);
|
|
|
a85e8e |
#endif
|
|
|
a85e8e |
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
|
|
|
d41074 |
index 22456327e13..9a2da0eb38d 100644
|
|
|
a85e8e |
--- a/include/grub/efi/efi.h
|
|
|
a85e8e |
+++ b/include/grub/efi/efi.h
|
|
|
a85e8e |
@@ -76,7 +76,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
|
|
|
a85e8e |
const grub_efi_guid_t *guid,
|
|
|
a85e8e |
void *data,
|
|
|
a85e8e |
grub_size_t datasize);
|
|
|
a85e8e |
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
|
|
|
a85e8e |
int
|
|
|
a85e8e |
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
|
|
|
a85e8e |
const grub_efi_device_path_t *dp2);
|
|
|
a85e8e |
diff --git a/include/grub/efi/sb.h b/include/grub/efi/sb.h
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..9629fbb0f9e
|
|
|
a85e8e |
--- /dev/null
|
|
|
a85e8e |
+++ b/include/grub/efi/sb.h
|
|
|
a85e8e |
@@ -0,0 +1,29 @@
|
|
|
a85e8e |
+/* sb.h - declare functions for EFI Secure Boot support */
|
|
|
a85e8e |
+/*
|
|
|
a85e8e |
+ * GRUB -- GRand Unified Bootloader
|
|
|
a85e8e |
+ * Copyright (C) 2006,2007,2008,2009 Free Software Foundation, Inc.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * GRUB is free software: you can redistribute it and/or modify
|
|
|
a85e8e |
+ * it under the terms of the GNU General Public License as published by
|
|
|
a85e8e |
+ * the Free Software Foundation, either version 3 of the License, or
|
|
|
a85e8e |
+ * (at your option) any later version.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * GRUB is distributed in the hope that it will be useful,
|
|
|
a85e8e |
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
a85e8e |
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
a85e8e |
+ * GNU General Public License for more details.
|
|
|
a85e8e |
+ *
|
|
|
a85e8e |
+ * You should have received a copy of the GNU General Public License
|
|
|
a85e8e |
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
|
a85e8e |
+ */
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+#ifndef GRUB_EFI_SB_HEADER
|
|
|
a85e8e |
+#define GRUB_EFI_SB_HEADER 1
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+#include <grub/types.h>
|
|
|
a85e8e |
+#include <grub/dl.h>
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+/* Functions. */
|
|
|
a85e8e |
+int EXPORT_FUNC (grub_efi_secure_boot) (void);
|
|
|
a85e8e |
+
|
|
|
a85e8e |
+#endif /* ! GRUB_EFI_SB_HEADER */
|
|
|
a85e8e |
diff --git a/include/grub/ia64/linux.h b/include/grub/ia64/linux.h
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..e69de29bb2d
|
|
|
a85e8e |
diff --git a/include/grub/mips/linux.h b/include/grub/mips/linux.h
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..e69de29bb2d
|
|
|
a85e8e |
diff --git a/include/grub/powerpc/linux.h b/include/grub/powerpc/linux.h
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..e69de29bb2d
|
|
|
a85e8e |
diff --git a/include/grub/sparc64/linux.h b/include/grub/sparc64/linux.h
|
|
|
a85e8e |
new file mode 100644
|
|
|
d41074 |
index 00000000000..e69de29bb2d
|
|
|
d41074 |
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
|
|
d41074 |
index cb7fd9f98e8..be29e327f77 100644
|
|
|
d41074 |
--- a/grub-core/Makefile.am
|
|
|
d41074 |
+++ b/grub-core/Makefile.am
|
|
|
d41074 |
@@ -67,6 +67,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/command.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/device.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/disk.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/dl.h
|
|
|
d41074 |
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/efi/sb.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/env_private.h
|
|
|
d41074 |
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/err.h
|