boot/grub2/0035-kern-Add-lockdown-support.patch

4 Subject: [PATCH] kern: Add lockdown support
14 The lockdown support adds the following components:
16 * The grub_lockdown() function which can be used to lockdown GRUB if,
51  grub-core/kern/lockdown.c   | 80 +++++++++++++++++++++++++++++++++++++++++++++
54  include/grub/lockdown.h     | 44 +++++++++++++++++++++++++
57  create mode 100644 grub-core/kern/lockdown.c
58  create mode 100644 include/grub/lockdown.h
112 +@code{grub_lockdown()} is used to lockdown GRUB and the function
113 +@code{grub_is_lockdown()} function can be used to check whether lockdown is
118 +used when lockdown is disabled:
123 +GRUB is in lockdown mode.
126 +when the GRUB is in lockdown mode.
167 +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
192 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
201 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
210 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
219 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
228 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
237 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
246 …/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-r…
258 +  efi = kern/lockdown.c;
277 +	kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c \
292 …efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
300 …eee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
308 …ps_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
316 …_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
324 …COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
332 +@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJ…
340 +@COND_arm64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
358 +	$(top_srcdir)/include/grub/lockdown.h \
367 +@COND_arm64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
377 +@COND_arm_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
387 +@COND_i386_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
397 +@COND_ia64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
408 +@COND_riscv32_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
421 +@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
433 +@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
442 +kern/kernel_exec-lockdown.$(OBJEXT): kern/$(am__dirstamp) \
451 +@AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-lockdown.Po@am__quote@
459 +kern/kernel_exec-lockdown.o: kern/lockdown.c
460 …lockdown.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.o `…
461 …RUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdo…
462 …DEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdow…
464 …FLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'…
466 +kern/kernel_exec-lockdown.obj: kern/lockdown.c
467 …lockdown.obj -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.o…
468 …RUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdo…
469 …DEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdow…
471 …rn/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; el…
496 +#include <grub/lockdown.h>
510 +                     N_("%s: the command is not allowed when lockdown is enforced"),
537 +#include <grub/lockdown.h>
552 +                     N_("%s: the command is not allowed when lockdown is enforced"),
571 diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
575 +++ b/grub-core/kern/lockdown.c
598 +#include <grub/lockdown.h>
601 +static int lockdown = GRUB_LOCKDOWN_DISABLED;
647 +  lockdown = GRUB_LOCKDOWN_ENABLED;
655 +  return lockdown;
691 diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
695 +++ b/include/grub/lockdown.h
749 +./grub-core/kern/lockdown.c
757 +./include/grub/lockdown.h