1From 578c95298bcc46e0296f4c786db64c2ff26ce2cc Mon Sep 17 00:00:00 2001
2From: Javier Martinez Canillas <javierm@redhat.com>
3Date: Mon, 28 Sep 2020 20:08:02 +0200
4Subject: [PATCH] kern: Add lockdown support
5
6When the GRUB starts on a secure boot platform, some commands can be
7used to subvert the protections provided by the verification mechanism and
8could lead to booting an untrusted system.
9
10To prevent that situation, allow GRUB to be locked down. That way the code
11may check if GRUB has been locked down and further restrict the commands
12that are registered or what subset of their functionality could be used.
13
14The lockdown support adds the following components:
15
16* The grub_lockdown() function which can be used to lockdown GRUB if,
17  e.g., UEFI Secure Boot is enabled.
18
19* The grub_is_lockdown() function which can be used to check if the GRUB
20  was locked down.
21
22* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
23  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
24  verifiers. These files are only successfully verified if another registered
25  verifier returns success. Otherwise, the whole verification process fails.
26
27  For example, PE/COFF binaries verification can be done by the shim_lock
28  verifier which validates the signatures using the shim_lock protocol.
29  However, the verification is not deferred directly to the shim_lock verifier.
30  The shim_lock verifier is hooked into the verification process instead.
31
32* A set of grub_{command,extcmd}_lockdown functions that can be used by
33  code registering command handlers, to only register unsafe commands if
34  the GRUB has not been locked down.
35
36Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
37Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
38[Add changes to generated files]
39Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
40---
41 Makefile.in                 |  2 ++
42 conf/Makefile.common        |  2 ++
43 docs/grub-dev.texi          | 27 +++++++++++++++
44 docs/grub.texi              |  8 +++++
45 grub-core/Makefile.am       |  5 ++-
46 grub-core/Makefile.core.am  | 14 ++++----
47 grub-core/Makefile.core.def |  1 +
48 grub-core/Makefile.in       | 73 ++++++++++++++++++++++++++++++-----------
49 grub-core/commands/extcmd.c | 23 +++++++++++++
50 grub-core/kern/command.c    | 24 ++++++++++++++
51 grub-core/kern/lockdown.c   | 80 +++++++++++++++++++++++++++++++++++++++++++++
52 include/grub/command.h      |  5 +++
53 include/grub/extcmd.h       |  7 ++++
54 include/grub/lockdown.h     | 44 +++++++++++++++++++++++++
55 po/POTFILES.in              |  2 ++
56 15 files changed, 290 insertions(+), 27 deletions(-)
57 create mode 100644 grub-core/kern/lockdown.c
58 create mode 100644 include/grub/lockdown.h
59
60diff --git a/Makefile.in b/Makefile.in
61index e6a185b..ecb3278 100644
62--- a/Makefile.in
63+++ b/Makefile.in
64@@ -2617,7 +2617,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
65 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \
66 	'-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
67 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \
68+	'-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
69 	'-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \
70+	'-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
71 	'-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
72 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
73 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
74diff --git a/conf/Makefile.common b/conf/Makefile.common
75index 6cd71cb..2a1a886 100644
76--- a/conf/Makefile.common
77+++ b/conf/Makefile.common
78@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
79 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
80 CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
81 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
82+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
83 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
84+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
85 CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
86 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
87 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
88diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
89index ee389fd..635ec72 100644
90--- a/docs/grub-dev.texi
91+++ b/docs/grub-dev.texi
92@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
93 * PFF2 Font File Format::
94 * Graphical Menu Software Design::
95 * Verifiers framework::
96+* Lockdown framework::
97 * Copying This Manual::         Copying This Manual
98 * Index::
99 @end menu
100@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
101 the context. If you return no error during any of @samp{init}, @samp{write} and
102 @samp{fini} then the file is considered as having succeded verification.
103
104+@node Lockdown framework
105+@chapter Lockdown framework
106+
107+The GRUB can be locked down, which is a restricted mode where some operations
108+are not allowed. For instance, some commands cannot be used when the GRUB is
109+locked down.
110+
111+The function
112+@code{grub_lockdown()} is used to lockdown GRUB and the function
113+@code{grub_is_lockdown()} function can be used to check whether lockdown is
114+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
115+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
116+
117+The following functions can be used to register the commands that can only be
118+used when lockdown is disabled:
119+
120+@itemize
121+
122+@item @code{grub_cmd_lockdown()} registers command which should not run when the
123+GRUB is in lockdown mode.
124+
125+@item @code{grub_cmd_lockdown()} registers extended command which should not run
126+when the GRUB is in lockdown mode.
127+
128+@end itemize
129+
130 @node Copying This Manual
131 @appendix Copying This Manual
132
133diff --git a/docs/grub.texi b/docs/grub.texi
134index aefe032..a25459f 100644
135--- a/docs/grub.texi
136+++ b/docs/grub.texi
137@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
138 * Using digital signatures::         Booting digitally signed code
139 * UEFI secure boot and shim::        Booting digitally signed PE files
140 * Measured Boot::                    Measuring boot components
141+* Lockdown::                         Lockdown when booting on a secure setup
142 @end menu
143
144 @node Authentication and authorisation
145@@ -5795,6 +5796,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
146
147 Measured boot is currently only supported on EFI platforms.
148
149+@node Lockdown
150+@section Lockdown when booting on a secure setup
151+
152+The GRUB can be locked down when booted on a secure boot environment, for example
153+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
154+be restricted and some operations/commands cannot be executed.
155+
156 @node Platform limitations
157 @chapter Platform limitations
158
159diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
160index cc6fc7d..30e23ad 100644
161--- a/grub-core/Makefile.am
162+++ b/grub-core/Makefile.am
163@@ -80,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
164 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
165 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
166 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
167+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
168 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
169 if COND_emu
170 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
171@@ -377,8 +378,10 @@ command.lst: $(MARKER_FILES)
172 	  b=`basename $$pp .marker`; \
173 	  sed -n \
174 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
175+	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
176 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
177-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
178+	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
179+	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
180 	done) | sort -u > $@
181 platform_DATA += command.lst
182 CLEANFILES += command.lst
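Review bot: The two added `-e` expressions are correct only because of their order: the address `/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/` is an unanchored substring match that also matches `EXTCOMMAND_LOCKDOWN_LIST_MARKER` lines, and the only reason it does not emit a second, unstarred entry for them is that the earlier expression's `s///` has already rewritten the pattern space to `*name: module`, so the later address no longer matches. The same invariant already held for the pre-existing `EXTCOMMAND_LIST_MARKER`/`COMMAND_LIST_MARKER` pair, but the patch doubles the number of lines depending on it without saying so. A one-line comment above `sed -n` would stop a future reorder from silently duplicating command.lst entries, e.g. `# Keep the EXTCOMMAND_* expressions before the COMMAND_* ones: the sed addresses are substring matches and rely on the earlier s/// having rewritten the line.` The command.lst recipe begins before this hunk.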
183diff --git a/grub-core/Makefile.core.am b/grub-core/Makefile.core.am
184index 5623a5e..fbfb627 100644
185--- a/grub-core/Makefile.core.am
186+++ b/grub-core/Makefile.core.am
187@@ -22378,7 +22378,7 @@ endif
188 if COND_i386_efi
189 platform_PROGRAMS += kernel.exec
190 kernel_exec_SOURCES  = kern/i386/efi/startup.S
191-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
192+kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
193 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
194 kernel_exec_LDADD  =
195 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
196@@ -22488,7 +22488,7 @@ endif
197 if COND_x86_64_efi
198 platform_PROGRAMS += kernel.exec
199 kernel_exec_SOURCES  = kern/x86_64/efi/startup.S
200-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
201+kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
202 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
203 kernel_exec_LDADD  =
204 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
205@@ -22664,7 +22664,7 @@ endif
206 if COND_ia64_efi
207 platform_PROGRAMS += kernel.exec
208 kernel_exec_SOURCES  =
209-kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
210+kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
211 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
212 kernel_exec_LDADD  =
213 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL) -fno-builtin -fpic -minline-int-divide-max-throughput
214@@ -22730,7 +22730,7 @@ endif
215 if COND_arm_efi
216 platform_PROGRAMS += kernel.exec
217 kernel_exec_SOURCES  = kern/arm/efi/startup.S
218-kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
219+kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
220 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
221 kernel_exec_LDADD  =
222 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
223@@ -22752,7 +22752,7 @@ endif
224 if COND_arm64_efi
225 platform_PROGRAMS += kernel.exec
226 kernel_exec_SOURCES  = kern/arm64/efi/startup.S
227-kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
228+kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
229 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
230 kernel_exec_LDADD  =
231 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
232@@ -22796,7 +22796,7 @@ endif
233 if COND_riscv32_efi
234 platform_PROGRAMS += kernel.exec
235 kernel_exec_SOURCES  = kern/riscv/efi/startup.S
236-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
237+kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
238 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
239 kernel_exec_LDADD  =
240 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
241@@ -22818,7 +22818,7 @@ endif
242 if COND_riscv64_efi
243 platform_PROGRAMS += kernel.exec
244 kernel_exec_SOURCES  = kern/riscv/efi/startup.S
245-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
246+kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c
247 nodist_kernel_exec_SOURCES  = symlist.c  ## platform nodist sources
248 kernel_exec_LDADD  =
249 kernel_exec_CFLAGS  = $(AM_CFLAGS) $(CFLAGS_KERNEL)
250diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
251index 4d380ed..ee8dc55 100644
252--- a/grub-core/Makefile.core.def
253+++ b/grub-core/Makefile.core.def
254@@ -205,6 +205,7 @@ kernel = {
255   efi = kern/acpi.c;
256   efi = kern/efi/acpi.c;
257   efi = kern/efi/sb.c;
258+  efi = kern/lockdown.c;
259   i386_coreboot = kern/i386/pc/acpi.c;
260   i386_multiboot = kern/i386/pc/acpi.c;
261   i386_coreboot = kern/acpi.c;
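Review bot: Only EFI kernels get a definition of grub_lockdown()/grub_is_lockdown() from this `efi = kern/lockdown.c;` entry, yet the diffstat shows grub-core/kern/command.c and grub-core/commands/extcmd.c — which are built for every platform — gaining lockdown-aware registration. Linking on i386-pc, ieee1275, coreboot and the emu target therefore depends on include/grub/lockdown.h supplying non-EFI fallbacks for those two functions; that header is outside this chunk, so I cannot confirm it does. If it does, a short note here such as `# lockdown.c is EFI-only; other platforms rely on the fallbacks in include/grub/lockdown.h` would save the next reader the same check; if it does not, the non-EFI kernels will fail to link.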
262diff --git a/grub-core/Makefile.in b/grub-core/Makefile.in
263index 09dc802..ac400ea 100644
264--- a/grub-core/Makefile.in
265+++ b/grub-core/Makefile.in
266@@ -10457,13 +10457,14 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
267 	kern/arm64/cache_flush.S kern/arm64/dl.c \
268 	kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c \
269 	kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c \
270-	kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c \
271-	kern/time.c kern/generic/millisleep.c kern/command.c \
272-	kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c \
273-	kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c \
274-	kern/misc.c kern/parser.c kern/partition.c \
275-	kern/rescue_parser.c kern/rescue_reader.c kern/term.c \
276-	kern/verifiers.c kern/arm/startup.S kern/arm/coreboot/init.c \
277+	kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c \
278+	kern/compiler-rt.c kern/mm.c kern/time.c \
279+	kern/generic/millisleep.c kern/command.c kern/corecmd.c \
280+	kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c \
281+	kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c \
282+	kern/parser.c kern/partition.c kern/rescue_parser.c \
283+	kern/rescue_reader.c kern/term.c kern/verifiers.c \
284+	kern/arm/startup.S kern/arm/coreboot/init.c \
285 	kern/arm/coreboot/timer.c kern/arm/coreboot/coreboot.S \
286 	lib/fdt.c bus/fdt.c term/ps2.c term/arm/pl050.c \
287 	term/arm/cros.c term/arm/cros_ec.c bus/spi/rk3288_spi.c \
288@@ -10572,6 +10573,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
289 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
290 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
291 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
292+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
293 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
294 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
295 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
296@@ -10646,6 +10648,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
297 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
298 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
299 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
300+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
301 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
302 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
303 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
304@@ -10683,6 +10686,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
305 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
306 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
307 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
308+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
309 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
310 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
311 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
312@@ -10884,6 +10888,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
313 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
314 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
315 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
316+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
317 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
318 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
319 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
320@@ -11120,6 +11125,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
321 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
322 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
323 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
324+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
325 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
326 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
327 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
328@@ -11287,6 +11293,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
329 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
330 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
331 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
332+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
333 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
334 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
335 @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
336@@ -11379,6 +11386,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \
337 @COND_arm64_efi_TRUE@	kern/kernel_exec-acpi.$(OBJEXT) \
338 @COND_arm64_efi_TRUE@	kern/efi/kernel_exec-acpi.$(OBJEXT) \
339 @COND_arm64_efi_TRUE@	kern/efi/kernel_exec-sb.$(OBJEXT) \
340+@COND_arm64_efi_TRUE@	kern/kernel_exec-lockdown.$(OBJEXT) \
341 @COND_arm64_efi_TRUE@	kern/kernel_exec-compiler-rt.$(OBJEXT) \
342 @COND_arm64_efi_TRUE@	kern/kernel_exec-mm.$(OBJEXT) \
343 @COND_arm64_efi_TRUE@	kern/kernel_exec-time.$(OBJEXT) \
344@@ -15379,7 +15387,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
345 CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \
346 	'-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
347 CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \
348+	'-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
349 	'-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \
350+	'-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
351 	'-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
352 CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
353 CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
354@@ -16387,6 +16397,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \
355 	$(top_srcdir)/include/grub/i18n.h \
356 	$(top_srcdir)/include/grub/kernel.h \
357 	$(top_srcdir)/include/grub/list.h \
358+	$(top_srcdir)/include/grub/lockdown.h \
359 	$(top_srcdir)/include/grub/misc.h $(am__append_5794) \
360 	$(am__append_5795) $(top_srcdir)/include/grub/mm.h \
361 	$(top_srcdir)/include/grub/parser.h \
362@@ -25594,7 +25605,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
363 @COND_arm64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
364 @COND_arm64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
365 @COND_arm64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
366-@COND_arm64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
367+@COND_arm64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
368+@COND_arm64_efi_TRUE@	kern/mm.c kern/time.c \
369 @COND_arm64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
370 @COND_arm64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
371 @COND_arm64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
372@@ -25645,7 +25657,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
373 @COND_arm_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
374 @COND_arm_efi_TRUE@	term/efi/console.c kern/acpi.c \
375 @COND_arm_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
376-@COND_arm_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
377+@COND_arm_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
378+@COND_arm_efi_TRUE@	kern/mm.c kern/time.c \
379 @COND_arm_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
380 @COND_arm_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
381 @COND_arm_efi_TRUE@	kern/dl.c kern/env.c kern/err.c kern/file.c \
382@@ -25725,7 +25738,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
383 @COND_i386_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
384 @COND_i386_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
385 @COND_i386_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
386-@COND_i386_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
387+@COND_i386_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
388+@COND_i386_efi_TRUE@	kern/mm.c kern/time.c \
389 @COND_i386_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
390 @COND_i386_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
391 @COND_i386_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
392@@ -25843,7 +25857,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
393 @COND_ia64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
394 @COND_ia64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
395 @COND_ia64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \
396-@COND_ia64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
397+@COND_ia64_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
398+@COND_ia64_efi_TRUE@	kern/mm.c kern/time.c \
399 @COND_ia64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
400 @COND_ia64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
401 @COND_ia64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
402@@ -25956,8 +25971,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
403 @COND_riscv32_efi_TRUE@	kern/efi/init.c kern/efi/mm.c \
404 @COND_riscv32_efi_TRUE@	term/efi/console.c kern/acpi.c \
405 @COND_riscv32_efi_TRUE@	kern/efi/acpi.c kern/efi/sb.c \
406-@COND_riscv32_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
407-@COND_riscv32_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
408+@COND_riscv32_efi_TRUE@	kern/lockdown.c kern/compiler-rt.c \
409+@COND_riscv32_efi_TRUE@	kern/mm.c kern/time.c \
410+@COND_riscv32_efi_TRUE@	kern/generic/millisleep.c \
411 @COND_riscv32_efi_TRUE@	kern/command.c kern/corecmd.c \
412 @COND_riscv32_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
413 @COND_riscv32_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
414@@ -25974,9 +25990,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
415 @COND_riscv64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
416 @COND_riscv64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
417 @COND_riscv64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
418-@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
419-@COND_riscv64_efi_TRUE@	kern/mm.c kern/time.c \
420-@COND_riscv64_efi_TRUE@	kern/generic/millisleep.c \
421+@COND_riscv64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
422+@COND_riscv64_efi_TRUE@	kern/compiler-rt.c kern/mm.c \
423+@COND_riscv64_efi_TRUE@	kern/time.c kern/generic/millisleep.c \
424 @COND_riscv64_efi_TRUE@	kern/command.c kern/corecmd.c \
425 @COND_riscv64_efi_TRUE@	kern/device.c kern/disk.c kern/dl.c \
426 @COND_riscv64_efi_TRUE@	kern/env.c kern/err.c kern/file.c \
427@@ -26022,8 +26038,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF)
428 @COND_x86_64_efi_TRUE@	kern/efi/efi.c kern/efi/init.c \
429 @COND_x86_64_efi_TRUE@	kern/efi/mm.c term/efi/console.c \
430 @COND_x86_64_efi_TRUE@	kern/acpi.c kern/efi/acpi.c \
431-@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/compiler-rt.c \
432-@COND_x86_64_efi_TRUE@	kern/mm.c kern/time.c \
433+@COND_x86_64_efi_TRUE@	kern/efi/sb.c kern/lockdown.c \
434+@COND_x86_64_efi_TRUE@	kern/compiler-rt.c kern/mm.c kern/time.c \
435 @COND_x86_64_efi_TRUE@	kern/generic/millisleep.c kern/command.c \
436 @COND_x86_64_efi_TRUE@	kern/corecmd.c kern/device.c kern/disk.c \
437 @COND_x86_64_efi_TRUE@	kern/dl.c kern/env.c kern/err.c \
438@@ -27994,6 +28010,8 @@ kern/efi/kernel_exec-acpi.$(OBJEXT): kern/efi/$(am__dirstamp) \
439 	kern/efi/$(DEPDIR)/$(am__dirstamp)
440 kern/efi/kernel_exec-sb.$(OBJEXT): kern/efi/$(am__dirstamp) \
441 	kern/efi/$(DEPDIR)/$(am__dirstamp)
442+kern/kernel_exec-lockdown.$(OBJEXT): kern/$(am__dirstamp) \
443+	kern/$(DEPDIR)/$(am__dirstamp)
444 kern/kernel_exec-compiler-rt.$(OBJEXT): kern/$(am__dirstamp) \
445 	kern/$(DEPDIR)/$(am__dirstamp)
446 kern/kernel_exec-mm.$(OBJEXT): kern/$(am__dirstamp) \
447@@ -30945,6 +30963,7 @@ distclean-compile:
448 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-file.Po@am__quote@
449 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-fs.Po@am__quote@
450 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-list.Po@am__quote@
451+@AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-lockdown.Po@am__quote@
452 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-main.Po@am__quote@
453 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-misc.Po@am__quote@
454 @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-mm.Po@am__quote@
455@@ -35293,6 +35312,20 @@ kern/efi/kernel_exec-sb.obj: kern/efi/sb.c
456 @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
457 @am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-sb.obj `if test -f 'kern/efi/sb.c'; then $(CYGPATH_W) 'kern/efi/sb.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/sb.c'; fi`
458
459+kern/kernel_exec-lockdown.o: kern/lockdown.c
460+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c
461+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdown.Po
462+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.o' libtool=no @AMDEPBACKSLASH@
463+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
464+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c
465+
466+kern/kernel_exec-lockdown.obj: kern/lockdown.c
467+@am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.obj -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi`
468+@am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdown.Po
469+@AMDEP_TRUE@@am__fastdepCC_FALSE@	$(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.obj' libtool=no @AMDEPBACKSLASH@
470+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
471+@am__fastdepCC_FALSE@	$(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi`
472+
473 kern/kernel_exec-compiler-rt.o: kern/compiler-rt.c
474 @am__fastdepCC_TRUE@	$(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-compiler-rt.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo -c -o kern/kernel_exec-compiler-rt.o `test -f 'kern/compiler-rt.c' || echo '$(srcdir)/'`kern/compiler-rt.c
475 @am__fastdepCC_TRUE@	$(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo kern/$(DEPDIR)/kernel_exec-compiler-rt.Po
476@@ -46650,8 +46683,10 @@ command.lst: $(MARKER_FILES)
477 	  b=`basename $$pp .marker`; \
478 	  sed -n \
479 	    -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
480+	    -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
481 	    -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
482-	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
483+	    -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
484+	    -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
485 	done) | sort -u > $@
486
487 partmap.lst: $(MARKER_FILES)
488diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
489index 69574e2..90a5ca2 100644
490--- a/grub-core/commands/extcmd.c
491+++ b/grub-core/commands/extcmd.c
492@@ -19,6 +19,7 @@
493
494 #include <grub/mm.h>
495 #include <grub/list.h>
496+#include <grub/lockdown.h>
497 #include <grub/misc.h>
498 #include <grub/extcmd.h>
499 #include <grub/script_sh.h>
500@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
501 				    summary, description, parser, 1);
502 }
503
504+static grub_err_t
505+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
506+                      int argc __attribute__ ((unused)),
507+                      char **argv __attribute__ ((unused)))
508+{
509+  return grub_error (GRUB_ERR_ACCESS_DENIED,
510+                     N_("%s: the command is not allowed when lockdown is enforced"),
511+                     ctxt->extcmd->cmd->name);
512+}
513+
514+grub_extcmd_t
515+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
516+                               grub_command_flags_t flags, const char *summary,
517+                               const char *description,
518+                               const struct grub_arg_option *parser)
519+{
520+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
521+    func = grub_extcmd_lockdown;
522+
523+  return grub_register_extcmd (name, func, flags, summary, description, parser);
524+}
525+
526 void
527 grub_unregister_extcmd (grub_extcmd_t ext)
528 {
529diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
530index acd7218..4aabcd4 100644
531--- a/grub-core/kern/command.c
532+++ b/grub-core/kern/command.c
533@@ -17,6 +17,7 @@
534  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
535  */
536
537+#include <grub/lockdown.h>
538 #include <grub/mm.h>
539 #include <grub/command.h>
540
541@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
542   return cmd;
543 }
544
545+static grub_err_t
546+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
547+                   int argc __attribute__ ((unused)),
548+                   char **argv __attribute__ ((unused)))
549+
550+{
551+  return grub_error (GRUB_ERR_ACCESS_DENIED,
552+                     N_("%s: the command is not allowed when lockdown is enforced"),
553+                     cmd->name);
554+}
555+
556+grub_command_t
557+grub_register_command_lockdown (const char *name,
558+                                grub_command_func_t func,
559+                                const char *summary,
560+                                const char *description)
561+{
562+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
563+    func = grub_cmd_lockdown;
564+
565+  return grub_register_command_prio (name, func, summary, description, 0);
566+}
567+
568 void
569 grub_unregister_command (grub_command_t cmd)
570 {
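Review bot: There is a stray blank line between the closing parenthesis of grub_cmd_lockdown's parameter list and its opening brace; remove it so the definition matches grub_extcmd_lockdown in grub-core/commands/extcmd.c. Separately, the lockdown decision in grub_register_command_lockdown is taken once, at registration time, through `grub_is_lockdown ()`, so a command registered before grub_lockdown() runs presumably keeps its real handler for the rest of the session, and the hunk does not record where grub_lockdown() is expected to be called relative to module loading. A comment above the `if` capturing that ordering requirement would help, e.g. `/* Decided once at registration: grub_lockdown () must already have run when the registering module is loaded. */`.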
571diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
572new file mode 100644
573index 0000000..1e56c0b
574--- /dev/null
575+++ b/grub-core/kern/lockdown.c
576@@ -0,0 +1,80 @@
577+/*
578+ *  GRUB  --  GRand Unified Bootloader
579+ *  Copyright (C) 2020  Free Software Foundation, Inc.
580+ *
581+ *  GRUB is free software: you can redistribute it and/or modify
582+ *  it under the terms of the GNU General Public License as published by
583+ *  the Free Software Foundation, either version 3 of the License, or
584+ *  (at your option) any later version.
585+ *
586+ *  GRUB is distributed in the hope that it will be useful,
587+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
588+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
589+ *  GNU General Public License for more details.
590+ *
591+ *  You should have received a copy of the GNU General Public License
592+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
593+ *
594+ */
595+
596+#include <grub/dl.h>
597+#include <grub/file.h>
598+#include <grub/lockdown.h>
599+#include <grub/verify.h>
600+
601+static int lockdown = GRUB_LOCKDOWN_DISABLED;
602+
603+static grub_err_t
604+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
605+                    enum grub_file_type type,
606+                    void **context __attribute__ ((unused)),
607+                    enum grub_verify_flags *flags)
608+{
609+  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
610+
611+  switch (type & GRUB_FILE_TYPE_MASK)
612+    {
613+    case GRUB_FILE_TYPE_GRUB_MODULE:
614+    case GRUB_FILE_TYPE_LINUX_KERNEL:
615+    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
616+    case GRUB_FILE_TYPE_XEN_HYPERVISOR:
617+    case GRUB_FILE_TYPE_BSD_KERNEL:
618+    case GRUB_FILE_TYPE_XNU_KERNEL:
619+    case GRUB_FILE_TYPE_PLAN9_KERNEL:
620+    case GRUB_FILE_TYPE_NTLDR:
621+    case GRUB_FILE_TYPE_TRUECRYPT:
622+    case GRUB_FILE_TYPE_FREEDOS:
623+    case GRUB_FILE_TYPE_PXECHAINLOADER:
624+    case GRUB_FILE_TYPE_PCCHAINLOADER:
625+    case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
626+    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
627+    case GRUB_FILE_TYPE_ACPI_TABLE:
628+    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
629+      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
630+
631+      /* Fall through. */
632+
633+    default:
634+      return GRUB_ERR_NONE;
635+    }
636+}
637+
638+struct grub_file_verifier lockdown_verifier =
639+  {
640+    .name = "lockdown_verifier",
641+    .init = lockdown_verifier_init,
642+  };
643+
644+void
645+grub_lockdown (void)
646+{
647+  lockdown = GRUB_LOCKDOWN_ENABLED;
648+
649+  grub_verifier_register (&lockdown_verifier);
650+}
651+
652+int
653+grub_is_lockdown (void)
654+{
655+  return lockdown;
656+}
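Review bot: grub_lockdown() is not idempotent: every call runs `grub_verifier_register (&lockdown_verifier)` again, so a second call would insert the same verifier node a second time, which with an intrusive list would presumably corrupt it. Guard the function with `if (lockdown == GRUB_LOCKDOWN_ENABLED) return;` before the assignment so lockdown is a one-way, single-registration operation. `lockdown_verifier` also has external linkage but is declared in no header; it should be `static struct grub_file_verifier lockdown_verifier =`. Minor style: the parameter lines of lockdown_verifier_init are indented by four spaces instead of being aligned under `grub_file_t io` as the other GNU-style prototypes in this patch are.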
657diff --git a/include/grub/command.h b/include/grub/command.h
658index eee4e84..2a6f7f8 100644
659--- a/include/grub/command.h
660+++ b/include/grub/command.h
661@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
662 					 const char *summary,
663 					 const char *description,
664 					 int prio);
665+grub_command_t
666+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
667+                                             grub_command_func_t func,
668+                                             const char *summary,
669+                                             const char *description);
670 void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
671
672 static inline grub_command_t
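Review bot: The new exported declaration has no comment explaining how grub_register_command_lockdown differs from grub_register_command_prio, and the same is true of grub_register_extcmd_lockdown in include/grub/extcmd.h. A short comment above each, e.g. `/* As grub_register_command_prio with priority 0, except that when lockdown is enforced the command is registered with a handler that only returns GRUB_ERR_ACCESS_DENIED. */`, would tell callers that the command remains registered and visible rather than being dropped.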
673diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
674index 19fe592..fe9248b 100644
675--- a/include/grub/extcmd.h
676+++ b/include/grub/extcmd.h
677@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
678 						 const char *description,
679 						 const struct grub_arg_option *parser);
680
681+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
682+                                                          grub_extcmd_func_t func,
683+                                                          grub_command_flags_t flags,
684+                                                          const char *summary,
685+                                                          const char *description,
686+                                                          const struct grub_arg_option *parser);
687+
688 grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
689 						      grub_extcmd_func_t func,
690 						      grub_command_flags_t flags,
691diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
692new file mode 100644
693index 0000000..40531fa
694--- /dev/null
695+++ b/include/grub/lockdown.h
696@@ -0,0 +1,44 @@
697+/*
698+ *  GRUB  --  GRand Unified Bootloader
699+ *  Copyright (C) 2020  Free Software Foundation, Inc.
700+ *
701+ *  GRUB is free software: you can redistribute it and/or modify
702+ *  it under the terms of the GNU General Public License as published by
703+ *  the Free Software Foundation, either version 3 of the License, or
704+ *  (at your option) any later version.
705+ *
706+ *  GRUB is distributed in the hope that it will be useful,
707+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
708+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
709+ *  GNU General Public License for more details.
710+ *
711+ *  You should have received a copy of the GNU General Public License
712+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
713+ */
714+
715+#ifndef GRUB_LOCKDOWN_H
716+#define GRUB_LOCKDOWN_H 1
717+
718+#include <grub/symbol.h>
719+
720+#define GRUB_LOCKDOWN_DISABLED       0
721+#define GRUB_LOCKDOWN_ENABLED        1
722+
723+#ifdef GRUB_MACHINE_EFI
724+extern void
725+EXPORT_FUNC (grub_lockdown) (void);
726+extern int
727+EXPORT_FUNC (grub_is_lockdown) (void);
728+#else
729+static inline void
730+grub_lockdown (void)
731+{
732+}
733+
734+static inline int
735+grub_is_lockdown (void)
736+{
737+  return GRUB_LOCKDOWN_DISABLED;
738+}
739+#endif
740+#endif /* ! GRUB_LOCKDOWN_H */
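Review bot: The `#else` branch makes grub_is_lockdown() always return GRUB_LOCKDOWN_DISABLED and grub_lockdown() a no-op, so on non-EFI targets grub_register_command_lockdown and grub_register_extcmd_lockdown register the real handler unconditionally; that is presumably intended, since the build changes in this patch compile kern/lockdown.c only for EFI targets, but nothing in the header says so. A comment above the `#ifdef GRUB_MACHINE_EFI`, e.g. `/* Lockdown is only implemented for EFI builds; on other platforms it is never enforced and these stubs report it as disabled. */`, would stop a reader from taking the stubs for a temporary placeholder. As a style point, the two `#define` values returned by grub_is_lockdown() would read better as an enum, but that is optional.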
741diff --git a/po/POTFILES.in b/po/POTFILES.in
742index 49755d3..5e26845 100644
743--- a/po/POTFILES.in
744+++ b/po/POTFILES.in
745@@ -309,6 +309,7 @@
746 ./grub-core/kern/ieee1275/mmap.c
747 ./grub-core/kern/ieee1275/openfw.c
748 ./grub-core/kern/list.c
749+./grub-core/kern/lockdown.c
750 ./grub-core/kern/main.c
751 ./grub-core/kern/mips/arc/init.c
752 ./grub-core/kern/mips/dl.c
753@@ -1207,6 +1208,7 @@
754 ./include/grub/linux.h
755 ./include/grub/list.h
756 ./include/grub/loader.h
757+./include/grub/lockdown.h
758 ./include/grub/lvm.h
759 ./include/grub/macho.h
760 ./include/grub/machoload.h
761--
7622.14.2
763
764