1*4882a593SmuzhiyunFrom 578c95298bcc46e0296f4c786db64c2ff26ce2cc Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Javier Martinez Canillas <javierm@redhat.com>
3*4882a593SmuzhiyunDate: Mon, 28 Sep 2020 20:08:02 +0200
4*4882a593SmuzhiyunSubject: [PATCH] kern: Add lockdown support
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunWhen the GRUB starts on a secure boot platform, some commands can be
7*4882a593Smuzhiyunused to subvert the protections provided by the verification mechanism and
8*4882a593Smuzhiyuncould lead to booting untrusted system.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunTo prevent that situation, allow GRUB to be locked down. That way the code
11*4882a593Smuzhiyunmay check if GRUB has been locked down and further restrict the commands
12*4882a593Smuzhiyunthat are registered or what subset of their functionality could be used.
13*4882a593Smuzhiyun
14*4882a593SmuzhiyunThe lockdown support adds the following components:
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun* The grub_lockdown() function which can be used to lockdown GRUB if,
17*4882a593Smuzhiyun e.g., UEFI Secure Boot is enabled.
18*4882a593Smuzhiyun
19*4882a593Smuzhiyun* The grub_is_lockdown() function which can be used to check if the GRUB
20*4882a593Smuzhiyun was locked down.
21*4882a593Smuzhiyun
22*4882a593Smuzhiyun* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
23*4882a593Smuzhiyun tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
24*4882a593Smuzhiyun verifiers. These files are only successfully verified if another registered
25*4882a593Smuzhiyun verifier returns success. Otherwise, the whole verification process fails.
26*4882a593Smuzhiyun
27*4882a593Smuzhiyun For example, PE/COFF binaries verification can be done by the shim_lock
28*4882a593Smuzhiyun verifier which validates the signatures using the shim_lock protocol.
29*4882a593Smuzhiyun However, the verification is not deferred directly to the shim_lock verifier.
30*4882a593Smuzhiyun The shim_lock verifier is hooked into the verification process instead.
31*4882a593Smuzhiyun
32*4882a593Smuzhiyun* A set of grub_{command,extcmd}_lockdown functions that can be used by
33*4882a593Smuzhiyun code registering command handlers, to only register unsafe commands if
34*4882a593Smuzhiyun the GRUB has not been locked down.
35*4882a593Smuzhiyun
36*4882a593SmuzhiyunSigned-off-by: Javier Martinez Canillas <javierm@redhat.com>
37*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
38*4882a593Smuzhiyun[Add changes to generated files]
39*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
40*4882a593Smuzhiyun---
41*4882a593Smuzhiyun Makefile.in | 2 ++
42*4882a593Smuzhiyun conf/Makefile.common | 2 ++
43*4882a593Smuzhiyun docs/grub-dev.texi | 27 +++++++++++++++
44*4882a593Smuzhiyun docs/grub.texi | 8 +++++
45*4882a593Smuzhiyun grub-core/Makefile.am | 5 ++-
46*4882a593Smuzhiyun grub-core/Makefile.core.am | 14 ++++----
47*4882a593Smuzhiyun grub-core/Makefile.core.def | 1 +
48*4882a593Smuzhiyun grub-core/Makefile.in | 73 ++++++++++++++++++++++++++++++-----------
49*4882a593Smuzhiyun grub-core/commands/extcmd.c | 23 +++++++++++++
50*4882a593Smuzhiyun grub-core/kern/command.c | 24 ++++++++++++++
51*4882a593Smuzhiyun grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++++++++++
52*4882a593Smuzhiyun include/grub/command.h | 5 +++
53*4882a593Smuzhiyun include/grub/extcmd.h | 7 ++++
54*4882a593Smuzhiyun include/grub/lockdown.h | 44 +++++++++++++++++++++++++
55*4882a593Smuzhiyun po/POTFILES.in | 2 ++
56*4882a593Smuzhiyun 15 files changed, 290 insertions(+), 27 deletions(-)
57*4882a593Smuzhiyun create mode 100644 grub-core/kern/lockdown.c
58*4882a593Smuzhiyun create mode 100644 include/grub/lockdown.h
59*4882a593Smuzhiyun
60*4882a593Smuzhiyundiff --git a/Makefile.in b/Makefile.in
61*4882a593Smuzhiyunindex e6a185b..ecb3278 100644
62*4882a593Smuzhiyun--- a/Makefile.in
63*4882a593Smuzhiyun+++ b/Makefile.in
64*4882a593Smuzhiyun@@ -2617,7 +2617,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
65*4882a593Smuzhiyun CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \
66*4882a593Smuzhiyun '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
67*4882a593Smuzhiyun CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \
68*4882a593Smuzhiyun+ '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
69*4882a593Smuzhiyun '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \
70*4882a593Smuzhiyun+ '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \
71*4882a593Smuzhiyun '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
72*4882a593Smuzhiyun CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
73*4882a593Smuzhiyun CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
74*4882a593Smuzhiyundiff --git a/conf/Makefile.common b/conf/Makefile.common
75*4882a593Smuzhiyunindex 6cd71cb..2a1a886 100644
76*4882a593Smuzhiyun--- a/conf/Makefile.common
77*4882a593Smuzhiyun+++ b/conf/Makefile.common
78*4882a593Smuzhiyun@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
79*4882a593Smuzhiyun CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
80*4882a593Smuzhiyun CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
81*4882a593Smuzhiyun CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
82*4882a593Smuzhiyun+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
83*4882a593Smuzhiyun CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
84*4882a593Smuzhiyun+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
85*4882a593Smuzhiyun CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
86*4882a593Smuzhiyun CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
87*4882a593Smuzhiyun CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
88*4882a593Smuzhiyundiff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
89*4882a593Smuzhiyunindex ee389fd..635ec72 100644
90*4882a593Smuzhiyun--- a/docs/grub-dev.texi
91*4882a593Smuzhiyun+++ b/docs/grub-dev.texi
92*4882a593Smuzhiyun@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
93*4882a593Smuzhiyun * PFF2 Font File Format::
94*4882a593Smuzhiyun * Graphical Menu Software Design::
95*4882a593Smuzhiyun * Verifiers framework::
96*4882a593Smuzhiyun+* Lockdown framework::
97*4882a593Smuzhiyun * Copying This Manual:: Copying This Manual
98*4882a593Smuzhiyun * Index::
99*4882a593Smuzhiyun @end menu
100*4882a593Smuzhiyun@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
101*4882a593Smuzhiyun the context. If you return no error during any of @samp{init}, @samp{write} and
102*4882a593Smuzhiyun @samp{fini} then the file is considered as having succeded verification.
103*4882a593Smuzhiyun
104*4882a593Smuzhiyun+@node Lockdown framework
105*4882a593Smuzhiyun+@chapter Lockdown framework
106*4882a593Smuzhiyun+
107*4882a593Smuzhiyun+The GRUB can be locked down, which is a restricted mode where some operations
108*4882a593Smuzhiyun+are not allowed. For instance, some commands cannot be used when the GRUB is
109*4882a593Smuzhiyun+locked down.
110*4882a593Smuzhiyun+
111*4882a593Smuzhiyun+The function
112*4882a593Smuzhiyun+@code{grub_lockdown()} is used to lockdown GRUB and the function
113*4882a593Smuzhiyun+@code{grub_is_lockdown()} function can be used to check whether lockdown is
114*4882a593Smuzhiyun+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
115*4882a593Smuzhiyun+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
116*4882a593Smuzhiyun+
117*4882a593Smuzhiyun+The following functions can be used to register the commands that can only be
118*4882a593Smuzhiyun+used when lockdown is disabled:
119*4882a593Smuzhiyun+
120*4882a593Smuzhiyun+@itemize
121*4882a593Smuzhiyun+
122*4882a593Smuzhiyun+@item @code{grub_cmd_lockdown()} registers command which should not run when the
123*4882a593Smuzhiyun+GRUB is in lockdown mode.
124*4882a593Smuzhiyun+
125*4882a593Smuzhiyun+@item @code{grub_cmd_lockdown()} registers extended command which should not run
126*4882a593Smuzhiyun+when the GRUB is in lockdown mode.
127*4882a593Smuzhiyun+
128*4882a593Smuzhiyun+@end itemize
129*4882a593Smuzhiyun+
130*4882a593Smuzhiyun @node Copying This Manual
131*4882a593Smuzhiyun @appendix Copying This Manual
132*4882a593Smuzhiyun
133*4882a593Smuzhiyundiff --git a/docs/grub.texi b/docs/grub.texi
134*4882a593Smuzhiyunindex aefe032..a25459f 100644
135*4882a593Smuzhiyun--- a/docs/grub.texi
136*4882a593Smuzhiyun+++ b/docs/grub.texi
137*4882a593Smuzhiyun@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
138*4882a593Smuzhiyun * Using digital signatures:: Booting digitally signed code
139*4882a593Smuzhiyun * UEFI secure boot and shim:: Booting digitally signed PE files
140*4882a593Smuzhiyun * Measured Boot:: Measuring boot components
141*4882a593Smuzhiyun+* Lockdown:: Lockdown when booting on a secure setup
142*4882a593Smuzhiyun @end menu
143*4882a593Smuzhiyun
144*4882a593Smuzhiyun @node Authentication and authorisation
145*4882a593Smuzhiyun@@ -5795,6 +5796,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
146*4882a593Smuzhiyun
147*4882a593Smuzhiyun Measured boot is currently only supported on EFI platforms.
148*4882a593Smuzhiyun
149*4882a593Smuzhiyun+@node Lockdown
150*4882a593Smuzhiyun+@section Lockdown when booting on a secure setup
151*4882a593Smuzhiyun+
152*4882a593Smuzhiyun+The GRUB can be locked down when booted on a secure boot environment, for example
153*4882a593Smuzhiyun+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
154*4882a593Smuzhiyun+be restricted and some operations/commands cannot be executed.
155*4882a593Smuzhiyun+
156*4882a593Smuzhiyun @node Platform limitations
157*4882a593Smuzhiyun @chapter Platform limitations
158*4882a593Smuzhiyun
159*4882a593Smuzhiyundiff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
160*4882a593Smuzhiyunindex cc6fc7d..30e23ad 100644
161*4882a593Smuzhiyun--- a/grub-core/Makefile.am
162*4882a593Smuzhiyun+++ b/grub-core/Makefile.am
163*4882a593Smuzhiyun@@ -80,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
164*4882a593Smuzhiyun KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
165*4882a593Smuzhiyun KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
166*4882a593Smuzhiyun KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
167*4882a593Smuzhiyun+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
168*4882a593Smuzhiyun KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
169*4882a593Smuzhiyun if COND_emu
170*4882a593Smuzhiyun KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
171*4882a593Smuzhiyun@@ -377,8 +378,10 @@ command.lst: $(MARKER_FILES)
172*4882a593Smuzhiyun b=`basename $$pp .marker`; \
173*4882a593Smuzhiyun sed -n \
174*4882a593Smuzhiyun -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
175*4882a593Smuzhiyun+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
176*4882a593Smuzhiyun -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
177*4882a593Smuzhiyun- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
178*4882a593Smuzhiyun+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
179*4882a593Smuzhiyun+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
180*4882a593Smuzhiyun done) | sort -u > $@
181*4882a593Smuzhiyun platform_DATA += command.lst
182*4882a593Smuzhiyun CLEANFILES += command.lst
183*4882a593Smuzhiyundiff --git a/grub-core/Makefile.core.am b/grub-core/Makefile.core.am
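Review bot: The sed script in the `command.lst` rule now depends on expression order in two places, and nothing in the rule says so. The added `/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/` pattern is unanchored, so it also matches `EXTCOMMAND_LOCKDOWN_LIST_MARKER(` lines; the output is right only because the EXT expression runs first and rewrites the line before the bare pattern is tried. If a later edit moves a bare expression up, extended commands would be listed without their `*` prefix and nothing would fail at build time. I would add a comment above the rule, `# Keep the EXT*/P1* expressions ahead of the bare COMMAND_* ones: the bare patterns match them as substrings.` The rule header sits before the hunk, so the comment belongs outside the lines shown.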
184*4882a593Smuzhiyunindex 5623a5e..fbfb627 100644 185*4882a593Smuzhiyun--- a/grub-core/Makefile.core.am 186*4882a593Smuzhiyun+++ b/grub-core/Makefile.core.am 187*4882a593Smuzhiyun@@ -22378,7 +22378,7 @@ endif 188*4882a593Smuzhiyun if COND_i386_efi 189*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 190*4882a593Smuzhiyun kernel_exec_SOURCES = kern/i386/efi/startup.S 191*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 192*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/i386/efi/init.c bus/pci.c kern/i386/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 193*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 194*4882a593Smuzhiyun kernel_exec_LDADD = 195*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 196*4882a593Smuzhiyun@@ -22488,7 +22488,7 @@ endif 197*4882a593Smuzhiyun if COND_x86_64_efi 198*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 199*4882a593Smuzhiyun 
kernel_exec_SOURCES = kern/x86_64/efi/startup.S 200*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 201*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/i386/efi/tsc.c kern/i386/tsc_pmtimer.c kern/x86_64/efi/callwrap.S kern/i386/efi/init.c bus/pci.c kern/x86_64/dl.c kern/i386/tsc.c kern/i386/tsc_pit.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 202*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 203*4882a593Smuzhiyun kernel_exec_LDADD = 204*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 205*4882a593Smuzhiyun@@ -22664,7 +22664,7 @@ endif 206*4882a593Smuzhiyun if COND_ia64_efi 207*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 208*4882a593Smuzhiyun kernel_exec_SOURCES = 209*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c 
kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 210*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/ia64/efi/startup.S kern/ia64/efi/init.c kern/ia64/dl.c kern/ia64/dl_helper.c kern/ia64/cache.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 211*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 212*4882a593Smuzhiyun kernel_exec_LDADD = 213*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) -fno-builtin -fpic -minline-int-divide-max-throughput 214*4882a593Smuzhiyun@@ -22730,7 +22730,7 @@ endif 215*4882a593Smuzhiyun if COND_arm_efi 216*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 217*4882a593Smuzhiyun kernel_exec_SOURCES = kern/arm/efi/startup.S 218*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c 
kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 219*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/arm/efi/init.c kern/efi/fdt.c kern/arm/dl.c kern/arm/dl_helper.c kern/arm/cache_armv6.S kern/arm/cache_armv7.S kern/arm/cache.c kern/arm/compiler-rt.S lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 220*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 221*4882a593Smuzhiyun kernel_exec_LDADD = 222*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 223*4882a593Smuzhiyun@@ -22752,7 +22752,7 @@ endif 224*4882a593Smuzhiyun if COND_arm64_efi 225*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 226*4882a593Smuzhiyun kernel_exec_SOURCES = kern/arm64/efi/startup.S 227*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 228*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/arm64/efi/init.c kern/efi/fdt.c kern/arm64/cache.c kern/arm64/cache_flush.S kern/arm64/dl.c kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c 
kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 229*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 230*4882a593Smuzhiyun kernel_exec_LDADD = 231*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 232*4882a593Smuzhiyun@@ -22796,7 +22796,7 @@ endif 233*4882a593Smuzhiyun if COND_riscv32_efi 234*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 235*4882a593Smuzhiyun kernel_exec_SOURCES = kern/riscv/efi/startup.S 236*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 237*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c lib/division.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c 
kern/rescue_reader.c kern/term.c kern/verifiers.c 238*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 239*4882a593Smuzhiyun kernel_exec_LDADD = 240*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 241*4882a593Smuzhiyun@@ -22818,7 +22818,7 @@ endif 242*4882a593Smuzhiyun if COND_riscv64_efi 243*4882a593Smuzhiyun platform_PROGRAMS += kernel.exec 244*4882a593Smuzhiyun kernel_exec_SOURCES = kern/riscv/efi/startup.S 245*4882a593Smuzhiyun-kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 246*4882a593Smuzhiyun+kernel_exec_SOURCES += kern/riscv/efi/init.c kern/efi/fdt.c kern/riscv/cache.c kern/riscv/cache_flush.S kern/riscv/dl.c disk/efi/efidisk.c kern/efi/efi.c kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c kern/compiler-rt.c kern/mm.c kern/time.c kern/generic/millisleep.c kern/command.c kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c kern/misc.c kern/parser.c kern/partition.c kern/rescue_parser.c kern/rescue_reader.c kern/term.c kern/verifiers.c 247*4882a593Smuzhiyun nodist_kernel_exec_SOURCES = symlist.c ## platform nodist sources 248*4882a593Smuzhiyun kernel_exec_LDADD = 249*4882a593Smuzhiyun kernel_exec_CFLAGS = $(AM_CFLAGS) $(CFLAGS_KERNEL) 250*4882a593Smuzhiyundiff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def 251*4882a593Smuzhiyunindex 4d380ed..ee8dc55 100644 
252*4882a593Smuzhiyun--- a/grub-core/Makefile.core.def 253*4882a593Smuzhiyun+++ b/grub-core/Makefile.core.def 254*4882a593Smuzhiyun@@ -205,6 +205,7 @@ kernel = { 255*4882a593Smuzhiyun efi = kern/acpi.c; 256*4882a593Smuzhiyun efi = kern/efi/acpi.c; 257*4882a593Smuzhiyun efi = kern/efi/sb.c; 258*4882a593Smuzhiyun+ efi = kern/lockdown.c; 259*4882a593Smuzhiyun i386_coreboot = kern/i386/pc/acpi.c; 260*4882a593Smuzhiyun i386_multiboot = kern/i386/pc/acpi.c; 261*4882a593Smuzhiyun i386_coreboot = kern/acpi.c; 262*4882a593Smuzhiyundiff --git a/grub-core/Makefile.in b/grub-core/Makefile.in 263*4882a593Smuzhiyunindex 09dc802..ac400ea 100644 264*4882a593Smuzhiyun--- a/grub-core/Makefile.in 265*4882a593Smuzhiyun+++ b/grub-core/Makefile.in 266*4882a593Smuzhiyun@@ -10457,13 +10457,14 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 267*4882a593Smuzhiyun kern/arm64/cache_flush.S kern/arm64/dl.c \ 268*4882a593Smuzhiyun kern/arm64/dl_helper.c disk/efi/efidisk.c kern/efi/efi.c \ 269*4882a593Smuzhiyun kern/efi/init.c kern/efi/mm.c term/efi/console.c kern/acpi.c \ 270*4882a593Smuzhiyun- kern/efi/acpi.c kern/efi/sb.c kern/compiler-rt.c kern/mm.c \ 271*4882a593Smuzhiyun- kern/time.c kern/generic/millisleep.c kern/command.c \ 272*4882a593Smuzhiyun- kern/corecmd.c kern/device.c kern/disk.c kern/dl.c kern/env.c \ 273*4882a593Smuzhiyun- kern/err.c kern/file.c kern/fs.c kern/list.c kern/main.c \ 274*4882a593Smuzhiyun- kern/misc.c kern/parser.c kern/partition.c \ 275*4882a593Smuzhiyun- kern/rescue_parser.c kern/rescue_reader.c kern/term.c \ 276*4882a593Smuzhiyun- kern/verifiers.c kern/arm/startup.S kern/arm/coreboot/init.c \ 277*4882a593Smuzhiyun+ kern/efi/acpi.c kern/efi/sb.c kern/lockdown.c \ 278*4882a593Smuzhiyun+ kern/compiler-rt.c kern/mm.c kern/time.c \ 279*4882a593Smuzhiyun+ kern/generic/millisleep.c kern/command.c kern/corecmd.c \ 280*4882a593Smuzhiyun+ kern/device.c kern/disk.c kern/dl.c kern/env.c kern/err.c \ 281*4882a593Smuzhiyun+ kern/file.c kern/fs.c kern/list.c 
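Review bot: `efi = kern/lockdown.c;` builds the lockdown implementation for EFI targets only, while the diffstat lists `grub-core/kern/command.c` and `grub-core/commands/extcmd.c` as gaining lockdown code too, and those are presumably compiled for every platform. Their hunks and `include/grub/lockdown.h` are not visible here, so confirm that the header gives non-EFI builds fallbacks for `grub_lockdown()` and `grub_is_lockdown()`, the latter returning `GRUB_LOCKDOWN_DISABLED`; without them those targets would not link. The user manual section added in `docs/grub.texi` should also say so, for example `Lockdown is currently only supported on EFI platforms.`, matching the sentence already used for measured boot, so nobody assumes the restriction applies elsewhere. The `kernel = {` block starts and ends outside the hunk.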
kern/main.c kern/misc.c \ 282*4882a593Smuzhiyun+ kern/parser.c kern/partition.c kern/rescue_parser.c \ 283*4882a593Smuzhiyun+ kern/rescue_reader.c kern/term.c kern/verifiers.c \ 284*4882a593Smuzhiyun+ kern/arm/startup.S kern/arm/coreboot/init.c \ 285*4882a593Smuzhiyun kern/arm/coreboot/timer.c kern/arm/coreboot/coreboot.S \ 286*4882a593Smuzhiyun lib/fdt.c bus/fdt.c term/ps2.c term/arm/pl050.c \ 287*4882a593Smuzhiyun term/arm/cros.c term/arm/cros_ec.c bus/spi/rk3288_spi.c \ 288*4882a593Smuzhiyun@@ -10572,6 +10573,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 289*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 290*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 291*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 292*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 293*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 294*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 295*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_FALSE@@COND_sparc64_ieee1275_FALSE@@COND_x86_64_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 296*4882a593Smuzhiyun@@ -10646,6 +10648,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 297*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 298*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 299*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 300*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 301*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 302*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 303*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_FALSE@@COND_riscv64_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 304*4882a593Smuzhiyun@@ -10683,6 +10686,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 305*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 306*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 307*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 308*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 309*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 310*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 311*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_FALSE@@COND_mips_arc_FALSE@@COND_mips_loongson_FALSE@@COND_mips_qemu_mips_FALSE@@COND_powerpc_ieee1275_FALSE@@COND_riscv32_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 312*4882a593Smuzhiyun@@ -10884,6 +10888,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 313*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 314*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 315*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 316*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 317*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 318*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 319*4882a593Smuzhiyun 
@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_FALSE@@COND_i386_ieee1275_FALSE@@COND_i386_multiboot_FALSE@@COND_i386_pc_FALSE@@COND_i386_qemu_FALSE@@COND_i386_xen_FALSE@@COND_i386_xen_pvh_FALSE@@COND_ia64_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 320*4882a593Smuzhiyun@@ -11120,6 +11125,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 321*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 322*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 323*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 324*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 325*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 326*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 327*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_FALSE@@COND_arm_uboot_FALSE@@COND_emu_FALSE@@COND_i386_coreboot_FALSE@@COND_i386_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 328*4882a593Smuzhiyun@@ -11287,6 +11293,7 @@ am__kernel_exec_SOURCES_DIST = 
kern/arm64/efi/startup.S \ 329*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 330*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 331*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 332*4882a593Smuzhiyun+@COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 333*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 334*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 335*4882a593Smuzhiyun @COND_arm64_efi_FALSE@@COND_arm_coreboot_FALSE@@COND_arm_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 336*4882a593Smuzhiyun@@ -11379,6 +11386,7 @@ am__kernel_exec_SOURCES_DIST = kern/arm64/efi/startup.S \ 337*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/kernel_exec-acpi.$(OBJEXT) \ 338*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/efi/kernel_exec-acpi.$(OBJEXT) \ 339*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/efi/kernel_exec-sb.$(OBJEXT) \ 340*4882a593Smuzhiyun+@COND_arm64_efi_TRUE@ kern/kernel_exec-lockdown.$(OBJEXT) \ 341*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/kernel_exec-compiler-rt.$(OBJEXT) \ 342*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/kernel_exec-mm.$(OBJEXT) \ 343*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/kernel_exec-time.$(OBJEXT) \ 344*4882a593Smuzhiyun@@ -15379,7 +15387,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER 345*4882a593Smuzhiyun CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' \ 346*4882a593Smuzhiyun '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' 347*4882a593Smuzhiyun CPPFLAGS_COMMAND_LIST = 
'-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' \ 348*4882a593Smuzhiyun+ '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \ 349*4882a593Smuzhiyun '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' \ 350*4882a593Smuzhiyun+ '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' \ 351*4882a593Smuzhiyun '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' 352*4882a593Smuzhiyun CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)' 353*4882a593Smuzhiyun CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ 354*4882a593Smuzhiyun@@ -16387,6 +16397,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \ 355*4882a593Smuzhiyun $(top_srcdir)/include/grub/i18n.h \ 356*4882a593Smuzhiyun $(top_srcdir)/include/grub/kernel.h \ 357*4882a593Smuzhiyun $(top_srcdir)/include/grub/list.h \ 358*4882a593Smuzhiyun+ $(top_srcdir)/include/grub/lockdown.h \ 359*4882a593Smuzhiyun $(top_srcdir)/include/grub/misc.h $(am__append_5794) \ 360*4882a593Smuzhiyun $(am__append_5795) $(top_srcdir)/include/grub/mm.h \ 361*4882a593Smuzhiyun $(top_srcdir)/include/grub/parser.h \ 362*4882a593Smuzhiyun@@ -25594,7 +25605,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 363*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/efi/efi.c kern/efi/init.c \ 364*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/efi/mm.c term/efi/console.c \ 365*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \ 366*4882a593Smuzhiyun-@COND_arm64_efi_TRUE@ kern/compiler-rt.c kern/mm.c kern/time.c \ 367*4882a593Smuzhiyun+@COND_arm64_efi_TRUE@ kern/lockdown.c kern/compiler-rt.c \ 368*4882a593Smuzhiyun+@COND_arm64_efi_TRUE@ kern/mm.c kern/time.c \ 369*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/generic/millisleep.c kern/command.c \ 370*4882a593Smuzhiyun @COND_arm64_efi_TRUE@ kern/corecmd.c kern/device.c kern/disk.c \ 371*4882a593Smuzhiyun 
@COND_arm64_efi_TRUE@ kern/dl.c kern/env.c kern/err.c \ 372*4882a593Smuzhiyun@@ -25645,7 +25657,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 373*4882a593Smuzhiyun @COND_arm_efi_TRUE@ kern/efi/init.c kern/efi/mm.c \ 374*4882a593Smuzhiyun @COND_arm_efi_TRUE@ term/efi/console.c kern/acpi.c \ 375*4882a593Smuzhiyun @COND_arm_efi_TRUE@ kern/efi/acpi.c kern/efi/sb.c \ 376*4882a593Smuzhiyun-@COND_arm_efi_TRUE@ kern/compiler-rt.c kern/mm.c kern/time.c \ 377*4882a593Smuzhiyun+@COND_arm_efi_TRUE@ kern/lockdown.c kern/compiler-rt.c \ 378*4882a593Smuzhiyun+@COND_arm_efi_TRUE@ kern/mm.c kern/time.c \ 379*4882a593Smuzhiyun @COND_arm_efi_TRUE@ kern/generic/millisleep.c kern/command.c \ 380*4882a593Smuzhiyun @COND_arm_efi_TRUE@ kern/corecmd.c kern/device.c kern/disk.c \ 381*4882a593Smuzhiyun @COND_arm_efi_TRUE@ kern/dl.c kern/env.c kern/err.c kern/file.c \ 382*4882a593Smuzhiyun@@ -25725,7 +25738,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 383*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/efi/efi.c kern/efi/init.c \ 384*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/efi/mm.c term/efi/console.c \ 385*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/acpi.c kern/efi/acpi.c kern/efi/sb.c \ 386*4882a593Smuzhiyun-@COND_i386_efi_TRUE@ kern/compiler-rt.c kern/mm.c kern/time.c \ 387*4882a593Smuzhiyun+@COND_i386_efi_TRUE@ kern/lockdown.c kern/compiler-rt.c \ 388*4882a593Smuzhiyun+@COND_i386_efi_TRUE@ kern/mm.c kern/time.c \ 389*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/generic/millisleep.c kern/command.c \ 390*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/corecmd.c kern/device.c kern/disk.c \ 391*4882a593Smuzhiyun @COND_i386_efi_TRUE@ kern/dl.c kern/env.c kern/err.c \ 392*4882a593Smuzhiyun@@ -25843,7 +25857,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 393*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/efi/efi.c kern/efi/init.c \ 394*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/efi/mm.c term/efi/console.c \ 395*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/acpi.c 
kern/efi/acpi.c kern/efi/sb.c \ 396*4882a593Smuzhiyun-@COND_ia64_efi_TRUE@ kern/compiler-rt.c kern/mm.c kern/time.c \ 397*4882a593Smuzhiyun+@COND_ia64_efi_TRUE@ kern/lockdown.c kern/compiler-rt.c \ 398*4882a593Smuzhiyun+@COND_ia64_efi_TRUE@ kern/mm.c kern/time.c \ 399*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/generic/millisleep.c kern/command.c \ 400*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/corecmd.c kern/device.c kern/disk.c \ 401*4882a593Smuzhiyun @COND_ia64_efi_TRUE@ kern/dl.c kern/env.c kern/err.c \ 402*4882a593Smuzhiyun@@ -25956,8 +25971,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 403*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ kern/efi/init.c kern/efi/mm.c \ 404*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ term/efi/console.c kern/acpi.c \ 405*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ kern/efi/acpi.c kern/efi/sb.c \ 406*4882a593Smuzhiyun-@COND_riscv32_efi_TRUE@ kern/compiler-rt.c kern/mm.c \ 407*4882a593Smuzhiyun-@COND_riscv32_efi_TRUE@ kern/time.c kern/generic/millisleep.c \ 408*4882a593Smuzhiyun+@COND_riscv32_efi_TRUE@ kern/lockdown.c kern/compiler-rt.c \ 409*4882a593Smuzhiyun+@COND_riscv32_efi_TRUE@ kern/mm.c kern/time.c \ 410*4882a593Smuzhiyun+@COND_riscv32_efi_TRUE@ kern/generic/millisleep.c \ 411*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ kern/command.c kern/corecmd.c \ 412*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ kern/device.c kern/disk.c kern/dl.c \ 413*4882a593Smuzhiyun @COND_riscv32_efi_TRUE@ kern/env.c kern/err.c kern/file.c \ 414*4882a593Smuzhiyun@@ -25974,9 +25990,9 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 415*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/efi/efi.c kern/efi/init.c \ 416*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/efi/mm.c term/efi/console.c \ 417*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/acpi.c kern/efi/acpi.c \ 418*4882a593Smuzhiyun-@COND_riscv64_efi_TRUE@ kern/efi/sb.c kern/compiler-rt.c \ 419*4882a593Smuzhiyun-@COND_riscv64_efi_TRUE@ kern/mm.c kern/time.c \ 
420*4882a593Smuzhiyun-@COND_riscv64_efi_TRUE@ kern/generic/millisleep.c \ 421*4882a593Smuzhiyun+@COND_riscv64_efi_TRUE@ kern/efi/sb.c kern/lockdown.c \ 422*4882a593Smuzhiyun+@COND_riscv64_efi_TRUE@ kern/compiler-rt.c kern/mm.c \ 423*4882a593Smuzhiyun+@COND_riscv64_efi_TRUE@ kern/time.c kern/generic/millisleep.c \ 424*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/command.c kern/corecmd.c \ 425*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/device.c kern/disk.c kern/dl.c \ 426*4882a593Smuzhiyun @COND_riscv64_efi_TRUE@ kern/env.c kern/err.c kern/file.c \ 427*4882a593Smuzhiyun@@ -26022,8 +26038,8 @@ gcry_whirlpool_module_DEPENDENCIES = $(TARGET_OBJ2ELF) 428*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/efi/efi.c kern/efi/init.c \ 429*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/efi/mm.c term/efi/console.c \ 430*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/acpi.c kern/efi/acpi.c \ 431*4882a593Smuzhiyun-@COND_x86_64_efi_TRUE@ kern/efi/sb.c kern/compiler-rt.c \ 432*4882a593Smuzhiyun-@COND_x86_64_efi_TRUE@ kern/mm.c kern/time.c \ 433*4882a593Smuzhiyun+@COND_x86_64_efi_TRUE@ kern/efi/sb.c kern/lockdown.c \ 434*4882a593Smuzhiyun+@COND_x86_64_efi_TRUE@ kern/compiler-rt.c kern/mm.c kern/time.c \ 435*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/generic/millisleep.c kern/command.c \ 436*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/corecmd.c kern/device.c kern/disk.c \ 437*4882a593Smuzhiyun @COND_x86_64_efi_TRUE@ kern/dl.c kern/env.c kern/err.c \ 438*4882a593Smuzhiyun@@ -27994,6 +28010,8 @@ kern/efi/kernel_exec-acpi.$(OBJEXT): kern/efi/$(am__dirstamp) \ 439*4882a593Smuzhiyun kern/efi/$(DEPDIR)/$(am__dirstamp) 440*4882a593Smuzhiyun kern/efi/kernel_exec-sb.$(OBJEXT): kern/efi/$(am__dirstamp) \ 441*4882a593Smuzhiyun kern/efi/$(DEPDIR)/$(am__dirstamp) 442*4882a593Smuzhiyun+kern/kernel_exec-lockdown.$(OBJEXT): kern/$(am__dirstamp) \ 443*4882a593Smuzhiyun+ kern/$(DEPDIR)/$(am__dirstamp) 444*4882a593Smuzhiyun kern/kernel_exec-compiler-rt.$(OBJEXT): kern/$(am__dirstamp) \ 
445*4882a593Smuzhiyun kern/$(DEPDIR)/$(am__dirstamp) 446*4882a593Smuzhiyun kern/kernel_exec-mm.$(OBJEXT): kern/$(am__dirstamp) \ 447*4882a593Smuzhiyun@@ -30945,6 +30963,7 @@ distclean-compile: 448*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-file.Po@am__quote@ 449*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-fs.Po@am__quote@ 450*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-list.Po@am__quote@ 451*4882a593Smuzhiyun+@AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-lockdown.Po@am__quote@ 452*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-main.Po@am__quote@ 453*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-misc.Po@am__quote@ 454*4882a593Smuzhiyun @AMDEP_TRUE@@am__include@ @am__quote@kern/$(DEPDIR)/kernel_exec-mm.Po@am__quote@ 455*4882a593Smuzhiyun@@ -35293,6 +35312,20 @@ kern/efi/kernel_exec-sb.obj: kern/efi/sb.c 456*4882a593Smuzhiyun @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 457*4882a593Smuzhiyun @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/efi/kernel_exec-sb.obj `if test -f 'kern/efi/sb.c'; then $(CYGPATH_W) 'kern/efi/sb.c'; else $(CYGPATH_W) '$(srcdir)/kern/efi/sb.c'; fi` 458*4882a593Smuzhiyun 459*4882a593Smuzhiyun+kern/kernel_exec-lockdown.o: kern/lockdown.c 460*4882a593Smuzhiyun+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c 461*4882a593Smuzhiyun+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo 
kern/$(DEPDIR)/kernel_exec-lockdown.Po 462*4882a593Smuzhiyun+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.o' libtool=no @AMDEPBACKSLASH@ 463*4882a593Smuzhiyun+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 464*4882a593Smuzhiyun+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.o `test -f 'kern/lockdown.c' || echo '$(srcdir)/'`kern/lockdown.c 465*4882a593Smuzhiyun+ 466*4882a593Smuzhiyun+kern/kernel_exec-lockdown.obj: kern/lockdown.c 467*4882a593Smuzhiyun+@am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-lockdown.obj -MD -MP -MF kern/$(DEPDIR)/kernel_exec-lockdown.Tpo -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi` 468*4882a593Smuzhiyun+@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-lockdown.Tpo kern/$(DEPDIR)/kernel_exec-lockdown.Po 469*4882a593Smuzhiyun+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='kern/lockdown.c' object='kern/kernel_exec-lockdown.obj' libtool=no @AMDEPBACKSLASH@ 470*4882a593Smuzhiyun+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ 471*4882a593Smuzhiyun+@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -c -o kern/kernel_exec-lockdown.obj `if test -f 'kern/lockdown.c'; then $(CYGPATH_W) 'kern/lockdown.c'; else $(CYGPATH_W) '$(srcdir)/kern/lockdown.c'; fi` 472*4882a593Smuzhiyun+ 473*4882a593Smuzhiyun kern/kernel_exec-compiler-rt.o: kern/compiler-rt.c 474*4882a593Smuzhiyun @am__fastdepCC_TRUE@ $(AM_V_CC)$(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(kernel_exec_CPPFLAGS) $(CPPFLAGS) $(kernel_exec_CFLAGS) $(CFLAGS) -MT kern/kernel_exec-compiler-rt.o -MD -MP -MF kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo -c -o kern/kernel_exec-compiler-rt.o `test -f 'kern/compiler-rt.c' || echo '$(srcdir)/'`kern/compiler-rt.c 475*4882a593Smuzhiyun @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) kern/$(DEPDIR)/kernel_exec-compiler-rt.Tpo kern/$(DEPDIR)/kernel_exec-compiler-rt.Po 476*4882a593Smuzhiyun@@ -46650,8 +46683,10 @@ command.lst: $(MARKER_FILES) 477*4882a593Smuzhiyun b=`basename $$pp .marker`; \ 478*4882a593Smuzhiyun sed -n \ 479*4882a593Smuzhiyun -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ 480*4882a593Smuzhiyun+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ 481*4882a593Smuzhiyun -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ 482*4882a593Smuzhiyun- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ 483*4882a593Smuzhiyun+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ 484*4882a593Smuzhiyun+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ 485*4882a593Smuzhiyun done) | sort -u > $@ 486*4882a593Smuzhiyun 487*4882a593Smuzhiyun partmap.lst: $(MARKER_FILES) 488*4882a593Smuzhiyundiff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c 489*4882a593Smuzhiyunindex 69574e2..90a5ca2 100644 490*4882a593Smuzhiyun--- a/grub-core/commands/extcmd.c 491*4882a593Smuzhiyun+++ b/grub-core/commands/extcmd.c 492*4882a593Smuzhiyun@@ -19,6 +19,7 @@ 493*4882a593Smuzhiyun 494*4882a593Smuzhiyun #include <grub/mm.h> 495*4882a593Smuzhiyun #include <grub/list.h> 496*4882a593Smuzhiyun+#include <grub/lockdown.h> 497*4882a593Smuzhiyun #include <grub/misc.h> 498*4882a593Smuzhiyun #include <grub/extcmd.h> 499*4882a593Smuzhiyun #include <grub/script_sh.h> 500*4882a593Smuzhiyun@@ -110,6 +111,28 @@ grub_register_extcmd (const 
char *name, grub_extcmd_func_t func,
501*4882a593Smuzhiyun summary, description, parser, 1);
502*4882a593Smuzhiyun }
503*4882a593Smuzhiyun
504*4882a593Smuzhiyun+static grub_err_t
505*4882a593Smuzhiyun+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
506*4882a593Smuzhiyun+ int argc __attribute__ ((unused)),
507*4882a593Smuzhiyun+ char **argv __attribute__ ((unused)))
508*4882a593Smuzhiyun+{
509*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_ACCESS_DENIED,
510*4882a593Smuzhiyun+ N_("%s: the command is not allowed when lockdown is enforced"),
511*4882a593Smuzhiyun+ ctxt->extcmd->cmd->name);
512*4882a593Smuzhiyun+}
513*4882a593Smuzhiyun+
514*4882a593Smuzhiyun+grub_extcmd_t
515*4882a593Smuzhiyun+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
516*4882a593Smuzhiyun+ grub_command_flags_t flags, const char *summary,
517*4882a593Smuzhiyun+ const char *description,
518*4882a593Smuzhiyun+ const struct grub_arg_option *parser)
519*4882a593Smuzhiyun+{
520*4882a593Smuzhiyun+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
521*4882a593Smuzhiyun+ func = grub_extcmd_lockdown;
522*4882a593Smuzhiyun+
523*4882a593Smuzhiyun+ return grub_register_extcmd (name, func, flags, summary, description, parser);
524*4882a593Smuzhiyun+}
525*4882a593Smuzhiyun+
526*4882a593Smuzhiyun void
527*4882a593Smuzhiyun grub_unregister_extcmd (grub_extcmd_t ext)
528*4882a593Smuzhiyun {
529*4882a593Smuzhiyundiff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
530*4882a593Smuzhiyunindex acd7218..4aabcd4 100644
531*4882a593Smuzhiyun--- a/grub-core/kern/command.c
532*4882a593Smuzhiyun+++ b/grub-core/kern/command.c
533*4882a593Smuzhiyun@@ -17,6 +17,7 @@
534*4882a593Smuzhiyun * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
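Review bot: The lockdown decision in `grub_register_extcmd_lockdown` is taken once, at registration time, so a command registered before `grub_lockdown()` has run keeps its real handler afterwards; `grub_register_command_lockdown` in grub-core/kern/command.c has the same shape. Nothing in the hunk states that ordering requirement for callers. I would add a comment above both functions, for example `/* Only restricts commands registered after grub_lockdown(); call grub_lockdown() before any module init. */`. If lockdown can ever be enabled late, the check would have to move into the handler path instead.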
535*4882a593Smuzhiyun */
536*4882a593Smuzhiyun
537*4882a593Smuzhiyun+#include <grub/lockdown.h>
538*4882a593Smuzhiyun #include <grub/mm.h>
539*4882a593Smuzhiyun #include <grub/command.h>
540*4882a593Smuzhiyun
541*4882a593Smuzhiyun@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
542*4882a593Smuzhiyun return cmd;
543*4882a593Smuzhiyun }
544*4882a593Smuzhiyun
545*4882a593Smuzhiyun+static grub_err_t
546*4882a593Smuzhiyun+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
547*4882a593Smuzhiyun+ int argc __attribute__ ((unused)),
548*4882a593Smuzhiyun+ char **argv __attribute__ ((unused)))
549*4882a593Smuzhiyun+
550*4882a593Smuzhiyun+{
551*4882a593Smuzhiyun+ return grub_error (GRUB_ERR_ACCESS_DENIED,
552*4882a593Smuzhiyun+ N_("%s: the command is not allowed when lockdown is enforced"),
553*4882a593Smuzhiyun+ cmd->name);
554*4882a593Smuzhiyun+}
555*4882a593Smuzhiyun+
556*4882a593Smuzhiyun+grub_command_t
557*4882a593Smuzhiyun+grub_register_command_lockdown (const char *name,
558*4882a593Smuzhiyun+ grub_command_func_t func,
559*4882a593Smuzhiyun+ const char *summary,
560*4882a593Smuzhiyun+ const char *description)
561*4882a593Smuzhiyun+{
562*4882a593Smuzhiyun+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
563*4882a593Smuzhiyun+ func = grub_cmd_lockdown;
564*4882a593Smuzhiyun+
565*4882a593Smuzhiyun+ return grub_register_command_prio (name, func, summary, description, 0);
566*4882a593Smuzhiyun+}
567*4882a593Smuzhiyun+
568*4882a593Smuzhiyun void
569*4882a593Smuzhiyun grub_unregister_command (grub_command_t cmd)
570*4882a593Smuzhiyun {
571*4882a593Smuzhiyundiff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
572*4882a593Smuzhiyunnew file mode 100644
573*4882a593Smuzhiyunindex 0000000..1e56c0b
574*4882a593Smuzhiyun--- /dev/null
575*4882a593Smuzhiyun+++ b/grub-core/kern/lockdown.c
576*4882a593Smuzhiyun@@ -0,0 +1,80 @@
577*4882a593Smuzhiyun+/*
578*4882a593Smuzhiyun+ * GRUB -- GRand Unified Bootloader
579*4882a593Smuzhiyun+ * Copyright
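Review bot: `grub_cmd_lockdown` declares `cmd` with `__attribute__ ((unused))` and then reads `cmd->name` in the `grub_error` call; `grub_extcmd_lockdown` in grub-core/commands/extcmd.c does the same with `ctxt`. The attribute does not break the build, but it tells a reader the parameter is ignored when the deny message depends on it. I would drop it from those two parameters, `grub_cmd_lockdown (grub_command_t cmd,`, and keep it on `argc` and `argv`. The empty added line between the parameter list and the opening brace can go as well.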
(C) 2020 Free Software Foundation, Inc.
580*4882a593Smuzhiyun+ *
581*4882a593Smuzhiyun+ * GRUB is free software: you can redistribute it and/or modify
582*4882a593Smuzhiyun+ * it under the terms of the GNU General Public License as published by
583*4882a593Smuzhiyun+ * the Free Software Foundation, either version 3 of the License, or
584*4882a593Smuzhiyun+ * (at your option) any later version.
585*4882a593Smuzhiyun+ *
586*4882a593Smuzhiyun+ * GRUB is distributed in the hope that it will be useful,
587*4882a593Smuzhiyun+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
588*4882a593Smuzhiyun+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
589*4882a593Smuzhiyun+ * GNU General Public License for more details.
590*4882a593Smuzhiyun+ *
591*4882a593Smuzhiyun+ * You should have received a copy of the GNU General Public License
592*4882a593Smuzhiyun+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
593*4882a593Smuzhiyun+ *
594*4882a593Smuzhiyun+ */
595*4882a593Smuzhiyun+
596*4882a593Smuzhiyun+#include <grub/dl.h>
597*4882a593Smuzhiyun+#include <grub/file.h>
598*4882a593Smuzhiyun+#include <grub/lockdown.h>
599*4882a593Smuzhiyun+#include <grub/verify.h>
600*4882a593Smuzhiyun+
601*4882a593Smuzhiyun+static int lockdown = GRUB_LOCKDOWN_DISABLED;
602*4882a593Smuzhiyun+
603*4882a593Smuzhiyun+static grub_err_t
604*4882a593Smuzhiyun+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
605*4882a593Smuzhiyun+ enum grub_file_type type,
606*4882a593Smuzhiyun+ void **context __attribute__ ((unused)),
607*4882a593Smuzhiyun+ enum grub_verify_flags *flags)
608*4882a593Smuzhiyun+{
609*4882a593Smuzhiyun+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
610*4882a593Smuzhiyun+
611*4882a593Smuzhiyun+ switch (type & GRUB_FILE_TYPE_MASK)
612*4882a593Smuzhiyun+ {
613*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_GRUB_MODULE:
614*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_LINUX_KERNEL:
615*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
616*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
617*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_BSD_KERNEL:
618*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_XNU_KERNEL:
619*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
620*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_NTLDR:
621*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_TRUECRYPT:
622*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_FREEDOS:
623*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_PXECHAINLOADER:
624*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_PCCHAINLOADER:
625*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
626*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
627*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_ACPI_TABLE:
628*4882a593Smuzhiyun+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
629*4882a593Smuzhiyun+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
630*4882a593Smuzhiyun+
631*4882a593Smuzhiyun+ /* Fall through. */
632*4882a593Smuzhiyun+
633*4882a593Smuzhiyun+ default:
634*4882a593Smuzhiyun+ return GRUB_ERR_NONE;
635*4882a593Smuzhiyun+ }
636*4882a593Smuzhiyun+}
637*4882a593Smuzhiyun+
638*4882a593Smuzhiyun+struct grub_file_verifier lockdown_verifier =
639*4882a593Smuzhiyun+ {
640*4882a593Smuzhiyun+ .name = "lockdown_verifier",
641*4882a593Smuzhiyun+ .init = lockdown_verifier_init,
642*4882a593Smuzhiyun+ };
643*4882a593Smuzhiyun+
644*4882a593Smuzhiyun+void
645*4882a593Smuzhiyun+grub_lockdown (void)
646*4882a593Smuzhiyun+{
647*4882a593Smuzhiyun+ lockdown = GRUB_LOCKDOWN_ENABLED;
648*4882a593Smuzhiyun+
649*4882a593Smuzhiyun+ grub_verifier_register (&lockdown_verifier);
650*4882a593Smuzhiyun+}
651*4882a593Smuzhiyun+
652*4882a593Smuzhiyun+int
653*4882a593Smuzhiyun+grub_is_lockdown (void)
654*4882a593Smuzhiyun+{
655*4882a593Smuzhiyun+ return lockdown;
656*4882a593Smuzhiyun+}
657*4882a593Smuzhiyundiff --git a/include/grub/command.h b/include/grub/command.h
658*4882a593Smuzhiyunindex eee4e84..2a6f7f8 100644
659*4882a593Smuzhiyun--- a/include/grub/command.h
660*4882a593Smuzhiyun+++ b/include/grub/command.h
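Review bot: `grub_lockdown` has no guard against being called twice: every call passes the same `&lockdown_verifier` object to `grub_verifier_register`. That function's body is not part of this patch, but if it links the object into a list, a second registration of the same node could corrupt the verifier chain. An early return as the first statement keeps the call idempotent: `if (lockdown == GRUB_LOCKDOWN_ENABLED) return;`. As far as this patch shows, `lockdown_verifier` is referenced only inside lockdown.c and could be declared `static`.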
661*4882a593Smuzhiyun@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
662*4882a593Smuzhiyun const char *summary,
663*4882a593Smuzhiyun const char *description,
664*4882a593Smuzhiyun int prio);
665*4882a593Smuzhiyun+grub_command_t
666*4882a593Smuzhiyun+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
667*4882a593Smuzhiyun+ grub_command_func_t func,
668*4882a593Smuzhiyun+ const char *summary,
669*4882a593Smuzhiyun+ const char *description);
670*4882a593Smuzhiyun void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
671*4882a593Smuzhiyun
672*4882a593Smuzhiyun static inline grub_command_t
673*4882a593Smuzhiyundiff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
674*4882a593Smuzhiyunindex 19fe592..fe9248b 100644
675*4882a593Smuzhiyun--- a/include/grub/extcmd.h
676*4882a593Smuzhiyun+++ b/include/grub/extcmd.h
677*4882a593Smuzhiyun@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
678*4882a593Smuzhiyun const char *description,
679*4882a593Smuzhiyun const struct grub_arg_option *parser);
680*4882a593Smuzhiyun
681*4882a593Smuzhiyun+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
682*4882a593Smuzhiyun+ grub_extcmd_func_t func,
683*4882a593Smuzhiyun+ grub_command_flags_t flags,
684*4882a593Smuzhiyun+ const char *summary,
685*4882a593Smuzhiyun+ const char *description,
686*4882a593Smuzhiyun+ const struct grub_arg_option *parser);
687*4882a593Smuzhiyun+
688*4882a593Smuzhiyun grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
689*4882a593Smuzhiyun grub_extcmd_func_t func,
690*4882a593Smuzhiyun grub_command_flags_t flags,
691*4882a593Smuzhiyundiff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
692*4882a593Smuzhiyunnew file mode 100644
693*4882a593Smuzhiyunindex 0000000..40531fa
694*4882a593Smuzhiyun--- /dev/null
695*4882a593Smuzhiyun+++ b/include/grub/lockdown.h
696*4882a593Smuzhiyun@@ -0,0 +1,44 @@
697*4882a593Smuzhiyun+/*
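Review bot: The new `grub_register_command_lockdown` prototype in include/grub/command.h has no comment telling callers how it differs from `grub_register_command`, and the same holds for `grub_register_extcmd_lockdown` in include/grub/extcmd.h. Which registration function a module picks is the security decision here, so each declaration should say when to use it, for example `/* Register a command that must not be usable once GRUB is locked down; see grub_is_lockdown(). */`. The implementations are in grub-core/kern/command.c and grub-core/commands/extcmd.c, outside these hunks, so the exact behaviour under lockdown (command not registered at all, or registered with a handler that refuses) should be confirmed there and stated in the comment.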
698*4882a593Smuzhiyun+ * GRUB -- GRand Unified Bootloader
699*4882a593Smuzhiyun+ * Copyright (C) 2020 Free Software Foundation, Inc.
700*4882a593Smuzhiyun+ *
701*4882a593Smuzhiyun+ * GRUB is free software: you can redistribute it and/or modify
702*4882a593Smuzhiyun+ * it under the terms of the GNU General Public License as published by
703*4882a593Smuzhiyun+ * the Free Software Foundation, either version 3 of the License, or
704*4882a593Smuzhiyun+ * (at your option) any later version.
705*4882a593Smuzhiyun+ *
706*4882a593Smuzhiyun+ * GRUB is distributed in the hope that it will be useful,
707*4882a593Smuzhiyun+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
708*4882a593Smuzhiyun+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
709*4882a593Smuzhiyun+ * GNU General Public License for more details.
710*4882a593Smuzhiyun+ *
711*4882a593Smuzhiyun+ * You should have received a copy of the GNU General Public License
712*4882a593Smuzhiyun+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
713*4882a593Smuzhiyun+ */
714*4882a593Smuzhiyun+
715*4882a593Smuzhiyun+#ifndef GRUB_LOCKDOWN_H
716*4882a593Smuzhiyun+#define GRUB_LOCKDOWN_H 1
717*4882a593Smuzhiyun+
718*4882a593Smuzhiyun+#include <grub/symbol.h>
719*4882a593Smuzhiyun+
720*4882a593Smuzhiyun+#define GRUB_LOCKDOWN_DISABLED 0
721*4882a593Smuzhiyun+#define GRUB_LOCKDOWN_ENABLED 1
722*4882a593Smuzhiyun+
723*4882a593Smuzhiyun+#ifdef GRUB_MACHINE_EFI
724*4882a593Smuzhiyun+extern void
725*4882a593Smuzhiyun+EXPORT_FUNC (grub_lockdown) (void);
726*4882a593Smuzhiyun+extern int
727*4882a593Smuzhiyun+EXPORT_FUNC (grub_is_lockdown) (void);
728*4882a593Smuzhiyun+#else
729*4882a593Smuzhiyun+static inline void
730*4882a593Smuzhiyun+grub_lockdown (void)
731*4882a593Smuzhiyun+{
732*4882a593Smuzhiyun+}
733*4882a593Smuzhiyun+
734*4882a593Smuzhiyun+static inline int
735*4882a593Smuzhiyun+grub_is_lockdown (void)
736*4882a593Smuzhiyun+{
737*4882a593Smuzhiyun+ return GRUB_LOCKDOWN_DISABLED;
738*4882a593Smuzhiyun+}
739*4882a593Smuzhiyun+#endif
740*4882a593Smuzhiyun+#endif /* !
GRUB_LOCKDOWN_H */
741*4882a593Smuzhiyundiff --git a/po/POTFILES.in b/po/POTFILES.in
742*4882a593Smuzhiyunindex 49755d3..5e26845 100644
743*4882a593Smuzhiyun--- a/po/POTFILES.in
744*4882a593Smuzhiyun+++ b/po/POTFILES.in
745*4882a593Smuzhiyun@@ -309,6 +309,7 @@
746*4882a593Smuzhiyun ./grub-core/kern/ieee1275/mmap.c
747*4882a593Smuzhiyun ./grub-core/kern/ieee1275/openfw.c
748*4882a593Smuzhiyun ./grub-core/kern/list.c
749*4882a593Smuzhiyun+./grub-core/kern/lockdown.c
750*4882a593Smuzhiyun ./grub-core/kern/main.c
751*4882a593Smuzhiyun ./grub-core/kern/mips/arc/init.c
752*4882a593Smuzhiyun ./grub-core/kern/mips/dl.c
753*4882a593Smuzhiyun@@ -1207,6 +1208,7 @@
754*4882a593Smuzhiyun ./include/grub/linux.h
755*4882a593Smuzhiyun ./include/grub/list.h
756*4882a593Smuzhiyun ./include/grub/loader.h
757*4882a593Smuzhiyun+./include/grub/lockdown.h
758*4882a593Smuzhiyun ./include/grub/lvm.h
759*4882a593Smuzhiyun ./include/grub/macho.h
760*4882a593Smuzhiyun ./include/grub/machoload.h
761*4882a593Smuzhiyun--
762*4882a593Smuzhiyun2.14.2
763*4882a593Smuzhiyun 764
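Review bot: Under `#else` in include/grub/lockdown.h, `grub_lockdown()` is an empty inline and `grub_is_lockdown()` always returns `GRUB_LOCKDOWN_DISABLED`, so on any build without `GRUB_MACHINE_EFI` a caller that asks for lockdown gets none and has no way to notice. That may be intended for this patch, but callers need to know it; I would add a comment above the `#ifdef`, e.g. `/* Lockdown is implemented for EFI only; elsewhere grub_lockdown() is a no-op and grub_is_lockdown() reports GRUB_LOCKDOWN_DISABLED. */`. The declarations should also state that the API offers no way to leave lockdown once `grub_lockdown()` has run, and whether calling it more than once is permitted, since the lockdown.c part of this patch calls `grub_verifier_register (&lockdown_verifier)` on every invocation without a guard.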