1From d90367471779c240e002e62edfb6b31fc85b4908 Mon Sep 17 00:00:00 2001
2From: Javier Martinez Canillas <javierm@redhat.com>
3Date: Tue, 2 Feb 2021 19:59:48 +0100
4Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down
5
6It may be useful for scripts to determine whether the GRUB is locked
7down or not. Add the lockdown variable which is set to "y" when the GRUB
8is locked down.
9
10Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
11Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
12Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
14---
15 docs/grub.texi            | 3 +++
16 grub-core/kern/lockdown.c | 4 ++++
17 2 files changed, 7 insertions(+)
18
19diff --git a/docs/grub.texi b/docs/grub.texi
20index a25459f..bdbb329 100644
21--- a/docs/grub.texi
22+++ b/docs/grub.texi
23@@ -5803,6 +5803,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
24 if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
25 be restricted and some operations/commands cannot be executed.
26
27+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
28+Otherwise it does not exit.
29+
30 @node Platform limitations
31 @chapter Platform limitations
32
33diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
34index 1e56c0b..0bc70fd 100644
35--- a/grub-core/kern/lockdown.c
36+++ b/grub-core/kern/lockdown.c
37@@ -18,6 +18,7 @@
38  */
39
40 #include <grub/dl.h>
41+#include <grub/env.h>
42 #include <grub/file.h>
43 #include <grub/lockdown.h>
44 #include <grub/verify.h>
45@@ -71,6 +72,9 @@ grub_lockdown (void)
46   lockdown = GRUB_LOCKDOWN_ENABLED;
47
48   grub_verifier_register (&lockdown_verifier);
49+
50+  grub_env_set ("lockdown", "y");
51+  grub_env_export ("lockdown");
52 }
53
54 int
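Review bot: The `lockdown` variable set at the end of grub_lockdown() is an ordinary environment variable, so nothing visible in this hunk stops a later script or config line from overwriting or unsetting it, and the two call results are discarded. Since the documentation hunk tells scripts to treat an absent variable as "not locked down", a failed `grub_env_set` (it returns an error code, e.g. on allocation failure) would silently make a locked-down GRUB look unlocked to them. I would at least check the result, e.g. `if (grub_env_set ("lockdown", "y") != GRUB_ERR_NONE) grub_print_error ();`, and add a comment such as `/* Informational only: enforcement relies on the lockdown state set above, never on this variable. */`. If the value is meant to be trustworthy for scripts, consider a write hook via `grub_register_variable_hook` that rejects changes. The body of grub_lockdown() starts outside this hunk, so any earlier handling is not visible here.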
55--
562.14.2
57
58