1From 98b00a403cbf2ba6833d1ac0499871b27a08eb77 Mon Sep 17 00:00:00 2001
2From: Javier Martinez Canillas <javierm@redhat.com>
3Date: Mon, 28 Sep 2020 20:08:29 +0200
4Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
5
6If the UEFI Secure Boot is enabled then the GRUB must be locked down
7to prevent executing code that can potentially be used to subvert its
8verification mechanisms.
9
10Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
11Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
13---
14 grub-core/kern/efi/init.c | 12 ++++++++++--
15 1 file changed, 10 insertions(+), 2 deletions(-)
16
17diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
18index b683bec..1333465 100644
19--- a/grub-core/kern/efi/init.c
20+++ b/grub-core/kern/efi/init.c
21@@ -21,6 +21,7 @@
22 #include <grub/efi/console.h>
23 #include <grub/efi/disk.h>
24 #include <grub/efi/sb.h>
25+#include <grub/lockdown.h>
26 #include <grub/term.h>
27 #include <grub/misc.h>
28 #include <grub/env.h>
29@@ -40,8 +41,15 @@ grub_efi_init (void)
30 /* Initialize the memory management system. */
31 grub_efi_mm_init ();
32
33- /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
34- grub_shim_lock_verifier_setup ();
35+ /*
36+ * Lockdown the GRUB and register the shim_lock verifier
37+ * if the UEFI Secure Boot is enabled.
38+ */
39+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
40+ {
41+ grub_lockdown ();
42+ grub_shim_lock_verifier_setup ();
43+ }
44
45 efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
46 0, 0, 0, NULL);
47--
482.14.2
49
50
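Review bot: The equality test `if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)` in the grub_efi_init hunk treats every result other than the explicit ENABLED value the same as "Secure Boot off", so a state the helper could not determine (an unreadable variable, an unexpected value) leaves GRUB unlocked and the shim_lock verifier unregistered; this is a fail-open default for the only check that gates lockdown. If the helper distinguishes an unknown or unset state from a disabled one (it appears to elsewhere in the tree, but that is not visible in this hunk), consider treating the indeterminate case as locked down as well, or at least state the policy next to the test, e.g. `/* Only an explicit ENABLED result locks GRUB down; any other state is treated as disabled. */`. Note also that the previous unconditional `grub_shim_lock_verifier_setup ()` call is now gated here, so any Secure Boot check the verifier setup performed internally is no longer the deciding one — worth a line in the commit message if that is intentional. The body of grub_efi_init continues outside the hunk.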