1*4882a593SmuzhiyunFrom 98b00a403cbf2ba6833d1ac0499871b27a08eb77 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Javier Martinez Canillas <javierm@redhat.com>
3*4882a593SmuzhiyunDate: Mon, 28 Sep 2020 20:08:29 +0200
4*4882a593SmuzhiyunSubject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
5*4882a593Smuzhiyun
6*4882a593SmuzhiyunIf the UEFI Secure Boot is enabled then the GRUB must be locked down
7*4882a593Smuzhiyunto prevent executing code that can potentially be used to subvert its
8*4882a593Smuzhiyunverification mechanisms.
9*4882a593Smuzhiyun
10*4882a593SmuzhiyunSigned-off-by: Javier Martinez Canillas <javierm@redhat.com>
11*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
13*4882a593Smuzhiyun---
14*4882a593Smuzhiyun grub-core/kern/efi/init.c | 12 ++++++++++--
15*4882a593Smuzhiyun 1 file changed, 10 insertions(+), 2 deletions(-)
16*4882a593Smuzhiyun
17*4882a593Smuzhiyundiff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
18*4882a593Smuzhiyunindex b683bec..1333465 100644
19*4882a593Smuzhiyun--- a/grub-core/kern/efi/init.c
20*4882a593Smuzhiyun+++ b/grub-core/kern/efi/init.c
21*4882a593Smuzhiyun@@ -21,6 +21,7 @@
22*4882a593Smuzhiyun #include <grub/efi/console.h>
23*4882a593Smuzhiyun #include <grub/efi/disk.h>
24*4882a593Smuzhiyun #include <grub/efi/sb.h>
25*4882a593Smuzhiyun+#include <grub/lockdown.h>
26*4882a593Smuzhiyun #include <grub/term.h>
27*4882a593Smuzhiyun #include <grub/misc.h>
28*4882a593Smuzhiyun #include <grub/env.h>
29*4882a593Smuzhiyun@@ -40,8 +41,15 @@ grub_efi_init (void)
30*4882a593Smuzhiyun /* Initialize the memory management system. */
31*4882a593Smuzhiyun grub_efi_mm_init ();
32*4882a593Smuzhiyun 
33*4882a593Smuzhiyun- /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
34*4882a593Smuzhiyun- grub_shim_lock_verifier_setup ();
35*4882a593Smuzhiyun+ /*
36*4882a593Smuzhiyun+ * Lockdown the GRUB and register the shim_lock verifier
37*4882a593Smuzhiyun+ * if the UEFI Secure Boot is enabled.
38*4882a593Smuzhiyun+ */
39*4882a593Smuzhiyun+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
40*4882a593Smuzhiyun+ {
41*4882a593Smuzhiyun+ grub_lockdown ();
42*4882a593Smuzhiyun+ grub_shim_lock_verifier_setup ();
43*4882a593Smuzhiyun+ }
44*4882a593Smuzhiyun 
45*4882a593Smuzhiyun efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
46*4882a593Smuzhiyun 0, 0, 0, NULL);
47*4882a593Smuzhiyun--
48*4882a593Smuzhiyun2.14.2
49*4882a593Smuzhiyun
50
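Review bot: The new condition `if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)` locks GRUB down only on a positive "enabled" answer, so every other status the helper can report — including an indeterminate one if the SecureBoot variable cannot be read, which this hunk does not show — leaves both the lockdown and the shim_lock verifier off, i.e. the policy fails open. If the helper does have an unknown/undetermined state, consider failing closed with `if (grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_DISABLED)`, or at least record the decision above the check: `/* Fail-open by design: only a definite "enabled" status locks down; an undetermined status is treated as Secure Boot off. */`. Note also that `grub_lockdown ()` runs before `grub_shim_lock_verifier_setup ()`, so if the latter can return quietly without registering a verifier (e.g. no shim_lock protocol present) GRUB ends up locked down but without the verifier the commit message relies on; that is the safer direction, but a one-line comment saying the lockdown is intended to hold regardless would help the next reader. grub_efi_init begins before this hunk and continues past it.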