-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathno-devicetree-if-secure-boot.patch
79 lines (70 loc) · 2.73 KB
/
no-devicetree-if-secure-boot.patch
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
From 269cf7f9c74d192d33dc899cadcd4ee120e494e1 Mon Sep 17 00:00:00 2001
From: Peter Jones <[email protected]>
Date: Wed, 24 Apr 2019 10:03:04 -0400
Subject: Forbid the "devicetree" command when Secure Boot is enabled.
Signed-off-by: Peter Jones <[email protected]>
Signed-off-by: Steve McIntyre <[email protected]>
Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
Bug-Debian: https://bugs.debian.org/927888
Last-Update: 2019-05-04
Patch-Name: no-devicetree-if-secure-boot.patch
---
grub-core/loader/arm/linux.c | 12 ++++++++++++
grub-core/loader/efi/fdt.c | 8 ++++++++
2 files changed, 20 insertions(+)
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
index ed23dc7..3a32f76 100644
--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
@@ -30,6 +30,12 @@
#include <grub/linux.h>
#include <grub/verify.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+/* mheese: this import is necessary to find GRUB_EFI_SECUREBOOT_MODE_ENABLED */
+#include <grub/efi/sb.h>
+#endif
+
GRUB_MOD_LICENSE ("GPLv3+");
static grub_dl_t my_mod;
@@ -471,6 +477,15 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
if (argc != 1)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+#ifdef GRUB_MACHINE_EFI
+ /* mheese: exchanging call to `grub_efi_secureboot()` with comparison call to `grub_efi_get_secureboot()` as grub_efi_secureboot is not exported any longer */
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
if (!dtb)
return grub_errno;
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
index c572415..c32bf6b 100644
--- a/grub-core/loader/efi/fdt.c
+++ b/grub-core/loader/efi/fdt.c
@@ -25,6 +25,7 @@
#include <grub/efi/efi.h>
#include <grub/efi/fdtload.h>
#include <grub/efi/memory.h>
+#include <grub/efi/sb.h>
#include <grub/cpu/efi/memory.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -129,6 +130,15 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
return GRUB_ERR_NONE;
}
+#ifdef GRUB_MACHINE_EFI
+ /* mheese: exchanging call to `grub_efi_secureboot()` with comparison call to `grub_efi_get_secureboot()` as grub_efi_secureboot is not exported any longer */
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
if (!dtb)
goto out;