File 0001-Make-disable-shim-lock-work-with-lockdown-... of Package grub2.27716

Overview Repositories Revisions Requests Users Attributes Meta

File 0001-Make-disable-shim-lock-work-with-lockdown-verifier.patch of Package grub2.27716

From 4913444acfa8c931ad18615fd60cb1df928cf4e3 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Wed, 5 May 2021 10:27:39 +0800
Subject: [PATCH] Make --disable-shim-lock work with lockdown verifier

---
 grub-core/kern/lockdown.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index 0bc70fd42..7c6194dcf 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -20,10 +20,12 @@
 #include <grub/dl.h>
 #include <grub/env.h>
 #include <grub/file.h>
+#include <grub/kernel.h>
 #include <grub/lockdown.h>
 #include <grub/verify.h>
 
 static int lockdown = GRUB_LOCKDOWN_DISABLED;
+static int shim_disabled = 0;
 
 static grub_err_t
 lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
@@ -35,8 +37,13 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
 
   switch (type & GRUB_FILE_TYPE_MASK)
     {
-    case GRUB_FILE_TYPE_GRUB_MODULE:
     case GRUB_FILE_TYPE_LINUX_KERNEL:
+      /* if grub image is built with --disable-shim-lock very likely that no
+       * verifier will be available to the linux kernel */
+      if (shim_disabled)
+	return GRUB_ERR_NONE;
+      /* Fall through. */
+    case GRUB_FILE_TYPE_GRUB_MODULE:
     case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
     case GRUB_FILE_TYPE_XEN_HYPERVISOR:
     case GRUB_FILE_TYPE_BSD_KERNEL:
@@ -69,12 +76,20 @@ struct grub_file_verifier lockdown_verifier =
 void
 grub_lockdown (void)
 {
+  struct grub_module_header *header;
+
   lockdown = GRUB_LOCKDOWN_ENABLED;
 
   grub_verifier_register (&lockdown_verifier);
 
   grub_env_set ("lockdown", "y");
   grub_env_export ("lockdown");
+
+  FOR_MODULES (header)
+    {
+      if (header->type == OBJ_TYPE_DISABLE_SHIM_LOCK)
+	shim_disabled = 1;
+    }
 }
 
 int
-- 
2.26.2

Places

File 0001-Make-disable-shim-lock-work-with-lockdown-verifier.patch of Package grub2.27716

Places