Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:michael-chang:15sp5
grub2
grub2-secureboot-no-insmod-on-sb.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File grub2-secureboot-no-insmod-on-sb.patch of Package grub2
From 29c89e27805f7a6a22bce11ed9bb430e19c972a9 Mon Sep 17 00:00:00 2001 From: Colin Watson <cjwatson@ubuntu.com> Date: Tue, 23 Oct 2012 10:40:49 -0400 Subject: [PATCH 449/482] Don't allow insmod when secure boot is enabled. References: fate#314485 Patch-Mainline: no v2: Use grub_efi_get_secureboot to get secure boot status Signed-off-by: Michael Chang <mchang@suse.com> --- grub-core/kern/dl.c | 17 +++++++++++++++++ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ include/grub/efi/efi.h | 1 + 3 files changed, 46 insertions(+) --- a/grub-core/kern/dl.c +++ b/grub-core/kern/dl.c @@ -38,6 +38,10 @@ #define GRUB_MODULES_MACHINE_READONLY #endif +#ifdef GRUB_MACHINE_EFI +#include <grub/efi/sb.h> +#endif + #pragma GCC diagnostic ignored "-Wcast-align" @@ -708,6 +712,19 @@ grub_boot_time ("Loading module %s", filename); +#ifdef GRUB_MACHINE_EFI + if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) + { +#if 0 + /* This is an error, but grub2-mkconfig still generates a pile of + * insmod commands, so emitting it would be mostly just obnoxious. */ + grub_error (GRUB_ERR_ACCESS_DENIED, + "Secure Boot forbids loading module from %s", filename); +#endif + return 0; + } +#endif + file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE); if (! file) return 0;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor