Created
July 8, 2019 17:27
-
-
Save Snawoot/d669d8302262e7b377ac7a9e65f90b89 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
From 3627951693d3e40b5d263ca567ef990edf7b7c2f Mon Sep 17 00:00:00 2001 | |
From: Linn Crosetto <linn@hpe.com> | |
Date: Tue, 5 Apr 2016 11:49:05 -0600 | |
Subject: Disallow unsigned kernels if UEFI Secure Boot is enabled | |
If UEFI Secure Boot is enabled and kernel signature verification fails, do not | |
boot the kernel. Before this change, if kernel signature verification failed | |
then GRUB would fall back to calling ExitBootServices() and continuing the | |
boot. | |
Patch-Name: linuxefi_disable_sb_fallback.patch | |
Signed-off-by: Linn Crosetto <linn@hpe.com> | |
--- | |
grub-core/loader/i386/linux.c | 8 +++----- | |
1 file changed, 3 insertions(+), 5 deletions(-) | |
Index: grub2-2.02+dfsg1/grub-core/loader/i386/linux.c | |
=================================================================== | |
--- grub2-2.02+dfsg1.orig/grub-core/loader/i386/linux.c | |
+++ grub2-2.02+dfsg1/grub-core/loader/i386/linux.c | |
@@ -695,10 +695,8 @@ grub_cmd_linux (grub_command_t cmd __att | |
using_linuxefi = 0; | |
if (grub_efi_secure_boot ()) | |
{ | |
- /* Try linuxefi first, which will require a successful signature check | |
- and then hand over to the kernel without calling ExitBootServices. | |
- If that fails, however, fall back to calling ExitBootServices | |
- ourselves and then booting an unsigned kernel. */ | |
+ /* linuxefi requires a successful signature check and then hand over | |
+ to the kernel without calling ExitBootServices. */ | |
grub_dl_t mod; | |
grub_command_t linuxefi_cmd; | |
@@ -720,7 +718,16 @@ grub_cmd_linux (grub_command_t cmd __att | |
return GRUB_ERR_NONE; | |
} | |
grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno); | |
- grub_errno = GRUB_ERR_NONE; | |
+ /* Preserve default workflow if verify module is loaded and | |
+ signatures are being checked. Condition below is even with | |
+ code which parses "check_signatures" variable in verify.c */ | |
+ const char *env_chk_sig = grub_env_get ("check_signatures"); | |
+ if (env_chk_sig && | |
+ (env_chk_sig[0] == '1' || env_chk_sig[0] == 'e') && | |
+ grub_dl_get("verify")) | |
+ grub_errno = GRUB_ERR_NONE; | |
+ else | |
+ goto fail; | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment