efi: Lockdown the GRUB when the UEFI Secure Boot is enabled

If the UEFI Secure Boot is enabled then the GRUB must be locked down to prevent executing code that can potentially be used to subvert its verification mechanisms. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2020-09-28 20:08:29 +02:00 · 2020-09-28 20:08:29 +02:00 · 98b00a403c
commit 98b00a403c
parent d903674717
1 changed files with 10 additions and 2 deletions
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@ -21,6 +21,7 @@
 #include <grub/efi/console.h>
 #include <grub/efi/disk.h>
 #include <grub/efi/sb.h>
+#include <grub/lockdown.h>
 #include <grub/term.h>
 #include <grub/misc.h>
 #include <grub/env.h>
@ -40,8 +41,15 @@ grub_efi_init (void)
  /* Initialize the memory management system.  */
  grub_efi_mm_init ();

-  /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
-  grub_shim_lock_verifier_setup ();
+  /*
+   * Lockdown the GRUB and register the shim_lock verifier
+   * if the UEFI Secure Boot is enabled.
+   */
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    {
+      grub_lockdown ();
+      grub_shim_lock_verifier_setup ();
+    }

  efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
 	      0, 0, 0, NULL);