From: Javier Martinez Canillas <javi...@redhat.com>

If the UEFI Secure Boot is enabled then the GRUB must be locked down to prevent executing code that can potentially be used to subvert its verification mechanisms.
Signed-off-by: Javier Martinez Canillas <javi...@redhat.com> Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com> --- grub-core/kern/efi/init.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c index b683bec5a..133346509 100644 --- a/grub-core/kern/efi/init.c +++ b/grub-core/kern/efi/init.c @@ -21,6 +21,7 @@ #include <grub/efi/console.h> #include <grub/efi/disk.h> #include <grub/efi/sb.h> +#include <grub/lockdown.h> #include <grub/term.h> #include <grub/misc.h> #include <grub/env.h> @@ -40,8 +41,15 @@ grub_efi_init (void) /* Initialize the memory management system. */ grub_efi_mm_init (); - /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */ - grub_shim_lock_verifier_setup (); + /* + * Lockdown the GRUB and register the shim_lock verifier + * if the UEFI Secure Boot is enabled. + */ + if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) + { + grub_lockdown (); + grub_shim_lock_verifier_setup (); + } efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer, 0, 0, 0, NULL); -- 2.11.0 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel
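Review bot: in the second hunk of grub-core/kern/efi/init.c the new condition `if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)` only locks down when Secure Boot is affirmatively reported as enabled; if grub_efi_get_secureboot () can return any state other than enabled or disabled (for example an unknown or error result when the variable cannot be read), GRUB would proceed unlocked in that case, so consider whether the fail-safe default should be to lock down unless Secure Boot is positively disabled, or at least document the intended behaviour for that state in the comment. Related: the removed lines called grub_shim_lock_verifier_setup () unconditionally, which suggests it performed its own Secure Boot check internally; if that check still exists it is now redundant with the hoisted condition and the two should be kept in sync or one dropped. Minor style point in the same comment block: "Lockdown the GRUB" reads better as "Lock down GRUB".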