[PATCH 15/15] efi: Disallow fallback to legacy Linux loader when shim says NX is required.

Fri, 24 May 2024 04:06:54 -0700 

Signed-off-by: Mate Kukri <mate.ku...@canonical.com>
---
 grub-core/loader/efi/linux.c | 41 +++++++++++++++++++++++++++++++-----
 1 file changed, 36 insertions(+), 5 deletions(-)

diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 99365536a..e44692c92 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -450,6 +450,35 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ 
((unused)),
   return grub_errno;
 }
 
+#define GRUB_MOK_POLICY_NX_REQUIRED   0x1
+
+static int
+grub_efi_check_nx_required (void)
+{
+  grub_efi_status_t status;
+  grub_guid_t guid = GRUB_EFI_SHIM_LOCK_GUID;
+  grub_size_t mok_policy_sz = 0;
+  char *mok_policy = NULL;
+  grub_uint32_t mok_policy_attrs = 0;
+
+  status = grub_efi_get_variable_with_attributes ("MokPolicy", &guid,
+                                                  &mok_policy_sz,
+                                                  (void **)&mok_policy,
+                                                  &mok_policy_attrs);
+  if (status == GRUB_EFI_NOT_FOUND ||
+      mok_policy_sz == 0 ||
+      mok_policy == NULL)
+    return 1;
+
+  if (mok_policy_sz != 1 ||
+      (mok_policy[0] & GRUB_MOK_POLICY_NX_REQUIRED) ||
+      (mok_policy_attrs != (GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+                           GRUB_EFI_VARIABLE_RUNTIME_ACCESS)))
+    return 1;
+
+  return 0;
+}
+
 static grub_err_t
 grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
                int argc, char *argv[])
@@ -472,21 +501,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ 
((unused)),
 
   kernel_size = grub_file_size (file);
 
-  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
 #if !defined(__i386__) && !defined(__x86_64__)
+  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
     goto fail;
 #else
-    goto fallback;
-
-  if (!initrd_use_loadfile2)
+  if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE ||
+      !initrd_use_loadfile2)
     {
+      /* We cannot use the legacy loader when NX is required */
+      if (grub_efi_check_nx_required())
+        goto fail;
+
       /*
        * This is a EFI stub image but it is too old to implement the LoadFile2
        * based initrd loading scheme, and Linux/x86 does not support the DT
        * based method either. So fall back to the x86-specific loader that
        * enters Linux in EFI mode but without going through its EFI stub.
        */
-fallback:
       grub_file_close (file);
       return grub_cmd_linux_x86_legacy (cmd, argc, argv);
     }
-- 
2.39.2


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Reply via email to