Diffstat (limited to '')
-rw-r--r--debian/patches/fix-lockdown.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/debian/patches/fix-lockdown.patch b/debian/patches/fix-lockdown.patch
new file mode 100644
index 0000000..54a7928
--- /dev/null
+++ b/debian/patches/fix-lockdown.patch
@@ -0,0 +1,45 @@
+From b2c4515a832f82a4fe4ee8d32faa16b48de63d12 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Tue, 15 May 2018 11:36:46 +0100
+Subject: Do not overwrite sentinel byte in boot_params, breaks lockdown
+
+grub currently copies the entire boot_params, which includes setting
+sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
+which in turn clears various boot_params variables, including the
+indication that the bootloader chain is verified and thus the kernel
+disables lockdown mode. According to the information on the Fedora bug
+tracker, only the information from byte 0x1f1 is necessary, so start
+copying from there instead.
+
+Author: Luca Boccassi <bluca@debian.org>
+Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
+Forwarded: no
+
+Patch-Name: fix-lockdown.patch
+---
+ grub-core/loader/i386/efi/linux.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 45b68c05a..532e4e512 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -29,6 +29,7 @@
+ #include <grub/linux.h>
+ #include <grub/efi/efi.h>
+ #include <grub/efi/sb.h>
++#include <stddef.h>
+
+ GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -336,7 +337,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
+ }
+
+- grub_memcpy (params, &lh, 2 * 512);
++ /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */
++ start = offsetof (struct linux_kernel_params, setup_sects);
++ grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);
+
+ params->type_of_loader = 0x21;
+
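Review bot: `start` is assigned at the `start = offsetof (struct linux_kernel_params, setup_sects);` line without a visible declaration, and grub_cmd_linux's body begins and ends outside this hunk, so unless the function already declares it the patch will not compile; since the patch adds `<stddef.h>`, a `size_t start;` declaration belongs in the same hunk. The length `2 * 512 - start` inherits the original's magic number, and this is now relied on for correctness (copying from the 0x1f1 offset described in the description), so naming the two-sector header size would make the bound easier to check. The comment `/* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */` could say why that matters, e.g. `/* Copy from setup_sects onward so the sentinel byte below it stays clear; a 0xff sentinel makes the kernel sanitize boot_params and drop the verified-boot indication lockdown depends on. */`.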