Diffstat (limited to '')
-rw-r--r-- | debian/patches/fix-lockdown.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/debian/patches/fix-lockdown.patch b/debian/patches/fix-lockdown.patch
new file mode 100644
index 0000000..54a7928
--- /dev/null
+++ b/debian/patches/fix-lockdown.patch
@@ -0,0 +1,45 @@
+From b2c4515a832f82a4fe4ee8d32faa16b48de63d12 Mon Sep 17 00:00:00 2001
+From: Luca Boccassi <bluca@debian.org>
+Date: Tue, 15 May 2018 11:36:46 +0100
+Subject: Do not overwrite sentinel byte in boot_params, breaks lockdown
+
+grub currently copies the entire boot_params, which includes setting
+sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
+which in turn clears various boot_params variables, including the
+indication that the bootloader chain is verified and thus the kernel
+disables lockdown mode. According to the information on the Fedora bug
+tracker, only the information from byte 0x1f1 is necessary, so start
+copying from there instead.
+
+Author: Luca Boccassi <bluca@debian.org>
+Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
+Forwarded: no
+
+Patch-Name: fix-lockdown.patch
+---
+ grub-core/loader/i386/efi/linux.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 45b68c05a..532e4e512 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -29,6 +29,7 @@
+ #include <grub/linux.h>
+ #include <grub/efi/efi.h>
+ #include <grub/efi/sb.h>
++#include <stddef.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -336,7 +337,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
+ }
+ 
+- grub_memcpy (params, &lh, 2 * 512);
++ /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */
++ start = offsetof (struct linux_kernel_params, setup_sects);
++ grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);
+ 
+ params->type_of_loader = 0x21;
+ |
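Review bot: The added lines in the inner hunk for grub-core/loader/i386/efi/linux.c assign `start` without a visible declaration; if grub_cmd_linux does not already declare it, the patch needs one such as `grub_size_t start;` among the function's locals, which lie outside the hunk (the function both starts and ends outside it). The new copy `grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);` leaves the bytes of params below setup_sects untouched, so it now depends on params having been initialised earlier (presumably zeroed when allocated, which the hunk does not show) rather than being fully overwritten from lh. A comment stating that dependency next to the copy, e.g. `/* bytes below setup_sects, including the sentinel, keep their allocated value and are not taken from lh */`, would make the lockdown-preserving intent checkable by later readers.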