diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:29:51 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 16:29:51 +0000 |
commit | 6e7a315eb67cb6c113cf37e1d66c4f11a51a2b3e (patch) | |
tree | 32451fa3cdd9321fb2591fada9891b2cb70a9cd1 /grub-core/kern/lockdown.c | |
parent | Initial commit. (diff) | |
download | grub2-6e7a315eb67cb6c113cf37e1d66c4f11a51a2b3e.tar.xz grub2-6e7a315eb67cb6c113cf37e1d66c4f11a51a2b3e.zip |
Adding upstream version 2.06.upstream/2.06upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'grub-core/kern/lockdown.c')
-rw-r--r-- | grub-core/kern/lockdown.c | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c new file mode 100644 index 0000000..0bc70fd --- /dev/null +++ b/grub-core/kern/lockdown.c @@ -0,0 +1,84 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2020 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. + * + */ + +#include <grub/dl.h> +#include <grub/env.h> +#include <grub/file.h> +#include <grub/lockdown.h> +#include <grub/verify.h> + +static int lockdown = GRUB_LOCKDOWN_DISABLED; + +static grub_err_t +lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), + enum grub_file_type type, + void **context __attribute__ ((unused)), + enum grub_verify_flags *flags) +{ + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; + + switch (type & GRUB_FILE_TYPE_MASK) + { + case GRUB_FILE_TYPE_GRUB_MODULE: + case GRUB_FILE_TYPE_LINUX_KERNEL: + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: + case GRUB_FILE_TYPE_XEN_HYPERVISOR: + case GRUB_FILE_TYPE_BSD_KERNEL: + case GRUB_FILE_TYPE_XNU_KERNEL: + case GRUB_FILE_TYPE_PLAN9_KERNEL: + case GRUB_FILE_TYPE_NTLDR: + case GRUB_FILE_TYPE_TRUECRYPT: + case GRUB_FILE_TYPE_FREEDOS: + case GRUB_FILE_TYPE_PXECHAINLOADER: + case GRUB_FILE_TYPE_PCCHAINLOADER: + case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: + case GRUB_FILE_TYPE_ACPI_TABLE: + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: + *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; + + /* Fall through. */ + + default: + return GRUB_ERR_NONE; + } +} + +struct grub_file_verifier lockdown_verifier = + { + .name = "lockdown_verifier", + .init = lockdown_verifier_init, + }; + +void +grub_lockdown (void) +{ + lockdown = GRUB_LOCKDOWN_ENABLED; + + grub_verifier_register (&lockdown_verifier); + + grub_env_set ("lockdown", "y"); + grub_env_export ("lockdown"); +} + +int +grub_is_lockdown (void) +{ + return lockdown; +} |