[PATCH 15/15] efi: Disallow fallback to legacy Linux loader when shim sa
From: |
Mate Kukri |
Subject: |
[PATCH 15/15] efi: Disallow fallback to legacy Linux loader when shim says NX is required. |
Date: |
Fri, 24 May 2024 12:04:02 +0100 |
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
---
grub-core/loader/efi/linux.c | 41 +++++++++++++++++++++++++++++++-----
1 file changed, 36 insertions(+), 5 deletions(-)
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index 99365536a..e44692c92 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -450,6 +450,35 @@ grub_cmd_initrd (grub_command_t cmd __attribute__
((unused)),
return grub_errno;
}
+#define GRUB_MOK_POLICY_NX_REQUIRED 0x1
+
+static int
+grub_efi_check_nx_required (void)
+{
+ grub_efi_status_t status;
+ grub_guid_t guid = GRUB_EFI_SHIM_LOCK_GUID;
+ grub_size_t mok_policy_sz = 0;
+ char *mok_policy = NULL;
+ grub_uint32_t mok_policy_attrs = 0;
+
+ status = grub_efi_get_variable_with_attributes ("MokPolicy", &guid,
+ &mok_policy_sz,
+ (void **)&mok_policy,
+ &mok_policy_attrs);
+ if (status == GRUB_EFI_NOT_FOUND ||
+ mok_policy_sz == 0 ||
+ mok_policy == NULL)
+ return 1;
+
+ if (mok_policy_sz != 1 ||
+ (mok_policy[0] & GRUB_MOK_POLICY_NX_REQUIRED) ||
+ (mok_policy_attrs != (GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
+ GRUB_EFI_VARIABLE_RUNTIME_ACCESS)))
+ return 1;
+
+ return 0;
+}
+
static grub_err_t
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
int argc, char *argv[])
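Review bot: The buffer that grub_efi_get_variable_with_attributes() hands back through mok_policy is never released: both `return 1;` exits after the call and the final `return 0;` leave it allocated, so every `linux` command that reaches the x86 fallback path leaks the MokPolicy copy (this assumes the helper allocates the buffer the way grub_efi_get_variable() does — worth confirming against its definition). A single exit that frees it is the cleaner shape; the rewrite below also inverts the second condition so that the positive "NX not required" case is the only thing that clears the flag. Two further points: the function and GRUB_MOK_POLICY_NX_REQUIRED are defined unconditionally but only called inside the x86 `#else` branch of the next hunk, so non-x86 builds get an unused static function, which fails the build if -Werror is in effect; wrapping the definition in `#if defined(__i386__) || defined(__x86_64__)` avoids that. Note also that an absent or empty MokPolicy returns 1, i.e. "NX required", which removes the legacy fallback on firmware without shim at all — if that fail-closed choice is intended it deserves a comment above the function, e.g. `/* Returns 1 when shim's MokPolicy demands NX, or when the policy cannot be read or is malformed (fail closed). */`.
```c
static int
grub_efi_check_nx_required (void)
{
  int nx_required = 1;
  /* … unchanged: status, guid, mok_policy_sz, mok_policy, mok_policy_attrs declarations … */

  /* … unchanged: grub_efi_get_variable_with_attributes ("MokPolicy", ...) call … */

  if (status == GRUB_EFI_NOT_FOUND ||
      mok_policy_sz == 0 ||
      mok_policy == NULL)
    goto out;

  /* Only a well-formed, boot+runtime policy byte without the NX bit clears the requirement.  */
  if (mok_policy_sz == 1 &&
      !(mok_policy[0] & GRUB_MOK_POLICY_NX_REQUIRED) &&
      mok_policy_attrs == (GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
			   GRUB_EFI_VARIABLE_RUNTIME_ACCESS))
    nx_required = 0;

 out:
  grub_free (mok_policy);
  return nx_required;
}
```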
@@ -472,21 +501,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__
((unused)),
kernel_size = grub_file_size (file);
- if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
#if !defined(__i386__) && !defined(__x86_64__)
+ if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
goto fail;
#else
- goto fallback;
-
- if (!initrd_use_loadfile2)
+ if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE ||
+ !initrd_use_loadfile2)
{
+ /* We cannot use the legacy loader when NX is required */
+ if (grub_efi_check_nx_required())
+ goto fail;
+
/*
* This is a EFI stub image but it is too old to implement the LoadFile2
* based initrd loading scheme, and Linux/x86 does not support the DT
* based method either. So fall back to the x86-specific loader that
* enters Linux in EFI mode but without going through its EFI stub.
*/
-fallback:
grub_file_close (file);
return grub_cmd_linux_x86_legacy (cmd, argc, argv);
}
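Review bot: The new `goto fail` taken when grub_efi_check_nx_required() returns 1 reaches the fail label (outside this hunk) without setting grub_errno, so when the image header loaded fine and only the LoadFile2 initrd support is missing, the command most likely returns GRUB_ERR_NONE with no kernel loaded and the user sees no reason the boot was refused. Set an error before jumping, in a braced block: `grub_error (GRUB_ERR_BAD_OS, "kernel does not support NX loading and NX is required"); goto fail;`. Whether fail ends in `return grub_errno;` is inferred from the usual shape of grub_cmd_linux; the label and the rest of the function are not visible here.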
--
2.39.2