diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c index d8f52d721..f7f3109d6 100644 --- a/grub-core/commands/efi/shim_lock.c +++ b/grub-core/commands/efi/shim_lock.c @@ -20,6 +20,7 @@ #include #include +#include #include #include #include @@ -28,7 +29,6 @@ GRUB_MOD_LICENSE ("GPLv3+"); static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; -static grub_efi_shim_lock_protocol_t *sl; /* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */ static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL}; @@ -43,9 +43,6 @@ shim_lock_init (grub_file_t io, enum grub_file_type type, *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; - if (!sl) - return GRUB_ERR_NONE; - switch (type & GRUB_FILE_TYPE_MASK) { case GRUB_FILE_TYPE_GRUB_MODULE: @@ -100,6 +97,11 @@ shim_lock_init (grub_file_t io, enum grub_file_type type, static grub_err_t shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size) { + grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0); + + if (sl == NULL) + return grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol not found")); + if (sl->verify (buf, size) != GRUB_EFI_SUCCESS) return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature")); @@ -115,12 +117,13 @@ struct grub_file_verifier shim_lock = GRUB_MOD_INIT(shim_lock) { - sl = grub_efi_locate_protocol (&shim_lock_guid, 0); - grub_verifier_register (&shim_lock); + grub_efi_shim_lock_protocol_t *sl = grub_efi_locate_protocol (&shim_lock_guid, 0); - if (!sl) + if (sl == NULL || grub_efi_get_secureboot () != GRUB_EFI_SECUREBOOT_MODE_ENABLED) return; + grub_verifier_register (&shim_lock); + grub_dl_set_persistent (mod); }