proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-07-16 08:43:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
578c95298b
grub2/grub-core/commands
History
Javier Martinez Canillas 578c95298b kern: Add lockdown support 
When the GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting untrusted system.

To prevent that situation, allow GRUB to be locked down. That way the code
may check if GRUB has been locked down and further restrict the commands
that are registered or what subset of their functionality could be used.

The lockdown support adds the following components:

* The grub_lockdown() function which can be used to lockdown GRUB if,
  e.g., UEFI Secure Boot is enabled.

* The grub_is_lockdown() function which can be used to check if the GRUB
  was locked down.

* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
  verifiers. These files are only successfully verified if another registered
  verifier returns success. Otherwise, the whole verification process fails.

  For example, PE/COFF binaries verification can be done by the shim_lock
  verifier which validates the signatures using the shim_lock protocol.
  However, the verification is not deferred directly to the shim_lock verifier.
  The shim_lock verifier is hooked into the verification process instead.

* A set of grub_{command,extcmd}_lockdown functions that can be used by
  code registering command handlers, to only register unsafe commands if
  the GRUB has not been locked down.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-03-02 15:54:15 +01:00
..
arc Remove nested functions from device iterators. 2013-01-20 15:52:15 +00:00
efi efi: Move the shim_lock verifier to the GRUB core 2021-03-02 15:54:15 +01:00
i386 misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
ieee1275 * grub-core/commands/gptsync.c: Fix typographic quoting. 2012-03-03 13:05:08 +01:00
mips/loongson * grub-core/commands/i386/pc/drivemap.c: Add TRANSLATORS comments. 2012-03-02 15:09:10 +01:00
xen Correct some translatable strings. 2013-12-21 03:03:31 +01:00
acpi.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
acpihalt.c acpihalt: add GRUB_ACPI_OPCODE_CREATE_DWORD_FIELD (0x8a) 2016-01-02 21:33:18 +03:00
blocklist.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
boot.c Add new ports: i386-xen and x86_64-xen. This allows running GRUB in 2013-11-09 21:29:11 +01:00
boottime.c Clarify several translatable messages. 2013-12-21 03:21:45 +01:00
cacheinfo.c cacheinfo: Add missing license information. 2015-03-20 11:13:58 +01:00
cat.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
cmp.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
configfile.c * grub-core/commands/configfile.c (GRUB_MOD_INIT): Correct 2012-10-12 15:34:33 +01:00
date.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
echo.c Implement automatic module license checking according to new GNU 2011-04-11 23:01:51 +02:00
eval.c * grub-core/script/execute.c (grub_script_execute_sourcecode): Split 2013-06-07 18:40:37 +02:00
extcmd.c kern: Add lockdown support 2021-03-02 15:54:15 +01:00
file32.c Implement grub_file tool and use it to implement generating of config 2013-12-17 14:39:48 +01:00
file64.c Implement grub_file tool and use it to implement generating of config 2013-12-17 14:39:48 +01:00
file.c RISC-V: Add to build system 2019-02-25 14:02:05 +01:00
fileXX.c commands/fileXX: Fix remaining memory leak. 2015-01-25 16:36:30 +03:00
gptsync.c gptsync: Add missing device_close. 2015-01-24 20:52:02 +01:00
halt.c Add noreturn attributes and remove unreachable code. 2011-12-13 15:13:51 +01:00
hashsum.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
hdparm.c i386, x86_64, ppc: fix switch fallthrough cases with GCC7 2017-04-04 19:23:55 +03:00
help.c * include/grub/list.h (FOR_LIST_ELEMENTS_SAFE): New macro. 2012-07-02 11:19:22 +02:00
hexdump.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
iorw.c Replace grub_target_addr with more appropriate types. 2012-02-27 14:13:24 +01:00
keylayouts.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
keystatus.c kern/term: Make grub_getkeystatus() helper function available everywhere 2020-04-21 22:08:52 +02:00
legacycfg.c malloc: Use overflow checking primitives where we do complex allocations 2020-07-29 16:55:47 +02:00
loadenv.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
ls.c Change fs functions to add fs_ prefix 2019-04-09 10:03:29 +10:00
lsacpi.c * grub-core/commands/lsacpi.c: Fix types on 64-bit platform. 2013-02-06 17:37:29 +01:00
lsmmap.c Translate UEFI persistent memory type 2015-12-15 10:25:34 +03:00
lspci.c Remove nested functions from PCI iterators. 2013-01-13 01:10:41 +00:00
macbless.c Change fs functions to add fs_ prefix 2019-04-09 10:03:29 +10:00
memrw.c Replace grub_target_addr with more appropriate types. 2012-02-27 14:13:24 +01:00
menuentry.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
minicmd.c dl: Add support for persistent modules 2018-11-09 13:25:31 +01:00
nativedisk.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
parttool.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
password_pbkdf2.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
password.c Improve gettext support. Stylistic fixes and error handling fixes while 2012-02-08 19:26:01 +01:00
pcidump.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
pgp.c Change fs functions to add fs_ prefix 2019-04-09 10:03:29 +10:00
probe.c probe: Support probing for msdos PARTUUID 2019-10-21 14:00:54 +02:00
read.c Implement automatic module license checking according to new GNU 2011-04-11 23:01:51 +02:00
reboot.c Add noreturn attributes and remove unreachable code. 2011-12-13 15:13:51 +01:00
regexp.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
search_file.c * grub-core/commands/search_file.c (SEARCH_TARGET): Remove obsolete 2012-02-03 11:46:18 +01:00
search_label.c * grub-core/commands/search_file.c (SEARCH_TARGET): Remove obsolete 2012-02-03 11:46:18 +01:00
search_uuid.c * grub-core/commands/search_file.c (SEARCH_TARGET): Remove obsolete 2012-02-03 11:46:18 +01:00
search_wrap.c calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
search.c Change fs functions to add fs_ prefix 2019-04-09 10:03:29 +10:00
setpci.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
sleep.c kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys 2020-04-21 22:13:44 +02:00
smbios.c smbios: Add a --linux argument to apply linux modalias-like filtering 2020-03-10 21:35:02 +01:00
syslinuxcfg.c commands/syslinux: Add missing free. 2015-01-24 21:23:25 +01:00
terminal.c Fix USB devices not being detected when requested 2013-03-19 20:35:21 +01:00
test.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
testload.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
testspeed.c verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
time.c Improve string. Gettextize. 2012-02-12 15:25:25 +01:00
tpm.c tpm: Rename function grub_tpm_log_event() to grub_tpm_measure() 2020-05-15 15:37:28 +02:00
tr.c commands/tr: Simplify and fix missing parameter test. 2015-01-24 21:25:42 +01:00
true.c * grub-core/commands/acpihalt.c: Add TRANSLATORS comments. 2012-03-03 12:59:28 +01:00
usbtest.c usbtest: Disable gcc9 -Waddress-of-packed-member 2019-04-23 11:37:08 +02:00
videoinfo.c misc: Make grub_strtol() "end" pointers have safer const qualifiers 2020-02-28 12:41:29 +01:00
videotest.c * grub-core/commands/videotest.c: Reduce flickering and draw 6 squares 2013-05-02 14:34:13 +02:00
wildcard.c malloc: Use overflow checking primitives where we do complex allocations 2020-07-29 16:55:47 +02:00
xnu_uuid.c * grub-core/commands/xnu_uuid.c: Remove variable length arrays. 2013-11-12 01:19:34 +01:00