grub2/include/grub
Javier Martinez Canillas 578c95298b kern: Add lockdown support
When GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting an untrusted system.

To prevent that situation, allow GRUB to be locked down. That way the code
may check if GRUB has been locked down and further restrict the commands
that are registered or what subset of their functionality could be used.

The lockdown support adds the following components:

* The grub_lockdown() function which can be used to lock down GRUB if,
  e.g., UEFI Secure Boot is enabled.

* The grub_is_lockdown() function which can be used to check if GRUB
  has been locked down.

* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
  verifiers. These files are only successfully verified if another registered
  verifier returns success. Otherwise, the whole verification process fails.

  For example, PE/COFF binaries verification can be done by the shim_lock
  verifier which validates the signatures using the shim_lock protocol.
  However, the verification is not deferred directly to the shim_lock verifier.
  The shim_lock verifier is hooked into the verification process instead.

* A set of grub_{command,extcmd}_lockdown functions that can be used by
  code registering command handlers, to only register unsafe commands if
  GRUB has not been locked down.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-03-02 15:54:15 +01:00
arc arc: Do not create spurious variable grub_arc_memory_type_t. 2017-08-30 15:18:24 +02:00
arm include/grub/arm/system.h: Include missing <grub/symbol.h> header 2020-11-20 15:33:40 +01:00
arm64 include/grub/arm64/linux.h: Include missing <grub/types.h> header 2020-11-20 15:33:40 +01:00
coreboot coreboot: Split parts that are platform-independent. 2017-05-08 19:10:24 +02:00
efi efi: Move the shim_lock verifier to the GRUB core 2021-03-02 15:54:15 +01:00
efiemu Fix packed-not-aligned error on GCC 8 2018-04-04 21:51:42 +02:00
emu calloc: Make sure we always have an overflow-checking calloc() available 2020-07-29 16:55:47 +02:00
gcry Import gcrypt public-key cryptography and implement signature checking. 2013-01-11 21:32:42 +01:00
gcrypt Remove autogenerated files from VCS 2013-01-12 16:17:31 +01:00
i386 loader/linux: Report the UEFI Secure Boot status to the Linux kernel 2020-12-12 01:19:03 +01:00
ia64 ia64: Add support for R_IA64_GPREL64I. 2017-01-31 12:39:01 +01:00
ieee1275 ieee1275: obdisk driver 2019-03-12 20:04:07 +01:00
lib verifiers: Add possibility to verify kernel and modules command lines 2018-11-09 13:25:31 +01:00
mips multiboot fixup 2017-08-14 16:24:05 +02:00
net Add Virtual LAN support. 2017-05-03 13:03:50 +02:00
osdep grub-editenv: Add grub_util_readlink() 2020-02-18 15:14:13 +01:00
powerpc * grub-core/lib/powerpc/setjmp.S (grub_setjmp): Save r31. 2013-11-18 02:35:32 +01:00
riscv32 RISC-V: Add auxiliary files 2019-02-25 14:01:59 +01:00
riscv64 RISC-V: Add auxiliary files 2019-02-25 14:01:59 +01:00
sparc64 ieee1275: Include a.out header in assembly of sparc64 boot loader 2019-03-28 11:35:12 +01:00
uboot uboot: Add the missing disk write operation support 2019-01-22 15:23:51 +01:00
util mbr: Warn if MBR gap is small and user uses advanced modules 2020-12-12 01:19:03 +01:00
x86_64 asm: Replace "__asm__ __volatile__" with "asm volatile" 2019-03-12 20:04:07 +01:00
xen xen: modify page table construction 2016-10-27 16:22:06 +02:00
zfs zfs: Fix gcc10 error -Werror=zero-length-bounds 2020-03-31 12:17:03 +02:00
acorn_filecore.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
acpi.h acpi: Fix gcc9 error -Waddress-of-packed-member 2019-04-23 11:37:08 +02:00
aout.h aout.h: Fix missing include. 2018-03-05 13:44:55 +01:00
archelp.h Support for cbfs. Also factor out the part which is common 2013-06-16 00:06:13 +02:00
at_keyboard.h at_keyboard: Fix falco chromebook case. 2017-05-09 14:27:52 +02:00
ata.h Remove nested functions from device iterators. 2013-01-20 15:52:15 +00:00
auth.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
autoefi.h Remove grub_efi_allocate_pages. 2017-08-07 18:33:29 +02:00
backtrace.h Several cleanups 2012-02-26 19:10:52 +01:00
bitmap_scale.h * grub-core/gfxmenu/theme_loader.c: New global options for the 2013-10-02 18:17:33 +04:00
bitmap.h Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
boottime.h * include/grub/boottime.h: Add missing file. 2013-03-20 16:58:07 +01:00
bsdlabel.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
btrfs.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
bufio.h verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
cache.h ia64: build fix in cache.h 2019-06-07 15:37:55 +02:00
cbfs_core.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
charset.h * grub-core/commands/cat.c: Show UTF-8 characters. 2013-05-08 11:09:08 +02:00
cmos.h * include/grub/cmos.h: Handle high CMOS addresses on sparc64. 2013-03-02 23:59:05 +01:00
color.h Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
command.h kern: Add lockdown support 2021-03-02 15:54:15 +01:00
compiler-rt-emu.h RISC-V: Add __clzdi2 symbol 2019-09-23 13:17:15 +02:00
compiler-rt.h mips: Enable __clzdi2() 2020-12-18 23:04:36 +01:00
compiler.h safemath: Add some arithmetic primitives that check for overflow 2020-07-29 16:55:47 +02:00
crypto.h crypto: Remove GPG_ERROR_CFLAGS from gpg_err_code_t enum 2020-09-18 22:31:30 +02:00
cryptodisk.h cryptodisk: Properly handle non-512 byte sized sectors 2020-12-12 01:19:05 +01:00
cs5536.h Some CS5536 code 2011-10-01 22:51:12 +02:00
datetime.h * include/grub/datetime.h (grub_datetime2unixtime): Fix unixtime 2013-03-10 19:19:21 +01:00
decompressor.h Make a separate scratch for decompressor 2010-09-21 19:39:51 +02:00
deflate.h Implement Truecrypt ISO loader. 2013-12-17 14:45:46 +01:00
device.h Remove nested functions from device iterators. 2013-01-20 15:52:15 +00:00
disk.h luks2: Better error handling when setting up the cryptodisk 2020-12-18 23:00:28 +01:00
diskfilter.h btrfs: Make more generic the code for RAID 6 rebuilding 2018-10-31 12:07:29 +01:00
dl.h RISC-V: Add awareness for RISC-V relocations 2019-02-25 11:34:09 +01:00
dma.h arm_coreboot: Support DMA. 2017-05-08 22:06:04 +02:00
elf.h elf.h: Add RISC-V definitions 2019-02-25 11:28:44 +01:00
elfload.h verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
env_private.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
env.h * grub-core/kern/env.c, include/grub/env.h: Change iterator through 2013-03-03 01:34:27 +01:00
err.h Propagate GNU_PRINTF from gnulib vfprintf 2019-03-26 15:08:00 +01:00
exfat.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
extcmd.h kern: Add lockdown support 2021-03-02 15:54:15 +01:00
fat.h chainloader: Fix wrong break condition (must be AND not, OR) 2018-02-23 22:32:55 +01:00
fbblit.h Move blit and fill dispatcher to appropriate files to decrease export 2013-05-30 22:06:28 +02:00
fbfill.h * grub-core/gfxmenu/gui_box.c: Updated to work with area status. 2013-11-08 15:42:38 +04:00
fbutil.h Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
fdt.h linux, efi, arm*, fdt: Break FDT extra allocation space out into a #define 2019-01-23 10:16:32 +01:00
fdtbus.h fdtbus: Add ability to send/receive messages on parent busses. 2017-05-09 08:43:20 +02:00
file.h fdt: Treat device tree file type like ACPI 2019-02-25 14:02:06 +01:00
fileid.h Implement grub_file tool and use it to implement generating of config 2013-12-17 14:39:48 +01:00
font.h * grub-core/font/font.c, include/grub/font.h: Inline simple font 2013-05-30 21:58:24 +02:00
fontformat.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
fs.h Change fs functions to add fs_ prefix 2019-04-09 10:03:29 +10:00
fshelp.h fshelp: Add handling of "." and ".." and grub_fshelp_find_file_lookup. 2015-07-27 12:45:35 +02:00
gdb.h Adjust types in gdb module to have intended unsigned shifts rather than 2013-03-10 18:36:39 +01:00
gfxmenu_model.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
gfxmenu_view.h * grub-core/gfxmenu/theme_loader.c: New global options for the 2013-10-02 18:17:33 +04:00
gfxterm.h Detach optional parts of gfxterm and integrate in with coreboot init. 2013-05-31 00:42:33 +02:00
gfxwidgets.h Take into account the decorations the computing menu entry width. 2011-04-19 00:44:53 +02:00
gpt_partition.h disk: Update grub_gpt_partentry 2018-04-23 13:21:45 +02:00
gui_string_util.h Move gfxmenu color handling to video, so that gfxterm can use it 2010-12-10 16:45:58 +00:00
gui.h * include/grub/gui.h (grub_fixed_sfs_divide): Round rather than 2013-11-08 16:17:29 +01:00
hfs.h hfs: Fix gcc9 error -Waddress-of-packed-member 2019-04-23 11:37:08 +02:00
hfsplus.h hfsplus: Fix potential access to uninited memory on invalid FS 2015-03-06 22:33:20 +01:00
i18n.h Add missing format_arg attribute to check that printf with translated 2013-12-17 16:42:01 +01:00
icon_manager.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
kernel.h xen: Prepare common code for Xen PVH support 2018-12-12 12:03:27 +01:00
keyboard_layouts.h Handle Japanese special keys. 2013-10-17 00:49:05 +02:00
legacy_parse.h * grub-core/tests/legacy_password_test.c: New test. 2013-11-12 02:38:33 +01:00
libpciaccess.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
linux.h Add ability to generate newc additions on runtime. 2013-03-22 21:01:28 +01:00
list.h verifiers: Framework core 2018-11-09 13:25:31 +01:00
loader.h efi: Fix use-after-free in halt/reboot path 2020-07-29 16:55:48 +02:00
lockdown.h kern: Add lockdown support 2021-03-02 15:54:15 +01:00
lvm.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
macho.h * grub-core/loader/machoXX.c: Fix compilation on non-i386. 2013-12-17 22:44:46 +01:00
machoload.h verifiers: File type for fine-grained signature-verification controlling 2018-11-09 13:25:31 +01:00
memory.h Translate UEFI persistent memory type 2015-12-15 10:25:34 +03:00
menu_viewer.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
menu.h Fix menu title instability bug. 2012-03-04 14:55:13 +01:00
misc.h misc: Add grub_log2ull() macro for calculating log base 2 of 64-bit integers 2020-12-18 23:08:14 +01:00
mm_private.h fix grub-emu compilation 2010-08-28 14:52:25 +02:00
mm.h calloc: Make sure we always have an overflow-checking calloc() available 2020-07-29 16:55:47 +02:00
module_verifier.h grub-module-verifier: Report the filename or modname in errors 2018-09-12 13:24:36 +02:00
msdos_partition.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
multiboot2.h Add a file missing in multiboot2 commit. 2017-09-05 23:13:55 +02:00
multiboot_loader.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
multiboot.h multiboot: disentangle multiboot and multiboot2. 2017-08-14 14:08:54 +02:00
net.h normal/main: Search for specific config files for netboot 2020-02-18 15:12:06 +01:00
normal.h * grub-core/normal/main.c: Don't drop to rescue console in 2014-09-21 18:51:09 +02:00
ns8250.h Fix compilation on yeeloong 2010-08-29 13:45:36 +02:00
ntfs.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
offsets.h xen: Add PVH specific defines to offset.h 2018-12-12 12:03:27 +01:00
parser.h * grub-core/disk/ldm.c: Rename variables and arguments to prevent 2013-10-18 16:54:57 +02:00
partition.h mbr: Warn if MBR gap is small and user uses advanced modules 2020-12-12 01:19:03 +01:00
parttool.h Add missing const qualifiers. 2011-11-30 16:20:13 +01:00
pci.h arm_coreboot: Support DMA. 2017-05-08 22:06:04 +02:00
pciutils.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
priority_queue.h * tests/priority_queue_unit_test.cc: New test. 2013-05-07 11:30:48 +02:00
procfs.h fix include loop on MinGW due to libintl.h pulling stdio.h 2014-01-18 21:22:57 +04:00
ps2.h at_keyboard: Split protocol from controller code. 2017-05-08 21:41:22 +02:00
pubkey.h verifiers: fix double close on pgp's sig file descriptor 2018-11-21 14:46:53 +01:00
random.h Add RNG module. 2016-02-12 12:39:38 +01:00
reader.h Remove nested functions from script reading and parsing. 2013-01-15 12:03:25 +00:00
reed_solomon.h C part of Reed-Solomon 2010-09-24 14:05:47 +02:00
relocator_private.h Fix ppc compilation problems 2010-05-01 13:23:19 +02:00
relocator.h relocator: Protect grub_relocator_alloc_chunk_align() max_addr against integer underflow 2020-07-29 16:55:48 +02:00
safemath.h safemath: Add some arithmetic primitives that check for overflow 2020-07-29 16:55:47 +02:00
script_sh.h lexer: char const * should be const char * 2020-09-18 22:31:30 +02:00
scsi.h Remove nested functions from device iterators. 2013-01-20 15:52:15 +00:00
scsicmd.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
sdl.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
search.h support subpartition hints 2010-09-13 12:16:22 +02:00
serial.h * grub-core/term/serial.c: Add option for enabling/disabling 2013-11-08 18:20:20 +01:00
setjmp.h * include/grub/setjmp.h: Define RETURNS_TWICE. Keep it empty for 2013-10-18 16:38:36 +02:00
smbios.h smbios: Add a module for retrieving SMBIOS information 2019-07-11 21:06:12 +02:00
smbus.h working copy, wo nested packaging 2010-08-17 19:03:22 +05:30
speaker.h New terminal outputs using serial: morse and spkmodem. 2013-01-16 20:39:54 +01:00
symbol.h With Apple assembly in .macro environment you have to use $$ instead 2013-11-24 07:08:18 +01:00
syslinux_parse.h Implement syslinux parser. 2013-12-18 05:28:05 +01:00
term.h kern/term: Accept ESC, F4 and holding SHIFT as user interrupt keys 2020-04-21 22:13:44 +02:00
terminfo.h Lift 255x255 terminal size restriction to 65535x65535. Also change from 2013-10-19 23:59:32 +02:00
test.h * include/grub/test.h: Use gnu_printf rather than printf on GRUB 2013-12-15 14:39:21 +01:00
time.h Add a new "none" platform that only builds utilities 2014-09-23 12:06:30 +01:00
tparm.h Add missing const qualifiers. 2011-11-30 16:20:13 +01:00
tpm.h efi/tpm: Remove unused functions and structures 2020-09-18 22:31:29 +02:00
trig.h * grub-core/gentrigtables.c: Make tables const. 2013-03-01 11:15:09 +01:00
types.h cryptodisk: Add macros GRUB_TYPE_U_MAX/MIN(type) to replace literals 2020-12-12 01:19:04 +01:00
udf.h Split out blocklist retrieving from setup.c to 2013-10-15 17:02:26 +02:00
unicode.h calloc: Use calloc() at most places 2020-07-29 16:55:47 +02:00
usb.h arm_coreboot: Support EHCI. 2017-05-08 22:15:05 +02:00
usbdesc.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
usbserial.h Implement USBDebug (full USB stack variant). 2013-02-01 21:49:29 +01:00
usbtrans.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00
verify.h verifiers: Move verifiers API to kernel image 2021-03-02 15:54:15 +01:00
vga.h Add monochrome text support (mda_text, aka `hercules' in grub-legacy). 2012-06-28 15:27:54 +02:00
vgaregs.h Add monochrome text support (mda_text, aka `hercules' in grub-legacy). 2012-06-28 15:27:54 +02:00
video_fb.h * grub-core/gfxmenu/gui_box.c: Updated to work with area status. 2013-11-08 15:42:38 +04:00
video.h * include/grub/video.h (grub_video_rgba_color_rgb): Fix prototype 2013-12-21 14:31:47 +01:00
xen_file.h xen: add capability to load p2m list outside of kernel mapping 2016-10-27 16:22:06 +02:00
xen.h xen: Add basic hooks for PVH in current code 2018-12-12 12:03:27 +01:00
xnu.h Add gcc_struct to all packed structures when compiling with mingw. 2013-12-15 14:14:30 +01:00