efi: Lockdown the GRUB when the UEFI Secure Boot is enabled

If the UEFI Secure Boot is enabled then the GRUB must be locked down
to prevent executing code that can potentially be used to subvert its
verification mechanisms.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index b683bec5a18b5b8982cf4a20c9cde3a306c7726f..13334650972a22652a9247a6c62e8f12475eda7c 100644 (file)
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -21,6 +21,7 @@
 #include <grub/efi/console.h>
 #include <grub/efi/disk.h>
 #include <grub/efi/sb.h>
+#include <grub/lockdown.h>
 #include <grub/term.h>
 #include <grub/misc.h>
 #include <grub/env.h>
@@ -40,8 +41,15 @@ grub_efi_init (void)
   /* Initialize the memory management system.  */
   grub_efi_mm_init ();
 
-  /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
-  grub_shim_lock_verifier_setup ();
+  /*
+   * Lockdown the GRUB and register the shim_lock verifier
+   * if the UEFI Secure Boot is enabled.
+   */
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    {
+      grub_lockdown ();
+      grub_shim_lock_verifier_setup ();
+    }
 
   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
              0, 0, 0, NULL);