Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Steve McIntyre <93sam@debian.org>
Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
Bug-Debian: https://bugs.debian.org/927888
Last-Update: 2019-05-04
Patch-Name: no-devicetree-if-secure-boot.patch
#include <grub/linux.h>
#include <grub/verify.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
GRUB_MOD_LICENSE ("GPLv3+");
static grub_dl_t my_mod;
if (argc != 1)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
if (!dtb)
return grub_errno;
return GRUB_ERR_NONE;
}
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
if (!dtb)
goto out;