Forbid the "devicetree" command when Secure Boot is enabled.
authorPeter Jones <pjones@redhat.com>
Wed, 24 Apr 2019 14:03:04 +0000 (10:03 -0400)
committerColin Watson <cjwatson@debian.org>
Tue, 6 Aug 2019 09:50:46 +0000 (10:50 +0100)
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Steve McIntyre <93sam@debian.org>
Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
Bug-Debian: https://bugs.debian.org/927888
Last-Update: 2019-05-04

Patch-Name: no-devicetree-if-secure-boot.patch

grub-core/loader/arm/linux.c
grub-core/loader/efi/fdt.c

index 51684914cfc547386d410aeedac8e914b1ab44f4..092e8e307751446c95cf6a9ea1ba0dcb577fa8bc 100644 (file)
 #include <grub/linux.h>
 #include <grub/verify.h>
 
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
 GRUB_MOD_LICENSE ("GPLv3+");
 
 static grub_dl_t my_mod;
@@ -471,6 +475,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
   if (argc != 1)
     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
 
+#ifdef GRUB_MACHINE_EFI
+  if (grub_efi_secure_boot ())
+    {
+      return grub_error (GRUB_ERR_ACCESS_DENIED,
+                 "Secure Boot forbids loading devicetree from %s", argv[0]);
+    }
+#endif
+
   dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
   if (!dtb)
     return grub_errno;
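Review bot: The new error string on the line after `GRUB_ERR_ACCESS_DENIED` is not wrapped for translation, while the sibling error in the same hunk uses `N_("filename expected")`; the same applies to the identical block in grub-core/loader/efi/fdt.c. Suggested: `N_("Secure Boot forbids loading devicetree from %s")`. Since grub/verify.h is already included and the blob is opened as GRUB_FILE_TYPE_DEVICE_TREE_IMAGE, the same policy could presumably be enforced once by a file verifier keyed on that type instead of being copy-pasted into each command; the per-command check only covers callers that go through grub_cmd_devicetree. grub_cmd_devicetree begins and ends outside this hunk.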
index ee9c5592c7008813649ff50840b930195b602fd8..f0c2d91be222d4074f2ac222f1ba80bb4621ccc7 100644 (file)
@@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
       return GRUB_ERR_NONE;
     }
 
+#ifdef GRUB_MACHINE_EFI
+  if (grub_efi_secure_boot ())
+    {
+      return grub_error (GRUB_ERR_ACCESS_DENIED,
+                 "Secure Boot forbids loading devicetree from %s", argv[0]);
+    }
+#endif
+
   dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
   if (!dtb)
     goto out;
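Review bot: The `#ifdef GRUB_MACHINE_EFI` around the Secure Boot check is presumably always true in a file under loader/efi/, so unlike the arm/linux.c copy it guards nothing here and could be dropped for readability; note also that this hunk does not add `<grub/efi/efi.h>`, so grub_efi_secure_boot must already be declared via an existing include — verify. The check is placed after an early `return GRUB_ERR_NONE` path; if, as that return suggests, it is the no-argument branch that discards a previously loaded devicetree, that path still runs under Secure Boot, which is reasonable since it falls back to the firmware-provided tree, but a one-line comment such as `/* Only loading a new blob is denied under Secure Boot; unloading falls back to the firmware DTB. */` would make the intended policy explicit. grub_cmd_devicetree begins and ends outside this hunk.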