From 9fe795257843fb5ed34ced8d7c21588eb01843cc Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Fri, 17 Apr 2015 17:32:24 -0700
Subject: [PATCH] Don't read OEM config data if Secure Boot is enabled

We don't want untrusted configuration to be read if we're in Secure Boot mode, so skip the OEM config when Secure Boot is enabled and in User Mode.
---
 build_library/grub.cfg | 17 ++++++++++++++---
 build_library/grub_install.sh | 2 +-
 2 files changed, 15 insertions(+), 4 deletions(-)

diff --git a/build_library/grub.cfg b/build_library/grub.cfg
index 3fb53d86ab..c315654e08 100644
--- a/build_library/grub.cfg
+++ b/build_library/grub.cfg
@@ -18,11 +18,22 @@ set linux_console=""
 # Anything else the OEM adds should use this variable.
 set linux_append=""
 
+set secure_boot="0"
+
+if [ "$grub_platform" = "efi" ]; then
+ getenv -e SecureBoot -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b sb
+ getenv -e SetupMode -g 8be4df61-93ca-11d2-aa0d-00e098032b8c -b setupmode
+ if [ "$sb" = "01" -a "$setupmode" = "00" ]; then
+ set secure_boot="1"
+ fi
+fi
 
 # Search for the OEM partition, load additional configuration if found.
-search --no-floppy --set oem --part-label OEM --hint "$root"
-if [ -n "$oem" -a -f "($oem)/grub.cfg" ]; then
- source "($oem)/grub.cfg"
+if [ "$secure_boot" = "0" ]; then
+ search --no-floppy --set oem --part-label OEM --hint "$root"
+ if [ -n "$oem" -a -f "($oem)/grub.cfg" ]; then
+ source "($oem)/grub.cfg"
+ fi
 fi
 
 # If no specific console has been set by the OEM then select based on
diff --git a/build_library/grub_install.sh b/build_library/grub_install.sh
index 844f3c6170..0179bd62a0 100755
--- a/build_library/grub_install.sh
+++ b/build_library/grub_install.sh
@@ -41,7 +41,7 @@ case "${FLAGS_target}" in
 CORE_NAME="core.img"
 ;;
 x86_64-efi)
- CORE_MODULES+=( serial linuxefi efi_gop )
+ CORE_MODULES+=( serial linuxefi efi_gop getenv )
 CORE_NAME="core.efi"
 ;;
 x86_64-xen)
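Review bot: The Secure Boot gate in the grub.cfg hunk is fail-open: `secure_boot` starts at `"0"` and only becomes `"1"` when both `getenv` reads succeed and yield exactly `01` and `00`, so if the `getenv` command is missing from the loaded image or either variable read fails, `$sb` stays unset, the comparison is false, and the OEM `grub.cfg` is sourced exactly as before the patch. The grub_install.sh hunk adds the `getenv` module only to the `x86_64-efi` target, so any other EFI build that shares this grub.cfg would take that path silently. If the intent is to never source untrusted config when the state cannot be determined, the efi branch could invert the default — `set secure_boot="1"` before the reads, then `if [ "$sb" = "00" -o "$setupmode" = "01" ]; then set secure_boot="0"; fi` — at the cost of also disabling OEM config on EFI firmware that exposes no SecureBoot variable; whichever failure mode is intended deserves a comment above the reads such as `# Fail-open: an unreadable SecureBoot/SetupMode leaves OEM config enabled`. The `01`/`00` literals also depend on the byte-formatting of `getenv -b`, which is not visible here and is worth stating in that same comment.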