You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
67 lines
2.2 KiB
67 lines
2.2 KiB
2 months ago
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||
|
From: Mate Kukri <mate.kukri@canonical.com>
|
||
|
Date: Wed, 10 Jul 2024 12:07:17 -0600
|
||
|
Subject: [PATCH] efi: Disallow fallback to legacy Linux loader when shim says
|
||
|
NX is required.
|
||
|
|
||
|
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
|
||
|
---
|
||
|
grub-core/loader/efi/linux.c | 13 ++++++++-----
|
||
|
include/grub/efi/api.h | 2 ++
|
||
|
2 files changed, 10 insertions(+), 5 deletions(-)
|
||
|
|
||
|
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
|
||
|
index fe48001442a..0d1804b602d 100644
|
||
|
--- a/grub-core/loader/efi/linux.c
|
||
|
+++ b/grub-core/loader/efi/linux.c
|
||
|
@@ -724,6 +724,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||
|
void *kernel = NULL;
|
||
|
grub_err_t err;
|
||
|
int nx_supported = 1;
|
||
|
+ int nx_required = 0;
|
||
|
|
||
|
grub_dl_ref (my_mod);
|
||
|
|
||
|
@@ -772,21 +773,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||
|
goto fail;
|
||
|
}
|
||
|
|
||
|
+#if !defined(__i386__) && !defined(__x86_64__)
|
||
|
if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE)
|
||
|
-#if !defined(__i386__) && !defined(__x86_64__)
|
||
|
goto fail;
|
||
|
#else
|
||
|
- goto fallback;
|
||
|
-
|
||
|
- if (!initrd_use_loadfile2)
|
||
|
+ if (grub_arch_efi_linux_load_image_header (file, &lh) != GRUB_ERR_NONE ||
|
||
|
+ !initrd_use_loadfile2)
|
||
|
{
|
||
|
+ /* We cannot use the legacy loader when NX is required */
|
||
|
+ if (grub_efi_check_nx_required(&nx_required))
|
||
|
+ goto fail;
|
||
|
+
|
||
|
/*
|
||
|
* This is a EFI stub image but it is too old to implement the LoadFile2
|
||
|
* based initrd loading scheme, and Linux/x86 does not support the DT
|
||
|
* based method either. So fall back to the x86-specific loader that
|
||
|
* enters Linux in EFI mode but without going through its EFI stub.
|
||
|
*/
|
||
|
-fallback:
|
||
|
grub_file_close (file);
|
||
|
return grub_cmd_linux_x86_legacy (cmd, argc, argv);
|
||
|
}
|
||
|
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
|
||
|
index 76c88fbdcb0..2376182d735 100644
|
||
|
--- a/include/grub/efi/api.h
|
||
|
+++ b/include/grub/efi/api.h
|
||
|
@@ -2006,6 +2006,8 @@ struct grub_efi_block_io
|
||
|
};
|
||
|
typedef struct grub_efi_block_io grub_efi_block_io_t;
|
||
|
|
||
|
+#define GRUB_MOK_POLICY_NX_REQUIRED 0x1
|
||
|
+
|
||
|
struct grub_efi_shim_lock_protocol
|
||
|
{
|
||
|
/*
|