1 files changed, 431 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
new file mode 100644
index 0000000000..a98b5d0455
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
@@ -0,0 +1,431 @@
+From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:02 +0200
+Subject: [PATCH] kern: Add lockdown support
+When the GRUB starts on a secure boot platform, some commands can be
+used to subvert the protections provided by the verification mechanism and
+could lead to booting untrusted system.
+To prevent that situation, allow GRUB to be locked down. That way the code
+may check if GRUB has been locked down and further restrict the commands
+that are registered or what subset of their functionality could be used.
+The lockdown support adds the following components:
+* The grub_lockdown() function which can be used to lockdown GRUB if,
+  e.g., UEFI Secure Boot is enabled.
+* The grub_is_lockdown() function which can be used to check if the GRUB
+  was locked down.
+* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
+  tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
+  verifiers. These files are only successfully verified if another registered
+  verifier returns success. Otherwise, the whole verification process fails.
+  For example, PE/COFF binaries verification can be done by the shim_lock
+  verifier which validates the signatures using the shim_lock protocol.
+  However, the verification is not deferred directly to the shim_lock verifier.
+  The shim_lock verifier is hooked into the verification process instead.
+* A set of grub_{command,extcmd}_lockdown functions that can be used by
+  code registering command handlers, to only register unsafe commands if
+  the GRUB has not been locked down.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ conf/Makefile.common        |  2 +
+ docs/grub-dev.texi          | 27 +++++++++++++
+ docs/grub.texi              |  8 ++++
+ grub-core/Makefile.am       |  5 ++-
+ grub-core/Makefile.core.def |  1 +
+ grub-core/commands/extcmd.c | 23 +++++++++++
+ grub-core/kern/command.c    | 24 +++++++++++
+ grub-core/kern/lockdown.c   | 80 +++++++++++++++++++++++++++++++++++++
+ include/grub/command.h      |  5 +++
+ include/grub/extcmd.h       |  7 ++++
+ include/grub/lockdown.h     | 44 ++++++++++++++++++++
+ 11 files changed, 225 insertions(+), 1 deletion(-)
+ create mode 100644 grub-core/kern/lockdown.c
+ create mode 100644 include/grub/lockdown.h
+diff --git a/conf/Makefile.common b/conf/Makefile.common
+index 6cd71cb..2a1a886 100644
+--- a/conf/Makefile.common
+++ b/conf/Makefile.common
+@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
+ CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
+ CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
+diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
+index ee389fd..635ec72 100644
+--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
+@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
+ * PFF2 Font File Format::
+ * Graphical Menu Software Design::
+ * Verifiers framework::
+* Lockdown framework::
+ * Copying This Manual::         Copying This Manual
+ * Index::
+ @end menu
+@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
+ the context. If you return no error during any of @samp{init}, @samp{write} and
+ @samp{fini} then the file is considered as having succeded verification.
+ 
+@node Lockdown framework
+@chapter Lockdown framework
+
+The GRUB can be locked down, which is a restricted mode where some operations
+are not allowed. For instance, some commands cannot be used when the GRUB is
+locked down.
+
+The function
+@code{grub_lockdown()} is used to lockdown GRUB and the function
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
+
+The following functions can be used to register the commands that can only be
+used when lockdown is disabled:
+
+@itemize
+
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
+GRUB is in lockdown mode.
+
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
+when the GRUB is in lockdown mode.
+
+@end itemize
+
+ @node Copying This Manual
+ @appendix Copying This Manual
+ 
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 8779507..d778bfb 100644
+--- a/docs/grub.texi
+++ b/docs/grub.texi
+@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
+ * Using digital signatures::         Booting digitally signed code
+ * UEFI secure boot and shim::        Booting digitally signed PE files
+ * Measured Boot::                    Measuring boot components
+* Lockdown::                         Lockdown when booting on a secure setup
+ @end menu
+ 
+ @node Authentication and authorisation
+@@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
+ 
+ Measured boot is currently only supported on EFI platforms.
+ 
+@node Lockdown
+@section Lockdown when booting on a secure setup
+
+The GRUB can be locked down when booted on a secure boot environment, for example
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+be restricted and some operations/commands cannot be executed.
+
+ @node Platform limitations
+ @chapter Platform limitations
+ 
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 375c30d..3096241 100644
+--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
+@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
+ if COND_emu
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
+@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
+          b=`basename $$pp .marker`; \
+          sed -n \
+            -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+           -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+            -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+-           -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+           -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
+           -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+        done) | sort -u > $@
+ platform_DATA += command.lst
+ CLEANFILES += command.lst
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index cff02f2..651ea2a 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -204,6 +204,7 @@ kernel = {
+   efi = term/efi/console.c;
+   efi = kern/acpi.c;
+   efi = kern/efi/acpi.c;
+  efi = kern/lockdown.c;
+   i386_coreboot = kern/i386/pc/acpi.c;
+   i386_multiboot = kern/i386/pc/acpi.c;
+   i386_coreboot = kern/acpi.c;
+diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
+index 69574e2..90a5ca2 100644
+--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
+@@ -19,6 +19,7 @@
+ 
+ #include <grub/mm.h>
+ #include <grub/list.h>
+#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/extcmd.h>
+ #include <grub/script_sh.h>
+@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
+                                    summary, description, parser, 1);
+ }
+ 
+static grub_err_t
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+                      int argc __attribute__ ((unused)),
+                      char **argv __attribute__ ((unused)))
+{
+  return grub_error (GRUB_ERR_ACCESS_DENIED,
+                     N_("%s: the command is not allowed when lockdown is enforced"),
+                     ctxt->extcmd->cmd->name);
+}
+
+grub_extcmd_t
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
+                               grub_command_flags_t flags, const char *summary,
+                               const char *description,
+                               const struct grub_arg_option *parser)
+{
+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+    func = grub_extcmd_lockdown;
+
+  return grub_register_extcmd (name, func, flags, summary, description, parser);
+}
+
+ void
+ grub_unregister_extcmd (grub_extcmd_t ext)
+ {
+diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
+index acd7218..4aabcd4 100644
+--- a/grub-core/kern/command.c
+++ b/grub-core/kern/command.c
+@@ -17,6 +17,7 @@
+  *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+  */
+ 
+#include <grub/lockdown.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+ 
+@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
+   return cmd;
+ }
+ 
+static grub_err_t
+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
+                   int argc __attribute__ ((unused)),
+                   char **argv __attribute__ ((unused)))
+
+{
+  return grub_error (GRUB_ERR_ACCESS_DENIED,
+                     N_("%s: the command is not allowed when lockdown is enforced"),
+                     cmd->name);
+}
+
+grub_command_t
+grub_register_command_lockdown (const char *name,
+                                grub_command_func_t func,
+                                const char *summary,
+                                const char *description)
+{
+  if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+    func = grub_cmd_lockdown;
+
+  return grub_register_command_prio (name, func, summary, description, 0);
+}
+
+ void
+ grub_unregister_command (grub_command_t cmd)
+ {
+diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
+new file mode 100644
+index 0000000..1e56c0b
+--- /dev/null
+++ b/grub-core/kern/lockdown.c
+@@ -0,0 +1,80 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2020  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+#include <grub/dl.h>
+#include <grub/file.h>
+#include <grub/lockdown.h>
+#include <grub/verify.h>
+
+static int lockdown = GRUB_LOCKDOWN_DISABLED;
+
+static grub_err_t
+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
+                    enum grub_file_type type,
+                    void **context __attribute__ ((unused)),
+                    enum grub_verify_flags *flags)
+{
+  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+
+  switch (type & GRUB_FILE_TYPE_MASK)
+    {
+    case GRUB_FILE_TYPE_GRUB_MODULE:
+    case GRUB_FILE_TYPE_LINUX_KERNEL:
+    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
+    case GRUB_FILE_TYPE_XEN_HYPERVISOR:
+    case GRUB_FILE_TYPE_BSD_KERNEL:
+    case GRUB_FILE_TYPE_XNU_KERNEL:
+    case GRUB_FILE_TYPE_PLAN9_KERNEL:
+    case GRUB_FILE_TYPE_NTLDR:
+    case GRUB_FILE_TYPE_TRUECRYPT:
+    case GRUB_FILE_TYPE_FREEDOS:
+    case GRUB_FILE_TYPE_PXECHAINLOADER:
+    case GRUB_FILE_TYPE_PCCHAINLOADER:
+    case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
+    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
+    case GRUB_FILE_TYPE_ACPI_TABLE:
+    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+
+      /* Fall through. */
+
+    default:
+      return GRUB_ERR_NONE;
+    }
+}
+
+struct grub_file_verifier lockdown_verifier =
+  {
+    .name = "lockdown_verifier",
+    .init = lockdown_verifier_init,
+  };
+
+void
+grub_lockdown (void)
+{
+  lockdown = GRUB_LOCKDOWN_ENABLED;
+
+  grub_verifier_register (&lockdown_verifier);
+}
+
+int
+grub_is_lockdown (void)
+{
+  return lockdown;
+}
+diff --git a/include/grub/command.h b/include/grub/command.h
+index eee4e84..2a6f7f8 100644
+--- a/include/grub/command.h
+++ b/include/grub/command.h
+@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
+                                         const char *summary,
+                                         const char *description,
+                                         int prio);
+grub_command_t
+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
+                                             grub_command_func_t func,
+                                             const char *summary,
+                                             const char *description);
+ void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
+ 
+ static inline grub_command_t
+diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
+index 19fe592..fe9248b 100644
+--- a/include/grub/extcmd.h
+++ b/include/grub/extcmd.h
+@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
+                                                 const char *description,
+                                                 const struct grub_arg_option *parser);
+ 
+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
+                                                          grub_extcmd_func_t func,
+                                                          grub_command_flags_t flags,
+                                                          const char *summary,
+                                                          const char *description,
+                                                          const struct grub_arg_option *parser);
+
+ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
+                                                      grub_extcmd_func_t func,
+                                                      grub_command_flags_t flags,
+diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
+new file mode 100644
+index 0000000..40531fa
+--- /dev/null
+++ b/include/grub/lockdown.h
+@@ -0,0 +1,44 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2020  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_LOCKDOWN_H
+#define GRUB_LOCKDOWN_H 1
+
+#include <grub/symbol.h>
+
+#define GRUB_LOCKDOWN_DISABLED       0
+#define GRUB_LOCKDOWN_ENABLED        1
+
+#ifdef GRUB_MACHINE_EFI
+extern void
+EXPORT_FUNC (grub_lockdown) (void);
+extern int
+EXPORT_FUNC (grub_is_lockdown) (void);
+#else
+static inline void
+grub_lockdown (void)
+{
+}
+
+static inline int
+grub_is_lockdown (void)
+{
+  return GRUB_LOCKDOWN_DISABLED;
+}
+#endif
+#endif /* ! GRUB_LOCKDOWN_H */

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch new file mode 100644 index 0000000000..a98b5d0455 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch
@@ -0,0 +1,431 @@
	1	From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Mon, 28 Sep 2020 20:08:02 +0200
	4	Subject: [PATCH] kern: Add lockdown support
	5
	6	When the GRUB starts on a secure boot platform, some commands can be
	7	used to subvert the protections provided by the verification mechanism and
	8	could lead to booting untrusted system.
	9
	10	To prevent that situation, allow GRUB to be locked down. That way the code
	11	may check if GRUB has been locked down and further restrict the commands
	12	that are registered or what subset of their functionality could be used.
	13
	14	The lockdown support adds the following components:
	15
	16	* The grub_lockdown() function which can be used to lockdown GRUB if,
	17	e.g., UEFI Secure Boot is enabled.
	18
	19	* The grub_is_lockdown() function which can be used to check if the GRUB
	20	was locked down.
	21
	22	* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
	23	tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
	24	verifiers. These files are only successfully verified if another registered
	25	verifier returns success. Otherwise, the whole verification process fails.
	26
	27	For example, PE/COFF binaries verification can be done by the shim_lock
	28	verifier which validates the signatures using the shim_lock protocol.
	29	However, the verification is not deferred directly to the shim_lock verifier.
	30	The shim_lock verifier is hooked into the verification process instead.
	31
	32	* A set of grub_{command,extcmd}_lockdown functions that can be used by
	33	code registering command handlers, to only register unsafe commands if
	34	the GRUB has not been locked down.
	35
	36	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	37	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	38
	39	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc]
	40	CVE: CVE-2020-14372
	41	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	42	---
	43	conf/Makefile.common \| 2 +
	44	docs/grub-dev.texi \| 27 +++++++++++++
	45	docs/grub.texi \| 8 ++++
	46	grub-core/Makefile.am \| 5 ++-
	47	grub-core/Makefile.core.def \| 1 +
	48	grub-core/commands/extcmd.c \| 23 +++++++++++
	49	grub-core/kern/command.c \| 24 +++++++++++
	50	grub-core/kern/lockdown.c \| 80 +++++++++++++++++++++++++++++++++++++
	51	include/grub/command.h \| 5 +++
	52	include/grub/extcmd.h \| 7 ++++
	53	include/grub/lockdown.h \| 44 ++++++++++++++++++++
	54	11 files changed, 225 insertions(+), 1 deletion(-)
	55	create mode 100644 grub-core/kern/lockdown.c
	56	create mode 100644 include/grub/lockdown.h
	57
	58	diff --git a/conf/Makefile.common b/conf/Makefile.common
	59	index 6cd71cb..2a1a886 100644
	60	--- a/conf/Makefile.common
	61	+++ b/conf/Makefile.common
	62	@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
	63	CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
	64	CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
	65	CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
	66	+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
	67	CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
	68	+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
	69	CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
	70	CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
	71	CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
	72	diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
	73	index ee389fd..635ec72 100644
	74	--- a/docs/grub-dev.texi
	75	+++ b/docs/grub-dev.texi
	76	@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
	77	* PFF2 Font File Format::
	78	* Graphical Menu Software Design::
	79	* Verifiers framework::
	80	+* Lockdown framework::
	81	* Copying This Manual:: Copying This Manual
	82	* Index::
	83	@end menu
	84	@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
	85	the context. If you return no error during any of @samp{init}, @samp{write} and
	86	@samp{fini} then the file is considered as having succeded verification.
	87
	88	+@node Lockdown framework
	89	+@chapter Lockdown framework
	90	+
	91	+The GRUB can be locked down, which is a restricted mode where some operations
	92	+are not allowed. For instance, some commands cannot be used when the GRUB is
	93	+locked down.
	94	+
	95	+The function
	96	+@code{grub_lockdown()} is used to lockdown GRUB and the function
	97	+@code{grub_is_lockdown()} function can be used to check whether lockdown is
	98	+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
	99	+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
	100	+
	101	+The following functions can be used to register the commands that can only be
	102	+used when lockdown is disabled:
	103	+
	104	+@itemize
	105	+
	106	+@item @code{grub_cmd_lockdown()} registers command which should not run when the
	107	+GRUB is in lockdown mode.
	108	+
	109	+@item @code{grub_cmd_lockdown()} registers extended command which should not run
	110	+when the GRUB is in lockdown mode.
	111	+
	112	+@end itemize
	113	+
	114	@node Copying This Manual
	115	@appendix Copying This Manual
	116
	117	diff --git a/docs/grub.texi b/docs/grub.texi
	118	index 8779507..d778bfb 100644
	119	--- a/docs/grub.texi
	120	+++ b/docs/grub.texi
	121	@@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order.
	122	* Using digital signatures:: Booting digitally signed code
	123	* UEFI secure boot and shim:: Booting digitally signed PE files
	124	* Measured Boot:: Measuring boot components
	125	+* Lockdown:: Lockdown when booting on a secure setup
	126	@end menu
	127
	128	@node Authentication and authorisation
	129	@@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
	130
	131	Measured boot is currently only supported on EFI platforms.
	132
	133	+@node Lockdown
	134	+@section Lockdown when booting on a secure setup
	135	+
	136	+The GRUB can be locked down when booted on a secure boot environment, for example
	137	+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
	138	+be restricted and some operations/commands cannot be executed.
	139	+
	140	@node Platform limitations
	141	@chapter Platform limitations
	142
	143	diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
	144	index 375c30d..3096241 100644
	145	--- a/grub-core/Makefile.am
	146	+++ b/grub-core/Makefile.am
	147	@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
	148	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
	149	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
	150	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
	151	+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
	152	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
	153	if COND_emu
	154	KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
	155	@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
	156	b=`basename $$pp .marker`; \
	157	sed -n \
	158	-e "/EXTCOMMAND_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./*\1: $$b/;p;}" \
	159	+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./*\1: $$b/;p;}" \
	160	-e "/P1COMMAND_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./*\1: $$b/;p;}" \
	161	- -e "/COMMAND_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./\1: $$b/;p;}" $$pp; \
	162	+ -e "/COMMAND_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./\1: $$b/;p;}" \
	163	+ -e "/COMMAND_LOCKDOWN_LIST_MARKER ( \"/{s/.( \"\([^\"]\)\"./\1: $$b/;p;}" $$pp; \
	164	done) \| sort -u > $@
	165	platform_DATA += command.lst
	166	CLEANFILES += command.lst
	167	diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
	168	index cff02f2..651ea2a 100644
	169	--- a/grub-core/Makefile.core.def
	170	+++ b/grub-core/Makefile.core.def
	171	@@ -204,6 +204,7 @@ kernel = {
	172	efi = term/efi/console.c;
	173	efi = kern/acpi.c;
	174	efi = kern/efi/acpi.c;
	175	+ efi = kern/lockdown.c;
	176	i386_coreboot = kern/i386/pc/acpi.c;
	177	i386_multiboot = kern/i386/pc/acpi.c;
	178	i386_coreboot = kern/acpi.c;
	179	diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
	180	index 69574e2..90a5ca2 100644
	181	--- a/grub-core/commands/extcmd.c
	182	+++ b/grub-core/commands/extcmd.c
	183	@@ -19,6 +19,7 @@
	184
	185	#include <grub/mm.h>
	186	#include <grub/list.h>
	187	+#include <grub/lockdown.h>
	188	#include <grub/misc.h>
	189	#include <grub/extcmd.h>
	190	#include <grub/script_sh.h>
	191	@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
	192	summary, description, parser, 1);
	193	}
	194
	195	+static grub_err_t
	196	+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
	197	+ int argc __attribute__ ((unused)),
	198	+ char **argv __attribute__ ((unused)))
	199	+{
	200	+ return grub_error (GRUB_ERR_ACCESS_DENIED,
	201	+ N_("%s: the command is not allowed when lockdown is enforced"),
	202	+ ctxt->extcmd->cmd->name);
	203	+}
	204	+
	205	+grub_extcmd_t
	206	+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
	207	+ grub_command_flags_t flags, const char *summary,
	208	+ const char *description,
	209	+ const struct grub_arg_option *parser)
	210	+{
	211	+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
	212	+ func = grub_extcmd_lockdown;
	213	+
	214	+ return grub_register_extcmd (name, func, flags, summary, description, parser);
	215	+}
	216	+
	217	void
	218	grub_unregister_extcmd (grub_extcmd_t ext)
	219	{
	220	diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c
	221	index acd7218..4aabcd4 100644
	222	--- a/grub-core/kern/command.c
	223	+++ b/grub-core/kern/command.c
	224	@@ -17,6 +17,7 @@
	225	* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
	226	*/
	227
	228	+#include <grub/lockdown.h>
	229	#include <grub/mm.h>
	230	#include <grub/command.h>
	231
	232	@@ -77,6 +78,29 @@ grub_register_command_prio (const char *name,
	233	return cmd;
	234	}
	235
	236	+static grub_err_t
	237	+grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)),
	238	+ int argc __attribute__ ((unused)),
	239	+ char **argv __attribute__ ((unused)))
	240	+
	241	+{
	242	+ return grub_error (GRUB_ERR_ACCESS_DENIED,
	243	+ N_("%s: the command is not allowed when lockdown is enforced"),
	244	+ cmd->name);
	245	+}
	246	+
	247	+grub_command_t
	248	+grub_register_command_lockdown (const char *name,
	249	+ grub_command_func_t func,
	250	+ const char *summary,
	251	+ const char *description)
	252	+{
	253	+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
	254	+ func = grub_cmd_lockdown;
	255	+
	256	+ return grub_register_command_prio (name, func, summary, description, 0);
	257	+}
	258	+
	259	void
	260	grub_unregister_command (grub_command_t cmd)
	261	{
	262	diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
	263	new file mode 100644
	264	index 0000000..1e56c0b
	265	--- /dev/null
	266	+++ b/grub-core/kern/lockdown.c
	267	@@ -0,0 +1,80 @@
	268	+/*
	269	+ * GRUB -- GRand Unified Bootloader
	270	+ * Copyright (C) 2020 Free Software Foundation, Inc.
	271	+ *
	272	+ * GRUB is free software: you can redistribute it and/or modify
	273	+ * it under the terms of the GNU General Public License as published by
	274	+ * the Free Software Foundation, either version 3 of the License, or
	275	+ * (at your option) any later version.
	276	+ *
	277	+ * GRUB is distributed in the hope that it will be useful,
	278	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	279	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	280	+ * GNU General Public License for more details.
	281	+ *
	282	+ * You should have received a copy of the GNU General Public License
	283	+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
	284	+ *
	285	+ */
	286	+
	287	+#include <grub/dl.h>
	288	+#include <grub/file.h>
	289	+#include <grub/lockdown.h>
	290	+#include <grub/verify.h>
	291	+
	292	+static int lockdown = GRUB_LOCKDOWN_DISABLED;
	293	+
	294	+static grub_err_t
	295	+lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
	296	+ enum grub_file_type type,
	297	+ void **context __attribute__ ((unused)),
	298	+ enum grub_verify_flags *flags)
	299	+{
	300	+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
	301	+
	302	+ switch (type & GRUB_FILE_TYPE_MASK)
	303	+ {
	304	+ case GRUB_FILE_TYPE_GRUB_MODULE:
	305	+ case GRUB_FILE_TYPE_LINUX_KERNEL:
	306	+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
	307	+ case GRUB_FILE_TYPE_XEN_HYPERVISOR:
	308	+ case GRUB_FILE_TYPE_BSD_KERNEL:
	309	+ case GRUB_FILE_TYPE_XNU_KERNEL:
	310	+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
	311	+ case GRUB_FILE_TYPE_NTLDR:
	312	+ case GRUB_FILE_TYPE_TRUECRYPT:
	313	+ case GRUB_FILE_TYPE_FREEDOS:
	314	+ case GRUB_FILE_TYPE_PXECHAINLOADER:
	315	+ case GRUB_FILE_TYPE_PCCHAINLOADER:
	316	+ case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
	317	+ case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
	318	+ case GRUB_FILE_TYPE_ACPI_TABLE:
	319	+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
	320	+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
	321	+
	322	+ /* Fall through. */
	323	+
	324	+ default:
	325	+ return GRUB_ERR_NONE;
	326	+ }
	327	+}
	328	+
	329	+struct grub_file_verifier lockdown_verifier =
	330	+ {
	331	+ .name = "lockdown_verifier",
	332	+ .init = lockdown_verifier_init,
	333	+ };
	334	+
	335	+void
	336	+grub_lockdown (void)
	337	+{
	338	+ lockdown = GRUB_LOCKDOWN_ENABLED;
	339	+
	340	+ grub_verifier_register (&lockdown_verifier);
	341	+}
	342	+
	343	+int
	344	+grub_is_lockdown (void)
	345	+{
	346	+ return lockdown;
	347	+}
	348	diff --git a/include/grub/command.h b/include/grub/command.h
	349	index eee4e84..2a6f7f8 100644
	350	--- a/include/grub/command.h
	351	+++ b/include/grub/command.h
	352	@@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name,
	353	const char *summary,
	354	const char *description,
	355	int prio);
	356	+grub_command_t
	357	+EXPORT_FUNC(grub_register_command_lockdown) (const char *name,
	358	+ grub_command_func_t func,
	359	+ const char *summary,
	360	+ const char *description);
	361	void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd);
	362
	363	static inline grub_command_t
	364	diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h
	365	index 19fe592..fe9248b 100644
	366	--- a/include/grub/extcmd.h
	367	+++ b/include/grub/extcmd.h
	368	@@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name,
	369	const char *description,
	370	const struct grub_arg_option *parser);
	371
	372	+grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name,
	373	+ grub_extcmd_func_t func,
	374	+ grub_command_flags_t flags,
	375	+ const char *summary,
	376	+ const char *description,
	377	+ const struct grub_arg_option *parser);
	378	+
	379	grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name,
	380	grub_extcmd_func_t func,
	381	grub_command_flags_t flags,
	382	diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
	383	new file mode 100644
	384	index 0000000..40531fa
	385	--- /dev/null
	386	+++ b/include/grub/lockdown.h
	387	@@ -0,0 +1,44 @@
	388	+/*
	389	+ * GRUB -- GRand Unified Bootloader
	390	+ * Copyright (C) 2020 Free Software Foundation, Inc.
	391	+ *
	392	+ * GRUB is free software: you can redistribute it and/or modify
	393	+ * it under the terms of the GNU General Public License as published by
	394	+ * the Free Software Foundation, either version 3 of the License, or
	395	+ * (at your option) any later version.
	396	+ *
	397	+ * GRUB is distributed in the hope that it will be useful,
	398	+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
	399	+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	400	+ * GNU General Public License for more details.
	401	+ *
	402	+ * You should have received a copy of the GNU General Public License
	403	+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
	404	+ */
	405	+
	406	+#ifndef GRUB_LOCKDOWN_H
	407	+#define GRUB_LOCKDOWN_H 1
	408	+
	409	+#include <grub/symbol.h>
	410	+
	411	+#define GRUB_LOCKDOWN_DISABLED 0
	412	+#define GRUB_LOCKDOWN_ENABLED 1
	413	+
	414	+#ifdef GRUB_MACHINE_EFI
	415	+extern void
	416	+EXPORT_FUNC (grub_lockdown) (void);
	417	+extern int
	418	+EXPORT_FUNC (grub_is_lockdown) (void);
	419	+#else
	420	+static inline void
	421	+grub_lockdown (void)
	422	+{
	423	+}
	424	+
	425	+static inline int
	426	+grub_is_lockdown (void)
	427	+{
	428	+ return GRUB_LOCKDOWN_DISABLED;
	429	+}
	430	+#endif
	431	+#endif /* ! GRUB_LOCKDOWN_H */