diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch | 431 |
1 files changed, 431 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch new file mode 100644 index 0000000000..a98b5d0455 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch | |||
@@ -0,0 +1,431 @@ | |||
1 | From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:02 +0200 | ||
4 | Subject: [PATCH] kern: Add lockdown support | ||
5 | |||
6 | When the GRUB starts on a secure boot platform, some commands can be | ||
7 | used to subvert the protections provided by the verification mechanism and | ||
8 | could lead to booting untrusted system. | ||
9 | |||
10 | To prevent that situation, allow GRUB to be locked down. That way the code | ||
11 | may check if GRUB has been locked down and further restrict the commands | ||
12 | that are registered or what subset of their functionality could be used. | ||
13 | |||
14 | The lockdown support adds the following components: | ||
15 | |||
16 | * The grub_lockdown() function which can be used to lockdown GRUB if, | ||
17 | e.g., UEFI Secure Boot is enabled. | ||
18 | |||
19 | * The grub_is_lockdown() function which can be used to check if the GRUB | ||
20 | was locked down. | ||
21 | |||
22 | * A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI | ||
23 | tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other | ||
24 | verifiers. These files are only successfully verified if another registered | ||
25 | verifier returns success. Otherwise, the whole verification process fails. | ||
26 | |||
27 | For example, PE/COFF binaries verification can be done by the shim_lock | ||
28 | verifier which validates the signatures using the shim_lock protocol. | ||
29 | However, the verification is not deferred directly to the shim_lock verifier. | ||
30 | The shim_lock verifier is hooked into the verification process instead. | ||
31 | |||
32 | * A set of grub_{command,extcmd}_lockdown functions that can be used by | ||
33 | code registering command handlers, to only register unsafe commands if | ||
34 | the GRUB has not been locked down. | ||
35 | |||
36 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
37 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
38 | |||
39 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc] | ||
40 | CVE: CVE-2020-14372 | ||
41 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
42 | --- | ||
43 | conf/Makefile.common | 2 + | ||
44 | docs/grub-dev.texi | 27 +++++++++++++ | ||
45 | docs/grub.texi | 8 ++++ | ||
46 | grub-core/Makefile.am | 5 ++- | ||
47 | grub-core/Makefile.core.def | 1 + | ||
48 | grub-core/commands/extcmd.c | 23 +++++++++++ | ||
49 | grub-core/kern/command.c | 24 +++++++++++ | ||
50 | grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++ | ||
51 | include/grub/command.h | 5 +++ | ||
52 | include/grub/extcmd.h | 7 ++++ | ||
53 | include/grub/lockdown.h | 44 ++++++++++++++++++++ | ||
54 | 11 files changed, 225 insertions(+), 1 deletion(-) | ||
55 | create mode 100644 grub-core/kern/lockdown.c | ||
56 | create mode 100644 include/grub/lockdown.h | ||
57 | |||
58 | diff --git a/conf/Makefile.common b/conf/Makefile.common | ||
59 | index 6cd71cb..2a1a886 100644 | ||
60 | --- a/conf/Makefile.common | ||
61 | +++ b/conf/Makefile.common | ||
62 | @@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER | ||
63 | CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
64 | CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
65 | CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
66 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
67 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' | ||
68 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
69 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
70 | CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)' | ||
71 | CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ | ||
72 | diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi | ||
73 | index ee389fd..635ec72 100644 | ||
74 | --- a/docs/grub-dev.texi | ||
75 | +++ b/docs/grub-dev.texi | ||
76 | @@ -86,6 +86,7 @@ This edition documents version @value{VERSION}. | ||
77 | * PFF2 Font File Format:: | ||
78 | * Graphical Menu Software Design:: | ||
79 | * Verifiers framework:: | ||
80 | +* Lockdown framework:: | ||
81 | * Copying This Manual:: Copying This Manual | ||
82 | * Index:: | ||
83 | @end menu | ||
84 | @@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just | ||
85 | the context. If you return no error during any of @samp{init}, @samp{write} and | ||
86 | @samp{fini} then the file is considered as having succeded verification. | ||
87 | |||
88 | +@node Lockdown framework | ||
89 | +@chapter Lockdown framework | ||
90 | + | ||
91 | +The GRUB can be locked down, which is a restricted mode where some operations | ||
92 | +are not allowed. For instance, some commands cannot be used when the GRUB is | ||
93 | +locked down. | ||
94 | + | ||
95 | +The function | ||
96 | +@code{grub_lockdown()} is used to lockdown GRUB and the function | ||
97 | +@code{grub_is_lockdown()} function can be used to check whether lockdown is | ||
98 | +enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED} | ||
99 | +and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled. | ||
100 | + | ||
101 | +The following functions can be used to register the commands that can only be | ||
102 | +used when lockdown is disabled: | ||
103 | + | ||
104 | +@itemize | ||
105 | + | ||
106 | +@item @code{grub_cmd_lockdown()} registers command which should not run when the | ||
107 | +GRUB is in lockdown mode. | ||
108 | + | ||
109 | +@item @code{grub_cmd_lockdown()} registers extended command which should not run | ||
110 | +when the GRUB is in lockdown mode. | ||
111 | + | ||
112 | +@end itemize | ||
113 | + | ||
114 | @node Copying This Manual | ||
115 | @appendix Copying This Manual | ||
116 | |||
117 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
118 | index 8779507..d778bfb 100644 | ||
119 | --- a/docs/grub.texi | ||
120 | +++ b/docs/grub.texi | ||
121 | @@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order. | ||
122 | * Using digital signatures:: Booting digitally signed code | ||
123 | * UEFI secure boot and shim:: Booting digitally signed PE files | ||
124 | * Measured Boot:: Measuring boot components | ||
125 | +* Lockdown:: Lockdown when booting on a secure setup | ||
126 | @end menu | ||
127 | |||
128 | @node Authentication and authorisation | ||
129 | @@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between | ||
130 | |||
131 | Measured boot is currently only supported on EFI platforms. | ||
132 | |||
133 | +@node Lockdown | ||
134 | +@section Lockdown when booting on a secure setup | ||
135 | + | ||
136 | +The GRUB can be locked down when booted on a secure boot environment, for example | ||
137 | +if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
138 | +be restricted and some operations/commands cannot be executed. | ||
139 | + | ||
140 | @node Platform limitations | ||
141 | @chapter Platform limitations | ||
142 | |||
143 | diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am | ||
144 | index 375c30d..3096241 100644 | ||
145 | --- a/grub-core/Makefile.am | ||
146 | +++ b/grub-core/Makefile.am | ||
147 | @@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h | ||
148 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h | ||
149 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h | ||
150 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h | ||
151 | +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h | ||
152 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h | ||
153 | if COND_emu | ||
154 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h | ||
155 | @@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES) | ||
156 | b=`basename $$pp .marker`; \ | ||
157 | sed -n \ | ||
158 | -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
159 | + -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
160 | -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
161 | - -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
162 | + -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ | ||
163 | + -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
164 | done) | sort -u > $@ | ||
165 | platform_DATA += command.lst | ||
166 | CLEANFILES += command.lst | ||
167 | diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def | ||
168 | index cff02f2..651ea2a 100644 | ||
169 | --- a/grub-core/Makefile.core.def | ||
170 | +++ b/grub-core/Makefile.core.def | ||
171 | @@ -204,6 +204,7 @@ kernel = { | ||
172 | efi = term/efi/console.c; | ||
173 | efi = kern/acpi.c; | ||
174 | efi = kern/efi/acpi.c; | ||
175 | + efi = kern/lockdown.c; | ||
176 | i386_coreboot = kern/i386/pc/acpi.c; | ||
177 | i386_multiboot = kern/i386/pc/acpi.c; | ||
178 | i386_coreboot = kern/acpi.c; | ||
179 | diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c | ||
180 | index 69574e2..90a5ca2 100644 | ||
181 | --- a/grub-core/commands/extcmd.c | ||
182 | +++ b/grub-core/commands/extcmd.c | ||
183 | @@ -19,6 +19,7 @@ | ||
184 | |||
185 | #include <grub/mm.h> | ||
186 | #include <grub/list.h> | ||
187 | +#include <grub/lockdown.h> | ||
188 | #include <grub/misc.h> | ||
189 | #include <grub/extcmd.h> | ||
190 | #include <grub/script_sh.h> | ||
191 | @@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func, | ||
192 | summary, description, parser, 1); | ||
193 | } | ||
194 | |||
195 | +static grub_err_t | ||
196 | +grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)), | ||
197 | + int argc __attribute__ ((unused)), | ||
198 | + char **argv __attribute__ ((unused))) | ||
199 | +{ | ||
200 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
201 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
202 | + ctxt->extcmd->cmd->name); | ||
203 | +} | ||
204 | + | ||
205 | +grub_extcmd_t | ||
206 | +grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func, | ||
207 | + grub_command_flags_t flags, const char *summary, | ||
208 | + const char *description, | ||
209 | + const struct grub_arg_option *parser) | ||
210 | +{ | ||
211 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
212 | + func = grub_extcmd_lockdown; | ||
213 | + | ||
214 | + return grub_register_extcmd (name, func, flags, summary, description, parser); | ||
215 | +} | ||
216 | + | ||
217 | void | ||
218 | grub_unregister_extcmd (grub_extcmd_t ext) | ||
219 | { | ||
220 | diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c | ||
221 | index acd7218..4aabcd4 100644 | ||
222 | --- a/grub-core/kern/command.c | ||
223 | +++ b/grub-core/kern/command.c | ||
224 | @@ -17,6 +17,7 @@ | ||
225 | * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
226 | */ | ||
227 | |||
228 | +#include <grub/lockdown.h> | ||
229 | #include <grub/mm.h> | ||
230 | #include <grub/command.h> | ||
231 | |||
232 | @@ -77,6 +78,29 @@ grub_register_command_prio (const char *name, | ||
233 | return cmd; | ||
234 | } | ||
235 | |||
236 | +static grub_err_t | ||
237 | +grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)), | ||
238 | + int argc __attribute__ ((unused)), | ||
239 | + char **argv __attribute__ ((unused))) | ||
240 | + | ||
241 | +{ | ||
242 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
243 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
244 | + cmd->name); | ||
245 | +} | ||
246 | + | ||
247 | +grub_command_t | ||
248 | +grub_register_command_lockdown (const char *name, | ||
249 | + grub_command_func_t func, | ||
250 | + const char *summary, | ||
251 | + const char *description) | ||
252 | +{ | ||
253 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
254 | + func = grub_cmd_lockdown; | ||
255 | + | ||
256 | + return grub_register_command_prio (name, func, summary, description, 0); | ||
257 | +} | ||
258 | + | ||
259 | void | ||
260 | grub_unregister_command (grub_command_t cmd) | ||
261 | { | ||
262 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
263 | new file mode 100644 | ||
264 | index 0000000..1e56c0b | ||
265 | --- /dev/null | ||
266 | +++ b/grub-core/kern/lockdown.c | ||
267 | @@ -0,0 +1,80 @@ | ||
268 | +/* | ||
269 | + * GRUB -- GRand Unified Bootloader | ||
270 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
271 | + * | ||
272 | + * GRUB is free software: you can redistribute it and/or modify | ||
273 | + * it under the terms of the GNU General Public License as published by | ||
274 | + * the Free Software Foundation, either version 3 of the License, or | ||
275 | + * (at your option) any later version. | ||
276 | + * | ||
277 | + * GRUB is distributed in the hope that it will be useful, | ||
278 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
279 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
280 | + * GNU General Public License for more details. | ||
281 | + * | ||
282 | + * You should have received a copy of the GNU General Public License | ||
283 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
284 | + * | ||
285 | + */ | ||
286 | + | ||
287 | +#include <grub/dl.h> | ||
288 | +#include <grub/file.h> | ||
289 | +#include <grub/lockdown.h> | ||
290 | +#include <grub/verify.h> | ||
291 | + | ||
292 | +static int lockdown = GRUB_LOCKDOWN_DISABLED; | ||
293 | + | ||
294 | +static grub_err_t | ||
295 | +lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), | ||
296 | + enum grub_file_type type, | ||
297 | + void **context __attribute__ ((unused)), | ||
298 | + enum grub_verify_flags *flags) | ||
299 | +{ | ||
300 | + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; | ||
301 | + | ||
302 | + switch (type & GRUB_FILE_TYPE_MASK) | ||
303 | + { | ||
304 | + case GRUB_FILE_TYPE_GRUB_MODULE: | ||
305 | + case GRUB_FILE_TYPE_LINUX_KERNEL: | ||
306 | + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: | ||
307 | + case GRUB_FILE_TYPE_XEN_HYPERVISOR: | ||
308 | + case GRUB_FILE_TYPE_BSD_KERNEL: | ||
309 | + case GRUB_FILE_TYPE_XNU_KERNEL: | ||
310 | + case GRUB_FILE_TYPE_PLAN9_KERNEL: | ||
311 | + case GRUB_FILE_TYPE_NTLDR: | ||
312 | + case GRUB_FILE_TYPE_TRUECRYPT: | ||
313 | + case GRUB_FILE_TYPE_FREEDOS: | ||
314 | + case GRUB_FILE_TYPE_PXECHAINLOADER: | ||
315 | + case GRUB_FILE_TYPE_PCCHAINLOADER: | ||
316 | + case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: | ||
317 | + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: | ||
318 | + case GRUB_FILE_TYPE_ACPI_TABLE: | ||
319 | + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: | ||
320 | + *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; | ||
321 | + | ||
322 | + /* Fall through. */ | ||
323 | + | ||
324 | + default: | ||
325 | + return GRUB_ERR_NONE; | ||
326 | + } | ||
327 | +} | ||
328 | + | ||
329 | +struct grub_file_verifier lockdown_verifier = | ||
330 | + { | ||
331 | + .name = "lockdown_verifier", | ||
332 | + .init = lockdown_verifier_init, | ||
333 | + }; | ||
334 | + | ||
335 | +void | ||
336 | +grub_lockdown (void) | ||
337 | +{ | ||
338 | + lockdown = GRUB_LOCKDOWN_ENABLED; | ||
339 | + | ||
340 | + grub_verifier_register (&lockdown_verifier); | ||
341 | +} | ||
342 | + | ||
343 | +int | ||
344 | +grub_is_lockdown (void) | ||
345 | +{ | ||
346 | + return lockdown; | ||
347 | +} | ||
348 | diff --git a/include/grub/command.h b/include/grub/command.h | ||
349 | index eee4e84..2a6f7f8 100644 | ||
350 | --- a/include/grub/command.h | ||
351 | +++ b/include/grub/command.h | ||
352 | @@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name, | ||
353 | const char *summary, | ||
354 | const char *description, | ||
355 | int prio); | ||
356 | +grub_command_t | ||
357 | +EXPORT_FUNC(grub_register_command_lockdown) (const char *name, | ||
358 | + grub_command_func_t func, | ||
359 | + const char *summary, | ||
360 | + const char *description); | ||
361 | void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd); | ||
362 | |||
363 | static inline grub_command_t | ||
364 | diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h | ||
365 | index 19fe592..fe9248b 100644 | ||
366 | --- a/include/grub/extcmd.h | ||
367 | +++ b/include/grub/extcmd.h | ||
368 | @@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name, | ||
369 | const char *description, | ||
370 | const struct grub_arg_option *parser); | ||
371 | |||
372 | +grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name, | ||
373 | + grub_extcmd_func_t func, | ||
374 | + grub_command_flags_t flags, | ||
375 | + const char *summary, | ||
376 | + const char *description, | ||
377 | + const struct grub_arg_option *parser); | ||
378 | + | ||
379 | grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name, | ||
380 | grub_extcmd_func_t func, | ||
381 | grub_command_flags_t flags, | ||
382 | diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h | ||
383 | new file mode 100644 | ||
384 | index 0000000..40531fa | ||
385 | --- /dev/null | ||
386 | +++ b/include/grub/lockdown.h | ||
387 | @@ -0,0 +1,44 @@ | ||
388 | +/* | ||
389 | + * GRUB -- GRand Unified Bootloader | ||
390 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
391 | + * | ||
392 | + * GRUB is free software: you can redistribute it and/or modify | ||
393 | + * it under the terms of the GNU General Public License as published by | ||
394 | + * the Free Software Foundation, either version 3 of the License, or | ||
395 | + * (at your option) any later version. | ||
396 | + * | ||
397 | + * GRUB is distributed in the hope that it will be useful, | ||
398 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
399 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
400 | + * GNU General Public License for more details. | ||
401 | + * | ||
402 | + * You should have received a copy of the GNU General Public License | ||
403 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
404 | + */ | ||
405 | + | ||
406 | +#ifndef GRUB_LOCKDOWN_H | ||
407 | +#define GRUB_LOCKDOWN_H 1 | ||
408 | + | ||
409 | +#include <grub/symbol.h> | ||
410 | + | ||
411 | +#define GRUB_LOCKDOWN_DISABLED 0 | ||
412 | +#define GRUB_LOCKDOWN_ENABLED 1 | ||
413 | + | ||
414 | +#ifdef GRUB_MACHINE_EFI | ||
415 | +extern void | ||
416 | +EXPORT_FUNC (grub_lockdown) (void); | ||
417 | +extern int | ||
418 | +EXPORT_FUNC (grub_is_lockdown) (void); | ||
419 | +#else | ||
420 | +static inline void | ||
421 | +grub_lockdown (void) | ||
422 | +{ | ||
423 | +} | ||
424 | + | ||
425 | +static inline int | ||
426 | +grub_is_lockdown (void) | ||
427 | +{ | ||
428 | + return GRUB_LOCKDOWN_DISABLED; | ||
429 | +} | ||
430 | +#endif | ||
431 | +#endif /* ! GRUB_LOCKDOWN_H */ | ||