diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch')
| -rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch new file mode 100644 index 0000000000..93fdd2cb1a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | |||
| @@ -0,0 +1,57 @@ | |||
| 1 | From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
| 3 | Date: Tue, 2 Feb 2021 19:59:48 +0100 | ||
| 4 | Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down | ||
| 5 | |||
| 6 | It may be useful for scripts to determine whether the GRUB is locked | ||
| 7 | down or not. Add the lockdown variable which is set to "y" when the GRUB | ||
| 8 | is locked down. | ||
| 9 | |||
| 10 | Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
| 11 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
| 12 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
| 13 | |||
| 14 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908] | ||
| 15 | CVE: CVE-2020-14372 | ||
| 16 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
| 17 | --- | ||
| 18 | docs/grub.texi | 3 +++ | ||
| 19 | grub-core/kern/lockdown.c | 4 ++++ | ||
| 20 | 2 files changed, 7 insertions(+) | ||
| 21 | |||
| 22 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
| 23 | index d778bfb..5e6cace 100644 | ||
| 24 | --- a/docs/grub.texi | ||
| 25 | +++ b/docs/grub.texi | ||
| 26 | @@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl | ||
| 27 | if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
| 28 | be restricted and some operations/commands cannot be executed. | ||
| 29 | |||
| 30 | +The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. | ||
| 31 | +Otherwise it does not exit. | ||
| 32 | + | ||
| 33 | @node Platform limitations | ||
| 34 | @chapter Platform limitations | ||
| 35 | |||
| 36 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
| 37 | index 1e56c0b..0bc70fd 100644 | ||
| 38 | --- a/grub-core/kern/lockdown.c | ||
| 39 | +++ b/grub-core/kern/lockdown.c | ||
| 40 | @@ -18,6 +18,7 @@ | ||
| 41 | */ | ||
| 42 | |||
| 43 | #include <grub/dl.h> | ||
| 44 | +#include <grub/env.h> | ||
| 45 | #include <grub/file.h> | ||
| 46 | #include <grub/lockdown.h> | ||
| 47 | #include <grub/verify.h> | ||
| 48 | @@ -71,6 +72,9 @@ grub_lockdown (void) | ||
| 49 | lockdown = GRUB_LOCKDOWN_ENABLED; | ||
| 50 | |||
| 51 | grub_verifier_register (&lockdown_verifier); | ||
| 52 | + | ||
| 53 | + grub_env_set ("lockdown", "y"); | ||
| 54 | + grub_env_export ("lockdown"); | ||
| 55 | } | ||
| 56 | |||
| 57 | int | ||