diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch new file mode 100644 index 0000000000..93fdd2cb1a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Tue, 2 Feb 2021 19:59:48 +0100 | ||
4 | Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down | ||
5 | |||
6 | It may be useful for scripts to determine whether the GRUB is locked | ||
7 | down or not. Add the lockdown variable which is set to "y" when the GRUB | ||
8 | is locked down. | ||
9 | |||
10 | Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
11 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
12 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
13 | |||
14 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908] | ||
15 | CVE: CVE-2020-14372 | ||
16 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
17 | --- | ||
18 | docs/grub.texi | 3 +++ | ||
19 | grub-core/kern/lockdown.c | 4 ++++ | ||
20 | 2 files changed, 7 insertions(+) | ||
21 | |||
22 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
23 | index d778bfb..5e6cace 100644 | ||
24 | --- a/docs/grub.texi | ||
25 | +++ b/docs/grub.texi | ||
26 | @@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl | ||
27 | if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
28 | be restricted and some operations/commands cannot be executed. | ||
29 | |||
30 | +The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. | ||
31 | +Otherwise it does not exit. | ||
32 | + | ||
33 | @node Platform limitations | ||
34 | @chapter Platform limitations | ||
35 | |||
36 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
37 | index 1e56c0b..0bc70fd 100644 | ||
38 | --- a/grub-core/kern/lockdown.c | ||
39 | +++ b/grub-core/kern/lockdown.c | ||
40 | @@ -18,6 +18,7 @@ | ||
41 | */ | ||
42 | |||
43 | #include <grub/dl.h> | ||
44 | +#include <grub/env.h> | ||
45 | #include <grub/file.h> | ||
46 | #include <grub/lockdown.h> | ||
47 | #include <grub/verify.h> | ||
48 | @@ -71,6 +72,9 @@ grub_lockdown (void) | ||
49 | lockdown = GRUB_LOCKDOWN_ENABLED; | ||
50 | |||
51 | grub_verifier_register (&lockdown_verifier); | ||
52 | + | ||
53 | + grub_env_set ("lockdown", "y"); | ||
54 | + grub_env_export ("lockdown"); | ||
55 | } | ||
56 | |||
57 | int | ||