46 lines
1.7 KiB
Diff
46 lines
1.7 KiB
Diff
From b2c4515a832f82a4fe4ee8d32faa16b48de63d12 Mon Sep 17 00:00:00 2001
|
|
From: Luca Boccassi <bluca@debian.org>
|
|
Date: Tue, 15 May 2018 11:36:46 +0100
|
|
Subject: Do not overwrite sentinel byte in boot_params, breaks lockdown
|
|
|
|
grub currently copies the entire boot_params, which includes setting
|
|
sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
|
|
which in turn clears various boot_params variables, including the
|
|
indication that the bootloader chain is verified and thus the kernel
|
|
disables lockdown mode. According to the information on the Fedora bug
|
|
tracker, only the information from byte 0x1f1 is necessary, so start
|
|
copying from there instead.
|
|
|
|
Author: Luca Boccassi <bluca@debian.org>
|
|
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
|
|
Forwarded: no
|
|
|
|
Patch-Name: fix-lockdown.patch
|
|
---
|
|
grub-core/loader/i386/efi/linux.c | 5 ++++-
|
|
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
index 45b68c05a..532e4e512 100644
|
|
--- a/grub-core/loader/i386/efi/linux.c
|
|
+++ b/grub-core/loader/i386/efi/linux.c
|
|
@@ -29,6 +29,7 @@
|
|
#include <grub/linux.h>
|
|
#include <grub/efi/efi.h>
|
|
#include <grub/efi/sb.h>
|
|
+#include <stddef.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -336,7 +337,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
|
|
}
|
|
|
|
- grub_memcpy (params, &lh, 2 * 512);
|
|
+ /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */
|
|
+ start = offsetof (struct linux_kernel_params, setup_sects);
|
|
+ grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);
|
|
|
|
params->type_of_loader = 0x21;
|
|
|