Also, if you specify a reserved or unimplemented MSR address, it will
cause a general protection exception (which is not currently being handled)
and the system will reboot.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This is done to prevent subverting various security mechanisms.
@end deffn
@node xen_hypervisor
is built into the @file{core.img} and is registered if the UEFI secure boot is
enabled.
-All modules not stored in the @file{core.img} and the ACPI tables for the
-@command{acpi} command have to be signed, e.g. using PGP. Additionally, the
-@command{iorw}, the @command{memrw} and the @command{wrmsr} commands are
-prohibited if the UEFI secure boot is enabled. This is done due to
-security reasons. All above mentioned requirements are enforced by the
-shim_lock verifier logic.
+All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
+Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
+that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
+and @command{memrw} will not be available when the UEFI secure boot is enabled.
+This is done for security reasons and are enforced by the GRUB Lockdown mechanism
+(@pxref{Lockdown}).
@node Measured Boot
@section Measuring boot components
#include <grub/env.h>
#include <grub/command.h>
#include <grub/extcmd.h>
+#include <grub/lockdown.h>
#include <grub/i18n.h>
#include <grub/i386/cpuid.h>
#include <grub/i386/wrmsr.h>
GRUB_MOD_INIT(wrmsr)
{
- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
- N_("Write a value to a CPU model specific register."));
+ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+ N_("Write a value to a CPU model specific register."));
}
GRUB_MOD_FINI(wrmsr)
#include <grub/env.h>
#include <grub/cpu/io.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
N_("PORT"), N_("Read 32-bit value from PORT."),
options);
cmd_write_byte =
- grub_register_command ("outb", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 8-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outb", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 8-bit VALUE to PORT."));
cmd_write_word =
- grub_register_command ("outw", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 16-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outw", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 16-bit VALUE to PORT."));
cmd_write_dword =
- grub_register_command ("outl", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outl", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to PORT."));
}
GRUB_MOD_FINI(memrw)
#include <grub/extcmd.h>
#include <grub/env.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
N_("ADDR"), N_("Read 32-bit value from ADDR."),
options);
cmd_write_byte =
- grub_register_command ("write_byte", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 8-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_byte", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 8-bit VALUE to ADDR."));
cmd_write_word =
- grub_register_command ("write_word", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 16-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_word", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 16-bit VALUE to ADDR."));
cmd_write_dword =
- grub_register_command ("write_dword", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_dword", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to ADDR."));
}
GRUB_MOD_FINI(memrw)
static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
-/* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */
-static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL};
-
/*
* Determine whether we're in secure boot mode.
*
void **context __attribute__ ((unused)),
enum grub_verify_flags *flags)
{
- const char *b, *e;
- int i;
-
*flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
switch (type & GRUB_FILE_TYPE_MASK)
{
- case GRUB_FILE_TYPE_GRUB_MODULE:
- /* Establish GRUB module name. */
- b = grub_strrchr (io->name, '/');
- e = grub_strrchr (io->name, '.');
-
- b = b ? (b + 1) : io->name;
- e = e ? e : io->name + grub_strlen (io->name);
- e = (e > b) ? e : io->name + grub_strlen (io->name);
-
- for (i = 0; disabled_mods[i]; i++)
- if (!grub_strncmp (b, disabled_mods[i], grub_strlen (b) - grub_strlen (e)))
- {
- grub_error (GRUB_ERR_ACCESS_DENIED,
- N_("module cannot be loaded in UEFI secure boot mode: %s"),
- io->name);
- return GRUB_ERR_ACCESS_DENIED;
- }
-
- /* Fall through. */
-
- case GRUB_FILE_TYPE_ACPI_TABLE:
- case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
-
- return GRUB_ERR_NONE;
-
case GRUB_FILE_TYPE_LINUX_KERNEL:
case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
case GRUB_FILE_TYPE_BSD_KERNEL:
case GRUB_FILE_TYPE_XNU_KERNEL:
case GRUB_FILE_TYPE_PLAN9_KERNEL:
- for (i = 0; disabled_mods[i]; i++)
- if (grub_dl_get (disabled_mods[i]))
- {
- grub_error (GRUB_ERR_ACCESS_DENIED,
- N_("cannot boot due to dangerous module in memory: %s"),
- disabled_mods[i]);
- return GRUB_ERR_ACCESS_DENIED;
- }
-
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
/* Fall through. */
projects / thirdparty / grub.git / commitdiff
