kern/lockdown: Set a variable if the GRUB is locked down

It may be useful for scripts to determine whether the GRUB is locked
down or not. Add the lockdown variable which is set to "y" when the GRUB
is locked down.

Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>

diff --git a/docs/grub.texi b/docs/grub.texi
index fd3c78054e2ac54a3a5f2949873ba206d76076cd..4c980d356d134d160932fb56bad763cefddbaef2 100644 (file)
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5966,6 +5966,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
 if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
 be restricted and some operations/commands cannot be executed.
 
+The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
+Otherwise it does not exit.
+
 @node Platform limitations
 @chapter Platform limitations
 

diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index 1e56c0b8014ddba7f2dd7ccfcc258a1bff8df81d..0bc70fd42d60987d5564018a9d3e6ea61c9aecdc 100644 (file)
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -18,6 +18,7 @@
  */
 
 #include <grub/dl.h>
+#include <grub/env.h>
 #include <grub/file.h>
 #include <grub/lockdown.h>
 #include <grub/verify.h>
@@ -71,6 +72,9 @@ grub_lockdown (void)
   lockdown = GRUB_LOCKDOWN_ENABLED;
 
   grub_verifier_register (&lockdown_verifier);
+
+  grub_env_set ("lockdown", "y");
+  grub_env_export ("lockdown");
 }
 
 int