git.ipfire.org Git - thirdparty/grub.git/commit
powerpc/ieee1275: Enter lockdown based on /ibm, secure-boot
author Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Mon, 6 Oct 2025 07:24:54 +0000 (12:54 +0530)
committer Daniel Kiper <daniel.kiper@oracle.com>
Sat, 11 Oct 2025 13:36:37 +0000 (15:36 +0200)
commit f8e8779d8e2bd30c990ed3551d0e170064ea1863
tree 516ebaf269bbc812a2b40af4bb12848fdbb38422
parent e95c52f1f48baf98cb64a204b681bee23265099f
powerpc/ieee1275: Enter lockdown based on /ibm, secure-boot

Read secure boot mode from 'ibm,secure-boot' property and if the secure boot
mode is set to 2 (enforce), enter lockdown. Else it is considered as disabled.
There are three secure boot modes. They are:

0 - disabled
     No signature verification is performed. This is the default.
1 - audit
     Signature verification is performed and if signature verification fails,
     display the errors and allow the boot to continue.
2 - enforce
     Lockdown the GRUB. Signature verification is performed and if signature
     verification fails, display the errors and stop the boot.

Now, only disabled and enforce are supported.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
docs/grub.texi
grub-core/Makefile.core.def
grub-core/kern/ieee1275/init.c
include/grub/lockdown.h
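
The mode-to-lockdown decision described in the commit message, as an added example; it is not code from this commit or from GRUB. The type and function names (`sb_policy`, `sb_decode_cell`, `sb_policy_from_property`) are hypothetical, and the example assumes the `ibm,secure-boot` property is a single 32-bit cell in Open Firmware's big-endian encoding.

```c
#include <stddef.h>
#include <stdint.h>

/* The three modes listed in the commit message. */
enum sb_mode { SB_DISABLED = 0, SB_AUDIT = 1, SB_ENFORCE = 2 };

/* Hypothetical result type, used by this example only. */
struct sb_policy {
  enum sb_mode effective;  /* mode actually applied */
  int lockdown;            /* 1: enter lockdown */
  int verify;              /* 1: perform signature verification */
  int halt_on_failure;     /* 1: stop the boot when verification fails */
};

/* Decode one 32-bit property cell (assumption: exactly one big-endian cell).
   Returns -1 when the property is absent or has any other length. */
static int64_t
sb_decode_cell (const unsigned char *prop, size_t len)
{
  if (prop == NULL || len != 4)
    return -1;
  return ((int64_t) prop[0] << 24) | ((int64_t) prop[1] << 16)
         | ((int64_t) prop[2] << 8) | (int64_t) prop[3];
}

/* Map the raw property to a policy. Following the commit message, only
   disabled and enforce are supported: audit (1), unknown values and a
   missing or malformed property are all treated as disabled. */
struct sb_policy
sb_policy_from_property (const unsigned char *prop, size_t len)
{
  struct sb_policy p = { SB_DISABLED, 0, 0, 0 };

  if (sb_decode_cell (prop, len) == SB_ENFORCE)
    {
      p.effective = SB_ENFORCE;
      p.lockdown = 1;
      p.verify = 1;
      p.halt_on_failure = 1;
    }
  return p;
}
```

Because every value other than 2 resolves to disabled, a firmware that reports audit mode gets no signature verification under this mapping.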