From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy
Date: Mon, 6 Oct 2025 12:54:54 +0530
Subject: [PATCH] powerpc/ieee1275: Enter lockdown based on /ibm, secure-boot
Read secure boot mode from 'ibm,secure-boot' property and if the secure boot mode is set to 2 (enforce), enter lockdown. Else it is considered as disabled. There are three secure boot modes. They are 0 - disabled No signature verification is performed. This is the default. 1 - audit Signature verification is performed and if signature verification fails, display the errors and allow the boot to continue. 2 - enforce Lockdown the GRUB. Signature verification is performed and if signature verification fails, display the errors and stop the boot. Now, only support disabled and enforce.
Signed-off-by: Daniel Axtens
Signed-off-by: Sudhakar Kuppusamy
Reviewed-by: Stefan Berger
Reviewed-by: Avnish Chouhan
Reviewed-by: Daniel Kiper
---
 grub-core/kern/ieee1275/init.c | 56 +++++++++++++++++++++++++++++++-----------
 1 file changed, 42 insertions(+), 14 deletions(-)
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index 482cad2..0c587d3 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -49,7 +49,14 @@
 #if defined(__powerpc__) || defined(__i386__)
 #include
 #endif
+#if defined(__powerpc__)
 #include
+#endif
+
+#ifdef __powerpc__
+#define GRUB_SB_DISABLED ((grub_uint32_t) 0)
+#define GRUB_SB_ENFORCE ((grub_uint32_t) 2)
+#endif
 /* The maximum heap size we're going to claim. Not used by sparc. */
 #ifdef __i386__
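Review bot: Only `GRUB_SB_DISABLED` and `GRUB_SB_ENFORCE` are given names here, although the commit message documents three modes. A third constant, for example `#define GRUB_SB_AUDIT ((grub_uint32_t) 1)`, would let the mode check name every documented value instead of folding audit into an else branch. The two adjacent guards also spell the same condition differently (`#if defined(__powerpc__)` around the include, `#ifdef __powerpc__` around the macros) and could be one block.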
@@ -1009,30 +1016,49 @@ grub_parse_cmdline (void)
 }
 }
+#ifdef __powerpc__
 static void
-grub_get_ieee1275_secure_boot (void)
+grub_ieee1275_get_secure_boot (void)
 {
 grub_ieee1275_phandle_t root;
- int rc;
- grub_uint32_t is_sb;
+ grub_uint32_t sb_mode = GRUB_SB_DISABLED;
+ grub_int32_t rc;
- grub_ieee1275_finddevice ("/", &root);
+ rc = grub_ieee1275_finddevice ("/", &root);
+ if (rc != 0)
+ {
+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't find / node");
+ return;
+ }
- rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
- sizeof (is_sb), 0);
-
- /* ibm,secure-boot:
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &sb_mode, sizeof (sb_mode), 0);
+ if (rc != 0)
+ {
+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /ibm,secure-boot property");
+ return;
+ }
+ /*
+ * Secure Boot Mode:
 * 0 - disabled
+ * No signature verification is performed. This is the default.
 * 1 - audit
+ * Signature verification is performed and if signature verification
+ * fails, display the errors and allow the boot to continue.
 * 2 - enforce
- * 3 - enforce + OS-specific behaviour
+ * Lockdown the GRUB. Signature verification is performed and If
+ * signature verification fails, display the errors and stop the boot.
 *
- * We only support enforce.
+ * Now, only support disabled and enforce.
 */
- if (rc >= 0 && is_sb >= 2)
- grub_lockdown ();
+ if (sb_mode == GRUB_SB_ENFORCE)
+ {
+ grub_dprintf ("ieee1275", "Secure Boot Enabled\n");
+ grub_lockdown ();
+ }
+ else
+ grub_dprintf ("ieee1275", "Secure Boot Disabled\n");
 }
-
+#endif /* __powerpc__ */
 grub_addr_t grub_modbase;
 void
@@ -1059,7 +1085,9 @@ grub_machine_init (void)
 grub_install_get_time_ms (grub_rtc_get_time_ms);
 #endif
- grub_get_ieee1275_secure_boot ();
+#ifdef __powerpc__
+ grub_ieee1275_get_secure_boot ();
+#endif
 }
 void
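Review bot: The new test `if (sb_mode == GRUB_SB_ENFORCE)` enters lockdown only when the property is exactly 2, whereas the removed `is_sb >= 2` also covered 3, which the deleted comment line documented as "enforce + OS-specific behaviour". If firmware can still report 3 or a larger value (not visible from this patch), such a machine now takes the else branch, skips `grub_lockdown ()` and logs "Secure Boot Disabled", so a stricter firmware setting yields the weaker GRUB behaviour. Keeping the range check, `if (sb_mode >= GRUB_SB_ENFORCE)`, preserves the previous handling of higher values. The else-branch message would be more accurate if it printed the raw `sb_mode`, since audit (1) is also reported as disabled. Separately, both early returns call `grub_error ()` and leave without lockdown; a missing property is presumably the normal case on systems without secure boot, so `grub_dprintf` may fit better there than leaving an error recorded during init.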