[RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files
From: Zhang Boyang
Subject: [RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files
Date: Mon, 5 Dec 2022 21:06:05 +0800

Since font files can be wrapped as PE images by grub-wrap, use shim to
verify font files if Secure Boot is enabled. To prevent other PE files
(e.g. kernel images) from being used as wrappers, it only allows files
marked as Windows GUI to be used as wrappers.

Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
---
grub-core/kern/efi/sb.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 4fb751d8a..a86763232 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -141,6 +141,10 @@ static struct pe_requirements kernel_pe_requirements = {
.subsystem = GRUB_PE32_SUBSYSTEM_EFI_APPLICATION,
};
+static struct pe_requirements wrapper_pe_requirements = {
+ .subsystem = GRUB_PE32_SUBSYSTEM_WINDOWS_GUI,
+};
+
static grub_err_t
shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
enum grub_file_type type,
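Review bot: wrapper_pe_requirements is added without a comment, and from these lines the subsystem value is the only property that separates a font wrapper from any other shim-verifiable PE image. Please add a short comment above the struct saying that GRUB_PE32_SUBSYSTEM_WINDOWS_GUI is the marker expected on wrapped files and why it was chosen, so the reasoning from the commit message (keeping kernel images from being accepted as wrappers) sits next to the code. If struct pe_requirements can carry further constraints, it is worth considering whether the subsystem field alone is a strong enough discriminator.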
@@ -163,6 +167,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__
((unused)),
*flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
return GRUB_ERR_NONE;
+ case GRUB_FILE_TYPE_FONT:
+ *context = &wrapper_pe_requirements;
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+ return GRUB_ERR_NONE;
+
/* Files that do not affect secureboot state. */
case GRUB_FILE_TYPE_NONE:
case GRUB_FILE_TYPE_LOOPBACK:
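Review bot: the new case GRUB_FILE_TYPE_FONT carries no comment, unlike the group directly below it, and the hunk does not show what happens to a font that is not PE-wrapped once this case routes it to the shim verifier. Please add a comment above the case, and state in the commit message whether plain, unwrapped font files are rejected when Secure Boot is enabled, since that would change behaviour for existing installations. It would also help to say where the wrapper is stripped so the font loader receives the font payload rather than the PE image, because nothing in these lines covers that.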
--
2.30.2