From: Andrew Hamilton <adhamilt@gmail.com>
To: grub-devel@gnu.org
Cc: daniel.kiper@oracle.com, Andrew Hamilton <adhamilt@gmail.com>
Subject: [PATCH 1/2] docs: Document Restricted Filesystems in Lockdown
Date: Fri, 28 Feb 2025 15:55:23 -0600 [thread overview]
Message-ID: <20250228215524.45240-2-adhamilt@gmail.com> (raw)
In-Reply-To: <20250228215524.45240-1-adhamilt@gmail.com>
Document which file systems are not allowed when lockdown
is enabled to align to recent GRUB changes.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
docs/grub.texi | 89 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 87 insertions(+), 2 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index e96f1579a..23eb3ad81 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -363,6 +363,8 @@ Fast FileSystem (AFFS)}, @dfn{AtheOS fs}, @dfn{BeFS},
@dfn{BSD UFS/UFS2}, @dfn{XFS}, and @dfn{ZFS} (including lzjb, gzip,
zle, mirror, stripe, raidz1/2/3 and encryption in AES-CCM and AES-GCM).
@xref{Filesystem}, for more information.
+Note: Only a subset of filesystems are supported in lockdown mode (such
+as when secure boot is enabled, @pxref{Lockdown} for more information).
@item Support automatic decompression
Can decompress files which were compressed by @command{gzip} or
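Review bot: subject-verb agreement in the added sentence: "Only a subset of filesystems are supported" should read "is supported" (the subject is "subset"). The parenthetical also carries two different thoughts (when lockdown applies, and where to read more); splitting it reads more naturally and matches the line just above it, e.g. "Only a subset of filesystems is supported in lockdown mode (for example when UEFI secure boot is enabled). @xref{Lockdown}, for more information."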
@@ -843,6 +845,8 @@ not use any additional partition maps to access @file{/boot}
F2FS, HFS, uncompressed HFS+, ISO9660, JFS, Minix, Minix2, Minix3, NILFS2,
NTFS, ReiserFS, ROMFS, SFS, tar, UDF, UFS1, UFS2, XFS
@end itemize
+Note: Only a subset of filesystems are supported in lockdown mode (such
+as when secure boot is enabled, @pxref{Lockdown} for more information).
MBR gap has few technical problems. There is no way to reserve space in
the embedding area with complete safety, and some proprietary software is
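Review bot: this is the same sentence as in the previous hunk, so the same fix applies here: "a subset of filesystems is supported", and the cross-reference is clearer as its own sentence ("@xref{Lockdown}, for more information.") rather than folded into the parenthesis. Keeping the two copies word-for-word identical after the fix would be good so they do not drift apart later.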
@@ -4198,10 +4202,14 @@ This is used as part of LZO decompression / compression.
@node affs_module
@section affs
This module provides support for the Amiga Fast FileSystem (AFFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node afs_module
@section afs
This module provides support for the AtheOS File System (AFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node afsplitter_module
@section afsplitter
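Review bot: the note uses @pxref outside parentheses ("... in lockdown mode, @pxref{Lockdown} for more information."). In Texinfo @pxref is meant for use inside a parenthetical; elsewhere this file already writes the same idea as a separate sentence with @xref (see "@xref{Filesystem}, for more information." in the first hunk), so "Note: This module is not allowed in lockdown mode. @xref{Lockdown}, for more information." would be consistent with the document's own style. Since this identical two-line note is repeated for every restricted filesystem module in the series, consider defining it once with a Texinfo @macro (e.g. a hypothetical @lockdownnote{}) and expanding it in each section, so future wording changes happen in one place.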
@@ -4253,6 +4261,8 @@ to the terminal for the current call stack.
@node bfs_module
@section bfs
This module provides support for the BeOS "Be File System" (BFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node biosdisk_module
@section biosdisk
@@ -4342,6 +4352,8 @@ content of a file to the terminal. Please @pxref{cat} for more info.
@section cbfs
This module provides support for the Coreboot File System (CBFS) which is an
archive based file system.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node cbls_module
@section cbls
@@ -4847,6 +4859,8 @@ contents of a file in hexadecimal. @xref{hexdump} for more information.
@section hfs
This module provides support for the Hierarchical File System (HFS) file system
in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node hfsplus_module
@section hfsplus
@@ -4887,6 +4901,8 @@ longer names)
@node jfs_module
@section jfs
This module provides support for the Journaled File System (JFS) file system.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node jpeg_module
@section jpeg
@@ -5125,26 +5141,38 @@ modules.
@node minix_module
@section minix
This module provides support for the Minix filesystem, version 1.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix2_module
@section minix2
This module provides support for the Minix filesystem, version 2.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix2_be_module
@section minix2_be
This module provides support for the Minix filesystem, version 2 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix3_module
@section minix3
This module provides support for the Minix filesystem, version 3.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix3_be_module
@section minix3_be
This module provides support for the Minix filesystem, version 3 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix_be_module
@section minix_be
This module provides support for the Minix filesystem, version 1 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node mmap_module
@section mmap
@@ -5278,6 +5306,8 @@ something like "ASCII cpio archive (SVR4 with CRC)"
@section nilfs2
This module provides support for the New Implementation of Log filesystem
(nilfs2).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node normal_module
@section normal
@@ -5287,11 +5317,15 @@ more information.
@node ntfs_module
@section ntfs
This module provides support for the New Technology File System (NTFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ntfscomp_module
@section ntfscomp
This module provides support for compression with the New Technology File
System (NTFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ntldr_module
@section ntldr
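Review bot: please confirm the ntfscomp note is accurate as written. ntfscomp is described just above as providing NTFS compression support rather than being a filesystem in its own right; if the module itself is refused by GRUB in lockdown mode the note is fine, but if it is only unusable because ntfs is refused, saying so ("depends on the ntfs module, which is not allowed in lockdown mode") would be more precise for readers checking which modules load.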
@@ -5517,6 +5551,8 @@ GRUB script wildcard translator. @xref{regexp} for more information.
@node reiserfs_module
@section reiserfs
This module provides support for the ReiserFS File System in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node relocator_module
@section relocator
@@ -5526,6 +5562,8 @@ to the expected memory location(s) and jumping to (invoking) the executable.
@node romfs_module
@section romfs
This module provides support for the Read-Only Memory File System (ROMFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node scsi_module
@section scsi
@@ -5594,6 +5632,8 @@ values from / to specified PCI / PCIe devices.
@node sfs_module
@section sfs
This module provides support for the Amiga Smart File System (SFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node shift_test_module
@section shift_test
@@ -5742,19 +5782,27 @@ information provided by a U-Boot bootloader.
@section udf
This module provides support for the Universal Disk Format (UDF) used on some
newer optical disks.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs1_module
@section ufs1
This module provides support for the Unix File System version 1 in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs1_be_module
@section ufs1_be
This module provides support for the Unix File System version 1 (big-endian) in
GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs2_module
@section ufs2
This module provides support for the Unix File System version 2 in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node uhci_module
@section uhci
@@ -8813,10 +8861,47 @@ platforms.
The GRUB can be locked down when booted on a secure boot environment, for example
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
-be restricted and some operations/commands cannot be executed.
+be restricted and some operations/commands cannot be executed. This also includes
+limiting which filesystems are supported to those thought to be more robust and
+widely used within GRUB.
+
+The filesystems currently allowed in lockdown mode include:
+@itemize @bullet
+@item BtrFS
+@item cpio
+@item exFAT
+@item Enhanced Read-Only File System (EROFS)
+@item Linux ext2/ext3/ext4
+@item F2FS
+@item DOS FAT12/FAT16/FAT32
+@item HFS+
+@item ISO9660
+@item Squash4
+@item tar
+@item XFS
+@item ZFS
+@end itemize
+
+The filesystems currently not allowed in lockdown mode include:
+@itemize @bullet
+@item Amiga Fast FileSystem (AFFS)
+@item AtheOS File System (AFS)
+@item Bee File System (BFS)
+@item Coreboot File System (CBFS)
+@item Hierarchical File System (HFS)
+@item Journaled File System (JFS)
+@item Minix filesystem
+@item New Implementation of Log filesystem (nilfs2)
+@item Windows New Technology File System (NTFS)
+@item ReiserFS
+@item Read-Only Memory File System (ROMFS)
+@item Amiga Smart File System (SFS)
+@item Universal Disk Format (UDF)
+@item Unix File System (UFS)
+@end itemize
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
-Otherwise it does not exit.
+Otherwise it does not exist.
@node TPM2 key protector
@section TPM2 key protector in GRUB
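Review bot: naming in the "not allowed" list is inconsistent with the module sections edited earlier in this patch: the list says "Bee File System (BFS)" while the bfs section says 'BeOS "Be File System" (BFS)'; one spelling should be used throughout. In the allowed list, "Squash4" is the module name rather than a filesystem name, so "SquashFS (squash4)" would read better alongside the other user-facing names, and "BtrFS" is usually written "Btrfs". Both lists open with "include:", which suggests they may be incomplete; if they are meant to be exhaustive, "are:" says so. The "does not exit" to "does not exist" correction is welcome.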
--
2.39.5