* [PATCH 0/2] docs: Update Documentation for Lockdown Changes
From: Andrew Hamilton @ 2025-02-28 21:55 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
Make some updates to the GRUB documentation around which file systems
are allowed / disallowed in lockdown, as well as additional Commands
now blocked in lockdown mode.
Andrew Hamilton (2):
docs: Document Restricted Filesystems in Lockdown
docs: Capture Additional Commands Restricted by Lockdown
docs/grub.texi | 98 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 96 insertions(+), 2 deletions(-)
--
2.39.5
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
* [PATCH 1/2] docs: Document Restricted Filesystems in Lockdown
From: Andrew Hamilton @ 2025-02-28 21:55 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
Document which file systems are not allowed when lockdown
is enabled to align to recent GRUB changes.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
docs/grub.texi | 89 ++++++++++++++++++++++++++++++++++++++++++++++++--
1 file changed, 87 insertions(+), 2 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index e96f1579a..23eb3ad81 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -363,6 +363,8 @@ Fast FileSystem (AFFS)}, @dfn{AtheOS fs}, @dfn{BeFS},
@dfn{BSD UFS/UFS2}, @dfn{XFS}, and @dfn{ZFS} (including lzjb, gzip,
zle, mirror, stripe, raidz1/2/3 and encryption in AES-CCM and AES-GCM).
@xref{Filesystem}, for more information.
+Note: Only a subset of filesystems are supported in lockdown mode (such
+as when secure boot is enabled, @pxref{Lockdown} for more information).
@item Support automatic decompression
Can decompress files which were compressed by @command{gzip} or
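Review bot: the added note at line 366 reads "Only a subset of filesystems are supported", which needs "is supported" (subset is singular), and the parenthetical runs the example and the cross reference together. Suggest: "Note: only a subset of these filesystems is available in lockdown mode, for example when UEFI Secure Boot is enabled (@pxref{Lockdown})." The identical two lines are added again in the next hunk, so apply the same fix there.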
@@ -843,6 +845,8 @@ not use any additional partition maps to access @file{/boot}
F2FS, HFS, uncompressed HFS+, ISO9660, JFS, Minix, Minix2, Minix3, NILFS2,
NTFS, ReiserFS, ROMFS, SFS, tar, UDF, UFS1, UFS2, XFS
@end itemize
+Note: Only a subset of filesystems are supported in lockdown mode (such
+as when secure boot is enabled, @pxref{Lockdown} for more information).
MBR gap has few technical problems. There is no way to reserve space in
the embedding area with complete safety, and some proprietary software is
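Review bot: this note is a verbatim copy of the one added to the Features list above, so whatever wording is settled on there needs mirroring here. Separately, the list this note follows says "uncompressed HFS+", while the allowed list in the new Lockdown section says only "HFS+"; either state in the Lockdown section whether compressed HFS+ volumes are treated differently under lockdown, or drop the qualifier in one of the two places so the two lists agree.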
@@ -4198,10 +4202,14 @@ This is used as part of LZO decompression / compression.
@node affs_module
@section affs
This module provides support for the Amiga Fast FileSystem (AFFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node afs_module
@section afs
This module provides support for the AtheOS File System (AFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node afsplitter_module
@section afsplitter
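Review bot: the per-module wording "not allowed in lockdown mode, @pxref{Lockdown} for more information" uses @pxref outside parentheses (it expands to "see Lockdown") and differs from the form used in patch 2/2, "not allowed when lockdown is enforced (@pxref{Lockdown})". Settle on one sentence for every module section, e.g. "Note: This module is not available in lockdown mode (@pxref{Lockdown})." Since the same two lines are pasted into about twenty sections in this patch, a Texinfo @macro would let later wording changes happen in one place.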
@@ -4253,6 +4261,8 @@ to the terminal for the current call stack.
@node bfs_module
@section bfs
This module provides support for the BeOS "Be File System" (BFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node biosdisk_module
@section biosdisk
@@ -4342,6 +4352,8 @@ content of a file to the terminal. Please @pxref{cat} for more info.
@section cbfs
This module provides support for the Coreboot File System (CBFS) which is an
archive based file system.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node cbls_module
@section cbls
@@ -4847,6 +4859,8 @@ contents of a file in hexadecimal. @xref{hexdump} for more information.
@section hfs
This module provides support for the Hierarchical File System (HFS) file system
in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node hfsplus_module
@section hfsplus
@@ -4887,6 +4901,8 @@ longer names)
@node jfs_module
@section jfs
This module provides support for the Journaled File System (JFS) file system.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node jpeg_module
@section jpeg
@@ -5125,26 +5141,38 @@ modules.
@node minix_module
@section minix
This module provides support for the Minix filesystem, version 1.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix2_module
@section minix2
This module provides support for the Minix filesystem, version 2.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix2_be_module
@section minix2_be
This module provides support for the Minix filesystem, version 2 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix3_module
@section minix3
This module provides support for the Minix filesystem, version 3.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix3_be_module
@section minix3_be
This module provides support for the Minix filesystem, version 3 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node minix_be_module
@section minix_be
This module provides support for the Minix filesystem, version 1 big-endian.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node mmap_module
@section mmap
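Review bot: the note is duplicated for all six Minix variants (minix, minix2, minix2_be, minix3, minix3_be, minix_be), but the summary list in the new Lockdown section only says "Minix filesystem"; spell out there that every Minix version and both byte orders are covered, otherwise a reader of the summary may assume only version 1 is affected.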
@@ -5278,6 +5306,8 @@ something like "ASCII cpio archive (SVR4 with CRC)"
@section nilfs2
This module provides support for the New Implementation of Log filesystem
(nilfs2).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node normal_module
@section normal
@@ -5287,11 +5317,15 @@ more information.
@node ntfs_module
@section ntfs
This module provides support for the New Technology File System (NTFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ntfscomp_module
@section ntfscomp
This module provides support for compression with the New Technology File
System (NTFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ntldr_module
@section ntldr
@@ -5517,6 +5551,8 @@ GRUB script wildcard translator. @xref{regexp} for more information.
@node reiserfs_module
@section reiserfs
This module provides support for the ReiserFS File System in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node relocator_module
@section relocator
@@ -5526,6 +5562,8 @@ to the expected memory location(s) and jumping to (invoking) the executable.
@node romfs_module
@section romfs
This module provides support for the Read-Only Memory File System (ROMFS).
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node scsi_module
@section scsi
@@ -5594,6 +5632,8 @@ values from / to specified PCI / PCIe devices.
@node sfs_module
@section sfs
This module provides support for the Amiga Smart File System (SFS) in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node shift_test_module
@section shift_test
@@ -5742,19 +5782,27 @@ information provided by a U-Boot bootloader.
@section udf
This module provides support for the Universal Disk Format (UDF) used on some
newer optical disks.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs1_module
@section ufs1
This module provides support for the Unix File System version 1 in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs1_be_module
@section ufs1_be
This module provides support for the Unix File System version 1 (big-endian) in
GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node ufs2_module
@section ufs2
This module provides support for the Unix File System version 2 in GRUB.
+Note: This module is not allowed in lockdown mode, @pxref{Lockdown} for more
+information.
@node uhci_module
@section uhci
@@ -8813,10 +8861,47 @@ platforms.
The GRUB can be locked down when booted on a secure boot environment, for example
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
-be restricted and some operations/commands cannot be executed.
+be restricted and some operations/commands cannot be executed. This also includes
+limiting which filesystems are supported to those thought to be more robust and
+widely used within GRUB.
+
+The filesystems currently allowed in lockdown mode include:
+@itemize @bullet
+@item BtrFS
+@item cpio
+@item exFAT
+@item Enhanced Read-Only File System (EROFS)
+@item Linux ext2/ext3/ext4
+@item F2FS
+@item DOS FAT12/FAT16/FAT32
+@item HFS+
+@item ISO9660
+@item Squash4
+@item tar
+@item XFS
+@item ZFS
+@end itemize
+
+The filesystems currently not allowed in lockdown mode include:
+@itemize @bullet
+@item Amiga Fast FileSystem (AFFS)
+@item AtheOS File System (AFS)
+@item Bee File System (BFS)
+@item Coreboot File System (CBFS)
+@item Hierarchical File System (HFS)
+@item Journaled File System (JFS)
+@item Minix filesystem
+@item New Implementation of Log filesystem (nilfs2)
+@item Windows New Technology File System (NTFS)
+@item ReiserFS
+@item Read-Only Memory File System (ROMFS)
+@item Amiga Smart File System (SFS)
+@item Universal Disk Format (UDF)
+@item Unix File System (UFS)
+@end itemize
The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down.
-Otherwise it does not exit.
+Otherwise it does not exist.
@node TPM2 key protector
@section TPM2 key protector in GRUB
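Review bot: the filesystem names in the two new lists disagree with the per-module sections added by this same patch: "Bee File System (BFS)" should be "Be File System (BFS)" (the bfs section says BeOS "Be File System"), "Windows New Technology File System (NTFS)" versus "New Technology File System (NTFS)" in the ntfs section, and "BtrFS" is usually written "Btrfs". The allowed list also mixes filesystem names with module names ("cpio", "tar", "Squash4"); "SquashFS (version 4)" or similar keeps the list in one register. Two further points: the rationale "thought to be more robust and widely used" tells the user nothing about what they will observe when a disallowed module is loaded under lockdown (an insmod error, or the filesystem simply never being registered), and one sentence on that next to the @samp{lockdown} variable would make the section actionable; and the "exit" -> "exist" fix in the last changed line is unrelated to this change and would normally go in its own one-line patch.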
--
2.39.5
* [PATCH 2/2] docs: Capture Additional Commands Restricted by Lockdown
From: Andrew Hamilton @ 2025-02-28 21:55 UTC (permalink / raw)
To: grub-devel; +Cc: daniel.kiper, Andrew Hamilton
Update documentation to capture that all memrw commands, the
minicmd dump command, and raw memory dumping via hexdump
are restricted when lockdown is enabled. This aligns to recent
GRUB code updates.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
---
docs/grub.texi | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/docs/grub.texi b/docs/grub.texi
index 23eb3ad81..d9b26fa36 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5124,6 +5124,8 @@ This module provides support for commands @command{read_byte},
write data to physical memory (addresses). The "read" commands accept one
parameter to specify the source address. The "write" commands require either two
or three parameters, with the order: address, value, <optional mask>.
+Note: The commands provided by this module are not allowed when lockdown is
+enforced (@pxref{Lockdown}).
@node memtools_module
@section memtools
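Review bot: "not allowed when lockdown is enforced" here versus "not allowed in lockdown mode" throughout patch 1/2; pick one phrase for the whole series (the Lockdown section itself says "locked down"). Also, if @command{read_byte}, @command{write_byte} and the other memrw commands have their own entries in the command reference chapter, a reader who lands there will not see this module-level note, so the same sentence belongs on those entries too.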
@@ -5137,6 +5139,8 @@ including: @command{cat}, @command{help}, @command{dump}, @command{rmmod},
@command{lsmod}, and @command{exit}. The version of the commands in this module
are similar to their full-fledged counterparts implemented in other GRUB
modules.
+Note: The @command{dump} command is not allowed when lockdown is enforced
+(@pxref{Lockdown}).
@node minix_module
@section minix
@@ -7196,6 +7200,11 @@ to be shown.
If given the special device named @samp{(mem)}, then the @samp{offset} given to
@option{--skip} is treated as the address of a memory location to dump from.
+
+Note: The dumping of RAM memory (by the (mem) argument) is not allowed when
+when lockdown is enforced (@pxref{Lockdown}). The dumping of disk or file
+data is allowed when lockdown is enforced.
+
@end deffn
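Review bot: "is not allowed when" on the first added line is followed by "when lockdown is enforced" on the next, so the rendered text reads "when when"; drop one. "RAM memory" is redundant, "(by the (mem) argument)" nests bare parentheses where the preceding paragraph writes @samp{(mem)}, and the blank "+" lines before @end deffn add an empty paragraph. Suggest: "Note: Dumping physical memory through the @samp{(mem)} device is not allowed when lockdown is enforced (@pxref{Lockdown}); dumping disk or file contents remains allowed."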
--
2.39.5
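A lockdown-aware grub.cfg fragment, added here as an illustration and not taken from the GRUB manual, from this patch series or from any GRUB project code. It branches on the "lockdown" variable that patch 1/2 documents (set to "y" when GRUB is locked down, otherwise unset), so that the ntfs and memrw modules, both restricted under lockdown, are only loaded, and the "(mem)" form of hexdump that patch 2/2 documents is only used, when GRUB is not locked down. Assumptions, all placeholders: the devices (hd0,gpt2) and (hd0,gpt3), the kernel and initrd paths, and the memory address; how a refused module or command reports its error under lockdown is not stated on this page and is not relied on.

```grub
# Added example (not GRUB project code). Assumes $lockdown is "y" only when
# GRUB is locked down and is unset otherwise, as the Lockdown section states.
# Device names, paths and the memory address are placeholders.

if [ "$lockdown" = "y" ]; then
  echo "lockdown active: NTFS volumes and raw memory access are unavailable"
else
  # Both modules are restricted under lockdown, so only load them outside it.
  insmod ntfs
  insmod memrw
fi

# Offer the NTFS-backed entry only when the filesystem module is usable.
if [ "$lockdown" != "y" ]; then
  menuentry 'Rescue image on NTFS volume' {
    set root=(hd0,gpt3)
    linux /rescue/vmlinuz
    initrd /rescue/initrd.img
  }
fi

menuentry 'Debug: inspect kernel image header' {
  # Dumping a file or disk remains allowed under lockdown ...
  hexdump -n 64 (hd0,gpt2)/vmlinuz
  # ... dumping physical memory via (mem) does not, so guard that form.
  if [ "$lockdown" != "y" ]; then
    hexdump -s 0x100000 -n 64 (mem)
  else
    echo "skipping physical memory dump: lockdown is active"
  fi
}
```

The same check can be typed at the GRUB prompt ("echo $lockdown") to confirm whether a given boot is locked down before trying any of the restricted modules or commands; under lockdown the script above never attempts them, so a user sees an explicit message rather than a failed insmod or hexdump.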
* Re: [PATCH 0/2] docs: Update Documentation for Lockdown Changes
From: Daniel Kiper via Grub-devel @ 2025-03-04 13:07 UTC (permalink / raw)
To: Andrew Hamilton; +Cc: Daniel Kiper, grub-devel
On Fri, Feb 28, 2025 at 03:55:22PM -0600, Andrew Hamilton wrote:
> Make some updates to the GRUB documentation around which file systems
> are allowed / disallowed in lockdown, as well as additional Commands
> now blocked in lockdown mode.
>
> Andrew Hamilton (2):
> docs: Document Restricted Filesystems in Lockdown
> docs: Capture Additional Commands Restricted by Lockdown
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel