[PATCH v18 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot

From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
	julian.klode@canonical.com, mate.kukri@canonical.com,
	pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
	stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
	ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
	sridharm@linux.ibm.com, Daniel Kiper <daniel.kiper@oracle.com>
Subject: [PATCH v18 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot
Date: Mon,  6 Oct 2025 12:54:54 +0530	[thread overview]
Message-ID: <20251006072508.19088-10-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20251006072508.19088-1-sudhakar@linux.ibm.com>

Read secure boot mode from 'ibm,secure-boot' property and if the secure boot
mode is set to 2 (enforce), enter lockdown. Else it is considered as disabled.
There are three secure boot modes. They are

0 - disabled
     No signature verification is performed. This is the default.
1 - audit
     Signature verification is performed and if signature verification fails,
     display the errors and allow the boot to continue.
2 - enforce
     Lockdown the GRUB. Signature verification is performed and if signature
     verification fails, display the errors and stop the boot.

Now, only support disabled and enforce.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 docs/grub.texi                 |  2 +-
 grub-core/Makefile.core.def    |  1 +
 grub-core/kern/ieee1275/init.c | 54 ++++++++++++++++++++++++++++++++++
 include/grub/lockdown.h        |  3 +-
 4 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 37297fc2c..1c33b44e2 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -9144,7 +9144,7 @@ platforms.
 @section Lockdown when booting on a secure setup
 
 The GRUB can be locked down when booted on a secure boot environment, for example
-if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+if UEFI or Power secure boot is enabled. On a locked down configuration, the GRUB will
 be restricted and some operations/commands cannot be executed. This also includes
 limiting which filesystems are supported to those thought to be more robust and
 widely used within GRUB.
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 0fcf67f9d..8e3929710 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -333,6 +333,7 @@ kernel = {
   powerpc_ieee1275 = kern/powerpc/cache.S;
   powerpc_ieee1275 = kern/powerpc/dl.c;
   powerpc_ieee1275 = kern/powerpc/compiler-rt.S;
+  powerpc_ieee1275 = kern/lockdown.c;
 
   sparc64_ieee1275 = kern/sparc64/cache.S;
   sparc64_ieee1275 = kern/sparc64/dl.c;
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index a5586f85b..28653a5a4 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -49,6 +49,14 @@
 #if defined(__powerpc__) || defined(__i386__)
 #include <grub/ieee1275/alloc.h>
 #endif
+#if defined(__powerpc__)
+#include <grub/lockdown.h>
+#endif
+
+#ifdef __powerpc__
+#define GRUB_SB_DISABLED        ((grub_uint32_t) 0)
+#define GRUB_SB_ENFORCE         ((grub_uint32_t) 2)
+#endif
 
 /* The maximum heap size we're going to claim at boot. Not used by sparc. */
 #ifdef __i386__
@@ -994,7 +1002,49 @@ grub_parse_cmdline (void)
 	}
     }
 }
+#ifdef __powerpc__
+static void
+grub_ieee1275_get_secure_boot (void)
+{
+  grub_ieee1275_phandle_t root;
+  grub_uint32_t sb_mode = GRUB_SB_DISABLED;
+  grub_int32_t rc;
+
+  rc = grub_ieee1275_finddevice ("/", &root);
+  if (rc != 0)
+    {
+      grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't find / node");
+      return;
+    }
 
+  rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &sb_mode, sizeof (sb_mode), 0);
+  if (rc != 0)
+    {
+      grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /ibm,secure-boot property");
+      return;
+    }
+  /*
+   * Secure Boot Mode:
+   * 0 - disabled
+   *      No signature verification is performed. This is the default.
+   * 1 - audit
+   *      Signature verification is performed and if signature verification
+   *      fails, display the errors and allow the boot to continue.
+   * 2 - enforce
+   *      Lockdown the GRUB. Signature verification is performed and If
+   *      signature verification fails, display the errors and stop the boot.
+   *
+   * Now, only support disabled and enforce.
+   */
+  if (sb_mode == GRUB_SB_ENFORCE)
+    {
+      grub_dprintf ("ieee1275", "Secure Boot Enabled\n");
+      grub_lockdown ();
+    }
+  else
+    grub_dprintf ("ieee1275", "Secure Boot Disabled\n");
+}
+#endif /* __powerpc__ */
 grub_addr_t grub_modbase;
 
 void
@@ -1020,6 +1070,10 @@ grub_machine_init (void)
 #else
   grub_install_get_time_ms (grub_rtc_get_time_ms);
 #endif
+
+#ifdef __powerpc__
+  grub_ieee1275_get_secure_boot ();
+#endif
 }
 
 void
diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
index 40531fa82..ebfee4bf0 100644
--- a/include/grub/lockdown.h
+++ b/include/grub/lockdown.h
@@ -24,7 +24,8 @@
 #define GRUB_LOCKDOWN_DISABLED       0
 #define GRUB_LOCKDOWN_ENABLED        1
 
-#ifdef GRUB_MACHINE_EFI
+#if defined(GRUB_MACHINE_EFI) || \
+    (defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275))
 extern void
 EXPORT_FUNC (grub_lockdown) (void);
 extern int
-- 
2.50.1 (Apple Git-155)


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
