From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
To: grub-devel@gnu.org
Cc: dja@axtens.net, jan.setjeeilers@oracle.com,
julian.klode@canonical.com, mate.kukri@canonical.com,
pjones@redhat.com, msuchanek@suse.com, mlewando@redhat.com,
stefanb@linux.ibm.com, avnish@linux.ibm.com, nayna@linux.ibm.com,
ssrish@linux.ibm.com, Sudhakar Kuppusamy <sudhakar@linux.ibm.com>,
Daniel Kiper <daniel.kiper@oracle.com>
Subject: [PATCH v6 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot
Date: Tue, 29 Jul 2025 18:06:58 +0530 [thread overview]
Message-ID: <20250729123709.83349-10-sudhakar@linux.ibm.com> (raw)
In-Reply-To: <20250729123709.83349-1-sudhakar@linux.ibm.com>
Read secure boot mode from 'ibm,secure-boot' property and if
the secure boot mode is enforced, enter lockdown. Else it is
considered as disabled. There are three secure boot modes.
They are
0 - disabled
No signature verification is performed. This is the default.
1 - audit
Signature verification is performed and if signature verification
fails, post the errors and allow the boot to continue.
2 - enforced
Lockdown the GRUB. Signature verification is performed and
If signature verification fails, post the errors and stop the boot.
Now, only support disabled and enforced.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
docs/grub.texi | 2 +-
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c | 55 ++++++++++++++++++++++++++++++++
include/grub/ieee1275/ieee1275.h | 19 +++++++++++
include/grub/lockdown.h | 3 +-
5 files changed, 78 insertions(+), 2 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index bdbc3b82e..15f087f27 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -8912,7 +8912,7 @@ platforms.
@section Lockdown when booting on a secure setup
The GRUB can be locked down when booted on a secure boot environment, for example
-if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+if the UEFI or Power secure boot is enabled. On a locked down configuration, the GRUB will
be restricted and some operations/commands cannot be executed. This also includes
limiting which filesystems are supported to those thought to be more robust and
widely used within GRUB.
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index b3f71196a..b72f322b1 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -331,6 +331,7 @@ kernel = {
powerpc_ieee1275 = kern/powerpc/cache.S;
powerpc_ieee1275 = kern/powerpc/dl.c;
powerpc_ieee1275 = kern/powerpc/compiler-rt.S;
+ powerpc_ieee1275 = kern/lockdown.c;
sparc64_ieee1275 = kern/sparc64/cache.S;
sparc64_ieee1275 = kern/sparc64/dl.c;
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index a5586f85b..0f0047d69 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -49,6 +49,9 @@
#if defined(__powerpc__) || defined(__i386__)
#include <grub/ieee1275/alloc.h>
#endif
+#if defined(__powerpc__)
+#include <grub/lockdown.h>
+#endif
/* The maximum heap size we're going to claim at boot. Not used by sparc. */
#ifdef __i386__
@@ -995,6 +998,54 @@ grub_parse_cmdline (void)
}
}
+#ifdef __powerpc__
+
+/* Secure Boot Mode. */
+static grub_uint32_t sb_mode = GRUB_SB_DISABLED;
+
+static void
+grub_ieee1275_get_secure_boot (void)
+{
+ grub_ieee1275_phandle_t root;
+ int rc;
+
+ rc = grub_ieee1275_finddevice ("/", &root);
+ if (rc != 0)
+ {
+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't find / node");
+ return;
+ }
+
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &sb_mode, sizeof (sb_mode), 0);
+ if (rc != 0)
+ {
+ grub_error (GRUB_ERR_UNKNOWN_DEVICE, "couldn't examine /ibm,secure-boot property");
+ return;
+ }
+ /*
+ * Secure Boot Mode:
+ * 0 - disabled
+ * No signature verification is performed. This is the default.
+ * 1 - audit
+ * Signature verification is performed and if signature verification fails,
+ * post the errors and allow the boot to continue.
+ * 2 - enforced
+ * Lockdown the GRUB. Signature verification is performed and If signature verification fails,
+ * post the errors and stop the boot.
+ *
+ * Now, only support disabled and enforced.
+ */
+ if (sb_mode == GRUB_SB_ENFORCED)
+ grub_lockdown ();
+}
+
+grub_uint32_t
+grub_ieee1275_is_secure_boot (void)
+{
+ return sb_mode;
+}
+#endif
+
grub_addr_t grub_modbase;
void
@@ -1020,6 +1071,10 @@ grub_machine_init (void)
#else
grub_install_get_time_ms (grub_rtc_get_time_ms);
#endif
+
+#ifdef __powerpc__
+ grub_ieee1275_get_secure_boot ();
+#endif
}
void
diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
index c445d0499..6f7925168 100644
--- a/include/grub/ieee1275/ieee1275.h
+++ b/include/grub/ieee1275/ieee1275.h
@@ -261,4 +261,23 @@ char *EXPORT_FUNC(grub_ieee1275_get_boot_dev) (void);
(alias).name; \
grub_ieee1275_children_peer (&(alias)))
+
+#ifdef __powerpc__
+
+/*
+ * Secure Boot Mode:
+ * 0 - disabled
+ * No signature verification is performed. This is the default.
+ * 2 - enforced
+ * Lockdown the GRUB. Signature verification is performed and
+ * If signature verification fails, post the errors and stop the boot.
+ */
+#define GRUB_SB_DISABLED 0
+#define GRUB_SB_ENFORCED 2
+
+extern grub_uint32_t
+EXPORT_FUNC(grub_ieee1275_is_secure_boot) (void);
+
+#endif
+
#endif /* ! GRUB_IEEE1275_HEADER */
diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h
index 40531fa82..ebfee4bf0 100644
--- a/include/grub/lockdown.h
+++ b/include/grub/lockdown.h
@@ -24,7 +24,8 @@
#define GRUB_LOCKDOWN_DISABLED 0
#define GRUB_LOCKDOWN_ENABLED 1
-#ifdef GRUB_MACHINE_EFI
+#if defined(GRUB_MACHINE_EFI) || \
+ (defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275))
extern void
EXPORT_FUNC (grub_lockdown) (void);
extern int
--
2.39.5 (Apple Git-154)
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
next prev parent reply other threads:[~2025-07-29 12:44 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-29 12:36 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 01/20] powerpc-ieee1275: Add support for signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 02/20] crypto: Move storage for grub_crypto_pk_* to crypto.c Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 03/20] pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 04/20] grub-install: Support embedding x509 certificates Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 05/20] appended signatures: Import GNUTLS's ASN.1 description files Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 06/20] appended signatures: Parse ASN1 node Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 07/20] appended signatures: Parse PKCS#7 signedData Sudhakar Kuppusamy
2025-07-29 12:36 ` [PATCH v6 08/20] appended signatures: Parse X.509 certificates Sudhakar Kuppusamy
2025-07-29 12:36 ` Sudhakar Kuppusamy [this message]
2025-07-29 12:36 ` [PATCH v6 10/20] appended signatures: Support verifying appended signatures Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 11/20] powerpc_ieee1275: Read the db and dbx secure boot variables Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 12/20] appended signatures: Create db and dbx lists Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 13/20] appended signatures: Using db and dbx lists for signature verification Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 14/20] powerpc_ieee1275: Introduce use_static_keys flag Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 15/20] appended signatures: Read default db keys from the ELF Note Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 16/20] appended signatures: Introduce GRUB commands to access db and dbx Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 17/20] appended signatures: Verification tests Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 18/20] docs/grub: Document signing GRUB under UEFI Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 19/20] docs/grub: Document signing GRUB with an appended signature Sudhakar Kuppusamy
2025-07-29 12:37 ` [PATCH v6 20/20] docs/grub: Document " Sudhakar Kuppusamy
-- strict thread matches above, loose matches on Subject: below --
2025-07-29 14:51 [PATCH v6 00/20] Appended Signature Secure Boot Support for PowerPC Sudhakar Kuppusamy
2025-07-29 14:51 ` [PATCH v6 09/20] powerpc_ieee1275: Enter lockdown based on /ibm, secure-boot Sudhakar Kuppusamy
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250729123709.83349-10-sudhakar@linux.ibm.com \
--to=sudhakar@linux.ibm.com \
--cc=avnish@linux.ibm.com \
--cc=daniel.kiper@oracle.com \
--cc=dja@axtens.net \
--cc=grub-devel@gnu.org \
--cc=jan.setjeeilers@oracle.com \
--cc=julian.klode@canonical.com \
--cc=mate.kukri@canonical.com \
--cc=mlewando@redhat.com \
--cc=msuchanek@suse.com \
--cc=nayna@linux.ibm.com \
--cc=pjones@redhat.com \
--cc=ssrish@linux.ibm.com \
--cc=stefanb@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).