Make any of the loaders that link in efi mode honor secure boot.

And in this case "honor" means "even if somebody does link this in, they
won't register commands if SB is enabled."

Signed-off-by: Peter Jones <pjones@redhat.com>

grub-core/commands/iorw.c

@@ -24,6 +24,7 @@
 #include <grub/cpu/io.h>
 #include <grub/i18n.h>
 #include <grub/lockdown.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -119,6 +120,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 
 GRUB_MOD_INIT(memrw)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_read_byte =
     grub_register_extcmd ("inb", grub_cmd_read, 0,
 			  N_("PORT"), N_("Read 8-bit value from PORT."),
@@ -147,6 +151,9 @@ GRUB_MOD_INIT(memrw)
 
 GRUB_MOD_FINI(memrw)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_extcmd (cmd_read_byte);
   grub_unregister_extcmd (cmd_read_word);
   grub_unregister_extcmd (cmd_read_dword);

grub-core/commands/memrw.c

@@ -23,6 +23,7 @@
 #include <grub/env.h>
 #include <grub/i18n.h>
 #include <grub/lockdown.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -121,6 +122,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
 
 GRUB_MOD_INIT(memrw)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_read_byte =
     grub_register_extcmd ("read_byte", grub_cmd_read, 0,
 			  N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -149,6 +153,9 @@ GRUB_MOD_INIT(memrw)
 
 GRUB_MOD_FINI(memrw)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_extcmd (cmd_read_byte);
   grub_unregister_extcmd (cmd_read_word);
   grub_unregister_extcmd (cmd_read_dword);

grub-core/kern/dl.c

@@ -32,6 +32,7 @@
 #include <grub/env.h>
 #include <grub/cache.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 /* Platforms where modules are in a readonly area of memory.  */
 #if defined(GRUB_MACHINE_QEMU)
@@ -704,7 +705,7 @@ grub_dl_load_file (const char *filename)
   grub_dl_t mod = 0;
 
 #ifdef GRUB_MACHINE_EFI
-  if (grub_efi_secure_boot ())
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
     {
 #if 0
       /* This is an error, but grub2-mkconfig still generates a pile of

grub-core/kern/efi/efi.c

@@ -286,40 +286,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
   return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);
 }
 
-grub_efi_boolean_t
-grub_efi_secure_boot (void)
-{
-  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
-  grub_size_t datasize;
-  char *secure_boot = NULL;
-  char *setup_mode = NULL;
-  grub_efi_boolean_t ret = 0;
-
-  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
-  if (datasize != 1 || !secure_boot)
-    {
-      grub_dprintf ("secureboot", "No SecureBoot variable\n");
-      goto out;
-    }
-  grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
-
-  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
-  if (datasize != 1 || !setup_mode)
-    {
-      grub_dprintf ("secureboot", "No SetupMode variable\n");
-      goto out;
-    }
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
-
-  if (*secure_boot && !*setup_mode)
-    ret = 1;
-
- out:
-  grub_free (secure_boot);
-  grub_free (setup_mode);
-  return ret;
-}
-
 #pragma GCC diagnostic ignored "-Wcast-align"
 
 /* Search the mods section from the PE32/PE32+ image. This code uses

grub-core/loader/efi/appleloader.c

@@ -24,6 +24,7 @@
 #include <grub/misc.h>
 #include <grub/efi/api.h>
 #include <grub/efi/efi.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 
@@ -227,6 +228,9 @@ static grub_command_t cmd;
 
 GRUB_MOD_INIT(appleloader)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
 			       N_("[OPTS]"),
 			       /* TRANSLATORS: This command is used on EFI to
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
 
 GRUB_MOD_FINI(appleloader)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_command (cmd);
 }

grub-core/loader/efi/chainloader.c

@@ -34,6 +34,7 @@
 #include <grub/efi/disk.h>
 #include <grub/efi/pe32.h>
 #include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
 #include <grub/command.h>
 #include <grub/i18n.h>
 #include <grub/net.h>

grub-core/loader/i386/bsd.c

@@ -40,6 +40,7 @@
 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/int.h>
 #endif
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -2137,6 +2138,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
 
 GRUB_MOD_INIT (bsd)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   /* Net and OpenBSD kernels are often compressed.  */
   grub_dl_load ("gzio");
 
@@ -2176,6 +2180,9 @@ GRUB_MOD_INIT (bsd)
 
 GRUB_MOD_FINI (bsd)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_extcmd (cmd_freebsd);
   grub_unregister_extcmd (cmd_openbsd);
   grub_unregister_extcmd (cmd_netbsd);

grub-core/loader/i386/linux.c

@@ -37,6 +37,7 @@
 #include <grub/linux.h>
 #include <grub/machine/kernel.h>
 #include <grub/safemath.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1138,6 +1139,9 @@ static grub_command_t cmd_linux, cmd_initrd;
 
 GRUB_MOD_INIT(linux)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_linux = grub_register_command ("linux", grub_cmd_linux,
 				     0, N_("Load Linux."));
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
@@ -1147,6 +1151,9 @@ GRUB_MOD_INIT(linux)
 
 GRUB_MOD_FINI(linux)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_command (cmd_linux);
   grub_unregister_command (cmd_initrd);
 }

grub-core/loader/i386/pc/linux.c

@@ -36,6 +36,7 @@
 #include <grub/lib/cmdline.h>
 #include <grub/linux.h>
 #include <grub/safemath.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -487,6 +488,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
 
 GRUB_MOD_INIT(linux16)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_linux =
     grub_register_command ("linux", grub_cmd_linux,
 			   0, N_("Load Linux."));
@@ -504,6 +508,9 @@ GRUB_MOD_INIT(linux16)
 
 GRUB_MOD_FINI(linux16)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_command (cmd_linux);
   grub_unregister_command (cmd_linux16);
   grub_unregister_command (cmd_initrd);

grub-core/loader/multiboot.c

@@ -50,6 +50,7 @@
 #include <grub/video.h>
 #include <grub/memory.h>
 #include <grub/i18n.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -444,6 +445,9 @@ static grub_command_t cmd_multiboot, cmd_module;
 
 GRUB_MOD_INIT(multiboot)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_multiboot =
 #ifdef GRUB_USE_MULTIBOOT2
     grub_register_command ("multiboot2", grub_cmd_multiboot,
@@ -464,6 +468,9 @@ GRUB_MOD_INIT(multiboot)
 
 GRUB_MOD_FINI(multiboot)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   grub_unregister_command (cmd_multiboot);
   grub_unregister_command (cmd_module);
 }

grub-core/loader/xnu.c

@@ -35,6 +35,7 @@
 #include <grub/i18n.h>
 #include <grub/verify.h>
 #include <grub/safemath.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -1497,6 +1498,9 @@ static grub_extcmd_t cmd_splash;
 
 GRUB_MOD_INIT(xnu)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
   cmd_kernel = grub_register_command ("xnu_kernel", grub_cmd_xnu_kernel, 0,
 				      N_("Load XNU image."));
   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
@@ -1540,6 +1544,9 @@ GRUB_MOD_INIT(xnu)
 
 GRUB_MOD_FINI(xnu)
 {
+  if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+    return;
+
 #ifndef GRUB_MACHINE_EMU
   grub_unregister_command (cmd_resume);
 #endif

include/grub/efi/efi.h

@@ -91,7 +91,6 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
 				     const grub_efi_guid_t *guid,
 				     void *data,
 				     grub_size_t datasize);
-grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
 int
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
 					     const grub_efi_device_path_t *dp2);