From 70b29cb739f258a8b90d59f581aeeceef4e22e19 Mon Sep 17 00:00:00 2001
From: Mate Kukri
Date: Wed, 6 Dec 2023 15:49:42 +0000
Subject: [PATCH] d/p: Disable-the-Shell-when-SecureBoot-is-enabled.patch: Disable the Shell when SecureBoot is enabled and not in SetupMode (LP: #2040137)
---
 ...the-Shell-when-SecureBoot-is-enabled.patch | 94 +++++++++++++++++++
 debian/patches/series | 1 +
 2 files changed, 95 insertions(+)
 create mode 100644 debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch
diff --git a/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch b/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch
new file mode 100644
index 0000000000..45aeb8dbd8
--- /dev/null
+++ b/debian/patches/Disable-the-Shell-when-SecureBoot-is-enabled.patch
@@ -0,0 +1,94 @@
+From: Mate Kukri
+Date: Wed, 6 Dec 2023 15:47:42 +0000
+Subject: Shell: Disable the Shell when SecureBoot is enabled and not in
+ SetupMode
+
+Signed-off-by: Mate Kukri
+---
+ ShellPkg/Application/Shell/Shell.c | 14 ++++++++++++++
+ ShellPkg/Application/Shell/Shell.h | 3 +++
+ ShellPkg/Application/Shell/Shell.inf | 2 ++
+ ShellPkg/ShellPkg.dsc | 1 +
+ 4 files changed, 20 insertions(+)
+
+diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
+index f95c799..502013d 100644
+--- a/ShellPkg/Application/Shell/Shell.c
++++ b/ShellPkg/Application/Shell/Shell.c
+@@ -357,6 +357,20 @@ UefiMain (
+ EFI_HANDLE ConInHandle;
+ EFI_SIMPLE_TEXT_INPUT_PROTOCOL *OldConIn;
+ SPLIT_LIST *Split;
++ UINT8 SetupMode;
++
++ //
++ // Check for Secure Boot mode
++ //
++ if (IsSecureBootEnabled()) {
++ Status = GetSetupMode (&SetupMode);
++ if (EFI_ERROR (Status)) {
++ return (Status);
++ }
++ if (SetupMode != 1) {
++ return (EFI_SECURITY_VIOLATION);
++ }
++ }
+
+ if (PcdGet8 (PcdShellSupportLevel) > 3) {
+ return (EFI_UNSUPPORTED);
+diff --git a/ShellPkg/Application/Shell/Shell.h b/ShellPkg/Application/Shell/Shell.h
+index 89b4ac6..595ec79 100644
+--- a/ShellPkg/Application/Shell/Shell.h
++++ b/ShellPkg/Application/Shell/Shell.h
+@@ -11,9 +11,11 @@
+ #define _SHELL_INTERNAL_HEADER_
+
+ #include
++#include
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -42,6 +44,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "ShellParametersProtocol.h"
+ #include "ShellProtocol.h"
+diff --git a/ShellPkg/Application/Shell/Shell.inf b/ShellPkg/Application/Shell/Shell.inf
+index f1e41de..340585f 100644
+--- a/ShellPkg/Application/Shell/Shell.inf
++++ b/ShellPkg/Application/Shell/Shell.inf
+@@ -47,6 +47,7 @@
+ MdePkg/MdePkg.dec
+ ShellPkg/ShellPkg.dec
+ MdeModulePkg/MdeModulePkg.dec
++ SecurityPkg/SecurityPkg.dec
+
+ [LibraryClasses]
+ BaseLib
+@@ -66,6 +67,7 @@
+ SortLib
+ HandleParsingLib
+ UefiHiiServicesLib
++ 
SecureBootVariableLib
+
+ [Guids]
+ gShellVariableGuid ## SOMETIMES_CONSUMES ## GUID
+diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc
+index dd0d886..28d6a87 100644
+--- a/ShellPkg/ShellPkg.dsc
++++ b/ShellPkg/ShellPkg.dsc
+@@ -64,6 +64,7 @@
+ DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
+ DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
+ ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
++ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
+
+ [LibraryClasses.ARM,LibraryClasses.AARCH64]
+ #
diff --git a/debian/patches/series b/debian/patches/series
index c18b4e8e0e..acede6988d 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@ brotlicompress-disable.diff
 x64-baseline-abi.patch
 Revert-ArmVirtPkg-make-EFI_LOADER_DATA-non-executabl.patch
 ArmVirtPkg-disable-the-EFI_MEMORY_ATTRIBUTE-protocol.patch
+Disable-the-Shell-when-SecureBoot-is-enabled.patch
-- 
2.39.2
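Review bot: The refusal in the Shell.c hunk of the new patch file is silent: `return (EFI_SECURITY_VIOLATION);` leaves UefiMain before any console output, so a user who selected the shell under enforced Secure Boot gets no indication of why it did not start, and a one-line message (or at least a DEBUG print) before that return would make the policy observable. The bare `1` in `if (SetupMode != 1)` would read better as `SETUP_MODE` from Guid/ImageAuthentication.h, provided that header is among the three includes added to Shell.h (their targets are stripped in this copy). The block comment above the check should also record the intent and the fail-open case, along the lines of `// Refuse to start under enforced Secure Boot: the shell's raw memory, variable and device access would bypass the signed boot chain. Setup Mode (no PK enrolled) is allowed through; if the SecureBoot variable is absent, IsSecureBootEnabled() presumably reports disabled, so the gate is open then too (as for every other consumer of that variable).` The `Status` declaration and the rest of UefiMain lie outside the hunk.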