grub-devel
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[PATCH requesting feedback] resuce: allow disabling of the grub resuce s

From: andreas
Subject: [PATCH requesting feedback] resuce: allow disabling of the grub resuce shell
Date: Thu, 2 May 2019 00:06:56 +0200 
From: Andreas Rammhold <address@hidden>

Kindly requesting your feedback on the below diff.

In some setups it might be desirable to disable access to the grub
rescue shell. One of those environments is when your all your
filesystems - besides a small EFI partition - are encrypted and you are
using secure boot to restrict the payloads that UEFI accepts.

The current implementation adds a new variable to the embedded
configuration sections. If the variable is present and starts with a
'y'-character the option is considered to be active. Upon entering the
rescue shell it will just spin in circles (while(1);) if the said option
is active. If the option is not set or set to a value that does not
start with a 'y' the old behaviour is unchanged.

I hacked this together very quickly and do not consider it fit for
merging yet. I would at least want a way to tell grub-install to toggle
the new environment variable. And it probably requires some kind of
documentation.
---
 grub-core/kern/rescue_reader.c | 34 +++++++++++++++++++++++-----------
 util/grub-install.c            |  1 +
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
index dcd7d4439..03a4e2852 100644
--- a/grub-core/kern/rescue_reader.c
+++ b/grub-core/kern/rescue_reader.c
@@ -78,21 +78,33 @@ grub_rescue_read_line (char **line, int cont,
 void __attribute__ ((noreturn))
 grub_rescue_run (void)
 {
-  grub_printf ("Entering rescue mode...\n");
+  const char *disable_rescue_mode;
 
-  while (1)
+  disable_rescue_mode = grub_env_get ("disable_rescue_mode");
+
+  if (!disable_rescue_mode || disable_rescue_mode[0] != 'y')
     {
-      char *line;
+      grub_printf ("Entering rescue mode...\n");
+
+      while (1)
+        {
+          char *line;
 
-      /* Print an error, if any.  */
-      grub_print_error ();
-      grub_errno = GRUB_ERR_NONE;
+          /* Print an error, if any.  */
+          grub_print_error ();
+          grub_errno = GRUB_ERR_NONE;
 
-      grub_rescue_read_line (&line, 0, NULL);
-      if (! line || line[0] == '\0')
-       continue;
+          grub_rescue_read_line (&line, 0, NULL);
+          if (! line || line[0] == '\0')
+            continue;
 
-      grub_rescue_parse_line (line, grub_rescue_read_line, NULL);
-      grub_free (line);
+          grub_rescue_parse_line (line, grub_rescue_read_line, NULL);
+          grub_free (line);
+        }
+    }
+  else
+    {
+      grub_printf ("Not entering rescue mode.\n");
+      while (1);
     }
 }
diff --git a/util/grub-install.c b/util/grub-install.c
index 4a0a66168..16eda74c3 100644
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -530,6 +530,7 @@ probe_cryptodisk_uuid (grub_disk_t disk)
        load_cfg_f = grub_util_fopen (load_cfg, "wb");
       have_load_cfg = 1;
 
+      fprintf (load_cfg_f, "set disable_rescue_mode=yes\n");
       fprintf (load_cfg_f, "cryptomount -u %s\n",
              uuid);
     }
-- 
2.21.0
reply via email to
[Prev in Thread] Current Thread [Next in Thread]