From 0533bfb9bfa6f963dee0d39fc94c1d3969f824aa Mon Sep 17 00:00:00 2001
From: mickael e
Date: Thu, 7 Nov 2019 11:45:00 -0500
Subject: [PATCH] Add noefi to kernel command line

Since we use CONFIG_PAX_KERNEXEC, it is recommended we pass noefi to the commandline as EFI runtime are mapped RWX.
---
 install_files/securedrop-grsec/DEBIAN/postinst | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/install_files/securedrop-grsec/DEBIAN/postinst b/install_files/securedrop-grsec/DEBIAN/postinst
index 526883bb009..6591a2b4d5f 100755
--- a/install_files/securedrop-grsec/DEBIAN/postinst
+++ b/install_files/securedrop-grsec/DEBIAN/postinst
@@ -23,6 +23,11 @@ case "$1" in
 # highest kernel version. Any kernel provided by apt.freedom.press must
 # suprecede the ones provided by Ubuntu.
 sed -i '/^GRUB_DEFAULT=/s/=.*/=0/' /etc/default/grub
+ # When using CONFIG_PAX_KERNEXEC, the grsecurity team recommends the kernel
+ # is booted with "noefi" on the kernel command line if "CONFIG_EFI" is
+ # enabled, as EFI runtime services are necessarily mapped as RWX.
+ sed -i '/^GRUB_CMDLINE_LINUX_DEFAULT=/s/=.*/=\"noefi\"/' /etc/default/grub
+ update-grub
 ;;