97 lines
2.8 KiB
Diff
97 lines
2.8 KiB
Diff
|
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
|
||
|
From: Gary Lin <glin@suse.com>
|
||
|
Date: Mon, 18 Mar 2024 14:53:11 +0800
|
||
|
Subject: [PATCH] key_protector: implement the blocklist
|
||
|
|
||
|
Some architectures may need to do the additional check to avoid leaking
|
||
|
the recovered key. This commit adds an additional check for the EFI
|
||
|
system to detect the deprecated SystemdOptions variable. Once the
|
||
|
variable is spotted, key_protector just returns without the further
|
||
|
action for the key recovery.
|
||
|
|
||
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||
|
---
|
||
|
grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
|
||
|
include/grub/efi/api.h | 5 +++++
|
||
|
2 files changed, 36 insertions(+)
|
||
|
|
||
|
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
||
|
index b84afe1c7..3d630ca4f 100644
|
||
|
--- a/grub-core/disk/key_protector.c
|
||
|
+++ b/grub-core/disk/key_protector.c
|
||
|
@@ -24,6 +24,10 @@
|
||
|
|
||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||
|
|
||
|
+#ifdef GRUB_MACHINE_EFI
|
||
|
+#include <grub/efi/efi.h>
|
||
|
+#endif
|
||
|
+
|
||
|
struct grub_key_protector *grub_key_protectors = NULL;
|
||
|
|
||
|
grub_err_t
|
||
|
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
|
||
|
return GRUB_ERR_NONE;
|
||
|
}
|
||
|
|
||
|
+static grub_err_t
|
||
|
+grub_key_protector_check_blocklist (void)
|
||
|
+{
|
||
|
+#ifdef GRUB_MACHINE_EFI
|
||
|
+ static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
|
||
|
+ grub_efi_status_t status;
|
||
|
+ grub_size_t size = 0;
|
||
|
+ grub_uint8_t *systemdoptions = NULL;
|
||
|
+
|
||
|
+ /* SystemdOptions may contain malicious kernel command lines. */
|
||
|
+ status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
|
||
|
+ &size, (void **) &systemdoptions);
|
||
|
+ if (status != GRUB_EFI_NOT_FOUND)
|
||
|
+ {
|
||
|
+ grub_free (systemdoptions);
|
||
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
|
||
|
+ }
|
||
|
+#endif
|
||
|
+
|
||
|
+ return GRUB_ERR_NONE;
|
||
|
+}
|
||
|
+
|
||
|
grub_err_t
|
||
|
grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
|
||
|
grub_size_t *key_size)
|
||
|
{
|
||
|
struct grub_key_protector *kp = NULL;
|
||
|
+ grub_err_t err;
|
||
|
|
||
|
if (grub_key_protectors == NULL)
|
||
|
return GRUB_ERR_OUT_OF_RANGE;
|
||
|
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
|
||
|
"Is the name spelled correctly and is the "
|
||
|
"corresponding module loaded?"), protector);
|
||
|
|
||
|
+ err = grub_key_protector_check_blocklist ();
|
||
|
+ if (err != GRUB_ERR_NONE)
|
||
|
+ return err;
|
||
|
+
|
||
|
return kp->recover_key (key, key_size);
|
||
|
}
|
||
|
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
|
||
|
index 7947cf592..975b90b09 100644
|
||
|
--- a/include/grub/efi/api.h
|
||
|
+++ b/include/grub/efi/api.h
|
||
|
@@ -389,6 +389,11 @@
|
||
|
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
|
||
|
}
|
||
|
|
||
|
+#define GRUB_EFI_SYSTEMD_GUID \
|
||
|
+ { 0x8cf2644b, 0x4b0b, 0x428f, \
|
||
|
+ { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
|
||
|
+ }
|
||
|
+
|
||
|
struct grub_efi_sal_system_table
|
||
|
{
|
||
|
grub_uint32_t signature;
|
||
|
--
|
||
|
2.35.3
|
||
|
|