From 575991c6e565fd9aa095e2b0d0c5addecb62207f355868f1f4c0217876ec3b1a Mon Sep 17 00:00:00 2001
From: Michael Chang
Date: Thu, 20 Aug 2020 03:33:06 +0000
Subject: [PATCH] Accepting request 827964 from home:michael-chang:branches:Base:System
- Fix for CVE-2020-15705 (bsc#1174421)
* 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
* 0002-cmdline-Provide-cmdline-functions-as-module.patch
OBS-URL: https://build.opensuse.org/request/show/827964
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=360
---
 ...rnel-validation-without-shim-protoco.patch | 53 ++++++++++++++++++
 ...-Provide-cmdline-functions-as-module.patch | 54 +++++++++++++++++++
 grub2.changes | 7 +++
 grub2.spec | 6 +++
 4 files changed, 120 insertions(+)
 create mode 100644 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 create mode 100644 0002-cmdline-Provide-cmdline-functions-as-module.patch
diff --git a/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
new file mode 100644
index 0000000..2400a54
--- /dev/null
+++ b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
@@ -0,0 +1,53 @@
+From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 17 Aug 2020 17:09:01 +0800
+Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+This version of the patch skips calling verification, when booted
+without secureboot.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre
+Also-by: Dimitri John Ledkov
+Signed-off-by: Michael Chang
+---
+ grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 61b2d5177..8017e8c05 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+
++ if (grub_efi_secure_boot())
++ {
++ grub_dl_t mod;
++
++ mod = grub_dl_get ("shim_lock");
++ if (!mod)
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not loaded"));
++ goto fail;
++ }
++ if (!grub_dl_is_persistent (mod))
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));
++ goto fail;
++ }
++ }
++
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+ if (! file)
+ goto fail;
+--
+2.26.2
+
diff --git a/0002-cmdline-Provide-cmdline-functions-as-module.patch b/0002-cmdline-Provide-cmdline-functions-as-module.patch
new file mode 100644
index 0000000..12dae60
--- /dev/null
+++ b/0002-cmdline-Provide-cmdline-functions-as-module.patch
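Review bot: The Secure Boot guard added to grub_cmd_linux keeps its rationale only in the commit message, so a comment above the `if (grub_efi_secure_boot())` line should state it, e.g. `/* Under Secure Boot, refuse to load a kernel unless the shim_lock verifier is loaded and bound to the shim protocol; otherwise the kernel would be booted without signature validation (CVE-2020-15705). */`. That call is also written without the space before the parenthesis that the rest of the hunk uses (`grub_dl_get ("shim_lock")`, `grub_dl_is_persistent (mod)`), so `grub_efi_secure_boot ()` would match the file's GNU style. Both new `goto fail` jumps happen before `file` is opened, so they depend on the `fail:` cleanup tolerating an unopened file; that label, and the start and end of grub_cmd_linux, lie outside the hunk. Whether a non-persistent `shim_lock` module really means the shim protocol is absent is inferred from the error text, not shown here.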
@@ -0,0 +1,54 @@
+From 42cb0ebbffd660608612f9e32150a6596c6933c4 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 17 Aug 2020 17:25:56 +0800
+Subject: [PATCH 2/2] cmdline: Provide cmdline functions as module
+
+The command line processing is needed by many loader modules, hence we should
+make it a sharable one rather than belonging to linux loader. This can cut the
+dependency to linux module among multiple loaders like multiboot linuxefi and
+so on to make custom boot image much more flexible to compose.
+
+Signed-off-by: Michael Chang
+---
+ grub-core/Makefile.core.def | 6 +++++-
+ grub-core/lib/cmdline.c | 3 +++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index c413267a0..6045da47b 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -1790,7 +1790,6 @@ module = {
+ riscv64 = loader/riscv/linux.c;
+ emu = loader/emu/linux.c;
+ common = loader/linux.c;
+- common = lib/cmdline.c;
+ };
+
+ module = {
+@@ -2518,3 +2517,8 @@ module = {
+ common = commands/i386/wrmsr.c;
+ enable = x86;
+ };
++
++module = {
++ name = cmdline;
++ common = lib/cmdline.c;
++};
+diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
+index ed0b149dc..bd392e30f 100644
+--- a/grub-core/lib/cmdline.c
++++ b/grub-core/lib/cmdline.c
+@@ -19,6 +19,9 @@
+
+ #include
+ #include
++#include
++
++GRUB_MOD_LICENSE ("GPLv3+");
+
+ static unsigned int check_arg (char *c, int *has_space)
+ {
+--
+2.26.2
+
diff --git a/grub2.changes b/grub2.changes
index 7a89503..f47cc30 100644
--- a/grub2.changes
+++ b/grub2.changes
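Review bot: The added `#include` line in lib/cmdline.c shows no header name on this page (nor do the two existing includes), so the hunk as rendered cannot be checked for which header provides `GRUB_MOD_LICENSE`; in GRUB that macro lives in `grub/dl.h`, so the line should read `#include <grub/dl.h>` if the name was merely lost in rendering. Splitting lib/cmdline.c out of the `linux` module into a new `cmdline` module means every loader that previously reached it through `linux` now needs `cmdline` at load time; GRUB normally derives that from symbol references into moddep.lst, but it is worth confirming that images built with an explicit module list still pull it in. The new module block in Makefile.core.def has no `enable` clause, which is consistent with the `common =` source it carries over.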
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 18 06:02:21 UTC 2020 - Michael Chang
+
+- Fix for CVE-2020-15705 (bsc#1174421)
+ * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+ * 0002-cmdline-Provide-cmdline-functions-as-module.patch
+
 -------------------------------------------------------------------
 Thu Aug 13 06:41:16 UTC 2020 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index e320615..06a89d4 100644
--- a/grub2.spec
+++ b/grub2.spec
@@ -321,6 +321,10 @@ Patch712: 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 # overflows in initrd size handling
 Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714: 0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715: 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -637,6 +641,8 @@ swap partition while in resuming
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
+%patch716 -p1
 %build
 # collect evidence to debug spurious build failure on SLE15
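Review bot: Patch716 is filed under the `# bsc#1174421 VUL-0: CVE-2020-15705` comment in the first spec hunk, yet the 0002 patch it names describes itself as a build restructuring that makes cmdline a shareable module rather than part of the validation fix, so the comment should say why the split is needed alongside Patch715, e.g. `# 0002: cmdline as its own module, so loaders no longer depend on the linux module` — worded to whatever the actual reason is, since the spec does not state it. The `%patch715 -p1` and `%patch716 -p1` lines in the second hunk apply the patches in declaration order, consistent with the surrounding series.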