Accepting request 827964 from home:michael-chang:branches:Base:System

- Fix for CVE-2020-15705 (bsc#1174421) * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch * 0002-cmdline-Provide-cmdline-functions-as-module.patch OBS-URL: https://build.opensuse.org/request/show/827964 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=360
2020-08-20 03:33:06 +00:00 · 2020-08-20 03:33:06 +00:00 · 575991c6e5
commit 575991c6e5
parent 395f4bd1a9
4 changed files with 120 additions and 0 deletions
--- a/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+++ b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
@ -0,0 +1,53 @@
+From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 17 Aug 2020 17:09:01 +0800
+Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+This version of the patch skips calling verification, when booted
+without secureboot.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
+Also-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 61b2d5177..8017e8c05 100644
+--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
+@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+       goto fail;
+     }
+ 
+  if (grub_efi_secure_boot())
+    {
+      grub_dl_t mod;
+
+      mod = grub_dl_get ("shim_lock");
+      if (!mod)
+	{
+	  grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not loaded"));
+	  goto fail;
+	}
+      if (!grub_dl_is_persistent (mod))
+	{
+	  grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));
+	  goto fail;
+	}
+    }
+
+   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+   if (! file)
+     goto fail;
+-- 
+2.26.2
+
--- a/0002-cmdline-Provide-cmdline-functions-as-module.patch
+++ b/0002-cmdline-Provide-cmdline-functions-as-module.patch
@ -0,0 +1,54 @@
+From 42cb0ebbffd660608612f9e32150a6596c6933c4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 17 Aug 2020 17:25:56 +0800
+Subject: [PATCH 2/2] cmdline: Provide cmdline functions as module
+
+The command line processing is needed by many loader modules, hence we should
+make it a sharable one rather than belonging to linux loader. This can cut the
+dependency to linux module among multiple loaders like multiboot linuxefi and
+so on to make custom boot image much more flexible to compose.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/Makefile.core.def | 6 +++++-
+ grub-core/lib/cmdline.c     | 3 +++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index c413267a0..6045da47b 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -1790,7 +1790,6 @@ module = {
+   riscv64 = loader/riscv/linux.c;
+   emu = loader/emu/linux.c;
+   common = loader/linux.c;
+-  common = lib/cmdline.c;
+ };
+ 
+ module = {
+@@ -2518,3 +2517,8 @@ module = {
+   common = commands/i386/wrmsr.c;
+   enable = x86;
+ };
+
+module = {
+  name = cmdline;
+  common = lib/cmdline.c;
+};
+diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
+index ed0b149dc..bd392e30f 100644
+--- a/grub-core/lib/cmdline.c
+++ b/grub-core/lib/cmdline.c
+@@ -19,6 +19,9 @@
+ 
+ #include <grub/lib/cmdline.h>
+ #include <grub/misc.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static unsigned int check_arg (char *c, int *has_space)
+ {
+-- 
+2.26.2
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Aug 18 06:02:21 UTC 2020 - Michael Chang <mchang@suse.com>
+
+- Fix for CVE-2020-15705 (bsc#1174421) 
+  * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+  * 0002-cmdline-Provide-cmdline-functions-as-module.patch
+
 -------------------------------------------------------------------
 Thu Aug 13 06:41:16 UTC 2020 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -321,6 +321,10 @@ Patch712:       0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 # overflows in initrd size handling
 Patch713:       0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714:       0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715:       0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+Patch716:       0002-cmdline-Provide-cmdline-functions-as-module.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@ -637,6 +641,8 @@ swap partition while in resuming
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
+%patch716 -p1

 %build
 # collect evidence to debug spurious build failure on SLE15