Accepting request 1159260 from home:gary_lin:branches:Base:System

- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch to implement a blocklist in the key protector and check the unwanted UEFI variables (bsc#1220338) OBS-URL: https://build.opensuse.org/request/show/1159260 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=494
2024-03-20 06:15:31 +00:00 · 2024-03-20 06:15:31 +00:00 · 8aecaf14b6
commit 8aecaf14b6
parent 7615045004
3 changed files with 101 additions and 0 deletions
--- a/grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+++ b/grub2-bsc1220338-key_protector-implement-the-blocklist.patch
@ -0,0 +1,93 @@
+From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Mon, 18 Mar 2024 14:53:11 +0800
+Subject: [PATCH] key_protector: implement the blocklist
+
+Some architectures may need to do the additional check to avoid leaking
+the recovered key. This commit adds an additional check for the EFI
+system to detect the deprecated SystemdOptions variable. Once the
+variable is spotted, key_protector just returns without the further
+action for the key recovery.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++
+ include/grub/efi/api.h      |  5 +++++
+ 2 files changed, 36 insertions(+)
+
+Index: grub-2.12/grub-core/kern/protectors.c
+===================================================================
+--- grub-2.12.orig/grub-core/kern/protectors.c
+++ grub-2.12/grub-core/kern/protectors.c
+@@ -21,6 +21,10 @@
+ #include <grub/mm.h>
+ #include <grub/protector.h>
+ 
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
+ struct grub_key_protector *grub_key_protectors = NULL;
+ 
+ grub_err_t
+@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr
+   return GRUB_ERR_NONE;
+ }
+ 
+static grub_err_t
+grub_key_protector_check_blocklist (void)
+{
+#ifdef GRUB_MACHINE_EFI
+  static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
+  grub_efi_status_t status;
+  grub_size_t size = 0;
+  grub_uint8_t *systemdoptions = NULL;
+
+  /* SystemdOptions may contain malicious kernel command lines. */
+  status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
+				  &size, (void **) &systemdoptions);
+  if (status != GRUB_EFI_NOT_FOUND)
+  {
+    grub_free (systemdoptions);
+    return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
+  }
+#endif
+
+  return GRUB_ERR_NONE;
+}
+
+ grub_err_t
+ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
+ 				grub_size_t *key_size)
+ {
+   struct grub_key_protector *kp = NULL;
+  grub_err_t err;
+ 
+   if (grub_key_protectors == NULL)
+     return GRUB_ERR_OUT_OF_RANGE;
+@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch
+ 			  "Is the name spelled correctly and is the "
+ 			  "corresponding module loaded?"), protector);
+ 
+  err = grub_key_protector_check_blocklist ();
+  if (err != GRUB_ERR_NONE)
+    return err;
+
+   return kp->recover_key (key, key_size);
+ }
+Index: grub-2.12/include/grub/efi/api.h
+===================================================================
+--- grub-2.12.orig/include/grub/efi/api.h
+++ grub-2.12/include/grub/efi/api.h
+@@ -389,6 +389,11 @@
+       { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
+   }
+ 
+#define GRUB_EFI_SYSTEMD_GUID \
+  { 0x8cf2644b, 0x4b0b, 0x428f, \
+    { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
+  }
+
+ struct grub_efi_sal_system_table
+ {
+   grub_uint32_t signature;
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
+
+- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+  to implement a blocklist in the key protector and check the
+  unwanted UEFI variables (bsc#1220338)
+
 -------------------------------------------------------------------
 Tue Mar  5 06:53:25 UTC 2024 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -402,6 +402,7 @@ Patch208:       0006-Follow-the-device-where-blscfg-is-discovered.patch
 Patch209:       0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
 Patch210:       0008-blscfg-reading-bls-fragments-if-boot-present.patch
 Patch211:       0009-10_linux-Some-refinement-for-BLS.patch
+Patch212:       grub2-bsc1220338-key_protector-implement-the-blocklist.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140