From 8aecaf14b63c7ba3675af4f578b65b94bbcdb316862e314b7ea1182cd59b4fc4 Mon Sep 17 00:00:00 2001
From: Michael Chang
Date: Wed, 20 Mar 2024 06:15:31 +0000
Subject: [PATCH] Accepting request 1159260 from home:gary_lin:branches:Base:System
- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch to implement a blocklist in the key protector and check the unwanted UEFI variables (bsc#1220338)
OBS-URL: https://build.opensuse.org/request/show/1159260
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=494
---
 ...ey_protector-implement-the-blocklist.patch | 93 +++++++++++++++++++
 grub2.changes | 7 ++
 grub2.spec | 1 +
 3 files changed, 101 insertions(+)
 create mode 100644 grub2-bsc1220338-key_protector-implement-the-blocklist.patch
diff --git a/grub2-bsc1220338-key_protector-implement-the-blocklist.patch b/grub2-bsc1220338-key_protector-implement-the-blocklist.patch
new file mode 100644
index 0000000..c754b1e
--- /dev/null
+++ b/grub2-bsc1220338-key_protector-implement-the-blocklist.patch
@@ -0,0 +1,93 @@
+From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001
+From: Gary Lin
+Date: Mon, 18 Mar 2024 14:53:11 +0800
+Subject: [PATCH] key_protector: implement the blocklist
+
+Some architectures may need to do the additional check to avoid leaking
+the recovered key. This commit adds an additional check for the EFI
+system to detect the deprecated SystemdOptions variable. Once the
+variable is spotted, key_protector just returns without the further
+action for the key recovery.
+
+Signed-off-by: Gary Lin
+---
+ grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++
+ include/grub/efi/api.h | 5 +++++
+ 2 files changed, 36 insertions(+)
+
+Index: grub-2.12/grub-core/kern/protectors.c
+===================================================================
+--- grub-2.12.orig/grub-core/kern/protectors.c
++++ grub-2.12/grub-core/kern/protectors.c
+@@ -21,6 +21,10 @@
+ #include
+ #include
++#ifdef GRUB_MACHINE_EFI
++#include
++#endif
++
+ struct grub_key_protector *grub_key_protectors = NULL;
+
+ grub_err_t
+@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr
+ return GRUB_ERR_NONE;
+ }
+
++static grub_err_t
++grub_key_protector_check_blocklist (void)
++{
++#ifdef GRUB_MACHINE_EFI
++ static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
++ grub_efi_status_t status;
++ grub_size_t size = 0;
++ grub_uint8_t *systemdoptions = NULL;
++
++ /* SystemdOptions may contain malicious kernel command lines.
*/
++ status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
++ &size, (void **) &systemdoptions);
++ if (status != GRUB_EFI_NOT_FOUND)
++ {
++ grub_free (systemdoptions);
++ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
++ }
++#endif
++
++ return GRUB_ERR_NONE;
++}
++
+ grub_err_t
+ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
+ grub_size_t *key_size)
+ {
+ struct grub_key_protector *kp = NULL;
++ grub_err_t err;
+
+ if (grub_key_protectors == NULL)
+ return GRUB_ERR_OUT_OF_RANGE;
+@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch
+ "Is the name spelled correctly and is the "
+ "corresponding module loaded?"), protector);
+
++ err = grub_key_protector_check_blocklist ();
++ if (err != GRUB_ERR_NONE)
++ return err;
++
+ return kp->recover_key (key, key_size);
+ }
+Index: grub-2.12/include/grub/efi/api.h
+===================================================================
+--- grub-2.12.orig/include/grub/efi/api.h
++++ grub-2.12/include/grub/efi/api.h
+@@ -389,6 +389,11 @@
+ { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
+ }
+
++#define GRUB_EFI_SYSTEMD_GUID \
++ { 0x8cf2644b, 0x4b0b, 0x428f, \
++ { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
++ }
++
+ struct grub_efi_sal_system_table
+ {
+ grub_uint32_t signature;
diff --git a/grub2.changes b/grub2.changes
index 23a472d..d8bd6cd 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin
+
+- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+ to implement a blocklist in the key protector and check the
+ unwanted UEFI variables (bsc#1220338)
+
 -------------------------------------------------------------------
 Tue Mar 5 06:53:25 UTC 2024 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index bd30138..1cf83c3 100644
--- a/grub2.spec
+++ b/grub2.spec
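Review bot: grub_key_protector_check_blocklist denies recovery on every status other than GRUB_EFI_NOT_FOUND, so a lookup that fails for an unrelated reason (firmware returning GRUB_EFI_DEVICE_ERROR, or an allocation failure inside grub_efi_get_variable) is reported to the user as `SystemdOptions detected` although nothing was found. Failing closed when the variable cannot be checked is the right default for code that gates a disk-unlock key, but the new function carries no comment saying that this is intended, and the name "blocklist" with a single hard-coded entry will invite the next variable to be bolted on as another ad-hoc branch rather than a table. State the intent above the call, e.g. `/* Any status other than NOT_FOUND denies recovery: an existing variable is the blocklisted case, and a lookup that failed is treated the same way rather than trusting an unknown firmware state.  */`, and consider handling GRUB_EFI_SUCCESS separately so the message only claims detection when the variable was actually read, e.g. `else if (status != GRUB_EFI_NOT_FOUND)` / `return grub_error (GRUB_ERR_ACCESS_DENIED, N_("unable to check for SystemdOptions"));` (message wording is a constructed example). The call is placed in grub_key_protector_recover_key after the protector lookup, so it runs for every protector on every recovery; the middle of that function lies between the two inner hunks and is not shown here.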
@@ -402,6 +402,7 @@ Patch208: 0006-Follow-the-device-where-blscfg-is-discovered.patch
 Patch209: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
 Patch210: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
 Patch211: 0009-10_linux-Some-refinement-for-BLS.patch
+Patch212: grub2-bsc1220338-key_protector-implement-the-blocklist.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140