d1a4631c13
root directory during PXE boot when grub is loaded from the tftp root
directory (bsc#1232391)
* 0001-kern-main-Fix-cmdpath-in-root-directory.patch
* grub2.spec: Refine PPC grub.elf early config to derive root from cmdpath
directly, avoiding the unneeded search
- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
- Restrict CLI access if the encrypted root device is automatically unlocked by
the TPM. LUKS password authentication is required for access to be granted
* 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Obsolete, as CLI access is now locked and granted access no longer requires
the previous restrictions
* 0002-Restrict-file-access-on-cryptodisk-print.patch
* 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
- Rediff
* 0004-Key-revocation-on-out-of-bound-file-access.patch
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=519
169 lines
4.4 KiB
Diff
169 lines
4.4 KiB
Diff
From 6547d22fc9e20720d1a896be82b2d50d842f86b0 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Mon, 20 Nov 2023 09:25:53 +0800
|
|
Subject: [PATCH 4/4] Key revocation on out of bound file access
|
|
|
|
After successful disk unlocking, grub now takes on the responsibility of
|
|
safeguarding passwords or TPM keys exclusively within authenticated
|
|
cryptodisk files. Any attempt to access boot-related files outside this
|
|
trust realm triggers immediate key revocation, preventing potential
|
|
compromise by out of bound access.
|
|
|
|
This patch strengthens security measures by restricting grub's access to
|
|
system boot files, except for essential internal processes like memdisk
|
|
and procfs, ensuring key protection against potential breaches due to
|
|
inadvertent customizations in grub.cfg.
|
|
|
|
Signed-Off-by Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/commands/crypttab.c | 36 +++++++++++++++++++++++++++++++++++
|
|
include/grub/file.h | 1 +
|
|
2 files changed, 37 insertions(+)
|
|
|
|
--- a/grub-core/commands/crypttab.c
|
|
+++ b/grub-core/commands/crypttab.c
|
|
@@ -6,6 +6,7 @@
|
|
#include <grub/mm.h>
|
|
#include <grub/list.h>
|
|
#include <grub/crypttab.h>
|
|
+#include <grub/file.h>
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
@@ -89,6 +90,41 @@
|
|
grub_cryptokey_discard();
|
|
}
|
|
|
|
+static grub_file_t
|
|
+grub_distrust_open (grub_file_t io,
|
|
+ enum grub_file_type type __attribute__ ((unused)))
|
|
+{
|
|
+ grub_disk_t disk = io->device->disk;
|
|
+
|
|
+ if (io->device->disk &&
|
|
+ (io->device->disk->dev->id == GRUB_DISK_DEVICE_MEMDISK_ID
|
|
+ || io->device->disk->dev->id == GRUB_DISK_DEVICE_PROCFS_ID))
|
|
+ return io;
|
|
+
|
|
+ /* Ensure second stage files is in a protected location or grub won't hand
|
|
+ * over the key and discards it */
|
|
+ switch (type & GRUB_FILE_TYPE_MASK)
|
|
+ {
|
|
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
|
+ case GRUB_FILE_TYPE_CONFIG:
|
|
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
|
+ case GRUB_FILE_TYPE_FONT:
|
|
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
|
+ case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
|
|
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
|
+ case GRUB_FILE_TYPE_LINUX_INITRD:
|
|
+ case GRUB_FILE_TYPE_LOADENV:
|
|
+ case GRUB_FILE_TYPE_THEME:
|
|
+ if (!disk || !grub_disk_is_crypto (disk))
|
|
+ grub_cryptokey_discard ();
|
|
+ break;
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+
|
|
+ return io;
|
|
+}
|
|
+
|
|
static grub_err_t
|
|
grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
|
|
int argc, char **argv)
|
|
@@ -121,6 +157,8 @@
|
|
{
|
|
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
|
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
|
+ grub_file_filter_register (GRUB_FILE_FILTER_DISTRUST, grub_distrust_open);
|
|
+ grub_dl_set_persistent (mod);
|
|
}
|
|
|
|
GRUB_MOD_FINI(crypttab)
|
|
--- a/include/grub/file.h
|
|
+++ b/include/grub/file.h
|
|
@@ -185,6 +185,7 @@
|
|
/* Filters with lower ID are executed first. */
|
|
typedef enum grub_file_filter_id
|
|
{
|
|
+ GRUB_FILE_FILTER_DISTRUST,
|
|
GRUB_FILE_FILTER_VERIFY,
|
|
GRUB_FILE_FILTER_GZIO,
|
|
GRUB_FILE_FILTER_XZIO,
|
|
--- a/grub-core/disk/diskfilter.c
|
|
+++ b/grub-core/disk/diskfilter.c
|
|
@@ -558,6 +558,39 @@
|
|
return NULL;
|
|
}
|
|
|
|
+static int
|
|
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
|
|
+{
|
|
+ struct grub_diskfilter_pv *pv;
|
|
+
|
|
+ if (!lv)
|
|
+ return 0;
|
|
+
|
|
+ if (lv->vg->pvs)
|
|
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
|
|
+ {
|
|
+ if (!pv->disk)
|
|
+ {
|
|
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
|
|
+ " Some modules may be missing from core image."),
|
|
+ pv->name);
|
|
+ continue;
|
|
+ }
|
|
+
|
|
+ switch (pv->disk->dev->id)
|
|
+ {
|
|
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
|
|
+ return 1;
|
|
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
|
|
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
|
|
+ default:
|
|
+ break;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ return 0;
|
|
+}
|
|
+
|
|
static grub_err_t
|
|
grub_diskfilter_open (const char *name, grub_disk_t disk)
|
|
{
|
|
@@ -589,6 +622,8 @@
|
|
|
|
disk->total_sectors = lv->size;
|
|
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
|
|
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
|
|
+
|
|
return 0;
|
|
}
|
|
|
|
--- a/include/grub/disk.h
|
|
+++ b/include/grub/disk.h
|
|
@@ -147,6 +147,8 @@
|
|
|
|
/* Device-specific data. */
|
|
void *data;
|
|
+
|
|
+ int is_crypto_diskfilter;
|
|
};
|
|
typedef struct grub_disk *grub_disk_t;
|
|
|
|
@@ -317,4 +319,12 @@
|
|
void grub_diskfilter_fini (void);
|
|
#endif
|
|
|
|
+static inline int
|
|
+grub_disk_is_crypto (grub_disk_t disk)
|
|
+{
|
|
+ return ((disk->is_crypto_diskfilter ||
|
|
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
|
|
+ 1 : 0);
|
|
+}
|
|
+
|
|
#endif /* ! GRUB_DISK_HEADER */
|