9b87c1a6f8
* 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch * 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch - Replaced patches * 0007-mkimage-create-new-ELF-Note-for-SBAT.patch * 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch - Fix missing requires in SLE package (bsc#1234264) (bsc#1234272) OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=526
94 lines
2.8 KiB
Diff
94 lines
2.8 KiB
Diff
From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
|
|
From: Gary Lin <glin@suse.com>
|
|
Date: Mon, 18 Mar 2024 14:53:11 +0800
|
|
Subject: [PATCH] key_protector: implement the blocklist
|
|
|
|
Some architectures may need to do the additional check to avoid leaking
|
|
the recovered key. This commit adds an additional check for the EFI
|
|
system to detect the deprecated SystemdOptions variable. Once the
|
|
variable is spotted, key_protector just returns without the further
|
|
action for the key recovery.
|
|
|
|
Signed-off-by: Gary Lin <glin@suse.com>
|
|
---
|
|
grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
|
|
include/grub/efi/api.h | 5 +++++
|
|
2 files changed, 36 insertions(+)
|
|
|
|
Index: grub-2.12/grub-core/disk/key_protector.c
|
|
===================================================================
|
|
--- grub-2.12.orig/grub-core/disk/key_protector.c
|
|
+++ grub-2.12/grub-core/disk/key_protector.c
|
|
@@ -25,6 +25,10 @@
|
|
|
|
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
|
+#ifdef GRUB_MACHINE_EFI
|
|
+#include <grub/efi/efi.h>
|
|
+#endif
|
|
+
|
|
struct grub_key_protector *grub_key_protectors = NULL;
|
|
|
|
grub_err_t
|
|
@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
|
|
return GRUB_ERR_NONE;
|
|
}
|
|
|
|
+static grub_err_t
|
|
+grub_key_protector_check_blocklist (void)
|
|
+{
|
|
+#ifdef GRUB_MACHINE_EFI
|
|
+ static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
|
|
+ grub_efi_status_t status;
|
|
+ grub_size_t size = 0;
|
|
+ grub_uint8_t *systemdoptions = NULL;
|
|
+
|
|
+ /* SystemdOptions may contain malicious kernel command lines. */
|
|
+ status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
|
|
+ &size, (void **) &systemdoptions);
|
|
+ if (status != GRUB_EFI_NOT_FOUND)
|
|
+ {
|
|
+ grub_free (systemdoptions);
|
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
|
|
+ }
|
|
+#endif
|
|
+
|
|
+ return GRUB_ERR_NONE;
|
|
+}
|
|
+
|
|
grub_err_t
|
|
grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
|
|
grub_size_t *key_size)
|
|
{
|
|
struct grub_key_protector *kp = NULL;
|
|
+ grub_err_t err;
|
|
|
|
if (grub_key_protectors == NULL)
|
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
|
|
@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
|
|
if (kp == NULL)
|
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
|
|
|
|
+ err = grub_key_protector_check_blocklist ();
|
|
+ if (err != GRUB_ERR_NONE)
|
|
+ return err;
|
|
+
|
|
return kp->recover_key (key, key_size);
|
|
}
|
|
Index: grub-2.12/include/grub/efi/api.h
|
|
===================================================================
|
|
--- grub-2.12.orig/include/grub/efi/api.h
|
|
+++ grub-2.12/include/grub/efi/api.h
|
|
@@ -389,6 +389,11 @@
|
|
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
|
|
}
|
|
|
|
+#define GRUB_EFI_SYSTEMD_GUID \
|
|
+ { 0x8cf2644b, 0x4b0b, 0x428f, \
|
|
+ { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
|
|
+ }
|
|
+
|
|
struct grub_efi_sal_system_table
|
|
{
|
|
grub_uint32_t signature;
|