pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
a79c01f92a
grub2/0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
Michael Chang be3181b1eb Accepting request 876326 from home:michael-chang:branches:Base:System 
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
  * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  * 0036-util-mkimage-Improve-data_size-value-calculation.patch
  * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  * 0039-grub-install-common-Add-sbat-option.patch
- Fix CVE-2021-20225 (bsc#1182262)
  * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
- Fix CVE-2020-27749 (bsc#1179264)
  * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
  * 0025-kern-parser-Fix-a-memory-leak.patch
  * 0026-kern-parser-Introduce-process_char-helper.patch
  * 0027-kern-parser-Introduce-terminate_arg-helper.patch
  * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
  * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
- Fix CVE-2021-20233 (bsc#1182263)
  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
- Fix CVE-2020-25647 (bsc#1177883)
  * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
- Fix CVE-2020-25632 (bsc#1176711)
  * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
  * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch

OBS-URL: https://build.opensuse.org/request/show/876326
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=374
2021-03-03 01:40:50 +00:00

50 lines
1.6 KiB
Diff
Raw Blame History

From a255fd33e08015335aeac619348536b5fda8303e Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:29 +0200
Subject: [PATCH 11/46] efi: Lockdown the GRUB when the UEFI Secure Boot is
enabled
If the UEFI Secure Boot is enabled then the GRUB must be locked down
to prevent executing code that can potentially be used to subvert its
verification mechanisms.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/efi/init.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 9c143eed7..08ef2b8f4 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -21,6 +21,7 @@
#include <grub/efi/console.h>
#include <grub/efi/disk.h>
#include <grub/efi/sb.h>
+#include <grub/lockdown.h>
#include <grub/term.h>
#include <grub/misc.h>
#include <grub/env.h>
@@ -41,8 +42,15 @@ grub_efi_init (void)
/* Initialize the memory management system. */
grub_efi_mm_init ();
- /* Register the shim_lock verifier if UEFI Secure Boot is enabled. */
- grub_shim_lock_verifier_setup ();
+ /*
+ * Lockdown the GRUB and register the shim_lock verifier
+ * if the UEFI Secure Boot is enabled.
+ */
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ {
+ grub_lockdown ();
+ grub_shim_lock_verifier_setup ();
+ }
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
0, 0, 0, NULL);
--
2.26.2
Reference in New Issue View Git Blame Copy Permalink