pool/grub2
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ab2369bc04
grub2/grub2-bsc1220338-key_protector-implement-the-blocklist.patch
Michael Chang 53da76e569 Accepting request 1174325 from home:gary_lin:branches:Base:System 
- Update to the latest upstreaming TPM2 patches
  * 0001-key_protector-Add-key-protectors-framework.patch
    - Replace 0001-protectors-Add-key-protectors-framework.patch
  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
    - Merge other TSS patches
      * 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
      * 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
      * 0003-tpm2-Implement-more-TPM2-commands.patch
  * 0003-key_protector-Add-TPM2-Key-Protector.patch
    - Replace 0003-protectors-Add-TPM2-Key-Protector.patch
  * 0004-cryptodisk-Support-key-protectors.patch
  * 0005-util-grub-protect-Add-new-tool.patch
  * 0001-tpm2-Support-authorized-policy.patch
    - Replace 0004-tpm2-Support-authorized-policy.patch
  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
  * 0001-tpm2-Implement-NV-index.patch
    - Replace 0001-protectors-Implement-NV-index.patch
  * 0002-cryptodisk-Fallback-to-passphrase.patch
  * 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
  * 0004-diskfilter-look-up-cryptodisk-devices-first.patch
- Refresh affected patches
  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
- New manpage for grub2-protect

OBS-URL: https://build.opensuse.org/request/show/1174325
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=504
2024-05-16 07:26:55 +00:00

97 lines
2.8 KiB
Diff
Raw Blame History

From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 18 Mar 2024 14:53:11 +0800
Subject: [PATCH] key_protector: implement the blocklist
Some architectures may need to do the additional check to avoid leaking
the recovered key. This commit adds an additional check for the EFI
system to detect the deprecated SystemdOptions variable. Once the
variable is spotted, key_protector just returns without the further
action for the key recovery.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
include/grub/efi/api.h | 5 +++++
2 files changed, 36 insertions(+)
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
index b84afe1c7..3d630ca4f 100644
--- a/grub-core/disk/key_protector.c
+++ b/grub-core/disk/key_protector.c
@@ -24,6 +24,10 @@
GRUB_MOD_LICENSE ("GPLv3+");
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
struct grub_key_protector *grub_key_protectors = NULL;
grub_err_t
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
return GRUB_ERR_NONE;
}
+static grub_err_t
+grub_key_protector_check_blocklist (void)
+{
+#ifdef GRUB_MACHINE_EFI
+ static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
+ grub_efi_status_t status;
+ grub_size_t size = 0;
+ grub_uint8_t *systemdoptions = NULL;
+
+ /* SystemdOptions may contain malicious kernel command lines. */
+ status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
+ &size, (void **) &systemdoptions);
+ if (status != GRUB_EFI_NOT_FOUND)
+ {
+ grub_free (systemdoptions);
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
+ }
+#endif
+
+ return GRUB_ERR_NONE;
+}
+
grub_err_t
grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
grub_size_t *key_size)
{
struct grub_key_protector *kp = NULL;
+ grub_err_t err;
if (grub_key_protectors == NULL)
return GRUB_ERR_OUT_OF_RANGE;
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
"Is the name spelled correctly and is the "
"corresponding module loaded?"), protector);
+ err = grub_key_protector_check_blocklist ();
+ if (err != GRUB_ERR_NONE)
+ return err;
+
return kp->recover_key (key, key_size);
}
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 7947cf592..975b90b09 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -389,6 +389,11 @@
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
}
+#define GRUB_EFI_SYSTEMD_GUID \
+ { 0x8cf2644b, 0x4b0b, 0x428f, \
+ { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
+ }
+
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
--
2.35.3
Reference in New Issue View Git Blame Copy Permalink