be3181b1eb
- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057) * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch * 0036-util-mkimage-Improve-data_size-value-calculation.patch * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch * 0039-grub-install-common-Add-sbat-option.patch - Fix CVE-2021-20225 (bsc#1182262) * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch - Fix CVE-2020-27749 (bsc#1179264) * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch * 0025-kern-parser-Fix-a-memory-leak.patch * 0026-kern-parser-Introduce-process_char-helper.patch * 0027-kern-parser-Introduce-terminate_arg-helper.patch * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch - Fix CVE-2021-20233 (bsc#1182263) * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch - Fix CVE-2020-25647 (bsc#1177883) * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch - Fix CVE-2020-25632 (bsc#1176711) * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch - Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970) * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch OBS-URL: https://build.opensuse.org/request/show/876326 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=374
From d1a40f870dbcb55280f57673c1d9c2c7110df42a Mon Sep 17 00:00:00 2001
|
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
Date: Wed, 24 Feb 2021 09:00:05 +0100
|
|
Subject: [PATCH 15/46] commands: Restrict commands that can load BIOS or DT
|
|
blobs when locked down
|
|
|
|
There are some more commands that should be restricted when the GRUB is
|
|
locked down. Following is the list of commands and reasons to restrict:
|
|
|
|
* fakebios: creates BIOS-like structures for backward compatibility with
|
|
existing OSes. This should not be allowed when locked down.
|
|
|
|
* loadbios: reads a BIOS dump from storage and loads it. This action
|
|
should not be allowed when locked down.
|
|
|
|
* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
|
|
any Device Tree provided by the firmware. This also should
|
|
not be allowed when locked down.
|
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
docs/grub.texi | 3 +++
|
|
grub-core/commands/efi/loadbios.c | 16 ++++++++--------
|
|
grub-core/loader/arm/linux.c | 6 +++---
|
|
grub-core/loader/efi/fdt.c | 4 ++--
|
|
4 files changed, 16 insertions(+), 13 deletions(-)
|
|
|
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
index 70bf91f40..cf29a1797 100644
|
|
--- a/docs/grub.texi
|
|
+++ b/docs/grub.texi
|
|
@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
|
|
kernel. Does not perform merging with any device tree supplied by firmware,
|
|
but rather replaces it completely.
|
|
@ref{GNU/Linux}.
|
|
+
|
|
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
|
+ This is done to prevent subverting various security mechanisms.
|
|
@end deffn
|
|
|
|
@node distrust
|
|
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
|
index d41d521a4..5c7725f8b 100644
|
|
--- a/grub-core/commands/efi/loadbios.c
|
|
+++ b/grub-core/commands/efi/loadbios.c
|
|
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
|
|
|
GRUB_MOD_INIT(loadbios)
|
|
{
|
|
- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
|
|
- 0, N_("Create BIOS-like structures for"
|
|
- " backward compatibility with"
|
|
- " existing OS."));
|
|
-
|
|
- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
|
|
- N_("BIOS_DUMP [INT10_DUMP]"),
|
|
- N_("Load BIOS dump."));
|
|
+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
|
|
+ 0, N_("Create BIOS-like structures for"
|
|
+ " backward compatibility with"
|
|
+ " existing OS."));
|
|
+
|
|
+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
|
|
+ N_("BIOS_DUMP [INT10_DUMP]"),
|
|
+ N_("Load BIOS dump."));
|
|
}
|
|
|
|
GRUB_MOD_FINI(loadbios)
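Review bot: The lockdown restriction on `fakebios` and `loadbios` registered here is not documented, while the same patch adds a lockdown note to docs/grub.texi only for `devicetree`. If grub.texi has @deffn entries for these two commands, each should carry the same note, `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).`, with the same second line explaining that it prevents subverting security mechanisms; if the commands are undocumented, say so in the commit message so the omission is visibly deliberate. Note also that this hunk, like the ones in grub-core/loader/arm/linux.c and grub-core/loader/efi/fdt.c, changes only the registration call, so enforcement rests entirely on grub_register_command_lockdown; the handlers grub_cmd_fakebios and grub_cmd_loadbios are outside the hunk and appear unchanged, which is sound only as long as nothing invokes them other than through the command table.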
|
|
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
|
index d70c17486..ed23dc71e 100644
|
|
--- a/grub-core/loader/arm/linux.c
|
|
+++ b/grub-core/loader/arm/linux.c
|
|
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
|
|
0, N_("Load Linux."));
|
|
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
|
0, N_("Load initrd."));
|
|
- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
|
|
- /* TRANSLATORS: DTB stands for device tree blob. */
|
|
- 0, N_("Load DTB file."));
|
|
+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
|
|
+ /* TRANSLATORS: DTB stands for device tree blob. */
|
|
+ 0, N_("Load DTB file."));
|
|
my_mod = mod;
|
|
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
|
machine_type = grub_arm_firmware_get_machine_type ();
|
|
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
|
index ee9c5592c..003d07cd8 100644
|
|
--- a/grub-core/loader/efi/fdt.c
|
|
+++ b/grub-core/loader/efi/fdt.c
|
|
@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
|
|
GRUB_MOD_INIT (fdt)
|
|
{
|
|
cmd_devicetree =
|
|
- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
|
|
- N_("Load DTB file."));
|
|
+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
|
|
+ N_("Load DTB file."));
|
|
}
|
|
|
|
GRUB_MOD_FINI (fdt)
|
|
--
|
|
2.26.2
|
|
|