53da76e569
- Update to the latest upstreaming TPM2 patches * 0001-key_protector-Add-key-protectors-framework.patch - Replace 0001-protectors-Add-key-protectors-framework.patch * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch - Merge other TSS patches * 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch * 0002-tpm2-Add-more-marshal-unmarshal-functions.patch * 0003-tpm2-Implement-more-TPM2-commands.patch * 0003-key_protector-Add-TPM2-Key-Protector.patch - Replace 0003-protectors-Add-TPM2-Key-Protector.patch * 0004-cryptodisk-Support-key-protectors.patch * 0005-util-grub-protect-Add-new-tool.patch * 0001-tpm2-Support-authorized-policy.patch - Replace 0004-tpm2-Support-authorized-policy.patch * 0001-tpm2-Add-extra-RSA-SRK-types.patch * 0001-tpm2-Implement-NV-index.patch - Replace 0001-protectors-Implement-NV-index.patch * 0002-cryptodisk-Fallback-to-passphrase.patch * 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch * 0004-diskfilter-look-up-cryptodisk-devices-first.patch - Refresh affected patches * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch * grub2-bsc1220338-key_protector-implement-the-blocklist.patch - New manpage for grub2-protect OBS-URL: https://build.opensuse.org/request/show/1174325 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=504
From 91a99dffbe78b91a0c18b32ebecf755ba9d74032 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 10 Aug 2023 10:19:29 +0800
Subject: [PATCH 4/4] diskfilter: look up cryptodisk devices first
When using disk auto-unlocking with TPM 2.0, the typical grub.cfg may
look like this:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u <PART-UUID> -P tpm2
search --fs-uuid --set=root <FS-UUID>
Since the disk search order is based on the order of module loading, the
attacker could insert a malicious disk with the same FS-UUID root to
trick grub2 to boot into the malicious root and further dump memory to
steal the unsealed key.
To defend against such an attack, we can specify the hint provided by
'grub-probe' to search the encrypted partition first:
search --fs-uuid --set=root --hint='cryptouuid/<PART-UUID>' <FS-UUID>
However, for LVM on an encrypted partition, the search hint provided by
'grub-probe' is:
--hint='lvmid/<VG-UUID>/<LV-UUID>'
It doesn't guarantee to look up the logical volume from the encrypted
partition, so the attacker may have the chance to fool grub2 to boot
into the malicious disk.
To minimize the attack surface, this commit tweaks the disk device search
in diskfilter to look up cryptodisk devices first and then others, so
that the auto-unlocked disk will be found first, not the attacker's disk.
Cc: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/diskfilter.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
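--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -322,15 +322,32 @@ scan_devices (const char *arname)
 int need_rescan;
 
 for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)
- for (p = grub_disk_dev_list; p; p = p->next)
- if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID
- && p->disk_iterate)
- {
- if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
- return;
- if (arname && is_lv_readable (find_lv (arname), 1))
- return;
- }
+ {
+ /* look up the crytodisk devices first */
+ for (p = grub_disk_dev_list; p; p = p->next)
+ if (p->id == GRUB_DISK_DEVICE_CRYPTODISK_ID
+ && p->disk_iterate)
+ {
+ if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
+ return;
+ if (arname && is_lv_readable (find_lv (arname), 1))
+ return;
+ break;
+ }
+
+ /* check the devices other than crytodisk */
+ for (p = grub_disk_dev_list; p; p = p->next)
+ if (p->id == GRUB_DISK_DEVICE_CRYPTODISK_ID)
+ continue;
+ else if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID
+ && p->disk_iterate)
+ {
+ if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
+ return;
+ if (arname && is_lv_readable (find_lv (arname), 1))
+ return;
+ }
+ }
 
 scan_depth = 0;
 need_rescan = 1;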
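Review bot: The comments introduced above both new loops misspell the device name, and since they document the ordering the whole commit exists for they should read `/* look up the cryptodisk devices first */` and `/* check the devices other than cryptodisk */`, matching the GRUB_DISK_DEVICE_CRYPTODISK_ID used in the conditions beneath them. In the second loop the `else` after `continue;` is redundant, because `continue` already ends the iteration, so `if (p->id != GRUB_DISK_DEVICE_DISKFILTER_ID && p->disk_iterate)` can stand on its own. The bodies of the two loops are now identical, and the ordering intent is easier to audit if the iterate-then-is_lv_readable step lives in one small static helper that reports whether scanning is finished, as sketched below. The `break` after the first cryptodisk entry presumably relies on only one device with that id ever being registered; a one-line comment saying so would keep a future second registration from being silently skipped. The enclosing scan_devices begins before this hunk and the rest of its body follows it.
```c
/* Run one device's iterator at this pull level; returns 1 when scanning is done. */
static int
scan_dev_at_pull (grub_disk_dev_t p, const char *arname, int pull)
{
  if ((p->disk_iterate) (scan_disk_hook, NULL, pull))
    return 1;
  if (arname && is_lv_readable (find_lv (arname), 1))
    return 1;
  return 0;
}

  /* … unchanged: declarations and the pull loop header … */
      /* look up the cryptodisk devices first */
      for (p = grub_disk_dev_list; p; p = p->next)
        if (p->id == GRUB_DISK_DEVICE_CRYPTODISK_ID && p->disk_iterate)
          {
            if (scan_dev_at_pull (p, arname, pull))
              return;
            break;
          }

      /* check the devices other than cryptodisk */
      for (p = grub_disk_dev_list; p; p = p->next)
        if (p->id != GRUB_DISK_DEVICE_CRYPTODISK_ID
            && p->id != GRUB_DISK_DEVICE_DISKFILTER_ID
            && p->disk_iterate)
          if (scan_dev_at_pull (p, arname, pull))
            return;
```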
--
2.35.3