From 9f18541245858f53fea72d8d60304f9015d88b5f Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Fri, 17 Mar 2023 22:00:23 +0800 Subject: [PATCH 2/2] Restrict cryptsetup key file permission for better security GRUB's default permission 777 for concatenated initrd files was too permissive for the cryptsetup key file, causing a complaint from systemd-cryptsetup during boot. This commit replaces the 0777 permission with a more secure 0400 permission for the key file. Signed-off-by: Michael Chang --- grub-core/loader/linux.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c index e4018e65e..fc71a78d7 100644 --- a/grub-core/loader/linux.c +++ b/grub-core/loader/linux.c @@ -32,6 +32,7 @@ struct grub_linux_initrd_component char *buf; char *newc_name; grub_off_t size; + grub_uint32_t mode; }; struct dir @@ -202,6 +203,7 @@ grub_initrd_component (const char *buf, int bufsz, const char *newc_name, grub_memcpy (comp->buf, buf, bufsz); initrd_ctx->nfiles++; comp->size = bufsz; + comp->mode = 0100400; if (grub_add (initrd_ctx->size, comp->size, &initrd_ctx->size)) goto overflow; @@ -271,6 +273,7 @@ grub_initrd_init (int argc, char *argv[], grub_initrd_close (initrd_ctx); return grub_errno; } + initrd_ctx->components[i].mode = 0100777; name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1; if (grub_add (initrd_ctx->size, ALIGN_UP (sizeof (struct newc_head) + name_len, 4), @@ -372,6 +375,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, if (initrd_ctx->components[i].newc_name) { grub_size_t dir_size; + grub_uint32_t mode = initrd_ctx->components[i].mode; if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr, &dir_size)) @@ -383,7 +387,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, ptr += dir_size; ptr = make_header (ptr, initrd_ctx->components[i].newc_name, grub_strlen (initrd_ctx->components[i].newc_name) + 1, - 0100777, + mode, initrd_ctx->components[i].size); newc = 1; } -- 2.39.2