forked from pool/grub2
31d3c4f444
* 0009-squash-Add-support-for-linuxefi.patch OBS-URL: https://build.opensuse.org/request/show/867843 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=370
98 lines
3.1 KiB
Diff
98 lines
3.1 KiB
Diff
From 496890ebd2605eb1ff15f8d96c30b5d617f1bb85 Mon Sep 17 00:00:00 2001
|
|
From: Michael Chang <mchang@suse.com>
|
|
Date: Fri, 6 Nov 2020 11:19:06 +0000
|
|
Subject: [PATCH 7/9] linuxefi: fail kernel validation without shim protocol.
|
|
|
|
If certificates that signed grub are installed into db, grub can be
|
|
booted directly. It will then boot any kernel without signature
|
|
validation. The booted kernel will think it was booted in secureboot
|
|
mode and will implement lockdown, yet it could have been tampered.
|
|
|
|
This version of the patch skips calling verification, when booted
|
|
without secureboot. And is indented with gnu ident.
|
|
|
|
CVE-2020-15705
|
|
|
|
Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
|
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
---
|
|
grub-core/loader/arm64/efi/linux.c | 38 +++++++++++++++++++++++-------
|
|
1 file changed, 29 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/arm64/efi/linux.c b/grub-core/loader/arm64/efi/linux.c
|
|
index a4041be5c..0e5782caa 100644
|
|
--- a/grub-core/loader/arm64/efi/linux.c
|
|
+++ b/grub-core/loader/arm64/efi/linux.c
|
|
@@ -58,21 +58,35 @@ struct grub_efi_shim_lock
|
|
};
|
|
typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
|
|
|
|
-static grub_efi_boolean_t
|
|
+// Returns 1 on success, -1 on error, 0 when not available
|
|
+static int
|
|
grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
|
|
{
|
|
grub_efi_guid_t guid = SHIM_LOCK_GUID;
|
|
grub_efi_shim_lock_t *shim_lock;
|
|
+ grub_efi_status_t status;
|
|
|
|
shim_lock = grub_efi_locate_protocol(&guid, NULL);
|
|
-
|
|
+ grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
|
|
if (!shim_lock)
|
|
- return 1;
|
|
+ {
|
|
+ grub_dprintf ("secureboot", "shim not available\n");
|
|
+ return 0;
|
|
+ }
|
|
|
|
- if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
|
|
- return 1;
|
|
+ grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
|
|
+ status = shim_lock->verify (data, size);
|
|
+ grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
|
|
+ if (status == GRUB_EFI_SUCCESS)
|
|
+ {
|
|
+ grub_dprintf ("secureboot", "Kernel signature verification passed\n");
|
|
+ return 1;
|
|
+ }
|
|
|
|
- return 0;
|
|
+ grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
|
|
+ (unsigned long) status);
|
|
+
|
|
+ return -1;
|
|
}
|
|
|
|
#pragma GCC diagnostic push
|
|
@@ -399,6 +413,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
struct linux_arch_kernel_header lh;
|
|
struct grub_armxx_linux_pe_header *pe;
|
|
grub_err_t err;
|
|
+ int rc;
|
|
|
|
grub_dl_ref (my_mod);
|
|
|
|
@@ -443,10 +458,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
|
grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
|
|
|
|
- if (!grub_linuxefi_secure_validate (kernel_addr, kernel_size))
|
|
+ if (grub_efi_secure_boot ())
|
|
{
|
|
- grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
|
|
- goto fail;
|
|
+ rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
|
|
+ if (rc <= 0)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_INVALID_COMMAND,
|
|
+ N_("%s has invalid signature"), argv[0]);
|
|
+ goto fail;
|
|
+ }
|
|
}
|
|
|
|
pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
|
|
--
|
|
2.26.2
|
|
|