1 files changed, 52 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
new file mode 100644
index 0000000000..ac509b63c7
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
+From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:29 +0200
+Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
+If the UEFI Secure Boot is enabled then the GRUB must be locked down
+to prevent executing code that can potentially be used to subvert its
+verification mechanisms.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/efi/init.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
+index 3dfdf2d..db84d82 100644
+--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
+@@ -20,6 +20,7 @@
+ #include <grub/efi/efi.h>
+ #include <grub/efi/console.h>
+ #include <grub/efi/disk.h>
+#include <grub/lockdown.h>
+ #include <grub/term.h>
+ #include <grub/misc.h>
+ #include <grub/env.h>
+@@ -39,6 +40,20 @@ grub_efi_init (void)
+   /* Initialize the memory management system.  */
+   grub_efi_mm_init ();
+ 
+  /*
+   * Lockdown the GRUB and register the shim_lock verifier
+   * if the UEFI Secure Boot is enabled.
+   */
+  if (grub_efi_secure_boot ())
+    {
+      grub_lockdown ();
+      /* NOTE: Our version does not have the shim_lock_verifier,
+       * need to update below if added */
+#if 0
+      grub_shim_lock_verifier_setup ();
+#endif
+    }
+
+   efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
+              0, 0, 0, NULL);
+

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch new file mode 100644 index 0000000000..ac509b63c7 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch
@@ -0,0 +1,52 @@
	1	From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Mon, 28 Sep 2020 20:08:29 +0200
	4	Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
	5
	6	If the UEFI Secure Boot is enabled then the GRUB must be locked down
	7	to prevent executing code that can potentially be used to subvert its
	8	verification mechanisms.
	9
	10	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	11	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	12
	13	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77]
	14	CVE: CVE-2020-14372
	15	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	16	---
	17	grub-core/kern/efi/init.c \| 15 +++++++++++++++
	18	1 file changed, 15 insertions(+)
	19
	20	diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
	21	index 3dfdf2d..db84d82 100644
	22	--- a/grub-core/kern/efi/init.c
	23	+++ b/grub-core/kern/efi/init.c
	24	@@ -20,6 +20,7 @@
	25	#include <grub/efi/efi.h>
	26	#include <grub/efi/console.h>
	27	#include <grub/efi/disk.h>
	28	+#include <grub/lockdown.h>
	29	#include <grub/term.h>
	30	#include <grub/misc.h>
	31	#include <grub/env.h>
	32	@@ -39,6 +40,20 @@ grub_efi_init (void)
	33	/* Initialize the memory management system. */
	34	grub_efi_mm_init ();
	35
	36	+ /*
	37	+ * Lockdown the GRUB and register the shim_lock verifier
	38	+ * if the UEFI Secure Boot is enabled.
	39	+ */
	40	+ if (grub_efi_secure_boot ())
	41	+ {
	42	+ grub_lockdown ();
	43	+ /* NOTE: Our version does not have the shim_lock_verifier,
	44	+ * need to update below if added */
	45	+#if 0
	46	+ grub_shim_lock_verifier_setup ();
	47	+#endif
	48	+ }
	49	+
	50	efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
	51	0, 0, 0, NULL);
	52