1 files changed, 158 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
new file mode 100644
index 0000000000..12ec4e1c17
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
+From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Mon, 28 Sep 2020 20:08:33 +0200
+Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
+ modules list
+Now the GRUB can check if it has been locked down and this can be used to
+prevent executing commands that can be utilized to circumvent the UEFI
+Secure Boot mechanisms. So, instead of hardcoding a list of modules that
+have to be disabled, prevent the usage of commands that can be dangerous.
+This not only allows the commands to be disabled on other platforms, but
+also properly separate the concerns. Since the shim_lock verifier logic
+should be only about preventing to run untrusted binaries and not about
+defining these kind of policies.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
+CVE: CVE-2020-14372
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi                  | 10 ++++++++++
+ grub-core/commands/i386/wrmsr.c |  5 +++--
+ grub-core/commands/iorw.c       | 19 ++++++++++---------
+ grub-core/commands/memrw.c      | 19 ++++++++++---------
+ 4 files changed, 33 insertions(+), 20 deletions(-)
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 5e6cace..0786427 100644
+--- a/docs/grub.texi
+++ b/docs/grub.texi
+@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
+ Also, if you specify a reserved or unimplemented MSR address, it will
+ cause a general protection exception (which is not currently being handled)
+ and the system will reboot.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      This is done to prevent subverting various security mechanisms.
+ @end deffn
+ 
+ @node xen_hypervisor
+@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
+ shim_lock module. And itself it is a persistent module which means that
+ it cannot be unloaded if it was loaded into the memory.
+ 
+All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
+Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
+that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
+and @command{memrw} will not be available when the UEFI secure boot is enabled.
+This is done for security reasons and are enforced by the GRUB Lockdown mechanism
+(@pxref{Lockdown}).
+
+ @node Measured Boot
+ @section Measuring boot components
+ 
+diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
+index 9c5e510..56a29c2 100644
+--- a/grub-core/commands/i386/wrmsr.c
+++ b/grub-core/commands/i386/wrmsr.c
+@@ -24,6 +24,7 @@
+ #include <grub/env.h>
+ #include <grub/command.h>
+ #include <grub/extcmd.h>
+#include <grub/lockdown.h>
+ #include <grub/i18n.h>
+ #include <grub/i386/cpuid.h>
+ #include <grub/i386/wrmsr.h>
+@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
+ 
+ GRUB_MOD_INIT(wrmsr)
+ {
+-  cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+-                                    N_("Write a value to a CPU model specific register."));
+  cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+                                              N_("Write a value to a CPU model specific register."));
+ }
+ 
+ GRUB_MOD_FINI(wrmsr)
+diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
+index a0c164e..584baec 100644
+--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
+@@ -23,6 +23,7 @@
+ #include <grub/env.h>
+ #include <grub/cpu/io.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
+                          N_("PORT"), N_("Read 32-bit value from PORT."),
+                          options);
+   cmd_write_byte =
+-    grub_register_command ("outb", grub_cmd_write,
+-                          N_("PORT VALUE [MASK]"),
+-                          N_("Write 8-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outb", grub_cmd_write,
+                                    N_("PORT VALUE [MASK]"),
+                                    N_("Write 8-bit VALUE to PORT."));
+   cmd_write_word =
+-    grub_register_command ("outw", grub_cmd_write,
+-                          N_("PORT VALUE [MASK]"),
+-                          N_("Write 16-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outw", grub_cmd_write,
+                                    N_("PORT VALUE [MASK]"),
+                                    N_("Write 16-bit VALUE to PORT."));
+   cmd_write_dword =
+-    grub_register_command ("outl", grub_cmd_write,
+-                          N_("ADDR VALUE [MASK]"),
+-                          N_("Write 32-bit VALUE to PORT."));
+    grub_register_command_lockdown ("outl", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 32-bit VALUE to PORT."));
+ }
+ 
+ GRUB_MOD_FINI(memrw)
+diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
+index 98769ea..d401a6d 100644
+--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
+@@ -22,6 +22,7 @@
+ #include <grub/extcmd.h>
+ #include <grub/env.h>
+ #include <grub/i18n.h>
+#include <grub/lockdown.h>
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
+                          N_("ADDR"), N_("Read 32-bit value from ADDR."),
+                          options);
+   cmd_write_byte =
+-    grub_register_command ("write_byte", grub_cmd_write,
+-                          N_("ADDR VALUE [MASK]"),
+-                          N_("Write 8-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_byte", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 8-bit VALUE to ADDR."));
+   cmd_write_word =
+-    grub_register_command ("write_word", grub_cmd_write,
+-                          N_("ADDR VALUE [MASK]"),
+-                          N_("Write 16-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_word", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 16-bit VALUE to ADDR."));
+   cmd_write_dword =
+-    grub_register_command ("write_dword", grub_cmd_write,
+-                          N_("ADDR VALUE [MASK]"),
+-                          N_("Write 32-bit VALUE to ADDR."));
+    grub_register_command_lockdown ("write_dword", grub_cmd_write,
+                                    N_("ADDR VALUE [MASK]"),
+                                    N_("Write 32-bit VALUE to ADDR."));
+ }
+ 
+ GRUB_MOD_FINI(memrw)

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch new file mode 100644 index 0000000000..12ec4e1c17 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch
@@ -0,0 +1,158 @@
	1	From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Mon, 28 Sep 2020 20:08:33 +0200
	4	Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
	5	modules list
	6
	7	Now the GRUB can check if it has been locked down and this can be used to
	8	prevent executing commands that can be utilized to circumvent the UEFI
	9	Secure Boot mechanisms. So, instead of hardcoding a list of modules that
	10	have to be disabled, prevent the usage of commands that can be dangerous.
	11
	12	This not only allows the commands to be disabled on other platforms, but
	13	also properly separate the concerns. Since the shim_lock verifier logic
	14	should be only about preventing to run untrusted binaries and not about
	15	defining these kind of policies.
	16
	17	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	18	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	19
	20	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
	21	CVE: CVE-2020-14372
	22	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	23	---
	24	docs/grub.texi \| 10 ++++++++++
	25	grub-core/commands/i386/wrmsr.c \| 5 +++--
	26	grub-core/commands/iorw.c \| 19 ++++++++++---------
	27	grub-core/commands/memrw.c \| 19 ++++++++++---------
	28	4 files changed, 33 insertions(+), 20 deletions(-)
	29
	30	diff --git a/docs/grub.texi b/docs/grub.texi
	31	index 5e6cace..0786427 100644
	32	--- a/docs/grub.texi
	33	+++ b/docs/grub.texi
	34	@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
	35	Also, if you specify a reserved or unimplemented MSR address, it will
	36	cause a general protection exception (which is not currently being handled)
	37	and the system will reboot.
	38	+
	39	+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
	40	+ This is done to prevent subverting various security mechanisms.
	41	@end deffn
	42
	43	@node xen_hypervisor
	44	@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
	45	shim_lock module. And itself it is a persistent module which means that
	46	it cannot be unloaded if it was loaded into the memory.
	47
	48	+All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
	49	+Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
	50	+that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
	51	+and @command{memrw} will not be available when the UEFI secure boot is enabled.
	52	+This is done for security reasons and are enforced by the GRUB Lockdown mechanism
	53	+(@pxref{Lockdown}).
	54	+
	55	@node Measured Boot
	56	@section Measuring boot components
	57
	58	diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
	59	index 9c5e510..56a29c2 100644
	60	--- a/grub-core/commands/i386/wrmsr.c
	61	+++ b/grub-core/commands/i386/wrmsr.c
	62	@@ -24,6 +24,7 @@
	63	#include <grub/env.h>
	64	#include <grub/command.h>
	65	#include <grub/extcmd.h>
	66	+#include <grub/lockdown.h>
	67	#include <grub/i18n.h>
	68	#include <grub/i386/cpuid.h>
	69	#include <grub/i386/wrmsr.h>
	70	@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
	71
	72	GRUB_MOD_INIT(wrmsr)
	73	{
	74	- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
	75	- N_("Write a value to a CPU model specific register."));
	76	+ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
	77	+ N_("Write a value to a CPU model specific register."));
	78	}
	79
	80	GRUB_MOD_FINI(wrmsr)
	81	diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
	82	index a0c164e..584baec 100644
	83	--- a/grub-core/commands/iorw.c
	84	+++ b/grub-core/commands/iorw.c
	85	@@ -23,6 +23,7 @@
	86	#include <grub/env.h>
	87	#include <grub/cpu/io.h>
	88	#include <grub/i18n.h>
	89	+#include <grub/lockdown.h>
	90
	91	GRUB_MOD_LICENSE ("GPLv3+");
	92
	93	@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
	94	N_("PORT"), N_("Read 32-bit value from PORT."),
	95	options);
	96	cmd_write_byte =
	97	- grub_register_command ("outb", grub_cmd_write,
	98	- N_("PORT VALUE [MASK]"),
	99	- N_("Write 8-bit VALUE to PORT."));
	100	+ grub_register_command_lockdown ("outb", grub_cmd_write,
	101	+ N_("PORT VALUE [MASK]"),
	102	+ N_("Write 8-bit VALUE to PORT."));
	103	cmd_write_word =
	104	- grub_register_command ("outw", grub_cmd_write,
	105	- N_("PORT VALUE [MASK]"),
	106	- N_("Write 16-bit VALUE to PORT."));
	107	+ grub_register_command_lockdown ("outw", grub_cmd_write,
	108	+ N_("PORT VALUE [MASK]"),
	109	+ N_("Write 16-bit VALUE to PORT."));
	110	cmd_write_dword =
	111	- grub_register_command ("outl", grub_cmd_write,
	112	- N_("ADDR VALUE [MASK]"),
	113	- N_("Write 32-bit VALUE to PORT."));
	114	+ grub_register_command_lockdown ("outl", grub_cmd_write,
	115	+ N_("ADDR VALUE [MASK]"),
	116	+ N_("Write 32-bit VALUE to PORT."));
	117	}
	118
	119	GRUB_MOD_FINI(memrw)
	120	diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
	121	index 98769ea..d401a6d 100644
	122	--- a/grub-core/commands/memrw.c
	123	+++ b/grub-core/commands/memrw.c
	124	@@ -22,6 +22,7 @@
	125	#include <grub/extcmd.h>
	126	#include <grub/env.h>
	127	#include <grub/i18n.h>
	128	+#include <grub/lockdown.h>
	129
	130	GRUB_MOD_LICENSE ("GPLv3+");
	131
	132	@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
	133	N_("ADDR"), N_("Read 32-bit value from ADDR."),
	134	options);
	135	cmd_write_byte =
	136	- grub_register_command ("write_byte", grub_cmd_write,
	137	- N_("ADDR VALUE [MASK]"),
	138	- N_("Write 8-bit VALUE to ADDR."));
	139	+ grub_register_command_lockdown ("write_byte", grub_cmd_write,
	140	+ N_("ADDR VALUE [MASK]"),
	141	+ N_("Write 8-bit VALUE to ADDR."));
	142	cmd_write_word =
	143	- grub_register_command ("write_word", grub_cmd_write,
	144	- N_("ADDR VALUE [MASK]"),
	145	- N_("Write 16-bit VALUE to ADDR."));
	146	+ grub_register_command_lockdown ("write_word", grub_cmd_write,
	147	+ N_("ADDR VALUE [MASK]"),
	148	+ N_("Write 16-bit VALUE to ADDR."));
	149	cmd_write_dword =
	150	- grub_register_command ("write_dword", grub_cmd_write,
	151	- N_("ADDR VALUE [MASK]"),
	152	- N_("Write 32-bit VALUE to ADDR."));
	153	+ grub_register_command_lockdown ("write_dword", grub_cmd_write,
	154	+ N_("ADDR VALUE [MASK]"),
	155	+ N_("Write 32-bit VALUE to ADDR."));
	156	}
	157
	158	GRUB_MOD_FINI(memrw)