1 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
new file mode 100644
index 0000000000..e33c96a05b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+  * fakebios:   creates BIOS-like structures for backward compatibility with
+                existing OSes. This should not be allowed when locked down.
+  * loadbios:   reads a BIOS dump from storage and loads it. This action
+                should not be allowed when locked down.
+  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+                any Device Tree provided by the firmware. This also should
+                not be allowed when locked down.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi                    |  3 +++
+ grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+ grub-core/loader/arm/linux.c      |  6 +++---
+ grub-core/loader/efi/fdt.c        |  4 ++--
+ 4 files changed, 16 insertions(+), 13 deletions(-)
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
+++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+ @ref{GNU/Linux}.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      This is done to prevent subverting various security mechanisms.
+ @end deffn
+ 
+ @node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+ 
+ GRUB_MOD_INIT(loadbios)
+ {
+-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+-                                       0, N_("Create BIOS-like structures for"
+-                                             " backward compatibility with"
+-                                             " existing OS."));
+-
+-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+-                                       N_("BIOS_DUMP [INT10_DUMP]"),
+-                                       N_("Load BIOS dump."));
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
+                                                0, N_("Create BIOS-like structures for"
+                                                      " backward compatibility with"
+                                                      " existing OS."));
+
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
+                                                N_("BIOS_DUMP [INT10_DUMP]"),
+                                                N_("Load BIOS dump."));
+ }
+ 
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+                                     0, N_("Load Linux."));
+   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+                                      0, N_("Load initrd."));
+-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+-                                         /* TRANSLATORS: DTB stands for device tree blob.  */
+-                                         0, N_("Load DTB file."));
+  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
+                                                  /* TRANSLATORS: DTB stands for device tree blob. */
+                                                  0, N_("Load DTB file."));
+   my_mod = mod;
+   current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+   machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
+++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+   cmd_devicetree =
+-    grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+-                          N_("Load DTB file."));
+    grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
+                                   N_("Load DTB file."));
+ }
+ 
+ GRUB_MOD_FINI (fdt)

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch new file mode 100644 index 0000000000..e33c96a05b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
	1	From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Wed, 24 Feb 2021 09:00:05 +0100
	4	Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
	5	when locked down
	6
	7	There are some more commands that should be restricted when the GRUB is
	8	locked down. Following is the list of commands and reasons to restrict:
	9
	10	* fakebios: creates BIOS-like structures for backward compatibility with
	11	existing OSes. This should not be allowed when locked down.
	12
	13	* loadbios: reads a BIOS dump from storage and loads it. This action
	14	should not be allowed when locked down.
	15
	16	* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
	17	any Device Tree provided by the firmware. This also should
	18	not be allowed when locked down.
	19
	20	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	21	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	22
	23	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
	24	CVE: CVE-2020-27779
	25	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	26	---
	27	docs/grub.texi \| 3 +++
	28	grub-core/commands/efi/loadbios.c \| 16 ++++++++--------
	29	grub-core/loader/arm/linux.c \| 6 +++---
	30	grub-core/loader/efi/fdt.c \| 4 ++--
	31	4 files changed, 16 insertions(+), 13 deletions(-)
	32
	33	diff --git a/docs/grub.texi b/docs/grub.texi
	34	index a1aaee6..ccf1908 100644
	35	--- a/docs/grub.texi
	36	+++ b/docs/grub.texi
	37	@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
	38	kernel. Does not perform merging with any device tree supplied by firmware,
	39	but rather replaces it completely.
	40	@ref{GNU/Linux}.
	41	+
	42	+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
	43	+ This is done to prevent subverting various security mechanisms.
	44	@end deffn
	45
	46	@node distrust
	47	diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
	48	index d41d521..5c7725f 100644
	49	--- a/grub-core/commands/efi/loadbios.c
	50	+++ b/grub-core/commands/efi/loadbios.c
	51	@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
	52
	53	GRUB_MOD_INIT(loadbios)
	54	{
	55	- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
	56	- 0, N_("Create BIOS-like structures for"
	57	- " backward compatibility with"
	58	- " existing OS."));
	59	-
	60	- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
	61	- N_("BIOS_DUMP [INT10_DUMP]"),
	62	- N_("Load BIOS dump."));
	63	+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
	64	+ 0, N_("Create BIOS-like structures for"
	65	+ " backward compatibility with"
	66	+ " existing OS."));
	67	+
	68	+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
	69	+ N_("BIOS_DUMP [INT10_DUMP]"),
	70	+ N_("Load BIOS dump."));
	71	}
	72
	73	GRUB_MOD_FINI(loadbios)
	74	diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
	75	index d70c174..ed23dc7 100644
	76	--- a/grub-core/loader/arm/linux.c
	77	+++ b/grub-core/loader/arm/linux.c
	78	@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
	79	0, N_("Load Linux."));
	80	cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
	81	0, N_("Load initrd."));
	82	- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
	83	- /* TRANSLATORS: DTB stands for device tree blob. */
	84	- 0, N_("Load DTB file."));
	85	+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
	86	+ /* TRANSLATORS: DTB stands for device tree blob. */
	87	+ 0, N_("Load DTB file."));
	88	my_mod = mod;
	89	current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
	90	machine_type = grub_arm_firmware_get_machine_type ();
	91	diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
	92	index ee9c559..003d07c 100644
	93	--- a/grub-core/loader/efi/fdt.c
	94	+++ b/grub-core/loader/efi/fdt.c
	95	@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
	96	GRUB_MOD_INIT (fdt)
	97	{
	98	cmd_devicetree =
	99	- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
	100	- N_("Load DTB file."));
	101	+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
	102	+ N_("Load DTB file."));
	103	}
	104
	105	GRUB_MOD_FINI (fdt)