Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch | 105 |
1 files changed, 105 insertions, 0 deletions
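diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
new file mode 100644
index 0000000000..e33c96a05b
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch
@@ -0,0 +1,105 @@
+From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 09:00:05 +0100
+Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
+ when locked down
+
+There are some more commands that should be restricted when the GRUB is
+locked down. Following is the list of commands and reasons to restrict:
+
+* fakebios: creates BIOS-like structures for backward compatibility with
+existing OSes. This should not be allowed when locked down.
+
+* loadbios: reads a BIOS dump from storage and loads it. This action
+should not be allowed when locked down.
+
+* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
+any Device Tree provided by the firmware. This also should
+not be allowed when locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+docs/grub.texi | 3 +++
+grub-core/commands/efi/loadbios.c | 16 ++++++++--------
+grub-core/loader/arm/linux.c | 6 +++---
+grub-core/loader/efi/fdt.c | 4 ++--
+4 files changed, 16 insertions(+), 13 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index a1aaee6..ccf1908 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
+ kernel. Does not perform merging with any device tree supplied by firmware,
+ but rather replaces it completely.
+ @ref{GNU/Linux}.
++
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++ This is done to prevent subverting various security mechanisms.
+ @end deffn
+ 
+ @node distrust
+diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
+index d41d521..5c7725f 100644
+--- a/grub-core/commands/efi/loadbios.c
++++ b/grub-core/commands/efi/loadbios.c
+@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
+ 
+ GRUB_MOD_INIT(loadbios)
+ {
+- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
+- 0, N_("Create BIOS-like structures for"
+- " backward compatibility with"
+- " existing OS."));
+-
+- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
+- N_("BIOS_DUMP [INT10_DUMP]"),
+- N_("Load BIOS dump."));
++ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
++ 0, N_("Create BIOS-like structures for"
++ " backward compatibility with"
++ " existing OS."));
++
++ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
++ N_("BIOS_DUMP [INT10_DUMP]"),
++ N_("Load BIOS dump."));
+ }
+ 
+ GRUB_MOD_FINI(loadbios)
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index d70c174..ed23dc7 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
+ 0, N_("Load Linux."));
+ cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
+ 0, N_("Load initrd."));
+- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
+- /* TRANSLATORS: DTB stands for device tree blob. */
+- 0, N_("Load DTB file."));
++ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
++ /* TRANSLATORS: DTB stands for device tree blob. */
++ 0, N_("Load DTB file."));
+ my_mod = mod;
+ current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
+ machine_type = grub_arm_firmware_get_machine_type ();
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index ee9c559..003d07c 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
+ GRUB_MOD_INIT (fdt)
+ {
+ cmd_devicetree =
+- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
+- N_("Load DTB file."));
++ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
++ N_("Load DTB file."));
+ }
+ 
+ GRUB_MOD_FINI (fdt)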