1 files changed, 61 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
new file mode 100644
index 0000000000..474826ade5
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+ locked down
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
+++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+                                      N_("Load XNU image."));
+   cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+                                        0, N_("Load 64-bit XNU image."));
+-  cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+-                                    N_("Load XNU extension package."));
+-  cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+-                                   N_("Load XNU extension."));
+-  cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+-                                      /* TRANSLATORS: OSBundleRequired is a
+-                                         variable name in xnu extensions
+-                                         manifests. It behaves mostly like
+-                                         GNU/Linux runlevels.
+-                                      */
+-                                      N_("DIRECTORY [OSBundleRequired]"),
+-                                      /* TRANSLATORS: There are many extensions
+-                                         in extension directory.  */
+-                                      N_("Load XNU extension directory."));
+  cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+                                             N_("Load XNU extension package."));
+  cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
+                                            N_("Load XNU extension."));
+  cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
+                                               /*
+                                                * TRANSLATORS: OSBundleRequired is
+                                                * a variable name in xnu extensions
+                                                * manifests. It behaves mostly like
+                                                * GNU/Linux runlevels.
+                                                */
+                                               N_("DIRECTORY [OSBundleRequired]"),
+                                               /*
+                                                * TRANSLATORS: There are many extensions
+                                                * in extension directory.
+                                                */
+                                               N_("Load XNU extension directory."));
+   cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+    /* TRANSLATORS: ramdisk here isn't identifier. It can be translated.  */
+                                       N_("Load XNU ramdisk. "

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch new file mode 100644 index 0000000000..474826ade5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
	1	From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
	2	From: Javier Martinez Canillas <javierm@redhat.com>
	3	Date: Wed, 24 Feb 2021 14:44:38 +0100
	4	Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
	5	locked down
	6
	7	The shim_lock verifier validates the XNU kernels but no its extensions
	8	and packages. Prevent these to be loaded when the GRUB is locked down.
	9
	10	Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
	11	Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
	12
	13	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
	14	CVE: CVE-2020-27779
	15	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	16	---
	17	grub-core/loader/xnu.c \| 31 +++++++++++++++++--------------
	18	1 file changed, 17 insertions(+), 14 deletions(-)
	19
	20	diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
	21	index 77d7060..07232d2 100644
	22	--- a/grub-core/loader/xnu.c
	23	+++ b/grub-core/loader/xnu.c
	24	@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
	25	N_("Load XNU image."));
	26	cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
	27	0, N_("Load 64-bit XNU image."));
	28	- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
	29	- N_("Load XNU extension package."));
	30	- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
	31	- N_("Load XNU extension."));
	32	- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
	33	- /* TRANSLATORS: OSBundleRequired is a
	34	- variable name in xnu extensions
	35	- manifests. It behaves mostly like
	36	- GNU/Linux runlevels.
	37	- */
	38	- N_("DIRECTORY [OSBundleRequired]"),
	39	- /* TRANSLATORS: There are many extensions
	40	- in extension directory. */
	41	- N_("Load XNU extension directory."));
	42	+ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
	43	+ N_("Load XNU extension package."));
	44	+ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
	45	+ N_("Load XNU extension."));
	46	+ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
	47	+ /*
	48	+ * TRANSLATORS: OSBundleRequired is
	49	+ * a variable name in xnu extensions
	50	+ * manifests. It behaves mostly like
	51	+ * GNU/Linux runlevels.
	52	+ */
	53	+ N_("DIRECTORY [OSBundleRequired]"),
	54	+ /*
	55	+ * TRANSLATORS: There are many extensions
	56	+ * in extension directory.
	57	+ */
	58	+ N_("Load XNU extension directory."));
	59	cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
	60	/* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
	61	N_("Load XNU ramdisk. "