Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch | 61 |
1 files changed, 61 insertions, 0 deletions
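--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch
@@ -0,0 +1,61 @@
+From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 24 Feb 2021 14:44:38 +0100
+Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when
+locked down
+
+The shim_lock verifier validates the XNU kernels but no its extensions
+and packages. Prevent these to be loaded when the GRUB is locked down.
+
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/loader/xnu.c | 31 +++++++++++++++++--------------
+1 file changed, 17 insertions(+), 14 deletions(-)
+
+diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
+index 77d7060..07232d2 100644
+--- a/grub-core/loader/xnu.c
++++ b/grub-core/loader/xnu.c
+@@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu)
+N_("Load XNU image."));
+cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
+0, N_("Load 64-bit XNU image."));
+- cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0,
+- N_("Load XNU extension package."));
+- cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0,
+- N_("Load XNU extension."));
+- cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir,
+- /* TRANSLATORS: OSBundleRequired is a
+- variable name in xnu extensions
+- manifests. It behaves mostly like
+- GNU/Linux runlevels.
+- */
+- N_("DIRECTORY [OSBundleRequired]"),
+- /* TRANSLATORS: There are many extensions
+- in extension directory. */
+- N_("Load XNU extension directory."));
++ cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0,
++ N_("Load XNU extension package."));
++ cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0,
++ N_("Load XNU extension."));
++ cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir,
++ /*
++ * TRANSLATORS: OSBundleRequired is
++ * a variable name in xnu extensions
++ * manifests. It behaves mostly like
++ * GNU/Linux runlevels.
++ */
++ N_("DIRECTORY [OSBundleRequired]"),
++ /*
++ * TRANSLATORS: There are many extensions
++ * in extension directory.
++ */
++ N_("Load XNU extension directory."));
+cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0,
+/* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */
+N_("Load XNU ramdisk. "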
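Review bot: The three rewritten registrations (`xnu_mkext`, `xnu_kext`, `xnu_kextdir`) call `grub_register_command_lockdown`, which this patch neither declares nor defines, so it depends on an earlier patch in the series to supply the lockdown API. The recipe's SRC_URI is not part of this file section; it should list this patch after the one that introduces that function, otherwise the context may still apply cleanly and the problem would only surface when xnu.c is compiled. The trailing context also shows `xnu_ramdisk` still registered through plain `grub_register_command`, while the commit message names only extensions and packages as unverified by shim_lock. It would help to record whether that is deliberate, for example with a comment such as `/* xnu_ramdisk stays available under lockdown: <reason> */` in a follow-up or in the recipe notes, since a backport should otherwise stay byte-identical to upstream. The GRUB_MOD_INIT(xnu) body starts and ends outside the hunk.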