Diffstat (limited to 'meta/recipes-bsp/grub/files/no-insmod-on-sb.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/no-insmod-on-sb.patch | 107 |
1 files changed, 107 insertions, 0 deletions
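--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+
+Patch-Name: no-insmod-on-sb.patch
+
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+grub-core/kern/dl.c | 13 +++++++++++++
+grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+include/grub/efi/efi.h | 1 +
+3 files changed, 42 insertions(+)
+
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
++++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+#define GRUB_MODULES_MACHINE_READONLY
+#endif
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+
+
+#pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+void *core = 0;
+grub_dl_t mod = 0;
+
++#ifdef GRUB_MACHINE_EFI
++ if (grub_efi_secure_boot ())
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED,
++ "Secure Boot forbids loading module from %s", filename);
++ return 0;
++ }
++#endif
++
+grub_boot_time ("Loading module %s", filename);
+
+file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
++++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+return NULL;
+}
+
++grub_efi_boolean_t
++grub_efi_secure_boot (void)
++{
++ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
++ grub_size_t datasize;
++ char *secure_boot = NULL;
++ char *setup_mode = NULL;
++ grub_efi_boolean_t ret = 0;
++
++ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !secure_boot)
++ goto out;
++
++ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
++
++ if (datasize != 1 || !setup_mode)
++ goto out;
++
++ if (*secure_boot && !*setup_mode)
++ ret = 1;
++
++ out:
++ grub_free (secure_boot);
++ grub_free (setup_mode);
++ return ret;
++}
++
+#pragma GCC diagnostic ignored "-Wcast-align"
+
+/* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
++++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+const grub_efi_guid_t *guid,
+void *data,
+grub_size_t datasize);
++grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+int
+EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+const grub_efi_device_path_t *dp2);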
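Review bot: `grub_efi_secure_boot` in the embedded efi.c hunk fails open: whenever `SecureBoot` or `SetupMode` is unreadable or not exactly one byte, `ret` stays 0 and `grub_dl_load_file` goes on to load the module, so firmware that reports SecureBoot as 1 but returns `SetupMode` with an unexpected size is treated as unlocked. That policy is presumably intentional for firmware without Secure Boot variables, but the function has no comment saying so; add `/* Returns 1 only when SecureBoot == 1 and SetupMode == 0; an unreadable or malformed variable is treated as Secure Boot disabled. */` above it. Separately, `datasize` is declared without an initializer and is tested before the NULL check in `if (datasize != 1 || !secure_boot)`; unless `grub_efi_get_variable` always stores to `*datasize` on failure (not visible in this hunk), a failed lookup reads an indeterminate value, which `grub_size_t datasize = 0;` together with `if (!secure_boot || datasize != 1)` (and the same swap for `setup_mode`) would avoid. The enclosing `grub_dl_load_file` in the dl.c hunk starts and ends outside the visible context.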