1 files changed, 107 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
new file mode 100644
index 0000000000..504352b4e3
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
+From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg@redhat.com>
+Date: Mon, 13 Jan 2014 12:13:09 +0000
+Subject: Don't permit loading modules on UEFI secure boot
+Author: Colin Watson <cjwatson@ubuntu.com>
+Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
+Forwarded: no
+Last-Update: 2013-12-25
+Patch-Name: no-insmod-on-sb.patch
+Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
+Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
+for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
+Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ grub-core/kern/dl.c      | 13 +++++++++++++
+ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
+ include/grub/efi/efi.h   |  1 +
+ 3 files changed, 42 insertions(+)
+diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
+index 48eb5e7b6..074dfc3c6 100644
+--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
+@@ -38,6 +38,10 @@
+ #define GRUB_MODULES_MACHINE_READONLY
+ #endif
+ 
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
+ 
+ 
+ #pragma GCC diagnostic ignored "-Wcast-align"
+@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
+   void *core = 0;
+   grub_dl_t mod = 0;
+ 
+#ifdef GRUB_MACHINE_EFI
+  if (grub_efi_secure_boot ())
+    {
+      grub_error (GRUB_ERR_ACCESS_DENIED,
+                 "Secure Boot forbids loading module from %s", filename);
+      return 0;
+    }
+#endif
+
+   grub_boot_time ("Loading module %s", filename);
+ 
+   file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
+diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
+index 6e1ceb905..96204e39b 100644
+--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
+@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
+   return NULL;
+ }
+ 
+grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_size_t datasize;
+  char *secure_boot = NULL;
+  char *setup_mode = NULL;
+  grub_efi_boolean_t ret = 0;
+
+  secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !secure_boot)
+    goto out;
+
+  setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !setup_mode)
+    goto out;
+
+  if (*secure_boot && !*setup_mode)
+    ret = 1;
+
+ out:
+  grub_free (secure_boot);
+  grub_free (setup_mode);
+  return ret;
+}
+
+ #pragma GCC diagnostic ignored "-Wcast-align"
+ 
+ /* Search the mods section from the PE32/PE32+ image. This code uses
+diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
+index e90e00dc4..a237952b3 100644
+--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
+@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
+                                     const grub_efi_guid_t *guid,
+                                     void *data,
+                                     grub_size_t datasize);
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
+ int
+ EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
+                                             const grub_efi_device_path_t *dp2);

diff --git a/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch new file mode 100644 index 0000000000..504352b4e3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch
@@ -0,0 +1,107 @@
	1	From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001
	2	From: Matthew Garrett <mjg@redhat.com>
	3	Date: Mon, 13 Jan 2014 12:13:09 +0000
	4	Subject: Don't permit loading modules on UEFI secure boot
	5
	6	Author: Colin Watson <cjwatson@ubuntu.com>
	7	Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch
	8	Forwarded: no
	9	Last-Update: 2013-12-25
	10
	11	Patch-Name: no-insmod-on-sb.patch
	12
	13	Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch]
	14
	15	Backport of a Debian (and Fedora) patch implementing a way to get secure boot status
	16	for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport.
	17	Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch
	18
	19	Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
	20	---
	21	grub-core/kern/dl.c \| 13 +++++++++++++
	22	grub-core/kern/efi/efi.c \| 28 ++++++++++++++++++++++++++++
	23	include/grub/efi/efi.h \| 1 +
	24	3 files changed, 42 insertions(+)
	25
	26	diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
	27	index 48eb5e7b6..074dfc3c6 100644
	28	--- a/grub-core/kern/dl.c
	29	+++ b/grub-core/kern/dl.c
	30	@@ -38,6 +38,10 @@
	31	#define GRUB_MODULES_MACHINE_READONLY
	32	#endif
	33
	34	+#ifdef GRUB_MACHINE_EFI
	35	+#include <grub/efi/efi.h>
	36	+#endif
	37	+
	38
	39
	40	#pragma GCC diagnostic ignored "-Wcast-align"
	41	@@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename)
	42	void *core = 0;
	43	grub_dl_t mod = 0;
	44
	45	+#ifdef GRUB_MACHINE_EFI
	46	+ if (grub_efi_secure_boot ())
	47	+ {
	48	+ grub_error (GRUB_ERR_ACCESS_DENIED,
	49	+ "Secure Boot forbids loading module from %s", filename);
	50	+ return 0;
	51	+ }
	52	+#endif
	53	+
	54	grub_boot_time ("Loading module %s", filename);
	55
	56	file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
	57	diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
	58	index 6e1ceb905..96204e39b 100644
	59	--- a/grub-core/kern/efi/efi.c
	60	+++ b/grub-core/kern/efi/efi.c
	61	@@ -273,6 +273,34 @@ grub_efi_get_variable (const char var, const grub_efi_guid_t guid,
	62	return NULL;
	63	}
	64
	65	+grub_efi_boolean_t
	66	+grub_efi_secure_boot (void)
	67	+{
	68	+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
	69	+ grub_size_t datasize;
	70	+ char *secure_boot = NULL;
	71	+ char *setup_mode = NULL;
	72	+ grub_efi_boolean_t ret = 0;
	73	+
	74	+ secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize);
	75	+
	76	+ if (datasize != 1 \|\| !secure_boot)
	77	+ goto out;
	78	+
	79	+ setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize);
	80	+
	81	+ if (datasize != 1 \|\| !setup_mode)
	82	+ goto out;
	83	+
	84	+ if (secure_boot && !setup_mode)
	85	+ ret = 1;
	86	+
	87	+ out:
	88	+ grub_free (secure_boot);
	89	+ grub_free (setup_mode);
	90	+ return ret;
	91	+}
	92	+
	93	#pragma GCC diagnostic ignored "-Wcast-align"
	94
	95	/* Search the mods section from the PE32/PE32+ image. This code uses
	96	diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
	97	index e90e00dc4..a237952b3 100644
	98	--- a/include/grub/efi/efi.h
	99	+++ b/include/grub/efi/efi.h
	100	@@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
	101	const grub_efi_guid_t *guid,
	102	void *data,
	103	grub_size_t datasize);
	104	+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
	105	int
	106	EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
	107	const grub_efi_device_path_t *dp2);