diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372.patch | 76 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch | 130 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch | 431 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | 57 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch | 52 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch | 158 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779.patch | 70 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch | 105 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch | 37 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch | 35 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch | 62 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch | 61 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch | 65 | ||||
-rw-r--r-- | meta/recipes-bsp/grub/files/no-insmod-on-sb.patch | 107 |
14 files changed, 1446 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch new file mode 100644 index 0000000000..08e7666cde --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372.patch | |||
@@ -0,0 +1,76 @@ | |||
1 | From 0d237c0b90f0c6d4a3662c569b2371ae3ed69574 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:41 +0200 | ||
4 | Subject: [PATCH] acpi: Don't register the acpi command when locked down | ||
5 | MIME-Version: 1.0 | ||
6 | Content-Type: text/plain; charset=UTF-8 | ||
7 | Content-Transfer-Encoding: 8bit | ||
8 | |||
9 | The command is not allowed when lockdown is enforced. Otherwise an | ||
10 | attacker can instruct the GRUB to load an SSDT table to overwrite | ||
11 | the kernel lockdown configuration and later load and execute | ||
12 | unsigned code. | ||
13 | |||
14 | Fixes: CVE-2020-14372 | ||
15 | |||
16 | Reported-by: Máté Kukri <km@mkukri.xyz> | ||
17 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
18 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=3e8e4c0549240fa209acffceb473e1e509b50c95] | ||
21 | CVE: CVE-2020-14372 | ||
22 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
23 | --- | ||
24 | docs/grub.texi | 5 +++++ | ||
25 | grub-core/commands/acpi.c | 15 ++++++++------- | ||
26 | 2 files changed, 13 insertions(+), 7 deletions(-) | ||
27 | |||
28 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
29 | index 0786427..47ac7ff 100644 | ||
30 | --- a/docs/grub.texi | ||
31 | +++ b/docs/grub.texi | ||
32 | @@ -3986,6 +3986,11 @@ Normally, this command will replace the Root System Description Pointer | ||
33 | (RSDP) in the Extended BIOS Data Area to point to the new tables. If the | ||
34 | @option{--no-ebda} option is used, the new tables will be known only to | ||
35 | GRUB, but may be used by GRUB's EFI emulation. | ||
36 | + | ||
37 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
38 | + Otherwise an attacker can instruct the GRUB to load an SSDT table to | ||
39 | + overwrite the kernel lockdown configuration and later load and execute | ||
40 | + unsigned code. | ||
41 | @end deffn | ||
42 | |||
43 | |||
44 | diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c | ||
45 | index 5a1499a..1215f2a 100644 | ||
46 | --- a/grub-core/commands/acpi.c | ||
47 | +++ b/grub-core/commands/acpi.c | ||
48 | @@ -27,6 +27,7 @@ | ||
49 | #include <grub/mm.h> | ||
50 | #include <grub/memory.h> | ||
51 | #include <grub/i18n.h> | ||
52 | +#include <grub/lockdown.h> | ||
53 | |||
54 | #ifdef GRUB_MACHINE_EFI | ||
55 | #include <grub/efi/efi.h> | ||
56 | @@ -775,13 +776,13 @@ static grub_extcmd_t cmd; | ||
57 | |||
58 | GRUB_MOD_INIT(acpi) | ||
59 | { | ||
60 | - cmd = grub_register_extcmd ("acpi", grub_cmd_acpi, 0, | ||
61 | - N_("[-1|-2] [--exclude=TABLE1,TABLE2|" | ||
62 | - "--load-only=TABLE1,TABLE2] FILE1" | ||
63 | - " [FILE2] [...]"), | ||
64 | - N_("Load host ACPI tables and tables " | ||
65 | - "specified by arguments."), | ||
66 | - options); | ||
67 | + cmd = grub_register_extcmd_lockdown ("acpi", grub_cmd_acpi, 0, | ||
68 | + N_("[-1|-2] [--exclude=TABLE1,TABLE2|" | ||
69 | + "--load-only=TABLE1,TABLE2] FILE1" | ||
70 | + " [FILE2] [...]"), | ||
71 | + N_("Load host ACPI tables and tables " | ||
72 | + "specified by arguments."), | ||
73 | + options); | ||
74 | } | ||
75 | |||
76 | GRUB_MOD_FINI(acpi) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch new file mode 100644 index 0000000000..745f335501 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_1.patch | |||
@@ -0,0 +1,130 @@ | |||
1 | From fe7a13df6200bda934fcc0246458df249f1ef4f2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Marco A Benatto <mbenatto@redhat.com> | ||
3 | Date: Wed, 23 Sep 2020 11:33:33 -0400 | ||
4 | Subject: [PATCH] verifiers: Move verifiers API to kernel image | ||
5 | |||
6 | Move verifiers API from a module to the kernel image, so it can be | ||
7 | used there as well. There are no functional changes in this patch. | ||
8 | |||
9 | Signed-off-by: Marco A Benatto <mbenatto@redhat.com> | ||
10 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
11 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9e95f45ceeef36fcf93cbfffcf004276883dbc99] | ||
14 | CVE: CVE-2020-14372 | ||
15 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
16 | --- | ||
17 | grub-core/Makefile.am | 1 + | ||
18 | grub-core/Makefile.core.def | 6 +----- | ||
19 | grub-core/kern/main.c | 4 ++++ | ||
20 | grub-core/{commands => kern}/verifiers.c | 8 ++------ | ||
21 | include/grub/verify.h | 9 ++++++--- | ||
22 | 5 files changed, 14 insertions(+), 14 deletions(-) | ||
23 | rename grub-core/{commands => kern}/verifiers.c (97%) | ||
24 | |||
25 | diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am | ||
26 | index 3ea8e7f..375c30d 100644 | ||
27 | --- a/grub-core/Makefile.am | ||
28 | +++ b/grub-core/Makefile.am | ||
29 | @@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h | ||
30 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h | ||
31 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h | ||
32 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h | ||
33 | +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h | ||
34 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h | ||
35 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h | ||
36 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h | ||
37 | diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def | ||
38 | index 474a63e..cff02f2 100644 | ||
39 | --- a/grub-core/Makefile.core.def | ||
40 | +++ b/grub-core/Makefile.core.def | ||
41 | @@ -140,6 +140,7 @@ kernel = { | ||
42 | common = kern/rescue_parser.c; | ||
43 | common = kern/rescue_reader.c; | ||
44 | common = kern/term.c; | ||
45 | + common = kern/verifiers.c; | ||
46 | |||
47 | noemu = kern/compiler-rt.c; | ||
48 | noemu = kern/mm.c; | ||
49 | @@ -942,11 +943,6 @@ module = { | ||
50 | cppflags = '-I$(srcdir)/lib/posix_wrap'; | ||
51 | }; | ||
52 | |||
53 | -module = { | ||
54 | - name = verifiers; | ||
55 | - common = commands/verifiers.c; | ||
56 | -}; | ||
57 | - | ||
58 | module = { | ||
59 | name = shim_lock; | ||
60 | common = commands/efi/shim_lock.c; | ||
61 | diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c | ||
62 | index 9cad0c4..73967e2 100644 | ||
63 | --- a/grub-core/kern/main.c | ||
64 | +++ b/grub-core/kern/main.c | ||
65 | @@ -29,6 +29,7 @@ | ||
66 | #include <grub/command.h> | ||
67 | #include <grub/reader.h> | ||
68 | #include <grub/parser.h> | ||
69 | +#include <grub/verify.h> | ||
70 | |||
71 | #ifdef GRUB_MACHINE_PCBIOS | ||
72 | #include <grub/machine/memory.h> | ||
73 | @@ -274,6 +275,9 @@ grub_main (void) | ||
74 | grub_printf ("Welcome to GRUB!\n\n"); | ||
75 | grub_setcolorstate (GRUB_TERM_COLOR_STANDARD); | ||
76 | |||
77 | + /* Init verifiers API. */ | ||
78 | + grub_verifiers_init (); | ||
79 | + | ||
80 | grub_load_config (); | ||
81 | |||
82 | grub_boot_time ("Before loading embedded modules."); | ||
83 | diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c | ||
84 | similarity index 97% | ||
85 | rename from grub-core/commands/verifiers.c | ||
86 | rename to grub-core/kern/verifiers.c | ||
87 | index 0dde481..aa3dc7c 100644 | ||
88 | --- a/grub-core/commands/verifiers.c | ||
89 | +++ b/grub-core/kern/verifiers.c | ||
90 | @@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type) | ||
91 | return GRUB_ERR_NONE; | ||
92 | } | ||
93 | |||
94 | -GRUB_MOD_INIT(verifiers) | ||
95 | +void | ||
96 | +grub_verifiers_init (void) | ||
97 | { | ||
98 | grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open); | ||
99 | } | ||
100 | - | ||
101 | -GRUB_MOD_FINI(verifiers) | ||
102 | -{ | ||
103 | - grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY); | ||
104 | -} | ||
105 | diff --git a/include/grub/verify.h b/include/grub/verify.h | ||
106 | index ea04914..cd129c3 100644 | ||
107 | --- a/include/grub/verify.h | ||
108 | +++ b/include/grub/verify.h | ||
109 | @@ -64,7 +64,10 @@ struct grub_file_verifier | ||
110 | grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type); | ||
111 | }; | ||
112 | |||
113 | -extern struct grub_file_verifier *grub_file_verifiers; | ||
114 | +extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers); | ||
115 | + | ||
116 | +extern void | ||
117 | +grub_verifiers_init (void); | ||
118 | |||
119 | static inline void | ||
120 | grub_verifier_register (struct grub_file_verifier *ver) | ||
121 | @@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver) | ||
122 | grub_list_remove (GRUB_AS_LIST (ver)); | ||
123 | } | ||
124 | |||
125 | -grub_err_t | ||
126 | -grub_verify_string (char *str, enum grub_verify_string_type type); | ||
127 | +extern grub_err_t | ||
128 | +EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type); | ||
129 | |||
130 | #endif /* ! GRUB_VERIFY_HEADER */ | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch new file mode 100644 index 0000000000..a98b5d0455 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_2.patch | |||
@@ -0,0 +1,431 @@ | |||
1 | From d8aac4517fef0f0188a60a2a8ff9cafdd9c7ca42 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:02 +0200 | ||
4 | Subject: [PATCH] kern: Add lockdown support | ||
5 | |||
6 | When the GRUB starts on a secure boot platform, some commands can be | ||
7 | used to subvert the protections provided by the verification mechanism and | ||
8 | could lead to booting untrusted system. | ||
9 | |||
10 | To prevent that situation, allow GRUB to be locked down. That way the code | ||
11 | may check if GRUB has been locked down and further restrict the commands | ||
12 | that are registered or what subset of their functionality could be used. | ||
13 | |||
14 | The lockdown support adds the following components: | ||
15 | |||
16 | * The grub_lockdown() function which can be used to lockdown GRUB if, | ||
17 | e.g., UEFI Secure Boot is enabled. | ||
18 | |||
19 | * The grub_is_lockdown() function which can be used to check if the GRUB | ||
20 | was locked down. | ||
21 | |||
22 | * A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI | ||
23 | tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other | ||
24 | verifiers. These files are only successfully verified if another registered | ||
25 | verifier returns success. Otherwise, the whole verification process fails. | ||
26 | |||
27 | For example, PE/COFF binaries verification can be done by the shim_lock | ||
28 | verifier which validates the signatures using the shim_lock protocol. | ||
29 | However, the verification is not deferred directly to the shim_lock verifier. | ||
30 | The shim_lock verifier is hooked into the verification process instead. | ||
31 | |||
32 | * A set of grub_{command,extcmd}_lockdown functions that can be used by | ||
33 | code registering command handlers, to only register unsafe commands if | ||
34 | the GRUB has not been locked down. | ||
35 | |||
36 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
37 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
38 | |||
39 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc] | ||
40 | CVE: CVE-2020-14372 | ||
41 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
42 | --- | ||
43 | conf/Makefile.common | 2 + | ||
44 | docs/grub-dev.texi | 27 +++++++++++++ | ||
45 | docs/grub.texi | 8 ++++ | ||
46 | grub-core/Makefile.am | 5 ++- | ||
47 | grub-core/Makefile.core.def | 1 + | ||
48 | grub-core/commands/extcmd.c | 23 +++++++++++ | ||
49 | grub-core/kern/command.c | 24 +++++++++++ | ||
50 | grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++ | ||
51 | include/grub/command.h | 5 +++ | ||
52 | include/grub/extcmd.h | 7 ++++ | ||
53 | include/grub/lockdown.h | 44 ++++++++++++++++++++ | ||
54 | 11 files changed, 225 insertions(+), 1 deletion(-) | ||
55 | create mode 100644 grub-core/kern/lockdown.c | ||
56 | create mode 100644 include/grub/lockdown.h | ||
57 | |||
58 | diff --git a/conf/Makefile.common b/conf/Makefile.common | ||
59 | index 6cd71cb..2a1a886 100644 | ||
60 | --- a/conf/Makefile.common | ||
61 | +++ b/conf/Makefile.common | ||
62 | @@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER | ||
63 | CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
64 | CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' | ||
65 | CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
66 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
67 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' | ||
68 | +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' | ||
69 | CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' | ||
70 | CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)' | ||
71 | CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ | ||
72 | diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi | ||
73 | index ee389fd..635ec72 100644 | ||
74 | --- a/docs/grub-dev.texi | ||
75 | +++ b/docs/grub-dev.texi | ||
76 | @@ -86,6 +86,7 @@ This edition documents version @value{VERSION}. | ||
77 | * PFF2 Font File Format:: | ||
78 | * Graphical Menu Software Design:: | ||
79 | * Verifiers framework:: | ||
80 | +* Lockdown framework:: | ||
81 | * Copying This Manual:: Copying This Manual | ||
82 | * Index:: | ||
83 | @end menu | ||
84 | @@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just | ||
85 | the context. If you return no error during any of @samp{init}, @samp{write} and | ||
86 | @samp{fini} then the file is considered as having succeded verification. | ||
87 | |||
88 | +@node Lockdown framework | ||
89 | +@chapter Lockdown framework | ||
90 | + | ||
91 | +The GRUB can be locked down, which is a restricted mode where some operations | ||
92 | +are not allowed. For instance, some commands cannot be used when the GRUB is | ||
93 | +locked down. | ||
94 | + | ||
95 | +The function | ||
96 | +@code{grub_lockdown()} is used to lockdown GRUB and the function | ||
97 | +@code{grub_is_lockdown()} function can be used to check whether lockdown is | ||
98 | +enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED} | ||
99 | +and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled. | ||
100 | + | ||
101 | +The following functions can be used to register the commands that can only be | ||
102 | +used when lockdown is disabled: | ||
103 | + | ||
104 | +@itemize | ||
105 | + | ||
106 | +@item @code{grub_cmd_lockdown()} registers command which should not run when the | ||
107 | +GRUB is in lockdown mode. | ||
108 | + | ||
109 | +@item @code{grub_cmd_lockdown()} registers extended command which should not run | ||
110 | +when the GRUB is in lockdown mode. | ||
111 | + | ||
112 | +@end itemize | ||
113 | + | ||
114 | @node Copying This Manual | ||
115 | @appendix Copying This Manual | ||
116 | |||
117 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
118 | index 8779507..d778bfb 100644 | ||
119 | --- a/docs/grub.texi | ||
120 | +++ b/docs/grub.texi | ||
121 | @@ -5581,6 +5581,7 @@ environment variables and commands are listed in the same order. | ||
122 | * Using digital signatures:: Booting digitally signed code | ||
123 | * UEFI secure boot and shim:: Booting digitally signed PE files | ||
124 | * Measured Boot:: Measuring boot components | ||
125 | +* Lockdown:: Lockdown when booting on a secure setup | ||
126 | @end menu | ||
127 | |||
128 | @node Authentication and authorisation | ||
129 | @@ -5794,6 +5795,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between | ||
130 | |||
131 | Measured boot is currently only supported on EFI platforms. | ||
132 | |||
133 | +@node Lockdown | ||
134 | +@section Lockdown when booting on a secure setup | ||
135 | + | ||
136 | +The GRUB can be locked down when booted on a secure boot environment, for example | ||
137 | +if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
138 | +be restricted and some operations/commands cannot be executed. | ||
139 | + | ||
140 | @node Platform limitations | ||
141 | @chapter Platform limitations | ||
142 | |||
143 | diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am | ||
144 | index 375c30d..3096241 100644 | ||
145 | --- a/grub-core/Makefile.am | ||
146 | +++ b/grub-core/Makefile.am | ||
147 | @@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h | ||
148 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h | ||
149 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h | ||
150 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h | ||
151 | +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h | ||
152 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h | ||
153 | if COND_emu | ||
154 | KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h | ||
155 | @@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES) | ||
156 | b=`basename $$pp .marker`; \ | ||
157 | sed -n \ | ||
158 | -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
159 | + -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
160 | -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ | ||
161 | - -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
162 | + -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ | ||
163 | + -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ | ||
164 | done) | sort -u > $@ | ||
165 | platform_DATA += command.lst | ||
166 | CLEANFILES += command.lst | ||
167 | diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def | ||
168 | index cff02f2..651ea2a 100644 | ||
169 | --- a/grub-core/Makefile.core.def | ||
170 | +++ b/grub-core/Makefile.core.def | ||
171 | @@ -204,6 +204,7 @@ kernel = { | ||
172 | efi = term/efi/console.c; | ||
173 | efi = kern/acpi.c; | ||
174 | efi = kern/efi/acpi.c; | ||
175 | + efi = kern/lockdown.c; | ||
176 | i386_coreboot = kern/i386/pc/acpi.c; | ||
177 | i386_multiboot = kern/i386/pc/acpi.c; | ||
178 | i386_coreboot = kern/acpi.c; | ||
179 | diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c | ||
180 | index 69574e2..90a5ca2 100644 | ||
181 | --- a/grub-core/commands/extcmd.c | ||
182 | +++ b/grub-core/commands/extcmd.c | ||
183 | @@ -19,6 +19,7 @@ | ||
184 | |||
185 | #include <grub/mm.h> | ||
186 | #include <grub/list.h> | ||
187 | +#include <grub/lockdown.h> | ||
188 | #include <grub/misc.h> | ||
189 | #include <grub/extcmd.h> | ||
190 | #include <grub/script_sh.h> | ||
191 | @@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func, | ||
192 | summary, description, parser, 1); | ||
193 | } | ||
194 | |||
195 | +static grub_err_t | ||
196 | +grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)), | ||
197 | + int argc __attribute__ ((unused)), | ||
198 | + char **argv __attribute__ ((unused))) | ||
199 | +{ | ||
200 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
201 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
202 | + ctxt->extcmd->cmd->name); | ||
203 | +} | ||
204 | + | ||
205 | +grub_extcmd_t | ||
206 | +grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func, | ||
207 | + grub_command_flags_t flags, const char *summary, | ||
208 | + const char *description, | ||
209 | + const struct grub_arg_option *parser) | ||
210 | +{ | ||
211 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
212 | + func = grub_extcmd_lockdown; | ||
213 | + | ||
214 | + return grub_register_extcmd (name, func, flags, summary, description, parser); | ||
215 | +} | ||
216 | + | ||
217 | void | ||
218 | grub_unregister_extcmd (grub_extcmd_t ext) | ||
219 | { | ||
220 | diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c | ||
221 | index acd7218..4aabcd4 100644 | ||
222 | --- a/grub-core/kern/command.c | ||
223 | +++ b/grub-core/kern/command.c | ||
224 | @@ -17,6 +17,7 @@ | ||
225 | * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
226 | */ | ||
227 | |||
228 | +#include <grub/lockdown.h> | ||
229 | #include <grub/mm.h> | ||
230 | #include <grub/command.h> | ||
231 | |||
232 | @@ -77,6 +78,29 @@ grub_register_command_prio (const char *name, | ||
233 | return cmd; | ||
234 | } | ||
235 | |||
236 | +static grub_err_t | ||
237 | +grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)), | ||
238 | + int argc __attribute__ ((unused)), | ||
239 | + char **argv __attribute__ ((unused))) | ||
240 | + | ||
241 | +{ | ||
242 | + return grub_error (GRUB_ERR_ACCESS_DENIED, | ||
243 | + N_("%s: the command is not allowed when lockdown is enforced"), | ||
244 | + cmd->name); | ||
245 | +} | ||
246 | + | ||
247 | +grub_command_t | ||
248 | +grub_register_command_lockdown (const char *name, | ||
249 | + grub_command_func_t func, | ||
250 | + const char *summary, | ||
251 | + const char *description) | ||
252 | +{ | ||
253 | + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) | ||
254 | + func = grub_cmd_lockdown; | ||
255 | + | ||
256 | + return grub_register_command_prio (name, func, summary, description, 0); | ||
257 | +} | ||
258 | + | ||
259 | void | ||
260 | grub_unregister_command (grub_command_t cmd) | ||
261 | { | ||
262 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
263 | new file mode 100644 | ||
264 | index 0000000..1e56c0b | ||
265 | --- /dev/null | ||
266 | +++ b/grub-core/kern/lockdown.c | ||
267 | @@ -0,0 +1,80 @@ | ||
268 | +/* | ||
269 | + * GRUB -- GRand Unified Bootloader | ||
270 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
271 | + * | ||
272 | + * GRUB is free software: you can redistribute it and/or modify | ||
273 | + * it under the terms of the GNU General Public License as published by | ||
274 | + * the Free Software Foundation, either version 3 of the License, or | ||
275 | + * (at your option) any later version. | ||
276 | + * | ||
277 | + * GRUB is distributed in the hope that it will be useful, | ||
278 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
279 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
280 | + * GNU General Public License for more details. | ||
281 | + * | ||
282 | + * You should have received a copy of the GNU General Public License | ||
283 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
284 | + * | ||
285 | + */ | ||
286 | + | ||
287 | +#include <grub/dl.h> | ||
288 | +#include <grub/file.h> | ||
289 | +#include <grub/lockdown.h> | ||
290 | +#include <grub/verify.h> | ||
291 | + | ||
292 | +static int lockdown = GRUB_LOCKDOWN_DISABLED; | ||
293 | + | ||
294 | +static grub_err_t | ||
295 | +lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), | ||
296 | + enum grub_file_type type, | ||
297 | + void **context __attribute__ ((unused)), | ||
298 | + enum grub_verify_flags *flags) | ||
299 | +{ | ||
300 | + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; | ||
301 | + | ||
302 | + switch (type & GRUB_FILE_TYPE_MASK) | ||
303 | + { | ||
304 | + case GRUB_FILE_TYPE_GRUB_MODULE: | ||
305 | + case GRUB_FILE_TYPE_LINUX_KERNEL: | ||
306 | + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: | ||
307 | + case GRUB_FILE_TYPE_XEN_HYPERVISOR: | ||
308 | + case GRUB_FILE_TYPE_BSD_KERNEL: | ||
309 | + case GRUB_FILE_TYPE_XNU_KERNEL: | ||
310 | + case GRUB_FILE_TYPE_PLAN9_KERNEL: | ||
311 | + case GRUB_FILE_TYPE_NTLDR: | ||
312 | + case GRUB_FILE_TYPE_TRUECRYPT: | ||
313 | + case GRUB_FILE_TYPE_FREEDOS: | ||
314 | + case GRUB_FILE_TYPE_PXECHAINLOADER: | ||
315 | + case GRUB_FILE_TYPE_PCCHAINLOADER: | ||
316 | + case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: | ||
317 | + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: | ||
318 | + case GRUB_FILE_TYPE_ACPI_TABLE: | ||
319 | + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: | ||
320 | + *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; | ||
321 | + | ||
322 | + /* Fall through. */ | ||
323 | + | ||
324 | + default: | ||
325 | + return GRUB_ERR_NONE; | ||
326 | + } | ||
327 | +} | ||
328 | + | ||
329 | +struct grub_file_verifier lockdown_verifier = | ||
330 | + { | ||
331 | + .name = "lockdown_verifier", | ||
332 | + .init = lockdown_verifier_init, | ||
333 | + }; | ||
334 | + | ||
335 | +void | ||
336 | +grub_lockdown (void) | ||
337 | +{ | ||
338 | + lockdown = GRUB_LOCKDOWN_ENABLED; | ||
339 | + | ||
340 | + grub_verifier_register (&lockdown_verifier); | ||
341 | +} | ||
342 | + | ||
343 | +int | ||
344 | +grub_is_lockdown (void) | ||
345 | +{ | ||
346 | + return lockdown; | ||
347 | +} | ||
348 | diff --git a/include/grub/command.h b/include/grub/command.h | ||
349 | index eee4e84..2a6f7f8 100644 | ||
350 | --- a/include/grub/command.h | ||
351 | +++ b/include/grub/command.h | ||
352 | @@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name, | ||
353 | const char *summary, | ||
354 | const char *description, | ||
355 | int prio); | ||
356 | +grub_command_t | ||
357 | +EXPORT_FUNC(grub_register_command_lockdown) (const char *name, | ||
358 | + grub_command_func_t func, | ||
359 | + const char *summary, | ||
360 | + const char *description); | ||
361 | void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd); | ||
362 | |||
363 | static inline grub_command_t | ||
364 | diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h | ||
365 | index 19fe592..fe9248b 100644 | ||
366 | --- a/include/grub/extcmd.h | ||
367 | +++ b/include/grub/extcmd.h | ||
368 | @@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name, | ||
369 | const char *description, | ||
370 | const struct grub_arg_option *parser); | ||
371 | |||
372 | +grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name, | ||
373 | + grub_extcmd_func_t func, | ||
374 | + grub_command_flags_t flags, | ||
375 | + const char *summary, | ||
376 | + const char *description, | ||
377 | + const struct grub_arg_option *parser); | ||
378 | + | ||
379 | grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name, | ||
380 | grub_extcmd_func_t func, | ||
381 | grub_command_flags_t flags, | ||
382 | diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h | ||
383 | new file mode 100644 | ||
384 | index 0000000..40531fa | ||
385 | --- /dev/null | ||
386 | +++ b/include/grub/lockdown.h | ||
387 | @@ -0,0 +1,44 @@ | ||
388 | +/* | ||
389 | + * GRUB -- GRand Unified Bootloader | ||
390 | + * Copyright (C) 2020 Free Software Foundation, Inc. | ||
391 | + * | ||
392 | + * GRUB is free software: you can redistribute it and/or modify | ||
393 | + * it under the terms of the GNU General Public License as published by | ||
394 | + * the Free Software Foundation, either version 3 of the License, or | ||
395 | + * (at your option) any later version. | ||
396 | + * | ||
397 | + * GRUB is distributed in the hope that it will be useful, | ||
398 | + * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
399 | + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
400 | + * GNU General Public License for more details. | ||
401 | + * | ||
402 | + * You should have received a copy of the GNU General Public License | ||
403 | + * along with GRUB. If not, see <http://www.gnu.org/licenses/>. | ||
404 | + */ | ||
405 | + | ||
406 | +#ifndef GRUB_LOCKDOWN_H | ||
407 | +#define GRUB_LOCKDOWN_H 1 | ||
408 | + | ||
409 | +#include <grub/symbol.h> | ||
410 | + | ||
411 | +#define GRUB_LOCKDOWN_DISABLED 0 | ||
412 | +#define GRUB_LOCKDOWN_ENABLED 1 | ||
413 | + | ||
414 | +#ifdef GRUB_MACHINE_EFI | ||
415 | +extern void | ||
416 | +EXPORT_FUNC (grub_lockdown) (void); | ||
417 | +extern int | ||
418 | +EXPORT_FUNC (grub_is_lockdown) (void); | ||
419 | +#else | ||
420 | +static inline void | ||
421 | +grub_lockdown (void) | ||
422 | +{ | ||
423 | +} | ||
424 | + | ||
425 | +static inline int | ||
426 | +grub_is_lockdown (void) | ||
427 | +{ | ||
428 | + return GRUB_LOCKDOWN_DISABLED; | ||
429 | +} | ||
430 | +#endif | ||
431 | +#endif /* ! GRUB_LOCKDOWN_H */ | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch new file mode 100644 index 0000000000..93fdd2cb1a --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_3.patch | |||
@@ -0,0 +1,57 @@ | |||
1 | From bfb9c44298aa202c176fef8dc5ea48f9b0e76e5e Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Tue, 2 Feb 2021 19:59:48 +0100 | ||
4 | Subject: [PATCH] kern/lockdown: Set a variable if the GRUB is locked down | ||
5 | |||
6 | It may be useful for scripts to determine whether the GRUB is locked | ||
7 | down or not. Add the lockdown variable which is set to "y" when the GRUB | ||
8 | is locked down. | ||
9 | |||
10 | Suggested-by: Dimitri John Ledkov <xnox@ubuntu.com> | ||
11 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
12 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
13 | |||
14 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d90367471779c240e002e62edfb6b31fc85b4908] | ||
15 | CVE: CVE-2020-14372 | ||
16 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
17 | --- | ||
18 | docs/grub.texi | 3 +++ | ||
19 | grub-core/kern/lockdown.c | 4 ++++ | ||
20 | 2 files changed, 7 insertions(+) | ||
21 | |||
22 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
23 | index d778bfb..5e6cace 100644 | ||
24 | --- a/docs/grub.texi | ||
25 | +++ b/docs/grub.texi | ||
26 | @@ -5802,6 +5802,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl | ||
27 | if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will | ||
28 | be restricted and some operations/commands cannot be executed. | ||
29 | |||
30 | +The @samp{lockdown} variable is set to @samp{y} when the GRUB is locked down. | ||
31 | +Otherwise it does not exit. | ||
32 | + | ||
33 | @node Platform limitations | ||
34 | @chapter Platform limitations | ||
35 | |||
36 | diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c | ||
37 | index 1e56c0b..0bc70fd 100644 | ||
38 | --- a/grub-core/kern/lockdown.c | ||
39 | +++ b/grub-core/kern/lockdown.c | ||
40 | @@ -18,6 +18,7 @@ | ||
41 | */ | ||
42 | |||
43 | #include <grub/dl.h> | ||
44 | +#include <grub/env.h> | ||
45 | #include <grub/file.h> | ||
46 | #include <grub/lockdown.h> | ||
47 | #include <grub/verify.h> | ||
48 | @@ -71,6 +72,9 @@ grub_lockdown (void) | ||
49 | lockdown = GRUB_LOCKDOWN_ENABLED; | ||
50 | |||
51 | grub_verifier_register (&lockdown_verifier); | ||
52 | + | ||
53 | + grub_env_set ("lockdown", "y"); | ||
54 | + grub_env_export ("lockdown"); | ||
55 | } | ||
56 | |||
57 | int | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch new file mode 100644 index 0000000000..ac509b63c7 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_4.patch | |||
@@ -0,0 +1,52 @@ | |||
1 | From 0d809c0979ced9db4d0e500b3e812bba95e52972 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:29 +0200 | ||
4 | Subject: [PATCH] efi: Lockdown the GRUB when the UEFI Secure Boot is enabled | ||
5 | |||
6 | If the UEFI Secure Boot is enabled then the GRUB must be locked down | ||
7 | to prevent executing code that can potentially be used to subvert its | ||
8 | verification mechanisms. | ||
9 | |||
10 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
11 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=98b00a403cbf2ba6833d1ac0499871b27a08eb77] | ||
14 | CVE: CVE-2020-14372 | ||
15 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
16 | --- | ||
17 | grub-core/kern/efi/init.c | 15 +++++++++++++++ | ||
18 | 1 file changed, 15 insertions(+) | ||
19 | |||
20 | diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c | ||
21 | index 3dfdf2d..db84d82 100644 | ||
22 | --- a/grub-core/kern/efi/init.c | ||
23 | +++ b/grub-core/kern/efi/init.c | ||
24 | @@ -20,6 +20,7 @@ | ||
25 | #include <grub/efi/efi.h> | ||
26 | #include <grub/efi/console.h> | ||
27 | #include <grub/efi/disk.h> | ||
28 | +#include <grub/lockdown.h> | ||
29 | #include <grub/term.h> | ||
30 | #include <grub/misc.h> | ||
31 | #include <grub/env.h> | ||
32 | @@ -39,6 +40,20 @@ grub_efi_init (void) | ||
33 | /* Initialize the memory management system. */ | ||
34 | grub_efi_mm_init (); | ||
35 | |||
36 | + /* | ||
37 | + * Lockdown the GRUB and register the shim_lock verifier | ||
38 | + * if the UEFI Secure Boot is enabled. | ||
39 | + */ | ||
40 | + if (grub_efi_secure_boot ()) | ||
41 | + { | ||
42 | + grub_lockdown (); | ||
43 | + /* NOTE: Our version does not have the shim_lock_verifier, | ||
44 | + * need to update below if added */ | ||
45 | +#if 0 | ||
46 | + grub_shim_lock_verifier_setup (); | ||
47 | +#endif | ||
48 | + } | ||
49 | + | ||
50 | efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer, | ||
51 | 0, 0, 0, NULL); | ||
52 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch new file mode 100644 index 0000000000..12ec4e1c17 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch | |||
@@ -0,0 +1,158 @@ | |||
1 | From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Mon, 28 Sep 2020 20:08:33 +0200 | ||
4 | Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled | ||
5 | modules list | ||
6 | |||
7 | Now the GRUB can check if it has been locked down and this can be used to | ||
8 | prevent executing commands that can be utilized to circumvent the UEFI | ||
9 | Secure Boot mechanisms. So, instead of hardcoding a list of modules that | ||
10 | have to be disabled, prevent the usage of commands that can be dangerous. | ||
11 | |||
12 | This not only allows the commands to be disabled on other platforms, but | ||
13 | also properly separate the concerns. Since the shim_lock verifier logic | ||
14 | should be only about preventing to run untrusted binaries and not about | ||
15 | defining these kind of policies. | ||
16 | |||
17 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
18 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
19 | |||
20 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491] | ||
21 | CVE: CVE-2020-14372 | ||
22 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
23 | --- | ||
24 | docs/grub.texi | 10 ++++++++++ | ||
25 | grub-core/commands/i386/wrmsr.c | 5 +++-- | ||
26 | grub-core/commands/iorw.c | 19 ++++++++++--------- | ||
27 | grub-core/commands/memrw.c | 19 ++++++++++--------- | ||
28 | 4 files changed, 33 insertions(+), 20 deletions(-) | ||
29 | |||
30 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
31 | index 5e6cace..0786427 100644 | ||
32 | --- a/docs/grub.texi | ||
33 | +++ b/docs/grub.texi | ||
34 | @@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command. | ||
35 | Also, if you specify a reserved or unimplemented MSR address, it will | ||
36 | cause a general protection exception (which is not currently being handled) | ||
37 | and the system will reboot. | ||
38 | + | ||
39 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
40 | + This is done to prevent subverting various security mechanisms. | ||
41 | @end deffn | ||
42 | |||
43 | @node xen_hypervisor | ||
44 | @@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the | ||
45 | shim_lock module. And itself it is a persistent module which means that | ||
46 | it cannot be unloaded if it was loaded into the memory. | ||
47 | |||
48 | +All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables, | ||
49 | +Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands | ||
50 | +that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw} | ||
51 | +and @command{memrw} will not be available when the UEFI secure boot is enabled. | ||
52 | +This is done for security reasons and are enforced by the GRUB Lockdown mechanism | ||
53 | +(@pxref{Lockdown}). | ||
54 | + | ||
55 | @node Measured Boot | ||
56 | @section Measuring boot components | ||
57 | |||
58 | diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c | ||
59 | index 9c5e510..56a29c2 100644 | ||
60 | --- a/grub-core/commands/i386/wrmsr.c | ||
61 | +++ b/grub-core/commands/i386/wrmsr.c | ||
62 | @@ -24,6 +24,7 @@ | ||
63 | #include <grub/env.h> | ||
64 | #include <grub/command.h> | ||
65 | #include <grub/extcmd.h> | ||
66 | +#include <grub/lockdown.h> | ||
67 | #include <grub/i18n.h> | ||
68 | #include <grub/i386/cpuid.h> | ||
69 | #include <grub/i386/wrmsr.h> | ||
70 | @@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char | ||
71 | |||
72 | GRUB_MOD_INIT(wrmsr) | ||
73 | { | ||
74 | - cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"), | ||
75 | - N_("Write a value to a CPU model specific register.")); | ||
76 | + cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"), | ||
77 | + N_("Write a value to a CPU model specific register.")); | ||
78 | } | ||
79 | |||
80 | GRUB_MOD_FINI(wrmsr) | ||
81 | diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c | ||
82 | index a0c164e..584baec 100644 | ||
83 | --- a/grub-core/commands/iorw.c | ||
84 | +++ b/grub-core/commands/iorw.c | ||
85 | @@ -23,6 +23,7 @@ | ||
86 | #include <grub/env.h> | ||
87 | #include <grub/cpu/io.h> | ||
88 | #include <grub/i18n.h> | ||
89 | +#include <grub/lockdown.h> | ||
90 | |||
91 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
92 | |||
93 | @@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw) | ||
94 | N_("PORT"), N_("Read 32-bit value from PORT."), | ||
95 | options); | ||
96 | cmd_write_byte = | ||
97 | - grub_register_command ("outb", grub_cmd_write, | ||
98 | - N_("PORT VALUE [MASK]"), | ||
99 | - N_("Write 8-bit VALUE to PORT.")); | ||
100 | + grub_register_command_lockdown ("outb", grub_cmd_write, | ||
101 | + N_("PORT VALUE [MASK]"), | ||
102 | + N_("Write 8-bit VALUE to PORT.")); | ||
103 | cmd_write_word = | ||
104 | - grub_register_command ("outw", grub_cmd_write, | ||
105 | - N_("PORT VALUE [MASK]"), | ||
106 | - N_("Write 16-bit VALUE to PORT.")); | ||
107 | + grub_register_command_lockdown ("outw", grub_cmd_write, | ||
108 | + N_("PORT VALUE [MASK]"), | ||
109 | + N_("Write 16-bit VALUE to PORT.")); | ||
110 | cmd_write_dword = | ||
111 | - grub_register_command ("outl", grub_cmd_write, | ||
112 | - N_("ADDR VALUE [MASK]"), | ||
113 | - N_("Write 32-bit VALUE to PORT.")); | ||
114 | + grub_register_command_lockdown ("outl", grub_cmd_write, | ||
115 | + N_("ADDR VALUE [MASK]"), | ||
116 | + N_("Write 32-bit VALUE to PORT.")); | ||
117 | } | ||
118 | |||
119 | GRUB_MOD_FINI(memrw) | ||
120 | diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c | ||
121 | index 98769ea..d401a6d 100644 | ||
122 | --- a/grub-core/commands/memrw.c | ||
123 | +++ b/grub-core/commands/memrw.c | ||
124 | @@ -22,6 +22,7 @@ | ||
125 | #include <grub/extcmd.h> | ||
126 | #include <grub/env.h> | ||
127 | #include <grub/i18n.h> | ||
128 | +#include <grub/lockdown.h> | ||
129 | |||
130 | GRUB_MOD_LICENSE ("GPLv3+"); | ||
131 | |||
132 | @@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw) | ||
133 | N_("ADDR"), N_("Read 32-bit value from ADDR."), | ||
134 | options); | ||
135 | cmd_write_byte = | ||
136 | - grub_register_command ("write_byte", grub_cmd_write, | ||
137 | - N_("ADDR VALUE [MASK]"), | ||
138 | - N_("Write 8-bit VALUE to ADDR.")); | ||
139 | + grub_register_command_lockdown ("write_byte", grub_cmd_write, | ||
140 | + N_("ADDR VALUE [MASK]"), | ||
141 | + N_("Write 8-bit VALUE to ADDR.")); | ||
142 | cmd_write_word = | ||
143 | - grub_register_command ("write_word", grub_cmd_write, | ||
144 | - N_("ADDR VALUE [MASK]"), | ||
145 | - N_("Write 16-bit VALUE to ADDR.")); | ||
146 | + grub_register_command_lockdown ("write_word", grub_cmd_write, | ||
147 | + N_("ADDR VALUE [MASK]"), | ||
148 | + N_("Write 16-bit VALUE to ADDR.")); | ||
149 | cmd_write_dword = | ||
150 | - grub_register_command ("write_dword", grub_cmd_write, | ||
151 | - N_("ADDR VALUE [MASK]"), | ||
152 | - N_("Write 32-bit VALUE to ADDR.")); | ||
153 | + grub_register_command_lockdown ("write_dword", grub_cmd_write, | ||
154 | + N_("ADDR VALUE [MASK]"), | ||
155 | + N_("Write 32-bit VALUE to ADDR.")); | ||
156 | } | ||
157 | |||
158 | GRUB_MOD_FINI(memrw) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch new file mode 100644 index 0000000000..c82423b8af --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch | |||
@@ -0,0 +1,70 @@ | |||
1 | From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 14 Oct 2020 16:33:42 +0200 | ||
4 | Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown | ||
5 | is enforced | ||
6 | |||
7 | The cutmem and badram commands can be used to remove EFI memory regions | ||
8 | and potentially disable the UEFI Secure Boot. Prevent the commands to be | ||
9 | registered if the GRUB is locked down. | ||
10 | |||
11 | Fixes: CVE-2020-27779 | ||
12 | |||
13 | Reported-by: Teddy Reed <teddy.reed@gmail.com> | ||
14 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
15 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
16 | |||
17 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9] | ||
18 | CVE: CVE-2020-27779 | ||
19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
20 | --- | ||
21 | docs/grub.texi | 4 ++++ | ||
22 | grub-core/mmap/mmap.c | 13 +++++++------ | ||
23 | 2 files changed, 11 insertions(+), 6 deletions(-) | ||
24 | |||
25 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
26 | index 47ac7ff..a1aaee6 100644 | ||
27 | --- a/docs/grub.texi | ||
28 | +++ b/docs/grub.texi | ||
29 | @@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns | ||
30 | that are often result of memory damage, due to physical distribution of memory | ||
31 | cells. | ||
32 | |||
33 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
34 | + This prevents removing EFI memory regions to potentially subvert the | ||
35 | + security mechanisms provided by the UEFI secure boot. | ||
36 | + | ||
37 | @node blocklist | ||
38 | @subsection blocklist | ||
39 | |||
40 | diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c | ||
41 | index 57b4e9a..7ebf32e 100644 | ||
42 | --- a/grub-core/mmap/mmap.c | ||
43 | +++ b/grub-core/mmap/mmap.c | ||
44 | @@ -20,6 +20,7 @@ | ||
45 | #include <grub/memory.h> | ||
46 | #include <grub/machine/memory.h> | ||
47 | #include <grub/err.h> | ||
48 | +#include <grub/lockdown.h> | ||
49 | #include <grub/misc.h> | ||
50 | #include <grub/mm.h> | ||
51 | #include <grub/command.h> | ||
52 | @@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut; | ||
53 | |||
54 | GRUB_MOD_INIT(mmap) | ||
55 | { | ||
56 | - cmd = grub_register_command ("badram", grub_cmd_badram, | ||
57 | - N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
58 | - N_("Declare memory regions as faulty (badram).")); | ||
59 | - cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem, | ||
60 | - N_("FROM[K|M|G] TO[K|M|G]"), | ||
61 | - N_("Remove any memory regions in specified range.")); | ||
62 | + cmd = grub_register_command_lockdown ("badram", grub_cmd_badram, | ||
63 | + N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"), | ||
64 | + N_("Declare memory regions as faulty (badram).")); | ||
65 | + cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem, | ||
66 | + N_("FROM[K|M|G] TO[K|M|G]"), | ||
67 | + N_("Remove any memory regions in specified range.")); | ||
68 | |||
69 | } | ||
70 | |||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch new file mode 100644 index 0000000000..e33c96a05b --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_2.patch | |||
@@ -0,0 +1,105 @@ | |||
1 | From 4ff1dfdf8c4c71bf4b0dd0488d9fa40ff2617f41 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 09:00:05 +0100 | ||
4 | Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs | ||
5 | when locked down | ||
6 | |||
7 | There are some more commands that should be restricted when the GRUB is | ||
8 | locked down. Following is the list of commands and reasons to restrict: | ||
9 | |||
10 | * fakebios: creates BIOS-like structures for backward compatibility with | ||
11 | existing OSes. This should not be allowed when locked down. | ||
12 | |||
13 | * loadbios: reads a BIOS dump from storage and loads it. This action | ||
14 | should not be allowed when locked down. | ||
15 | |||
16 | * devicetree: loads a Device Tree blob and passes it to the OS. It replaces | ||
17 | any Device Tree provided by the firmware. This also should | ||
18 | not be allowed when locked down. | ||
19 | |||
20 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
21 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
22 | |||
23 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=468a5699b249fe6816b4e7e86c5dc9d325c9b09e] | ||
24 | CVE: CVE-2020-27779 | ||
25 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
26 | --- | ||
27 | docs/grub.texi | 3 +++ | ||
28 | grub-core/commands/efi/loadbios.c | 16 ++++++++-------- | ||
29 | grub-core/loader/arm/linux.c | 6 +++--- | ||
30 | grub-core/loader/efi/fdt.c | 4 ++-- | ||
31 | 4 files changed, 16 insertions(+), 13 deletions(-) | ||
32 | |||
33 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
34 | index a1aaee6..ccf1908 100644 | ||
35 | --- a/docs/grub.texi | ||
36 | +++ b/docs/grub.texi | ||
37 | @@ -4236,6 +4236,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux | ||
38 | kernel. Does not perform merging with any device tree supplied by firmware, | ||
39 | but rather replaces it completely. | ||
40 | @ref{GNU/Linux}. | ||
41 | + | ||
42 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
43 | + This is done to prevent subverting various security mechanisms. | ||
44 | @end deffn | ||
45 | |||
46 | @node distrust | ||
47 | diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c | ||
48 | index d41d521..5c7725f 100644 | ||
49 | --- a/grub-core/commands/efi/loadbios.c | ||
50 | +++ b/grub-core/commands/efi/loadbios.c | ||
51 | @@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios; | ||
52 | |||
53 | GRUB_MOD_INIT(loadbios) | ||
54 | { | ||
55 | - cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios, | ||
56 | - 0, N_("Create BIOS-like structures for" | ||
57 | - " backward compatibility with" | ||
58 | - " existing OS.")); | ||
59 | - | ||
60 | - cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios, | ||
61 | - N_("BIOS_DUMP [INT10_DUMP]"), | ||
62 | - N_("Load BIOS dump.")); | ||
63 | + cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios, | ||
64 | + 0, N_("Create BIOS-like structures for" | ||
65 | + " backward compatibility with" | ||
66 | + " existing OS.")); | ||
67 | + | ||
68 | + cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios, | ||
69 | + N_("BIOS_DUMP [INT10_DUMP]"), | ||
70 | + N_("Load BIOS dump.")); | ||
71 | } | ||
72 | |||
73 | GRUB_MOD_FINI(loadbios) | ||
74 | diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c | ||
75 | index d70c174..ed23dc7 100644 | ||
76 | --- a/grub-core/loader/arm/linux.c | ||
77 | +++ b/grub-core/loader/arm/linux.c | ||
78 | @@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux) | ||
79 | 0, N_("Load Linux.")); | ||
80 | cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd, | ||
81 | 0, N_("Load initrd.")); | ||
82 | - cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree, | ||
83 | - /* TRANSLATORS: DTB stands for device tree blob. */ | ||
84 | - 0, N_("Load DTB file.")); | ||
85 | + cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, | ||
86 | + /* TRANSLATORS: DTB stands for device tree blob. */ | ||
87 | + 0, N_("Load DTB file.")); | ||
88 | my_mod = mod; | ||
89 | current_fdt = (const void *) grub_arm_firmware_get_boot_data (); | ||
90 | machine_type = grub_arm_firmware_get_machine_type (); | ||
91 | diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c | ||
92 | index ee9c559..003d07c 100644 | ||
93 | --- a/grub-core/loader/efi/fdt.c | ||
94 | +++ b/grub-core/loader/efi/fdt.c | ||
95 | @@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree; | ||
96 | GRUB_MOD_INIT (fdt) | ||
97 | { | ||
98 | cmd_devicetree = | ||
99 | - grub_register_command ("devicetree", grub_cmd_devicetree, 0, | ||
100 | - N_("Load DTB file.")); | ||
101 | + grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0, | ||
102 | + N_("Load DTB file.")); | ||
103 | } | ||
104 | |||
105 | GRUB_MOD_FINI (fdt) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch new file mode 100644 index 0000000000..f9a6a73ebc --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_3.patch | |||
@@ -0,0 +1,37 @@ | |||
1 | From e4f5c16f76e137b3beb6b61a6d2435e54fcb495c Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 22:59:59 +0100 | ||
4 | Subject: [PATCH] commands/setpci: Restrict setpci command when locked down | ||
5 | |||
6 | This command can set PCI devices register values, which makes it dangerous | ||
7 | in a locked down configuration. Restrict it so can't be used on this setup. | ||
8 | |||
9 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
10 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
11 | |||
12 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=58b77d4069823b44c5fa916fa8ddfc9c4cd51e02] | ||
13 | CVE: CVE-2020-27779 | ||
14 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
15 | --- | ||
16 | grub-core/commands/setpci.c | 8 ++++---- | ||
17 | 1 file changed, 4 insertions(+), 4 deletions(-) | ||
18 | |||
19 | diff --git a/grub-core/commands/setpci.c b/grub-core/commands/setpci.c | ||
20 | index d5bc97d..fa2ba7d 100644 | ||
21 | --- a/grub-core/commands/setpci.c | ||
22 | +++ b/grub-core/commands/setpci.c | ||
23 | @@ -329,10 +329,10 @@ static grub_extcmd_t cmd; | ||
24 | |||
25 | GRUB_MOD_INIT(setpci) | ||
26 | { | ||
27 | - cmd = grub_register_extcmd ("setpci", grub_cmd_setpci, 0, | ||
28 | - N_("[-s POSITION] [-d DEVICE] [-v VAR] " | ||
29 | - "REGISTER[=VALUE[:MASK]]"), | ||
30 | - N_("Manipulate PCI devices."), options); | ||
31 | + cmd = grub_register_extcmd_lockdown ("setpci", grub_cmd_setpci, 0, | ||
32 | + N_("[-s POSITION] [-d DEVICE] [-v VAR] " | ||
33 | + "REGISTER[=VALUE[:MASK]]"), | ||
34 | + N_("Manipulate PCI devices."), options); | ||
35 | } | ||
36 | |||
37 | GRUB_MOD_FINI(setpci) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch new file mode 100644 index 0000000000..a756f8d1cf --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_4.patch | |||
@@ -0,0 +1,35 @@ | |||
1 | From 7949671de268ba3116d113778e5d770574e9f9e3 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 12:59:29 +0100 | ||
4 | Subject: [PATCH] commands/hdparm: Restrict hdparm command when locked down | ||
5 | |||
6 | The command can be used to get/set ATA disk parameters. Some of these can | ||
7 | be dangerous since change the disk behavior. Restrict it when locked down. | ||
8 | |||
9 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
10 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
11 | |||
12 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=5c97492a29c6063567b65ed1a069f5e6f4e211f0] | ||
13 | CVE: CVE-2020-27779 | ||
14 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
15 | --- | ||
16 | grub-core/commands/hdparm.c | 6 +++--- | ||
17 | 1 file changed, 3 insertions(+), 3 deletions(-) | ||
18 | |||
19 | diff --git a/grub-core/commands/hdparm.c b/grub-core/commands/hdparm.c | ||
20 | index d3fa966..2e2319e 100644 | ||
21 | --- a/grub-core/commands/hdparm.c | ||
22 | +++ b/grub-core/commands/hdparm.c | ||
23 | @@ -436,9 +436,9 @@ static grub_extcmd_t cmd; | ||
24 | |||
25 | GRUB_MOD_INIT(hdparm) | ||
26 | { | ||
27 | - cmd = grub_register_extcmd ("hdparm", grub_cmd_hdparm, 0, | ||
28 | - N_("[OPTIONS] DISK"), | ||
29 | - N_("Get/set ATA disk parameters."), options); | ||
30 | + cmd = grub_register_extcmd_lockdown ("hdparm", grub_cmd_hdparm, 0, | ||
31 | + N_("[OPTIONS] DISK"), | ||
32 | + N_("Get/set ATA disk parameters."), options); | ||
33 | } | ||
34 | |||
35 | GRUB_MOD_FINI(hdparm) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch new file mode 100644 index 0000000000..b52273ff50 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_5.patch | |||
@@ -0,0 +1,62 @@ | |||
1 | From 6993cce7c3a9d15e6573845f455d2f0de424a717 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 15:03:26 +0100 | ||
4 | Subject: [PATCH] gdb: Restrict GDB access when locked down | ||
5 | |||
6 | The gdbstub* commands allow to start and control a GDB stub running on | ||
7 | local host that can be used to connect from a remote debugger. Restrict | ||
8 | this functionality when the GRUB is locked down. | ||
9 | |||
10 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
11 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=508270838998f151a82e9c13e7cb8a470a2dc23d] | ||
14 | CVE: CVE-2020-27779 | ||
15 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
16 | --- | ||
17 | grub-core/gdb/gdb.c | 32 ++++++++++++++++++-------------- | ||
18 | 1 file changed, 18 insertions(+), 14 deletions(-) | ||
19 | |||
20 | diff --git a/grub-core/gdb/gdb.c b/grub-core/gdb/gdb.c | ||
21 | index 847a1e1..1818cb6 100644 | ||
22 | --- a/grub-core/gdb/gdb.c | ||
23 | +++ b/grub-core/gdb/gdb.c | ||
24 | @@ -75,20 +75,24 @@ static grub_command_t cmd, cmd_stop, cmd_break; | ||
25 | GRUB_MOD_INIT (gdb) | ||
26 | { | ||
27 | grub_gdb_idtinit (); | ||
28 | - cmd = grub_register_command ("gdbstub", grub_cmd_gdbstub, | ||
29 | - N_("PORT"), | ||
30 | - /* TRANSLATORS: GDB stub is a small part of | ||
31 | - GDB functionality running on local host | ||
32 | - which allows remote debugger to | ||
33 | - connect to it. */ | ||
34 | - N_("Start GDB stub on given port")); | ||
35 | - cmd_break = grub_register_command ("gdbstub_break", grub_cmd_gdb_break, | ||
36 | - /* TRANSLATORS: this refers to triggering | ||
37 | - a breakpoint so that the user will land | ||
38 | - into GDB. */ | ||
39 | - 0, N_("Break into GDB")); | ||
40 | - cmd_stop = grub_register_command ("gdbstub_stop", grub_cmd_gdbstop, | ||
41 | - 0, N_("Stop GDB stub")); | ||
42 | + cmd = grub_register_command_lockdown ("gdbstub", grub_cmd_gdbstub, | ||
43 | + N_("PORT"), | ||
44 | + /* | ||
45 | + * TRANSLATORS: GDB stub is a small part of | ||
46 | + * GDB functionality running on local host | ||
47 | + * which allows remote debugger to | ||
48 | + * connect to it. | ||
49 | + */ | ||
50 | + N_("Start GDB stub on given port")); | ||
51 | + cmd_break = grub_register_command_lockdown ("gdbstub_break", grub_cmd_gdb_break, | ||
52 | + /* | ||
53 | + * TRANSLATORS: this refers to triggering | ||
54 | + * a breakpoint so that the user will land | ||
55 | + * into GDB. | ||
56 | + */ | ||
57 | + 0, N_("Break into GDB")); | ||
58 | + cmd_stop = grub_register_command_lockdown ("gdbstub_stop", grub_cmd_gdbstop, | ||
59 | + 0, N_("Stop GDB stub")); | ||
60 | } | ||
61 | |||
62 | GRUB_MOD_FINI (gdb) | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch new file mode 100644 index 0000000000..474826ade5 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_6.patch | |||
@@ -0,0 +1,61 @@ | |||
1 | From 73f214761cff76a18a2a867976bdd3a9adb00b67 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Wed, 24 Feb 2021 14:44:38 +0100 | ||
4 | Subject: [PATCH] loader/xnu: Don't allow loading extension and packages when | ||
5 | locked down | ||
6 | |||
7 | The shim_lock verifier validates the XNU kernels but no its extensions | ||
8 | and packages. Prevent these to be loaded when the GRUB is locked down. | ||
9 | |||
10 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
11 | Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=9c5565135f12400a925ee901b25984e7af4442f5] | ||
14 | CVE: CVE-2020-27779 | ||
15 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
16 | --- | ||
17 | grub-core/loader/xnu.c | 31 +++++++++++++++++-------------- | ||
18 | 1 file changed, 17 insertions(+), 14 deletions(-) | ||
19 | |||
20 | diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c | ||
21 | index 77d7060..07232d2 100644 | ||
22 | --- a/grub-core/loader/xnu.c | ||
23 | +++ b/grub-core/loader/xnu.c | ||
24 | @@ -1482,20 +1482,23 @@ GRUB_MOD_INIT(xnu) | ||
25 | N_("Load XNU image.")); | ||
26 | cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64, | ||
27 | 0, N_("Load 64-bit XNU image.")); | ||
28 | - cmd_mkext = grub_register_command ("xnu_mkext", grub_cmd_xnu_mkext, 0, | ||
29 | - N_("Load XNU extension package.")); | ||
30 | - cmd_kext = grub_register_command ("xnu_kext", grub_cmd_xnu_kext, 0, | ||
31 | - N_("Load XNU extension.")); | ||
32 | - cmd_kextdir = grub_register_command ("xnu_kextdir", grub_cmd_xnu_kextdir, | ||
33 | - /* TRANSLATORS: OSBundleRequired is a | ||
34 | - variable name in xnu extensions | ||
35 | - manifests. It behaves mostly like | ||
36 | - GNU/Linux runlevels. | ||
37 | - */ | ||
38 | - N_("DIRECTORY [OSBundleRequired]"), | ||
39 | - /* TRANSLATORS: There are many extensions | ||
40 | - in extension directory. */ | ||
41 | - N_("Load XNU extension directory.")); | ||
42 | + cmd_mkext = grub_register_command_lockdown ("xnu_mkext", grub_cmd_xnu_mkext, 0, | ||
43 | + N_("Load XNU extension package.")); | ||
44 | + cmd_kext = grub_register_command_lockdown ("xnu_kext", grub_cmd_xnu_kext, 0, | ||
45 | + N_("Load XNU extension.")); | ||
46 | + cmd_kextdir = grub_register_command_lockdown ("xnu_kextdir", grub_cmd_xnu_kextdir, | ||
47 | + /* | ||
48 | + * TRANSLATORS: OSBundleRequired is | ||
49 | + * a variable name in xnu extensions | ||
50 | + * manifests. It behaves mostly like | ||
51 | + * GNU/Linux runlevels. | ||
52 | + */ | ||
53 | + N_("DIRECTORY [OSBundleRequired]"), | ||
54 | + /* | ||
55 | + * TRANSLATORS: There are many extensions | ||
56 | + * in extension directory. | ||
57 | + */ | ||
58 | + N_("Load XNU extension directory.")); | ||
59 | cmd_ramdisk = grub_register_command ("xnu_ramdisk", grub_cmd_xnu_ramdisk, 0, | ||
60 | /* TRANSLATORS: ramdisk here isn't identifier. It can be translated. */ | ||
61 | N_("Load XNU ramdisk. " | ||
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch new file mode 100644 index 0000000000..e5d372a2b1 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch | |||
@@ -0,0 +1,65 @@ | |||
1 | From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001 | ||
2 | From: Javier Martinez Canillas <javierm@redhat.com> | ||
3 | Date: Sat, 7 Nov 2020 01:03:18 +0100 | ||
4 | Subject: [PATCH] docs: Document the cutmem command | ||
5 | |||
6 | The command is not present in the docs/grub.texi user documentation. | ||
7 | |||
8 | Reported-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
9 | Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> | ||
10 | Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> | ||
11 | Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> | ||
12 | |||
13 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122] | ||
14 | CVE: CVE-2020-27779 | ||
15 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
16 | --- | ||
17 | docs/grub.texi | 21 +++++++++++++++++++++ | ||
18 | 1 file changed, 21 insertions(+) | ||
19 | |||
20 | diff --git a/docs/grub.texi b/docs/grub.texi | ||
21 | index ccf1908..ae85f55 100644 | ||
22 | --- a/docs/grub.texi | ||
23 | +++ b/docs/grub.texi | ||
24 | @@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help} | ||
25 | * cpuid:: Check for CPU features | ||
26 | * crc:: Compute or check CRC32 checksums | ||
27 | * cryptomount:: Mount a crypto device | ||
28 | +* cutmem:: Remove memory regions | ||
29 | * date:: Display or set current date and time | ||
30 | * devicetree:: Load a device tree blob | ||
31 | * distrust:: Remove a pubkey from trusted keys | ||
32 | @@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns | ||
33 | that are often result of memory damage, due to physical distribution of memory | ||
34 | cells. | ||
35 | |||
36 | +The command is similar to @command{cutmem} command. | ||
37 | + | ||
38 | Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
39 | This prevents removing EFI memory regions to potentially subvert the | ||
40 | security mechanisms provided by the UEFI secure boot. | ||
41 | @@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules | ||
42 | be used. | ||
43 | @end deffn | ||
44 | |||
45 | +@node cutmem | ||
46 | +@subsection cutmem | ||
47 | + | ||
48 | +@deffn Command cutmem from[K|M|G] to[K|M|G] | ||
49 | +Remove any memory regions in specified range. | ||
50 | +@end deffn | ||
51 | + | ||
52 | +This command notifies the memory manager that specified regions of RAM ought to | ||
53 | +be filtered out. This remains in effect after a payload kernel has been loaded | ||
54 | +by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels | ||
55 | +that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot | ||
56 | +kernels in general. | ||
57 | + | ||
58 | +The command is similar to @command{badram} command. | ||
59 | + | ||
60 | +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). | ||
61 | + This prevents removing EFI memory regions to potentially subvert the | ||
62 | + security mechanisms provided by the UEFI secure boot. | ||
63 | |||
64 | @node date | ||
65 | @subsection date | ||
diff --git a/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch new file mode 100644 index 0000000000..504352b4e3 --- /dev/null +++ b/meta/recipes-bsp/grub/files/no-insmod-on-sb.patch | |||
@@ -0,0 +1,107 @@ | |||
1 | From b5a6aa7d77439bfeb75f200abffe15c6f685c907 Mon Sep 17 00:00:00 2001 | ||
2 | From: Matthew Garrett <mjg@redhat.com> | ||
3 | Date: Mon, 13 Jan 2014 12:13:09 +0000 | ||
4 | Subject: Don't permit loading modules on UEFI secure boot | ||
5 | |||
6 | Author: Colin Watson <cjwatson@ubuntu.com> | ||
7 | Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub-2.00-no-insmod-on-sb.patch | ||
8 | Forwarded: no | ||
9 | Last-Update: 2013-12-25 | ||
10 | |||
11 | Patch-Name: no-insmod-on-sb.patch | ||
12 | |||
13 | Upstream-Status: Inappropriate [other, https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch] | ||
14 | |||
15 | Backport of a Debian (and Fedora) patch implementing a way to get secure boot status | ||
16 | for CVE-2020-14372_4.patch. The upstream solution has too many dependencies to backport. | ||
17 | Source: https://salsa.debian.org/grub-team/grub/-/blob/debian/2.04-20/debian/patches/no-insmod-on-sb.patch | ||
18 | |||
19 | Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> | ||
20 | --- | ||
21 | grub-core/kern/dl.c | 13 +++++++++++++ | ||
22 | grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ | ||
23 | include/grub/efi/efi.h | 1 + | ||
24 | 3 files changed, 42 insertions(+) | ||
25 | |||
26 | diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c | ||
27 | index 48eb5e7b6..074dfc3c6 100644 | ||
28 | --- a/grub-core/kern/dl.c | ||
29 | +++ b/grub-core/kern/dl.c | ||
30 | @@ -38,6 +38,10 @@ | ||
31 | #define GRUB_MODULES_MACHINE_READONLY | ||
32 | #endif | ||
33 | |||
34 | +#ifdef GRUB_MACHINE_EFI | ||
35 | +#include <grub/efi/efi.h> | ||
36 | +#endif | ||
37 | + | ||
38 | |||
39 | |||
40 | #pragma GCC diagnostic ignored "-Wcast-align" | ||
41 | @@ -686,6 +690,15 @@ grub_dl_load_file (const char *filename) | ||
42 | void *core = 0; | ||
43 | grub_dl_t mod = 0; | ||
44 | |||
45 | +#ifdef GRUB_MACHINE_EFI | ||
46 | + if (grub_efi_secure_boot ()) | ||
47 | + { | ||
48 | + grub_error (GRUB_ERR_ACCESS_DENIED, | ||
49 | + "Secure Boot forbids loading module from %s", filename); | ||
50 | + return 0; | ||
51 | + } | ||
52 | +#endif | ||
53 | + | ||
54 | grub_boot_time ("Loading module %s", filename); | ||
55 | |||
56 | file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE); | ||
57 | diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c | ||
58 | index 6e1ceb905..96204e39b 100644 | ||
59 | --- a/grub-core/kern/efi/efi.c | ||
60 | +++ b/grub-core/kern/efi/efi.c | ||
61 | @@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, | ||
62 | return NULL; | ||
63 | } | ||
64 | |||
65 | +grub_efi_boolean_t | ||
66 | +grub_efi_secure_boot (void) | ||
67 | +{ | ||
68 | + grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; | ||
69 | + grub_size_t datasize; | ||
70 | + char *secure_boot = NULL; | ||
71 | + char *setup_mode = NULL; | ||
72 | + grub_efi_boolean_t ret = 0; | ||
73 | + | ||
74 | + secure_boot = grub_efi_get_variable ("SecureBoot", &efi_var_guid, &datasize); | ||
75 | + | ||
76 | + if (datasize != 1 || !secure_boot) | ||
77 | + goto out; | ||
78 | + | ||
79 | + setup_mode = grub_efi_get_variable ("SetupMode", &efi_var_guid, &datasize); | ||
80 | + | ||
81 | + if (datasize != 1 || !setup_mode) | ||
82 | + goto out; | ||
83 | + | ||
84 | + if (*secure_boot && !*setup_mode) | ||
85 | + ret = 1; | ||
86 | + | ||
87 | + out: | ||
88 | + grub_free (secure_boot); | ||
89 | + grub_free (setup_mode); | ||
90 | + return ret; | ||
91 | +} | ||
92 | + | ||
93 | #pragma GCC diagnostic ignored "-Wcast-align" | ||
94 | |||
95 | /* Search the mods section from the PE32/PE32+ image. This code uses | ||
96 | diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h | ||
97 | index e90e00dc4..a237952b3 100644 | ||
98 | --- a/include/grub/efi/efi.h | ||
99 | +++ b/include/grub/efi/efi.h | ||
100 | @@ -82,6 +82,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var, | ||
101 | const grub_efi_guid_t *guid, | ||
102 | void *data, | ||
103 | grub_size_t datasize); | ||
104 | +grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void); | ||
105 | int | ||
106 | EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, | ||
107 | const grub_efi_device_path_t *dp2); | ||