From c55481b8066a32afefdd4404b7ce5a7e8ebbb7cd Mon Sep 17 00:00:00 2001
From: Marta Rybczynska <rybczynska@gmail.com>
Date: Wed, 5 Jan 2022 09:40:50 +0100
Subject: grub: fix CVE-2020-14372 and CVE-2020-27779

Fix issues with grub in secure boot mode where an attacker could circumvent
secure boot by using acpi and cutmem commands. Also include patches fixing
similar issues.

Most patches are backported directly from grub. One patch
(no-insmod-on-sb.patch) comes from Debian, as the upstream implementation is
too complicated to backport.

CVE-2020-14372 description (from NVD [1]):
A flaw was found in grub2 in versions prior to 2.06, where it incorrectly
enables the usage of the ACPI command when Secure Boot is enabled.
This flaw allows an attacker with privileged access to craft a Secondary
System Description Table (SSDT) containing code to overwrite the Linux
kernel lockdown variable content directly into memory. The table is
further loaded and executed by the kernel, defeating its Secure Boot
lockdown and allowing the attacker to load unsigned code. The highest
threat from this vulnerability is to data confidentiality and integrity,
as well as system availability.

CVE-2020-27779 description (from NVD [2]):
A flaw was found in grub2 in versions prior to 2.06. The cutmem command
does not honor secure boot locking allowing an privileged attacker to
remove address ranges from memory creating an opportunity to circumvent
SecureBoot protections after proper triage about grub's memory layout.
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.

[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14372
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-27779

(From OE-Core rev: da6c0f3cfc920cea57cd409b17303bf735ccd68d)

Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
---
 meta/recipes-bsp/grub/files/CVE-2020-27779.patch | 70 ++++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 meta/recipes-bsp/grub/files/CVE-2020-27779.patch

(limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779.patch')

diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
new file mode 100644
index 0000000000..c82423b8af
--- /dev/null
+++ b/meta/recipes-bsp/grub/files/CVE-2020-27779.patch
@@ -0,0 +1,70 @@
+From 584263eca1546e5cab69ba6fe7b4b07df2630a21 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Wed, 14 Oct 2020 16:33:42 +0200
+Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
+ is enforced
+
+The cutmem and badram commands can be used to remove EFI memory regions
+and potentially disable the UEFI Secure Boot. Prevent the commands to be
+registered if the GRUB is locked down.
+
+Fixes: CVE-2020-27779
+
+Reported-by: Teddy Reed <teddy.reed@gmail.com>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+
+Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9]
+CVE: CVE-2020-27779
+Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
+---
+ docs/grub.texi        |  4 ++++
+ grub-core/mmap/mmap.c | 13 +++++++------
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 47ac7ff..a1aaee6 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -4051,6 +4051,10 @@ this page is to be filtered.  This syntax makes it easy to represent patterns
+ that are often result of memory damage, due to physical distribution of memory
+ cells.
+ 
++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
++      This prevents removing EFI memory regions to potentially subvert the
++      security mechanisms provided by the UEFI secure boot.
++
+ @node blocklist
+ @subsection blocklist
+ 
+diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
+index 57b4e9a..7ebf32e 100644
+--- a/grub-core/mmap/mmap.c
++++ b/grub-core/mmap/mmap.c
+@@ -20,6 +20,7 @@
+ #include <grub/memory.h>
+ #include <grub/machine/memory.h>
+ #include <grub/err.h>
++#include <grub/lockdown.h>
+ #include <grub/misc.h>
+ #include <grub/mm.h>
+ #include <grub/command.h>
+@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
+ 
+ GRUB_MOD_INIT(mmap)
+ {
+-  cmd = grub_register_command ("badram", grub_cmd_badram,
+-			       N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
+-			       N_("Declare memory regions as faulty (badram)."));
+-  cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
+-				   N_("FROM[K|M|G] TO[K|M|G]"),
+-				   N_("Remove any memory regions in specified range."));
++  cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
++                                        N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
++                                        N_("Declare memory regions as faulty (badram)."));
++  cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
++                                            N_("FROM[K|M|G] TO[K|M|G]"),
++                                            N_("Remove any memory regions in specified range."));
+ 
+ }
+ 
-- 
cgit v1.2.3-54-g00ecf