Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
grub2.26837
0012-commands-Restrict-commands-that-can-load-B...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0012-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch of Package grub2.26837
From 24def34e1307fccdc5f8dfa0f940cb470b7cca74 Mon Sep 17 00:00:00 2001 From: Javier Martinez Canillas <javierm@redhat.com> Date: Wed, 24 Feb 2021 09:00:05 +0100 Subject: [PATCH 12/41] commands: Restrict commands that can load BIOS or DT blobs when locked down There are some more commands that should be restricted when the GRUB is locked down. Following is the list of commands and reasons to restrict: * fakebios: creates BIOS-like structures for backward compatibility with existing OSes. This should not be allowed when locked down. * loadbios: reads a BIOS dump from storage and loads it. This action should not be allowed when locked down. * devicetree: loads a Device Tree blob and passes it to the OS. It replaces any Device Tree provided by the firmware. This also should not be allowed when locked down. Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> --- docs/grub.texi | 3 +++ grub-core/commands/efi/loadbios.c | 16 ++++++++-------- grub-core/loader/arm/linux.c | 6 +++--- grub-core/loader/arm64/fdt.c | 4 ++-- 4 files changed, 16 insertions(+), 13 deletions(-) diff --git a/docs/grub.texi b/docs/grub.texi index 8089f3925..400f5ce6b 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -4157,6 +4157,9 @@ Load a device tree blob (.dtb) from a filesystem, for later use by a Linux kernel. Does not perform merging with any device tree supplied by firmware, but rather replaces it completely. @ref{GNU/Linux}. + +Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). + This is done to prevent subverting various security mechanisms. @end deffn @node distrust diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c index 132cadbc7..3da4c26df 100644 --- a/grub-core/commands/efi/loadbios.c +++ b/grub-core/commands/efi/loadbios.c @@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios; GRUB_MOD_INIT(loadbios) { - cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios, - 0, N_("Create BIOS-like structures for" - " backward compatibility with" - " existing OS.")); - - cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios, - N_("BIOS_DUMP [INT10_DUMP]"), - N_("Load BIOS dump.")); + cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios, + 0, N_("Create BIOS-like structures for" + " backward compatibility with" + " existing OS.")); + + cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios, + N_("BIOS_DUMP [INT10_DUMP]"), + N_("Load BIOS dump.")); } GRUB_MOD_FINI(loadbios) diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c index 996407ea0..24b7022a3 100644 --- a/grub-core/loader/arm/linux.c +++ b/grub-core/loader/arm/linux.c @@ -513,9 +513,9 @@ GRUB_MOD_INIT (linux) 0, N_("Load Linux.")); cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd, 0, N_("Load initrd.")); - cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree, - /* TRANSLATORS: DTB stands for device tree blob. */ - 0, N_("Load DTB file.")); + cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, + /* TRANSLATORS: DTB stands for device tree blob. */ + 0, N_("Load DTB file.")); my_mod = mod; fdt_addr = (void *) grub_arm_firmware_get_boot_data (); machine_type = grub_arm_firmware_get_machine_type (); diff --git a/grub-core/loader/arm64/fdt.c b/grub-core/loader/arm64/fdt.c index db49cf649..3a2bb0df6 100644 --- a/grub-core/loader/arm64/fdt.c +++ b/grub-core/loader/arm64/fdt.c @@ -153,8 +153,8 @@ static grub_command_t cmd_devicetree; GRUB_MOD_INIT (fdt) { cmd_devicetree = - grub_register_command ("devicetree", grub_cmd_devicetree, 0, - N_("Load DTB file.")); + grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0, + N_("Load DTB file.")); } GRUB_MOD_FINI (fdt) -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor