File grub2-bsc1220338-key_protector-implement-the-blocklist.patch of Package grub2
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 18 Mar 2024 14:53:11 +0800
Subject: [PATCH] key_protector: implement the blocklist

Some architectures may need to do the additional check to avoid leaking the recovered key. This commit adds an additional check for the EFI system to detect the deprecated SystemdOptions variable. Once the variable is spotted, key_protector just returns without the further action for the key recovery.

Signed-off-by: Gary Lin <glin@suse.com>
---
 grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
 include/grub/efi/api.h | 5 +++++
 2 files changed, 36 insertions(+)

diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
index b84afe1c7..3d630ca4f 100644
--- a/grub-core/disk/key_protector.c
+++ b/grub-core/disk/key_protector.c
@@ -24,6 +24,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
 struct grub_key_protector *grub_key_protectors = NULL;
 grub_err_t
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
 return GRUB_ERR_NONE;
 }
+static grub_err_t
+grub_key_protector_check_blocklist (void)
+{
+#ifdef GRUB_MACHINE_EFI
+ static grub_guid_t systemd_guid = GRUB_EFI_SYSTEMD_GUID;
+ grub_efi_status_t status;
+ grub_size_t size = 0;
+ grub_uint8_t *systemdoptions = NULL;
+
+ /* SystemdOptions may contain malicious kernel command lines. */
+ status = grub_efi_get_variable ("SystemdOptions", &systemd_guid,
+ &size, (void **) &systemdoptions);
+ if (status != GRUB_EFI_NOT_FOUND)
+ {
+ grub_free (systemdoptions);
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("SystemdOptions detected"));
+ }
+#endif
+
+ return GRUB_ERR_NONE;
+}
+
 grub_err_t
 grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
 grub_size_t *key_size)
 {
 struct grub_key_protector *kp = NULL;
+ grub_err_t err;
 if (grub_key_protectors == NULL)
 return GRUB_ERR_OUT_OF_RANGE;
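Review bot: In grub_key_protector_check_blocklist every status other than GRUB_EFI_NOT_FOUND — presumably also a failed allocation or a firmware read error inside grub_efi_get_variable — is reported as `SystemdOptions detected`, which hides the real cause from whoever has to debug a refused key recovery. Failing closed on those statuses is the right default, so only the message should differ: test `if (status == GRUB_EFI_SUCCESS)` for the detected case and add `if (status != GRUB_EFI_NOT_FOUND) return grub_error (GRUB_ERR_ACCESS_DENIED, N_("cannot read SystemdOptions, refusing key recovery"));` after that branch. The new function also deserves a header comment above `static grub_err_t`, e.g. `/* Refuse key recovery while the deprecated SystemdOptions EFI variable exists: a kernel command line taken from it is outside the bootloader's control and could be used to expose the recovered key.  */`, since the in-body comment only says the variable may be malicious.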
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
 "Is the name spelled correctly and is the "
 "corresponding module loaded?"), protector);
+ err = grub_key_protector_check_blocklist ();
+ if (err != GRUB_ERR_NONE)
+ return err;
+
 return kp->recover_key (key, key_size);
 }
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 7947cf592..975b90b09 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -389,6 +389,11 @@
 { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
 }
+#define GRUB_EFI_SYSTEMD_GUID \
+ { 0x8cf2644b, 0x4b0b, 0x428f, \
+ { 0x93, 0x87, 0x6d, 0x87, 0x60, 0x50, 0xdc, 0x67 } \
+ }
+
 struct grub_efi_sal_system_table
 {
 grub_uint32_t signature;
-- 
2.35.3
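Review bot: The new GRUB_EFI_SYSTEMD_GUID macro in api.h carries no comment saying what the GUID identifies, so a reader cannot tell it apart from the separate loader-interface GUID that systemd also uses for its boot variables. A one-line comment above the `#define`, e.g. `/* Vendor GUID under which systemd stores its own EFI variables, such as SystemdOptions.  */`, ties the constant to the blocklist check in key_protector.c that consumes it.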