Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Step:FrontRunner
grub2.16807
0001-linuxefi-fail-kernel-validation-without-sh...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch of Package grub2.16807
From 9ead33bd4bd6ca37ad0e5cb12ad51572e4e1f0b8 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov <xnox@ubuntu.com> Date: Mon, 17 Aug 2020 22:21:06 +0800 Subject: [PATCH] linuxefi: fail kernel validation without shim protocol. If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This version of the patch skips calling verification, when booted without secureboot. And is indented with gnu ident. CVE-2020-15705 Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com> Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> --- grub-core/loader/i386/efi/linux.c | 40 +++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c index 27dea343c..a2895c4ca 100644 --- a/grub-core/loader/i386/efi/linux.c +++ b/grub-core/loader/i386/efi/linux.c @@ -50,21 +50,35 @@ struct grub_efi_shim_lock }; typedef struct grub_efi_shim_lock grub_efi_shim_lock_t; -static grub_efi_boolean_t +// Returns 1 on success, -1 on error, 0 when not available +static int grub_linuxefi_secure_validate (void *data, grub_uint32_t size) { grub_efi_guid_t guid = SHIM_LOCK_GUID; grub_efi_shim_lock_t *shim_lock; + grub_efi_status_t status; shim_lock = grub_efi_locate_protocol(&guid, NULL); - + grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock); if (!shim_lock) - return 1; + { + grub_dprintf ("secureboot", "shim not available\n"); + return 0; + } - if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS) - return 1; + grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n"); + status = shim_lock->verify (data, size); + grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status); + if (status == GRUB_EFI_SUCCESS) + { + grub_dprintf ("secureboot", "Kernel signature verification passed\n"); + return 1; + } + + grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n", + (unsigned long) status); - return 0; + return -1; } typedef void(*handover_func)(void *, grub_efi_system_table_t *, struct linux_kernel_params *); @@ -221,11 +235,17 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), grub_tpm_measure (kernel, filelen, GRUB_BINARY_PCR, "grub_linuxefi", "Kernel"); - if (! grub_linuxefi_secure_validate (kernel, filelen)) + if (grub_efi_secure_boot ()) { - grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]); - grub_free (kernel); - goto fail; + int rc; + + rc = grub_linuxefi_secure_validate (kernel, filelen); + if (rc <= 0) + { + grub_error (GRUB_ERR_INVALID_COMMAND, + N_("%s has invalid signature"), argv[0]); + goto fail; + } } grub_file_seek (file, 0); -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor