From 5598b7f41e5e5205b7e57001258c1921e98f36e0 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Mon, 22 Oct 2012 14:44:52 -0400 Subject: [PATCH 1/3] Bump release as well... Signed-off-by: Peter Jones --- grub2.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/grub2.spec b/grub2.spec index 8c64265c..0be276ec 100644 --- a/grub2.spec +++ b/grub2.spec @@ -41,7 +41,7 @@ Name: grub2 Epoch: 1 Version: 2.00 -Release: 10%{?dist} +Release: 11%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base @@ -425,7 +425,7 @@ fi %doc grub-%{tarversion}/themes/starfield/COPYING.CC-BY-SA-3.0 %changelog -* Mon Oct 22 2012 Peter Jones - 2.00-10 +* Mon Oct 22 2012 Peter Jones - 2.00-11 - Rebuild with newer pesign so we'll get signed with the final signing keys. * Thu Oct 18 2012 Peter Jones - 2.00-10 From a47bcbb09936813028fb5257805d85c48e08ee52 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 23 Oct 2012 10:45:04 -0400 Subject: [PATCH 2/3] Do a better job of preventing insmod on secure boot systems. Signed-off-by: Peter Jones --- grub-2.00-no-insmod-on-sb.patch | 73 +++++++++++++++++++++------------ 1 file changed, 46 insertions(+), 27 deletions(-) diff --git a/grub-2.00-no-insmod-on-sb.patch b/grub-2.00-no-insmod-on-sb.patch index 828ce811..1bfd6f8c 100644 --- a/grub-2.00-no-insmod-on-sb.patch +++ b/grub-2.00-no-insmod-on-sb.patch 
@@ -1,43 +1,62 @@ -From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Wed, 15 Aug 2012 09:53:05 -0400 -Subject: [PATCH] Don't permit insmod on secure boot +From 8a2a8d6021d926f00c5f85dab2d66f4ed8be86a2 Mon Sep 17 00:00:00 2001 +From: Colin Watson +Date: Tue, 23 Oct 2012 10:40:49 -0400 +Subject: [PATCH] Don't allow insmod when secure boot is enabled. +Hi, + +Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine +as far as it goes. However, the insmod command is not the only way that +modules can be loaded. In particular, the 'normal' command, which +implements the usual GRUB menu and the fully-featured command prompt, +will implicitly load commands not currently loaded into memory. This +permits trivial Secure Boot violations by writing commands implementing +whatever you want to do and pointing $prefix at the malicious code. + +I'm currently test-building this patch (replacing your current +grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It +moves the check into grub_dl_load_file. 
--- - grub-core/kern/corecmd.c | 9 +++++++++ + grub-core/kern/dl.c | 17 +++++++++++++++++ grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ include/grub/efi/efi.h | 1 + - 3 files changed, 38 insertions(+) + 3 files changed, 46 insertions(+) -diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c -index eec575c..3df9dbd 100644 ---- a/grub-core/kern/corecmd.c -+++ b/grub-core/kern/corecmd.c -@@ -28,6 +28,10 @@ - #include - #include +diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c +index a498682..2578fce 100644 +--- a/grub-core/kern/dl.c ++++ b/grub-core/kern/dl.c +@@ -43,6 +43,10 @@ + #include + #endif +#ifdef GRUB_MACHINE_EFI +#include +#endif + - /* set ENVVAR=VALUE */ - static grub_err_t - grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)), -@@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_command *cmd __attribute__ ((unused)), - { - grub_dl_t mod; + + + #pragma GCC diagnostic ignored "-Wcast-align" +@@ -721,6 +725,19 @@ grub_dl_load_file (const char *filename) + void *core = 0; + grub_dl_t mod = 0; +#ifdef GRUB_MACHINE_EFI -+ if (grub_efi_secure_boot()) { -+ //grub_printf("%s\n", N_("Secure Boot forbids insmod")); -+ return 0; -+ } ++ if (grub_efi_secure_boot ()) ++ { ++#if 0 ++ /* This is an error, but grub2-mkconfig still generates a pile of ++ * insmod commands, so emitting it would be mostly just obnoxious. */ ++ grub_error (GRUB_ERR_ACCESS_DENIED, ++ "Secure Boot forbids loading module from %s", filename); ++#endif ++ return 0; ++ } +#endif + - if (argc == 0) - return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); - + file = grub_file_open (filename); + if (! file) + return 0; diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c index 820968f..ad7aa8d 100644 --- a/grub-core/kern/efi/efi.c @@ -90,5 +109,5 @@ index 9370fd5..a000c38 100644 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, const grub_efi_device_path_t *dp2); -- -1.7.11.2 +1.7.12.1 
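Review bot: The Secure Boot branch added to `grub_dl_load_file` returns 0 while the `grub_error` call is compiled out under `#if 0`, so this path leaves `grub_errno` untouched and a refused load looks like success to any caller that only inspects the error state; nothing records that policy blocked the module. Moving the check here does cover the implicit-load path the description names, but the refusal should stay observable: replace the dead `#if 0` block with a debug trace such as `grub_dprintf ("modules", "Secure Boot forbids loading module from %s\n", filename);`, which stays quiet for the insmod lines grub2-mkconfig generates unless debugging is turned on. Callers presumably already cope with a null module, since the `grub_file_open` failure path below also returns 0, but that is not visible here because the function body continues outside the hunk. Entry points that load a module from memory rather than from a file are not touched by this hunk; if any are reachable after the signed core image has started, they would need the same gate.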
From 478803371405407b7a8055b8fe98012ad585a022 Mon Sep 17 00:00:00 2001 From: Peter Jones Date: Tue, 23 Oct 2012 10:49:39 -0400 Subject: [PATCH 3/3] Don't load modules when grub transitions to "normal" mode on UEFI. Signed-off-by: Peter Jones --- grub2.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/grub2.spec b/grub2.spec index 0be276ec..047632a4 100644 --- a/grub2.spec +++ b/grub2.spec @@ -41,7 +41,7 @@ Name: grub2 Epoch: 1 Version: 2.00 -Release: 11%{?dist} +Release: 12%{?dist} Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base @@ -425,6 +425,9 @@ fi %doc grub-%{tarversion}/themes/starfield/COPYING.CC-BY-SA-3.0 %changelog +* Tue Oct 23 2012 Peter Jones - 2.00-12 +- Don't load modules when grub transitions to "normal" mode on UEFI. + * Mon Oct 22 2012 Peter Jones - 2.00-11 - Rebuild with newer pesign so we'll get signed with the final signing keys.