Merge branch 'f18'
Conflicts: grub2.spec Signed-off-by: Peter Jones <pjones@redhat.com>
		
						commit
						1f0786299e
					
				| @ -1,43 +1,62 @@ | |||||||
| From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001 | From 8a2a8d6021d926f00c5f85dab2d66f4ed8be86a2 Mon Sep 17 00:00:00 2001 | ||||||
| From: Matthew Garrett <mjg@redhat.com> | From: Colin Watson <cjwatson@ubuntu.com> | ||||||
| Date: Wed, 15 Aug 2012 09:53:05 -0400 | Date: Tue, 23 Oct 2012 10:40:49 -0400 | ||||||
| Subject: [PATCH] Don't permit insmod on secure boot | Subject: [PATCH] Don't allow insmod when secure boot is enabled. | ||||||
| 
 | 
 | ||||||
|  | Hi, | ||||||
|  | 
 | ||||||
|  | Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine | ||||||
|  | as far as it goes.  However, the insmod command is not the only way that | ||||||
|  | modules can be loaded.  In particular, the 'normal' command, which | ||||||
|  | implements the usual GRUB menu and the fully-featured command prompt, | ||||||
|  | will implicitly load commands not currently loaded into memory.  This | ||||||
|  | permits trivial Secure Boot violations by writing commands implementing | ||||||
|  | whatever you want to do and pointing $prefix at the malicious code. | ||||||
|  | 
 | ||||||
|  | I'm currently test-building this patch (replacing your current | ||||||
|  | grub-2.00-no-insmod-on-sb.patch), but this should be more correct.  It | ||||||
|  | moves the check into grub_dl_load_file. | ||||||
| ---
 | ---
 | ||||||
|  grub-core/kern/corecmd.c |  9 +++++++++ |  grub-core/kern/dl.c      | 17 +++++++++++++++++ | ||||||
|  grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ |  grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++ | ||||||
|  include/grub/efi/efi.h   |  1 + |  include/grub/efi/efi.h   |  1 + | ||||||
|  3 files changed, 38 insertions(+) |  3 files changed, 46 insertions(+) | ||||||
| 
 | 
 | ||||||
| diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
 | diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
 | ||||||
| index eec575c..3df9dbd 100644
 | index a498682..2578fce 100644
 | ||||||
| --- a/grub-core/kern/corecmd.c
 | --- a/grub-core/kern/dl.c
 | ||||||
| +++ b/grub-core/kern/corecmd.c
 | +++ b/grub-core/kern/dl.c
 | ||||||
| @@ -28,6 +28,10 @@
 | @@ -43,6 +43,10 @@
 | ||||||
|  #include <grub/command.h> |  #include <sys/mman.h> | ||||||
|  #include <grub/i18n.h> |  #endif | ||||||
|   |   | ||||||
| +#ifdef GRUB_MACHINE_EFI
 | +#ifdef GRUB_MACHINE_EFI
 | ||||||
| +#include <grub/efi/efi.h>
 | +#include <grub/efi/efi.h>
 | ||||||
| +#endif
 | +#endif
 | ||||||
| +
 | +
 | ||||||
|  /* set ENVVAR=VALUE */ |   | ||||||
|  static grub_err_t |   | ||||||
|  grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)), |  #pragma GCC diagnostic ignored "-Wcast-align" | ||||||
| @@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_command *cmd __attribute__ ((unused)),
 | @@ -721,6 +725,19 @@ grub_dl_load_file (const char *filename)
 | ||||||
|  { |    void *core = 0; | ||||||
|    grub_dl_t mod; |    grub_dl_t mod = 0; | ||||||
|   |   | ||||||
| +#ifdef GRUB_MACHINE_EFI
 | +#ifdef GRUB_MACHINE_EFI
 | ||||||
| +  if (grub_efi_secure_boot()) {
 | +  if (grub_efi_secure_boot ())
 | ||||||
| +    //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
 | +    {
 | ||||||
| +    return 0;
 | +#if 0
 | ||||||
| +  }
 | +      /* This is an error, but grub2-mkconfig still generates a pile of
 | ||||||
|  | +       * insmod commands, so emitting it would be mostly just obnoxious. */
 | ||||||
|  | +      grub_error (GRUB_ERR_ACCESS_DENIED,
 | ||||||
|  | +		  "Secure Boot forbids loading module from %s", filename);
 | ||||||
|  | +#endif
 | ||||||
|  | +      return 0;
 | ||||||
|  | +    }
 | ||||||
| +#endif
 | +#endif
 | ||||||
| +
 | +
 | ||||||
|    if (argc == 0) |    file = grub_file_open (filename); | ||||||
|      return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected")); |    if (! file) | ||||||
|   |      return 0; | ||||||
| diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
 | diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
 | ||||||
| index 820968f..ad7aa8d 100644
 | index 820968f..ad7aa8d 100644
 | ||||||
| --- a/grub-core/kern/efi/efi.c
 | --- a/grub-core/kern/efi/efi.c
 | ||||||
| @ -90,5 +109,5 @@ index 9370fd5..a000c38 100644 | |||||||
|  EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, |  EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1, | ||||||
|  					     const grub_efi_device_path_t *dp2); |  					     const grub_efi_device_path_t *dp2); | ||||||
| -- 
 | -- 
 | ||||||
| 1.7.11.2 | 1.7.12.1 | ||||||
| 
 | 
 | ||||||
|  | |||||||
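Review bot: In the new grub_dl_load_file hunk the Secure Boot branch returns 0 with the grub_error call compiled out under `#if 0`, so a refused module load leaves no error and no trace. Callers outside this hunk presumably see a null module with grub_errno unset and cannot tell a policy refusal from any other outcome, which makes a blocked load hard to spot when diagnosing a boot. Keeping the user-facing error suppressed is reasonable given the grub2-mkconfig comment, but a debug-only record would keep the denial observable, for example `grub_dprintf ("modules", "Secure Boot forbids loading module from %s\n", filename);` placed before `return 0;`. The body of grub_dl_load_file continues outside the hunk, so whether other load paths in dl.c need the same gate cannot be judged from here.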
| @ -41,7 +41,7 @@ | |||||||
| Name:           grub2 | Name:           grub2 | ||||||
| Epoch:          1 | Epoch:          1 | ||||||
| Version:        2.00 | Version:        2.00 | ||||||
| Release:        11%{?dist} | Release:        12%{?dist} | ||||||
| Summary:        Bootloader with support for Linux, Multiboot and more | Summary:        Bootloader with support for Linux, Multiboot and more | ||||||
| 
 | 
 | ||||||
| Group:          System Environment/Base | Group:          System Environment/Base | ||||||
| @ -425,6 +425,9 @@ fi | |||||||
| %doc grub-%{tarversion}/themes/starfield/COPYING.CC-BY-SA-3.0 | %doc grub-%{tarversion}/themes/starfield/COPYING.CC-BY-SA-3.0 | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Oct 23 2012 Peter Jones <pjones@redhat.com> - 2.00-12 | ||||||
|  | - Don't load modules when grub transitions to "normal" mode on UEFI. | ||||||
|  | 
 | ||||||
| * Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 2.00-11 | * Mon Oct 22 2012 Peter Jones <pjones@redhat.com> - 2.00-11 | ||||||
| - Rebuild with newer pesign so we'll get signed with the final signing keys. | - Rebuild with newer pesign so we'll get signed with the final signing keys. | ||||||
| 
 | 
 | ||||||
|  | |||||||