Do a better job of preventing insmod on secure boot systems.

Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
Peter Jones 2012-10-23 10:45:04 -04:00
parent 5598b7f41e
commit a47bcbb099

View File

@ -1,43 +1,62 @@
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg@redhat.com>
Date: Wed, 15 Aug 2012 09:53:05 -0400
Subject: [PATCH] Don't permit insmod on secure boot
From 8a2a8d6021d926f00c5f85dab2d66f4ed8be86a2 Mon Sep 17 00:00:00 2001
From: Colin Watson <cjwatson@ubuntu.com>
Date: Tue, 23 Oct 2012 10:40:49 -0400
Subject: [PATCH] Don't allow insmod when secure boot is enabled.
Hi,
Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine
as far as it goes. However, the insmod command is not the only way that
modules can be loaded. In particular, the 'normal' command, which
implements the usual GRUB menu and the fully-featured command prompt,
will implicitly load commands not currently loaded into memory. This
permits trivial Secure Boot violations by writing commands implementing
whatever you want to do and pointing $prefix at the malicious code.
I'm currently test-building this patch (replacing your current
grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It
moves the check into grub_dl_load_file.
---
grub-core/kern/corecmd.c | 9 +++++++++
grub-core/kern/dl.c | 17 +++++++++++++++++
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
include/grub/efi/efi.h | 1 +
3 files changed, 38 insertions(+)
3 files changed, 46 insertions(+)
diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
index eec575c..3df9dbd 100644
--- a/grub-core/kern/corecmd.c
+++ b/grub-core/kern/corecmd.c
@@ -28,6 +28,10 @@
#include <grub/command.h>
#include <grub/i18n.h>
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index a498682..2578fce 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -43,6 +43,10 @@
#include <sys/mman.h>
#endif
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
/* set ENVVAR=VALUE */
static grub_err_t
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
@@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_command *cmd __attribute__ ((unused)),
{
grub_dl_t mod;
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -721,6 +725,19 @@ grub_dl_load_file (const char *filename)
void *core = 0;
grub_dl_t mod = 0;
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot()) {
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
+ return 0;
+ }
+ if (grub_efi_secure_boot ())
+ {
+#if 0
+ /* This is an error, but grub2-mkconfig still generates a pile of
+ * insmod commands, so emitting it would be mostly just obnoxious. */
+ grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading module from %s", filename);
+#endif
+ return 0;
+ }
+#endif
+
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
file = grub_file_open (filename);
if (! file)
return 0;
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 820968f..ad7aa8d 100644
--- a/grub-core/kern/efi/efi.c
@ -90,5 +109,5 @@ index 9370fd5..a000c38 100644
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
const grub_efi_device_path_t *dp2);
--
1.7.11.2
1.7.12.1