Do a better job of preventing insmod on secure boot systems.
Signed-off-by: Peter Jones <pjones@redhat.com>
This commit is contained in:
parent
5598b7f41e
commit
a47bcbb099
@ -1,43 +1,62 @@
|
|||||||
From 7a65d7b558974c89f19afaf0d78b54dc0327f56c Mon Sep 17 00:00:00 2001
|
From 8a2a8d6021d926f00c5f85dab2d66f4ed8be86a2 Mon Sep 17 00:00:00 2001
|
||||||
From: Matthew Garrett <mjg@redhat.com>
|
From: Colin Watson <cjwatson@ubuntu.com>
|
||||||
Date: Wed, 15 Aug 2012 09:53:05 -0400
|
Date: Tue, 23 Oct 2012 10:40:49 -0400
|
||||||
Subject: [PATCH] Don't permit insmod on secure boot
|
Subject: [PATCH] Don't allow insmod when secure boot is enabled.
|
||||||
|
|
||||||
|
Hi,
|
||||||
|
|
||||||
|
Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine
|
||||||
|
as far as it goes. However, the insmod command is not the only way that
|
||||||
|
modules can be loaded. In particular, the 'normal' command, which
|
||||||
|
implements the usual GRUB menu and the fully-featured command prompt,
|
||||||
|
will implicitly load commands not currently loaded into memory. This
|
||||||
|
permits trivial Secure Boot violations by writing commands implementing
|
||||||
|
whatever you want to do and pointing $prefix at the malicious code.
|
||||||
|
|
||||||
|
I'm currently test-building this patch (replacing your current
|
||||||
|
grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It
|
||||||
|
moves the check into grub_dl_load_file.
|
||||||
---
|
---
|
||||||
grub-core/kern/corecmd.c | 9 +++++++++
|
grub-core/kern/dl.c | 17 +++++++++++++++++
|
||||||
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
||||||
include/grub/efi/efi.h | 1 +
|
include/grub/efi/efi.h | 1 +
|
||||||
3 files changed, 38 insertions(+)
|
3 files changed, 46 insertions(+)
|
||||||
|
|
||||||
diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
|
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
|
||||||
index eec575c..3df9dbd 100644
|
index a498682..2578fce 100644
|
||||||
--- a/grub-core/kern/corecmd.c
|
--- a/grub-core/kern/dl.c
|
||||||
+++ b/grub-core/kern/corecmd.c
|
+++ b/grub-core/kern/dl.c
|
||||||
@@ -28,6 +28,10 @@
|
@@ -43,6 +43,10 @@
|
||||||
#include <grub/command.h>
|
#include <sys/mman.h>
|
||||||
#include <grub/i18n.h>
|
#endif
|
||||||
|
|
||||||
+#ifdef GRUB_MACHINE_EFI
|
+#ifdef GRUB_MACHINE_EFI
|
||||||
+#include <grub/efi/efi.h>
|
+#include <grub/efi/efi.h>
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
/* set ENVVAR=VALUE */
|
|
||||||
static grub_err_t
|
|
||||||
grub_core_cmd_set (struct grub_command *cmd __attribute__ ((unused)),
|
#pragma GCC diagnostic ignored "-Wcast-align"
|
||||||
@@ -81,6 +85,13 @@ grub_core_cmd_insmod (struct grub_command *cmd __attribute__ ((unused)),
|
@@ -721,6 +725,19 @@ grub_dl_load_file (const char *filename)
|
||||||
{
|
void *core = 0;
|
||||||
grub_dl_t mod;
|
grub_dl_t mod = 0;
|
||||||
|
|
||||||
+#ifdef GRUB_MACHINE_EFI
|
+#ifdef GRUB_MACHINE_EFI
|
||||||
+ if (grub_efi_secure_boot()) {
|
+ if (grub_efi_secure_boot ())
|
||||||
+ //grub_printf("%s\n", N_("Secure Boot forbids insmod"));
|
+ {
|
||||||
+ return 0;
|
+#if 0
|
||||||
+ }
|
+ /* This is an error, but grub2-mkconfig still generates a pile of
|
||||||
|
+ * insmod commands, so emitting it would be mostly just obnoxious. */
|
||||||
|
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ "Secure Boot forbids loading module from %s", filename);
|
||||||
|
+#endif
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
+#endif
|
+#endif
|
||||||
+
|
+
|
||||||
if (argc == 0)
|
file = grub_file_open (filename);
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
if (! file)
|
||||||
|
return 0;
|
||||||
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
||||||
index 820968f..ad7aa8d 100644
|
index 820968f..ad7aa8d 100644
|
||||||
--- a/grub-core/kern/efi/efi.c
|
--- a/grub-core/kern/efi/efi.c
|
||||||
@ -90,5 +109,5 @@ index 9370fd5..a000c38 100644
|
|||||||
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
|
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
|
||||||
const grub_efi_device_path_t *dp2);
|
const grub_efi_device_path_t *dp2);
|
||||||
--
|
--
|
||||||
1.7.11.2
|
1.7.12.1
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user