From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Dimitri John Ledkov Date: Thu, 3 Mar 2022 13:10:56 +0100 Subject: [PATCH] grub-core/loader/i386/efi/linux.c: do not validate kernels twice On codebases that have shim-lock-verifier built into the grub core (like 2.06 upstream), shim-lock-verifier is in enforcing mode when booted with secureboot. It means that grub_cmd_linux() command attempts to perform shim validate upon opening linux kernel image, including kernel measurement. And the verifier correctly returns file open error when shim validate protocol is not present or shim fails to validate the kernel. This makes the call to grub_linuxefi_secure_validate() redundant, but also harmful. As validating the kernel image twice, extends the PCRs with the same measurement twice. Which breaks existing sealing policies when upgrading from grub2.04+rhboot+sb+linuxefi to grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure the kernel twice. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. This patch is tested to ensure that unsigned kernels are not possible to boot in secureboot mode when shim rejects kernel, or shim protocol is missing, and that the measurements become stable once again. The above also ensures that CVE-2020-15705 is not reintroduced. Signed-off-by: Dimitri John Ledkov --- grub-core/loader/i386/efi/linux.c | 13 ------------- 1 file changed, 13 deletions(-) diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c index 3cf0f9b330..941df6400b 100644 --- a/grub-core/loader/i386/efi/linux.c +++ b/grub-core/loader/i386/efi/linux.c @@ -30,7 +30,6 @@ #include #include #include -#include GRUB_MOD_LICENSE ("GPLv3+"); @@ -278,7 +277,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), grub_ssize_t start, filelen; void *kernel = NULL; int setup_header_end_offset; - int rc; grub_dl_ref (my_mod); @@ -308,17 +306,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), goto fail; } - if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED) - { - rc = grub_linuxefi_secure_validate (kernel, filelen); - if (rc <= 0) - { - grub_error (GRUB_ERR_INVALID_COMMAND, - N_("%s has invalid signature"), argv[0]); - goto fail; - } - } - lh = (struct linux_i386_kernel_header *)kernel; grub_dprintf ("linux", "original lh is at %p\n", kernel);