109 lines
4.2 KiB
Diff
109 lines
4.2 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
Date: Wed, 24 Feb 2021 09:00:05 +0100
|
|
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
|
|
when locked down
|
|
|
|
There are some more commands that should be restricted when the GRUB is
|
|
locked down. Following is the list of commands and reasons to restrict:
|
|
|
|
* fakebios: creates BIOS-like structures for backward compatibility with
|
|
existing OSes. This should not be allowed when locked down.
|
|
|
|
* loadbios: reads a BIOS dump from storage and loads it. This action
|
|
should not be allowed when locked down.
|
|
|
|
* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
|
|
any Device Tree provided by the firmware. This also should
|
|
not be allowed when locked down.
|
|
|
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
---
|
|
grub-core/commands/efi/loadbios.c | 14 +++++++-------
|
|
grub-core/loader/arm/linux.c | 6 +++---
|
|
grub-core/loader/efi/fdt.c | 4 ++--
|
|
docs/grub.texi | 6 ++++--
|
|
4 files changed, 16 insertions(+), 14 deletions(-)
|
|
|
|
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
|
index d41d521a4..5c7725f8b 100644
|
|
--- a/grub-core/commands/efi/loadbios.c
|
|
+++ b/grub-core/commands/efi/loadbios.c
|
|
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
|
|
|
GRUB_MOD_INIT(loadbios)
|
|
{
|
|
- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
|
|
- 0, N_("Create BIOS-like structures for"
|
|
- " backward compatibility with"
|
|
- " existing OS."));
|
|
+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
|
|
+ 0, N_("Create BIOS-like structures for"
|
|
+ " backward compatibility with"
|
|
+ " existing OS."));
|
|
|
|
- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
|
|
- N_("BIOS_DUMP [INT10_DUMP]"),
|
|
- N_("Load BIOS dump."));
|
|
+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
|
|
+ N_("BIOS_DUMP [INT10_DUMP]"),
|
|
+ N_("Load BIOS dump."));
|
|
}
|
|
|
|
GRUB_MOD_FINI(loadbios)
|
|
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
|
index 1e944a2b6..653f2e076 100644
|
|
--- a/grub-core/loader/arm/linux.c
|
|
+++ b/grub-core/loader/arm/linux.c
|
|
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
|
|
0, N_("Load Linux."));
|
|
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
|
0, N_("Load initrd."));
|
|
- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
|
|
- /* TRANSLATORS: DTB stands for device tree blob. */
|
|
- 0, N_("Load DTB file."));
|
|
+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
|
|
+ /* TRANSLATORS: DTB stands for device tree blob. */
|
|
+ 0, N_("Load DTB file."));
|
|
my_mod = mod;
|
|
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
|
machine_type = grub_arm_firmware_get_machine_type ();
|
|
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
|
index e3ee3ad79..64c560f56 100644
|
|
--- a/grub-core/loader/efi/fdt.c
|
|
+++ b/grub-core/loader/efi/fdt.c
|
|
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
|
|
GRUB_MOD_INIT (fdt)
|
|
{
|
|
cmd_devicetree =
|
|
- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
|
|
- N_("Load DTB file."));
|
|
+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
|
|
+ N_("Load DTB file."));
|
|
}
|
|
|
|
GRUB_MOD_FINI (fdt)
|
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
index f1675b614..c55452307 100644
|
|
--- a/docs/grub.texi
|
|
+++ b/docs/grub.texi
|
|
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
|
|
|
|
|
|
@node devicetree
|
|
-@subsection linux
|
|
+@subsection devicetree
|
|
|
|
@deffn Command devicetree file
|
|
Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
|
|
kernel. Does not perform merging with any device tree supplied by firmware,
|
|
but rather replaces it completely.
|
|
-@ref{GNU/Linux}.
|
|
+
|
|
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
|
+ This is done to prevent subverting various security mechanisms.
|
|
@end deffn
|
|
|
|
@node distrust
|