4dcaf21223
Resolves: rhbz#1125540
118 lines
3.5 KiB
Diff
118 lines
3.5 KiB
Diff
From fe7b32ab9e58470fdf930d8efc7c9ebcd69e6ef3 Mon Sep 17 00:00:00 2001
|
||
From: Colin Watson <cjwatson@ubuntu.com>
|
||
Date: Tue, 23 Oct 2012 10:40:49 -0400
|
||
Subject: [PATCH 093/143] Don't allow insmod when secure boot is enabled.
|
||
|
||
Hi,
|
||
|
||
Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine
|
||
as far as it goes. However, the insmod command is not the only way that
|
||
modules can be loaded. In particular, the 'normal' command, which
|
||
implements the usual GRUB menu and the fully-featured command prompt,
|
||
will implicitly load commands not currently loaded into memory. This
|
||
permits trivial Secure Boot violations by writing commands implementing
|
||
whatever you want to do and pointing $prefix at the malicious code.
|
||
|
||
I'm currently test-building this patch (replacing your current
|
||
grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It
|
||
moves the check into grub_dl_load_file.
|
||
---
|
||
grub-core/kern/dl.c | 21 +++++++++++++++++++++
|
||
grub-core/kern/efi/efi.c | 28 ++++++++++++++++++++++++++++
|
||
include/grub/efi/efi.h | 1 +
|
||
3 files changed, 50 insertions(+)
|
||
|
||
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
|
||
index 6850e04..b0b0405 100644
|
||
--- a/grub-core/kern/dl.c
|
||
+++ b/grub-core/kern/dl.c
|
||
@@ -38,6 +38,14 @@
|
||
#define GRUB_MODULES_MACHINE_READONLY
|
||
#endif
|
||
|
||
+#ifdef GRUB_MACHINE_EMU
|
||
+#include <sys/mman.h>
|
||
+#endif
|
||
+
|
||
+#ifdef GRUB_MACHINE_EFI
|
||
+#include <grub/efi/efi.h>
|
||
+#endif
|
||
+
|
||
|
||
|
||
#pragma GCC diagnostic ignored "-Wcast-align"
|
||
@@ -680,6 +688,19 @@ grub_dl_load_file (const char *filename)
|
||
void *core = 0;
|
||
grub_dl_t mod = 0;
|
||
|
||
+#ifdef GRUB_MACHINE_EFI
|
||
+ if (grub_efi_secure_boot ())
|
||
+ {
|
||
+#if 0
|
||
+ /* This is an error, but grub2-mkconfig still generates a pile of
|
||
+ * insmod commands, so emitting it would be mostly just obnoxious. */
|
||
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
||
+ "Secure Boot forbids loading module from %s", filename);
|
||
+#endif
|
||
+ return 0;
|
||
+ }
|
||
+#endif
|
||
+
|
||
grub_boot_time ("Loading module %s", filename);
|
||
|
||
file = grub_file_open (filename);
|
||
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
|
||
index b9eb1ab..cd839cc 100644
|
||
--- a/grub-core/kern/efi/efi.c
|
||
+++ b/grub-core/kern/efi/efi.c
|
||
@@ -259,6 +259,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
|
||
return NULL;
|
||
}
|
||
|
||
+grub_efi_boolean_t
|
||
+grub_efi_secure_boot (void)
|
||
+{
|
||
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
|
||
+ grub_size_t datasize;
|
||
+ char *secure_boot = NULL;
|
||
+ char *setup_mode = NULL;
|
||
+ grub_efi_boolean_t ret = 0;
|
||
+
|
||
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
|
||
+
|
||
+ if (datasize != 1 || !secure_boot)
|
||
+ goto out;
|
||
+
|
||
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
|
||
+
|
||
+ if (datasize != 1 || !setup_mode)
|
||
+ goto out;
|
||
+
|
||
+ if (*secure_boot && !*setup_mode)
|
||
+ ret = 1;
|
||
+
|
||
+ out:
|
||
+ grub_free (secure_boot);
|
||
+ grub_free (setup_mode);
|
||
+ return ret;
|
||
+}
|
||
+
|
||
#pragma GCC diagnostic ignored "-Wcast-align"
|
||
|
||
/* Search the mods section from the PE32/PE32+ image. This code uses
|
||
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
|
||
index 9370fd5..a000c38 100644
|
||
--- a/include/grub/efi/efi.h
|
||
+++ b/include/grub/efi/efi.h
|
||
@@ -72,6 +72,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
|
||
const grub_efi_guid_t *guid,
|
||
void *data,
|
||
grub_size_t datasize);
|
||
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
|
||
int
|
||
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
|
||
const grub_efi_device_path_t *dp2);
|
||
--
|
||
1.9.3
|
||
|