Commit 97e8ce87 authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra
Browse files

Import Debian changes 2.04-16parrot1

grub2 (2.04-16parrot1) rolling; urgency=medium
.
  * Import new Debian release.
  * Add the proper SBAT metadata.
.
grub2 (2.04-16) unstable; urgency=medium
.
  * Fix broken advice in message when the postinst has to bail out (thanks
    to Daniel Leidert for pointing out the problem).
  * Backport security patch series from upstream:
    - verifiers: Move verifiers API to kernel image
    - kern: Add lockdown support
    - kern/lockdown: Set a variable if the GRUB is locked down
    - efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
    - efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
      list
    - CVE-2020-14372: acpi: Don't register the acpi command when locked down
    - CVE-2020-27779: mmap: Don't register cutmem and badram commands when
      lockdown is enforced
    - commands: Restrict commands that can load BIOS or DT blobs when locked
      down
    - commands/setpci: Restrict setpci command when locked down
    - commands/hdparm: Restrict hdparm command when locked down
    - gdb: Restrict GDB access when locked down
    - loader/xnu: Don't allow loading extension and packages when locked
      down
    - docs: Document the cutmem command
    - CVE-2020-25632: dl: Only allow unloading modules that are not
      dependencies
    - CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
      malicious devices
    - mmap: Fix memory leak when iterating over mapped memory
    - net/net: Fix possible dereference to of a NULL pointer
    - net/tftp: Fix dangling memory pointer
    - kern/parser: Fix resource leak if argc == 0
    - kern/efi: Fix memory leak on failure
    - kern/efi/mm: Fix possible NULL pointer dereference
    - gnulib/regexec: Resolve unused variable
    - gnulib/regcomp: Fix uninitialized token structure
    - gnulib/argp-help: Fix dereference of a possibly NULL state
    - gnulib/regexec: Fix possible null-dereference
    - gnulib/regcomp: Fix uninitialized re_token
    - io/lzopio: Resolve unnecessary self-assignment errors
    - zstd: Initialize seq_t structure fully
    - kern/partition: Check for NULL before dereferencing input string
    - disk/ldm: Make sure comp data is freed before exiting from make_vg()
    - disk/ldm: If failed then free vg variable too
    - disk/ldm: Fix memory leak on uninserted lv references
    - disk/cryptodisk: Fix potential integer overflow
    - hfsplus: Check that the volume name length is valid
    - zfs: Fix possible negative shift operation
    - zfs: Fix resource leaks while constructing path
    - zfs: Fix possible integer overflows
    - zfsinfo: Correct a check for error allocating memory
    - affs: Fix memory leaks
    - libgcrypt/mpi: Fix possible unintended sign extension
    - libgcrypt/mpi: Fix possible NULL dereference
    - syslinux: Fix memory leak while parsing
    - normal/completion: Fix leaking of memory when processing a completion
    - commands/hashsum: Fix a memory leak
    - video/efi_gop: Remove unnecessary return value of
      grub_video_gop_fill_mode_info()
    - video/fb/fbfill: Fix potential integer overflow
    - video/fb/video_fb: Fix multiple integer overflows
    - video/fb/video_fb: Fix possible integer overflow
    - video/readers/jpeg: Test for an invalid next marker reference from a
      jpeg file
    - gfxmenu/gui_list: Remove code that coverity is flagging as dead
    - loader/bsd: Check for NULL arg up-front
    - loader/xnu: Fix memory leak
    - loader/xnu: Free driverkey data when an error is detected in
      grub_xnu_writetree_toheap()
    - loader/xnu: Check if pointer is NULL before using it
    - util/grub-install: Fix NULL pointer dereferences
    - util/grub-editenv: Fix incorrect casting of a signed value
    - util/glue-efi: Fix incorrect use of a possibly negative value
    - script/execute: Fix NULL dereference in grub_script_execute_cmdline()
    - commands/ls: Require device_name is not NULL before printing
    - script/execute: Avoid crash when using "$#" outside a function scope
    - CVE-2021-20225: lib/arg: Block repeated short options that require an
      argument
    - script/execute: Don't crash on a "for" loop with no items
    - CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
    - kern/misc: Always set *end in grub_strtoull()
    - video/readers/jpeg: Catch files with unsupported quantization or
      Huffman tables
    - video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
    - video/readers/jpeg: Don't decode data before start of stream
    - term/gfxterm: Don't set up a font with glyphs that are too big
    - fs/fshelp: Catch impermissibly large block sizes in read helper
    - fs/hfsplus: Don't fetch a key beyond the end of the node
    - fs/hfsplus: Don't use uninitialized data on corrupt filesystems
    - fs/hfs: Disable under lockdown
    - fs/sfs: Fix over-read of root object name
    - fs/jfs: Do not move to leaf level if name length is negative
    - fs/jfs: Limit the extents that getblk() can consider
    - fs/jfs: Catch infinite recursion
    - fs/nilfs2: Reject too-large keys
    - fs/nilfs2: Don't search children if provided number is too large
    - fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
    - io/gzio: Bail if gzio->tl/td is NULL
    - io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
    - io/gzio: Catch missing values in huft_build() and bail
    - io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
      fails
    - disk/lvm: Don't go beyond the end of the data we read from disk
    - disk/lvm: Don't blast past the end of the circular metadata buffer
    - disk/lvm: Bail on missing PV list
    - disk/lvm: Do not crash if an expected string is not found
    - disk/lvm: Do not overread metadata
    - disk/lvm: Sanitize rlocn->offset to prevent wild read
    - disk/lvm: Do not allow a LV to be it's own segment's node's LV
    - fs/btrfs: Validate the number of stripes/parities in RAID5/6
    - fs/btrfs: Squash some uninitialized reads
    - kern/parser: Fix a memory leak
    - kern/parser: Introduce process_char() helper
    - kern/parser: Introduce terminate_arg() helper
    - kern/parser: Refactor grub_parser_split_cmdline() cleanup
    - kern/buffer: Add variable sized heap buffer
    - CVE-2020-27749: kern/parser: Fix a stack buffer overflow
    - kern/efi: Add initial stack protector implementation
    - util/mkimage: Remove unused code to add BSS section
    - util/mkimage: Use grub_host_to_target32() instead of
      grub_cpu_to_le32()
    - util/mkimage: Always use grub_host_to_target32() to initialize PE
      stack and heap stuff
    - util/mkimage: Unify more of the PE32 and PE32+ header set-up
    - util/mkimage: Reorder PE optional header fields set-up
    - util/mkimage: Improve data_size value calculation
    - util/mkimage: Refactor section setup to use a helper
    - util/mkimage: Add an option to import SBAT metadata into a .sbat
      section
    - grub-install-common: Add --sbat option
    - kern/misc: Split parse_printf_args() into format parsing and va_list
      handling
    - kern/misc: Add STRING type for internal printf() format handling
    - kern/misc: Add function to check printf() format against expected
      format
    - gfxmenu/gui: Check printf() format in the gui_progress_bar and
      gui_label
    - kern/mm: Fix grub_debug_calloc() compilation error
  * Add SBAT section (thanks, Chris Coulson).
parent 580366b1
Pipeline #2331 failed
# see git-dpm(1) from git-dpm package
2bd6855d2e6a570ee3b68cbe46a2ab714e5dda0a
2bd6855d2e6a570ee3b68cbe46a2ab714e5dda0a
9cd32c57605b7ad713e108e0b98ebd504caa532e
9cd32c57605b7ad713e108e0b98ebd504caa532e
578bb115fbd47e1c464696f1f8d6183e5443975d
578bb115fbd47e1c464696f1f8d6183e5443975d
grub2_2.04.orig.tar.xz
......
......@@ -20,8 +20,8 @@ set -e
# Make EFI boot images for signing.
if [ $# -lt 6 ]; then
echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME [EFI-VENDOR]"
if [ $# -lt 7 ]; then
echo "usage: $0 GRUB-MKIMAGE GRUB-CORE OUTPUT-DIRECTORY DEB-ARCH PLATFORM EFI-NAME SBAT-CSV [EFI-VENDOR]"
fi
grub_mkimage="$1"
......@@ -30,7 +30,8 @@ outdir="$3"
deb_arch="$4"
platform="$5"
efi_name="$6"
efi_vendor="${7:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
sbat_csv="$7"
efi_vendor="${8:-$(dpkg-vendor --query vendor | tr '[:upper:]' '[:lower:]')}"
# mkfs.msdos may not be on the default PATH.
export PATH="$PATH:/sbin:/usr/sbin"
......@@ -200,17 +201,22 @@ NET_MODULES="$CD_MODULES
-d "$grub_core" \
-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
-p /boot/grub \
--sbat "$sbat_csv" \
$CD_MODULES
# Normal disk boot image
"$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
-d "$grub_core" -p "/EFI/$efi_vendor" $GRUB_MODULES
-d "$grub_core" -p "/EFI/$efi_vendor" \
--sbat "$sbat_csv" \
$GRUB_MODULES
# Normal network boot image
"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-m "$workdir/memdisk-netboot.fat" \
-p /grub $NET_MODULES
-p /grub \
--sbat "$sbat_csv" \
$NET_MODULES
# Special network boot image for d-i to use. Just the same as the
# normal network boot image, but with a different value baked in for
......
grub2 (2.04-16parrot1) rolling; urgency=medium
* Import new Debian release.
* Add the proper SBAT metadata.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Fri, 12 Mar 2021 19:11:39 +0100
grub2 (2.04-16) unstable; urgency=medium
* Fix broken advice in message when the postinst has to bail out (thanks
to Daniel Leidert for pointing out the problem).
* Backport security patch series from upstream:
- verifiers: Move verifiers API to kernel image
- kern: Add lockdown support
- kern/lockdown: Set a variable if the GRUB is locked down
- efi: Lockdown the GRUB when the UEFI Secure Boot is enabled
- efi: Use grub_is_lockdown() instead of hardcoding a disabled modules
list
- CVE-2020-14372: acpi: Don't register the acpi command when locked down
- CVE-2020-27779: mmap: Don't register cutmem and badram commands when
lockdown is enforced
- commands: Restrict commands that can load BIOS or DT blobs when locked
down
- commands/setpci: Restrict setpci command when locked down
- commands/hdparm: Restrict hdparm command when locked down
- gdb: Restrict GDB access when locked down
- loader/xnu: Don't allow loading extension and packages when locked
down
- docs: Document the cutmem command
- CVE-2020-25632: dl: Only allow unloading modules that are not
dependencies
- CVE-2020-25647: usb: Avoid possible out-of-bound accesses caused by
malicious devices
- mmap: Fix memory leak when iterating over mapped memory
- net/net: Fix possible dereference to of a NULL pointer
- net/tftp: Fix dangling memory pointer
- kern/parser: Fix resource leak if argc == 0
- kern/efi: Fix memory leak on failure
- kern/efi/mm: Fix possible NULL pointer dereference
- gnulib/regexec: Resolve unused variable
- gnulib/regcomp: Fix uninitialized token structure
- gnulib/argp-help: Fix dereference of a possibly NULL state
- gnulib/regexec: Fix possible null-dereference
- gnulib/regcomp: Fix uninitialized re_token
- io/lzopio: Resolve unnecessary self-assignment errors
- zstd: Initialize seq_t structure fully
- kern/partition: Check for NULL before dereferencing input string
- disk/ldm: Make sure comp data is freed before exiting from make_vg()
- disk/ldm: If failed then free vg variable too
- disk/ldm: Fix memory leak on uninserted lv references
- disk/cryptodisk: Fix potential integer overflow
- hfsplus: Check that the volume name length is valid
- zfs: Fix possible negative shift operation
- zfs: Fix resource leaks while constructing path
- zfs: Fix possible integer overflows
- zfsinfo: Correct a check for error allocating memory
- affs: Fix memory leaks
- libgcrypt/mpi: Fix possible unintended sign extension
- libgcrypt/mpi: Fix possible NULL dereference
- syslinux: Fix memory leak while parsing
- normal/completion: Fix leaking of memory when processing a completion
- commands/hashsum: Fix a memory leak
- video/efi_gop: Remove unnecessary return value of
grub_video_gop_fill_mode_info()
- video/fb/fbfill: Fix potential integer overflow
- video/fb/video_fb: Fix multiple integer overflows
- video/fb/video_fb: Fix possible integer overflow
- video/readers/jpeg: Test for an invalid next marker reference from a
jpeg file
- gfxmenu/gui_list: Remove code that coverity is flagging as dead
- loader/bsd: Check for NULL arg up-front
- loader/xnu: Fix memory leak
- loader/xnu: Free driverkey data when an error is detected in
grub_xnu_writetree_toheap()
- loader/xnu: Check if pointer is NULL before using it
- util/grub-install: Fix NULL pointer dereferences
- util/grub-editenv: Fix incorrect casting of a signed value
- util/glue-efi: Fix incorrect use of a possibly negative value
- script/execute: Fix NULL dereference in grub_script_execute_cmdline()
- commands/ls: Require device_name is not NULL before printing
- script/execute: Avoid crash when using "$#" outside a function scope
- CVE-2021-20225: lib/arg: Block repeated short options that require an
argument
- script/execute: Don't crash on a "for" loop with no items
- CVE-2021-20233: commands/menuentry: Fix quoting in setparams_prefix()
- kern/misc: Always set *end in grub_strtoull()
- video/readers/jpeg: Catch files with unsupported quantization or
Huffman tables
- video/readers/jpeg: Catch OOB reads/writes in grub_jpeg_decode_du()
- video/readers/jpeg: Don't decode data before start of stream
- term/gfxterm: Don't set up a font with glyphs that are too big
- fs/fshelp: Catch impermissibly large block sizes in read helper
- fs/hfsplus: Don't fetch a key beyond the end of the node
- fs/hfsplus: Don't use uninitialized data on corrupt filesystems
- fs/hfs: Disable under lockdown
- fs/sfs: Fix over-read of root object name
- fs/jfs: Do not move to leaf level if name length is negative
- fs/jfs: Limit the extents that getblk() can consider
- fs/jfs: Catch infinite recursion
- fs/nilfs2: Reject too-large keys
- fs/nilfs2: Don't search children if provided number is too large
- fs/nilfs2: Properly bail on errors in grub_nilfs2_btree_node_lookup()
- io/gzio: Bail if gzio->tl/td is NULL
- io/gzio: Add init_dynamic_block() clean up if unpacking codes fails
- io/gzio: Catch missing values in huft_build() and bail
- io/gzio: Zero gzio->tl/td in init_dynamic_block() if huft_build()
fails
- disk/lvm: Don't go beyond the end of the data we read from disk
- disk/lvm: Don't blast past the end of the circular metadata buffer
- disk/lvm: Bail on missing PV list
- disk/lvm: Do not crash if an expected string is not found
- disk/lvm: Do not overread metadata
- disk/lvm: Sanitize rlocn->offset to prevent wild read
- disk/lvm: Do not allow a LV to be it's own segment's node's LV
- fs/btrfs: Validate the number of stripes/parities in RAID5/6
- fs/btrfs: Squash some uninitialized reads
- kern/parser: Fix a memory leak
- kern/parser: Introduce process_char() helper
- kern/parser: Introduce terminate_arg() helper
- kern/parser: Refactor grub_parser_split_cmdline() cleanup
- kern/buffer: Add variable sized heap buffer
- CVE-2020-27749: kern/parser: Fix a stack buffer overflow
- kern/efi: Add initial stack protector implementation
- util/mkimage: Remove unused code to add BSS section
- util/mkimage: Use grub_host_to_target32() instead of
grub_cpu_to_le32()
- util/mkimage: Always use grub_host_to_target32() to initialize PE
stack and heap stuff
- util/mkimage: Unify more of the PE32 and PE32+ header set-up
- util/mkimage: Reorder PE optional header fields set-up
- util/mkimage: Improve data_size value calculation
- util/mkimage: Refactor section setup to use a helper
- util/mkimage: Add an option to import SBAT metadata into a .sbat
section
- grub-install-common: Add --sbat option
- kern/misc: Split parse_printf_args() into format parsing and va_list
handling
- kern/misc: Add STRING type for internal printf() format handling
- kern/misc: Add function to check printf() format against expected
format
- gfxmenu/gui: Check printf() format in the gui_progress_bar and
gui_label
- kern/mm: Fix grub_debug_calloc() compilation error
* Add SBAT section (thanks, Chris Coulson).
-- Colin Watson <cjwatson@debian.org> Tue, 02 Mar 2021 18:00:00 +0000
grub2 (2.04-15parrot1) rolling; urgency=medium
* Import new Debian release.
......
......@@ -9,9 +9,9 @@ License: GPL-3+
Files: debian/*
Copyright: 2003, 2004, 2005, 2006, 2007, 2008, 2009, Robert Millan
2005, 2006, 2007, Otavio Salvador
2008, 2009, Felix Zielcke
2009, Jordi Mallach
2005, 2006, 2007, Otavio Salvador
2008, 2009, Felix Zielcke
2009, Jordi Mallach
License: GPL-3+
Files: debian/grub-extras/*
......@@ -162,21 +162,21 @@ License: CC-BY-SA-3.0
to Distribute and Publicly Perform Adaptations.
.
For the avoidance of doubt:
Non-waivable Compulsory License Schemes. In those jurisdictions in
which the right to collect royalties through any statutory or
compulsory licensing scheme cannot be waived, the Licensor reserves
the exclusive right to collect such royalties for any exercise by
You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which
the right to collect royalties through any statutory or compulsory
licensing scheme can be waived, the Licensor waives the exclusive
right to collect such royalties for any exercise by You of the
rights granted under this License; and,
Voluntary License Schemes. The Licensor waives the right to collect
royalties, whether individually or, in the event that the Licensor
is a member of a collecting society that administers voluntary
licensing schemes, via that society, from any exercise by You of the
rights granted under this License.
Non-waivable Compulsory License Schemes. In those jurisdictions in
which the right to collect royalties through any statutory or
compulsory licensing scheme cannot be waived, the Licensor reserves
the exclusive right to collect such royalties for any exercise by
You of the rights granted under this License;
Waivable Compulsory License Schemes. In those jurisdictions in which
the right to collect royalties through any statutory or compulsory
licensing scheme can be waived, the Licensor waives the exclusive
right to collect such royalties for any exercise by You of the
rights granted under this License; and,
Voluntary License Schemes. The Licensor waives the right to collect
royalties, whether individually or, in the event that the Licensor
is a member of a collecting society that administers voluntary
licensing schemes, via that society, from any exercise by You of the
rights granted under this License.
.
The above rights may be exercised in all media and formats whether now
known or hereafter devised. The above rights include the right to make such
......
......@@ -6,3 +6,7 @@ patch-numbers = False
[dch]
multimaint-merge = True
[import-dsc]
debian-branch = debian
debian-tag = debian/%(version)s
From 0d324ad1bf87f0c8b1595b3901017e508cbf3a86 Mon Sep 17 00:00:00 2001
From: Marco A Benatto <mbenatto@redhat.com>
Date: Wed, 23 Sep 2020 11:33:33 -0400
Subject: verifiers: Move verifiers API to kernel image
Move verifiers API from a module to the kernel image, so it can be
used there as well. There are no functional changes in this patch.
Signed-off-by: Marco A Benatto <mbenatto@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/001-verifiers-Move-verifiers-API-to-kernel-image.patch
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 6 +-----
grub-core/kern/main.c | 4 ++++
grub-core/{commands => kern}/verifiers.c | 8 ++------
include/grub/verify.h | 9 ++++++---
5 files changed, 14 insertions(+), 14 deletions(-)
rename grub-core/{commands => kern}/verifiers.c (97%)
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 3ea8e7ff4..375c30d76 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 836bf0a59..7274d0094 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -140,6 +140,7 @@ kernel = {
common = kern/rescue_parser.c;
common = kern/rescue_reader.c;
common = kern/term.c;
+ common = kern/verifiers.c;
noemu = kern/compiler-rt.c;
noemu = kern/mm.c;
@@ -942,11 +943,6 @@ module = {
cppflags = '-I$(srcdir)/lib/posix_wrap';
};
-module = {
- name = verifiers;
- common = commands/verifiers.c;
-};
-
module = {
name = shim_lock;
common = commands/efi/shim_lock.c;
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 714b63d67..2879d644a 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -29,6 +29,7 @@
#include <grub/command.h>
#include <grub/reader.h>
#include <grub/parser.h>
+#include <grub/verify.h>
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/memory.h>
@@ -284,6 +285,9 @@ grub_main (void)
grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
#endif
+ /* Init verifiers API. */
+ grub_verifiers_init ();
+
grub_load_config ();
grub_boot_time ("Before loading embedded modules.");
diff --git a/grub-core/commands/verifiers.c b/grub-core/kern/verifiers.c
similarity index 97%
rename from grub-core/commands/verifiers.c
rename to grub-core/kern/verifiers.c
index 0dde48182..aa3dc7c64 100644
--- a/grub-core/commands/verifiers.c
+++ b/grub-core/kern/verifiers.c
@@ -217,12 +217,8 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
return GRUB_ERR_NONE;
}
-GRUB_MOD_INIT(verifiers)
+void
+grub_verifiers_init (void)
{
grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
}
-
-GRUB_MOD_FINI(verifiers)
-{
- grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
-}
diff --git a/include/grub/verify.h b/include/grub/verify.h
index ea0491433..cd129c398 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -64,7 +64,10 @@ struct grub_file_verifier
grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
};
-extern struct grub_file_verifier *grub_file_verifiers;
+extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
+
+extern void
+grub_verifiers_init (void);
static inline void
grub_verifier_register (struct grub_file_verifier *ver)
@@ -78,7 +81,7 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
grub_list_remove (GRUB_AS_LIST (ver));
}
-grub_err_t
-grub_verify_string (char *str, enum grub_verify_string_type type);
+extern grub_err_t
+EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
#endif /* ! GRUB_VERIFY_HEADER */
From 6e14c57c653a969d962dac1c5c4451b9d3197493 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:02 +0200
Subject: kern: Add lockdown support
When the GRUB starts on a secure boot platform, some commands can be
used to subvert the protections provided by the verification mechanism and
could lead to booting untrusted system.
To prevent that situation, allow GRUB to be locked down. That way the code
may check if GRUB has been locked down and further restrict the commands
that are registered or what subset of their functionality could be used.
The lockdown support adds the following components:
* The grub_lockdown() function which can be used to lockdown GRUB if,
e.g., UEFI Secure Boot is enabled.
* The grub_is_lockdown() function which can be used to check if the GRUB
was locked down.
* A verifier that flags OS kernels, the GRUB modules, Device Trees and ACPI
tables as GRUB_VERIFY_FLAGS_DEFER_AUTH to defer verification to other
verifiers. These files are only successfully verified if another registered
verifier returns success. Otherwise, the whole verification process fails.
For example, PE/COFF binaries verification can be done by the shim_lock
verifier which validates the signatures using the shim_lock protocol.
However, the verification is not deferred directly to the shim_lock verifier.
The shim_lock verifier is hooked into the verification process instead.
* A set of grub_{command,extcmd}_lockdown functions that can be used by
code registering command handlers, to only register unsafe commands if
the GRUB has not been locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patch-Name: 2021-02-security/002-kern-Add-lockdown-support.patch
---
conf/Makefile.common | 2 +
docs/grub-dev.texi | 27 +++++++++++++
docs/grub.texi | 8 ++++
grub-core/Makefile.am | 5 ++-
grub-core/Makefile.core.def | 1 +
grub-core/commands/extcmd.c | 23 +++++++++++
grub-core/kern/command.c | 24 +++++++++++
grub-core/kern/lockdown.c | 80 +++++++++++++++++++++++++++++++++++++
include/grub/command.h | 5 +++
include/grub/extcmd.h | 7 ++++
include/grub/lockdown.h | 44 ++++++++++++++++++++
11 files changed, 225 insertions(+), 1 deletion(-)
create mode 100644 grub-core/kern/lockdown.c
create mode 100644 include/grub/lockdown.h
diff --git a/conf/Makefile.common b/conf/Makefile.common
index 6cd71cbb2..2a1a886f6 100644
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER
CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)'
+CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)'
CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \
diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi
index ee389fd83..635ec7231 100644
--- a/docs/grub-dev.texi
+++ b/docs/grub-dev.texi
@@ -86,6 +86,7 @@ This edition documents version @value{VERSION}.
* PFF2 Font File Format::
* Graphical Menu Software Design::
* Verifiers framework::
+* Lockdown framework::
* Copying This Manual:: Copying This Manual
* Index::
@end menu
@@ -2086,6 +2087,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just
the context. If you return no error during any of @samp{init}, @samp{write} and
@samp{fini} then the file is considered as having succeded verification.
+@node Lockdown framework
+@chapter Lockdown framework
+
+The GRUB can be locked down, which is a restricted mode where some operations
+are not allowed. For instance, some commands cannot be used when the GRUB is
+locked down.
+
+The function
+@code{grub_lockdown()} is used to lockdown GRUB and the function
+@code{grub_is_lockdown()} function can be used to check whether lockdown is
+enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED}
+and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled.
+
+The following functions can be used to register the commands that can only be
+used when lockdown is disabled:
+
+@itemize
+
+@item @code{grub_cmd_lockdown()} registers command which should not run when the
+GRUB is in lockdown mode.
+
+@item @code{grub_cmd_lockdown()} registers extended command which should not run
+when the GRUB is in lockdown mode.
+
+@end itemize
+
@node Copying This Manual
@appendix Copying This Manual
diff --git a/docs/grub.texi b/docs/grub.texi
index 3ec35d315..60f7760a3 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5600,6 +5600,7 @@ environment variables and commands are listed in the same order.
* Using digital signatures:: Booting digitally signed code
* UEFI secure boot and shim:: Booting digitally signed PE files
* Measured Boot:: Measuring boot components
+* Lockdown:: Lockdown when booting on a secure setup
@end menu
@node Authentication and authorisation
@@ -5813,6 +5814,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between
Measured boot is currently only supported on EFI platforms.
+@node Lockdown
+@section Lockdown when booting on a secure setup
+
+The GRUB can be locked down when booted on a secure boot environment, for example
+if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
+be restricted and some operations/commands cannot be executed.
+
@node Platform limitations
@chapter Platform limitations
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 375c30d76..30962411b 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
if COND_emu
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h
@@ -376,8 +377,10 @@ command.lst: $(MARKER_FILES)
b=`basename $$pp .marker`; \
sed -n \
-e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
+ -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
-e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \
- -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
+ -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \
+ -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \
done) | sort -u > $@
platform_DATA += command.lst
CLEANFILES += command.lst
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 7274d0094..e7e4d3cf5 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -204,6 +204,7 @@ kernel = {
efi = term/efi/console.c;
efi = kern/acpi.c;
efi = kern/efi/acpi.c;
+ efi = kern/lockdown.c;
i386_coreboot = kern/i386/pc/acpi.c;
i386_multiboot = kern/i386/pc/acpi.c;
i386_coreboot = kern/acpi.c;
diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
index 69574e2b0..90a5ca24a 100644
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@@ -19,6 +19,7 @@
#include <grub/mm.h>
#include <grub/list.h>
+#include <grub/lockdown.h>
#include <grub/misc.h>
#include <grub/extcmd.h>
#include <grub/script_sh.h>
@@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func,
summary, description, parser, 1);
}
+static grub_err_t
+grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)),
+ int argc __attribute__ ((unused)),
+ char **argv __attribute__ ((unused)))
+{
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ N_("%s: the command is not allowed when lockdown is enforced"),
+ ctxt->extcmd->cmd->name);
+}
+
+grub_extcmd_t
+grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func,
+ grub_command_flags_t flags, const char *summary,
+ const char *description,
+ const struct grub_arg_option *parser)