- From 1e1b1271b7a7c6ac20a4c5f8e0dc29614b4975d1 Mon Sep 17 00:00:00 2001
- From: Julian Andres Klode <julian.klode@canonical.com>
- Date: Thu, 2 Dec 2021 15:03:53 +0100
- Subject: [PATCH] kern/efi/sb: Reject non-kernel files in the shim_lock
- verifier
- We must not allow other verifiers to pass things like the GRUB modules.
- Instead of maintaining a blocklist, maintain an allowlist of things
- that we do not care about.
- This allowlist really should be made reusable, and shared by the
- lockdown verifier, but this is the minimal patch addressing
- security concerns where the TPM verifier was able to mark modules
- as verified (or the OpenPGP verifier for that matter), when it
- should not do so on shim-powered secure boot systems.
- Fixes: CVE-2022-28735
- Signed-off-by: Julian Andres Klode <julian.klode@canonical.com>
- Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- Upstream: 6fe755c5c07bb386fda58306bfd19e4a1c974c53
- Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
- ---
- grub-core/kern/efi/sb.c | 39 ++++++++++++++++++++++++++++++++++++---
- include/grub/verify.h | 1 +
- 2 files changed, 37 insertions(+), 3 deletions(-)
- diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
- index c52ec6226..89c4bb3fd 100644
- --- a/grub-core/kern/efi/sb.c
- +++ b/grub-core/kern/efi/sb.c
- @@ -119,10 +119,11 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
- void **context __attribute__ ((unused)),
- enum grub_verify_flags *flags)
- {
- - *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
- + *flags = GRUB_VERIFY_FLAGS_NONE;
-
- switch (type & GRUB_FILE_TYPE_MASK)
- {
- + /* Files we check. */
- case GRUB_FILE_TYPE_LINUX_KERNEL:
- case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
- case GRUB_FILE_TYPE_BSD_KERNEL:
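Review bot: The new default `*flags = GRUB_VERIFY_FLAGS_NONE;` has no comment explaining why it replaced `GRUB_VERIFY_FLAGS_SKIP_VERIFICATION`, so a later edit could restore the old fail-open value without anyone noticing. I would add `/* Start with no flags so a case that forgets to set them is not silently skipped. */` above the assignment; that reading of the flag is inferred from its name, since the code that consumes it is not on this page. The switch this default guards continues in the next hunk, and the function's signature starts before this one.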
- @@ -130,11 +131,43 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
- case GRUB_FILE_TYPE_PLAN9_KERNEL:
- case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
- *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
- + return GRUB_ERR_NONE;
-
- - /* Fall through. */
- + /* Files that do not affect secureboot state. */
- + case GRUB_FILE_TYPE_NONE:
- + case GRUB_FILE_TYPE_LOOPBACK:
- + case GRUB_FILE_TYPE_LINUX_INITRD:
- + case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
- + case GRUB_FILE_TYPE_XNU_RAMDISK:
- + case GRUB_FILE_TYPE_SIGNATURE:
- + case GRUB_FILE_TYPE_PUBLIC_KEY:
- + case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
- + case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
- + case GRUB_FILE_TYPE_TESTLOAD:
- + case GRUB_FILE_TYPE_GET_SIZE:
- + case GRUB_FILE_TYPE_FONT:
- + case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
- + case GRUB_FILE_TYPE_CAT:
- + case GRUB_FILE_TYPE_HEXCAT:
- + case GRUB_FILE_TYPE_CMP:
- + case GRUB_FILE_TYPE_HASHLIST:
- + case GRUB_FILE_TYPE_TO_HASH:
- + case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
- + case GRUB_FILE_TYPE_PIXMAP:
- + case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
- + case GRUB_FILE_TYPE_CONFIG:
- + case GRUB_FILE_TYPE_THEME:
- + case GRUB_FILE_TYPE_GETTEXT_CATALOG:
- + case GRUB_FILE_TYPE_FS_SEARCH:
- + case GRUB_FILE_TYPE_LOADENV:
- + case GRUB_FILE_TYPE_SAVEENV:
- + case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
- + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
- + return GRUB_ERR_NONE;
-
- + /* Other files. */
- default:
- - return GRUB_ERR_NONE;
- + return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by secure boot policy"));
- }
- }
-
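Review bot: The comment `/* Files that do not affect secureboot state. */` claims more than the code establishes, because every type in that list only gets `GRUB_VERIFY_FLAGS_SKIP_VERIFICATION`. Fonts, themes, configs and gettext catalogs therefore presumably still reach their parsers unverified, where a memory-safety bug could affect secure boot state after all. I would word it as `/* Files shim_lock does not verify; their parsers must treat the content as untrusted. */` so the list is not read as a safety guarantee. The `default:` branch now fails closed, but the error does not say which type was refused; a `grub_dprintf` of `type & GRUB_FILE_TYPE_MASK` before the `grub_error` call would make a refused open diagnosable. The function body starts outside this hunk.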
- diff --git a/include/grub/verify.h b/include/grub/verify.h
- index cd129c398..672ae1692 100644
- --- a/include/grub/verify.h
- +++ b/include/grub/verify.h
- @@ -24,6 +24,7 @@
-
- enum grub_verify_flags
- {
- + GRUB_VERIFY_FLAGS_NONE = 0,
- GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
- GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
- /* Defer verification to another authority. */
- --
- 2.41.0