
80913e
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
80913e
From: Javier Martinez Canillas <javierm@redhat.com>
80913e
Date: Wed, 24 Feb 2021 09:00:05 +0100
80913e
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
80913e
 when locked down
80913e
80913e
There are some more commands that should be restricted when GRUB is
80913e
locked down. Following is the list of commands and reasons to restrict:
80913e
80913e
  * fakebios:   creates BIOS-like structures for backward compatibility with
80913e
                existing OSes. This should not be allowed when locked down.
80913e
80913e
  * loadbios:   reads a BIOS dump from storage and loads it. This action
80913e
                should not be allowed when locked down.
80913e
80913e
  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
80913e
                any Device Tree provided by the firmware. This also should
80913e
                not be allowed when locked down.
80913e
80913e
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
80913e
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
80913e
---
80913e
 grub-core/commands/efi/loadbios.c | 14 +++++++-------
80913e
 grub-core/loader/arm/linux.c      |  6 +++---
80913e
 grub-core/loader/efi/fdt.c        |  4 ++--
80913e
 docs/grub.texi                    |  6 ++++--
80913e
 4 files changed, 16 insertions(+), 14 deletions(-)
80913e
80913e
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
80913e
index d41d521a4ae..5c7725f8bd8 100644
80913e
--- a/grub-core/commands/efi/loadbios.c
80913e
+++ b/grub-core/commands/efi/loadbios.c
80913e
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
80913e
 
80913e
 GRUB_MOD_INIT(loadbios)
80913e
 {
80913e
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
80913e
-					0, N_("Create BIOS-like structures for"
80913e
-					      " backward compatibility with"
80913e
-					      " existing OS."));
80913e
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
80913e
+						 0, N_("Create BIOS-like structures for"
80913e
+						       " backward compatibility with"
80913e
+						       " existing OS."));
80913e
 
80913e
-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
80913e
-					N_("BIOS_DUMP [INT10_DUMP]"),
80913e
-					N_("Load BIOS dump."));
80913e
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
80913e
+						 N_("BIOS_DUMP [INT10_DUMP]"),
80913e
+						 N_("Load BIOS dump."));
80913e
 }
80913e
 
80913e
 GRUB_MOD_FINI(loadbios)
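Review bot: The lockdown restriction on `fakebios` and `loadbios` is decided when GRUB_MOD_INIT(loadbios) runs, not when either command is invoked, because switching to grub_register_command_lockdown only changes which handler gets registered; the helper itself lives in include/grub/command.h outside this patch and presumably substitutes a refusing handler when lockdown is already in force at registration time. That is sound as long as the lockdown state is final before this module can be loaded, so the assumption deserves a comment at the call site, e.g. `/* Lockdown is evaluated at registration time; the module must not be loadable before lockdown is decided.  */`. The same registration-time property applies to the devicetree registrations in grub-core/loader/arm/linux.c and grub-core/loader/efi/fdt.c. If docs/grub.texi also documents loadbios and fakebios, they should receive the same "not allowed when lockdown is enforced" note that this patch adds only for devicetree.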
80913e
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
80913e
index 1e944a2b671..653f2e07692 100644
80913e
--- a/grub-core/loader/arm/linux.c
80913e
+++ b/grub-core/loader/arm/linux.c
80913e
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
80913e
 				     0, N_("Load Linux."));
80913e
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
80913e
 				      0, N_("Load initrd."));
80913e
-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
80913e
-					  /* TRANSLATORS: DTB stands for device tree blob.  */
80913e
-					  0, N_("Load DTB file."));
80913e
+  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
80913e
+						   /* TRANSLATORS: DTB stands for device tree blob. */
80913e
+						   0, N_("Load DTB file."));
80913e
   my_mod = mod;
80913e
   current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
80913e
   machine_type = grub_arm_firmware_get_machine_type ();
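Review bot: The rewrapped TRANSLATORS comment on the devicetree registration silently drops the second space after the full stop (`blob.  */` becomes `blob. */`), an incidental edit to a translator-facing comment bundled into a functional change. Keeping the original `/* TRANSLATORS: DTB stands for device tree blob.  */` would leave the hunk touching only the registration call and the indentation.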
80913e
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
80913e
index e3ee3ad79d6..64c560f5610 100644
80913e
--- a/grub-core/loader/efi/fdt.c
80913e
+++ b/grub-core/loader/efi/fdt.c
80913e
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
80913e
 GRUB_MOD_INIT (fdt)
80913e
 {
80913e
   cmd_devicetree =
80913e
-    grub_register_command ("devicetree", grub_cmd_devicetree, 0,
80913e
-			   N_("Load DTB file."));
80913e
+    grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
80913e
+				    N_("Load DTB file."));
80913e
 }
80913e
 
80913e
 GRUB_MOD_FINI (fdt)
80913e
diff --git a/docs/grub.texi b/docs/grub.texi
80913e
index f1675b6140c..c55452307dc 100644
80913e
--- a/docs/grub.texi
80913e
+++ b/docs/grub.texi
80913e
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
80913e
 
80913e
 
80913e
 @node devicetree
80913e
-@subsection linux
80913e
+@subsection devicetree
80913e
 
80913e
 @deffn Command devicetree file
80913e
 Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
80913e
 kernel. Does not perform merging with any device tree supplied by firmware,
80913e
 but rather replaces it completely.
80913e
-@ref{GNU/Linux}.
80913e
+
80913e
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
80913e
+      This is done to prevent subverting various security mechanisms.
80913e
 @end deffn
80913e
 
80913e
 @node distrust