|
 |
468bd4 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
468bd4 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
468bd4 |
Date: Wed, 24 Feb 2021 09:00:05 +0100
|
|
|
468bd4 |
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
|
|
|
468bd4 |
when locked down
|
|
|
468bd4 |
|
|
|
468bd4 |
There are some more commands that should be restricted when the GRUB is
|
|
|
468bd4 |
locked down. Following is the list of commands and reasons to restrict:
|
|
|
468bd4 |
|
|
|
468bd4 |
* fakebios: creates BIOS-like structures for backward compatibility with
|
|
|
468bd4 |
existing OSes. This should not be allowed when locked down.
|
|
|
468bd4 |
|
|
|
468bd4 |
* loadbios: reads a BIOS dump from storage and loads it. This action
|
|
|
468bd4 |
should not be allowed when locked down.
|
|
|
468bd4 |
|
|
|
468bd4 |
* devicetree: loads a Device Tree blob and passes it to the OS. It replaces
|
|
|
468bd4 |
any Device Tree provided by the firmware. This also should
|
|
|
468bd4 |
not be allowed when locked down.
|
|
|
468bd4 |
|
|
|
468bd4 |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
468bd4 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
468bd4 |
---
|
|
|
468bd4 |
grub-core/commands/efi/loadbios.c | 14 +++++++-------
|
|
|
468bd4 |
grub-core/loader/arm/linux.c | 6 +++---
|
|
|
468bd4 |
grub-core/loader/efi/fdt.c | 4 ++--
|
|
|
468bd4 |
docs/grub.texi | 6 ++++--
|
|
|
468bd4 |
4 files changed, 16 insertions(+), 14 deletions(-)
|
|
|
468bd4 |
|
|
|
468bd4 |
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
|
|
468bd4 |
index d41d521a4ae..5c7725f8bd8 100644
|
|
|
468bd4 |
--- a/grub-core/commands/efi/loadbios.c
|
|
|
468bd4 |
+++ b/grub-core/commands/efi/loadbios.c
|
|
|
468bd4 |
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
|
|
468bd4 |
|
|
|
468bd4 |
GRUB_MOD_INIT(loadbios)
|
|
|
468bd4 |
{
|
|
|
468bd4 |
- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
|
|
|
468bd4 |
- 0, N_("Create BIOS-like structures for"
|
|
|
468bd4 |
- " backward compatibility with"
|
|
|
468bd4 |
- " existing OS."));
|
|
|
468bd4 |
+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
|
|
|
468bd4 |
+ 0, N_("Create BIOS-like structures for"
|
|
|
468bd4 |
+ " backward compatibility with"
|
|
|
468bd4 |
+ " existing OS."));
|
|
|
468bd4 |
|
|
|
468bd4 |
- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
|
|
|
468bd4 |
- N_("BIOS_DUMP [INT10_DUMP]"),
|
|
|
468bd4 |
- N_("Load BIOS dump."));
|
|
|
468bd4 |
+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
|
|
|
468bd4 |
+ N_("BIOS_DUMP [INT10_DUMP]"),
|
|
|
468bd4 |
+ N_("Load BIOS dump."));
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
GRUB_MOD_FINI(loadbios)
|
|
|
468bd4 |
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
|
|
468bd4 |
index 1e944a2b671..653f2e07692 100644
|
|
|
468bd4 |
--- a/grub-core/loader/arm/linux.c
|
|
|
468bd4 |
+++ b/grub-core/loader/arm/linux.c
|
|
|
468bd4 |
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
|
|
|
468bd4 |
0, N_("Load Linux."));
|
|
|
468bd4 |
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
|
|
468bd4 |
0, N_("Load initrd."));
|
|
|
468bd4 |
- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
|
|
|
468bd4 |
- /* TRANSLATORS: DTB stands for device tree blob. */
|
|
|
468bd4 |
- 0, N_("Load DTB file."));
|
|
|
468bd4 |
+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
|
|
|
468bd4 |
+ /* TRANSLATORS: DTB stands for device tree blob. */
|
|
|
468bd4 |
+ 0, N_("Load DTB file."));
|
|
|
468bd4 |
my_mod = mod;
|
|
|
468bd4 |
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
|
|
468bd4 |
machine_type = grub_arm_firmware_get_machine_type ();
|
|
|
468bd4 |
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
|
|
468bd4 |
index e3ee3ad79d6..64c560f5610 100644
|
|
|
468bd4 |
--- a/grub-core/loader/efi/fdt.c
|
|
|
468bd4 |
+++ b/grub-core/loader/efi/fdt.c
|
|
|
468bd4 |
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
|
|
|
468bd4 |
GRUB_MOD_INIT (fdt)
|
|
|
468bd4 |
{
|
|
|
468bd4 |
cmd_devicetree =
|
|
|
468bd4 |
- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
|
|
|
468bd4 |
- N_("Load DTB file."));
|
|
|
468bd4 |
+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
|
|
|
468bd4 |
+ N_("Load DTB file."));
|
|
|
468bd4 |
}
|
|
|
468bd4 |
|
|
|
468bd4 |
GRUB_MOD_FINI (fdt)
|
|
|
468bd4 |
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
|
468bd4 |
index f1675b6140c..c55452307dc 100644
|
|
|
468bd4 |
--- a/docs/grub.texi
|
|
|
468bd4 |
+++ b/docs/grub.texi
|
|
|
468bd4 |
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
|
|
|
468bd4 |
|
|
|
468bd4 |
|
|
|
468bd4 |
@node devicetree
|
|
|
468bd4 |
-@subsection linux
|
|
|
468bd4 |
+@subsection devicetree
|
|
|
468bd4 |
|
|
|
468bd4 |
@deffn Command devicetree file
|
|
|
468bd4 |
Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
|
|
|
468bd4 |
kernel. Does not perform merging with any device tree supplied by firmware,
|
|
|
468bd4 |
but rather replaces it completely.
|
|
|
468bd4 |
-@ref{GNU/Linux}.
|
|
|
468bd4 |
+
|
|
|
468bd4 |
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
|
|
468bd4 |
+ This is done to prevent subverting various security mechanisms.
|
|
|
468bd4 |
@end deffn
|
|
|
468bd4 |
|
|
|
468bd4 |
@node distrust
|