From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Chris Coulson Date: Fri, 19 Feb 2021 13:53:45 +0100 Subject: [PATCH] kern/efi: Add initial stack protector implementation It works only on UEFI platforms but can be quite easily extended to others architectures and platforms if needed. Signed-off-by: Chris Coulson Signed-off-by: Daniel Kiper Reviewed-by: Marco A Benatto Reviewed-by: Javier Martinez Canillas --- configure.ac | 44 ++++++++++++++++++++++++++++++---- grub-core/kern/efi/init.c | 54 ++++++++++++++++++++++++++++++++++++++++++ include/grub/efi/api.h | 19 +++++++++++++++ include/grub/stack_protector.h | 30 +++++++++++++++++++++++ acinclude.m4 | 38 +++++++++++++++++++++++++++-- grub-core/Makefile.am | 1 + 6 files changed, 179 insertions(+), 7 deletions(-) create mode 100644 include/grub/stack_protector.h diff --git a/configure.ac b/configure.ac index 0059b938a3a..f59a7b86c51 100644 --- a/configure.ac +++ b/configure.ac @@ -1330,12 +1330,41 @@ fi] CFLAGS="$TARGET_CFLAGS" -# Smashing stack protector. +# Stack smashing protector. grub_CHECK_STACK_PROTECTOR -# Need that, because some distributions ship compilers that include -# `-fstack-protector' in the default specs. -if test "x$ssp_possible" = xyes; then - TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector" +AC_ARG_ENABLE([stack-protector], + AS_HELP_STRING([--enable-stack-protector], + [enable the stack protector]), + [], + [enable_stack_protector=no]) +if test "x$enable_stack_protector" = xno; then + if test "x$ssp_possible" = xyes; then + # Need that, because some distributions ship compilers that include + # `-fstack-protector' in the default specs. + TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector" + fi +elif test "x$platform" != xefi; then + AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms]) +elif test "x$ssp_global_possible" != xyes; then + AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)]) +else + TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global" + if test "x$enable_stack_protector" = xyes; then + if test "x$ssp_possible" != xyes; then + AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)]) + fi + TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector" + elif test "x$enable_stack_protector" = xstrong; then + if test "x$ssp_strong_possible" != xyes; then + AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)]) + fi + TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong" + else + # Note, -fstack-protector-all requires that the protector is disabled for + # functions that appear in the call stack when the canary is initialized. + AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector]) + fi + TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1" fi CFLAGS="$TARGET_CFLAGS" @@ -2247,5 +2276,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus else echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)" fi +if test "x$enable_stack_protector" != xno; then +echo "With stack smashing protector: Yes" +else +echo "With stack smashing protector: No" +fi echo "*******************************************************" ] diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c index 97bf36906a4..501608f743e 100644 --- a/grub-core/kern/efi/init.c +++ b/grub-core/kern/efi/init.c @@ -28,6 +28,58 @@ #include #include #include +#include + +#ifdef GRUB_STACK_PROTECTOR + +static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID; + +/* + * Don't put this on grub_efi_init()'s local stack to avoid it + * getting a stack check. + */ +static grub_efi_uint8_t stack_chk_guard_buf[32]; + +grub_addr_t __stack_chk_guard; + +void __attribute__ ((noreturn)) +__stack_chk_fail (void) +{ + /* + * Assume it's not safe to call into EFI Boot Services. Sorry, that + * means no console message here. + */ + do + { + /* Do not optimize out the loop. */ + asm volatile (""); + } + while (1); +} + +static void +stack_protector_init (void) +{ + grub_efi_rng_protocol_t *rng; + + /* Set up the stack canary. Make errors here non-fatal for now. */ + rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL); + if (rng != NULL) + { + grub_efi_status_t status; + + status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf), + stack_chk_guard_buf); + if (status == GRUB_EFI_SUCCESS) + grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard)); + } +} +#else +static void +stack_protector_init (void) +{ +} +#endif grub_addr_t grub_modbase; @@ -92,6 +144,8 @@ grub_efi_init (void) messages. */ grub_console_init (); + stack_protector_init (); + /* Initialize the memory management system. */ grub_efi_mm_init (); diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h index a092fddb629..37e7b162874 100644 --- a/include/grub/efi/api.h +++ b/include/grub/efi/api.h @@ -344,6 +344,11 @@ { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \ } +#define GRUB_EFI_RNG_PROTOCOL_GUID \ + { 0x3152bca5, 0xeade, 0x433d, \ + { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \ + } + struct grub_efi_sal_system_table { grub_uint32_t signature; @@ -2067,6 +2072,20 @@ struct grub_efi_ip6_config_manual_address { }; typedef struct grub_efi_ip6_config_manual_address grub_efi_ip6_config_manual_address_t; +typedef grub_efi_guid_t grub_efi_rng_algorithm_t; + +struct grub_efi_rng_protocol +{ + grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this, + grub_efi_uintn_t *rng_algorithm_list_size, + grub_efi_rng_algorithm_t *rng_algorithm_list); + grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this, + grub_efi_rng_algorithm_t *rng_algorithm, + grub_efi_uintn_t rng_value_length, + grub_efi_uint8_t *rng_value); +}; +typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t; + #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \ || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h new file mode 100644 index 00000000000..c88dc00b5f9 --- /dev/null +++ b/include/grub/stack_protector.h @@ -0,0 +1,30 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2021 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + */ + +#ifndef GRUB_STACK_PROTECTOR_H +#define GRUB_STACK_PROTECTOR_H 1 + +#include +#include + +#ifdef GRUB_STACK_PROTECTOR +extern grub_addr_t EXPORT_VAR (__stack_chk_guard); +extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void); +#endif + +#endif /* GRUB_STACK_PROTECTOR_H */ diff --git a/acinclude.m4 b/acinclude.m4 index 242e829ff23..21238fcfd03 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -324,9 +324,9 @@ fi ]) -dnl Check if the C compiler supports `-fstack-protector'. +dnl Check if the C compiler supports the stack protector AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[ -[# Smashing stack protector. +[# Stack smashing protector. ssp_possible=yes] AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector']) # Is this a reliable test case? @@ -343,6 +343,40 @@ else ssp_possible=no] AC_MSG_RESULT([no]) [fi] +[# Strong stack smashing protector. +ssp_strong_possible=yes] +AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong']) +# Is this a reliable test case? +AC_LANG_CONFTEST([AC_LANG_SOURCE([[ +void foo (void) { volatile char a[8]; a[3]; } +]])]) +[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling +# `ac_compile' like this correct, after all? +if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then] + AC_MSG_RESULT([yes]) + [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'? + rm -f conftest.s +else + ssp_strong_possible=no] + AC_MSG_RESULT([no]) +[fi] +[# Global stack smashing protector. +ssp_global_possible=yes] +AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global']) +# Is this a reliable test case? +AC_LANG_CONFTEST([AC_LANG_SOURCE([[ +void foo (void) { volatile char a[8]; a[3]; } +]])]) +[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling +# `ac_compile' like this correct, after all? +if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then] + AC_MSG_RESULT([yes]) + [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'? + rm -f conftest.s +else + ssp_global_possible=no] + AC_MSG_RESULT([no]) +[fi] ]) dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin). diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am index a6f1b0dcd06..308ad8850c9 100644 --- a/grub-core/Makefile.am +++ b/grub-core/Makefile.am @@ -92,6 +92,7 @@ endif KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h