|
 |
b35c50 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b35c50 |
From: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
|
b35c50 |
Date: Sun, 14 Aug 2022 15:51:54 +0800
|
|
|
b35c50 |
Subject: [PATCH] kern/efi/sb: Enforce verification of font files
|
|
|
b35c50 |
|
|
|
b35c50 |
As a mitigation and hardening measure enforce verification of font
|
|
|
b35c50 |
files. Then only trusted font files can be load. This will reduce the
|
|
|
b35c50 |
attack surface at cost of losing the ability of end-users to customize
|
|
|
b35c50 |
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
|
|
|
b35c50 |
fonts because they have ability to pack fonts into their GRUB bundles.
|
|
|
b35c50 |
|
|
|
b35c50 |
This goal is achieved by:
|
|
|
b35c50 |
|
|
|
b35c50 |
* Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
|
|
|
b35c50 |
skip-verification list.
|
|
|
b35c50 |
|
|
|
b35c50 |
* Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
|
|
|
b35c50 |
so font files must be verified by a verifier before they can be loaded.
|
|
|
b35c50 |
|
|
|
b35c50 |
Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b35c50 |
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
|
|
|
b35c50 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
b35c50 |
(cherry picked from commit 630deb8c0d8b02b670ced4b7030414bcf17aa080)
|
|
|
b35c50 |
---
|
|
|
b35c50 |
grub-core/kern/efi/sb.c | 1 -
|
|
|
b35c50 |
grub-core/kern/lockdown.c | 1 +
|
|
|
b35c50 |
2 files changed, 1 insertion(+), 1 deletion(-)
|
|
|
b35c50 |
|
|
|
b35c50 |
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
|
|
|
b35c50 |
index 89c4bb3fd1..db42c2539f 100644
|
|
|
b35c50 |
--- a/grub-core/kern/efi/sb.c
|
|
|
b35c50 |
+++ b/grub-core/kern/efi/sb.c
|
|
|
b35c50 |
@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
|
|
|
b35c50 |
case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_TESTLOAD:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_GET_SIZE:
|
|
|
b35c50 |
- case GRUB_FILE_TYPE_FONT:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_CAT:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_HEXCAT:
|
|
|
b35c50 |
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
|
|
|
b35c50 |
index 0bc70fd42d..af6d493cd3 100644
|
|
|
b35c50 |
--- a/grub-core/kern/lockdown.c
|
|
|
b35c50 |
+++ b/grub-core/kern/lockdown.c
|
|
|
b35c50 |
@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
|
|
|
b35c50 |
case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_ACPI_TABLE:
|
|
|
b35c50 |
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
|
|
b35c50 |
+ case GRUB_FILE_TYPE_FONT:
|
|
|
b35c50 |
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
|
|
b35c50 |
|
|
|
b35c50 |
/* Fall through. */
|