nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone
Blob Blame History Raw
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 09:00:05 +0100
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
 when locked down

There are some more commands that should be restricted when the GRUB is
locked down. Following is the list of commands and reasons to restrict:

  * fakebios:   creates BIOS-like structures for backward compatibility with
                existing OSes. This should not be allowed when locked down.

  * loadbios:   reads a BIOS dump from storage and loads it. This action
                should not be allowed when locked down.

  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
                any Device Tree provided by the firmware. This also should
                not be allowed when locked down.

Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/efi/loadbios.c | 14 +++++++-------
 grub-core/loader/arm/linux.c      |  6 +++---
 grub-core/loader/efi/fdt.c        |  4 ++--
 docs/grub.texi                    |  6 ++++--
 4 files changed, 16 insertions(+), 14 deletions(-)

diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
index d41d521a4ae..5c7725f8bd8 100644
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
 
 GRUB_MOD_INIT(loadbios)
 {
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
-					0, N_("Create BIOS-like structures for"
-					      " backward compatibility with"
-					      " existing OS."));
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
+						 0, N_("Create BIOS-like structures for"
+						       " backward compatibility with"
+						       " existing OS."));
 
-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
-					N_("BIOS_DUMP [INT10_DUMP]"),
-					N_("Load BIOS dump."));
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
+						 N_("BIOS_DUMP [INT10_DUMP]"),
+						 N_("Load BIOS dump."));
 }
 
 GRUB_MOD_FINI(loadbios)
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
index 1e944a2b671..653f2e07692 100644
--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
 				     0, N_("Load Linux."));
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
 				      0, N_("Load initrd."));
-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
-					  /* TRANSLATORS: DTB stands for device tree blob.  */
-					  0, N_("Load DTB file."));
+  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
+						   /* TRANSLATORS: DTB stands for device tree blob. */
+						   0, N_("Load DTB file."));
   my_mod = mod;
   current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
   machine_type = grub_arm_firmware_get_machine_type ();
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
index e3ee3ad79d6..64c560f5610 100644
--- a/grub-core/loader/efi/fdt.c
+++ b/grub-core/loader/efi/fdt.c
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
 GRUB_MOD_INIT (fdt)
 {
   cmd_devicetree =
-    grub_register_command ("devicetree", grub_cmd_devicetree, 0,
-			   N_("Load DTB file."));
+    grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
+				    N_("Load DTB file."));
 }
 
 GRUB_MOD_FINI (fdt)
diff --git a/docs/grub.texi b/docs/grub.texi
index f1675b6140c..c55452307dc 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
 
 
 @node devicetree
-@subsection linux
+@subsection devicetree
 
 @deffn Command devicetree file
 Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
 kernel. Does not perform merging with any device tree supplied by firmware,
 but rather replaces it completely.
-@ref{GNU/Linux}.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      This is done to prevent subverting various security mechanisms.
 @end deffn
 
 @node distrust