
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Wed, 24 Feb 2021 09:00:05 +0100
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
 when locked down
b1bcb2
There are some more commands that should be restricted when GRUB is
locked down. Following is the list of commands and reasons to restrict:
  * fakebios:   creates BIOS-like structures for backward compatibility with
                existing OSes. This should not be allowed when locked down.
  * loadbios:   reads a BIOS dump from storage and loads it. This action
                should not be allowed when locked down.
  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
                any Device Tree provided by the firmware. This also should
                not be allowed when locked down.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/commands/efi/loadbios.c | 14 +++++++-------
 grub-core/loader/arm/linux.c      |  6 +++---
 docs/grub.texi                    |  6 ++++--
 3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
index 132cadbc764..3da4c26df7a 100644
--- a/grub-core/commands/efi/loadbios.c
+++ b/grub-core/commands/efi/loadbios.c
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
 
 GRUB_MOD_INIT(loadbios)
 {
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
-					0, N_("Create BIOS-like structures for"
-					      " backward compatibility with"
-					      " existing OS."));
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
+						 0, N_("Create BIOS-like structures for"
+						       " backward compatibility with"
+						       " existing OS."));
 
-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
-					N_("BIOS_DUMP [INT10_DUMP]"),
-					N_("Load BIOS dump."));
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
+						 N_("BIOS_DUMP [INT10_DUMP]"),
+						 N_("Load BIOS dump."));
 }
 
 GRUB_MOD_FINI(loadbios)
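Review bot: The lockdown restriction added to the fakebios and loadbios registrations is not reflected in any user-facing documentation, while the devicetree change in this same commit does get a note in docs/grub.texi; the diffstat shows no documentation change for these two commands. If grub.texi documents loadbios or fakebios, a sentence parallel to the devicetree one, `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).`, would keep the manual consistent with the new behaviour; if they are undocumented there, that is worth stating in the commit message so the asymmetry is deliberate. Switching only the registration helper looks sufficient on the new side because the cmd_fakebios and cmd_loadbios handles are unchanged, presumably still unregistered by GRUB_MOD_FINI(loadbios), whose body lies outside the hunk, so that should be confirmed.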
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
index 1b195e0899e..8fc905e26ca 100644
--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
@@ -513,9 +513,9 @@ GRUB_MOD_INIT (linux)
 				     0, N_("Load Linux."));
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
 				      0, N_("Load initrd."));
-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
-					  /* TRANSLATORS: DTB stands for device tree blob.  */
-					  0, N_("Load DTB file."));
+  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
+						   /* TRANSLATORS: DTB stands for device tree blob. */
+						   0, N_("Load DTB file."));
   my_mod = mod;
   fdt_addr = (void *) grub_arm_firmware_get_boot_data ();
   machine_type = grub_arm_firmware_get_machine_type ();
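Review bot: The TRANSLATORS comment on the new devicetree registration drops the second space after the full stop (`blob. */` where the removed line had `blob.  */`), an unrelated departure from the GNU two-spaces-after-a-sentence convention the rest of this file follows; restoring `/* TRANSLATORS: DTB stands for device tree blob.  */` keeps the comment identical apart from indentation and leaves the extracted translator note untouched. The commit message describes devicetree generically, but this hunk only restricts the ARM loader's registration; if the devicetree command is also registered by another loader in this tree, it would need the same switch to grub_register_command_lockdown, otherwise lockdown is bypassable on that platform, which cannot be verified from this patch. GRUB_MOD_INIT (linux) starts and ends outside the hunk.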
diff --git a/docs/grub.texi b/docs/grub.texi
index 5a1cfd4aea9..432610991b7 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4157,13 +4157,15 @@ hour, minute, and second unchanged.
 
 
 @node devicetree
-@subsection linux
+@subsection devicetree
 
 @deffn Command devicetree file
 Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
 kernel. Does not perform merging with any device tree supplied by firmware,
 but rather replaces it completely.
-@ref{GNU/Linux}.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+      This is done to prevent subverting various security mechanisms.
 @end deffn
 
 @node distrust