From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Mon, 28 Sep 2020 11:11:17 +1000
Subject: [PATCH] ieee1275: link appended-signature enforcement to
/ibm,secure-boot
If the 'ibm,secure-boot' property of the root node is 2 or greater,
require that the kernel pass appended-signature verification.
Do not consider the presence of a certificate to enforce verification.
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++-------
grub-core/kern/ieee1275/init.c | 26 ++++++++++++++++
2 files changed, 60 insertions(+), 10 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index 5d8897be5..4ef2ec289 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -95,10 +95,24 @@ static char *
grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
const char *val)
{
+ if (check_sigs == 2)
+ return grub_strdup ("forced");
check_sigs = (*val == '1') || (*val == 'e');
return grub_strdup (check_sigs ? "enforce" : "no");
}
+static const char *
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
+ const char *val __attribute__ ((unused)))
+{
+ if (check_sigs == 2)
+ return "forced";
+ else if (check_sigs == 1)
+ return "enforce";
+ else
+ return "no";
+}
+
static grub_err_t
read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
{
@@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig)
val = grub_env_get ("check_appended_signatures");
grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
- if (val && (val[0] == '1' || val[0] == 'e'))
- check_sigs = 1;
- else
- check_sigs = 0;
+ if (val)
+ {
+ if (val[0] == '2' || val[0] == 'f')
+ check_sigs = 2;
+ else if (val[0] == '1' || val[0] == 'e')
+ check_sigs = 1;
+ else
+ check_sigs = 0;
+ }
grub_trusted_key = NULL;
- grub_register_variable_hook ("check_appended_signatures", 0,
+ grub_register_variable_hook ("check_appended_signatures",
+ grub_env_read_sec,
grub_env_write_sec);
grub_env_export ("check_appended_signatures");
@@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig)
grub_trusted_key = pk;
}
- if (!val || val[0] == '\0')
- {
- grub_env_set ("check_appended_signatures",
- grub_trusted_key ? "enforce" : "no");
- }
+ /*
+ * When controlled by ibm,secure-boot, we don't want the presence of
+ * a certificate to enforce secure boot.
+ * if (!val || val[0] == '\0')
+ * {
+ * grub_env_set ("check_appended_signatures",
+ * grub_trusted_key ? "enforce" : "no");
+ * }
+ */
cmd_trust =
grub_register_command ("trust_certificate", grub_cmd_trust,
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index e731a57a4..22dc3013d 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -268,6 +268,30 @@ grub_parse_cmdline (void)
}
}
+static void
+grub_get_ieee1275_secure_boot (void)
+{
+ grub_ieee1275_phandle_t root;
+ int rc;
+ grub_uint32_t is_sb;
+
+ grub_ieee1275_finddevice ("/", &root);
+
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
+ sizeof (is_sb), 0);
+
+ /* ibm,secure-boot:
+ * 0 - disabled
+ * 1 - audit
+ * 2 - enforce
+ * 3 - enforce + OS-specific behaviour
+ *
+ * We only support enforce.
+ */
+ if (rc >= 0 && is_sb >= 2)
+ grub_env_set("check_appended_signatures", "forced");
+}
+
grub_addr_t grub_modbase;
void
@@ -290,6 +314,8 @@ grub_machine_init (void)
#else
grub_install_get_time_ms (grub_rtc_get_time_ms);
#endif
+
+ grub_get_ieee1275_secure_boot ();
}
void