|
 |
b35c50 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
b35c50 |
From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
|
|
|
b35c50 |
Date: Thu, 3 Mar 2022 13:10:56 +0100
|
|
|
b35c50 |
Subject: [PATCH] grub-core/loader/i386/efi/linux.c: do not validate kernels
|
|
|
b35c50 |
twice
|
|
|
b35c50 |
|
|
|
b35c50 |
On codebases that have shim-lock-verifier built into the grub core
|
|
|
b35c50 |
(like 2.06 upstream), shim-lock-verifier is in enforcing mode when
|
|
|
b35c50 |
booted with secureboot. It means that grub_cmd_linux() command
|
|
|
b35c50 |
attempts to perform shim validate upon opening linux kernel image,
|
|
|
b35c50 |
including kernel measurement. And the verifier correctly returns file
|
|
|
b35c50 |
open error when shim validate protocol is not present or shim fails to
|
|
|
b35c50 |
validate the kernel.
|
|
|
b35c50 |
|
|
|
b35c50 |
This makes the call to grub_linuxefi_secure_validate() redundant, but
|
|
|
b35c50 |
also harmful. As validating the kernel image twice, extends the PCRs
|
|
|
b35c50 |
with the same measurement twice. Which breaks existing sealing
|
|
|
b35c50 |
policies when upgrading from grub2.04+rhboot+sb+linuxefi to
|
|
|
b35c50 |
grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure
|
|
|
b35c50 |
the kernel twice.
|
|
|
b35c50 |
|
|
|
b35c50 |
This patch must not be ported to older editions of grub code bases
|
|
|
b35c50 |
that do not have verifiers framework, or it is not builtin, or
|
|
|
b35c50 |
shim-lock-verifier is an optional module.
|
|
|
b35c50 |
|
|
|
b35c50 |
This patch is tested to ensure that unsigned kernels are not possible
|
|
|
b35c50 |
to boot in secureboot mode when shim rejects kernel, or shim protocol
|
|
|
b35c50 |
is missing, and that the measurements become stable once again. The
|
|
|
b35c50 |
above also ensures that CVE-2020-15705 is not reintroduced.
|
|
|
b35c50 |
|
|
|
b35c50 |
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
|
|
|
b35c50 |
---
|
|
|
b35c50 |
grub-core/loader/i386/efi/linux.c | 13 -------------
|
|
|
b35c50 |
1 file changed, 13 deletions(-)
|
|
|
b35c50 |
|
|
|
b35c50 |
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
|
|
b35c50 |
index 3cf0f9b330..941df6400b 100644
|
|
|
b35c50 |
--- a/grub-core/loader/i386/efi/linux.c
|
|
|
b35c50 |
+++ b/grub-core/loader/i386/efi/linux.c
|
|
|
b35c50 |
@@ -30,7 +30,6 @@
|
|
|
b35c50 |
#include <grub/cpu/efi/memory.h>
|
|
|
b35c50 |
#include <grub/tpm.h>
|
|
|
b35c50 |
#include <grub/safemath.h>
|
|
|
b35c50 |
-#include <grub/efi/sb.h>
|
|
|
b35c50 |
|
|
|
b35c50 |
GRUB_MOD_LICENSE ("GPLv3+");
|
|
|
b35c50 |
|
|
|
b35c50 |
@@ -278,7 +277,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
b35c50 |
grub_ssize_t start, filelen;
|
|
|
b35c50 |
void *kernel = NULL;
|
|
|
b35c50 |
int setup_header_end_offset;
|
|
|
b35c50 |
- int rc;
|
|
|
b35c50 |
|
|
|
b35c50 |
grub_dl_ref (my_mod);
|
|
|
b35c50 |
|
|
|
b35c50 |
@@ -308,17 +306,6 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
|
|
b35c50 |
goto fail;
|
|
|
b35c50 |
}
|
|
|
b35c50 |
|
|
|
b35c50 |
- if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
|
|
|
b35c50 |
- {
|
|
|
b35c50 |
- rc = grub_linuxefi_secure_validate (kernel, filelen);
|
|
|
b35c50 |
- if (rc <= 0)
|
|
|
b35c50 |
- {
|
|
|
b35c50 |
- grub_error (GRUB_ERR_INVALID_COMMAND,
|
|
|
b35c50 |
- N_("%s has invalid signature"), argv[0]);
|
|
|
b35c50 |
- goto fail;
|
|
|
b35c50 |
- }
|
|
|
b35c50 |
- }
|
|
|
b35c50 |
-
|
|
|
b35c50 |
lh = (struct linux_i386_kernel_header *)kernel;
|
|
|
b35c50 |
grub_dprintf ("linux", "original lh is at %p\n", kernel);
|
|
|
b35c50 |
|