|
|
3efed6 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
3efed6 |
From: Daniel Axtens <dja@axtens.net>
|
|
|
3efed6 |
Date: Mon, 28 Sep 2020 11:11:17 +1000
|
|
|
3efed6 |
Subject: [PATCH] ieee1275: link appended-signature enforcement to
|
|
|
3efed6 |
/ibm,secure-boot
|
|
|
3efed6 |
|
|
|
3efed6 |
If the 'ibm,secure-boot' property of the root node is 2 or greater,
|
|
|
3efed6 |
require that the kernel pass appended-signature verification.
|
|
|
3efed6 |
|
|
|
3efed6 |
Do not consider the presence of a certificate to enforce verification.
|
|
|
3efed6 |
|
|
|
3efed6 |
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
|
|
3efed6 |
---
|
|
|
3efed6 |
grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++-------
|
|
|
3efed6 |
grub-core/kern/ieee1275/init.c | 26 ++++++++++++++++
|
|
|
3efed6 |
2 files changed, 60 insertions(+), 10 deletions(-)
|
|
|
3efed6 |
|
|
|
3efed6 |
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
|
|
b71686 |
index 5d8897be5..4ef2ec289 100644
|
|
|
3efed6 |
--- a/grub-core/commands/appendedsig/appendedsig.c
|
|
|
3efed6 |
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
|
|
3efed6 |
@@ -95,10 +95,24 @@ static char *
|
|
|
3efed6 |
grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
|
|
3efed6 |
const char *val)
|
|
|
3efed6 |
{
|
|
|
3efed6 |
+ if (check_sigs == 2)
|
|
|
3efed6 |
+ return grub_strdup ("forced");
|
|
|
3efed6 |
check_sigs = (*val == '1') || (*val == 'e');
|
|
|
3efed6 |
return grub_strdup (check_sigs ? "enforce" : "no");
|
|
|
3efed6 |
}
|
|
|
3efed6 |
|
|
|
3efed6 |
+static const char *
|
|
|
3efed6 |
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
|
|
|
3efed6 |
+ const char *val __attribute__ ((unused)))
|
|
|
3efed6 |
+{
|
|
|
3efed6 |
+ if (check_sigs == 2)
|
|
|
3efed6 |
+ return "forced";
|
|
|
3efed6 |
+ else if (check_sigs == 1)
|
|
|
3efed6 |
+ return "enforce";
|
|
|
3efed6 |
+ else
|
|
|
3efed6 |
+ return "no";
|
|
|
3efed6 |
+}
|
|
|
3efed6 |
+
|
|
|
3efed6 |
static grub_err_t
|
|
|
3efed6 |
read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
|
|
3efed6 |
{
|
|
|
3efed6 |
@@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig)
|
|
|
3efed6 |
val = grub_env_get ("check_appended_signatures");
|
|
|
3efed6 |
grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
|
|
|
3efed6 |
|
|
|
3efed6 |
- if (val && (val[0] == '1' || val[0] == 'e'))
|
|
|
3efed6 |
- check_sigs = 1;
|
|
|
3efed6 |
- else
|
|
|
3efed6 |
- check_sigs = 0;
|
|
|
3efed6 |
+ if (val)
|
|
|
3efed6 |
+ {
|
|
|
3efed6 |
+ if (val[0] == '2' || val[0] == 'f')
|
|
|
3efed6 |
+ check_sigs = 2;
|
|
|
3efed6 |
+ else if (val[0] == '1' || val[0] == 'e')
|
|
|
3efed6 |
+ check_sigs = 1;
|
|
|
3efed6 |
+ else
|
|
|
3efed6 |
+ check_sigs = 0;
|
|
|
3efed6 |
+ }
|
|
|
3efed6 |
|
|
|
3efed6 |
grub_trusted_key = NULL;
|
|
|
3efed6 |
|
|
|
3efed6 |
- grub_register_variable_hook ("check_appended_signatures", 0,
|
|
|
3efed6 |
+ grub_register_variable_hook ("check_appended_signatures",
|
|
|
3efed6 |
+ grub_env_read_sec,
|
|
|
3efed6 |
grub_env_write_sec);
|
|
|
3efed6 |
grub_env_export ("check_appended_signatures");
|
|
|
3efed6 |
|
|
|
3efed6 |
@@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig)
|
|
|
3efed6 |
grub_trusted_key = pk;
|
|
|
3efed6 |
}
|
|
|
3efed6 |
|
|
|
3efed6 |
- if (!val || val[0] == '\0')
|
|
|
3efed6 |
- {
|
|
|
3efed6 |
- grub_env_set ("check_appended_signatures",
|
|
|
3efed6 |
- grub_trusted_key ? "enforce" : "no");
|
|
|
3efed6 |
- }
|
|
|
3efed6 |
+ /*
|
|
|
3efed6 |
+ * When controlled by ibm,secure-boot, we don't want the presence of
|
|
|
3efed6 |
+ * a certificate to enforce secure boot.
|
|
|
3efed6 |
+ * if (!val || val[0] == '\0')
|
|
|
3efed6 |
+ * {
|
|
|
3efed6 |
+ * grub_env_set ("check_appended_signatures",
|
|
|
3efed6 |
+ * grub_trusted_key ? "enforce" : "no");
|
|
|
3efed6 |
+ * }
|
|
|
3efed6 |
+ */
|
|
|
3efed6 |
|
|
|
3efed6 |
cmd_trust =
|
|
|
3efed6 |
grub_register_command ("trust_certificate", grub_cmd_trust,
|
|
|
3efed6 |
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
|
|
b71686 |
index e731a57a4..22dc3013d 100644
|
|
|
3efed6 |
--- a/grub-core/kern/ieee1275/init.c
|
|
|
3efed6 |
+++ b/grub-core/kern/ieee1275/init.c
|
|
|
3efed6 |
@@ -268,6 +268,30 @@ grub_parse_cmdline (void)
|
|
|
3efed6 |
}
|
|
|
3efed6 |
}
|
|
|
3efed6 |
|
|
|
3efed6 |
+static void
|
|
|
3efed6 |
+grub_get_ieee1275_secure_boot (void)
|
|
|
3efed6 |
+{
|
|
|
3efed6 |
+ grub_ieee1275_phandle_t root;
|
|
|
3efed6 |
+ int rc;
|
|
|
3efed6 |
+ grub_uint32_t is_sb;
|
|
|
3efed6 |
+
|
|
|
3efed6 |
+ grub_ieee1275_finddevice ("/", &root);
|
|
|
3efed6 |
+
|
|
|
3efed6 |
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
|
|
|
3efed6 |
+ sizeof (is_sb), 0);
|
|
|
3efed6 |
+
|
|
|
3efed6 |
+ /* ibm,secure-boot:
|
|
|
3efed6 |
+ * 0 - disabled
|
|
|
3efed6 |
+ * 1 - audit
|
|
|
3efed6 |
+ * 2 - enforce
|
|
|
3efed6 |
+ * 3 - enforce + OS-specific behaviour
|
|
|
3efed6 |
+ *
|
|
|
3efed6 |
+ * We only support enforce.
|
|
|
3efed6 |
+ */
|
|
|
3efed6 |
+ if (rc >= 0 && is_sb >= 2)
|
|
|
3efed6 |
+ grub_env_set("check_appended_signatures", "forced");
|
|
|
3efed6 |
+}
|
|
|
3efed6 |
+
|
|
|
3efed6 |
grub_addr_t grub_modbase;
|
|
|
3efed6 |
|
|
|
3efed6 |
void
|
|
|
3efed6 |
@@ -290,6 +314,8 @@ grub_machine_init (void)
|
|
|
3efed6 |
#else
|
|
|
3efed6 |
grub_install_get_time_ms (grub_rtc_get_time_ms);
|
|
|
3efed6 |
#endif
|
|
|
3efed6 |
+
|
|
|
3efed6 |
+ grub_get_ieee1275_secure_boot ();
|
|
|
3efed6 |
}
|
|
|
3efed6 |
|
|
|
3efed6 |
void
|