nalika / rpms / grub2

Forked from rpms/grub2 2 years ago
Clone

Blame SOURCES/0379-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Date: Wed, 24 Feb 2021 09:00:05 +0100
9723a8
Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
9723a8
 when locked down
9723a8
9723a8
There are some more commands that should be restricted when the GRUB is
9723a8
locked down. Following is the list of commands and reasons to restrict:
9723a8
9723a8
  * fakebios:   creates BIOS-like structures for backward compatibility with
9723a8
                existing OSes. This should not be allowed when locked down.
9723a8
9723a8
  * loadbios:   reads a BIOS dump from storage and loads it. This action
9723a8
                should not be allowed when locked down.
9723a8
9723a8
  * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
9723a8
                any Device Tree provided by the firmware. This also should
9723a8
                not be allowed when locked down.
9723a8
9723a8
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/commands/efi/loadbios.c | 14 +++++++-------
9723a8
 grub-core/loader/arm/linux.c      |  6 +++---
9723a8
 grub-core/loader/efi/fdt.c        |  4 ++--
9723a8
 docs/grub.texi                    |  6 ++++--
9723a8
 4 files changed, 16 insertions(+), 14 deletions(-)
9723a8
9723a8
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
3efed6
index d41d521a4ae..5c7725f8bd8 100644
9723a8
--- a/grub-core/commands/efi/loadbios.c
9723a8
+++ b/grub-core/commands/efi/loadbios.c
9723a8
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
9723a8
 
9723a8
 GRUB_MOD_INIT(loadbios)
9723a8
 {
9723a8
-  cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
9723a8
-					0, N_("Create BIOS-like structures for"
9723a8
-					      " backward compatibility with"
9723a8
-					      " existing OS."));
9723a8
+  cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
9723a8
+						 0, N_("Create BIOS-like structures for"
9723a8
+						       " backward compatibility with"
9723a8
+						       " existing OS."));
9723a8
 
9723a8
-  cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
9723a8
-					N_("BIOS_DUMP [INT10_DUMP]"),
9723a8
-					N_("Load BIOS dump."));
9723a8
+  cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
9723a8
+						 N_("BIOS_DUMP [INT10_DUMP]"),
9723a8
+						 N_("Load BIOS dump."));
9723a8
 }
9723a8
 
9723a8
 GRUB_MOD_FINI(loadbios)
9723a8
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
3efed6
index 1e944a2b671..653f2e07692 100644
9723a8
--- a/grub-core/loader/arm/linux.c
9723a8
+++ b/grub-core/loader/arm/linux.c
3efed6
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
9723a8
 				     0, N_("Load Linux."));
9723a8
   cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
9723a8
 				      0, N_("Load initrd."));
9723a8
-  cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
9723a8
-					  /* TRANSLATORS: DTB stands for device tree blob.  */
9723a8
-					  0, N_("Load DTB file."));
9723a8
+  cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
9723a8
+						   /* TRANSLATORS: DTB stands for device tree blob. */
9723a8
+						   0, N_("Load DTB file."));
9723a8
   my_mod = mod;
9723a8
   current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
9723a8
   machine_type = grub_arm_firmware_get_machine_type ();
9723a8
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
3efed6
index e3ee3ad79d6..64c560f5610 100644
9723a8
--- a/grub-core/loader/efi/fdt.c
9723a8
+++ b/grub-core/loader/efi/fdt.c
9723a8
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
9723a8
 GRUB_MOD_INIT (fdt)
9723a8
 {
9723a8
   cmd_devicetree =
9723a8
-    grub_register_command ("devicetree", grub_cmd_devicetree, 0,
9723a8
-			   N_("Load DTB file."));
9723a8
+    grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
9723a8
+				    N_("Load DTB file."));
9723a8
 }
9723a8
 
9723a8
 GRUB_MOD_FINI (fdt)
9723a8
diff --git a/docs/grub.texi b/docs/grub.texi
3efed6
index f1675b6140c..c55452307dc 100644
9723a8
--- a/docs/grub.texi
9723a8
+++ b/docs/grub.texi
3efed6
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
9723a8
 
9723a8
 
9723a8
 @node devicetree
9723a8
-@subsection linux
9723a8
+@subsection devicetree
9723a8
 
9723a8
 @deffn Command devicetree file
9723a8
 Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
9723a8
 kernel. Does not perform merging with any device tree supplied by firmware,
9723a8
 but rather replaces it completely.
9723a8
-@ref{GNU/Linux}.
9723a8
+
9723a8
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
9723a8
+      This is done to prevent subverting various security mechanisms.
9723a8
 @end deffn
9723a8
 
9723a8
 @node distrust