Blame SOURCES/0323-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch

9723a8
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
9723a8
From: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Date: Wed, 14 Oct 2020 16:33:42 +0200
9723a8
Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
9723a8
 is enforced
9723a8
9723a8
The cutmem and badram commands can be used to remove EFI memory regions
9723a8
and potentially disable the UEFI Secure Boot. Prevent the commands to be
9723a8
registered if the GRUB is locked down.
9723a8
9723a8
Fixes: CVE-2020-27779
9723a8
9723a8
Reported-by: Teddy Reed <teddy.reed@gmail.com>
9723a8
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
9723a8
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
9723a8
---
9723a8
 grub-core/mmap/mmap.c | 13 +++++++------
9723a8
 docs/grub.texi        |  4 ++++
9723a8
 2 files changed, 11 insertions(+), 6 deletions(-)
9723a8
9723a8
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
9723a8
index 57b4e9a72a9..7ebf32e1e5e 100644
9723a8
--- a/grub-core/mmap/mmap.c
9723a8
+++ b/grub-core/mmap/mmap.c
9723a8
@@ -20,6 +20,7 @@
9723a8
 #include <grub/memory.h>
9723a8
 #include <grub/machine/memory.h>
9723a8
 #include <grub/err.h>
9723a8
+#include <grub/lockdown.h>
9723a8
 #include <grub/misc.h>
9723a8
 #include <grub/mm.h>
9723a8
 #include <grub/command.h>
9723a8
@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
9723a8
 
9723a8
 GRUB_MOD_INIT(mmap)
9723a8
 {
9723a8
-  cmd = grub_register_command ("badram", grub_cmd_badram,
9723a8
-			       N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
9723a8
-			       N_("Declare memory regions as faulty (badram)."));
9723a8
-  cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
9723a8
-				   N_("FROM[K|M|G] TO[K|M|G]"),
9723a8
-				   N_("Remove any memory regions in specified range."));
9723a8
+  cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
9723a8
+                                        N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
9723a8
+                                        N_("Declare memory regions as faulty (badram)."));
9723a8
+  cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
9723a8
+                                            N_("FROM[K|M|G] TO[K|M|G]"),
9723a8
+                                            N_("Remove any memory regions in specified range."));
9723a8
 
9723a8
 }
9723a8
 
9723a8
diff --git a/docs/grub.texi b/docs/grub.texi
9723a8
index a724d0712ed..a9b02190404 100644
9723a8
--- a/docs/grub.texi
9723a8
+++ b/docs/grub.texi
9723a8
@@ -4098,6 +4098,10 @@ this page is to be filtered.  This syntax makes it easy to represent patterns
9723a8
 that are often result of memory damage, due to physical distribution of memory
9723a8
 cells.
9723a8
 
9723a8
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
9723a8
+      This prevents removing EFI memory regions to potentially subvert the
9723a8
+      security mechanisms provided by the UEFI secure boot.
9723a8
+
9723a8
 @node blocklist
9723a8
 @subsection blocklist
9723a8