|
|
9723a8 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
9723a8 |
From: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
9723a8 |
Date: Wed, 14 Oct 2020 16:33:42 +0200
|
|
|
9723a8 |
Subject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
|
|
|
9723a8 |
is enforced
|
|
|
9723a8 |
|
|
|
9723a8 |
The cutmem and badram commands can be used to remove EFI memory regions
|
|
|
9723a8 |
and potentially disable the UEFI Secure Boot. Prevent the commands to be
|
|
|
9723a8 |
registered if the GRUB is locked down.
|
|
|
9723a8 |
|
|
|
9723a8 |
Fixes: CVE-2020-27779
|
|
|
9723a8 |
|
|
|
9723a8 |
Reported-by: Teddy Reed <teddy.reed@gmail.com>
|
|
|
9723a8 |
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
|
9723a8 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
9723a8 |
---
|
|
|
9723a8 |
grub-core/mmap/mmap.c | 13 +++++++------
|
|
|
9723a8 |
docs/grub.texi | 4 ++++
|
|
|
9723a8 |
2 files changed, 11 insertions(+), 6 deletions(-)
|
|
|
9723a8 |
|
|
|
9723a8 |
diff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
|
|
|
9723a8 |
index 57b4e9a72a9..7ebf32e1e5e 100644
|
|
|
9723a8 |
--- a/grub-core/mmap/mmap.c
|
|
|
9723a8 |
+++ b/grub-core/mmap/mmap.c
|
|
|
9723a8 |
@@ -20,6 +20,7 @@
|
|
|
9723a8 |
#include <grub/memory.h>
|
|
|
9723a8 |
#include <grub/machine/memory.h>
|
|
|
9723a8 |
#include <grub/err.h>
|
|
|
9723a8 |
+#include <grub/lockdown.h>
|
|
|
9723a8 |
#include <grub/misc.h>
|
|
|
9723a8 |
#include <grub/mm.h>
|
|
|
9723a8 |
#include <grub/command.h>
|
|
|
9723a8 |
@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
|
|
|
9723a8 |
|
|
|
9723a8 |
GRUB_MOD_INIT(mmap)
|
|
|
9723a8 |
{
|
|
|
9723a8 |
- cmd = grub_register_command ("badram", grub_cmd_badram,
|
|
|
9723a8 |
- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
|
|
|
9723a8 |
- N_("Declare memory regions as faulty (badram)."));
|
|
|
9723a8 |
- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
|
|
|
9723a8 |
- N_("FROM[K|M|G] TO[K|M|G]"),
|
|
|
9723a8 |
- N_("Remove any memory regions in specified range."));
|
|
|
9723a8 |
+ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
|
|
|
9723a8 |
+ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
|
|
|
9723a8 |
+ N_("Declare memory regions as faulty (badram)."));
|
|
|
9723a8 |
+ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
|
|
|
9723a8 |
+ N_("FROM[K|M|G] TO[K|M|G]"),
|
|
|
9723a8 |
+ N_("Remove any memory regions in specified range."));
|
|
|
9723a8 |
|
|
|
9723a8 |
}
|
|
|
9723a8 |
|
|
|
9723a8 |
diff --git a/docs/grub.texi b/docs/grub.texi
|
|
|
9723a8 |
index a724d0712ed..a9b02190404 100644
|
|
|
9723a8 |
--- a/docs/grub.texi
|
|
|
9723a8 |
+++ b/docs/grub.texi
|
|
|
9723a8 |
@@ -4098,6 +4098,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
|
|
9723a8 |
that are often result of memory damage, due to physical distribution of memory
|
|
|
9723a8 |
cells.
|
|
|
9723a8 |
|
|
|
9723a8 |
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
|
|
9723a8 |
+ This prevents removing EFI memory regions to potentially subvert the
|
|
|
9723a8 |
+ security mechanisms provided by the UEFI secure boot.
|
|
|
9723a8 |
+
|
|
|
9723a8 |
@node blocklist
|
|
|
9723a8 |
@subsection blocklist
|
|
|
9723a8 |
|