Blame SOURCES/0333-linuxefi-fail-kernel-validation-without-shim-protoco.patch

c4e390
From 02bdaed98f9a17a06f71ce7e21d9af2bd6547dfc Mon Sep 17 00:00:00 2001
c4e390
From: Dimitri John Ledkov <xnox@ubuntu.com>
c4e390
Date: Wed, 22 Jul 2020 11:31:43 +0100
c4e390
Subject: [PATCH 333/336] linuxefi: fail kernel validation without shim
c4e390
 protocol.
c4e390
c4e390
If certificates that signed grub are installed into db, grub can be
c4e390
booted directly. It will then boot any kernel without signature
c4e390
validation. The booted kernel will think it was booted in secureboot
c4e390
mode and will implement lockdown, yet it could have been tampered.
c4e390
c4e390
This version of the patch skips calling verification, when booted
c4e390
without secureboot. And is indented with gnu ident.
c4e390
c4e390
CVE-2020-15705
c4e390
c4e390
Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
c4e390
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
c4e390
---
c4e390
 grub-core/loader/arm64/linux.c     | 12 ++++++++----
c4e390
 grub-core/loader/efi/chainloader.c |  4 +---
c4e390
 grub-core/loader/efi/linux.c       |  1 +
c4e390
 grub-core/loader/i386/efi/linux.c  | 13 ++++++++-----
c4e390
 4 files changed, 18 insertions(+), 12 deletions(-)
c4e390
c4e390
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
c4e390
index 1eb332a892c..d0a428d05fc 100644
c4e390
--- a/grub-core/loader/arm64/linux.c
c4e390
+++ b/grub-core/loader/arm64/linux.c
c4e390
@@ -439,11 +439,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
c4e390
 
c4e390
   grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
c4e390
 
c4e390
-  rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
c4e390
-  if (rc < 0)
c4e390
+  if (grub_efi_secure_boot ())
c4e390
     {
c4e390
-      grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
c4e390
-      goto fail;
c4e390
+      rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
c4e390
+      if (rc <= 0)
c4e390
+	{
c4e390
+	  grub_error (GRUB_ERR_INVALID_COMMAND,
c4e390
+		      N_("%s has invalid signature"), argv[0]);
c4e390
+	  goto fail;
c4e390
+	}
c4e390
     }
c4e390
 
c4e390
   pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
c4e390
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
c4e390
index dbcdf333b62..001766bdf68 100644
c4e390
--- a/grub-core/loader/efi/chainloader.c
c4e390
+++ b/grub-core/loader/efi/chainloader.c
c4e390
@@ -1082,9 +1082,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
c4e390
 
c4e390
       return 0;
c4e390
     }
c4e390
-
c4e390
-  grub_file_close (file);
c4e390
-  grub_device_close (dev);
c4e390
+  // -1 fall-through to fail
c4e390
 
c4e390
 fail:
c4e390
   if (dev)
c4e390
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
c4e390
index 7fe7201a388..d9b5380cfd3 100644
c4e390
--- a/grub-core/loader/efi/linux.c
c4e390
+++ b/grub-core/loader/efi/linux.c
c4e390
@@ -33,6 +33,7 @@ struct grub_efi_shim_lock
c4e390
 };
c4e390
 typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
c4e390
 
c4e390
+// Returns 1 on success, -1 on error, 0 when not available
c4e390
 int
c4e390
 grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
c4e390
 {
c4e390
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
c4e390
index 95dbb9e20af..c146bc58e3d 100644
c4e390
--- a/grub-core/loader/i386/efi/linux.c
c4e390
+++ b/grub-core/loader/i386/efi/linux.c
c4e390
@@ -201,12 +201,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
c4e390
       goto fail;
c4e390
     }
c4e390
 
c4e390
-  rc = grub_linuxefi_secure_validate (kernel, filelen);
c4e390
-  if (rc < 0)
c4e390
+  if (grub_efi_secure_boot ())
c4e390
     {
c4e390
-      grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"),
c4e390
-		  argv[0]);
c4e390
-      goto fail;
c4e390
+      rc = grub_linuxefi_secure_validate (kernel, filelen);
c4e390
+      if (rc <= 0)
c4e390
+	{
c4e390
+	  grub_error (GRUB_ERR_INVALID_COMMAND,
c4e390
+		      N_("%s has invalid signature"), argv[0]);
c4e390
+	  goto fail;
c4e390
+	}
c4e390
     }
c4e390
 
c4e390
   params = grub_efi_allocate_pages_max (0x3fffffff,
c4e390
-- 
c4e390
2.26.2
c4e390