Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked 
in at 2021-03-05 16:52:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.2378 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Fri Mar  5 16:52:16 2021 rev:236 rq:877254 version:2.04

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2021-03-05 
13:47:06.751722342 +0100
+++ /work/SRC/openSUSE:Factory/.grub2.new.2378/grub2.changes    2021-03-05 
16:52:18.968447593 +0100
@@ -2,70 +1,0 @@
-Fri Mar  5 09:41:07 UTC 2021 - Michael Chang <mch...@suse.com>
-
-- Fix chainloading windows on dual boot machine (bsc#1183073)
-  * 0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
-
--------------------------------------------------------------------
-Fri Feb 26 06:52:18 UTC 2021 - Michael Chang <mch...@suse.com>
-
-- VUL-0: grub2,shim: implement new SBAT method (bsc#1182057)
-  * 0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
-  * 0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
-  * 0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
-  * 0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
-  * 0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
-  * 0036-util-mkimage-Improve-data_size-value-calculation.patch
-  * 0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
-  * 0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
-  * 0039-grub-install-common-Add-sbat-option.patch
-- Fix CVE-2021-20225 (bsc#1182262)
-  * 0022-lib-arg-Block-repeated-short-options-that-require-an.patch
-- Fix CVE-2020-27749 (bsc#1179264)
-  * 0024-kern-parser-Fix-resource-leak-if-argc-0.patch
-  * 0025-kern-parser-Fix-a-memory-leak.patch
-  * 0026-kern-parser-Introduce-process_char-helper.patch
-  * 0027-kern-parser-Introduce-terminate_arg-helper.patch
-  * 0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
-  * 0029-kern-buffer-Add-variable-sized-heap-buffer.patch
-  * 0030-kern-parser-Fix-a-stack-buffer-overflow.patch
-- Fix CVE-2021-20233 (bsc#1182263)
-  * 0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
-- Fix CVE-2020-25647 (bsc#1177883)
-  * 0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
-- Fix CVE-2020-25632 (bsc#1176711)
-  * 0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
-- Fix CVE-2020-27779, CVE-2020-14372 (bsc#1179265) (bsc#1175970)
-  * 0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
-  * 0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
-  * 0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
-  * 0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
-  * 0005-efi-Add-secure-boot-detection.patch
-  * 0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
-  * 0007-verifiers-Move-verifiers-API-to-kernel-image.patch
-  * 0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
-  * 0009-kern-Add-lockdown-support.patch
-  * 0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
-  * 0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
-  * 0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
-  * 0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
-  * 0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
-  * 0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
-  * 0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
-  * 0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
-  * 0018-gdb-Restrict-GDB-access-when-locked-down.patch
-  * 0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
-  * 0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
-  * 0041-squash-Add-secureboot-support-on-efi-chainloader.patch
-  * 0042-squash-grub2-efi-chainload-harder.patch
-  * 0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
-  * 0044-squash-kern-Add-lockdown-support.patch
-  * 0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
-  * 0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
-- Drop patch supersceded by the new backport
-  * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
-  * 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
-  * 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch
-- Add SBAT metadata section to grub.efi
-- Drop shim_lock module as it is part of core of grub.efi
-  * grub2.spec
-
--------------------------------------------------------------------

Old:
----
  0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
  0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
  0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
  0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
  0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
  0005-efi-Add-secure-boot-detection.patch
  0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
  0007-verifiers-Move-verifiers-API-to-kernel-image.patch
  0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
  0009-kern-Add-lockdown-support.patch
  0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
  0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
  0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
  0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
  0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
  0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
  0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
  0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
  0018-gdb-Restrict-GDB-access-when-locked-down.patch
  0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
  0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
  0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
  0022-lib-arg-Block-repeated-short-options-that-require-an.patch
  0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
  0024-kern-parser-Fix-resource-leak-if-argc-0.patch
  0025-kern-parser-Fix-a-memory-leak.patch
  0026-kern-parser-Introduce-process_char-helper.patch
  0027-kern-parser-Introduce-terminate_arg-helper.patch
  0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
  0029-kern-buffer-Add-variable-sized-heap-buffer.patch
  0030-kern-parser-Fix-a-stack-buffer-overflow.patch
  0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
  0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
  0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
  0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
  0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
  0036-util-mkimage-Improve-data_size-value-calculation.patch
  0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
  0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
  0039-grub-install-common-Add-sbat-option.patch
  0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
  0041-squash-Add-secureboot-support-on-efi-chainloader.patch
  0042-squash-grub2-efi-chainload-harder.patch
  0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
  0044-squash-kern-Add-lockdown-support.patch
  0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
  0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch

New:
----
  0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
  0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
  0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.a566aa/_old  2021-03-05 16:52:21.180449663 +0100
+++ /var/tmp/diff_new_pack.a566aa/_new  2021-03-05 16:52:21.184449667 +0100
@@ -321,12 +321,16 @@
 # overflows in initrd size handling
 Patch713:       0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714:       0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715:       0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch716:       0002-cmdline-Provide-cmdline-functions-as-module.patch
 # bsc#1172745 L3: SLES 12 SP4 - Slow boot of system after updated kernel -
 # takes 45 minutes after grub to start loading kernel
 Patch717:       0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 Patch718:       0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
 Patch719:       0001-Unify-the-check-to-enable-btrfs-relative-path.patch
+Patch720:       0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch
 Patch721:       0001-efi-linux-provide-linux-command.patch
 # Improve the error handling when grub2-install fails with short mbr gap
 # (bsc#1176062)
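Review bot: `Patch720` is added with no comment, while `Patch715` a few lines above in the same hunk carries its bsc/CVE reference, so a reader of the spec cannot tell that the two belong together. The patch's own description (further down in this submission) says it stops `shim_lock` from requesting `GRUB_VERIFY_FLAGS_DEFER_AUTH` when Secure Boot is off so external modules still load; suggest `# Allow external modules to load with shim_lock resident and Secure Boot off (follow-up to Patch715, CVE-2020-15705)` above the `Patch720:` line.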
@@ -339,58 +343,11 @@
 Patch733:       0004-arm-arm64-loader-Better-memory-allocation-and-error-.patch
 Patch734:       0005-Make-linux_arm_kernel_header.hdr_offset-be-at-the-ri.patch
 Patch735:       0006-efi-Set-image-base-address-before-jumping-to-the-PE-.patch
+Patch736:       0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 Patch737:       0008-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
 Patch738:       0009-squash-Add-support-for-linuxefi.patch
 Patch739:       0001-Fix-build-error-in-binutils-2.36.patch
 Patch740:       0001-emu-fix-executable-stack-marking.patch
-# Boothole2
-Patch741:       0001-include-grub-i386-linux.h-Include-missing-grub-types.patch
-Patch742:       0002-efi-Make-shim_lock-GUID-and-protocol-type-public.patch
-Patch743:       0003-efi-Return-grub_efi_status_t-from-grub_efi_get_varia.patch
-Patch744:       0004-efi-Add-a-function-to-read-EFI-variables-with-attrib.patch
-Patch745:       0005-efi-Add-secure-boot-detection.patch
-Patch746:       0006-efi-Only-register-shim_lock-verifier-if-shim_lock-pr.patch
-Patch747:       0007-verifiers-Move-verifiers-API-to-kernel-image.patch
-Patch748:       0008-efi-Move-the-shim_lock-verifier-to-the-GRUB-core.patch
-Patch749:       0009-kern-Add-lockdown-support.patch
-Patch750:       0010-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-d.patch
-Patch751:       0011-efi-Lockdown-the-GRUB-when-the-UEFI-Secure-Boot-is-e.patch
-Patch752:       0012-efi-Use-grub_is_lockdown-instead-of-hardcoding-a-dis.patch
-Patch753:       0013-acpi-Don-t-register-the-acpi-command-when-locked-dow.patch
-Patch754:       0014-mmap-Don-t-register-cutmem-and-badram-commands-when-.patch
-Patch755:       0015-commands-Restrict-commands-that-can-load-BIOS-or-DT-.patch
-Patch756:       0016-commands-setpci-Restrict-setpci-command-when-locked-.patch
-Patch757:       0017-commands-hdparm-Restrict-hdparm-command-when-locked-.patch
-Patch758:       0018-gdb-Restrict-GDB-access-when-locked-down.patch
-Patch759:       0019-loader-xnu-Don-t-allow-loading-extension-and-package.patch
-Patch760:       0020-dl-Only-allow-unloading-modules-that-are-not-depende.patch
-Patch761:       0021-usb-Avoid-possible-out-of-bound-accesses-caused-by-m.patch
-Patch762:       0022-lib-arg-Block-repeated-short-options-that-require-an.patch
-Patch763:       0023-commands-menuentry-Fix-quoting-in-setparams_prefix.patch
-Patch764:       0024-kern-parser-Fix-resource-leak-if-argc-0.patch
-Patch765:       0025-kern-parser-Fix-a-memory-leak.patch
-Patch766:       0026-kern-parser-Introduce-process_char-helper.patch
-Patch767:       0027-kern-parser-Introduce-terminate_arg-helper.patch
-Patch768:       0028-kern-parser-Refactor-grub_parser_split_cmdline-clean.patch
-Patch769:       0029-kern-buffer-Add-variable-sized-heap-buffer.patch
-Patch770:       0030-kern-parser-Fix-a-stack-buffer-overflow.patch
-Patch771:       0031-util-mkimage-Remove-unused-code-to-add-BSS-section.patch
-Patch772:       0032-util-mkimage-Use-grub_host_to_target32-instead-of-gr.patch
-Patch773:       0033-util-mkimage-Always-use-grub_host_to_target32-to-ini.patch
-Patch774:       0034-util-mkimage-Unify-more-of-the-PE32-and-PE32-header-.patch
-Patch775:       0035-util-mkimage-Reorder-PE-optional-header-fields-set-u.patch
-Patch776:       0036-util-mkimage-Improve-data_size-value-calculation.patch
-Patch777:       0037-util-mkimage-Refactor-section-setup-to-use-a-helper.patch
-Patch778:       0038-util-mkimage-Add-an-option-to-import-SBAT-metadata-i.patch
-Patch779:       0039-grub-install-common-Add-sbat-option.patch
-Patch780:       0040-shim_lock-Only-skip-loading-shim_lock-verifier-with-.patch
-Patch781:       0041-squash-Add-secureboot-support-on-efi-chainloader.patch
-Patch782:       0042-squash-grub2-efi-chainload-harder.patch
-Patch783:       0043-squash-Don-t-allow-insmod-when-secure-boot-is-enable.patch
-Patch784:       0044-squash-kern-Add-lockdown-support.patch
-Patch785:       0045-squash-Add-support-for-Linux-EFI-stub-loading-on-aar.patch
-Patch786:       0046-squash-verifiers-Move-verifiers-API-to-kernel-image.patch
-Patch787:       0001-Add-chainloaded-image-as-shim-s-verifiable-object.patch
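Review bot: `Patch736` is added without the `# bsc#1174421 VUL-0: CVE-2020-15705` comment its x86 sibling `Patch715` gets in the first hunk, so the CVE reference for the arm64 backport is lost; suggest `# bsc#1174421 VUL-0: CVE-2020-15705: arm64 counterpart of Patch715` above it. The removal of the whole `# Boothole2` list (Patch741–Patch787) also drops the fixes the deleted changelog attributes to CVE-2021-20225, CVE-2020-27749, CVE-2021-20233, CVE-2020-25647, CVE-2020-25632, CVE-2020-27779 and CVE-2020-14372, and nothing in the spec records that this is a deliberate, presumably temporary, revert. A one-line marker where the block used to be, e.g. `# Boothole2 patch set temporarily dropped (chainload regression bsc#1183073); re-add together with SBAT`, would keep the next maintainer from treating the absence as final.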
 
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -707,10 +664,12 @@
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
 %patch716 -p1
 %patch717 -p1
 %patch718 -p1
 %patch719 -p1
+%patch720 -p1
 %patch721 -p1
 %patch722 -p1
 %patch723 -p1
@@ -720,57 +679,11 @@
 %patch733 -p1
 %patch734 -p1
 %patch735 -p1
+%patch736 -p1
 %patch737 -p1
 %patch738 -p1
 %patch739 -p1
 %patch740 -p1
-%patch741 -p1
-%patch742 -p1
-%patch743 -p1
-%patch744 -p1
-%patch745 -p1
-%patch746 -p1
-%patch747 -p1
-%patch748 -p1
-%patch749 -p1
-%patch750 -p1
-%patch751 -p1
-%patch752 -p1
-%patch753 -p1
-%patch754 -p1
-%patch755 -p1
-%patch756 -p1
-%patch757 -p1
-%patch758 -p1
-%patch759 -p1
-%patch760 -p1
-%patch761 -p1
-%patch762 -p1
-%patch763 -p1
-%patch764 -p1
-%patch765 -p1
-%patch766 -p1
-%patch767 -p1
-%patch768 -p1
-%patch769 -p1
-%patch770 -p1
-%patch771 -p1
-%patch772 -p1
-%patch773 -p1
-%patch774 -p1
-%patch775 -p1
-%patch776 -p1
-%patch777 -p1
-%patch778 -p1
-%patch779 -p1
-%patch780 -p1
-%patch781 -p1
-%patch782 -p1
-%patch783 -p1
-%patch784 -p1
-%patch785 -p1
-%patch786 -p1
-%patch787 -p1
 
 %build
 # collect evidence to debug spurious build failure on SLE15
@@ -876,30 +789,16 @@
 CRYPTO_MODULES="luks gcry_rijndael gcry_sha1 gcry_sha256"
 
 %ifarch x86_64
-CD_MODULES="${CD_MODULES} linuxefi" 
+CD_MODULES="${CD_MODULES} shim_lock linuxefi" 
 %else
 CD_MODULES="${CD_MODULES} linux" 
 %endif
 
-# SBAT metadata
-%if 0%{?is_opensuse} == 1
-distro_id="opensuse"
-distro_name="The openSUSE Project"
-%else
-distro_id="sle"
-distro_name="SUSE Linux Enterprise"
-%endif
-upstream_sbat=1
-distro_sbat=1
-echo "sbat,1,SBAT 
Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"; > sbat.csv
-echo "grub,${upstream_sbat},Free Software 
Foundation,grub,%{version},https://www.gnu.org/software/grub/"; >> sbat.csv
-echo 
"grub.${distro_id},${distro_sbat},${distro_name},%{name},%{version},mail:security-t...@suse.de"
 >> sbat.csv
-
 GRUB_MODULES="${CD_MODULES} ${FS_MODULES} ${PXE_MODULES} ${CRYPTO_MODULES} 
mdraid09 mdraid1x lvm serial"
-./grub-mkimage -O %{grubefiarch} -o grub.efi --prefix= --sbat sbat.csv \
+./grub-mkimage -O %{grubefiarch} -o grub.efi --prefix= \
                -d grub-core ${GRUB_MODULES}
 %ifarch x86_64
-./grub-mkimage -O %{grubefiarch} -o grub-tpm.efi --prefix= --sbat sbat.csv \
+./grub-mkimage -O %{grubefiarch} -o grub-tpm.efi --prefix= \
                -d grub-core ${GRUB_MODULES} tpm
 %endif
 

++++++ 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++
>From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Mon, 17 Aug 2020 17:09:01 +0800
Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.

If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature
validation. The booted kernel will think it was booted in secureboot
mode and will implement lockdown, yet it could have been tampered.

This version of the patch skips calling verification, when booted
without secureboot.

CVE-2020-15705

Reported-by: Mathieu Trudel-Lapierre <cypher...@ubuntu.com>
Also-by: Dimitri John Ledkov <x...@ubuntu.com>
Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/grub-core/loader/i386/efi/linux.c 
b/grub-core/loader/i386/efi/linux.c
index 61b2d5177..8017e8c05 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ 
((unused)),
       goto fail;
     }
 
+  if (grub_efi_secure_boot())
+    {
+      grub_dl_t mod;
+
+      mod = grub_dl_get ("shim_lock");
+      if (!mod)
+       {
+         grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not 
loaded"));
+         goto fail;
+       }
+      if (!grub_dl_is_persistent (mod))
+       {
+         grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not 
available"));
+         goto fail;
+       }
+    }
+
   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
   if (! file)
     goto fail;
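Review bot: The second guard reports `shim_lock protocol is not available`, but what it actually tests is `grub_dl_is_persistent (mod)`, i.e. that the module cannot be unloaded; whether persistence is set only once the protocol has been located is decided in shim_lock.c, outside this hunk, so the message promises more than the visible check proves. A comment tying the two together would help, e.g. `/* shim_lock makes itself persistent only after locating the shim_lock protocol; an unloadable module therefore means its verifier is active.  */` — confirm this against shim_lock's init before relying on it. Note also that this block does not verify anything itself: the signature check presumably happens when `grub_file_open` below hands the kernel to the registered verifier, which is worth stating in the same comment. grub_cmd_linux starts before the hunk and continues after it.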
-- 
2.26.2

++++++ 0001-shim_lock-Disable-GRUB_VERIFY_FLAGS_DEFER_AUTH-if-se.patch ++++++
>From a60cfeacdeefb21215d35c4cad025e57de900352 Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Thu, 27 Aug 2020 13:18:25 +0800
Subject: [PATCH] shim_lock: Disable GRUB_VERIFY_FLAGS_DEFER_AUTH if secure
 boot off

The GRUB_VERIFY_FLAGS_DEFER_AUTH is enabled regardless secure boot
status that will cause error [1] on loading external grub modules if
secure boot turned off in which shim protocol itself did not verify
images so should not request verification for external modules either.

This patch fixed the problem by adding the secure boot status check
before requesting other verifiers to verify external module, therefore
external module loading can work after shim_lock module loaded and
secure boot turned off.

[1] error: verification requested but nobody cares:
(hd0,gpt10)/boot/grub2/x86_64-efi/linux.mod.

Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/commands/efi/shim_lock.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/grub-core/commands/efi/shim_lock.c 
b/grub-core/commands/efi/shim_lock.c
index 764098cfc..18d121297 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,7 +82,8 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
 
     case GRUB_FILE_TYPE_ACPI_TABLE:
     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
+      if (grub_efi_secure_boot())
+       *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
 
       return GRUB_ERR_NONE;
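Review bot: With Secure Boot off the `GRUB_FILE_TYPE_ACPI_TABLE`/`GRUB_FILE_TYPE_DEVICE_TREE_IMAGE` case now returns without writing `*flags` at all, so the outcome depends on the caller having initialized it, which this hunk cannot show. Make the intent explicit, either with an `else` branch assigning the no-flags value or at least with a comment such as `/* Secure Boot off: shim verified nothing, so do not defer to another verifier; *flags keeps the caller's default.  */`. If `grub_efi_secure_boot ()` reads EFI variables on each call, note that it is now evaluated on every open of these file types; the state does not change during a boot, so it could be sampled once at module init. shim_lock_init starts before the hunk and continues after it.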
 
-- 
2.26.2

++++++ 0007-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++
>From 496890ebd2605eb1ff15f8d96c30b5d617f1bb85 Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Fri, 6 Nov 2020 11:19:06 +0000
Subject: [PATCH 7/9] linuxefi: fail kernel validation without shim protocol.

If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature
validation. The booted kernel will think it was booted in secureboot
mode and will implement lockdown, yet it could have been tampered.

This version of the patch skips calling verification, when booted
without secureboot. And is indented with gnu ident.

CVE-2020-15705

Reported-by: Mathieu Trudel-Lapierre <cypher...@ubuntu.com>
Signed-off-by: Michael Chang <mch...@suse.com>
---
 grub-core/loader/arm64/efi/linux.c | 38 +++++++++++++++++++++++-------
 1 file changed, 29 insertions(+), 9 deletions(-)

diff --git a/grub-core/loader/arm64/efi/linux.c 
b/grub-core/loader/arm64/efi/linux.c
index a4041be5c..0e5782caa 100644
--- a/grub-core/loader/arm64/efi/linux.c
+++ b/grub-core/loader/arm64/efi/linux.c
@@ -58,21 +58,35 @@ struct grub_efi_shim_lock
 };
 typedef struct grub_efi_shim_lock grub_efi_shim_lock_t;
 
-static grub_efi_boolean_t
+// Returns 1 on success, -1 on error, 0 when not available
+static int
 grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
 {
   grub_efi_guid_t guid = SHIM_LOCK_GUID;
   grub_efi_shim_lock_t *shim_lock;
+  grub_efi_status_t status;
 
   shim_lock = grub_efi_locate_protocol(&guid, NULL);
-
+  grub_dprintf ("secureboot", "shim_lock: %p\n", shim_lock);
   if (!shim_lock)
-    return 1;
+    {
+      grub_dprintf ("secureboot", "shim not available\n");
+      return 0;
+    }
 
-  if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
-    return 1;
+  grub_dprintf ("secureboot", "Asking shim to verify kernel signature\n");
+  status = shim_lock->verify (data, size);
+  grub_dprintf ("secureboot", "shim_lock->verify(): %ld\n", (long int)status);
+  if (status == GRUB_EFI_SUCCESS)
+    {
+      grub_dprintf ("secureboot", "Kernel signature verification passed\n");
+      return 1;
+    }
 
-  return 0;
+  grub_dprintf ("secureboot", "Kernel signature verification failed (0x%lx)\n",
+               (unsigned long) status);
+
+  return -1;
 }
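Review bot: The two debug prints of the same `status` use different conversions and formats — `%ld` with `(long int)` on the success path and `0x%lx` with `(unsigned long)` on the failure path — so one EFI status appears as signed decimal in one line and unsigned hex in the next; pick one, e.g. `grub_dprintf ("secureboot", "shim_lock->verify(): 0x%lx\n", (unsigned long) status);`. The new header comment is a `//` line, whereas the new code in this hunk otherwise follows GNU style (space before call parentheses); `/* Returns 1 on success, -1 when shim rejects the image, 0 when the shim_lock protocol is not present.  */` would match. The three-way return is the right shape for the caller to distinguish "no shim" from "bad signature" — see the note on the later hunk.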
 
 #pragma GCC diagnostic push
@@ -399,6 +413,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
   struct linux_arch_kernel_header lh;
   struct grub_armxx_linux_pe_header *pe;
   grub_err_t err;
+  int rc;
 
   grub_dl_ref (my_mod);
 
@@ -443,10 +458,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ 
((unused)),
 
   grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
 
-  if (!grub_linuxefi_secure_validate (kernel_addr, kernel_size))
+  if (grub_efi_secure_boot ())
     {
-      grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), 
argv[0]);
-      goto fail;
+      rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
+      if (rc <= 0)
+       {
+         grub_error (GRUB_ERR_INVALID_COMMAND,
+                     N_("%s has invalid signature"), argv[0]);
+         goto fail;
+       }
     }
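Review bot: Both failing outcomes of `grub_linuxefi_secure_validate` — 0 (shim_lock protocol not found) and -1 (shim rejected the signature) — collapse into the single message `%s has invalid signature`, which misleads the operator in exactly the scenario the commit message describes: grub booted directly from db without shim. Since the helper now distinguishes the two, report them separately: `if (rc == 0) grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));` before the existing invalid-signature error for `rc < 0`, matching the wording used by the x86 patch in this same submission. grub_cmd_linux starts before the hunk and continues after it.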
 
   pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
-- 
2.26.2
