1*4882a593SmuzhiyunFrom d298b41f90cbf1f2e5a10e29daa1fc92ddee52c9 Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Javier Martinez Canillas <javierm@redhat.com>
3*4882a593SmuzhiyunDate: Wed, 14 Oct 2020 16:33:42 +0200
4*4882a593SmuzhiyunSubject: [PATCH] mmap: Don't register cutmem and badram commands when lockdown
5*4882a593Smuzhiyun is enforced
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunThe cutmem and badram commands can be used to remove EFI memory regions
8*4882a593Smuzhiyunand potentially disable the UEFI Secure Boot. Prevent the commands to be
9*4882a593Smuzhiyunregistered if the GRUB is locked down.
10*4882a593Smuzhiyun
11*4882a593SmuzhiyunFixes: CVE-2020-27779
12*4882a593Smuzhiyun
13*4882a593SmuzhiyunReported-by: Teddy Reed <teddy.reed@gmail.com>
14*4882a593SmuzhiyunSigned-off-by: Javier Martinez Canillas <javierm@redhat.com>
15*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
17*4882a593Smuzhiyun---
18*4882a593Smuzhiyun docs/grub.texi | 4 ++++
19*4882a593Smuzhiyun grub-core/mmap/mmap.c | 13 +++++++------
20*4882a593Smuzhiyun 2 files changed, 11 insertions(+), 6 deletions(-)
21*4882a593Smuzhiyun
22*4882a593Smuzhiyundiff --git a/docs/grub.texi b/docs/grub.texi
23*4882a593Smuzhiyunindex 98592d3..f2fe149 100644
24*4882a593Smuzhiyun--- a/docs/grub.texi
25*4882a593Smuzhiyun+++ b/docs/grub.texi
26*4882a593Smuzhiyun@@ -4051,6 +4051,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
27*4882a593Smuzhiyun that are often result of memory damage, due to physical distribution of memory
28*4882a593Smuzhiyun cells.
29*4882a593Smuzhiyun
30*4882a593Smuzhiyun+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
31*4882a593Smuzhiyun+ This prevents removing EFI memory regions to potentially subvert the
32*4882a593Smuzhiyun+ security mechanisms provided by the UEFI secure boot.
33*4882a593Smuzhiyun+
34*4882a593Smuzhiyun @node blocklist
35*4882a593Smuzhiyun @subsection blocklist
36*4882a593Smuzhiyun
37*4882a593Smuzhiyundiff --git a/grub-core/mmap/mmap.c b/grub-core/mmap/mmap.c
38*4882a593Smuzhiyunindex 57b4e9a..7ebf32e 100644
39*4882a593Smuzhiyun--- a/grub-core/mmap/mmap.c
40*4882a593Smuzhiyun+++ b/grub-core/mmap/mmap.c
41*4882a593Smuzhiyun@@ -20,6 +20,7 @@
42*4882a593Smuzhiyun #include <grub/memory.h>
43*4882a593Smuzhiyun #include <grub/machine/memory.h>
44*4882a593Smuzhiyun #include <grub/err.h>
45*4882a593Smuzhiyun+#include <grub/lockdown.h>
46*4882a593Smuzhiyun #include <grub/misc.h>
47*4882a593Smuzhiyun #include <grub/mm.h>
48*4882a593Smuzhiyun #include <grub/command.h>
49*4882a593Smuzhiyun@@ -534,12 +535,12 @@ static grub_command_t cmd, cmd_cut;
50*4882a593Smuzhiyun
51*4882a593Smuzhiyun GRUB_MOD_INIT(mmap)
52*4882a593Smuzhiyun {
53*4882a593Smuzhiyun- cmd = grub_register_command ("badram", grub_cmd_badram,
54*4882a593Smuzhiyun- N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
55*4882a593Smuzhiyun- N_("Declare memory regions as faulty (badram)."));
56*4882a593Smuzhiyun- cmd_cut = grub_register_command ("cutmem", grub_cmd_cutmem,
57*4882a593Smuzhiyun- N_("FROM[K|M|G] TO[K|M|G]"),
58*4882a593Smuzhiyun- N_("Remove any memory regions in specified range."));
59*4882a593Smuzhiyun+ cmd = grub_register_command_lockdown ("badram", grub_cmd_badram,
60*4882a593Smuzhiyun+ N_("ADDR1,MASK1[,ADDR2,MASK2[,...]]"),
61*4882a593Smuzhiyun+ N_("Declare memory regions as faulty (badram)."));
62*4882a593Smuzhiyun+ cmd_cut = grub_register_command_lockdown ("cutmem", grub_cmd_cutmem,
63*4882a593Smuzhiyun+ N_("FROM[K|M|G] TO[K|M|G]"),
64*4882a593Smuzhiyun+ N_("Remove any memory regions in specified range."));
65*4882a593Smuzhiyun
66*4882a593Smuzhiyun }
67*4882a593Smuzhiyun
68*4882a593Smuzhiyun--
69*4882a593Smuzhiyun2.14.2
70*4882a593Smuzhiyun
71
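Review bot: The GRUB_MOD_INIT(mmap) hunk gives no hint of what lockdown actually does to badram and cutmem, and the two descriptions in this patch disagree: the commit message says the commands are not registered, while the new grub.texi note says the command is "not allowed", and the hunk itself only swaps grub_register_command for grub_register_command_lockdown, so whether that helper returns NULL under lockdown or registers a handler that refuses to run is not visible here. Please make the commit message, the doc note and the call site agree with the helper's real behaviour, e.g. a why-comment above the first assignment such as `/* badram/cutmem can drop EFI memory regions and so undermine Secure Boot (CVE-2020-27779); register them through the lockdown-aware helper. */`. If the helper can return NULL when locked down, GRUB_MOD_FINI (outside this hunk) must tolerate NULL in cmd and cmd_cut when it unregisters them; if it instead installs an access-denied stub, the grub.texi wording is the accurate one and the commit message should say so. The added `#include <grub/lockdown.h>` in the first hunk is presumably for that helper's dependencies; worth confirming it is needed here rather than already provided through grub/command.h, which this file includes.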