1*4882a593SmuzhiyunFrom 468a5699b249fe6816b4e7e86c5dc9d325c9b09e Mon Sep 17 00:00:00 2001
2*4882a593SmuzhiyunFrom: Javier Martinez Canillas <javierm@redhat.com>
3*4882a593SmuzhiyunDate: Wed, 24 Feb 2021 09:00:05 +0100
4*4882a593SmuzhiyunSubject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs
5*4882a593Smuzhiyun when locked down
6*4882a593Smuzhiyun
7*4882a593SmuzhiyunThere are some more commands that should be restricted when the GRUB is
8*4882a593Smuzhiyunlocked down. Following is the list of commands and reasons to restrict:
9*4882a593Smuzhiyun
10*4882a593Smuzhiyun * fakebios: creates BIOS-like structures for backward compatibility with
11*4882a593Smuzhiyun existing OSes. This should not be allowed when locked down.
12*4882a593Smuzhiyun
13*4882a593Smuzhiyun * loadbios: reads a BIOS dump from storage and loads it. This action
14*4882a593Smuzhiyun should not be allowed when locked down.
15*4882a593Smuzhiyun
16*4882a593Smuzhiyun * devicetree: loads a Device Tree blob and passes it to the OS. It replaces
17*4882a593Smuzhiyun any Device Tree provided by the firmware. This also should
18*4882a593Smuzhiyun not be allowed when locked down.
19*4882a593Smuzhiyun
20*4882a593SmuzhiyunSigned-off-by: Javier Martinez Canillas <javierm@redhat.com>
21*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
22*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
23*4882a593Smuzhiyun---
24*4882a593Smuzhiyun docs/grub.texi | 3 +++
25*4882a593Smuzhiyun grub-core/commands/efi/loadbios.c | 16 ++++++++--------
26*4882a593Smuzhiyun grub-core/loader/arm/linux.c | 6 +++---
27*4882a593Smuzhiyun grub-core/loader/efi/fdt.c | 4 ++--
28*4882a593Smuzhiyun 4 files changed, 16 insertions(+), 13 deletions(-)
29*4882a593Smuzhiyun
30*4882a593Smuzhiyundiff --git a/docs/grub.texi b/docs/grub.texi
31*4882a593Smuzhiyunindex f2fe149..79f58c5 100644
32*4882a593Smuzhiyun--- a/docs/grub.texi
33*4882a593Smuzhiyun+++ b/docs/grub.texi
34*4882a593Smuzhiyun@@ -4235,6 +4235,9 @@ hour, minute, and second unchanged.
35*4882a593Smuzhiyun Load a device tree blob (.dtb) from a filesystem, for later use by a Linux
36*4882a593Smuzhiyun kernel. Does not perform merging with any device tree supplied by firmware,
37*4882a593Smuzhiyun but rather replaces it completely.
38*4882a593Smuzhiyun+
39*4882a593Smuzhiyun+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
40*4882a593Smuzhiyun+ This is done to prevent subverting various security mechanisms.
41*4882a593Smuzhiyun @ref{GNU/Linux}.
42*4882a593Smuzhiyun @end deffn
43*4882a593Smuzhiyun
44*4882a593Smuzhiyundiff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
45*4882a593Smuzhiyunindex d41d521..5c7725f 100644
46*4882a593Smuzhiyun--- a/grub-core/commands/efi/loadbios.c
47*4882a593Smuzhiyun+++ b/grub-core/commands/efi/loadbios.c
48*4882a593Smuzhiyun@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
49*4882a593Smuzhiyun
50*4882a593Smuzhiyun GRUB_MOD_INIT(loadbios)
51*4882a593Smuzhiyun {
52*4882a593Smuzhiyun- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios,
53*4882a593Smuzhiyun- 0, N_("Create BIOS-like structures for"
54*4882a593Smuzhiyun- " backward compatibility with"
55*4882a593Smuzhiyun- " existing OS."));
56*4882a593Smuzhiyun-
57*4882a593Smuzhiyun- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios,
58*4882a593Smuzhiyun- N_("BIOS_DUMP [INT10_DUMP]"),
59*4882a593Smuzhiyun- N_("Load BIOS dump."));
60*4882a593Smuzhiyun+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios,
61*4882a593Smuzhiyun+ 0, N_("Create BIOS-like structures for"
62*4882a593Smuzhiyun+ " backward compatibility with"
63*4882a593Smuzhiyun+ " existing OS."));
64*4882a593Smuzhiyun+
65*4882a593Smuzhiyun+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios,
66*4882a593Smuzhiyun+ N_("BIOS_DUMP [INT10_DUMP]"),
67*4882a593Smuzhiyun+ N_("Load BIOS dump."));
68*4882a593Smuzhiyun }
69*4882a593Smuzhiyun
70*4882a593Smuzhiyun GRUB_MOD_FINI(loadbios)
71*4882a593Smuzhiyundiff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
72*4882a593Smuzhiyunindex d70c174..ed23dc7 100644
73*4882a593Smuzhiyun--- a/grub-core/loader/arm/linux.c
74*4882a593Smuzhiyun+++ b/grub-core/loader/arm/linux.c
75*4882a593Smuzhiyun@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
76*4882a593Smuzhiyun 0, N_("Load Linux."));
77*4882a593Smuzhiyun cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
78*4882a593Smuzhiyun 0, 
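Review bot: Nothing in `GRUB_MOD_INIT(loadbios)` in grub-core/commands/efi/loadbios.c records that the restriction on `fakebios` and `loadbios` is decided once, when the command is registered, rather than on each invocation. As far as I recall, `grub_register_command_lockdown` samples the lockdown state at the call and substitutes a refusing handler, so a module initialised before lockdown is enabled would keep the unrestricted handlers; the helper is not visible in this patch, so this needs confirming against its definition. A comment above the two calls would make the ordering requirement explicit, e.g. `/* Lockdown is evaluated at registration time; this module must be initialised after the lockdown state is final. */`. The same applies to the `devicetree` registrations in grub-core/loader/arm/linux.c and grub-core/loader/efi/fdt.c. Separately, the docs/grub.texi hunk adds the lockdown note only under `devicetree`; if `fakebios` and `loadbios` have manual entries they want the same sentence.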
N_("Load initrd."));
79*4882a593Smuzhiyun- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree,
80*4882a593Smuzhiyun- /* TRANSLATORS: DTB stands for device tree blob. */
81*4882a593Smuzhiyun- 0, N_("Load DTB file."));
82*4882a593Smuzhiyun+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree,
83*4882a593Smuzhiyun+ /* TRANSLATORS: DTB stands for device tree blob. */
84*4882a593Smuzhiyun+ 0, N_("Load DTB file."));
85*4882a593Smuzhiyun my_mod = mod;
86*4882a593Smuzhiyun current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
87*4882a593Smuzhiyun machine_type = grub_arm_firmware_get_machine_type ();
88*4882a593Smuzhiyundiff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
89*4882a593Smuzhiyunindex ee9c559..003d07c 100644
90*4882a593Smuzhiyun--- a/grub-core/loader/efi/fdt.c
91*4882a593Smuzhiyun+++ b/grub-core/loader/efi/fdt.c
92*4882a593Smuzhiyun@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree;
93*4882a593Smuzhiyun GRUB_MOD_INIT (fdt)
94*4882a593Smuzhiyun {
95*4882a593Smuzhiyun cmd_devicetree =
96*4882a593Smuzhiyun- grub_register_command ("devicetree", grub_cmd_devicetree, 0,
97*4882a593Smuzhiyun- N_("Load DTB file."));
98*4882a593Smuzhiyun+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0,
99*4882a593Smuzhiyun+ N_("Load DTB file."));
100*4882a593Smuzhiyun }
101*4882a593Smuzhiyun
102*4882a593Smuzhiyun GRUB_MOD_FINI (fdt)
103*4882a593Smuzhiyun--
104*4882a593Smuzhiyun2.14.2
105*4882a593Smuzhiyun
106
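Review bot: In `GRUB_MOD_INIT (linux)` of grub-core/loader/arm/linux.c only `devicetree` moves to `grub_register_command_lockdown`, while the `initrd` registration in the context lines (and apparently the `linux` one just above the hunk) stays on plain `grub_register_command`, and nothing in the code explains the difference. Presumably kernel images are checked by another mechanism under lockdown and a device tree blob is not, which would be why it is refused outright, but that is an inference the hunk does not support on its own. I would add a why-comment next to the existing TRANSLATORS one, e.g. `/* Refused under lockdown: a DTB replaces the device tree provided by the firmware. */`. The init function starts and ends outside the hunk, so the other registrations are worth checking against the same policy.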