1From 468a5699b249fe6816b4e7e86c5dc9d325c9b09e Mon Sep 17 00:00:00 2001 2From: Javier Martinez Canillas <javierm@redhat.com> 3Date: Wed, 24 Feb 2021 09:00:05 +0100 4Subject: [PATCH] commands: Restrict commands that can load BIOS or DT blobs 5 when locked down 6 7There are some more commands that should be restricted when the GRUB is 8locked down. Following is the list of commands and reasons to restrict: 9 10 * fakebios: creates BIOS-like structures for backward compatibility with 11 existing OSes. This should not be allowed when locked down. 12 13 * loadbios: reads a BIOS dump from storage and loads it. This action 14 should not be allowed when locked down. 15 16 * devicetree: loads a Device Tree blob and passes it to the OS. It replaces 17 any Device Tree provided by the firmware. This also should 18 not be allowed when locked down. 19 20Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> 21Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 22Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 23--- 24 docs/grub.texi | 3 +++ 25 grub-core/commands/efi/loadbios.c | 16 ++++++++-------- 26 grub-core/loader/arm/linux.c | 6 +++--- 27 grub-core/loader/efi/fdt.c | 4 ++-- 28 4 files changed, 16 insertions(+), 13 deletions(-) 29 30diff --git a/docs/grub.texi b/docs/grub.texi 31index f2fe149..79f58c5 100644 32--- a/docs/grub.texi 33+++ b/docs/grub.texi 34@@ -4235,6 +4235,9 @@ hour, minute, and second unchanged. 35 Load a device tree blob (.dtb) from a filesystem, for later use by a Linux 36 kernel. Does not perform merging with any device tree supplied by firmware, 37 but rather replaces it completely. 38+ 39+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). 40+ This is done to prevent subverting various security mechanisms. 41 @ref{GNU/Linux}. 
42 @end deffn 43 44diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c 45index d41d521..5c7725f 100644 46--- a/grub-core/commands/efi/loadbios.c 47+++ b/grub-core/commands/efi/loadbios.c 48@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios; 49 50 GRUB_MOD_INIT(loadbios) 51 { 52- cmd_fakebios = grub_register_command ("fakebios", grub_cmd_fakebios, 53- 0, N_("Create BIOS-like structures for" 54- " backward compatibility with" 55- " existing OS.")); 56- 57- cmd_loadbios = grub_register_command ("loadbios", grub_cmd_loadbios, 58- N_("BIOS_DUMP [INT10_DUMP]"), 59- N_("Load BIOS dump.")); 60+ cmd_fakebios = grub_register_command_lockdown ("fakebios", grub_cmd_fakebios, 61+ 0, N_("Create BIOS-like structures for" 62+ " backward compatibility with" 63+ " existing OS.")); 64+ 65+ cmd_loadbios = grub_register_command_lockdown ("loadbios", grub_cmd_loadbios, 66+ N_("BIOS_DUMP [INT10_DUMP]"), 67+ N_("Load BIOS dump.")); 68 } 69 70 GRUB_MOD_FINI(loadbios) 71diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c 72index d70c174..ed23dc7 100644 73--- a/grub-core/loader/arm/linux.c 74+++ b/grub-core/loader/arm/linux.c 75@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux) 76 0, N_("Load Linux.")); 77 cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd, 78 0, N_("Load initrd.")); 79- cmd_devicetree = grub_register_command ("devicetree", grub_cmd_devicetree, 80- /* TRANSLATORS: DTB stands for device tree blob. */ 81- 0, N_("Load DTB file.")); 82+ cmd_devicetree = grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 83+ /* TRANSLATORS: DTB stands for device tree blob. 
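Review bot: The lockdown note added to docs/grub.texi covers only `devicetree`; the `fakebios` and `loadbios` registrations switched here to `grub_register_command_lockdown` get no matching documentation, so if grub.texi has entries for those two commands they should carry the same sentence, `Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).` Only the registration call changes while `grub_cmd_fakebios` and `grub_cmd_loadbios` are untouched, so the restriction presumably holds only if the lockdown state is already settled by the time GRUB_MOD_INIT(loadbios) runs and nothing else reaches the handlers directly; worth confirming against where lockdown is decided during startup. The re-indented continuation lines under the longer function name look correct.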
*/ 84+ 0, N_("Load DTB file.")); 85 my_mod = mod; 86 current_fdt = (const void *) grub_arm_firmware_get_boot_data (); 87 machine_type = grub_arm_firmware_get_machine_type (); 88diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c 89index ee9c559..003d07c 100644 90--- a/grub-core/loader/efi/fdt.c 91+++ b/grub-core/loader/efi/fdt.c 92@@ -165,8 +165,8 @@ static grub_command_t cmd_devicetree; 93 GRUB_MOD_INIT (fdt) 94 { 95 cmd_devicetree = 96- grub_register_command ("devicetree", grub_cmd_devicetree, 0, 97- N_("Load DTB file.")); 98+ grub_register_command_lockdown ("devicetree", grub_cmd_devicetree, 0, 99+ N_("Load DTB file.")); 100 } 101 102 GRUB_MOD_FINI (fdt) 103-- 1042.14.2 105 106
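Review bot: The `/* TRANSLATORS: DTB stands for device tree blob. */` hint is kept ahead of `N_("Load DTB file.")` in this arm/linux.c hunk, but the identical string in the grub-core/loader/efi/fdt.c hunk below still has no translator comment; for consistency the same comment line would go before `N_("Load DTB file.")` in GRUB_MOD_INIT (fdt) as well, unless the extraction tooling is confirmed to carry the hint over to the merged entry, in which case the difference is cosmetic. The body of GRUB_MOD_INIT (linux) begins before this hunk and continues after it. In both files only the registration is changed, so `grub_cmd_devicetree` itself remains callable by anything holding the function pointer; that appears intended but is worth stating in the commit message.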