1From 133d73079c5771bbf3d8311281b6772846357ec1 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Tue, 1 Dec 2020 23:03:39 +0000
4Subject: [PATCH] kern/efi: Add initial stack protector implementation
5
6It works only on UEFI platforms but can be quite easily extended to
7others architectures and platforms if needed.
8
9Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
10Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
11Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
12Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
13Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
14---
15 acinclude.m4                   | 38 ++++++++++++++++-
16 configure                      | 97 +++++++++++++++++++++++++++++++++++++++---
17 configure.ac                   | 44 ++++++++++++++++---
18 grub-core/Makefile.am          |  1 +
19 grub-core/Makefile.in          |  1 +
20 grub-core/kern/efi/init.c      | 54 +++++++++++++++++++++++
21 include/grub/efi/api.h         | 19 +++++++++
22 include/grub/stack_protector.h | 30 +++++++++++++
23 po/POTFILES.in                 |  1 +
24 9 files changed, 272 insertions(+), 13 deletions(-)
25 create mode 100644 include/grub/stack_protector.h
26
27diff --git a/acinclude.m4 b/acinclude.m4
28index 78cdf6e..6e14bb5 100644
29--- a/acinclude.m4
30+++ b/acinclude.m4
31@@ -305,9 +305,9 @@ fi
32 ])
33
34
35-dnl Check if the C compiler supports `-fstack-protector'.
36+dnl Check if the C compiler supports the stack protector
37 AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
38-[# Smashing stack protector.
39+[# Stack smashing protector.
40 ssp_possible=yes]
41 AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
42 # Is this a reliable test case?
43@@ -324,6 +324,40 @@ else
44   ssp_possible=no]
45   AC_MSG_RESULT([no])
46 [fi]
47+[# Strong stack smashing protector.
48+ssp_strong_possible=yes]
49+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
50+# Is this a reliable test case?
51+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
52+void foo (void) { volatile char a[8]; a[3]; }
53+]])])
54+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
55+# `ac_compile' like this correct, after all?
56+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
57+  AC_MSG_RESULT([yes])
58+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
59+  rm -f conftest.s
60+else
61+  ssp_strong_possible=no]
62+  AC_MSG_RESULT([no])
63+[fi]
64+[# Global stack smashing protector.
65+ssp_global_possible=yes]
66+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
67+# Is this a reliable test case?
68+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
69+void foo (void) { volatile char a[8]; a[3]; }
70+]])])
71+[# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
72+# `ac_compile' like this correct, after all?
73+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
74+  AC_MSG_RESULT([yes])
75+  [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
76+  rm -f conftest.s
77+else
78+  ssp_global_possible=no]
79+  AC_MSG_RESULT([no])
80+[fi]
81 ])
82
83 dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
84diff --git a/configure b/configure
85index 9290ae8..973f702 100755
86--- a/configure
87+++ b/configure
88@@ -1778,6 +1778,7 @@ with_libintl_prefix
89 with_libpth_prefix
90 with_included_regex
91 enable_efiemu
92+enable_stack_protector
93 enable_mm_debug
94 enable_cache_stats
95 enable_boot_time
96@@ -2459,6 +2460,8 @@ Optional Features:
97   --disable-rpath         do not hardcode runtime library paths
98   --enable-efiemu         build and install the efiemu runtimes
99                           (default=guessed)
100+  --enable-stack-protector
101+                          enable the stack protector
102   --enable-mm-debug       include memory manager debugging
103   --enable-cache-stats    enable disk cache statistics collection
104   --enable-boot-time      enable boot time statistics collection
105@@ -32348,9 +32351,9 @@ fi
106
107 CFLAGS="$TARGET_CFLAGS"
108
109-# Smashing stack protector.
110+# Stack smashing protector.
111
112-# Smashing stack protector.
113+# Stack smashing protector.
114 ssp_possible=yes
115 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-fstack-protector'" >&5
116 $as_echo_n "checking whether \`$CC' accepts \`-fstack-protector'... " >&6; }
117@@ -32373,11 +32376,88 @@ else
118   { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
119 $as_echo "no" >&6; }
120 fi
121+# Strong stack smashing protector.
122+ssp_strong_possible=yes
123+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-fstack-protector-strong'" >&5
124+$as_echo_n "checking whether \`$CC' accepts \`-fstack-protector-strong'... " >&6; }
125+# Is this a reliable test case?
126+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
127+/* end confdefs.h.  */
128
129-# Need that, because some distributions ship compilers that include
130-# `-fstack-protector' in the default specs.
131-if test "x$ssp_possible" = xyes; then
132-  TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
133+void foo (void) { volatile char a[8]; a[3]; }
134+
135+_ACEOF
136+# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
137+# `ac_compile' like this correct, after all?
138+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then
139+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
140+$as_echo "yes" >&6; }
141+  # Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
142+  rm -f conftest.s
143+else
144+  ssp_strong_possible=no
145+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
146+$as_echo "no" >&6; }
147+fi
148+# Global stack smashing protector.
149+ssp_global_possible=yes
150+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether \`$CC' accepts \`-mstack-protector-guard=global'" >&5
151+$as_echo_n "checking whether \`$CC' accepts \`-mstack-protector-guard=global'... " >&6; }
152+# Is this a reliable test case?
153+cat confdefs.h - <<_ACEOF >conftest.$ac_ext
154+/* end confdefs.h.  */
155+
156+void foo (void) { volatile char a[8]; a[3]; }
157+
158+_ACEOF
159+# `$CC -c -o ...' might not be portable.  But, oh, well...  Is calling
160+# `ac_compile' like this correct, after all?
161+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then
162+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
163+$as_echo "yes" >&6; }
164+  # Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
165+  rm -f conftest.s
166+else
167+  ssp_global_possible=no
168+  { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
169+$as_echo "no" >&6; }
170+fi
171+
172+# Check whether --enable-stack-protector was given.
173+if test "${enable_stack_protector+set}" = set; then :
174+  enableval=$enable_stack_protector;
175+else
176+  enable_stack_protector=no
177+fi
178+
179+if test "x$enable_stack_protector" = xno; then
180+  if test "x$ssp_possible" = xyes; then
181+    # Need that, because some distributions ship compilers that include
182+    # `-fstack-protector' in the default specs.
183+    TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
184+  fi
185+elif test "x$platform" != xefi; then
186+  as_fn_error $? "--enable-stack-protector is only supported on EFI platforms" "$LINENO" 5
187+elif test "x$ssp_global_possible" != xyes; then
188+  as_fn_error $? "--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)" "$LINENO" 5
189+else
190+  TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
191+  if test "x$enable_stack_protector" = xyes; then
192+    if test "x$ssp_possible" != xyes; then
193+      as_fn_error $? "--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)" "$LINENO" 5
194+    fi
195+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
196+  elif test "x$enable_stack_protector" = xstrong; then
197+    if test "x$ssp_strong_possible" != xyes; then
198+      as_fn_error $? "--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)" "$LINENO" 5
199+    fi
200+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
201+  else
202+    # Note, -fstack-protector-all requires that the protector is disabled for
203+    # functions that appear in the call stack when the canary is initialized.
204+    as_fn_error $? "invalid value $enable_stack_protector for --enable-stack-protector" "$LINENO" 5
205+  fi
206+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
207 fi
208
209 CFLAGS="$TARGET_CFLAGS"
210@@ -37054,5 +37134,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
211 else
212 echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
213 fi
214+if test "x$enable_stack_protector" != xno; then
215+echo "With stack smashing protector: Yes"
216+else
217+echo "With stack smashing protector: No"
218+fi
219 echo "*******************************************************"
220
221diff --git a/configure.ac b/configure.ac
222index 7656f24..bb6b02a 100644
223--- a/configure.ac
224+++ b/configure.ac
225@@ -1285,12 +1285,41 @@ fi]
226
227 CFLAGS="$TARGET_CFLAGS"
228
229-# Smashing stack protector.
230+# Stack smashing protector.
231 grub_CHECK_STACK_PROTECTOR
232-# Need that, because some distributions ship compilers that include
233-# `-fstack-protector' in the default specs.
234-if test "x$ssp_possible" = xyes; then
235-  TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
236+AC_ARG_ENABLE([stack-protector],
237+	      AS_HELP_STRING([--enable-stack-protector],
238+			     [enable the stack protector]),
239+	      [],
240+	      [enable_stack_protector=no])
241+if test "x$enable_stack_protector" = xno; then
242+  if test "x$ssp_possible" = xyes; then
243+    # Need that, because some distributions ship compilers that include
244+    # `-fstack-protector' in the default specs.
245+    TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
246+  fi
247+elif test "x$platform" != xefi; then
248+  AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
249+elif test "x$ssp_global_possible" != xyes; then
250+  AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
251+else
252+  TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
253+  if test "x$enable_stack_protector" = xyes; then
254+    if test "x$ssp_possible" != xyes; then
255+      AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
256+    fi
257+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
258+  elif test "x$enable_stack_protector" = xstrong; then
259+    if test "x$ssp_strong_possible" != xyes; then
260+      AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
261+    fi
262+    TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
263+  else
264+    # Note, -fstack-protector-all requires that the protector is disabled for
265+    # functions that appear in the call stack when the canary is initialized.
266+    AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
267+  fi
268+  TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
269 fi
270
271 CFLAGS="$TARGET_CFLAGS"
272@@ -2103,5 +2132,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
273 else
274 echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
275 fi
276+if test "x$enable_stack_protector" != xno; then
277+echo "With stack smashing protector: Yes"
278+else
279+echo "With stack smashing protector: No"
280+fi
281 echo "*******************************************************"
282 ]
283diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
284index 30e23ad..ee88e44 100644
285--- a/grub-core/Makefile.am
286+++ b/grub-core/Makefile.am
287@@ -90,6 +90,7 @@ endif
288 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
289 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
290 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
291+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
292 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
293 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
294 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
295diff --git a/grub-core/Makefile.in b/grub-core/Makefile.in
296index 1f8133b..50c70b5 100644
297--- a/grub-core/Makefile.in
298+++ b/grub-core/Makefile.in
299@@ -16425,6 +16425,7 @@ KERNEL_HEADER_FILES = $(top_srcdir)/include/grub/cache.h \
300 	$(am__append_5795) $(top_srcdir)/include/grub/mm.h \
301 	$(top_srcdir)/include/grub/parser.h \
302 	$(top_srcdir)/include/grub/partition.h \
303+	$(top_srcdir)/include/grub/stack_protector.h \
304 	$(top_srcdir)/include/grub/term.h \
305 	$(top_srcdir)/include/grub/time.h \
306 	$(top_srcdir)/include/grub/verify.h \
307diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
308index 1333465..7facacf 100644
309--- a/grub-core/kern/efi/init.c
310+++ b/grub-core/kern/efi/init.c
311@@ -27,6 +27,58 @@
312 #include <grub/env.h>
313 #include <grub/mm.h>
314 #include <grub/kernel.h>
315+#include <grub/stack_protector.h>
316+
317+#ifdef GRUB_STACK_PROTECTOR
318+
319+static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
320+
321+/*
322+ * Don't put this on grub_efi_init()'s local stack to avoid it
323+ * getting a stack check.
324+ */
325+static grub_efi_uint8_t stack_chk_guard_buf[32];
326+
327+grub_addr_t __stack_chk_guard;
328+
329+void __attribute__ ((noreturn))
330+__stack_chk_fail (void)
331+{
332+  /*
333+   * Assume it's not safe to call into EFI Boot Services. Sorry, that
334+   * means no console message here.
335+   */
336+  do
337+    {
338+      /* Do not optimize out the loop. */
339+      asm volatile ("");
340+    }
341+  while (1);
342+}
343+
344+static void
345+stack_protector_init (void)
346+{
347+  grub_efi_rng_protocol_t *rng;
348+
349+  /* Set up the stack canary. Make errors here non-fatal for now. */
350+  rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL);
351+  if (rng != NULL)
352+    {
353+      grub_efi_status_t status;
354+
355+      status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf),
356+			   stack_chk_guard_buf);
357+      if (status == GRUB_EFI_SUCCESS)
358+	grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard));
359+    }
360+}
361+#else
362+static void
363+stack_protector_init (void)
364+{
365+}
366+#endif
367
368 grub_addr_t grub_modbase;
369
370@@ -38,6 +90,8 @@ grub_efi_init (void)
371      messages.  */
372   grub_console_init ();
373
374+  stack_protector_init ();
375+
376   /* Initialize the memory management system.  */
377   grub_efi_mm_init ();
378
379diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
380index 13e5715..5517f7e 100644
381--- a/include/grub/efi/api.h
382+++ b/include/grub/efi/api.h
383@@ -339,6 +339,11 @@
384     { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
385   }
386
387+#define GRUB_EFI_RNG_PROTOCOL_GUID \
388+  { 0x3152bca5, 0xeade, 0x433d, \
389+    { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
390+  }
391+
392 struct grub_efi_sal_system_table
393 {
394   grub_uint32_t signature;
395@@ -1700,6 +1705,20 @@ struct grub_efi_shim_lock_protocol
396 };
397 typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;
398
399+typedef grub_efi_guid_t grub_efi_rng_algorithm_t;
400+
401+struct grub_efi_rng_protocol
402+{
403+  grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this,
404+				 grub_efi_uintn_t *rng_algorithm_list_size,
405+				 grub_efi_rng_algorithm_t *rng_algorithm_list);
406+  grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this,
407+				grub_efi_rng_algorithm_t *rng_algorithm,
408+				grub_efi_uintn_t rng_value_length,
409+				grub_efi_uint8_t *rng_value);
410+};
411+typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
412+
413 #if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
414   || defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__) \
415   || defined(__riscv)
416diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h
417new file mode 100644
418index 0000000..c88dc00
419--- /dev/null
420+++ b/include/grub/stack_protector.h
421@@ -0,0 +1,30 @@
422+/*
423+ *  GRUB  --  GRand Unified Bootloader
424+ *  Copyright (C) 2021  Free Software Foundation, Inc.
425+ *
426+ *  GRUB is free software: you can redistribute it and/or modify
427+ *  it under the terms of the GNU General Public License as published by
428+ *  the Free Software Foundation, either version 3 of the License, or
429+ *  (at your option) any later version.
430+ *
431+ *  GRUB is distributed in the hope that it will be useful,
432+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
433+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
434+ *  GNU General Public License for more details.
435+ *
436+ *  You should have received a copy of the GNU General Public License
437+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
438+ */
439+
440+#ifndef GRUB_STACK_PROTECTOR_H
441+#define GRUB_STACK_PROTECTOR_H	1
442+
443+#include <grub/symbol.h>
444+#include <grub/types.h>
445+
446+#ifdef GRUB_STACK_PROTECTOR
447+extern grub_addr_t EXPORT_VAR (__stack_chk_guard);
448+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
449+#endif
450+
451+#endif /* GRUB_STACK_PROTECTOR_H */
452diff --git a/po/POTFILES.in b/po/POTFILES.in
453index 7753ab4..ef42c7d 100644
454--- a/po/POTFILES.in
455+++ b/po/POTFILES.in
456@@ -1319,6 +1319,7 @@
457 ./include/grub/sparc64/time.h
458 ./include/grub/sparc64/types.h
459 ./include/grub/speaker.h
460+./include/grub/stack_protector.h
461 ./include/grub/symbol.h
462 ./include/grub/syslinux_parse.h
463 ./include/grub/term.h
464--
4652.14.2
466
467