1*4882a593SmuzhiyunFrom e346414725a70e5c74ee87ca14e580c66f517666 Mon Sep 17 00:00:00 2001 2*4882a593SmuzhiyunFrom: Alex Burmashev <alexander.burmashev@oracle.com> 3*4882a593SmuzhiyunDate: Tue, 16 Feb 2021 11:12:12 +0100 4*4882a593SmuzhiyunSubject: [PATCH] templates: Disable the os-prober by default 5*4882a593Smuzhiyun 6*4882a593SmuzhiyunThe os-prober is enabled by default what may lead to potentially 7*4882a593Smuzhiyundangerous use cases and borderline opening attack vectors. This 8*4882a593Smuzhiyunpatch disables the os-prober, adds warning messages and updates 9*4882a593SmuzhiyunGRUB_DISABLE_OS_PROBER configuration option documentation. This 10*4882a593Smuzhiyunway we make it clear that the os-prober usage is not recommended. 11*4882a593Smuzhiyun 12*4882a593SmuzhiyunSimplistic nature of this change allows downstream vendors, who 13*4882a593Smuzhiyunreally want os-prober to be enabled out of the box in their 14*4882a593Smuzhiyunrelevant products, easily revert to it's old behavior. 15*4882a593Smuzhiyun 16*4882a593SmuzhiyunReported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec), 17*4882a593Smuzhiyun working with SSD Secure Disclosure 18*4882a593SmuzhiyunSigned-off-by: Alex Burmashev <alexander.burmashev@oracle.com> 19*4882a593SmuzhiyunReviewed-by: Daniel Kiper <daniel.kiper@oracle.com> 20*4882a593SmuzhiyunSigned-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com> 21*4882a593Smuzhiyun--- 22*4882a593Smuzhiyun docs/grub.texi | 18 ++++++++++-------- 23*4882a593Smuzhiyun util/grub.d/30_os-prober.in | 5 ++++- 24*4882a593Smuzhiyun 2 files changed, 14 insertions(+), 9 deletions(-) 25*4882a593Smuzhiyun 26*4882a593Smuzhiyundiff --git a/docs/grub.texi b/docs/grub.texi 27*4882a593Smuzhiyunindex e302797..45a9f80 100644 28*4882a593Smuzhiyun--- a/docs/grub.texi 29*4882a593Smuzhiyun+++ b/docs/grub.texi 30*4882a593Smuzhiyun@@ -1481,10 +1481,13 @@ boot sequence. If you have problems, set this option to @samp{text} and 31*4882a593Smuzhiyun GRUB will tell Linux to boot in normal text mode. 32*4882a593Smuzhiyun 33*4882a593Smuzhiyun @item GRUB_DISABLE_OS_PROBER 34*4882a593Smuzhiyun-Normally, @command{grub-mkconfig} will try to use the external 35*4882a593Smuzhiyun-@command{os-prober} program, if installed, to discover other operating 36*4882a593Smuzhiyun-systems installed on the same system and generate appropriate menu entries 37*4882a593Smuzhiyun-for them. Set this option to @samp{true} to disable this. 38*4882a593Smuzhiyun+The @command{grub-mkconfig} has a feature to use the external 39*4882a593Smuzhiyun+@command{os-prober} program to discover other operating systems installed on 40*4882a593Smuzhiyun+the same machine and generate appropriate menu entries for them. It is disabled 41*4882a593Smuzhiyun+by default since automatic and silent execution of @command{os-prober}, and 42*4882a593Smuzhiyun+creating boot entries based on that data, is a potential attack vector. Set 43*4882a593Smuzhiyun+this option to @samp{false} to enable this feature in the 44*4882a593Smuzhiyun+@command{grub-mkconfig} command. 45*4882a593Smuzhiyun 46*4882a593Smuzhiyun @item GRUB_OS_PROBER_SKIP_LIST 47*4882a593Smuzhiyun List of space-separated FS UUIDs of filesystems to be ignored from os-prober 48*4882a593Smuzhiyun@@ -1812,10 +1815,9 @@ than zero; otherwise 0. 49*4882a593Smuzhiyun @section Multi-boot manual config 50*4882a593Smuzhiyun 51*4882a593Smuzhiyun Currently autogenerating config files for multi-boot environments depends on 52*4882a593Smuzhiyun-os-prober and has several shortcomings. While fixing it is scheduled for the 53*4882a593Smuzhiyun-next release, meanwhile you can make use of the power of GRUB syntax and do it 54*4882a593Smuzhiyun-yourself. A possible configuration is detailed here, feel free to adjust to your 55*4882a593Smuzhiyun-needs. 56*4882a593Smuzhiyun+os-prober and has several shortcomings. Due to that it is disabled by default. 57*4882a593Smuzhiyun+It is advised to use the power of GRUB syntax and do it yourself. A possible 58*4882a593Smuzhiyun+configuration is detailed here, feel free to adjust to your needs. 59*4882a593Smuzhiyun 60*4882a593Smuzhiyun First create a separate GRUB partition, big enough to hold GRUB. Some of the 61*4882a593Smuzhiyun following entries show how to load OS installer images from this same partition, 62*4882a593Smuzhiyundiff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in 63*4882a593Smuzhiyunindex 515a68c..99de043 100644 64*4882a593Smuzhiyun--- a/util/grub.d/30_os-prober.in 65*4882a593Smuzhiyun+++ b/util/grub.d/30_os-prober.in 66*4882a593Smuzhiyun@@ -26,7 +26,8 @@ export TEXTDOMAINDIR="@localedir@" 67*4882a593Smuzhiyun 68*4882a593Smuzhiyun . "$pkgdatadir/grub-mkconfig_lib" 69*4882a593Smuzhiyun 70*4882a593Smuzhiyun-if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then 71*4882a593Smuzhiyun+if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then 72*4882a593Smuzhiyun+ gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n" 73*4882a593Smuzhiyun exit 0 74*4882a593Smuzhiyun fi 75*4882a593Smuzhiyun 76*4882a593Smuzhiyun@@ -39,6 +40,8 @@ OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`" 77*4882a593Smuzhiyun if [ -z "${OSPROBED}" ] ; then 78*4882a593Smuzhiyun # empty os-prober output, nothing doing 79*4882a593Smuzhiyun exit 0 80*4882a593Smuzhiyun+else 81*4882a593Smuzhiyun+ grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")" 82*4882a593Smuzhiyun fi 83*4882a593Smuzhiyun 84*4882a593Smuzhiyun osx_entry() { 85*4882a593Smuzhiyun-- 86*4882a593Smuzhiyun2.14.2 87*4882a593Smuzhiyun 88