diff options
| author |   Marta Rybczynska <rybczynska@gmail.com> | 2022-01-05 09:40:50 +0100 |
|---|---|---|
| committer |   Steve Sakoman <steve@sakoman.com> | 2022-01-06 04:27:01 -1000 |
| commit | da6c0f3cfc920cea57cd409b17303bf735ccd68d (patch) | |
| tree | cabee2b08d1ba18249d63d987d5e5f91dd1e6634 /meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch | |
| parent | 1ab7aee542589f6b6c76f8515b4230ce870a8678 (diff) | |
| download | openembedded-core-contrib-da6c0f3cfc920cea57cd409b17303bf735ccd68d.tar.gz | |
grub: fix CVE-2020-14372 and CVE-2020-27779
Fix issues with grub in secure boot mode where an attacker could circumvent
secure boot by using acpi and cutmem commands. Also include patches fixing
similar issues.
Most patches are backported directly from grub. One patch
(no-insmod-on-sb.patch) comes from Debian, as the upstream implementation is
too complicated to backport.
CVE-2020-14372 description (from NVD [1]):
A flaw was found in grub2 in versions prior to 2.06, where it incorrectly
enables the usage of the ACPI command when Secure Boot is enabled.
This flaw allows an attacker with privileged access to craft a Secondary
System Description Table (SSDT) containing code to overwrite the Linux
kernel lockdown variable content directly into memory. The table is
further loaded and executed by the kernel, defeating its Secure Boot
lockdown and allowing the attacker to load unsigned code. The highest
threat from this vulnerability is to data confidentiality and integrity,
as well as system availability.
CVE-2020-27779 description (from NVD [2]):
A flaw was found in grub2 in versions prior to 2.06. The cutmem command
does not honor secure boot locking allowing an privileged attacker to
remove address ranges from memory creating an opportunity to circumvent
SecureBoot protections after proper triage about grub's memory layout.
The highest threat from this vulnerability is to data confidentiality
and integrity as well as system availability.
[1] https://nvd.nist.gov/vuln/detail/CVE-2020-14372
[2] https://nvd.nist.gov/vuln/detail/CVE-2020-27779
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch')
| -rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch | 65 |
1 files changed, 65 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch new file mode 100644 index 0000000000..e5d372a2b1 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-27779_7.patch @@ -0,0 +1,65 @@ +From dcc5a434e59f721b03cc809db0375a24aa2ac6d0 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas <javierm@redhat.com> +Date: Sat, 7 Nov 2020 01:03:18 +0100 +Subject: [PATCH] docs: Document the cutmem command + +The command is not present in the docs/grub.texi user documentation. + +Reported-by: Daniel Kiper <daniel.kiper@oracle.com> +Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> +Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com> +Reviewed-by: Javier Martinez Canillas <javierm@redhat.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=f05e79a0143beb2d9a482a3ebf4fe0ce76778122] +CVE: CVE-2020-27779 +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + docs/grub.texi | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/docs/grub.texi b/docs/grub.texi +index ccf1908..ae85f55 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -3892,6 +3892,7 @@ you forget a command, you can run the command @command{help} + * cpuid:: Check for CPU features + * crc:: Compute or check CRC32 checksums + * cryptomount:: Mount a crypto device ++* cutmem:: Remove memory regions + * date:: Display or set current date and time + * devicetree:: Load a device tree blob + * distrust:: Remove a pubkey from trusted keys +@@ -4051,6 +4052,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns + that are often result of memory damage, due to physical distribution of memory + cells. + ++The command is similar to @command{cutmem} command. ++ + Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). + This prevents removing EFI memory regions to potentially subvert the + security mechanisms provided by the UEFI secure boot. +@@ -4214,6 +4217,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules + be used. + @end deffn + ++@node cutmem ++@subsection cutmem ++ ++@deffn Command cutmem from[K|M|G] to[K|M|G] ++Remove any memory regions in specified range. ++@end deffn ++ ++This command notifies the memory manager that specified regions of RAM ought to ++be filtered out. This remains in effect after a payload kernel has been loaded ++by GRUB, as long as the loaded kernel obtains its memory map from GRUB. Kernels ++that support this include Linux, GNU Mach, the kernel of FreeBSD and Multiboot ++kernels in general. ++ ++The command is similar to @command{badram} command. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ This prevents removing EFI memory regions to potentially subvert the ++ security mechanisms provided by the UEFI secure boot. + + @node date + @subsection date |