1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
|
From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Mon, 28 Sep 2020 20:08:33 +0200
Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled
modules list
Now the GRUB can check if it has been locked down and this can be used to
prevent executing commands that can be utilized to circumvent the UEFI
Secure Boot mechanisms. So, instead of hardcoding a list of modules that
have to be disabled, prevent the usage of commands that can be dangerous.
This not only allows the commands to be disabled on other platforms, but
also properly separate the concerns. Since the shim_lock verifier logic
should be only about preventing to run untrusted binaries and not about
defining these kind of policies.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491]
CVE: CVE-2020-14372
Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com>
---
docs/grub.texi | 10 ++++++++++
grub-core/commands/i386/wrmsr.c | 5 +++--
grub-core/commands/iorw.c | 19 ++++++++++---------
grub-core/commands/memrw.c | 19 ++++++++++---------
4 files changed, 33 insertions(+), 20 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 5e6cace..0786427 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command.
Also, if you specify a reserved or unimplemented MSR address, it will
cause a general protection exception (which is not currently being handled)
and the system will reboot.
+
+Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
+ This is done to prevent subverting various security mechanisms.
@end deffn
@node xen_hypervisor
@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the
shim_lock module. And itself it is a persistent module which means that
it cannot be unloaded if it was loaded into the memory.
+All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables,
+Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands
+that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw}
+and @command{memrw} will not be available when the UEFI secure boot is enabled.
+This is done for security reasons and are enforced by the GRUB Lockdown mechanism
+(@pxref{Lockdown}).
+
@node Measured Boot
@section Measuring boot components
diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c
index 9c5e510..56a29c2 100644
--- a/grub-core/commands/i386/wrmsr.c
+++ b/grub-core/commands/i386/wrmsr.c
@@ -24,6 +24,7 @@
#include <grub/env.h>
#include <grub/command.h>
#include <grub/extcmd.h>
+#include <grub/lockdown.h>
#include <grub/i18n.h>
#include <grub/i386/cpuid.h>
#include <grub/i386/wrmsr.h>
@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char
GRUB_MOD_INIT(wrmsr)
{
- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
- N_("Write a value to a CPU model specific register."));
+ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"),
+ N_("Write a value to a CPU model specific register."));
}
GRUB_MOD_FINI(wrmsr)
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
index a0c164e..584baec 100644
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@@ -23,6 +23,7 @@
#include <grub/env.h>
#include <grub/cpu/io.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw)
N_("PORT"), N_("Read 32-bit value from PORT."),
options);
cmd_write_byte =
- grub_register_command ("outb", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 8-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outb", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 8-bit VALUE to PORT."));
cmd_write_word =
- grub_register_command ("outw", grub_cmd_write,
- N_("PORT VALUE [MASK]"),
- N_("Write 16-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outw", grub_cmd_write,
+ N_("PORT VALUE [MASK]"),
+ N_("Write 16-bit VALUE to PORT."));
cmd_write_dword =
- grub_register_command ("outl", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to PORT."));
+ grub_register_command_lockdown ("outl", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to PORT."));
}
GRUB_MOD_FINI(memrw)
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
index 98769ea..d401a6d 100644
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@@ -22,6 +22,7 @@
#include <grub/extcmd.h>
#include <grub/env.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw)
N_("ADDR"), N_("Read 32-bit value from ADDR."),
options);
cmd_write_byte =
- grub_register_command ("write_byte", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 8-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_byte", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 8-bit VALUE to ADDR."));
cmd_write_word =
- grub_register_command ("write_word", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 16-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_word", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 16-bit VALUE to ADDR."));
cmd_write_dword =
- grub_register_command ("write_dword", grub_cmd_write,
- N_("ADDR VALUE [MASK]"),
- N_("Write 32-bit VALUE to ADDR."));
+ grub_register_command_lockdown ("write_dword", grub_cmd_write,
+ N_("ADDR VALUE [MASK]"),
+ N_("Write 32-bit VALUE to ADDR."));
}
GRUB_MOD_FINI(memrw)
|
