Merge pull request #8 from mjg59/master

Add some more secure boot infrastructure to grub
2015-04-22 16:02:19 -07:00 · 2015-04-22 16:02:19 -07:00 · 19c075a7ac
commit 19c075a7ac
parent 4f35e11003 2755ecd157
6 changed files with 212 additions and 2 deletions
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@ -821,6 +821,13 @@ module = {
  enable = x86_64_efi;
 };

+module = {
+  name = getenv;
+  common = commands/efi/getenv.c;
+  enable = i386_efi;
+  enable = x86_64_efi;
+};
+
 module = {
  name = gptsync;
  common = commands/gptsync.c;
--- a/grub-core/commands/efi/getenv.c
+++ b/grub-core/commands/efi/getenv.c
@ -0,0 +1,153 @@
+/* getenv.c - retrieve EFI variables.  */
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2009  Free Software Foundation, Inc.
+ *  Copyright (C) 2014  CoreOS, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/efi/efi.h>
+#include <grub/dl.h>
+#include <grub/env.h>
+#include <grub/err.h>
+#include <grub/extcmd.h>
+#include <grub/i18n.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static const struct grub_arg_option options_getenv[] = {
+  {"var-name", 'e', 0,
+   N_("Environment variable to query"),
+   N_("VARNAME"), ARG_TYPE_STRING},
+  {"var-guid", 'g', 0,
+   N_("GUID of environment variable to query"),
+   N_("GUID"), ARG_TYPE_STRING},
+  {"binary", 'b', 0,
+   N_("Read binary data and represent it as hex"),
+   0, ARG_TYPE_NONE},
+  {0, 0, 0, 0, 0, 0}
+};
+
+enum options_getenv
+{
+  GETENV_VAR_NAME,
+  GETENV_VAR_GUID,
+  GETENV_BINARY,
+};
+
+static grub_err_t
+grub_cmd_getenv (grub_extcmd_context_t ctxt, int argc, char **args)
+{
+  struct grub_arg_list *state = ctxt->state;
+  char *envvar = NULL, *guid = NULL, *bindata = NULL, *data = NULL;
+  grub_size_t datasize;
+  grub_efi_guid_t efi_var_guid;
+  grub_efi_boolean_t binary = state[GETENV_BINARY].set;
+  unsigned int i;
+
+  if (!state[GETENV_VAR_NAME].set || !state[GETENV_VAR_GUID].set)
+    {
+      grub_error (GRUB_ERR_INVALID_COMMAND, N_("-e and -g are required"));
+      goto done;
+    }
+
+  if (argc != 1)
+    {
+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("unexpected arguments"));
+      goto done;
+    }
+
+  envvar = state[GETENV_VAR_NAME].arg;
+  guid = state[GETENV_VAR_GUID].arg;
+
+  if (grub_strlen(guid) != 36 ||
+      guid[8] != '-' ||
+      guid[13] != '-' ||
+      guid[18] != '-' ||
+      guid[23] != '-')
+    {
+      grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid GUID"));
+      goto done;
+    }
+
+  /* Forgive me father for I have sinned */
+  guid[8] = 0;
+  efi_var_guid.data1 = grub_strtoul(guid, NULL, 16);
+  guid[13] = 0;
+  efi_var_guid.data2 = grub_strtoul(guid + 9, NULL, 16);
+  guid[18] = 0;
+  efi_var_guid.data3 = grub_strtoul(guid + 14, NULL, 16);
+  efi_var_guid.data4[7] = grub_strtoul(guid + 34, NULL, 16);
+  guid[34] = 0;
+  efi_var_guid.data4[6] = grub_strtoul(guid + 32, NULL, 16);
+  guid[32] = 0;
+  efi_var_guid.data4[5] = grub_strtoul(guid + 30, NULL, 16);
+  guid[30] = 0;
+  efi_var_guid.data4[4] = grub_strtoul(guid + 28, NULL, 16);
+  guid[28] = 0;
+  efi_var_guid.data4[3] = grub_strtoul(guid + 26, NULL, 16);
+  guid[26] = 0;
+  efi_var_guid.data4[2] = grub_strtoul(guid + 24, NULL, 16);
+  guid[23] = 0;
+  efi_var_guid.data4[1] = grub_strtoul(guid + 21, NULL, 16);
+  guid[21] = 0;
+  efi_var_guid.data4[0] = grub_strtoul(guid + 19, NULL, 16);
+
+  data = grub_efi_get_variable(envvar, &efi_var_guid, &datasize);
+
+  if (!data || !datasize)
+    {
+      grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("No such variable"));
+      goto done;
+    }
+
+  if (binary)
+    {
+      bindata = grub_zalloc(datasize * 2 + 1);
+      for (i=0; i<datasize; i++)
+	  grub_snprintf(bindata + i*2, 3, "%02x", data[i]);
+
+      if (grub_env_set (args[0], bindata))
+	goto done;
+    }
+  else if (grub_env_set (args[0], data))
+    {
+      goto done;
+    }
+
+  grub_errno = GRUB_ERR_NONE;
+
+done:
+  grub_free(bindata);
+  grub_free(data);
+  return grub_errno;
+}
+
+static grub_extcmd_t cmd_getenv;
+
+GRUB_MOD_INIT(getenv)
+{
+  cmd_getenv = grub_register_extcmd ("getenv", grub_cmd_getenv, 0,
+				   N_("-e envvar -g guidenv setvar"),
+				   N_("Read a firmware environment variable"),
+				   options_getenv);
+}
+
+GRUB_MOD_FINI(getenv)
+{
+  grub_unregister_extcmd (cmd_getenv);
+}
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@ -38,6 +38,14 @@
 #define GRUB_MODULES_MACHINE_READONLY
 #endif

+#ifdef GRUB_MACHINE_EMU
+#include <sys/mman.h>
+#endif
+
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+


 #pragma GCC diagnostic ignored "-Wcast-align"
@ -680,6 +688,15 @@ grub_dl_load_file (const char *filename)
  void *core = 0;
  grub_dl_t mod = 0;

+#ifdef GRUB_MACHINE_EFI
+  if (grub_efi_secure_boot ())
+    {
+      grub_error (GRUB_ERR_ACCESS_DENIED,
+		  "Secure Boot forbids loading module from %s", filename);
+      return 0;
+    }
+#endif
+
  grub_boot_time ("Loading module %s", filename);

  file = grub_file_open (filename);
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@ -259,6 +259,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
  return NULL;
 }

+grub_efi_boolean_t
+grub_efi_secure_boot (void)
+{
+  grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+  grub_size_t datasize;
+  char *secure_boot = NULL;
+  char *setup_mode = NULL;
+  grub_efi_boolean_t ret = 0;
+
+  secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !secure_boot)
+    goto out;
+
+  setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+
+  if (datasize != 1 || !setup_mode)
+    goto out;
+
+  if (*secure_boot && !*setup_mode)
+    ret = 1;
+
+ out:
+  grub_free (secure_boot);
+  grub_free (setup_mode);
+  return ret;
+}
+
 #pragma GCC diagnostic ignored "-Wcast-align"

 /* Search the mods section from the PE32/PE32+ image. This code uses
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@ -57,8 +57,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)

  shim_lock = grub_efi_locate_protocol(&guid, NULL);

-  if (!shim_lock)
+  if (!shim_lock) {
+    if (grub_efi_secure_boot())
+      return 0;
+    else
      return 1;
+  }

  if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
    return 1;
--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
@ -72,6 +72,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
 				     const grub_efi_guid_t *guid,
 				     void *data,
 				     grub_size_t datasize);
+grub_efi_boolean_t EXPORT_FUNC (grub_efi_secure_boot) (void);
 int
 EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
 					     const grub_efi_device_path_t *dp2);