Don't allow insmod when secure boot is enabled.
Hi, Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine as far as it goes. However, the insmod command is not the only way that modules can be loaded. In particular, the 'normal' command, which implements the usual GRUB menu and the fully-featured command prompt, will implicitly load commands not currently loaded into memory. This permits trivial Secure Boot violations by writing commands implementing whatever you want to do and pointing $prefix at the malicious code. I'm currently test-building this patch (replacing your current grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It moves the check into grub_dl_load_file.
		
							parent
							
								
									4f35e11003
								
							
						
					
					
						commit
						25850cfd50
					
				
					 3 changed files with 46 additions and 0 deletions
				
			
		|  | @ -259,6 +259,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid, | |||
|   return NULL; | ||||
| } | ||||
| 
 | ||||
| grub_efi_boolean_t | ||||
| grub_efi_secure_boot (void) | ||||
| { | ||||
|   grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; | ||||
|   grub_size_t datasize; | ||||
|   char *secure_boot = NULL; | ||||
|   char *setup_mode = NULL; | ||||
|   grub_efi_boolean_t ret = 0; | ||||
| 
 | ||||
|   secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize); | ||||
| 
 | ||||
|   if (datasize != 1 || !secure_boot) | ||||
|     goto out; | ||||
| 
 | ||||
|   setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize); | ||||
| 
 | ||||
|   if (datasize != 1 || !setup_mode) | ||||
|     goto out; | ||||
| 
 | ||||
|   if (*secure_boot && !*setup_mode) | ||||
|     ret = 1; | ||||
| 
 | ||||
|  out: | ||||
|   grub_free (secure_boot); | ||||
|   grub_free (setup_mode); | ||||
|   return ret; | ||||
| } | ||||
| 
 | ||||
| #pragma GCC diagnostic ignored "-Wcast-align" | ||||
| 
 | ||||
| /* Search the mods section from the PE32/PE32+ image. This code uses
 | ||||
|  |  | |||
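Review bot: grub_efi_secure_boot() fails open on every error path: if either grub_efi_get_variable() call returns NULL or an unexpected size, `ret` stays 0, so the module-loading restriction described in the commit message is presumably lifted exactly when the Secure Boot state could not be determined. When SecureBoot was already read as set but the SetupMode read fails, the safer result is enforcement, e.g. `if (datasize != 1 || !setup_mode) { ret = (*secure_boot != 0); goto out; }`. Both checks also read `datasize`, which is declared uninitialized, before testing the returned pointer; only the tail of grub_efi_get_variable() is visible in this hunk, so unless it is known to store a size on failure, initialise `datasize` or test the pointer first: `if (!secure_boot || datasize != 1)`. A short header comment stating that the function returns 1 only when SecureBoot is set and SetupMode is clear, and what it returns when the variables cannot be read, would make the contract clear to callers.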