From 9b669efb38a4bd1269fd83dc69ef58cfbd45f7c8 Mon Sep 17 00:00:00 2001
From: Matthew Garrett
Date: Thu, 16 Apr 2015 16:30:53 -0700
Subject: [PATCH] Fail validation if we can't find shim and Secure Boot is enabled
If grub is signed with a key that's in the trusted EFI keyring, an attacker can point a boot entry at grub rather than at shim and grub will fail to locate the shim verification protocol. This would then allow booting an arbitrary kernel image. Fail validation if Secure Boot is enabled and we can't find the shim protocol in order to prevent this.
---
grub-core/loader/i386/efi/linux.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index b79e6320b..57ccd4ec4 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -57,8 +57,12 @@ grub_linuxefi_secure_validate (void *data, grub_uint32_t size)
 shim_lock = grub_efi_locate_protocol(&guid, NULL);
- if (!shim_lock)
- return 1;
+ if (!shim_lock) {
+ if (grub_efi_secure_boot())
+ return 0;
+ else
+ return 1;
+ }
 if (shim_lock->verify(data, size) == GRUB_EFI_SUCCESS)
 return 1;