| Field | Value | Date |
|---|---|---|
| author | Dimitri John Ledkov <xnox@ubuntu.com> | 2021-02-20 17:10:34 +0000 |
| committer | Daniel Kiper <daniel.kiper@oracle.com> | 2021-03-02 15:54:19 +0100 |
| commit | 968de8c23c1cba0f18230f778ebcf6c412ec8ec5 (patch) | |
| tree | 44c3961d70dac882a1b5e3c828472f526eb74aa8 /util/mkimage.c | |
| parent | bb51ee2b49fbda0f66c1fa580a33442ff578f110 (diff) | |
shim_lock: Only skip loading shim_lock verifier with explicit consent
Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled) reintroduced CVE-2020-15705 which
previously only existed in the out-of-tree linuxefi patches and was
fixed as part of the BootHole patch series.
Under Secure Boot enforce loading shim_lock verifier. Allow skipping
shim_lock verifier if SecureBoot/MokSBState EFI variables indicate
skipping validations, or if GRUB image is built with --disable-shim-lock.
Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled)
Fixes: CVE-2020-15705
Fixes: CVE-2021-3418
Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Diffstat (limited to 'util/mkimage.c')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | util/mkimage.c | 15 |

1 files changed, 14 insertions, 1 deletions
diff --git a/util/mkimage.c b/util/mkimage.c index b354ec1d9..a26cf76f7 100644 --- a/util/mkimage.c +++ b/util/mkimage.c @@ -870,7 +870,7 @@ grub_install_generate_image (const char *dir, const char *prefix, size_t npubkeys, char *config_path, const struct grub_install_image_target_desc *image_target, int note, grub_compression_t comp, const char *dtb_path, - const char *sbat_path) + const char *sbat_path, int disable_shim_lock) { char *kernel_img, *core_img; size_t total_module_size, core_size; @@ -929,6 +929,9 @@ grub_install_generate_image (const char *dir, const char *prefix, if (sbat_path != NULL && image_target->id != IMAGE_EFI) grub_util_error (_(".sbat section can be embedded into EFI images only")); + if (disable_shim_lock) + total_module_size += sizeof (struct grub_module_header); + if (config_path) { config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1); @@ -1065,6 +1068,16 @@ grub_install_generate_image (const char *dir, const char *prefix, offset += dtb_size; } + if (disable_shim_lock) + { + struct grub_module_header *header; + + header = (struct grub_module_header *) (kernel_img + offset); + header->type = grub_host_to_target32 (OBJ_TYPE_DISABLE_SHIM_LOCK); + header->size = grub_host_to_target32 (sizeof (*header)); + offset += sizeof (*header); + } + if (config_path) { struct grub_module_header *header; |
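Review bot: The new `int disable_shim_lock` parameter changes the signature of grub_install_generate_image, which is declared in a header and invoked by the grub-mkimage and grub-install front ends; none of those appear here because the diffstat is limited to util/mkimage.c, so please confirm the prototype and every caller are updated in the same commit, otherwise applying this file alone breaks the build. A bare flag-style int sitting next to `note` and `comp` is also easy to misplace at a call site; a short comment on the parameter saying that a non-zero value emits an OBJ_TYPE_DISABLE_SHIM_LOCK module into the core image would help readers.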
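Review bot: The reservation `total_module_size += sizeof (struct grub_module_header);` is guarded only by `disable_shim_lock`, whereas the check directly above it refuses a `.sbat` section with `grub_util_error` when `image_target->id != IMAGE_EFI`. The shim_lock verifier is an EFI Secure Boot concern, so the same guard belongs here: either error out for non-EFI targets the way the sbat path does, or ignore the flag with a warning, so that a non-EFI image does not silently carry a module that nothing will ever read.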
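Review bot: The module written here is the exact marker the EFI kernel will later use to skip the shim_lock verifier, so its presence in an image is security-relevant; a comment on this block stating that an image containing OBJ_TYPE_DISABLE_SHIM_LOCK must not be signed for Secure Boot would make the commit message's "explicit consent" intent visible at the place the marker is emitted. On the mechanics, `header->size = grub_host_to_target32 (sizeof (*header));` matches the `sizeof (struct grub_module_header)` reserved in the earlier hunk, which is consistent, but unlike the config module, whose size goes through ALIGN_ADDR, this one advances `offset` by a bare `sizeof (*header)`; that is only safe while the header struct stays as large as the alignment the following module headers expect, so a comment or compile-time assertion on that assumption is worth adding.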