48a2e836ff
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use grub version: 2.06-1 .
Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.
This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
112 lines
3.5 KiB
Diff
112 lines
3.5 KiB
Diff
From aacf59cc01555c645e5594c0cdaa0e6735921e80 Mon Sep 17 00:00:00 2001
|
|
From: Jason Wessel <jason.wessel@windriver.com>
|
|
Date: Thu, 17 Oct 2019 12:35:01 -0700
|
|
Subject: [PATCH] grub verify: Add strict_security variable
|
|
|
|
With strict_security set to 1, it is impossible to change the value of
|
|
check_signatures. It will also cause grub to reboot instead of
|
|
allowing a rescue or grub shell, which could allow an end user to
|
|
alter boot arguments or load some other binary.
|
|
|
|
Upstream-Status: Pending
|
|
|
|
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
|
---
|
|
grub-core/commands/pgp.c | 16 +++++++++++++++-
|
|
grub-core/kern/main.c | 9 +++++++++
|
|
grub-core/normal/main.c | 7 +++++--
|
|
3 files changed, 29 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
|
index e60a29a..578ad18 100644
|
|
--- a/grub-core/commands/pgp.c
|
|
+++ b/grub-core/commands/pgp.c
|
|
@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
|
|
}
|
|
|
|
static int sec = 0;
|
|
+static int strict_sec = 0;
|
|
|
|
static grub_err_t
|
|
grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
|
|
@@ -930,10 +931,21 @@ static char *
|
|
grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
|
|
const char *val)
|
|
{
|
|
- sec = (*val == '1') || (*val == 'e');
|
|
+ if (!strict_sec)
|
|
+ sec = (*val == '1') || (*val == 'e');
|
|
return grub_strdup (sec ? "enforce" : "no");
|
|
}
|
|
|
|
+static char *
|
|
+grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
|
|
+ const char *val)
|
|
+{
|
|
+ /* once it is set, it is a one way transition */
|
|
+ if (!strict_sec)
|
|
+ strict_sec = (*val == '1') || (*val == 'e');
|
|
+ return grub_strdup (strict_sec ? "enforce" : "no");
|
|
+}
|
|
+
|
|
static grub_ssize_t
|
|
pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
|
|
{
|
|
@@ -973,7 +985,9 @@ GRUB_MOD_INIT(pgp)
|
|
sec = 0;
|
|
|
|
grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
|
|
+ grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
|
|
grub_env_export ("check_signatures");
|
|
+ grub_env_export ("strict_security");
|
|
|
|
grub_pk_trusted = 0;
|
|
FOR_MODULES (header)
|
|
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
|
index 73967e2..86e7f35 100644
|
|
--- a/grub-core/kern/main.c
|
|
+++ b/grub-core/kern/main.c
|
|
@@ -30,6 +30,7 @@
|
|
#include <grub/reader.h>
|
|
#include <grub/parser.h>
|
|
#include <grub/verify.h>
|
|
+#include <grub/time.h>
|
|
|
|
#ifdef GRUB_MACHINE_PCBIOS
|
|
#include <grub/machine/memory.h>
|
|
@@ -312,5 +313,13 @@ grub_main (void)
|
|
grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
|
|
|
|
grub_load_normal_mode ();
|
|
+ const char *val = grub_env_get ("strict_security");
|
|
+ if (val && (val[0] == '1' || val[0] == 'e'))
|
|
+ while (1) {
|
|
+ grub_printf("Boot configuration error - Attempting reboot\n");
|
|
+ grub_sleep(3);
|
|
+ grub_dl_load ("reboot");
|
|
+ grub_command_execute ("reboot", 0, 0);
|
|
+ }
|
|
grub_rescue_run ();
|
|
}
|
|
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
|
index c4ebe9e..2c3f4f8 100644
|
|
--- a/grub-core/normal/main.c
|
|
+++ b/grub-core/normal/main.c
|
|
@@ -302,8 +302,11 @@ grub_enter_normal_mode (const char *config)
|
|
grub_boot_time ("Entering normal mode");
|
|
nested_level++;
|
|
grub_normal_execute (config, 0, 0);
|
|
- grub_boot_time ("Entering shell");
|
|
- grub_cmdline_run (0, 1);
|
|
+ const char *val = grub_env_get ("strict_security");
|
|
+ if (!(val && (val[0] == '1' || val[0] == 'e'))) {
|
|
+ grub_boot_time ("Entering shell");
|
|
+ grub_cmdline_run (0, 1);
|
|
+ }
|
|
nested_level--;
|
|
if (grub_normal_exit_level)
|
|
grub_normal_exit_level--;
|
|
--
|
|
2.17.1
|
|
|