starlingx/integ
Code Issues Proposed changes
06c396fbe3
integ/grub/grub-efi/debian/patches/lat/0005-grub-verify-Add-skip_check_cfg-variable.patch
Li Zhou 8e6824ec91 grub2/grub-efi: fix CVE-2022-28736 
We add patches to fix CVEs for grub instead of upgrading because
grub2/grub-efi is ported from yocto for secure boot bringing up.

The patches for CVE-2022-28736 have conflicts with the patches for
secure boot. So refer to below link to fix this CVE:
(1) https://patchwork.yoctoproject.org/project/oe-core/patch/
20221207034254.58292-1-xiangyu.chen@eng.windriver.com/
(2)https://github.com/jiazhang0/meta-secure-core/pull/257

The special patches for grub-efi are from layers meta-lat and
meta-secure-core of yocto upstream, which are based on the patches
for grub-efi in oe-core layer (including CVE patches). We used to mix
all the patches together. Now we will move the patches from meta-lat
and meta-secure-core to the end of sequence for applying patches,
so that we can keep align with yocto upstream and make it easier
to maintain the grub here.
Since there are many patches involved here, we don't change the number
in patches' name in case confusion is caused if we rename many files.

Below commits are added for the CVE:
<loader/efi/chainloader: Simplify the loader state>
<commands/boot: Add API to pass context to loader>
<loader/efi/chainloader: Use grub_loader_set_ex()>

Below patches for secure boot are adapted for conflicts with above:
secure-core/0009 <efi: chainloader: port shim to grub>
secure-core/0010 <efi: chainloader: use shim to load and verify an image>
secure-core/0012 <efi: chainloader: take care of unload undershim>

All of them are aligned with upstream and no changes here.

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.
 - PASS: the tests are done on lab with secure boot disabled and
         enabled.

Closes-Bug: #2034119

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de
2023-09-07 02:00:19 -04:00

99 lines
3.1 KiB
Diff
Raw Blame History

From 01120b5ec61ae7bbe550b1e2fe0f75c2d2073b1f Mon Sep 17 00:00:00 2001
From: Hongxu Jia <hongxu.jia@windriver.com>
Date: Fri, 6 May 2022 15:44:14 +0800
Subject: [PATCH] grub verify: Add skip_check_cfg variable
While check_signatures enabled, with skip_check_cfg set to 1
- Do not verify the signature on the file that has suffix `.cfg'
- Do not authenticate user and password if cfg is changed
Implement function grub_strendswith to find cfg file
Upstream-Status: Pending
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
---
grub-core/commands/pgp.c | 12 ++++++++++++
grub-core/kern/misc.c | 12 ++++++++++++
grub-core/normal/auth.c | 5 +++++
include/grub/misc.h | 1 +
4 files changed, 30 insertions(+)
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 5daa1e9..e60a29a 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -873,6 +873,18 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
char *fsuf, *ptr;
grub_err_t err;
struct grub_pubkey_context *ctxt;
+ const char *val;
+
+ /* SKip to check the signature of cfg */
+ val = grub_env_get ("skip_check_cfg");
+ if (val && (val[0] == '1'))
+ {
+ if (grub_strendswith (io->name, ".cfg"))
+ {
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
+ return GRUB_ERR_NONE;
+ }
+ }
if (!sec)
{
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
index 3af336e..8bf1d90 100644
--- a/grub-core/kern/misc.c
+++ b/grub-core/kern/misc.c
@@ -280,6 +280,18 @@ grub_strncmp (const char *s1, const char *s2, grub_size_t n)
return (int) (grub_uint8_t) *s1 - (int) (grub_uint8_t) *s2;
}
+int
+grub_strendswith (const char *str, const char *suffix)
+{
+ if (!str || !suffix)
+ return 0;
+ grub_size_t lenstr = grub_strlen(str);
+ grub_size_t lensuffix = grub_strlen(suffix);
+ if (lensuffix > lenstr)
+ return 0;
+ return grub_strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
+}
+
char *
grub_strchr (const char *s, int c)
{
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index 6be678c..57a1a42 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -136,6 +136,11 @@ is_authenticated (const char *userlist)
const char *superusers;
struct grub_auth_user *user;
+ /* SKip to authenticate grub cfg */
+ const char *val = grub_env_get ("skip_check_cfg");
+ if (val && (val[0] == '1'))
+ return 1;
+
superusers = grub_env_get ("superusers");
if (!superusers)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 7d2b551..cce29d7 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -82,6 +82,7 @@ grub_memcpy (void *dest, const void *src, grub_size_t n)
int EXPORT_FUNC(grub_memcmp) (const void *s1, const void *s2, grub_size_t n);
int EXPORT_FUNC(grub_strcmp) (const char *s1, const char *s2);
int EXPORT_FUNC(grub_strncmp) (const char *s1, const char *s2, grub_size_t n);
+int EXPORT_FUNC(grub_strendswith) (const char *str, const char *suffix);
char *EXPORT_FUNC(grub_strchr) (const char *s, int c);
char *EXPORT_FUNC(grub_strrchr) (const char *s, int c);
--
2.17.1
View Git Blame Copy Permalink