8e6824ec91
We add patches to fix CVEs for grub instead of upgrading because grub2/grub-efi is ported from yocto for secure boot bringing up. The patches for CVE-2022-28736 have conflicts with the patches for secure boot. So refer to below link to fix this CVE: (1) https://patchwork.yoctoproject.org/project/oe-core/patch/ 20221207034254.58292-1-xiangyu.chen@eng.windriver.com/ (2)https://github.com/jiazhang0/meta-secure-core/pull/257 The special patches for grub-efi are from layers meta-lat and meta-secure-core of yocto upstream, which are based on the patches for grub-efi in oe-core layer (including CVE patches). We used to mix all the patches together. Now we will move the patches from meta-lat and meta-secure-core to the end of sequence for applying patches, so that we can keep align with yocto upstream and make it easier to maintain the grub here. Since there are many patches involved here, we don't change the number in patches' name in case confusion is caused if we rename many files. Below commits are added for the CVE: <loader/efi/chainloader: Simplify the loader state> <commands/boot: Add API to pass context to loader> <loader/efi/chainloader: Use grub_loader_set_ex()> Below patches for secure boot are adapted for conflicts with above: secure-core/0009 <efi: chainloader: port shim to grub> secure-core/0010 <efi: chainloader: use shim to load and verify an image> secure-core/0012 <efi: chainloader: take care of unload undershim> All of them are aligned with upstream and no changes here. Test plan: - PASS: build grub2/grub-efi. - PASS: build-image and install and boot up on lab/qemu. - PASS: check that the "stx.N" version number is right for both bios(grub2 ver) and uefi(grub-efi ver) boot. - PASS: the tests are done on lab with secure boot disabled and enabled. Closes-Bug: #2034119 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de
99 lines
3.4 KiB
Diff
99 lines
3.4 KiB
Diff
From a99c7ea281b02f14abd0911886cabbea9fc81649 Mon Sep 17 00:00:00 2001
|
|
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
|
Date: Fri, 27 Mar 2015 08:26:08 -0700
|
|
Subject: [PATCH 5/7] efi: chainloader: use shim to load and verify an image
|
|
|
|
Upstream-Status: Inappropriate [embedded specific]
|
|
|
|
The grub chainloader module uses the UEFI LoadImage service
|
|
to load a chainloaded binary. However, if such binary is not
|
|
signed by the UEFI certification authority, LoadImage will fail.
|
|
Under shim, we can use Machine-Owned Keys (MOKs) to verify an
|
|
image. Thus, in case LoadImage fails due to a security violation
|
|
we rely on the shim verification service. If successful, the
|
|
image is parsed and loaded.
|
|
|
|
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
|
---
|
|
grub-core/loader/efi/chainloader.c | 49 ++++++++++++++++++++++++------
|
|
1 file changed, 40 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
|
index 74c84a7..667b4c3 100644
|
|
--- a/grub-core/loader/efi/chainloader.c
|
|
+++ b/grub-core/loader/efi/chainloader.c
|
|
@@ -760,6 +760,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
grub_efi_uintn_t pages = 0;
|
|
grub_efi_char16_t *cmdline = NULL;
|
|
grub_efi_handle_t image_handle = NULL;
|
|
+ struct grub_shim_pe_coff_loader_image_context context;
|
|
|
|
if (argc == 0)
|
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
|
@@ -886,23 +887,53 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
|
if (status != GRUB_EFI_SUCCESS)
|
|
{
|
|
if (status == GRUB_EFI_OUT_OF_RESOURCES)
|
|
- grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources");
|
|
+ {
|
|
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources");
|
|
+ goto fail;
|
|
+ }
|
|
+ /* try with shim */
|
|
+ else if (status == GRUB_EFI_SECURITY_VIOLATION)
|
|
+ {
|
|
+ status = grub_shim_load_image (address, size, &context);
|
|
+ if (status != GRUB_EFI_SUCCESS)
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_OS, "shim cannot load image");
|
|
+ goto fail;
|
|
+ }
|
|
+ }
|
|
else
|
|
- grub_error (GRUB_ERR_BAD_OS, "cannot load image");
|
|
-
|
|
- goto fail;
|
|
+ {
|
|
+ grub_error (GRUB_ERR_BAD_OS, "cannot load image");
|
|
+ goto fail;
|
|
+ }
|
|
}
|
|
|
|
- /* LoadImage does not set a device handler when the image is
|
|
- loaded from memory, so it is necessary to set it explicitly here.
|
|
- This is a mess. */
|
|
- loaded_image = grub_efi_get_loaded_image (image_handle);
|
|
+ /* if we use shim, the UEFI load_image failed, thus, we borrow
|
|
+ * grub_efi_image_handle and restore it later
|
|
+ */
|
|
+ if (shim_used)
|
|
+ /* if we use shim, the UEFI load_image failed, thus, we borrow
|
|
+ grub_efi_image_handle and restore it later */
|
|
+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
|
|
+ else
|
|
+ /* LoadImage does not set a device handler when the image is
|
|
+ loaded from memory, so it is necessary to set it explicitly here.
|
|
+ This is a mess. */
|
|
+ loaded_image = grub_efi_get_loaded_image (image_handle);
|
|
+
|
|
if (! loaded_image)
|
|
{
|
|
grub_error (GRUB_ERR_BAD_OS, "no loaded image available");
|
|
goto fail;
|
|
}
|
|
- loaded_image->device_handle = dev_handle;
|
|
+ if (shim_used)
|
|
+ {
|
|
+ grub_memcpy(&shim_li_bak, loaded_image, sizeof(shim_li_bak));
|
|
+ loaded_image->image_base = (void *)shim_buffer;
|
|
+ loaded_image->image_size = context.image_size;
|
|
+ }
|
|
+ else
|
|
+ loaded_image->device_handle = dev_handle;
|
|
|
|
if (argc > 1)
|
|
{
|
|
--
|
|
2.25.1
|
|
|