Copy the list of things that do not affect secure boot state from
the shim_lock verifier to the lockdown verifier, and change the code
there to defer for anything not in that list, rather than known
images.

This prevents non-shim-lock systems from being exposed to vulnerabilities
through newly added or missed "insecure" file types.

Signed-off-by: Julian Andres Klode <julian.kl...@canonical.com>
---
 grub-core/kern/lockdown.c | 50 +++++++++++++++++++++++----------------
 1 file changed, 30 insertions(+), 20 deletions(-)

diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index af6d493cd..44ac6fd6c 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -35,28 +35,38 @@ lockdown_verifier_init (grub_file_t io __attribute__ 
((unused)),
 
   switch (type & GRUB_FILE_TYPE_MASK)
     {
-    case GRUB_FILE_TYPE_GRUB_MODULE:
-    case GRUB_FILE_TYPE_LINUX_KERNEL:
-    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
-    case GRUB_FILE_TYPE_XEN_HYPERVISOR:
-    case GRUB_FILE_TYPE_BSD_KERNEL:
-    case GRUB_FILE_TYPE_XNU_KERNEL:
-    case GRUB_FILE_TYPE_PLAN9_KERNEL:
-    case GRUB_FILE_TYPE_NTLDR:
-    case GRUB_FILE_TYPE_TRUECRYPT:
-    case GRUB_FILE_TYPE_FREEDOS:
-    case GRUB_FILE_TYPE_PXECHAINLOADER:
-    case GRUB_FILE_TYPE_PCCHAINLOADER:
-    case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER:
-    case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
-    case GRUB_FILE_TYPE_ACPI_TABLE:
-    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
-    case GRUB_FILE_TYPE_FONT:
-      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
-
-      /* Fall through. */
+    /* Files that do not affect secureboot state. */
+    case GRUB_FILE_TYPE_NONE:
+    case GRUB_FILE_TYPE_LOOPBACK:
+    case GRUB_FILE_TYPE_LINUX_INITRD:
+    case GRUB_FILE_TYPE_OPENBSD_RAMDISK:
+    case GRUB_FILE_TYPE_XNU_RAMDISK:
+    case GRUB_FILE_TYPE_SIGNATURE:
+    case GRUB_FILE_TYPE_PUBLIC_KEY:
+    case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST:
+    case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
+    case GRUB_FILE_TYPE_TESTLOAD:
+    case GRUB_FILE_TYPE_GET_SIZE:
+    case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
+    case GRUB_FILE_TYPE_CAT:
+    case GRUB_FILE_TYPE_HEXCAT:
+    case GRUB_FILE_TYPE_CMP:
+    case GRUB_FILE_TYPE_HASHLIST:
+    case GRUB_FILE_TYPE_TO_HASH:
+    case GRUB_FILE_TYPE_KEYBOARD_LAYOUT:
+    case GRUB_FILE_TYPE_PIXMAP:
+    case GRUB_FILE_TYPE_GRUB_MODULE_LIST:
+    case GRUB_FILE_TYPE_CONFIG:
+    case GRUB_FILE_TYPE_THEME:
+    case GRUB_FILE_TYPE_GETTEXT_CATALOG:
+    case GRUB_FILE_TYPE_FS_SEARCH:
+    case GRUB_FILE_TYPE_LOADENV:
+    case GRUB_FILE_TYPE_SAVEENV:
+    case GRUB_FILE_TYPE_VERIFY_SIGNATURE:
+      return GRUB_ERR_NONE;
 
     default:
+      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
       return GRUB_ERR_NONE;
     }
 }
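Review bot: The new `default:` branch at the end of the hunk is now the fail-closed path for every file type not in the allowlist, but nothing in the code says so, and the allowlist above it is a verbatim copy of the shim_lock verifier's list that will drift silently if either side is edited alone. I would extend the `/* Files that do not affect secureboot state. */` comment to state the contract and the coupling, e.g. `/* Keep in sync with shim_lock_verifier_init; anything not listed here falls through to default and is deferred to another verifier. */`, and put `/* Unknown or security-relevant types: require authentication by another verifier. */` above the added `*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;`. The allowlist branches return without assigning `*flags`, so they depend on whatever the function's prologue set before the switch; that prologue and the function signature are outside the hunk, so it is worth confirming `*flags` is always initialised on that path.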
-- 
2.45.2

