On Fri, Oct 11, 2024 at 05:23:04PM +0200, Julian Andres Klode wrote: > Copy the list of things that do not affect secure boot state from > the shim_lock verifier to the lockdown verifier, and change the code > there to defer for anything not in that list, rather than known > images. > > This prevents non-shim-lock systems from getting vulnerabilities in > newly added or missed "insecure" file types. > > Signed-off-by: Julian Andres Klode <julian.kl...@canonical.com> > --- > grub-core/kern/lockdown.c | 50 +++++++++++++++++++++++---------------- > 1 file changed, 30 insertions(+), 20 deletions(-) > > diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c > index af6d493cd..44ac6fd6c 100644 > --- a/grub-core/kern/lockdown.c > +++ b/grub-core/kern/lockdown.c 
> @@ -35,28 +35,38 @@ lockdown_verifier_init (grub_file_t io __attribute__ > ((unused)), > > switch (type & GRUB_FILE_TYPE_MASK) > { > - case GRUB_FILE_TYPE_GRUB_MODULE: > - case GRUB_FILE_TYPE_LINUX_KERNEL: > - case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: > - case GRUB_FILE_TYPE_XEN_HYPERVISOR: > - case GRUB_FILE_TYPE_BSD_KERNEL: > - case GRUB_FILE_TYPE_XNU_KERNEL: > - case GRUB_FILE_TYPE_PLAN9_KERNEL: > - case GRUB_FILE_TYPE_NTLDR: > - case GRUB_FILE_TYPE_TRUECRYPT: > - case GRUB_FILE_TYPE_FREEDOS: > - case GRUB_FILE_TYPE_PXECHAINLOADER: > - case GRUB_FILE_TYPE_PCCHAINLOADER: > - case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: > - case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: > - case GRUB_FILE_TYPE_ACPI_TABLE: > - case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: > - case GRUB_FILE_TYPE_FONT: > - *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; > - > - /* Fall through. */ > + /* Files that do not affect secureboot state. */ > + case GRUB_FILE_TYPE_NONE: > + case GRUB_FILE_TYPE_LOOPBACK: > + case GRUB_FILE_TYPE_LINUX_INITRD: > + case GRUB_FILE_TYPE_OPENBSD_RAMDISK: > + case GRUB_FILE_TYPE_XNU_RAMDISK: > + case GRUB_FILE_TYPE_SIGNATURE: > + case GRUB_FILE_TYPE_PUBLIC_KEY: > + case GRUB_FILE_TYPE_PUBLIC_KEY_TRUST: > + case GRUB_FILE_TYPE_PRINT_BLOCKLIST: > + case GRUB_FILE_TYPE_TESTLOAD: > + case GRUB_FILE_TYPE_GET_SIZE: > + case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY: > + case GRUB_FILE_TYPE_CAT: > + case GRUB_FILE_TYPE_HEXCAT: > + case GRUB_FILE_TYPE_CMP: > + case GRUB_FILE_TYPE_HASHLIST: > + case GRUB_FILE_TYPE_TO_HASH: > + case GRUB_FILE_TYPE_KEYBOARD_LAYOUT: > + case GRUB_FILE_TYPE_PIXMAP: > + case GRUB_FILE_TYPE_GRUB_MODULE_LIST: > + case GRUB_FILE_TYPE_CONFIG: > + case GRUB_FILE_TYPE_THEME: > + case GRUB_FILE_TYPE_GETTEXT_CATALOG: > + case GRUB_FILE_TYPE_FS_SEARCH: > + case GRUB_FILE_TYPE_LOADENV: > + case GRUB_FILE_TYPE_SAVEENV: > + case GRUB_FILE_TYPE_VERIFY_SIGNATURE: > + return GRUB_ERR_NONE;
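Review bot: the "safe" list in this hunk is a verbatim copy of the one in the shim_lock verifier (grub-core/kern/efi/sb.c), so the two will drift the next time a GRUB_FILE_TYPE_* value is added; a single shared predicate (for example a `grub_file_type_is_lockdown_safe` helper, name hypothetical) called from both verifiers would remove that risk, and the comment `/* Files that do not affect secureboot state. */` should say where the canonical list lives. Also, the quoted hunk ends at `return GRUB_ERR_NONE;` and removes the old `*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;` assignment, so the default branch that the commit message says defers "anything not in that list" is not visible here; please confirm the remainder of the switch sets GRUB_VERIFY_FLAGS_DEFER_AUTH for every other type, since an unlisted type now skips the early return and depends entirely on that default.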
Instead of keeping the same list in both places, would it not be easier to have a func in grub-core/kern/lockdown.c which returns a bool and is called from both grub-core/kern/lockdown.c and grub-core/kern/efi/sb.c?

Daniel