| author | Jussi Keranen <jussi.keranen@vincit.com> | 2021-02-02 10:18:59 +0200 |
|---|---|---|
| committer | Jia Zhang <zhang.jia@linux.alibaba.com> | 2021-02-02 18:55:52 +0800 |
| commit | 64097c52a0db6f3551af62651186fcfc6bca057d (patch) | |
| tree | e66ee1abda317b46001b1cbe71bd44f4aa04cb82 | |
| parent | d72746bfa7b2466fe16fb636314ec0cee319f6d4 (diff) | |
| download | meta-secure-core-64097c52a0db6f3551af62651186fcfc6bca057d.tar.gz | |
Grub: Verify buffiles, e.g. fonts and images
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc | 4 | ||||
| -rw-r--r-- | meta-efi-secure-boot/recipes-bsp/grub/grub-efi/verify-all-buffiles.patch | 30 |
2 files changed, 33 insertions, 1 deletions
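--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -9,7 +9,9 @@ EXTRA_SRC_URI = "\
 
 GRUB_MOKVERIFY_PATCH = " \
 file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
-file://mok2verify-multiboot.patch"
+file://mok2verify-multiboot.patch \
+file://verify-all-buffiles.patch \
+"
 
 SRC_URI += "\
 file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \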
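--- /dev/null
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/verify-all-buffiles.patch
@@ -0,0 +1,30 @@
+--- a/grub-core/io/bufio.c 2021-02-02 07:35:26.062890543 +0000
++++ b/grub-core/io/bufio.c 2021-02-02 07:41:06.659570989 +0000
+@@ -24,6 +24,9 @@
+#include <grub/fs.h>
+#include <grub/bufio.h>
+#include <grub/dl.h>
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/mok2verify.h>
++#endif
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+@@ -91,7 +94,17 @@
+grub_buffile_open (const char *name, enum grub_file_type type, grub_size_t size)
+{
+grub_file_t io, file;
++#ifdef GRUB_MACHINE_EFI
++ grub_err_t err;
+
++ err = grub_verify_file (name);
++ if (err != GRUB_ERR_NONE)
++ {
++ grub_error (err, "Security Violation: %s failed to load", name);
++ grub_print_error ();
++ grub_halt();
++ }
++#endif
+io = grub_file_open (name, type);
+if (! io)
+return 0;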
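Review bot: The verification in grub_buffile_open is done on the path string before grub_file_open looks the same path up again, so the bytes checked by grub_verify_file and the bytes later buffered come from two separate lookups; unless grub_verify_file pins the file it read (not visible here), verifying the handle returned by grub_file_open would tie the check to the data actually used, though the rest of grub_buffile_open lies outside the hunk. The grub_halt() on any non-GRUB_ERR_NONE result is a deliberate fail-closed choice that deserves a comment at the call site, e.g. `/* Fail closed: a buffile (font, image) that cannot be verified halts the boot instead of being loaded unsigned. */`. The patch file itself begins at the `--- a/grub-core/io/bufio.c` line with no description, `Upstream-Status:` or `Signed-off-by:` header, which Yocto layer convention expects for carried patches. Minor: `grub_halt();` should be `grub_halt ();` to match the GNU spacing used by `grub_verify_file (name)` and `grub_print_error ()` on the adjacent lines.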
