path: root/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/0001-grub-verify-Add-strict_security-variable.patch
From 9f330999565e1e82ce5b9460ffefa933cc47d67c Mon Sep 17 00:00:00 2001
From: Jason Wessel <jason.wessel@windriver.com>
Date: Thu, 17 Oct 2019 12:35:01 -0700
Subject: [PATCH] grub verify: Add strict_security variable

With strict_security set to 1, it is impossible to change the value of
check_signatures.  It will also cause grub to reboot instead of
allowing a rescue or grub shell, which could allow an end user to
alter boot arguments or load some other binary.

Upstream-Status: Pending

Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
---
 grub-core/commands/pgp.c | 16 +++++++++++++++-
 grub-core/kern/main.c    |  9 +++++++++
 grub-core/normal/main.c  |  7 +++++--
 3 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 5daa1e9..ed8514c 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
 }
 
 static int sec = 0;
+static int strict_sec = 0;
 
 static grub_err_t
 grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
@@ -918,10 +919,21 @@ static char *
 grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
 		    const char *val)
 {
-  sec = (*val == '1') || (*val == 'e');
+  if (!strict_sec)
+    sec = (*val == '1') || (*val == 'e');
   return grub_strdup (sec ? "enforce" : "no");
 }
 
+static char *
+grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
+			   const char *val)
+{
+  /* once it is set, it is a one way transition */
+  if (!strict_sec)
+    strict_sec = (*val == '1') || (*val == 'e');
+  return grub_strdup (strict_sec ? "enforce" : "no");
+}
+
 static grub_ssize_t 
 pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
 {
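Review bot: Latching `strict_sec` in `grub_env_write_strict_sec` freezes `sec` at whatever value it holds at that moment, so setting `strict_security=1` while `check_signatures` is still `no` leaves signature verification off for the rest of the boot with no way to turn it on. If strict mode is meant to imply enforcement, force it when the latch engages, e.g. `if (strict_sec) sec = 1;` after the assignment (the stored `check_signatures` string would then need refreshing too), or at least document above the hook that `check_signatures=enforce` must be set first. A write rejected by the latch in `grub_env_write_sec` is also silent; the returned string is the only sign that the value was not changed. `pseudo_read` at the end of the hunk continues outside it.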
@@ -961,7 +973,9 @@ GRUB_MOD_INIT(pgp)
     sec = 0;
 
   grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
+  grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
   grub_env_export ("check_signatures");
+  grub_env_export ("strict_security");
 
   grub_pk_trusted = 0;
   FOR_MODULES (header)
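Review bot: The `strict_security` hook is registered here, but this patch has no matching teardown hunk. If the module's fini path (not shown in this diff) clears the `check_signatures` hook, `strict_security` would keep a hook pointer into an unloaded module, and the `strict_sec` latch would reset to 0 on a reload. Either clear the hook symmetrically in fini or, better for a one-way control, prevent the module from being unloaded once `strict_sec` is set. No initial value is assigned to the variable here, so readers of `grub_env_get ("strict_security")` must treat unset or empty as "off"; the two callers added by this patch do. `GRUB_MOD_INIT(pgp)` starts and ends outside the hunk.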
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 73967e2..86e7f35 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -30,6 +30,7 @@
 #include <grub/reader.h>
 #include <grub/parser.h>
 #include <grub/verify.h>
+#include <grub/time.h>
 
 #ifdef GRUB_MACHINE_PCBIOS
 #include <grub/machine/memory.h>
@@ -312,5 +313,13 @@ grub_main (void)
   grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
 
   grub_load_normal_mode ();
+  const char *val = grub_env_get ("strict_security");
+  if (val && (val[0] == '1' || val[0] == 'e'))
+    while (1) {
+      grub_printf("Boot configuration error - Attempting reboot\n");
+      grub_sleep(3);
+      grub_dl_load ("reboot");
+      grub_command_execute ("reboot", 0, 0);
+    }
   grub_rescue_run ();
 }
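Review bot: The reboot decision in `grub_main` re-parses the `strict_security` environment string rather than using the latched state, and that string is only write-protected while the hook from grub-core/commands/pgp.c is registered; in an image without that module it is presumably an ordinary, freely writable variable. The same `val[0] == '1' || val[0] == 'e'` test is repeated in the grub-core/normal/main.c hunk, so one kernel-level helper, e.g. `grub_is_strict_security ()` (name is a suggestion), would keep the parsers from drifting apart. The results of `grub_dl_load` and `grub_command_execute` are ignored inside the loop; it still fails closed, but calling `grub_print_error ()` after a failure would tell the operator why the reboot did not happen. Style: `grub_printf(` and `grub_sleep(` lack the space before the parenthesis that the neighbouring calls use.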
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index c4ebe9e..2c3f4f8 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -302,8 +302,11 @@ grub_enter_normal_mode (const char *config)
   grub_boot_time ("Entering normal mode");
   nested_level++;
   grub_normal_execute (config, 0, 0);
-  grub_boot_time ("Entering shell");
-  grub_cmdline_run (0, 1);
+  const char *val = grub_env_get ("strict_security");
+  if (!(val && (val[0] == '1' || val[0] == 'e'))) {
+    grub_boot_time ("Entering shell");
+    grub_cmdline_run (0, 1);
+  }
   nested_level--;
   if (grub_normal_exit_level)
     grub_normal_exit_level--;
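Review bot: The strict branch in `grub_enter_normal_mode` skips the command line with no comment on what happens next, so a reader has to find the reboot loop in grub-core/kern/main.c to see why returning is acceptable. Add something like `/* strict_security: never offer a shell; return so grub_main can reboot. */` above the `if`. That reasoning assumes the function was reached through `grub_main`'s normal-mode load, which this hunk does not show, so confirm that no other caller relies on the shell as its fallback. The function body starts and ends outside the hunk.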
-- 
2.17.1