grub2/backport-fix-CVE-2020-15705.patch

From 3ddffe5b10cba0607ceaaae8c630ce5f870decbb Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov <xnox@ubuntu.com>
Date: Wed, 22 Jul 2020 11:31:43 +0100
Subject: [PATCH] linuxefi: fail kernel validation without shim protocol.

Conflict: NA
Reference:https://src.fedoraproject.org/rpms/grub2/blob/rawhide/f/0160-linuxefi-fail-kernel-validation-without-shim-protoco.patch

If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature
validation. The booted kernel will think it was booted in secureboot
mode and will implement lockdown, yet it could have been tampered.

This version of the patch skips calling verification, when booted
without secureboot. And is indented with gnu ident.

CVE-2020-15705

Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
---
 grub-core/kern/efi/sb.c           | 14 +++++++++-----
 grub-core/loader/arm64/linux.c    | 11 ++++++-----
 grub-core/loader/i386/efi/linux.c | 11 ++++++-----
 3 files changed, 21 insertions(+), 15 deletions(-)

diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index d74778b..60cdef3 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -31,9 +31,10 @@ grub_efi_secure_boot (void)
 #ifdef GRUB_MACHINE_EFI
   grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
   grub_size_t datasize;
-  char *secure_boot = NULL;
-  char *setup_mode = NULL;
+  grub_uint8_t *secure_boot = NULL;
+  grub_uint8_t *setup_mode = NULL;
   grub_efi_boolean_t ret = 0;
+  grub_uint8_t setupmode = 0;
 
   secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
   if (datasize != 1 || !secure_boot)
@@ -47,11 +48,14 @@ grub_efi_secure_boot (void)
   if (datasize != 1 || !setup_mode)
     {
       grub_dprintf ("secureboot", "No SetupMode variable\n");
-      goto out;
     }
-  grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
+  else
+    {
+        grub_dprintf ("secure_boot", "SetupMode: %d\n", *setup_mode);
+        setupmode = *setup_mode;
+    }
 
-  if (*secure_boot && !*setup_mode)
+  if (*secure_boot && !setupmode)
     ret = 1;
 
  out:
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index a18c487..fad13cb 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -34,6 +34,7 @@
 #include <grub/i18n.h>
 #include <grub/lib/cmdline.h>
 #include <grub/verify.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -387,11 +388,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
     {
       rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size);
       if (rc <= 0)
-	{
-	  grub_error (GRUB_ERR_INVALID_COMMAND,
-		      N_("%s has invalid signature"), argv[0]);
-	  goto fail;
-	}
+        {
+          grub_error (GRUB_ERR_INVALID_COMMAND,
+                      N_("%s has invalid signature"), argv[0]);
+          goto fail;
+        }
     }
 
   pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset);
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index e613115..0a5d086 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -28,6 +28,7 @@
 #include <grub/efi/efi.h>
 #include <grub/efi/linux.h>
 #include <grub/cpu/efi/memory.h>
+#include <grub/efi/sb.h>
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -305,11 +306,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
     {
       rc = grub_linuxefi_secure_validate (kernel, filelen);
       if (rc <= 0)
-	{
-	  grub_error (GRUB_ERR_INVALID_COMMAND,
-		      N_("%s has invalid signature"), argv[0]);
-	  goto fail;
-	}
+        {
+          grub_error (GRUB_ERR_INVALID_COMMAND,
+                      N_("%s has invalid signature"), argv[0]);
+          goto fail;
+        }
     }
 
   lh = (struct linux_i386_kernel_header *)kernel;
-- 
2.19.1