packages/grub2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
grub2/backport-kern-efi-sb-Enforce-verification-of-font-files.patch
zhangqiumiao a15cb45a1a fix CVE-2022-2601 and CVE-2022-3775 
Signed-off-by: zhangqiumiao <zhangqiumiao1@huawei.com>
2022-11-18 17:42:24 +08:00

58 lines
2.1 KiB
Diff
Raw Blame History

From 93a786a00163e50c29f0394df198518617e1c9a5 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <zhangboyang.id@gmail.com>
Date: Sun, 14 Aug 2022 15:51:54 +0800
Subject: [PATCH 08/13] kern/efi/sb: Enforce verification of font files
As a mitigation and hardening measure enforce verification of font
files. Then only trusted font files can be load. This will reduce the
attack surface at cost of losing the ability of end-users to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have ability to pack fonts into their GRUB bundles.
This goal is achieved by:
* Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
skip-verification list.
* Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
so font files must be verified by a verifier before they can be
loaded.
Conflict:grub-core/kern/efi/sb.c -> grub-core/commands/efi/shim_lock.c
Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/efi/shim_lock.c | 1 +
grub-core/kern/lockdown.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/grub-core/commands/efi/shim_lock.c b/grub-core/commands/efi/shim_lock.c
index 764098c..42f088a 100644
--- a/grub-core/commands/efi/shim_lock.c
+++ b/grub-core/commands/efi/shim_lock.c
@@ -82,6 +82,7 @@ shim_lock_init (grub_file_t io, enum grub_file_type type,
case GRUB_FILE_TYPE_ACPI_TABLE:
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+ case GRUB_FILE_TYPE_FONT:
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
return GRUB_ERR_NONE;
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index 0bc70fd..af6d493 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
case GRUB_FILE_TYPE_ACPI_TABLE:
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+ case GRUB_FILE_TYPE_FONT:
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
/* Fall through. */
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink