Tree - rpms/grub2 - src.fedoraproject.org

rpms / grub2

Blame 0286-kern-efi-sb-Enforce-verification-of-font-files.patch

Blob History Raw

		ed1787d	`From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001`
		ed1787d	`From: Zhang Boyang <zhangboyang.id@gmail.com>`
		ed1787d	`Date: Sun, 14 Aug 2022 15:51:54 +0800`
		ed1787d	`Subject: [PATCH] kern/efi/sb: Enforce verification of font files`
		ed1787d
		ed1787d	`As a mitigation and hardening measure enforce verification of font`
		ed1787d	`files. Then only trusted font files can be load. This will reduce the`
		ed1787d	`attack surface at cost of losing the ability of end-users to customize`
		ed1787d	`fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize`
		ed1787d	`fonts because they have ability to pack fonts into their GRUB bundles.`
		ed1787d
		ed1787d	`This goal is achieved by:`
		ed1787d
		ed1787d	`* Removing GRUB_FILE_TYPE_FONT from shim lock verifier's`
		ed1787d	`skip-verification list.`
		ed1787d
		ed1787d	`* Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,`
		ed1787d	`so font files must be verified by a verifier before they can be loaded.`
		ed1787d
		ed1787d	`Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>`
		ed1787d	`Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>`
		ed1787d	`Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>`
		ed1787d	`(cherry picked from commit 630deb8c0d8b02b670ced4b7030414bcf17aa080)`
		ed1787d	`---`
		ed1787d	`grub-core/kern/efi/sb.c \| 1 -`
		ed1787d	`grub-core/kern/lockdown.c \| 1 +`
		ed1787d	`2 files changed, 1 insertion(+), 1 deletion(-)`
		ed1787d
		ed1787d	`diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c`
		ed1787d	`index 89c4bb3fd1..db42c2539f 100644`
		ed1787d	`--- a/grub-core/kern/efi/sb.c`
		ed1787d	`+++ b/grub-core/kern/efi/sb.c`
		ed1787d	`@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),`
		ed1787d	`case GRUB_FILE_TYPE_PRINT_BLOCKLIST:`
		ed1787d	`case GRUB_FILE_TYPE_TESTLOAD:`
		ed1787d	`case GRUB_FILE_TYPE_GET_SIZE:`
		ed1787d	`- case GRUB_FILE_TYPE_FONT:`
		ed1787d	`case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:`
		ed1787d	`case GRUB_FILE_TYPE_CAT:`
		ed1787d	`case GRUB_FILE_TYPE_HEXCAT:`
		ed1787d	`diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c`
		ed1787d	`index 0bc70fd42d..af6d493cd3 100644`
		ed1787d	`--- a/grub-core/kern/lockdown.c`
		ed1787d	`+++ b/grub-core/kern/lockdown.c`
		ed1787d	`@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),`
		ed1787d	`case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:`
		ed1787d	`case GRUB_FILE_TYPE_ACPI_TABLE:`
		ed1787d	`case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:`
		ed1787d	`+ case GRUB_FILE_TYPE_FONT:`
		ed1787d	`*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;`
		ed1787d
		ed1787d	`/* Fall through. */`

rpms / grub2

Source Code

Blame 0286-kern-efi-sb-Enforce-verification-of-font-files.patch