From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Daniel Axtens Date: Mon, 28 Sep 2020 11:11:17 +1000 Subject: [PATCH] ieee1275: link appended-signature enforcement to /ibm,secure-boot If the 'ibm,secure-boot' property of the root node is 2 or greater, require that the kernel pass appended-signature verification. Do not consider the presence of a certificate to enforce verification. Signed-off-by: Daniel Axtens --- grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++------- grub-core/kern/ieee1275/init.c | 26 ++++++++++++++++ 2 files changed, 60 insertions(+), 10 deletions(-) diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c index 1fbc942254a..6efe58ce8b2 100644 --- a/grub-core/commands/appendedsig/appendedsig.c +++ b/grub-core/commands/appendedsig/appendedsig.c @@ -95,10 +95,24 @@ static char * grub_env_write_sec (struct grub_env_var *var __attribute__((unused)), const char *val) { + if (check_sigs == 2) + return grub_strdup ("forced"); check_sigs = (*val == '1') || (*val == 'e'); return grub_strdup (check_sigs ? "enforce" : "no"); } +static const char * +grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)), + const char *val __attribute__ ((unused))) +{ + if (check_sigs == 2) + return "forced"; + else if (check_sigs == 1) + return "enforce"; + else + return "no"; +} + static grub_err_t read_cert_from_file (grub_file_t f, struct x509_certificate *certificate) { @@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig) val = grub_env_get ("check_appended_signatures"); grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val); - if (val && (val[0] == '1' || val[0] == 'e')) - check_sigs = 1; - else - check_sigs = 0; + if (val) + { + if (val[0] == '2' || val[0] == 'f') + check_sigs = 2; + else if (val[0] == '1' || val[0] == 'e') + check_sigs = 1; + else + check_sigs = 0; + } grub_trusted_key = NULL; - grub_register_variable_hook ("check_appended_signatures", 0, + grub_register_variable_hook ("check_appended_signatures", + grub_env_read_sec, grub_env_write_sec); grub_env_export ("check_appended_signatures"); @@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig) grub_trusted_key = pk; } - if (!val || val[0] == '\0') - { - grub_env_set ("check_appended_signatures", - grub_trusted_key ? "enforce" : "no"); - } + /* + * When controlled by ibm,secure-boot, we don't want the presence of + * a certificate to enforce secure boot. + * if (!val || val[0] == '\0') + * { + * grub_env_set ("check_appended_signatures", + * grub_trusted_key ? "enforce" : "no"); + * } + */ cmd_trust = grub_register_command ("trust_certificate", grub_cmd_trust, diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c index 937c1bc44cb..5df2e0efae7 100644 --- a/grub-core/kern/ieee1275/init.c +++ b/grub-core/kern/ieee1275/init.c @@ -271,6 +271,30 @@ grub_parse_cmdline (void) } } +static void +grub_get_ieee1275_secure_boot (void) +{ + grub_ieee1275_phandle_t root; + int rc; + grub_uint32_t is_sb; + + grub_ieee1275_finddevice ("/", &root); + + rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb, + sizeof (is_sb), 0); + + /* ibm,secure-boot: + * 0 - disabled + * 1 - audit + * 2 - enforce + * 3 - enforce + OS-specific behaviour + * + * We only support enforce. + */ + if (rc >= 0 && is_sb >= 2) + grub_env_set("check_appended_signatures", "forced"); +} + grub_addr_t grub_modbase; void @@ -296,6 +320,8 @@ grub_machine_init (void) #else grub_install_get_time_ms (grub_rtc_get_time_ms); #endif + + grub_get_ieee1275_secure_boot (); } void