ocs-bot/grub2

forked from OpenCloudOS Stream/grub2 
0274-kern-efi-sb-Enforce-verification-of-font-files.patch 2.11 KB
Jackey_1024 committed on 2023-09-19 20:20 . fix CVE-2022-2601 and CVE-2022-3775
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Zhang Boyang <[email protected]>
Date: Sun, 14 Aug 2022 15:51:54 +0800
Subject: [PATCH] kern/efi/sb: Enforce verification of font files
As a mitigation and hardening measure enforce verification of font
files. Then only trusted font files can be loaded. This will reduce the
attack surface at the cost of losing the ability of end users to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have the ability to pack fonts into their GRUB bundles.
This goal is achieved by:
* Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
skip-verification list.
* Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
so font files must be verified by a verifier before they can be loaded.
Suggested-by: Daniel Kiper <[email protected]>
Signed-off-by: Zhang Boyang <[email protected]>
Reviewed-by: Daniel Kiper <[email protected]>
(cherry picked from commit 630deb8c0d8b02b670ced4b7030414bcf17aa080)
---
grub-core/kern/efi/sb.c | 1 -
grub-core/kern/lockdown.c | 1 +
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
index 89c4bb3fd1..db42c2539f 100644
--- a/grub-core/kern/efi/sb.c
+++ b/grub-core/kern/efi/sb.c
@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
case GRUB_FILE_TYPE_TESTLOAD:
case GRUB_FILE_TYPE_GET_SIZE:
- case GRUB_FILE_TYPE_FONT:
case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
case GRUB_FILE_TYPE_CAT:
case GRUB_FILE_TYPE_HEXCAT:
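Review bot: the outcome for a file type that is no longer in this skip list is not visible in the hunk; confirm that `shim_lock_verifier_init` now returns the "must verify" result for `GRUB_FILE_TYPE_FONT` so an unsigned font is rejected with a clear verification error rather than failing later in the font loader. Since this removal changes user-visible behaviour (user-supplied fonts stop working under shim lock), the `loadfont` documentation should state that only fonts shipped in a signed GRUB image are accepted when Secure Boot is active.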
diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c
index 0bc70fd42d..af6d493cd3 100644
--- a/grub-core/kern/lockdown.c
+++ b/grub-core/kern/lockdown.c
@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
case GRUB_FILE_TYPE_ACPI_TABLE:
case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+ case GRUB_FILE_TYPE_FONT:
*flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
/* Fall through. */
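Review bot: `GRUB_VERIFY_FLAGS_DEFER_AUTH` only hands the decision to another verifier, and the hunk does not show what happens when no other verifier authenticates the font; confirm the deferred case fails closed (font not loaded) instead of falling through to an unverified load. A short comment next to the new `case GRUB_FILE_TYPE_FONT:` line explaining why fonts are deferred here, together with the removal of the type from the shim lock skip list in the first hunk, would stop a future cleanup from treating the entry as redundant.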