From: Krystian Hebel
To: grub-devel@gnu.org
Cc: Norbert Kaminski
Subject: [GRUB PATCH RFC 12/22] i386/efi: Report UEFI Secure Boot status to the Linux kernel
Date: Tue, 10 Nov 2020 15:44:50 +0100
Message-Id: <20201110144500.31606-13-krystian.hebel@3mdeb.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20201110144500.31606-1-krystian.hebel@3mdeb.com>
References: <20201110144500.31606-1-krystian.hebel@3mdeb.com>
List-Id: The development of GNU GRUB

From: Norbert Kaminski

Otherwise the kernel does not know its state and cannot enable various security features depending on UEFI Secure Boot.

Signed-off-by: Ignat Korchagin
Signed-off-by: Daniel Kiper
Signed-off-by: Norbert Kaminski
---
 grub-core/loader/i386/linux.c | 86 ++++++++++++++++++++++++++++++++++-
 include/grub/i386/linux.h     | 14 +++++-
 2 files changed, 97 insertions(+), 3 deletions(-)

diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 976af3fae873..940ce0f98bca 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -397,6 +397,87 @@ grub_linux_boot_mmap_fill (grub_uint64_t addr, grub_uint64_t size, return 0; } +#ifdef GRUB_MACHINE_EFI +/* + * Determine whether we're in secure boot mode. + * + * Please keep the logic in sync with the Linux kernel, + * drivers/firmware/efi/libstub/secureboot.c:efi_get_secureboot(). + */ +static grub_uint8_t +grub_efi_get_secureboot (void) +{ + grub_efi_guid_t efi_variable_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID; + grub_efi_guid_t efi_shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID; + grub_efi_status_t status; + grub_efi_uint32_t attr = 0; + grub_size_t size = 0; + grub_uint8_t *secboot = NULL; + grub_uint8_t *setupmode = NULL; + grub_uint8_t *moksbstate = NULL; + grub_uint8_t secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN; + const char *secureboot_str = "UNKNOWN"; + + status = grub_efi_get_variable ("SecureBoot", &efi_variable_guid, + &size, (void **) &secboot); + + if (status == GRUB_EFI_NOT_FOUND) + { + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; + } + + if (status != GRUB_EFI_SUCCESS) + goto out; + + status = grub_efi_get_variable ("SetupMode", &efi_variable_guid, + &size, (void **) &setupmode); + + if (status != GRUB_EFI_SUCCESS) + goto out; + + if ((*secboot == 0) || (*setupmode == 1)) + { + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + goto out; + } + + /* + * See if a user has put the shim into insecure mode. If so, and if the + * variable doesn't have the runtime attribute set, we might as well + * honor that. + */ + status = grub_efi_get_variable_with_attributes ("MokSBState", &efi_shim_lock_guid, + &size, (void **) &moksbstate, &attr); + + /* If it fails, we don't care why. Default to secure. 
*/ + if (status != GRUB_EFI_SUCCESS) + { + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + goto out; + } + + if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED; + + secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED; + + out: + grub_free (moksbstate); + grub_free (setupmode); + grub_free (secboot); + + if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED) + secureboot_str = "Disabled"; + else if (secureboot == GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED) + secureboot_str = "Enabled"; + + grub_dprintf ("linux", "UEFI Secure Boot state: %s\n", secureboot_str); + + return secureboot; +} +#endif + static grub_err_t grub_linux_boot (void) { @@ -583,6 +664,9 @@ grub_linux_boot (void) grub_efi_uintn_t efi_desc_size; grub_size_t efi_mmap_target; grub_efi_uint32_t efi_desc_version; + + ctx.params->secure_boot = grub_efi_get_secureboot (); + err = grub_efi_finish_boot_services (&efi_mmap_size, efi_mmap_buf, NULL, &efi_desc_size, &efi_desc_version); if (err) @@ -794,7 +878,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR; linux_params.kernel_alignment = (1 << align); - linux_params.ps_mouse = linux_params.padding10 = 0; + linux_params.ps_mouse = linux_params.padding11 = 0; linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE; /* These two are used (instead of cmd_line_ptr) by older versions of Linux, diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h index ce30e7fb01b9..6aea73ddb145 100644 --- a/include/grub/i386/linux.h +++ b/include/grub/i386/linux.h 
@@ -49,6 +49,12 @@ /* Maximum number of MBR signatures to store. */ #define EDD_MBR_SIG_MAX 16 +/* Possible values for Linux secure_boot kernel parameter. */ +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNSET 0 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_UNKNOWN 1 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED 2 +#define GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED 3 + #ifdef __x86_64__ #define GRUB_LINUX_EFI_SIGNATURE \ @@ -275,7 +281,11 @@ struct linux_kernel_params grub_uint8_t mmap_size; /* 1e8 */ - grub_uint8_t padding9[0x1f1 - 0x1e9]; + grub_uint8_t padding9[0x1ec - 0x1e9]; + + grub_uint8_t secure_boot; /* 1ec */ + + grub_uint8_t padding10[0x1f1 - 0x1ed]; /* Linux setup header copy - BEGIN. */ grub_uint8_t setup_sects; /* The size of the setup in sectors */ @@ -286,7 +296,7 @@ struct linux_kernel_params grub_uint16_t vid_mode; /* Video mode control */ grub_uint16_t root_dev; /* Default root device number */ - grub_uint8_t padding10; /* 1fe */ + grub_uint8_t padding11; /* 1fe */ grub_uint8_t ps_mouse; /* 1ff */ grub_uint16_t jump; /* Jump instruction */ -- 2.17.1
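Review bot: In the first linux.c hunk (the new grub_efi_get_secureboot), the MokSBState result is thrown away: the line `if (!(attr & GRUB_EFI_VARIABLE_RUNTIME_ACCESS) && *moksbstate == 1) secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_DISABLED;` is immediately followed by the unconditional `secureboot = GRUB_LINUX_EFI_SECUREBOOT_MODE_ENABLED;`, so the function reports Enabled even in the case the comment above it says it wants to honour. Add `goto out;` after the DISABLED assignment, or make the ENABLED assignment the `else` branch of that `if`. Two smaller points in the same hunk: `*secboot` and `*setupmode` are dereferenced without checking that the returned `size` is at least one byte, so a length check before each read would make the decision explicit rather than depend on what the helper hands back for a zero-length variable; and `grub_efi_get_variable_with_attributes` is not introduced here, so the commit message should state which earlier patch in the series this one depends on.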
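Review bot: In the second linux.c hunk, `ctx.params->secure_boot = grub_efi_get_secureboot ();` is placed before the `grub_efi_finish_boot_services` call, which is the right order since GRUB can no longer call firmware services once that function has run; a one-line comment saying the assignment must stay ahead of that call would keep a later reordering from silently breaking the variable reads.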
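Review bot: In the first linux.h hunk, the comment `Possible values for Linux secure_boot kernel parameter.` is misleading: `secure_boot` is a byte in the boot parameters structure handed to the kernel, not a command-line parameter, and the four values (unset, unknown, disabled, enabled, in that order) are evidently chosen to match the kernel's own secure boot mode enumeration; naming that in the comment, as the linux.c comment already does for the logic, makes the keep-in-sync requirement explicit.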
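Review bot: In the second linux.h hunk the offset arithmetic holds: `padding9[0x1ec - 0x1e9]` is 3 bytes, `secure_boot` sits at 0x1ec, `padding10[0x1f1 - 0x1ed]` is 4 bytes, 8 bytes in total, the same as the removed `padding9[0x1f1 - 0x1e9]`, so `setup_sects` stays at 0x1f1. For readability give the new `padding10` an offset comment like the neighbouring fields, and mention in the commit message that the old `padding10` is renamed to `padding11` in the third linux.h hunk, which is the only reason the `ps_mouse` line in linux.c changes.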