kern/efi/sb: Enforce verification of font files
authorZhang Boyang <zhangboyang.id@gmail.com>
Sun, 14 Aug 2022 07:51:54 +0000 (15:51 +0800)
committerDaniel Kiper <daniel.kiper@oracle.com>
Mon, 14 Nov 2022 19:24:39 +0000 (20:24 +0100)
As a mitigation and hardening measure, enforce verification of font
files, so that only trusted font files can be loaded. This reduces the
attack surface at the cost of end users losing the ability to customize
fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
fonts because they have the ability to pack fonts into their GRUB bundles.

This goal is achieved by:

  * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
    skip-verification list.

  * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
    so font files must be verified by a verifier before they can be loaded.

Suggested-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Zhang Boyang <zhangboyang.id@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/kern/efi/sb.c
grub-core/kern/lockdown.c

index 89c4bb3fd101e815e3489824620103fef29f6ac0..db42c2539f4e425d7f2f95f0a06ace1bba5f90e8 100644 (file)
@@ -145,7 +145,6 @@ shim_lock_verifier_init (grub_file_t io __attribute__ ((unused)),
     case GRUB_FILE_TYPE_PRINT_BLOCKLIST:
     case GRUB_FILE_TYPE_TESTLOAD:
     case GRUB_FILE_TYPE_GET_SIZE:
-    case GRUB_FILE_TYPE_FONT:
     case GRUB_FILE_TYPE_ZFS_ENCRYPTION_KEY:
     case GRUB_FILE_TYPE_CAT:
     case GRUB_FILE_TYPE_HEXCAT:
index 0bc70fd42d60987d5564018a9d3e6ea61c9aecdc..af6d493cd352cecb418017f885d885000d7f445a 100644 (file)
@@ -51,6 +51,7 @@ lockdown_verifier_init (grub_file_t io __attribute__ ((unused)),
     case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE:
     case GRUB_FILE_TYPE_ACPI_TABLE:
     case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
+    case GRUB_FILE_TYPE_FONT:
       *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
 
       /* Fall through. */
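Review bot: The new `case GRUB_FILE_TYPE_FONT:` in lockdown_verifier_init has no comment explaining why a font sits alongside chainloaded images, ACPI tables and device trees, so the rationale lives only in the commit message. I would add above it `/* Fonts are untrusted input to the font loader; require authentication to reduce attack surface. */`. Since `GRUB_VERIFY_FLAGS_DEFER_AUTH` only hands the decision to another verifier, it is also worth confirming that every code path that opens a font does so with `GRUB_FILE_TYPE_FONT`, because a font opened under a different file type would presumably never reach this case. The commit touches only sb.c and lockdown.c, so the loss of user font customization under UEFI Secure Boot appears to be undocumented for users, and a note in the manual would help. The switch statement continues outside this hunk.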