git.ipfire.org Git - thirdparty/grub.git/commit
shim_lock: Only skip loading shim_lock verifier with explicit consent
author Dimitri John Ledkov <xnox@ubuntu.com>
Sat, 20 Feb 2021 17:10:34 +0000 (17:10 +0000)
committer Daniel Kiper <daniel.kiper@oracle.com>
Tue, 2 Mar 2021 14:54:19 +0000 (15:54 +0100)
commit 968de8c23c1cba0f18230f778ebcf6c412ec8ec5
tree 44c3961d70dac882a1b5e3c828472f526eb74aa8
parent bb51ee2b49fbda0f66c1fa580a33442ff578f110
shim_lock: Only skip loading shim_lock verifier with explicit consent

Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled) reintroduced CVE-2020-15705 which
previously only existed in the out-of-tree linuxefi patches and was
fixed as part of the BootHole patch series.

Under Secure Boot enforce loading shim_lock verifier. Allow skipping
shim_lock verifier if SecureBoot/MokSBState EFI variables indicate
skipping validations, or if GRUB image is built with --disable-shim-lock.

Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock
       protocol is found and SB enabled)
Fixes: CVE-2020-15705
Fixes: CVE-2021-3418
Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
docs/grub.texi
grub-core/kern/efi/sb.c
include/grub/kernel.h
include/grub/util/install.h
util/grub-install-common.c
util/grub-mkimage.c
util/mkimage.c
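The policy the commit message states (under Secure Boot the shim_lock verifier is mandatory; it may be skipped only when the SecureBoot/MokSBState variables say validation is off, or when the image was built with --disable-shim-lock) modelled as a small C decision routine. This is an added example, not code from this commit or from GRUB: the struct and enum names are invented, and the SetupMode check and the rule that a runtime-accessible MokSBState is ignored are assumptions drawn from my reading of grub-core/kern/efi/sb.c, not from this page. The constructed scenarios in main() show why the MokSBState attribute check matters: a copy of the variable that the OS could write at runtime is not trusted as consent.

```c
/* Added example: a model of the shim_lock enforcement decision, not GRUB code.
 * Names, the SetupMode check and the MokSBState attribute rule are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define EFI_VARIABLE_RUNTIME_ACCESS 0x00000004u   /* UEFI spec attribute bit */

/* A UEFI variable as GetVariable() would return it; SecureBoot, SetupMode and
 * MokSBState are all single-byte values. */
struct efivar {
    bool present;      /* false models EFI_NOT_FOUND */
    uint32_t attrs;    /* variable attribute bits */
    uint8_t value;
};

enum sb_mode { SB_UNKNOWN, SB_DISABLED, SB_ENABLED };

/* Derive the Secure Boot mode from the firmware variables. */
enum sb_mode secureboot_mode(struct efivar secure_boot, struct efivar setup_mode,
                             struct efivar mok_sb_state)
{
    /* Firmware without Secure Boot support exposes no SecureBoot variable. */
    if (!secure_boot.present || !setup_mode.present)
        return SB_DISABLED;
    /* SB switched off, or the platform is in setup mode. */
    if (secure_boot.value == 0 || setup_mode.value == 1)
        return SB_DISABLED;
    /* MokSBState == 1 records that the user asked shim to skip validation.
     * Only a boot-services-only copy counts: a variable that is writable at
     * runtime could have been planted from the running OS (assumption). */
    if (mok_sb_state.present &&
        !(mok_sb_state.attrs & EFI_VARIABLE_RUNTIME_ACCESS) &&
        mok_sb_state.value == 1)
        return SB_DISABLED;
    return SB_ENABLED;
}

enum shim_lock_action { SKIP_VERIFIER, REGISTER_VERIFIER, HALT_NO_SHIM_LOCK };

/* The policy from the commit message: skipping the verifier needs explicit
 * consent, either from the variables or from a --disable-shim-lock build. */
enum shim_lock_action shim_lock_decision(enum sb_mode mode,
                                         bool shim_lock_protocol_found,
                                         bool built_with_disable_shim_lock)
{
    if (built_with_disable_shim_lock)
        return SKIP_VERIFIER;            /* build-time consent */
    if (mode != SB_ENABLED)
        return SKIP_VERIFIER;            /* variables say validation is off */
    if (!shim_lock_protocol_found)
        return HALT_NO_SHIM_LOCK;        /* SB on but no shim to verify with */
    return REGISTER_VERIFIER;
}

static const char *action_name(enum shim_lock_action a)
{
    return a == SKIP_VERIFIER ? "skip verifier"
         : a == REGISTER_VERIFIER ? "register verifier" : "halt: shim_lock missing";
}

int main(void)
{
    /* Constructed scenarios (attrs 0x3 = NV|BS, 0x7 = NV|BS|RT). */
    struct efivar sb_on  = { true, 0x6, 1 }, sb_off = { true, 0x6, 0 };
    struct efivar user_mode = { true, 0x6, 0 };
    struct efivar mok_bs = { true, 0x3, 1 }, mok_rt = { true, 0x7, 1 }, mok_none = { false, 0, 0 };

    printf("SB on, no MokSBState, shim present : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_on, user_mode, mok_none), true, false)));
    printf("SB on, no MokSBState, shim missing : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_on, user_mode, mok_none), false, false)));
    printf("SB on, MokSBState=1 (BS only)      : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_on, user_mode, mok_bs), false, false)));
    printf("SB on, MokSBState=1 (RT writable)  : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_on, user_mode, mok_rt), false, false)));
    printf("SB off                             : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_off, user_mode, mok_none), false, false)));
    printf("SB on, --disable-shim-lock build   : %s\n",
           action_name(shim_lock_decision(secureboot_mode(sb_on, user_mode, mok_none), false, true)));
    return 0;
}
```

The fourth scenario is the one the earlier, regressed behaviour got wrong in spirit: with Secure Boot on and no consent that the firmware actually recorded at boot time, the only acceptable outcomes are registering the verifier or refusing to boot.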