diff --git a/conf/Makefile.common b/conf/Makefile.common index 6cd71cbb2..2a1a886f6 100644 --- a/conf/Makefile.common +++ b/conf/Makefile.common @@ -84,7 +84,9 @@ CPPFLAGS_PARTTOOL_LIST = -Dgrub_parttool_register=PARTTOOL_LIST_MARKER CPPFLAGS_TERMINAL_LIST = '-Dgrub_term_register_input(...)=INPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_TERMINAL_LIST += '-Dgrub_term_register_output(...)=OUTPUT_TERMINAL_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_COMMAND_LIST = '-Dgrub_register_command(...)=COMMAND_LIST_MARKER(__VA_ARGS__)' +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_lockdown(...)=COMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd(...)=EXTCOMMAND_LIST_MARKER(__VA_ARGS__)' +CPPFLAGS_COMMAND_LIST += '-Dgrub_register_extcmd_lockdown(...)=EXTCOMMAND_LOCKDOWN_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_COMMAND_LIST += '-Dgrub_register_command_p1(...)=P1COMMAND_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_FDT_LIST := '-Dgrub_fdtbus_register(...)=FDT_DRIVER_LIST_MARKER(__VA_ARGS__)' CPPFLAGS_MARKER = $(CPPFLAGS_FS_LIST) $(CPPFLAGS_VIDEO_LIST) \ diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi index 24d17b8ec..a834b3a9c 100644 --- a/docs/grub-dev.texi +++ b/docs/grub-dev.texi @@ -86,6 +86,7 @@ This edition documents version @value{VERSION}. * PFF2 Font File Format:: * Graphical Menu Software Design:: * Verifiers framework:: +* Lockdown framework:: * Copying This Manual:: Copying This Manual * Index:: @end menu @@ -2123,6 +2124,32 @@ Optionally at the end of the file @samp{fini}, if it exists, is called with just the context. If you return no error during any of @samp{init}, @samp{write} and @samp{fini} then the file is considered as having succeded verification. +@node Lockdown framework +@chapter Lockdown framework + +The GRUB can be locked down, which is a restricted mode where some operations +are not allowed. For instance, some commands cannot be used when the GRUB is +locked down. + +The function +@code{grub_lockdown()} is used to lockdown GRUB and the function +@code{grub_is_lockdown()} function can be used to check whether lockdown is +enabled or not. When enabled, the function returns @samp{GRUB_LOCKDOWN_ENABLED} +and @samp{GRUB_LOCKDOWN_DISABLED} when is not enabled. + +The following functions can be used to register the commands that can only be +used when lockdown is disabled: + +@itemize + +@item @code{grub_cmd_lockdown()} registers command which should not run when the +GRUB is in lockdown mode. + +@item @code{grub_cmd_lockdown()} registers extended command which should not run +when the GRUB is in lockdown mode. + +@end itemize + @node Copying This Manual @appendix Copying This Manual diff --git a/docs/grub.texi b/docs/grub.texi index e3de2a4dc..fd3c78054 100644 --- a/docs/grub.texi +++ b/docs/grub.texi @@ -5749,6 +5749,7 @@ environment variables and commands are listed in the same order. * Using digital signatures:: Booting digitally signed code * UEFI secure boot and shim:: Booting digitally signed PE files * Measured Boot:: Measuring boot components +* Lockdown:: Lockdown when booting on a secure setup @end menu @node Authentication and authorisation @@ -5958,6 +5959,13 @@ into @file{core.img} in order to avoid a potential gap in measurement between Measured boot is currently only supported on EFI platforms. +@node Lockdown +@section Lockdown when booting on a secure setup + +The GRUB can be locked down when booted on a secure boot environment, for example +if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will +be restricted and some operations/commands cannot be executed. + @node Platform limitations @chapter Platform limitations diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am index cc6fc7dfa..30e23ada2 100644 --- a/grub-core/Makefile.am +++ b/grub-core/Makefile.am @@ -80,6 +80,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h +KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h if COND_emu KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/compiler-rt-emu.h @@ -377,8 +378,10 @@ command.lst: $(MARKER_FILES) b=`basename $$pp .marker`; \ sed -n \ -e "/EXTCOMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ + -e "/EXTCOMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ -e "/P1COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/*\1: $$b/;p;}" \ - -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ + -e "/COMMAND_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" \ + -e "/COMMAND_LOCKDOWN_LIST_MARKER *( *\"/{s/.*( *\"\([^\"]*\)\".*/\1: $$b/;p;}" $$pp; \ done) | sort -u > $@ platform_DATA += command.lst CLEANFILES += command.lst diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def index 2b98fe1fc..1f450a98f 100644 --- a/grub-core/Makefile.core.def +++ b/grub-core/Makefile.core.def @@ -205,6 +205,7 @@ kernel = { efi = kern/acpi.c; efi = kern/efi/acpi.c; efi = kern/efi/sb.c; + efi = kern/lockdown.c; i386_coreboot = kern/i386/pc/acpi.c; i386_multiboot = kern/i386/pc/acpi.c; i386_coreboot = kern/acpi.c; diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c index 69574e2b0..90a5ca24a 100644 --- a/grub-core/commands/extcmd.c +++ b/grub-core/commands/extcmd.c @@ -19,6 +19,7 @@ #include #include +#include #include #include #include @@ -110,6 +111,28 @@ grub_register_extcmd (const char *name, grub_extcmd_func_t func, summary, description, parser, 1); } +static grub_err_t +grub_extcmd_lockdown (grub_extcmd_context_t ctxt __attribute__ ((unused)), + int argc __attribute__ ((unused)), + char **argv __attribute__ ((unused))) +{ + return grub_error (GRUB_ERR_ACCESS_DENIED, + N_("%s: the command is not allowed when lockdown is enforced"), + ctxt->extcmd->cmd->name); +} + +grub_extcmd_t +grub_register_extcmd_lockdown (const char *name, grub_extcmd_func_t func, + grub_command_flags_t flags, const char *summary, + const char *description, + const struct grub_arg_option *parser) +{ + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) + func = grub_extcmd_lockdown; + + return grub_register_extcmd (name, func, flags, summary, description, parser); +} + void grub_unregister_extcmd (grub_extcmd_t ext) { diff --git a/grub-core/kern/command.c b/grub-core/kern/command.c index acd721879..4aabcd4b5 100644 --- a/grub-core/kern/command.c +++ b/grub-core/kern/command.c @@ -17,6 +17,7 @@ * along with GRUB. If not, see . */ +#include #include #include @@ -77,6 +78,29 @@ grub_register_command_prio (const char *name, return cmd; } +static grub_err_t +grub_cmd_lockdown (grub_command_t cmd __attribute__ ((unused)), + int argc __attribute__ ((unused)), + char **argv __attribute__ ((unused))) + +{ + return grub_error (GRUB_ERR_ACCESS_DENIED, + N_("%s: the command is not allowed when lockdown is enforced"), + cmd->name); +} + +grub_command_t +grub_register_command_lockdown (const char *name, + grub_command_func_t func, + const char *summary, + const char *description) +{ + if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED) + func = grub_cmd_lockdown; + + return grub_register_command_prio (name, func, summary, description, 0); +} + void grub_unregister_command (grub_command_t cmd) { diff --git a/grub-core/kern/lockdown.c b/grub-core/kern/lockdown.c new file mode 100644 index 000000000..1e56c0b80 --- /dev/null +++ b/grub-core/kern/lockdown.c @@ -0,0 +1,80 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2020 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + * + */ + +#include +#include +#include +#include + +static int lockdown = GRUB_LOCKDOWN_DISABLED; + +static grub_err_t +lockdown_verifier_init (grub_file_t io __attribute__ ((unused)), + enum grub_file_type type, + void **context __attribute__ ((unused)), + enum grub_verify_flags *flags) +{ + *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION; + + switch (type & GRUB_FILE_TYPE_MASK) + { + case GRUB_FILE_TYPE_GRUB_MODULE: + case GRUB_FILE_TYPE_LINUX_KERNEL: + case GRUB_FILE_TYPE_MULTIBOOT_KERNEL: + case GRUB_FILE_TYPE_XEN_HYPERVISOR: + case GRUB_FILE_TYPE_BSD_KERNEL: + case GRUB_FILE_TYPE_XNU_KERNEL: + case GRUB_FILE_TYPE_PLAN9_KERNEL: + case GRUB_FILE_TYPE_NTLDR: + case GRUB_FILE_TYPE_TRUECRYPT: + case GRUB_FILE_TYPE_FREEDOS: + case GRUB_FILE_TYPE_PXECHAINLOADER: + case GRUB_FILE_TYPE_PCCHAINLOADER: + case GRUB_FILE_TYPE_COREBOOT_CHAINLOADER: + case GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE: + case GRUB_FILE_TYPE_ACPI_TABLE: + case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE: + *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH; + + /* Fall through. */ + + default: + return GRUB_ERR_NONE; + } +} + +struct grub_file_verifier lockdown_verifier = + { + .name = "lockdown_verifier", + .init = lockdown_verifier_init, + }; + +void +grub_lockdown (void) +{ + lockdown = GRUB_LOCKDOWN_ENABLED; + + grub_verifier_register (&lockdown_verifier); +} + +int +grub_is_lockdown (void) +{ + return lockdown; +} diff --git a/include/grub/command.h b/include/grub/command.h index eee4e847e..2a6f7f846 100644 --- a/include/grub/command.h +++ b/include/grub/command.h @@ -86,6 +86,11 @@ EXPORT_FUNC(grub_register_command_prio) (const char *name, const char *summary, const char *description, int prio); +grub_command_t +EXPORT_FUNC(grub_register_command_lockdown) (const char *name, + grub_command_func_t func, + const char *summary, + const char *description); void EXPORT_FUNC(grub_unregister_command) (grub_command_t cmd); static inline grub_command_t diff --git a/include/grub/extcmd.h b/include/grub/extcmd.h index 19fe59266..fe9248b8b 100644 --- a/include/grub/extcmd.h +++ b/include/grub/extcmd.h @@ -62,6 +62,13 @@ grub_extcmd_t EXPORT_FUNC(grub_register_extcmd) (const char *name, const char *description, const struct grub_arg_option *parser); +grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_lockdown) (const char *name, + grub_extcmd_func_t func, + grub_command_flags_t flags, + const char *summary, + const char *description, + const struct grub_arg_option *parser); + grub_extcmd_t EXPORT_FUNC(grub_register_extcmd_prio) (const char *name, grub_extcmd_func_t func, grub_command_flags_t flags, diff --git a/include/grub/lockdown.h b/include/grub/lockdown.h new file mode 100644 index 000000000..40531fa82 --- /dev/null +++ b/include/grub/lockdown.h @@ -0,0 +1,44 @@ +/* + * GRUB -- GRand Unified Bootloader + * Copyright (C) 2020 Free Software Foundation, Inc. + * + * GRUB is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * GRUB is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with GRUB. If not, see . + */ + +#ifndef GRUB_LOCKDOWN_H +#define GRUB_LOCKDOWN_H 1 + +#include + +#define GRUB_LOCKDOWN_DISABLED 0 +#define GRUB_LOCKDOWN_ENABLED 1 + +#ifdef GRUB_MACHINE_EFI +extern void +EXPORT_FUNC (grub_lockdown) (void); +extern int +EXPORT_FUNC (grub_is_lockdown) (void); +#else +static inline void +grub_lockdown (void) +{ +} + +static inline int +grub_is_lockdown (void) +{ + return GRUB_LOCKDOWN_DISABLED; +} +#endif +#endif /* ! GRUB_LOCKDOWN_H */