proxmox-mirrors/grub2
1
0
Fork 0
mirror of https://git.proxmox.com/git/grub2 synced 2025-10-04 15:29:30 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Do not overwrite sentinel byte in boot_params, breaks lockdown

Browse Source 
grub currently copies the entire boot_params, which includes setting
sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
which in turn clears various boot_params variables, including the
indication that the bootloader chain is verified and thus the kernel
disables lockdown mode.  According to the information on the Fedora bug
tracker, only the information from byte 0x1f1 is necessary, so start
copying from there instead.

Author: Luca Boccassi <bluca@debian.org>
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
Forwarded: no

Patch-Name: fix-lockdown.patch
This commit is contained in:
Luca Boccassi 2018-05-15 11:36:46 +01:00 committed by Colin Watson
parent 5a2c53dd05
commit b2c4515a83
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
grub-core/loader/i386/efi/linux.c
View File

@ -29,6 +29,7 @@
#include <grub/linux.h> #include <grub/linux.h>
#include <grub/efi/efi.h> #include <grub/efi/efi.h>
#include <grub/efi/sb.h> #include <grub/efi/sb.h>
#include <stddef.h>
GRUB_MOD_LICENSE ("GPLv3+"); GRUB_MOD_LICENSE ("GPLv3+");
@ -336,7 +337,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem; lh.code32_start = (grub_uint32_t)(grub_addr_t) kernel_mem;
} }
grub_memcpy (params, &lh, 2 * 512); /* do not overwrite below boot_params->hdr to avoid setting the sentinel byte */
start = offsetof (struct linux_kernel_params, setup_sects);
grub_memcpy ((grub_uint8_t *)params + start, (grub_uint8_t *)&lh + start, 2 * 512 - start);
params->type_of_loader = 0x21; params->type_of_loader = 0x21;