grub2/grub-core/kern/efi
Dimitri John Ledkov 968de8c23c shim_lock: Only skip loading shim_lock verifier with explicit consent
Commit 32ddc42c (efi: Only register shim_lock verifier if shim_lock
protocol is found and SB enabled) reintroduced CVE-2020-15705 which
previously only existed in the out-of-tree linuxefi patches and was
fixed as part of the BootHole patch series.

Under Secure Boot enforce loading shim_lock verifier. Allow skipping
shim_lock verifier if SecureBoot/MokSBState EFI variables indicate
skipping validations, or if GRUB image is built with --disable-shim-lock.

Fixes: 132ddc42c (efi: Only register shim_lock verifier if shim_lock
       protocol is found and SB enabled)
Fixes: CVE-2020-15705
Fixes: CVE-2021-3418

Reported-by: Dimitri John Ledkov <xnox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2021-03-02 15:54:19 +01:00
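The policy the commit message states (enforce the shim_lock verifier under Secure Boot, skip it only when the SecureBoot/SetupMode/MokSBState variables say validation is off or the image was built with --disable-shim-lock, and fail hard when Secure Boot is on but no shim_lock protocol is present) is modelled below as an added example. It is not GRUB's sb.c or efi.c: the in-memory variable store, the -1/-2 encoding for "absent"/"read error", the `decide()` wrapper and the requirement that MokSBState carry only the boot-services attribute are this example's assumptions, and treating an unreadable Secure Boot state as "on" (fail closed) is this example's design choice, not a claim about GRUB's behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UEFI variable attribute bits (values from the UEFI specification). */
#define EFI_VARIABLE_NON_VOLATILE       0x01u
#define EFI_VARIABLE_BOOTSERVICE_ACCESS 0x02u
#define EFI_VARIABLE_RUNTIME_ACCESS     0x04u

enum sb_mode { SB_DISABLED, SB_ENABLED, SB_UNKNOWN };

enum shim_lock_decision {
    SHIM_LOCK_SKIP,    /* verifier not registered */
    SHIM_LOCK_ENFORCE, /* verifier registered, shim_lock protocol available */
    SHIM_LOCK_FATAL    /* verifier required but no shim_lock protocol: stop booting */
};

enum var_status { VAR_OK, VAR_NOT_FOUND, VAR_ERROR };

/* Constructed stand-in for GetVariable(): a tiny in-memory variable store
 * (assumption of this example). A negative value models a firmware read error. */
struct fake_var { const char *name; int value; uint32_t attrs; };

struct fake_platform {
    struct fake_var vars[3];
    size_t nvars;
    bool shim_lock_protocol;      /* LocateProtocol(shim_lock GUID) succeeds */
    bool built_disable_shim_lock; /* image built with --disable-shim-lock */
};

static enum var_status get_var(const struct fake_platform *p, const char *name,
                               uint8_t *val, uint32_t *attrs)
{
    for (size_t i = 0; i < p->nvars; i++) {
        if (strcmp(p->vars[i].name, name) != 0)
            continue;
        if (p->vars[i].value < 0)
            return VAR_ERROR;
        *val = (uint8_t)p->vars[i].value;
        if (attrs)
            *attrs = p->vars[i].attrs;
        return VAR_OK;
    }
    return VAR_NOT_FOUND;
}

/* Derive the Secure Boot state from SecureBoot, SetupMode and MokSBState. */
enum sb_mode get_secureboot(const struct fake_platform *p)
{
    uint8_t secboot, setupmode, moksb;
    uint32_t attrs;

    enum var_status st = get_var(p, "SecureBoot", &secboot, NULL);
    if (st == VAR_NOT_FOUND)
        return SB_DISABLED; /* firmware has no Secure Boot at all */
    if (st != VAR_OK)
        return SB_UNKNOWN;
    if (get_var(p, "SetupMode", &setupmode, NULL) != VAR_OK)
        return SB_UNKNOWN;
    if (secboot == 0 || setupmode == 1)
        return SB_DISABLED;

    /* MokSBState == 1 means the user opted out of validation via MokManager.
     * This example honours it only as a volatile, boot-services-only variable;
     * an NV or runtime-accessible copy could have been written from the OS. */
    st = get_var(p, "MokSBState", &moksb, &attrs);
    if (st == VAR_OK && attrs == EFI_VARIABLE_BOOTSERVICE_ACCESS && moksb == 1)
        return SB_DISABLED;
    return SB_ENABLED;
}

/* Registration policy: skip only with explicit consent, otherwise enforce. */
enum shim_lock_decision shim_lock_verifier_setup(const struct fake_platform *p)
{
    /* A missing shim_lock protocol is acceptable only for a --disable-shim-lock build. */
    if (!p->shim_lock_protocol && p->built_disable_shim_lock)
        return SHIM_LOCK_SKIP;
    /* Secure Boot explicitly off: nothing to enforce. An unreadable state is
     * deliberately not treated as "off" (fail closed, this example's choice). */
    if (get_secureboot(p) == SB_DISABLED)
        return SHIM_LOCK_SKIP;
    /* Secure Boot on: the verifier is mandatory and cannot work without shim. */
    if (!p->shim_lock_protocol)
        return SHIM_LOCK_FATAL;
    return SHIM_LOCK_ENFORCE;
}

/* Build a platform from scalar knobs and decide. Variable values: 0/1 as in
 * firmware, -1 = variable absent, -2 = read error. */
enum shim_lock_decision decide(int secboot, int setupmode, int moksb,
                               uint32_t moksb_attrs, bool shim_present,
                               bool disable_shim_lock)
{
    struct fake_platform p = { .nvars = 0, .shim_lock_protocol = shim_present,
                               .built_disable_shim_lock = disable_shim_lock };
    const uint32_t bs_rt = EFI_VARIABLE_BOOTSERVICE_ACCESS | EFI_VARIABLE_RUNTIME_ACCESS;
    if (secboot != -1)
        p.vars[p.nvars++] = (struct fake_var){ "SecureBoot", secboot, bs_rt };
    if (setupmode != -1)
        p.vars[p.nvars++] = (struct fake_var){ "SetupMode", setupmode, bs_rt };
    if (moksb != -1)
        p.vars[p.nvars++] = (struct fake_var){ "MokSBState", moksb, moksb_attrs };
    return shim_lock_verifier_setup(&p);
}

int main(void)
{
    /* The CVE-2020-15705 shape: Secure Boot on, shim_lock protocol absent. */
    printf("SB on, no shim: %d (2 = fatal)\n", decide(1, 0, -1, 0, false, false));
    printf("SB on, shim present: %d (1 = enforce)\n", decide(1, 0, -1, 0, true, false));
    return 0;
}
```

The two consent paths are narrow on purpose: --disable-shim-lock only matters when the shim_lock protocol is absent, and MokSBState is only trusted in the form shim itself would leave it in, so a value planted as a non-volatile variable from the running OS does not turn the verifier off.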
acpi.c tsc: Use alternative delay sources whenever appropriate. 2015-11-27 11:39:55 +01:00
efi.c kern/efi: Fix memory leak on failure 2021-03-02 15:54:16 +01:00
fdt.c efi: Move fdt helper into own file 2016-11-24 10:09:24 +01:00
init.c kern/efi: Add initial stack protector implementation 2021-03-02 15:54:19 +01:00
mm.c kern/efi/mm: Fix possible NULL pointer dereference 2021-03-02 15:54:16 +01:00
sb.c shim_lock: Only skip loading shim_lock verifier with explicit consent 2021-03-02 15:54:19 +01:00