grub2/grub-core/commands/efi/shim_lock.c

/*
 *  GRUB  --  GRand Unified Bootloader
 *  Copyright (C) 2017  Free Software Foundation, Inc.
 *
 *  GRUB is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  GRUB is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 *
 *  EFI shim lock verifier.
 */

#include <grub/dl.h>
#include <grub/efi/efi.h>
#include <grub/err.h>
#include <grub/file.h>
#include <grub/misc.h>
#include <grub/verify.h>

GRUB_MOD_LICENSE ("GPLv3+");

#define GRUB_EFI_SHIM_LOCK_GUID \
  { 0x605dab50, 0xe046, 0x4300, \
    { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
  }

struct grub_efi_shim_lock_protocol
{
  grub_efi_status_t
  (*verify) (void *buffer, grub_uint32_t size);
};
typedef struct grub_efi_shim_lock_protocol grub_efi_shim_lock_protocol_t;

static grub_efi_guid_t shim_lock_guid = GRUB_EFI_SHIM_LOCK_GUID;
static grub_efi_shim_lock_protocol_t *sl;

/* List of modules which cannot be loaded if UEFI secure boot mode is enabled. */
static const char * const disabled_mods[] = {"iorw", "memrw", "wrmsr", NULL};

static grub_err_t
shim_lock_init (grub_file_t io, enum grub_file_type type,
		void **context __attribute__ ((unused)),
		enum grub_verify_flags *flags)
{
  const char *b, *e;
  int i;

  *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;

  if (!sl)
    return GRUB_ERR_NONE;

  switch (type & GRUB_FILE_TYPE_MASK)
    {
    case GRUB_FILE_TYPE_GRUB_MODULE:
      /* Establish GRUB module name. */
      b = grub_strrchr (io->name, '/');
      e = grub_strrchr (io->name, '.');

      b = b ? (b + 1) : io->name;
      e = e ? e : io->name + grub_strlen (io->name);
      e = (e > b) ? e : io->name + grub_strlen (io->name);

      for (i = 0; disabled_mods[i]; i++)
	if (!grub_strncmp (b, disabled_mods[i], grub_strlen (b) - grub_strlen (e)))
	  {
	    grub_error (GRUB_ERR_ACCESS_DENIED,
			N_("module cannot be loaded in UEFI secure boot mode: %s"),
			io->name);
	    return GRUB_ERR_ACCESS_DENIED;
	  }

      /* Fall through. */

    case GRUB_FILE_TYPE_ACPI_TABLE:
    case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
      *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;

      return GRUB_ERR_NONE;

    case GRUB_FILE_TYPE_LINUX_KERNEL:
    case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
    case GRUB_FILE_TYPE_BSD_KERNEL:
    case GRUB_FILE_TYPE_XNU_KERNEL:
    case GRUB_FILE_TYPE_PLAN9_KERNEL:
      for (i = 0; disabled_mods[i]; i++)
	if (grub_dl_get (disabled_mods[i]))
	  {
	    grub_error (GRUB_ERR_ACCESS_DENIED,
			N_("cannot boot due to dangerous module in memory: %s"),
			disabled_mods[i]);
	    return GRUB_ERR_ACCESS_DENIED;
	  }

      *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;

      /* Fall through. */

    default:
      return GRUB_ERR_NONE;
    }
}

static grub_err_t
shim_lock_write (void *context __attribute__ ((unused)), void *buf, grub_size_t size)
{
  if (sl->verify (buf, size) != GRUB_EFI_SUCCESS)
    return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("bad shim signature"));

  return GRUB_ERR_NONE;
}

struct grub_file_verifier shim_lock =
  {
    .name = "shim_lock",
    .init = shim_lock_init,
    .write = shim_lock_write
  };

GRUB_MOD_INIT(shim_lock)
{
  sl = grub_efi_locate_protocol (&shim_lock_guid, 0);
  grub_verifier_register (&shim_lock);

  if (!sl)
    return;

  grub_dl_set_persistent (mod);
}

GRUB_MOD_FINI(shim_lock)
{
  grub_verifier_unregister (&shim_lock);
}