mirror of
https://git.proxmox.com/git/pve-edk2-firmware
synced 2025-08-26 00:15:30 +00:00
b82f91d3ec
since the shell allows circumvention of Secure Boot restrictions, for example
via raw memory access or execution of scripts on the ESP.
see Links in the patch for details.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
(cherry picked from commit 334229c409)
101 lines
3.4 KiB
Diff
101 lines
3.4 KiB
Diff
From: Mate Kukri <mate.kukri@canonical.com>
|
|
Date: Wed, 6 Dec 2023 15:47:42 +0000
|
|
Subject: Shell: Disable the Shell when SecureBoot is enabled and not in
|
|
SetupMode
|
|
|
|
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
|
|
---
|
|
ShellPkg/Application/Shell/Shell.c | 14 ++++++++++++++
|
|
ShellPkg/Application/Shell/Shell.h | 3 +++
|
|
ShellPkg/Application/Shell/Shell.inf | 2 ++
|
|
ShellPkg/ShellPkg.dsc | 1 +
|
|
4 files changed, 20 insertions(+)
|
|
|
|
Origin: https://bugs.launchpad.net/ubuntu/+source/edk2/+bug/2040137/+attachment/5741528/+files/Disable-the-Shell-when-SecureBoot-is-enabled.patch
|
|
Bug: https://bugzilla.tianocore.org/show_bug.cgi?id=4641
|
|
Bug-Ubuntu: https://launchpad.net/bugs/2040137
|
|
Last-Updated: 2024-02-11
|
|
Forwarded: https://bugzilla.tianocore.org/show_bug.cgi?id=4641#c0
|
|
|
|
diff --git a/ShellPkg/Application/Shell/Shell.c b/ShellPkg/Application/Shell/Shell.c
|
|
index f95c799..502013d 100644
|
|
--- a/ShellPkg/Application/Shell/Shell.c
|
|
+++ b/ShellPkg/Application/Shell/Shell.c
|
|
@@ -357,6 +357,20 @@ UefiMain (
|
|
EFI_HANDLE ConInHandle;
|
|
EFI_SIMPLE_TEXT_INPUT_PROTOCOL *OldConIn;
|
|
SPLIT_LIST *Split;
|
|
+ UINT8 SetupMode;
|
|
+
|
|
+ //
|
|
+ // Check for Secure Boot mode
|
|
+ //
|
|
+ if (IsSecureBootEnabled()) {
|
|
+ Status = GetSetupMode (&SetupMode);
|
|
+ if (EFI_ERROR (Status)) {
|
|
+ return (Status);
|
|
+ }
|
|
+ if (SetupMode != 1) {
|
|
+ return (EFI_SECURITY_VIOLATION);
|
|
+ }
|
|
+ }
|
|
|
|
if (PcdGet8 (PcdShellSupportLevel) > 3) {
|
|
return (EFI_UNSUPPORTED);
|
|
diff --git a/ShellPkg/Application/Shell/Shell.h b/ShellPkg/Application/Shell/Shell.h
|
|
index 89b4ac6..595ec79 100644
|
|
--- a/ShellPkg/Application/Shell/Shell.h
|
|
+++ b/ShellPkg/Application/Shell/Shell.h
|
|
@@ -11,9 +11,11 @@
|
|
#define _SHELL_INTERNAL_HEADER_
|
|
|
|
#include <Uefi.h>
|
|
+#include <UefiSecureBoot.h>
|
|
|
|
#include <Guid/ShellVariableGuid.h>
|
|
#include <Guid/ShellAliasGuid.h>
|
|
+#include <Guid/ImageAuthentication.h>
|
|
|
|
#include <Protocol/LoadedImage.h>
|
|
#include <Protocol/SimpleTextOut.h>
|
|
@@ -42,6 +44,7 @@
|
|
#include <Library/HandleParsingLib.h>
|
|
#include <Library/FileHandleLib.h>
|
|
#include <Library/UefiHiiServicesLib.h>
|
|
+#include <Library/SecureBootVariableLib.h>
|
|
|
|
#include "ShellParametersProtocol.h"
|
|
#include "ShellProtocol.h"
|
|
diff --git a/ShellPkg/Application/Shell/Shell.inf b/ShellPkg/Application/Shell/Shell.inf
|
|
index f1e41de..340585f 100644
|
|
--- a/ShellPkg/Application/Shell/Shell.inf
|
|
+++ b/ShellPkg/Application/Shell/Shell.inf
|
|
@@ -47,6 +47,7 @@
|
|
MdePkg/MdePkg.dec
|
|
ShellPkg/ShellPkg.dec
|
|
MdeModulePkg/MdeModulePkg.dec
|
|
+ SecurityPkg/SecurityPkg.dec
|
|
|
|
[LibraryClasses]
|
|
BaseLib
|
|
@@ -66,6 +67,7 @@
|
|
SortLib
|
|
HandleParsingLib
|
|
UefiHiiServicesLib
|
|
+ SecureBootVariableLib
|
|
|
|
[Guids]
|
|
gShellVariableGuid ## SOMETIMES_CONSUMES ## GUID
|
|
diff --git a/ShellPkg/ShellPkg.dsc b/ShellPkg/ShellPkg.dsc
|
|
index dd0d886..28d6a87 100644
|
|
--- a/ShellPkg/ShellPkg.dsc
|
|
+++ b/ShellPkg/ShellPkg.dsc
|
|
@@ -64,6 +64,7 @@
|
|
DxeServicesTableLib|MdePkg/Library/DxeServicesTableLib/DxeServicesTableLib.inf
|
|
DxeServicesLib|MdePkg/Library/DxeServicesLib/DxeServicesLib.inf
|
|
ReportStatusCodeLib|MdePkg/Library/BaseReportStatusCodeLibNull/BaseReportStatusCodeLibNull.inf
|
|
+ SecureBootVariableLib|SecurityPkg/Library/SecureBootVariableLib/SecureBootVariableLib.inf
|
|
|
|
[LibraryClasses.ARM,LibraryClasses.AARCH64]
|
|
#
|