Grub: Verify buffiles, e.g. fonts and images

2026-01-12 01:00:15 +00:00 · 2021-02-02 10:18:59 +02:00
parent d72746bfa7
commit 64097c52a0
2 changed files with 33 additions and 1 deletions
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi-efi-secure-boot.inc
@@ -9,7 +9,9 @@ EXTRA_SRC_URI = "\

 GRUB_MOKVERIFY_PATCH = " \
   file://mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch \
-   file://mok2verify-multiboot.patch"
+   file://mok2verify-multiboot.patch \
+   file://verify-all-buffiles.patch \
+"

 SRC_URI += "\
    file://0001-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch \
--- a/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/verify-all-buffiles.patch
+++ b/meta-efi-secure-boot/recipes-bsp/grub/grub-efi/verify-all-buffiles.patch
@@ -0,0 +1,30 @@
+--- a/grub-core/io/bufio.c	2021-02-02 07:35:26.062890543 +0000
+++ b/grub-core/io/bufio.c	2021-02-02 07:41:06.659570989 +0000
+@@ -24,6 +24,9 @@
+ #include <grub/fs.h>
+ #include <grub/bufio.h>
+ #include <grub/dl.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+@@ -91,7 +94,17 @@
+ grub_buffile_open (const char *name, enum grub_file_type type, grub_size_t size)
+ {
+   grub_file_t io, file;
+#ifdef GRUB_MACHINE_EFI
+  grub_err_t err;
+ 
+  err = grub_verify_file (name);
+  if (err != GRUB_ERR_NONE)
+    {
+      grub_error (err, "Security Violation: %s failed to load", name);
+      grub_print_error ();
+      grub_halt();
+    }
+#endif
+   io = grub_file_open (name, type);
+   if (! io)
+     return 0;