cos /
cos /
cobble /
97a219dff087c4df86a41501264f3e9ca1f98dea grub-lakitu: BACKPORT: FROMGIT: linuxefi: fail kernel validation without shim protocol.
If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature
validation. The booted kernel will think it was booted in secureboot
mode and will implement lockdown, yet it could have been tampered.
This version of the patch skips calling verification, when booted
without secureboot. And is indented with gnu ident.
CVE-2020-15705
Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
(cherry picked from commit bb240087ce9ef9a62936fd6c1241df65a1e42d01
https://github.com/rhboot/grub2 fedora-31)
Signed-off-by: Robert Kolchmeyer <rkolchmeyer@google.com>
Conflicts:
- grub-core/loader/i386/efi/linux.c: Removed TPM measurement from patch
context. Our grub does TPM measurements differently. I also needed to
include an additional header in this file.
BUG=b/162782466,b/137884271
TEST=validation test (cl/325153880)
Change-Id: Id5a91b77b42689b4dfac7d5c4bf5b077bec9178b
4 files changed
