(mirror of https://github.com/vyos/efi-boot-shim.git) https://git.amelek.net/vyos/efi-boot-shim.git/atom?h=15.6 2022-06-01T18:25:48+00:00 2022-06-01T18:25:48+00:00 Peter Jones pjones@redhat.com 2022-06-01T18:25:48+00:00 urn:sha1:505cdb678b319fcf9a7fdee77c0f091b4147cbe5 Signed-off-by: Peter Jones <pjones@redhat.com> 2022-06-01T15:01:24+00:00 Peter Jones pjones@redhat.com 2022-06-01T15:01:24+00:00 urn:sha1:a674edede0b3322b7e1d4f38dc03ec5bce9d81f5 Signed-off-by: Peter Jones <pjones@redhat.com> 2022-05-31T19:17:14+00:00 Peter Jones pjones@redhat.com 2022-05-31T19:17:14+00:00 urn:sha1:8ee1e1c132dfacf21dbc460be629fdb17e2304c2 Signed-off-by: Peter Jones <pjones@redhat.com> 2022-05-24T20:28:35+00:00 Peter Jones pjones@redhat.com 2022-05-03T21:05:20+00:00 urn:sha1:159151b6649008793d6204a34d7b9c41221fb4b0 PR 446 ("Add verify_image") duplicates some of the code affected by Chris Coulson's defense in depth patch against CVE-2022-28737 ("pe: Perform image verification earlier when loading grub"). This patch makes the same change to the new function. Signed-off-by: Peter Jones <pjones@redhat.com> 2022-05-24T20:28:35+00:00 Jan Setje-Eilers jan.setjeeilers@oracle.com 2022-05-10T21:09:26+00:00 urn:sha1:9a09faf390eea083c3bef1b07c7e043ebe0cc1f6 bump shim SBAT generation requirement to 2 for CVE-2022-28737 bump GRUB2 SBAT generation requirement to 2 for CVE-2021-3695 Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> 2022-05-24T20:28:35+00:00 Jan Setje-Eilers jan.setjeeilers@oracle.com 2022-05-10T20:14:24+00:00 urn:sha1:80e34fc3d55106680a245f6338bec627114bed35 Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com> 2022-05-24T20:28:35+00:00 Chris Coulson chris.coulson@canonical.com 2022-05-03T14:02:19+00:00 urn:sha1:5a82d7973656c68f006aac1ed462e7bb37075d92 The second stage loader was being verified after loading it into memory. As an additional hardening measure to avoid performing risky memcpys using header fields from a potentially specially crafted image, perform the verification before this so that it can be rejected earlier. Signed-off-by: Chris Coulson <chris.coulson@canonical.com> 2022-05-24T20:28:35+00:00 Chris Coulson chris.coulson@canonical.com 2022-05-03T13:41:00+00:00 urn:sha1:e99bdbb827a50cde019393d3ca1e89397db221a7 During image loading, the size of the destination buffer for the image is determined by the SizeOfImage field in the optional header. The start and end virtual addresses of each section, as determined by each section's VirtualAddress and VirtualSize fields, are bounds checked against the allocated buffer. However, the amount of data copied to the destination buffer is determined by the section's SizeOfRawData filed. If this is larger than the VirtualSize, then the copy can overflow the destination buffer. Fix this by limiting the amount of data to copy to the section's VirtualSize. In the case where a section has SizeOfRawData > VirtualSize, the excess data is discarded. This fixes CVE-2022-28737 Signed-off-by: Chris Coulson <chris.coulson@canonical.com> 2022-05-24T20:27:48+00:00 Jan Setje-Eilers jan.setjeeilers@oracle.com 2022-05-24T18:49:44+00:00 urn:sha1:77144e5a404df89b45941bfc54fd2f59e0ee607b Since booting from removable media can be hard to detect, setting a persistent latest SBAT policy is risky in a typical client system. This changes latest to be a one-shot operation that could be set at the time of an OS update if desired. Signed-off-by: Jan Setje-Eilers <Jan.SetjeEilers@oracle.com> 2022-05-24T20:09:39+00:00 Peter Jones pjones@redhat.com 2022-05-23T20:52:37+00:00 urn:sha1:c0bcd04f5abe9d6efe04e7d8727fa4afe4d46eff