stub: use command line from loader in insecure mode

When booting without Secure Boot active, it is not necessary to defend
against a malicious command line being passed from the loader. So just
use it in this case, to facilitaty some debugging and recovery use
cases.

Fixes: https://github.com/nix-community/lanzaboote/issues/226
This commit is contained in:
Alois Wohlschlager 2023-10-02 08:33:04 +02:00
parent db39223a7c
commit b02a7e2a7f
No known key found for this signature in database
GPG Key ID: E0F59EA5E5216914
4 changed files with 91 additions and 55 deletions

View File

@ -9,7 +9,7 @@ use uefi::{
boot::{AllocateType, MemoryType},
Boot, SystemTable,
},
CStr16, Handle, Status,
Handle, Status,
};
/// UEFI mandates 4 KiB pages.
@ -174,7 +174,7 @@ impl Image {
self,
handle: Handle,
system_table: &SystemTable<Boot>,
load_options: &CStr16,
load_options: &[u8],
) -> Status {
let mut loaded_image = system_table
.boot_services()
@ -196,7 +196,7 @@ impl Image {
);
loaded_image.set_load_options(
load_options.as_ptr() as *const u8,
u32::try_from(load_options.num_bytes()).unwrap(),
u32::try_from(load_options.len()).unwrap(),
);
}

View File

@ -1,5 +1,9 @@
use alloc::vec::Vec;
use uefi::{prelude::*, CStr16, CString16, Result};
use log::warn;
use uefi::{
guid, prelude::*, proto::loaded_image::LoadedImage, table::runtime::VariableVendor, CStr16,
CString16, Result,
};
use linux_bootloader::linux_loader::InitrdLoader;
use linux_bootloader::pe_loader::Image;
@ -12,6 +16,70 @@ pub fn extract_string(pe_data: &[u8], section: &str) -> Result<CString16> {
Ok(CString16::try_from(string.as_str()).map_err(|_| Status::INVALID_PARAMETER)?)
}
/// Obtain the kernel command line that should be used for booting.
///
/// If Secure Boot is active, this is always the embedded one (since the one passed from the bootloader may come from a malicious type 1 entry).
/// If Secure Boot is not active, the command line passed from the bootloader is used, falling back to the embedded one.
pub fn get_cmdline(
embedded: &CStr16,
boot_services: &BootServices,
secure_boot_enabled: bool,
) -> Vec<u8> {
if secure_boot_enabled {
// The command line passed from the bootloader cannot be trusted, so it is not used when Secure Boot is active.
embedded.as_bytes().to_vec()
} else {
let passed = boot_services
.open_protocol_exclusive::<LoadedImage>(boot_services.image_handle())
.map(|loaded_image| loaded_image.load_options_as_bytes().map(|b| b.to_vec()));
match passed {
Ok(Some(passed)) => passed,
// If anything went wrong, fall back to the embedded command line.
_ => embedded.as_bytes().to_vec(),
}
}
}
/// Check whether Secure Boot is active, and we should be enforcing integrity checks.
///
/// In case of doubt, true is returned to be on the safe side.
pub fn get_secure_boot_status(runtime_services: &RuntimeServices) -> bool {
// The firmware initialized SecureBoot to 1 if performing signature checks, and 0 if it doesn't.
// Applications are not supposed to modify this variable (in particular, don't change the value from 1 to 0).
let secure_boot_enabled = runtime_services
.get_variable(
cstr16!("SecureBoot"),
&VariableVendor(guid!("8be4df61-93ca-11d2-aa0d-00e098032b8c")),
&mut [1],
)
.and_then(|(value, _)| match value {
[0] => Ok(false),
[1] => Ok(true),
[v] => {
warn!(
"Unexpected value of SecureBoot variable: {v}. Performing verification anyway."
);
Ok(true)
}
_ => Err(Status::BAD_BUFFER_SIZE.into()),
})
.unwrap_or_else(|err| {
if err.status() == Status::NOT_FOUND {
warn!("SecureBoot variable not found. Assuming Secure Boot is not supported.");
false
} else {
warn!("Failed to read SecureBoot variable: {err}. Performing verification anyway.");
true
}
});
if !secure_boot_enabled {
warn!("Secure Boot is not active!");
}
secure_boot_enabled
}
/// Boot the Linux kernel without checking the PE signature.
///
/// We assume that the caller has made sure that the image is safe to
@ -20,7 +88,7 @@ pub fn boot_linux_unchecked(
handle: Handle,
system_table: SystemTable<Boot>,
kernel_data: Vec<u8>,
kernel_cmdline: &CStr16,
kernel_cmdline: &[u8],
initrd_data: Vec<u8>,
) -> uefi::Result<()> {
let kernel =

View File

@ -1,7 +1,7 @@
use alloc::vec::Vec;
use uefi::{prelude::*, CString16, Result};
use crate::common::{boot_linux_unchecked, extract_string};
use crate::common::{boot_linux_unchecked, extract_string, get_cmdline, get_secure_boot_status};
use linux_bootloader::pe_section::pe_section;
use linux_bootloader::uefi_helpers::booted_image_file;
@ -56,12 +56,12 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable<Boot>) -> Status
.expect("Failed to extract configuration from binary.")
};
boot_linux_unchecked(
handle,
system_table,
config.kernel,
let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services());
let cmdline = get_cmdline(
&config.cmdline,
config.initrd,
)
.status()
system_table.boot_services(),
secure_boot_enabled,
);
boot_linux_unchecked(handle, system_table, config.kernel, &cmdline, config.initrd).status()
}

View File

@ -1,8 +1,8 @@
use log::{error, warn};
use sha2::{Digest, Sha256};
use uefi::{fs::FileSystem, guid, prelude::*, table::runtime::VariableVendor, CString16, Result};
use uefi::{fs::FileSystem, prelude::*, CString16, Result};
use crate::common::{boot_linux_unchecked, extract_string};
use crate::common::{boot_linux_unchecked, extract_string, get_cmdline, get_secure_boot_status};
use linux_bootloader::pe_section::pe_section;
use linux_bootloader::uefi_helpers::booted_image_file;
@ -91,39 +91,7 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable<Boot>) -> uefi::
.expect("Failed to extract configuration from binary. Did you run lzbt?")
};
// The firmware initialized SecureBoot to 1 if performing signature checks, and 0 if it doesn't.
// Applications are not supposed to modify this variable (in particular, don't change the value from 1 to 0).
let secure_boot_enabled = system_table
.runtime_services()
.get_variable(
cstr16!("SecureBoot"),
&VariableVendor(guid!("8be4df61-93ca-11d2-aa0d-00e098032b8c")),
&mut [1],
)
.and_then(|(value, _)| match value {
[0] => Ok(false),
[1] => Ok(true),
[v] => {
warn!(
"Unexpected value of SecureBoot variable: {v}. Performing verification anyway."
);
Ok(true)
}
_ => Err(Status::BAD_BUFFER_SIZE.into()),
})
.unwrap_or_else(|err| {
if err.status() == Status::NOT_FOUND {
warn!("SecureBoot variable not found. Assuming Secure Boot is not supported.");
false
} else {
warn!("Failed to read SecureBoot variable: {err}. Performing verification anyway.");
true
}
});
if !secure_boot_enabled {
warn!("Secure Boot is not active!");
}
let secure_boot_enabled = get_secure_boot_status(system_table.runtime_services());
let kernel_data;
let initrd_data;
@ -143,6 +111,12 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable<Boot>) -> uefi::
.expect("Failed to read initrd file into memory");
}
let cmdline = get_cmdline(
&config.cmdline,
system_table.boot_services(),
secure_boot_enabled,
);
check_hash(
&kernel_data,
config.kernel_hash,
@ -156,11 +130,5 @@ pub fn boot_linux(handle: Handle, mut system_table: SystemTable<Boot>) -> uefi::
secure_boot_enabled,
)?;
boot_linux_unchecked(
handle,
system_table,
kernel_data,
&config.cmdline,
initrd_data,
)
boot_linux_unchecked(handle, system_table, kernel_data, &cmdline, initrd_data)
}