The GRUB may use TPM to verify the integrity of boot components and the
result can determine whether a previously sealed key can be released. If
everything checks out, showing nothing has been tampered with, the key
is released and GRUB unlocks the encrypted root partition for the next
stage of booting.
However, the liberal Command Line Interface (CLI) can be misused by
anyone in this case to access files in the encrypted partition one way
or another. Despite efforts to keep the CLI secure by preventing utility
command output from leaking file content, many techniques in the wild
could still be used to exploit the CLI, enabling attacks or learning
methods to attack. It's nearly impossible to account for all scenarios
where a hack could be applied.
Therefore, to mitigate potential misuse of the CLI after the root device
has been successfully unlocked via TPM, the user should be required to
authenticate using the LUKS password. This added layer of security
ensures that only authorized users can access the CLI reducing the risk
of exploitation or unauthorized access to the encrypted partition.
Fixes: CVE-2024-49504
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add functionality to disable command line interface access and editing of GRUB
menu entries if GRUB image is built with --disable-cli.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
compact and more efficient code.
* grub-core/kern/list.c (grub_list_push): Moved from here ...
* include/grub/list.h (grub_list_push): ... to here. Set prev.
(grub_list_remove): Moved from here ...
* include/grub/list.h (grub_list_remove): ... here. Use and set prev.
(grub_prio_list_insert): Set prev.
* include/grub/list.h (grub_list): Add prev. All users updated.
* Makefile.util.def (grub-mklayout): New file.
(grub-kbdcomp): New script.
* grub-core/Makefile.am (KERNEL_HEADER_FILES) [COND_mips_yeeloong]:
Add keyboard_layouts.h.
* grub-core/Makefile.core.def (kernel): Add commands/keylayouts.c and
commands/boot.c on yeeloong.
(keylayouts): New module.
* grub-core/bus/usb/ohci.c
* grub-core/bus/usb/uhci.c
* grub-core/bus/usb/usbhub.c (rescan): New variable.
(grub_usb_add_hub): Poll interrupt pipe for device handling.
(attach_root_port): Likewise.
(poll_nonroot_hub): Likewise.
(grub_usb_poll_devices): Likewise.
(detach_device): Close transfer.
* grub-core/bus/usb/usbtrans.c (grub_usb_execute_and_wait_transfer): New
function.
(grub_usb_bulk_setup_readwrite): Likewise.
(grub_usb_bulk_finish_readwrite): Likewise.
* grub-core/commands/keylayouts.c: New file.
* grub-core/commands/keystatus.c (grub_getkeystatus): New function.
* grub-core/commands/menuentry.c (hotkey_aliases): All several new
aliases.
* grub-core/term/at_keyboard.c: Restructured to use keylayouts and
support scancode 2.
* grub-core/term/usb_keyboard.c: Restructured to use keylayouts.
* include/grub/keyboard_layouts.h: New file.
* util/grub-mklayout.c: New file.
* util/grub-kbdcomp.in: Likewise.
Also-By: Aleš Nesrsta <starous@volny.cz>
Also-By: Vladimir Serbinenko <phcoder@gmail.com>
