When the normal module is loaded, the normal and normal_exit commands
are registered but aren't unregistered when the module is unloaded. We
need to add calls to grub_unregister_command() when unloading the module
for these commands.
Fixes: CVE-2025-61663
Fixes: CVE-2025-61664
Reported-by: Alec Brown <alec.r.brown@oracle.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The --hw-accel option has been added to cryptomount to speed up
decryption by temporarily enabling hardware-specific instruction
sets (e.g., AVX, SSE) in libgcrypt.
A new feature, "feature_gcry_hw_accel", is also introduced to mark the
availability of the new option.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
To prevent a sealed key from being unsealed again, a common and
straightforward method is to "cap" the key by extending the associated
PCRs. When the PCRs associated with the sealed key are extended, the TPM will
be unable to unseal the key, as the PCR values required for unsealing no
longer match, effectively rendering the key unusable until the next
system boot or a state where the PCRs are reset to their expected values.
To cap a specific set of PCRs, simply append the argument '-c pcr_list'
to the tpm2_key_protector command. Upon successfully unsealing the key,
the TPM2 key protector will then invoke tpm2_protector_cap_pcrs(). This
function extends the selected PCRs with an EV_SEPARATOR event,
effectively "capping" them. Consequently, the associated key cannot be
unsealed in any subsequent attempts until these PCRs are reset to their
original, pre-capped state, typically occurring upon the next system
boot.
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
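The capping mechanism described in the message above, as an added example that is not GRUB code: a SHA-256 PCR bank simulated in Python, a sealed object bound to a digest over the selected PCRs, and a cap step that extends those PCRs with an EV_SEPARATOR event. The class and function names, the constructed boot measurements and the separator event bytes are assumptions of this example; only the behaviour (unseal succeeds once, fails after capping, succeeds again after the PCRs are reset by a reboot) follows the text.

```python
# Added example: simulating PCR-bound sealing and PCR "capping".
# Not GRUB code; names, measurements and separator data are assumptions.
import hashlib
from typing import Dict, Iterable, Optional, Tuple

PCR_SIZE = 32  # byte length of a SHA-256 PCR

# Constructed EV_SEPARATOR event data for this simulation; the exact bytes
# GRUB measures are not stated on this page.
EV_SEPARATOR_DATA = b"\x00\x00\x00\x00"


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class SimulatedPcrBank:
    """A SHA-256 PCR bank: registers start at zero and can only be extended."""

    def __init__(self, count: int = 24) -> None:
        self.pcrs: Dict[int, bytes] = {i: bytes(PCR_SIZE) for i in range(count)}

    def extend(self, index: int, digest: bytes) -> bytes:
        # TPM2_PCR_Extend semantics: new = H(old || digest). There is no
        # "write" operation, which is what makes capping one-way until reboot.
        self.pcrs[index] = sha256(self.pcrs[index] + digest)
        return self.pcrs[index]

    def composite(self, selection: Iterable[int]) -> bytes:
        # Digest over the selected PCR values in ascending index order; this
        # stands in for the PCR policy digest a sealed object is bound to.
        return sha256(b"".join(self.pcrs[i] for i in sorted(selection)))


def seal(bank: SimulatedPcrBank, selection: Iterable[int], secret: bytes) -> dict:
    """Bind 'secret' to the current values of the selected PCRs."""
    sel = tuple(sorted(selection))
    return {"selection": sel, "policy": bank.composite(sel), "blob": secret}


def unseal(bank: SimulatedPcrBank, sealed: dict) -> Optional[bytes]:
    """Release the secret only if the selected PCRs still match the policy."""
    if bank.composite(sealed["selection"]) != sealed["policy"]:
        return None
    return sealed["blob"]


def cap_pcrs(bank: SimulatedPcrBank, selection: Iterable[int]) -> None:
    """Stand-in for tpm2_protector_cap_pcrs(): extend each selected PCR with
    an EV_SEPARATOR event so the sealed key can no longer be unsealed."""
    separator_digest = sha256(EV_SEPARATOR_DATA)
    for index in selection:
        bank.extend(index, separator_digest)


def measure_boot(bank: SimulatedPcrBank) -> None:
    """Constructed measurements standing in for firmware and bootloader events."""
    bank.extend(7, sha256(b"constructed: secure boot policy"))
    bank.extend(11, sha256(b"constructed: grub core image"))


def boot_cycle_demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Unseal, cap, retry, then 'reboot' (fresh bank) and unseal again."""
    bank = SimulatedPcrBank()
    measure_boot(bank)
    key = seal(bank, [7, 11], b"constructed-luks-key")

    first = unseal(bank, key)          # PCRs match: key released
    cap_pcrs(bank, key["selection"])   # what '-c pcr_list' triggers after success
    second = unseal(bank, key)         # PCRs diverged: None

    bank = SimulatedPcrBank()          # reboot resets every PCR to zero
    measure_boot(bank)                 # the same components are measured again
    third = unseal(bank, key)          # PCRs match again
    return first, second, third


if __name__ == "__main__":
    print(boot_cycle_demo())
```

The point of the simulation is the asymmetry: after `cap_pcrs()` nothing short of a reset brings the registers back, so a later `unseal()` in the same boot returns `None` even though the sealed blob and its policy are unchanged.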
The BootLoaderSpec (BLS) defines a scheme where different bootloaders can
share a format for boot items and a configuration directory that accepts
these common configurations as drop-in files.
The BLS Specification: https://uapi-group.org/specifications/specs/boot_loader_specification/
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Signed-off-by: Will Thompson <wjt@endlessm.com>
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This allows users to restrict the "search" command's scope to
encrypted disks only.
Typically, this command is used to "rebase" $root and $prefix
before loading additional configuration files via "source" or
"configfile". Unfortunately, this leads to security problems,
like CVE-2023-4001, when an unexpected, attacker-controlled
device is chosen by the "search" command.
The --cryptodisk-only argument allows users to ensure that the
file system picked is encrypted.
This feature supports the CLI authentication, blocking bypass
attempts.
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The normal module does not entirely clean up after itself in
its GRUB_MOD_FINI(), leaving a few variable hooks in place.
It is not possible to unload the normal module now, but fix the
issues for completeness.
On this occasion, replace 0s with NULLs in the "pager" variable
hook unregistration.
Fixes: CVE-2025-0622
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal().
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
passing the underlying buffer's size to grub_net_search_config_file().
Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
GRUB may use a TPM to verify the integrity of boot components and the
result can determine whether a previously sealed key can be released. If
everything checks out, showing nothing has been tampered with, the key
is released and GRUB unlocks the encrypted root partition for the next
stage of booting.
However, the liberal Command Line Interface (CLI) can be misused by
anyone in this case to access files in the encrypted partition one way
or another. Despite efforts to keep the CLI secure by preventing utility
command output from leaking file content, many techniques in the wild
could still be used to exploit the CLI, enabling attacks or learning
methods to attack. It's nearly impossible to account for all scenarios
where a hack could be applied.
Therefore, to mitigate potential misuse of the CLI after the root device
has been successfully unlocked via TPM, the user should be required to
authenticate using the LUKS password. This added layer of security
ensures that only authorized users can access the CLI, reducing the risk
of exploitation or unauthorized access to the encrypted partition.
Fixes: CVE-2024-49504
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This is not an ideal solution, as interactive users must always run
a command in order to get the behavior they want, but it avoids
problematic interactions between prompting and sourcing files.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This patch implements a search for a specific configuration when the config
file is on a remote server. It uses the following order:
1) DHCP client UUID option;
2) MAC address (in lower case hexadecimal with dash separators);
3) IP (in upper case hexadecimal) or IPv6;
4) The original grub.cfg file.
This procedure is similar to what is used by pxelinux and yaboot:
http://www.syslinux.org/wiki/index.php/PXELINUX#config
It is enabled by default but can be disabled by setting the environment
variable "feature_net_search_cfg" to "n" in an embedded configuration.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=873406
Signed-off-by: Paulo Flabiano Smorigo <pfsmorigo@br.ibm.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
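The candidate order described in the message above, as an added Python example that is not GRUB's own code: it builds the list of file names to try for a given client and picks the first one a server has. The function names and the sample client values are assumptions; so is the progressive shortening of the IPv4 hex string, which follows the pxelinux convention linked above rather than anything stated on this page, and the IPv6 spelling, which the page does not specify.

```python
# Added example: candidate order for the network config-file search.
# Not GRUB code; names, sample values, IPv4 prefix shortening and the
# IPv6 spelling are assumptions of this example.
import ipaddress
from typing import Iterable, List, Optional


def config_candidates(cfg_path: str, client_uuid: Optional[str], mac: str,
                      ip: str, enabled: bool = True) -> List[str]:
    """Return the file names to try, most specific first."""
    if not enabled:
        # feature_net_search_cfg=n: only the configured file is tried.
        return [cfg_path]
    candidates: List[str] = []

    # 1) DHCP client UUID option, when the DHCP server supplied one.
    if client_uuid:
        candidates.append(f"{cfg_path}-{client_uuid}")

    # 2) MAC address as lower-case hex with dash separators.
    octets = mac.replace(":", "-").split("-")
    mac_part = "-".join(o.lower().zfill(2) for o in octets)
    candidates.append(f"{cfg_path}-{mac_part}")

    # 3) IP address as upper-case hex. For IPv4 the string is shortened one
    #    hex digit at a time (assumption: pxelinux-style prefix search), so a
    #    file for a whole subnet can be served. IPv6 is tried as one
    #    upper-case hex string (assumption).
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        hexip = f"{int(addr):08X}"
        for length in range(len(hexip), 0, -1):
            candidates.append(f"{cfg_path}-{hexip[:length]}")
    else:
        candidates.append(f"{cfg_path}-{addr.exploded.replace(':', '').upper()}")

    # 4) The original config file.
    candidates.append(cfg_path)
    return candidates


def first_existing(candidates: Iterable[str], available: Iterable[str]) -> Optional[str]:
    """Pick the first candidate the server actually has (stand-in for the
    sequence of file opens against the TFTP/HTTP server)."""
    present = set(available)
    for name in candidates:
        if name in present:
            return name
    return None


if __name__ == "__main__":
    names = config_candidates("/boot/grub/grub.cfg", None,
                              "00:1A:2b:3C:4D:5E", "192.168.1.10")
    # Constructed server listing: only a /24-wide file and the default exist.
    listing = {"/boot/grub/grub.cfg-C0A801", "/boot/grub/grub.cfg"}
    print(first_existing(names, listing))
```

Because the most specific names are tried first, a per-host file (UUID or MAC) always wins over a subnet file, and the plain grub.cfg is only reached when nothing more specific exists, which is the fallback the message describes.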
Let's provide file type info to the I/O layer. This way verifiers
framework and its users will be able to differentiate files and verify
only required ones.
This is a preparatory patch.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
If configfile is a relative pathname, extend it with the current ($root) so its
interpretation does not change if $root is changed later.
Suggested by Vladimir Serbinenko.
Default font color on PC console seems to be light-gray; this is
what the user also gets in the rescue prompt and what is defined as
GRUB_TERM_DEFAULT_NORMAL_COLOR. But normal.mod defaults to white.
This makes an unpleasant visual effect as colors are changed after the kernel
is booted.
Use the same color everywhere for consistency and default to light-gray
as this is also what at least the Linux kernel is using by default.
Add a new timeout_style environment variable and a corresponding
GRUB_TIMEOUT_STYLE configuration key for grub-mkconfig. This
controls hidden-timeout handling more simply than the previous
arrangements, and pressing any hotkeys associated with menu entries
during the hidden timeout will now boot the corresponding menu entry
immediately.
GRUB_HIDDEN_TIMEOUT=<non-empty> + GRUB_TIMEOUT=<non-zero> now
generates a warning, and if it shows the menu it will do so as if
the second timeout were not present. Other combinations are
translated into reasonable equivalents.
once enabled).
* grub-core/gettext/gettext.c: Encapsulate all static variables in
main_context and secondary_context. All functions updated.
(grub_gettext_translate): Rename to ...
(grub_gettext_translate_real): ... this. Return NULL on failed
translate.
(grub_gettext_translate): Handle secondary context.
(grub_gettext_delete_list): Close file and zero-out the context.
(grub_mofile_open): Don't call grub_gettext_delete_list.
Don't close file.
(grub_gettext_init_ext): Call grub_gettext_init_ext. Skip loading
if locale="" to avoid pointless error message.
(grub_gettext_env_write_lang): Update lang even if load fails.
Handle secondary context.
(grub_gettext_reread_prefix): New function.
(read_main): Likewise.
(read_secondary): Likewise.
(GRUB_MOD_INIT): Handle secondary context. Hook and export variables.
(GRUB_MOD_FINI): Handle secondary context. Don't close file.
* grub-core/normal/main.c (read_lists): Call grub_gettext_reread_prefix.
* include/grub/normal.h (grub_gettext_reread_prefix): New proto.
* grub-core/Makefile.am (moddep.lst): Make dependent on video.lst.
* grub-core/Makefile.core.def (all_video): New module.
* grub-core/genmoddep.awk: Generate dependency of all_video from
video.lst.
* grub-core/lib/fake_module.c: New file.
* grub-core/normal/main.c (features): Add feature_all_video_module.
* util/grub.d/00_header.in: Define locale_dir based on $prefix and
don't do explicit search again.
insmod all_video in load_video if available.
path for fonts ($prefix/fonts).
* grub-core/kern/corecmd.c (grub_core_cmd_insmod): Unify condition
for checking if string is a path.
* grub-core/normal/main.c (features): Add feature_default_font_path.
* util/grub-mkconfig.in: Skip mangling of GRUB_FONT into GRUB_FONT_PATH.
* util/grub.d/00_header.in: Use default directory if possible.
* util/grub-install.in: Install unicode.pf2.
(grub_fat_bpb): Moved to ...
* include/grub/fat.h (grub_fat_bpb): ... here. New file.
* grub-core/loader/i386/pc/chainloader.c: Include grub/fat.h and
grub/ntfs.h.
* include/grub/i386/pc/chainloader.h (grub_chainloader_flags_t):
Moved from here...
* grub-core/loader/i386/pc/chainloader.c (grub_chainloader_flags_t): ...
here.
* grub-core/loader/i386/pc/chainloader.c (grub_chainloader_patch_bpb):
New function.
(grub_chainloader_cmd): Patch BPB if --bpb is given.
(GRUB_MOD_INIT): Show --bpb.
* grub-core/loader/i386/pc/ntldr.c (grub_cmd_ntldr): Patch BPB.
* grub-core/normal/main.c (features): New variable.
(GRUB_MOD_INIT): Set feature_* variables.
* include/grub/i386/pc/chainloader.h (grub_chainloader_patch_bpb): New
proto.
* include/grub/ntfs.h (grub_ntfs_bpb): New field bios_drive.