You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
grub2/SOURCES/0466-kern-efi-Add-initial-s...

299 lines
10 KiB

This file contains invisible Unicode characters!

This file contains invisible Unicode characters that may be processed differently from what appears below. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to reveal hidden characters.

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Chris Coulson <chris.coulson@canonical.com>
Date: Fri, 19 Feb 2021 13:53:45 +0100
Subject: [PATCH] kern/efi: Add initial stack protector implementation
It works only on UEFI platforms but can be quite easily extended to
others architectures and platforms if needed.
Signed-off-by: Chris Coulson <chris.coulson@canonical.com>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Marco A Benatto <mbenatto@redhat.com>
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
---
configure.ac | 44 ++++++++++++++++++++++++++++++----
grub-core/kern/efi/init.c | 54 ++++++++++++++++++++++++++++++++++++++++++
include/grub/efi/api.h | 19 +++++++++++++++
include/grub/stack_protector.h | 30 +++++++++++++++++++++++
acinclude.m4 | 38 +++++++++++++++++++++++++++--
grub-core/Makefile.am | 1 +
6 files changed, 179 insertions(+), 7 deletions(-)
create mode 100644 include/grub/stack_protector.h
diff --git a/configure.ac b/configure.ac
index 0059b938a..f59a7b86c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1330,12 +1330,41 @@ fi]
CFLAGS="$TARGET_CFLAGS"
-# Smashing stack protector.
+# Stack smashing protector.
grub_CHECK_STACK_PROTECTOR
-# Need that, because some distributions ship compilers that include
-# `-fstack-protector' in the default specs.
-if test "x$ssp_possible" = xyes; then
- TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+AC_ARG_ENABLE([stack-protector],
+ AS_HELP_STRING([--enable-stack-protector],
+ [enable the stack protector]),
+ [],
+ [enable_stack_protector=no])
+if test "x$enable_stack_protector" = xno; then
+ if test "x$ssp_possible" = xyes; then
+ # Need that, because some distributions ship compilers that include
+ # `-fstack-protector' in the default specs.
+ TARGET_CFLAGS="$TARGET_CFLAGS -fno-stack-protector"
+ fi
+elif test "x$platform" != xefi; then
+ AC_MSG_ERROR([--enable-stack-protector is only supported on EFI platforms])
+elif test "x$ssp_global_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -mstack-protector-guard=global)])
+else
+ TARGET_CFLAGS="$TARGET_CFLAGS -mstack-protector-guard=global"
+ if test "x$enable_stack_protector" = xyes; then
+ if test "x$ssp_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector is not supported (compiler doesn't support -fstack-protector)])
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector"
+ elif test "x$enable_stack_protector" = xstrong; then
+ if test "x$ssp_strong_possible" != xyes; then
+ AC_MSG_ERROR([--enable-stack-protector=strong is not supported (compiler doesn't support -fstack-protector-strong)])
+ fi
+ TARGET_CFLAGS="$TARGET_CFLAGS -fstack-protector-strong"
+ else
+ # Note, -fstack-protector-all requires that the protector is disabled for
+ # functions that appear in the call stack when the canary is initialized.
+ AC_MSG_ERROR([invalid value $enable_stack_protector for --enable-stack-protector])
+ fi
+ TARGET_CPPFLAGS="$TARGET_CPPFLAGS -DGRUB_STACK_PROTECTOR=1"
fi
CFLAGS="$TARGET_CFLAGS"
@@ -2247,5 +2276,10 @@ echo "Without liblzma (no support for XZ-compressed mips images) ($liblzma_excus
else
echo "With liblzma from $LIBLZMA (support for XZ-compressed mips images)"
fi
+if test "x$enable_stack_protector" != xno; then
+echo "With stack smashing protector: Yes"
+else
+echo "With stack smashing protector: No"
+fi
echo "*******************************************************"
]
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
index 97bf36906..501608f74 100644
--- a/grub-core/kern/efi/init.c
+++ b/grub-core/kern/efi/init.c
@@ -28,6 +28,58 @@
#include <grub/mm.h>
#include <grub/kernel.h>
#include <grub/lib/envblk.h>
+#include <grub/stack_protector.h>
+
+#ifdef GRUB_STACK_PROTECTOR
+
+static grub_efi_guid_t rng_protocol_guid = GRUB_EFI_RNG_PROTOCOL_GUID;
+
+/*
+ * Don't put this on grub_efi_init()'s local stack to avoid it
+ * getting a stack check.
+ */
+static grub_efi_uint8_t stack_chk_guard_buf[32];
+
+grub_addr_t __stack_chk_guard;
+
+void __attribute__ ((noreturn))
+__stack_chk_fail (void)
+{
+ /*
+ * Assume it's not safe to call into EFI Boot Services. Sorry, that
+ * means no console message here.
+ */
+ do
+ {
+ /* Do not optimize out the loop. */
+ asm volatile ("");
+ }
+ while (1);
+}
+
+static void
+stack_protector_init (void)
+{
+ grub_efi_rng_protocol_t *rng;
+
+ /* Set up the stack canary. Make errors here non-fatal for now. */
+ rng = grub_efi_locate_protocol (&rng_protocol_guid, NULL);
+ if (rng != NULL)
+ {
+ grub_efi_status_t status;
+
+ status = efi_call_4 (rng->get_rng, rng, NULL, sizeof (stack_chk_guard_buf),
+ stack_chk_guard_buf);
+ if (status == GRUB_EFI_SUCCESS)
+ grub_memcpy (&__stack_chk_guard, stack_chk_guard_buf, sizeof (__stack_chk_guard));
+ }
+}
+#else
+static void
+stack_protector_init (void)
+{
+}
+#endif
grub_addr_t grub_modbase;
@@ -92,6 +144,8 @@ grub_efi_init (void)
messages. */
grub_console_init ();
+ stack_protector_init ();
+
/* Initialize the memory management system. */
grub_efi_mm_init ();
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index a092fddb6..37e7b1628 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -344,6 +344,11 @@
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
}
+#define GRUB_EFI_RNG_PROTOCOL_GUID \
+ { 0x3152bca5, 0xeade, 0x433d, \
+ { 0x86, 0x2e, 0xc0, 0x1c, 0xdc, 0x29, 0x1f, 0x44 } \
+ }
+
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
@@ -2067,6 +2072,20 @@ struct grub_efi_ip6_config_manual_address {
};
typedef struct grub_efi_ip6_config_manual_address grub_efi_ip6_config_manual_address_t;
+typedef grub_efi_guid_t grub_efi_rng_algorithm_t;
+
+struct grub_efi_rng_protocol
+{
+ grub_efi_status_t (*get_info) (struct grub_efi_rng_protocol *this,
+ grub_efi_uintn_t *rng_algorithm_list_size,
+ grub_efi_rng_algorithm_t *rng_algorithm_list);
+ grub_efi_status_t (*get_rng) (struct grub_efi_rng_protocol *this,
+ grub_efi_rng_algorithm_t *rng_algorithm,
+ grub_efi_uintn_t rng_value_length,
+ grub_efi_uint8_t *rng_value);
+};
+typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
+
#if (GRUB_TARGET_SIZEOF_VOID_P == 4) || defined (__ia64__) \
|| defined (__aarch64__) || defined (__MINGW64__) || defined (__CYGWIN__)
diff --git a/include/grub/stack_protector.h b/include/grub/stack_protector.h
new file mode 100644
index 000000000..c88dc00b5
--- /dev/null
+++ b/include/grub/stack_protector.h
@@ -0,0 +1,30 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2021 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_STACK_PROTECTOR_H
+#define GRUB_STACK_PROTECTOR_H 1
+
+#include <grub/symbol.h>
+#include <grub/types.h>
+
+#ifdef GRUB_STACK_PROTECTOR
+extern grub_addr_t EXPORT_VAR (__stack_chk_guard);
+extern void __attribute__ ((noreturn)) EXPORT_FUNC (__stack_chk_fail) (void);
+#endif
+
+#endif /* GRUB_STACK_PROTECTOR_H */
diff --git a/acinclude.m4 b/acinclude.m4
index 242e829ff..21238fcfd 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -324,9 +324,9 @@ fi
])
-dnl Check if the C compiler supports `-fstack-protector'.
+dnl Check if the C compiler supports the stack protector
AC_DEFUN([grub_CHECK_STACK_PROTECTOR],[
-[# Smashing stack protector.
+[# Stack smashing protector.
ssp_possible=yes]
AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector'])
# Is this a reliable test case?
@@ -343,6 +343,40 @@ else
ssp_possible=no]
AC_MSG_RESULT([no])
[fi]
+[# Strong stack smashing protector.
+ssp_strong_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-fstack-protector-strong'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector-strong -o conftest.s" 2> /dev/null; then]
+ AC_MSG_RESULT([yes])
+ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_strong_possible=no]
+ AC_MSG_RESULT([no])
+[fi]
+[# Global stack smashing protector.
+ssp_global_possible=yes]
+AC_MSG_CHECKING([whether `$CC' accepts `-mstack-protector-guard=global'])
+# Is this a reliable test case?
+AC_LANG_CONFTEST([AC_LANG_SOURCE([[
+void foo (void) { volatile char a[8]; a[3]; }
+]])])
+[# `$CC -c -o ...' might not be portable. But, oh, well... Is calling
+# `ac_compile' like this correct, after all?
+if eval "$ac_compile -S -fstack-protector -mstack-protector-guard=global -o conftest.s" 2> /dev/null; then]
+ AC_MSG_RESULT([yes])
+ [# Should we clear up other files as well, having called `AC_LANG_CONFTEST'?
+ rm -f conftest.s
+else
+ ssp_global_possible=no]
+ AC_MSG_RESULT([no])
+[fi]
])
dnl Check if the C compiler supports `-mstack-arg-probe' (Cygwin).
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index a6f1b0dcd..308ad8850 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -92,6 +92,7 @@ endif
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h