efi: Make use of the grub's prefix for detection

Avoid relying on the signature in order to detect an Ubuntu production grub binary for binaries without a SBAT section, as this breaks test cases in snapd where grub is re-signed. Instead, obtain the prefix from the "mods" section (which is set to "/EFI/ubuntu" in Ubuntu).
canonical · Oct 27, 2023 · 3a7fd0b · 3a7fd0b
1 parent f33c1f8
commit 3a7fd0b
Show file tree

Hide file tree

Showing 9 changed files with 284 additions and 18 deletions.
diff --git a/efi/efi_test.go b/efi/efi_test.go
@@ -143,6 +143,8 @@ type mockPeImageHandle struct {
 func (*mockPeImageHandle) Close() error    { return nil }
 func (h *mockPeImageHandle) Source() Image { return h.mockImage }
 
+func (h *mockPeImageHandle) Machine() uint16 { return 0 }
+
 func (h *mockPeImageHandle) OpenSection(name string) *io.SectionReader {
 	data, exists := h.sections[name]
 	if !exists {
@@ -182,6 +184,10 @@ func (h *mockPeImageHandle) newShimImageHandle() *mockShimImageHandle {
 	return &mockShimImageHandle{mockPeImageHandle: h}
 }
 
+func (h *mockPeImageHandle) newGrubImageHandle() *mockGrubImageHandle {
+	return &mockGrubImageHandle{mockPeImageHandle: h}
+}
+
 type mockShimImageHandle struct {
 	*mockPeImageHandle
 }
@@ -211,6 +217,14 @@ func (h *mockShimImageHandle) ReadSbatLevel() (ShimSbatLevel, error) {
 	return *h.shimSbatLevel, nil
 }
 
+type mockGrubImageHandle struct {
+	*mockPeImageHandle
+}
+
+func (h *mockGrubImageHandle) Prefix() (string, error) {
+	return h.grubPrefix, nil
+}
+
 type mockImage struct {
 	sections  map[string][]byte
 	sbat      []SbatComponent
@@ -222,6 +236,8 @@ type mockImage struct {
 	shimVendorDb       efi.SignatureDatabase
 	shimVendorDbFormat ShimVendorCertFormat
 	shimSbatLevel      *ShimSbatLevel
+
+	grubPrefix string
 }
 
 func newMockImage() *mockImage {
@@ -284,6 +300,11 @@ func (i *mockImage) withShimSbatLevel(sbatLevel ShimSbatLevel) *mockImage {
 	return i
 }
 
+func (i *mockImage) withGrubPrefix(prefix string) *mockImage {
+	i.grubPrefix = prefix
+	return i
+}
+
 func newMockUbuntuShimImage15a(c *C) *mockImage {
 	return newMockImage().
 		appendSignatures(efitest.ReadWinCertificateAuthenticodeDetached(c, shimUbuntuSig1)).
@@ -324,7 +345,8 @@ func newMockUbuntuShimImage15_7(c *C) *mockImage {
 func newMockUbuntuGrubImage1(c *C) *mockImage {
 	return newMockImage().
 		appendSignatures(efitest.ReadWinCertificateAuthenticodeDetached(c, grubUbuntuSig1)).
-		addSection("mods", nil)
+		addSection("mods", nil).
+		withGrubPrefix("/EFI/ubuntu")
 }
 
 func newMockUbuntuGrubImage2(c *C) *mockImage {
@@ -334,7 +356,8 @@ func newMockUbuntuGrubImage2(c *C) *mockImage {
 		withSbat([]SbatComponent{
 			{Name: "grub"},
 			{Name: "grub.ubuntu"},
-		})
+		}).
+		withGrubPrefix("/EFI/ubuntu")
 }
 
 func newMockUbuntuGrubImage3(c *C) *mockImage {
@@ -344,7 +367,8 @@ func newMockUbuntuGrubImage3(c *C) *mockImage {
 		withSbat([]SbatComponent{
 			{Name: "grub"},
 			{Name: "grub.ubuntu"},
-		})
+		}).
+		withGrubPrefix("/EFI/ubuntu")
 }
 
 func newMockUbuntuKernelImage1(c *C) *mockImage {
@@ -439,6 +463,27 @@ func (m *mockShimImageHandleMixin) TearDownTest(c *C) {
 	}
 }
 
+type mockGrubImageHandleMixin struct {
+	restore func()
+}
+
+func (m *mockGrubImageHandleMixin) SetUpTest(c *C) {
+	orig := NewGrubImageHandle
+	m.restore = MockNewGrubImageHandle(func(image PeImageHandle) GrubImageHandle {
+		h, ok := image.(*mockPeImageHandle)
+		if !ok {
+			return orig(image)
+		}
+		return h.newGrubImageHandle()
+	})
+}
+
+func (m *mockGrubImageHandleMixin) TearDownTest(c *C) {
+	if m.restore != nil {
+		m.restore()
+	}
+}
+
 type mockImageLoadHandlerMap map[Image]ImageLoadHandler
 
 func (h mockImageLoadHandlerMap) LookupHandler(image PeImageHandle) (ImageLoadHandler, error) {

diff --git a/efi/export_test.go b/efi/export_test.go
@@ -59,6 +59,7 @@ var (
 	MustParseShimVersion                        = mustParseShimVersion
 	NewestSbatLevel                             = newestSbatLevel
 	NewFwLoadHandler                            = newFwLoadHandler
+	NewGrubImageHandle                          = newGrubImageHandle
 	NewImageLoadHandlerLazyMap                  = newImageLoadHandlerLazyMap
 	NewImageRule                                = newImageRule
 	NewImageRules                               = newImageRules
@@ -85,6 +86,7 @@ var (
 // unexported members of some unexported types.
 type FwContext = fwContext
 type GrubFlags = grubFlags
+type GrubImageHandle = grubImageHandle
 type GrubLoadHandler = grubLoadHandler
 type ImageLoadHandler = imageLoadHandler
 type ImageLoadHandlerMap = imageLoadHandlerMap
@@ -170,6 +172,14 @@ func MockNewFwLoadHandler(fn func(*tcglog.Log) ImageLoadHandler) (restore func()
 	}
 }
 
+func MockNewGrubImageHandle(fn func(peImageHandle) grubImageHandle) (restore func()) {
+	orig := newGrubImageHandle
+	newGrubImageHandle = fn
+	return func() {
+		newGrubImageHandle = orig
+	}
+}
+
 func MockNewShimImageHandle(fn func(peImageHandle) shimImageHandle) (restore func()) {
 	orig := newShimImageHandle
 	newShimImageHandle = fn

diff --git a/efi/grub.go b/efi/grub.go
@@ -0,0 +1,158 @@
+// -*- Mode: Go; indent-tabs-mode: t -*-
+
+/*
+ * Copyright (C) 2023 Canonical Ltd
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 3 as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+package efi
+
+import (
+	"encoding/binary"
+	"errors"
+	"fmt"
+	"io"
+	"math"
+
+	pe "github.com/snapcore/secboot/internal/pe1.14"
+)
+
+const grubObjTypePrefix uint32 = 3
+
+type grubModuleHeader struct {
+	Type uint32
+	Size uint32
+}
+
+const grubModuleMagic uint32 = 0x676d696d
+
+type grubModuleInfo32 struct {
+	Magic  uint32
+	Offset uint32
+	Size   uint32
+}
+
+type grubModuleInfo64 struct {
+	Magic   uint32
+	Padding uint32
+	Offset  uint64
+	Size    uint64
+}
+
+type grubModule struct {
+	Type uint32
+	*io.SectionReader
+}
+
+type grubImageHandle interface {
+	peImageHandle
+
+	Prefix() (string, error)
+}
+
+type grubImageHandleImpl struct {
+	peImageHandle
+}
+
+// newGrubImageHandle returns a new grubImageHandle for the supplied peImageHandle.
+var newGrubImageHandle = func(image peImageHandle) grubImageHandle {
+	return &grubImageHandleImpl{peImageHandle: image}
+}
+
+func (h *grubImageHandleImpl) mods() ([]grubModule, error) {
+	section := h.OpenSection("mods")
+	if section == nil {
+		return nil, errors.New("no mods section")
+	}
+
+	var r *io.SectionReader
+	switch h.Machine() {
+	case pe.IMAGE_FILE_MACHINE_AMD64, pe.IMAGE_FILE_MACHINE_ARM64, pe.IMAGE_FILE_MACHINE_RISCV64:
+		var info grubModuleInfo64
+		if err := binary.Read(section, binary.LittleEndian, &info); err != nil {
+			return nil, fmt.Errorf("cannot obtain modules info: %w", err)
+		}
+		if info.Magic != grubModuleMagic {
+			return nil, errors.New("invalid modules magic")
+		}
+		if info.Size > math.MaxInt64 {
+			return nil, errors.New("invalid modules offset")
+		}
+		if info.Size > math.MaxInt64 || info.Size < uint64(binary.Size(info)) {
+			return nil, errors.New("invalid modules size")
+		}
+		r = io.NewSectionReader(section, int64(info.Offset), int64(info.Size)-int64(binary.Size(info)))
+	case pe.IMAGE_FILE_MACHINE_ARM, pe.IMAGE_FILE_MACHINE_I386, pe.IMAGE_FILE_MACHINE_RISCV32:
+		var info grubModuleInfo32
+		if err := binary.Read(section, binary.LittleEndian, &info); err != nil {
+			return nil, fmt.Errorf("cannot obtain modules info: %w", err)
+		}
+		if info.Magic != grubModuleMagic {
+			return nil, errors.New("invalid module magic")
+		}
+		if info.Size < uint32(binary.Size(info.Size)) {
+			return nil, errors.New("invalid modules size")
+		}
+		r = io.NewSectionReader(section, int64(info.Offset), int64(info.Size)-int64(binary.Size(info)))
+	default:
+		return nil, fmt.Errorf("unrecognized machine: %d", h.Machine())
+	}
+
+	var mods []grubModule
+
+	for {
+		var hdr grubModuleHeader
+		if err := binary.Read(r, binary.LittleEndian, &hdr); err != nil {
+			if err == io.EOF {
+				break
+			}
+			return nil, fmt.Errorf("cannot obtain module header: %w", err)
+		}
+
+		offset, _ := r.Seek(0, io.SeekCurrent)
+		size := int64(hdr.Size) - int64(binary.Size(hdr))
+		mods = append(mods, grubModule{
+			Type:          hdr.Type,
+			SectionReader: io.NewSectionReader(r, offset, size),
+		})
+
+		if _, err := r.Seek(size, io.SeekCurrent); err != nil {
+			return nil, fmt.Errorf("cannot seek to next module: %w", err)
+		}
+	}
+
+	return mods, nil
+}
+
+func (h *grubImageHandleImpl) Prefix() (string, error) {
+	mods, err := h.mods()
+	if err != nil {
+		return "", err
+	}
+
+	for _, mod := range mods {
+		if mod.Type != grubObjTypePrefix {
+			continue
+		}
+
+		prefix, err := io.ReadAll(newCstringReader(mod))
+		if err != nil {
+			return "", fmt.Errorf("cannot obtain prefix: %w", err)
+		}
+		return string(prefix), nil
+	}
+
+	return "", nil
+}
diff --git a/efi/image_load_handler_test.go b/efi/image_load_handler_test.go
@@ -48,6 +48,17 @@ func (c *mockImageLoadHandlerConstructor) NewImageLoadHandler(image PeImageHandl
 
 type imageLoadHandlerSuite struct {
 	mockShimImageHandleMixin
+	mockGrubImageHandleMixin
+}
+
+func (s *imageLoadHandlerSuite) SetUpTest(c *C) {
+	s.mockShimImageHandleMixin.SetUpTest(c)
+	s.mockGrubImageHandleMixin.SetUpTest(c)
+}
+
+func (s *imageLoadHandlerSuite) TearDownTest(c *C) {
+	s.mockShimImageHandleMixin.TearDownTest(c)
+	s.mockGrubImageHandleMixin.TearDownTest(c)
 }
 
 var _ = Suite(&imageLoadHandlerSuite{})
@@ -131,5 +142,5 @@ func (s *imageLoadHandlerSuite) TestDefaultLookupFallback(c *C) {
 	handler, err := m.LookupHandler(image.newPeImageHandle())
 	c.Assert(err, IsNil)
 	c.Assert(handler, testutil.ConvertibleTo, &GrubLoadHandler{})
-	c.Check(handler, DeepEquals, new(GrubLoadHandler))
+	c.Check(handler.(*GrubLoadHandler).Flags, Equals, GrubChainloaderUsesShimProtocol)
 }
diff --git a/efi/image_rules.go b/efi/image_rules.go
@@ -258,3 +258,15 @@ func (p *shimVersionPredicate) Matches(image peImageHandle) (bool, error) {
 		return false, fmt.Errorf("invalid shim version operator %s", p.operator)
 	}
 }
+
+type grubHasPrefix string
+
+func (p grubHasPrefix) Matches(image peImageHandle) (bool, error) {
+	grub := newGrubImageHandle(image)
+	prefix, err := grub.Prefix()
+	if err != nil {
+		return false, fmt.Errorf("cannot obtain grub prefix: %w", err)
+	}
+
+	return prefix == string(p), nil
+}
diff --git a/efi/image_rules_defs.go b/efi/image_rules_defs.go
@@ -161,18 +161,7 @@ func makeMicrosoftUEFICASecureBootNamespaceRules() *secureBootNamespaceRules {
 				),
 				imageMatchesAll(
 					imageSectionExists("mods"),
-					imageSignedByOrganization("Canonical Ltd."),
-				),
-			),
-			newGrubLoadHandlerConstructor(grubChainloaderUsesShimProtocol).New,
-		),
-		withImageRuleOnlyForTesting(
-			"Ubuntu grub, signed with snakeoil or other test key",
-			imageMatchesAll(
-				imageSectionExists(".mods"),
-				imageMatchesAny(
-					imageSignedByOrganization("Snake Oil"),
-					imageSignedByCommonName("new vendor certificate"),
+					grubHasPrefix("/EFI/ubuntu"),
 				),
 			),
 			newGrubLoadHandlerConstructor(grubChainloaderUsesShimProtocol).New,
@@ -218,6 +207,15 @@ func makeFallbackImageRules() *imageRules {
 			imageSectionExists(".vendor_cert"),
 			newShimLoadHandler,
 		),
+		// Ubuntu grub
+		newImageRule(
+			"grub",
+			imageMatchesAll(
+				imageSectionExists("mods"),
+				grubHasPrefix("/EFI/ubuntu"),
+			),
+			newGrubLoadHandlerConstructor(grubChainloaderUsesShimProtocol).New,
+		),
 		// Grub
 		newImageRule(
 			"grub",