[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[RFC PATCH v3 0/1] kern/dl: Add module version check

From: Zhang Boyang
Subject: [RFC PATCH v3 0/1] kern/dl: Add module version check
Date: Fri, 23 Dec 2022 00:38:28 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0


This is the V3 of my patch.

V2 is at:

V1 is at:

[ TD;LR ]

1) The check is always enforced when GRUB is locked down, i.e. modules will be refused to load if they have mismatched version

2) If built with "--disable-modver-check", modules can always be loaded even if they have mismatched version, and no message will be displayed.

3) If built with "--enable-modver-check=audit", modules can always be loaded even if they have mismatched version, but if mismatch is found, a warning message will be displayed. This is the default.

4) If built with "--enable-modver-check=enforce", the behavior is same as 1)

[ Why this patch is useful, even for BIOS boot ]

Because it helps people diagnose broken (or improper) GRUB installations.

For example, if you google "452: out of range pointer", you will got a lot of results in 2022. I think the most of them are related to mismatched modules. However, these problem are often not properly diagnosed because they disappear magically, e.g. update whole system (which triggers grub reinstall). There are several people even suspect there are problems with their hard disk / BIOS. However, the root cause is 052e6068be62 ("mm: When adding a region, merge with region after as well as before") changed the layout of `struct grub_mm_region`, which is both used in main program and "relocator.mod", so the module reads the wrong field and crashes GRUB. Please the commit did nothing wrong because there is no API/ABI compatibility guarantees in GRUB.

If there are warning messages about mismatched modules, user will easily notice there are problems with their GRUB installation.

[ Why not enforce this check to prevent crashes ]

As Glenn & Pete said, most mismatched modules isn't harmful. At most times, GRUB with mismatched modules can boot Linux happily, even if these modules come from another Linux distribution. This enables user to fix his/her GRUB installation without using a boot/rescue disk, because the user can boot the existing Linux using the existing (but improperly installed) GRUB.

[ Why warning can be disabled ]

Some tools like Rufus relies on mismatched modules. Some advanced users also doesn't like redundant warnings for their existing known-to-work configurations.

However, it's highly unrecommended to disable this warning.

[ Why this patch is a prerequisite for external signed module support ]

Consider this scenario:

1) GRUB 2.XX is free of vulnerabilities

2) GRUB 2.YY is also free of vulnerabilities

3) So GRUB 2.XX shares same SBAT numbers with GRUB 2.YY, therefore SBAT can't help in version check

4) If there is no version check, it's possible to load GRUB 2.YY modules into GRUB 2.XX (and vice versa)

5) However, due to some changes in API or ABI, although unlikely, there is possibility that there are vulnerabilities when using GRUB 2.YY modules with GRUB 2.XX (and vice versa)

6) So we must enforce version check to prevent this from happening

However, because version string is only consisted of PACKAGE_VERSION, it must be unique for one given vendor (signer). For example, version string need to be different for Debian 10 and Debian 11 even they both use GRUB 2.06, and no two build in Debian 10 (or Debian 11) have same version string.

Best Regards,
Zhang Boyang

reply via email to

[Prev in Thread] Current Thread [Next in Thread]