grub-devel

[RFC PATCH v3 0/1] kern/dl: Add module version check


From: Zhang Boyang
Subject: [RFC PATCH v3 0/1] kern/dl: Add module version check
Date: Fri, 23 Dec 2022 00:38:28 +0800
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.6.0

Hi,

This is the V3 of my patch.

V2 is at:
https://lists.gnu.org/archive/html/grub-devel/2022-12/msg00234.html

V1 is at:
https://lists.gnu.org/archive/html/grub-devel/2022-12/msg00213.html


[ TL;DR ]

1) The check is always enforced when GRUB is locked down, i.e. modules will be refused if they have a mismatched version.

2) If built with "--disable-modver-check", modules can always be loaded even if they have a mismatched version, and no message will be displayed.

3) If built with "--enable-modver-check=audit", modules can always be loaded even if they have a mismatched version, but if a mismatch is found, a warning message will be displayed. This is the default.

4) If built with "--enable-modver-check=enforce", the behavior is the same as 1).


[ Why this patch is useful, even for BIOS boot ]

Because it helps people diagnose broken (or improper) GRUB installations.

For example, if you google "452: out of range pointer", you will get a lot of results in 2022. I think most of them are related to mismatched modules. However, these problems are often not properly diagnosed because they disappear magically, e.g. after updating the whole system (which triggers a GRUB reinstall). Several people even suspect there are problems with their hard disk / BIOS. However, the root cause is that 052e6068be62 ("mm: When adding a region, merge with region after as well as before") changed the layout of `struct grub_mm_region`, which is used in both the main program and "relocator.mod", so the module reads the wrong field and crashes GRUB. Please note the commit did nothing wrong because there are no API/ABI compatibility guarantees in GRUB.

If there are warning messages about mismatched modules, users will easily notice there are problems with their GRUB installation.


[ Why not enforce this check to prevent crashes ]

As Glenn & Pete said, most mismatched modules aren't harmful. Most of the time, GRUB with mismatched modules can boot Linux happily, even if these modules come from another Linux distribution. This enables the user to fix his/her GRUB installation without using a boot/rescue disk, because the user can boot the existing Linux using the existing (but improperly installed) GRUB.


[ Why warning can be disabled ]

Some tools like Rufus rely on mismatched modules. Some advanced users also don't like redundant warnings for their existing known-to-work configurations.

However, it's highly unrecommended to disable this warning.


[ Why this patch is a prerequisite for external signed module support ]

Consider this scenario:

1) GRUB 2.XX is free of vulnerabilities

2) GRUB 2.YY is also free of vulnerabilities

3) So GRUB 2.XX shares the same SBAT numbers with GRUB 2.YY, therefore SBAT can't help with the version check

4) If there is no version check, it's possible to load GRUB 2.YY modules into GRUB 2.XX (and vice versa)

5) However, due to some changes in API or ABI, although unlikely, there is a possibility that there are vulnerabilities when using GRUB 2.YY modules with GRUB 2.XX (and vice versa)

6) So we must enforce the version check to prevent this from happening

However, because the version string consists only of PACKAGE_VERSION, it must be unique for one given vendor (signer). For example, the version string needs to be different for Debian 10 and Debian 11 even if they both use GRUB 2.06, and no two builds in Debian 10 (or Debian 11) have the same version string.


Best Regards,
Zhang Boyang
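
An added illustration, not code from this patch or from GRUB: a module built against an old struct layout reads the wrong field from the running core, and a version check with the audit/enforce/lockdown policy described in the message catches the mismatch at load time. The struct layouts, the names `stale_module_read_size` and `modver_check`, the enums and the version strings are all hypothetical and constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layouts (NOT GRUB's real struct grub_mm_region):
   the "new" core inserts a field in front of `size`. */
struct region_old { void *first; void *next; size_t pre_size; size_t size; };
struct region_new { void *first; void *next; size_t pre_size; size_t post_size;
                    size_t size; };

/* What a module built against the old layout does: read `size` at the old
   offset, whatever the running core actually stores there. */
static size_t stale_module_read_size(const void *region)
{
  size_t v;
  memcpy(&v, (const char *) region + offsetof(struct region_old, size), sizeof v);
  return v;
}

enum modver_mode { MODVER_DISABLED, MODVER_AUDIT, MODVER_ENFORCE };
enum load_result { LOAD_OK, LOAD_OK_WARNED, LOAD_REFUSED };

/* Policy from the TL;DR: lockdown always enforces; otherwise the build-time
   mode decides. A missing version string counts as a mismatch (assumption). */
static enum load_result
modver_check(const char *core_ver, const char *mod_ver,
             enum modver_mode mode, int locked_down)
{
  if (mod_ver != NULL && strcmp(core_ver, mod_ver) == 0)
    return LOAD_OK;
  if (locked_down || mode == MODVER_ENFORCE)
    return LOAD_REFUSED;
  if (mode == MODVER_DISABLED)
    return LOAD_OK;                     /* silent load */
  fprintf(stderr, "warning: module version %s != core version %s\n",
          mod_ver ? mod_ver : "(none)", core_ver);
  return LOAD_OK_WARNED;
}

int main(void)
{
  struct region_new r = { NULL, NULL, 0, 7, 4096 };   /* constructed values */
  printf("core size=%zu, stale module sees %zu\n", r.size, stale_module_read_size(&r));
  /* Constructed per-build version strings for one vendor. */
  printf("audit: %d\n", modver_check("2.06-1", "2.06-2", MODVER_AUDIT, 0));
  printf("lockdown: %d\n", modver_check("2.06-1", "2.06-2", MODVER_DISABLED, 1));
  return 0;
}
```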


