From: Maxim Suhanov <dfirb...@gmail.com>

This further mitigates potential misuse of the CLI after the
root device has been successfully unlocked via TPM.

Fixes: CVE-2025-4382

Signed-off-by: Maxim Suhanov <dfirb...@gmail.com>
Reviewed-by: Daniel Kiper <daniel.ki...@oracle.com>
---
 grub-core/kern/rescue_reader.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
index 4259857ba..a71ada8fb 100644
--- a/grub-core/kern/rescue_reader.c
+++ b/grub-core/kern/rescue_reader.c
@@ -79,7 +79,7 @@ void __attribute__ ((noreturn))
 grub_rescue_run (void)
 {
   /* Stall if the CLI has been disabled */
-  if (grub_is_cli_disabled ())
+  if (grub_is_cli_disabled () || grub_is_cli_need_auth ())
     {
       grub_printf ("Rescue mode has been disabled...\n");
 
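Review bot: the comment above the changed condition still reads `/* Stall if the CLI has been disabled */`, but grub_rescue_run() now also stalls when grub_is_cli_need_auth() is true. Please extend the comment to cover the authentication-required case, for example "Stall if the CLI has been disabled or requires authentication". The grub_printf() text "Rescue mode has been disabled..." is likewise printed on both paths, so a user who hits the need-auth path is told only that rescue mode is disabled. If that is deliberate, a short remark in the comment or the commit message would help, since the commit message does not say why the need-auth state should block the rescue reader.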
-- 
2.11.0

