Sync from SUSE:SLFO:Main grub2 revision 3010d884e9d64ab422fda75d82b89c60
parent
5668489852
commit
88730040a1
374
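--- /dev/null
+++ b/0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
@@ -0,0 +1,374 @@
+From c7dd3dd296592fef6166170121b54aafe634369f Mon Sep 17 00:00:00 2001
+From: Alec Brown <alec.r.brown@oracle.com>
+Date: Wed, 24 Jan 2024 06:26:37 +0000
+Subject: [PATCH 1/2] cli_lock: Add build option to block command line
+interface
+
+Add functionality to disable command line interface access and editing of GRUB
+menu entries if GRUB image is built with --disable-cli.
+
+Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
+Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+docs/grub.texi | 6 ++++--
+grub-core/kern/main.c | 28 ++++++++++++++++++++++++++++
+grub-core/kern/rescue_reader.c | 13 +++++++++++++
+grub-core/normal/auth.c | 3 +++
+grub-core/normal/menu_text.c | 31 +++++++++++++++++--------------
+include/grub/kernel.h | 3 ++-
+include/grub/misc.h | 2 ++
+include/grub/util/install.h | 8 ++++++--
+util/grub-install-common.c | 11 ++++++++---
+util/grub-mkimage.c | 9 ++++++++-
+util/mkimage.c | 16 +++++++++++++++-
+11 files changed, 106 insertions(+), 24 deletions(-)
+
+diff --git a/docs/grub.texi b/docs/grub.texi
+index 00c5fdc44..e89007920 100644
+--- a/docs/grub.texi
++++ b/docs/grub.texi
+@@ -6523,8 +6523,10 @@ the GRUB command line, edit menu entries, and execute any menu entry. If
+@samp{superusers} is set, then use of the command line and editing of menu
+entries are automatically restricted to superusers. Setting @samp{superusers}
+to empty string effectively disables both access to CLI and editing of menu
+-entries. Note: The environment variable needs to be exported to also affect
+-the section defined by the @samp{submenu} command (@pxref{submenu}).
++entries. Building a grub image with @samp{--disable-cli} option will also
++disable access to CLI and editing of menu entries, as well as disabling rescue
++mode. Note: The environment variable needs to be exported to also affect the
++section defined by the @samp{submenu} command (@pxref{submenu}).
+
+Other users may be allowed to execute specific menu entries by giving a list of
+usernames (as above) using the @option{--users} option to the
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 02df49206..07b6940d2 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -30,11 +30,14 @@
+#include <grub/reader.h>
+#include <grub/parser.h>
+#include <grub/verify.h>
++#include <grub/types.h>
+
+#ifdef GRUB_MACHINE_PCBIOS
+#include <grub/machine/memory.h>
+#endif
+
++static bool cli_disabled = false;
++
+grub_addr_t
+grub_modules_get_end (void)
+{
+@@ -237,6 +240,28 @@ grub_load_normal_mode (void)
+grub_command_execute ("normal", 0, 0);
+}
+
++bool
++grub_is_cli_disabled (void)
++{
++ return cli_disabled;
++}
++
++static void
++check_is_cli_disabled (void)
++{
++ struct grub_module_header *header;
++ header = 0;
++
++ FOR_MODULES (header)
++ {
++ if (header->type == OBJ_TYPE_DISABLE_CLI)
++ {
++ cli_disabled = true;
++ return;
++ }
++ }
++}
++
+static void
+reclaim_module_space (void)
+{
+@@ -294,6 +319,9 @@ grub_main (void)
+
+grub_boot_time ("After loading embedded modules.");
+
++ /* Check if the CLI should be disabled */
++ check_is_cli_disabled ();
++
+/* It is better to set the root device as soon as possible,
+for convenience. */
+grub_set_prefix_and_root ();
+diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
+index dcd7d4439..4259857ba 100644
+--- a/grub-core/kern/rescue_reader.c
++++ b/grub-core/kern/rescue_reader.c
+@@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
+void __attribute__ ((noreturn))
+grub_rescue_run (void)
+{
++ /* Stall if the CLI has been disabled */
++ if (grub_is_cli_disabled ())
++ {
++ grub_printf ("Rescue mode has been disabled...\n");
++
++ do
++ {
++ /* Do not optimize out the loop. */
++ asm volatile ("");
++ }
++ while (1);
++ }
++
+grub_printf ("Entering rescue mode...\n");
+
+while (1)
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
+index 517fc623f..d94020186 100644
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
+char entered[GRUB_AUTH_MAX_PASSLEN];
+struct grub_auth_user *user;
+
++ if (grub_is_cli_disabled ())
++ return GRUB_ACCESS_DENIED;
++
+grub_memset (login, 0, sizeof (login));
+
+if (is_authenticated (userlist))
+diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
+index ae92050d7..56c6f7797 100644
+--- a/grub-core/normal/menu_text.c
++++ b/grub-core/normal/menu_text.c
+@@ -194,21 +194,24 @@ command-line or ESC to discard edits and return to the GRUB menu."),
+grub_free (msg_translated);
+#endif
+
+- if (nested)
++ if (!grub_is_cli_disabled ())
+{
+- ret += grub_print_message_indented_real
+- (_("Press enter to boot the selected OS, "
+- "`e' to edit the commands before booting "
+- "or `c' for a command-line. ESC to return previous menu."),
+- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
+- }
+- else
+- {
+- ret += grub_print_message_indented_real
+- (_("Press enter to boot the selected OS, "
+- "`e' to edit the commands before booting "
+- "or `c' for a command-line."),
+- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
++ if (nested)
++ {
++ ret += grub_print_message_indented_real
++ (_("Press enter to boot the selected OS, "
++ "`e' to edit the commands before booting "
++ "or `c' for a command-line. ESC to return previous menu."),
++ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
++ }
++ else
++ {
++ ret += grub_print_message_indented_real
++ (_("Press enter to boot the selected OS, "
++ "`e' to edit the commands before booting "
++ "or `c' for a command-line."),
++ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
++ }
+}
+}
+return ret;
+diff --git a/include/grub/kernel.h b/include/grub/kernel.h
+index d3aafc884..9f3e2031f 100644
+--- a/include/grub/kernel.h
++++ b/include/grub/kernel.h
+@@ -31,7 +31,8 @@ enum
+OBJ_TYPE_GPG_PUBKEY,
+OBJ_TYPE_X509_PUBKEY,
+OBJ_TYPE_DTB,
+- OBJ_TYPE_DISABLE_SHIM_LOCK
++ OBJ_TYPE_DISABLE_SHIM_LOCK,
++ OBJ_TYPE_DISABLE_CLI
+};
+
+/* The module header. */
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1b35a167f..1578f36c3 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -391,6 +391,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
+grub_uint64_t d,
+grub_uint64_t *r);
+
++extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
++
+/* Must match softdiv group in gentpl.py. */
+#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
+(defined(__riscv) && (__riscv_xlen == 32)))
+diff --git a/include/grub/util/install.h b/include/grub/util/install.h
+index 38c6da73b..a4aac7b85 100644
+--- a/include/grub/util/install.h
++++ b/include/grub/util/install.h
+@@ -72,6 +72,8 @@
+{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
+"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
+1}, \
++ { "disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, \
++ N_("disabled command line interface access"), 0 }, \
+{ "verbose", 'v', 0, 0, \
+N_("print verbose messages."), 1 }
+
+@@ -136,7 +138,8 @@ enum grub_install_options {
+GRUB_INSTALL_OPTIONS_DTB,
+GRUB_INSTALL_OPTIONS_SBAT,
+GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK,
+- GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
++ GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,
++ GRUB_INSTALL_OPTIONS_DISABLE_CLI
+};
+
+extern char *grub_install_source_directory;
+@@ -199,7 +202,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+const struct grub_install_image_target_desc *image_target,
+int note, size_t appsig_size,
+grub_compression_t comp, const char *dtb_file,
+- const char *sbat_path, const int disable_shim_lock);
++ const char *sbat_path, const int disable_shim_lock,
++ const int disable_cli);
+
+const struct grub_install_image_target_desc *
+grub_install_get_image_target (const char *arg);
+diff --git a/util/grub-install-common.c b/util/grub-install-common.c
+index 75fa03995..344dca664 100644
+--- a/util/grub-install-common.c
++++ b/util/grub-install-common.c
+@@ -469,6 +469,7 @@ static char **x509keys;
+static size_t nx509keys;
+static grub_compression_t compression;
+static size_t appsig_size;
++static int disable_cli;
+
+int
+grub_install_parse (int key, char *arg)
+@@ -514,6 +515,9 @@ grub_install_parse (int key, char *arg)
+* (nx509keys + 1));
+x509keys[nx509keys++] = xstrdup (arg);
+return 1;
++ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
++ disable_cli = 1;
++ return 1;
+
+case GRUB_INSTALL_OPTIONS_VERBOSITY:
+verbosity++;
+@@ -707,12 +711,13 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
+
+grub_util_info ("grub-mkimage --directory '%s' --prefix '%s' --output '%s'"
+" --format '%s' --compression '%s'"
+- " --appended-signature-size %zu%s%s%s\n",
++ " --appended-signature-size %zu%s%s%s%s\n",
+dir, prefix, outname,
+mkimage_target, compnames[compression],
+appsig_size,
+note ? " --note" : "",
+- disable_shim_lock ? " --disable-shim-lock" : "", s);
++ disable_shim_lock ? " --disable-shim-lock" : "",
++ disable_cli ? " --disable-cli" : "", s);
+free (s);
+
+tgt = grub_install_get_image_target (mkimage_target);
+@@ -724,7 +729,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
+pubkeys, npubkeys, x509keys, nx509keys,
+config_path, tgt,
+note, appsig_size, compression, dtb, sbat,
+- disable_shim_lock);
++ disable_shim_lock, disable_cli);
+while (dc--)
+grub_install_pop_module ();
+}
+diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
+index 7d61ef3ea..351a5e430 100644
+--- a/util/grub-mkimage.c
++++ b/util/grub-mkimage.c
+@@ -84,6 +84,7 @@ static struct argp_option options[] = {
+{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
+{"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
+{"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0},
++ {"disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, N_("disable command line interface access"), 0},
+{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
+{"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
+{ 0, 0, 0, 0, 0, 0 }
+@@ -133,6 +134,7 @@ struct arguments
+int note;
+int disable_shim_lock;
+size_t appsig_size;
++ int disable_cli;
+const struct grub_install_image_target_desc *image_target;
+grub_compression_t comp;
+};
+@@ -259,6 +261,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
+arguments->disable_shim_lock = 1;
+break;
+
++ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
++ arguments->disable_cli = 1;
++ break;
++
+case 'v':
+verbosity++;
+break;
+@@ -347,7 +353,8 @@ main (int argc, char *argv[])
+arguments.image_target, arguments.note,
+arguments.appsig_size,
+arguments.comp, arguments.dtb,
+- arguments.sbat, arguments.disable_shim_lock);
++ arguments.sbat, arguments.disable_shim_lock,
++ arguments.disable_cli);
+
+if (grub_util_file_sync (fp) < 0)
+grub_util_error (_("cannot sync `%s': %s"), arguments.output ? : "stdout",
+diff --git a/util/mkimage.c b/util/mkimage.c
+index 0737935fd..d6cc13475 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -889,7 +889,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+const struct grub_install_image_target_desc *image_target,
+int note, size_t appsig_size, grub_compression_t comp,
+const char *dtb_path, const char *sbat_path,
+- int disable_shim_lock)
++ int disable_shim_lock,
++ int disable_cli)
+{
+char *kernel_img, *core_img;
+size_t total_module_size, core_size;
+@@ -964,6 +965,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
+if (disable_shim_lock)
+total_module_size += sizeof (struct grub_module_header);
+
++ if (disable_cli)
++ total_module_size += sizeof (struct grub_module_header);
++
+if (config_path)
+{
+config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1);
+@@ -1130,6 +1134,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
+offset += sizeof (*header);
+}
+
++ if (disable_cli)
++ {
++ struct grub_module_header *header;
++
++ header = (struct grub_module_header *) (kernel_img + offset);
++ header->type = grub_host_to_target32 (OBJ_TYPE_DISABLE_CLI);
++ header->size = grub_host_to_target32 (sizeof (*header));
++ offset += sizeof (*header);
++ }
++
+if (config_path)
+{
+struct grub_module_header *header;
+--
+2.46.0
+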
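Review bot: The early return added to `grub_auth_check_authentication` in the auth.c hunk denies every caller of that function, not just command-line and edit access: the grub.texi text in this same patch says `--users` lets non-superusers execute specific menu entries, and if that per-entry check goes through the same function (its `userlist` parameter suggests so, but the callers are outside this patch), those entries become unbootable on a `--disable-cli` image. Either document that restricted entries are intentionally unusable with `--disable-cli`, or narrow the gate to the CLI case, e.g. `if (grub_is_cli_disabled () && userlist == NULL) return GRUB_ACCESS_DENIED;`, after confirming the caller convention. Separately, `check_is_cli_disabled` trusts a marker object embedded in the very image it is running from, so the lock only holds when the core image cannot be replaced — that is, together with image signing/verification (Secure Boot, appended signature); one sentence saying so next to the new grub.texi paragraph would avoid a false sense of security. Finally, the two help strings disagree: install.h says `"disabled command line interface access"` while grub-mkimage.c says `"disable command line interface access"` — make them identical.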
66
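--- /dev/null
+++ b/0001-kern-main-Fix-cmdpath-in-root-directory.patch
@@ -0,0 +1,66 @@
+From 56b221476d31310de485af26550c8651618832bb Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Tue, 29 Oct 2024 11:54:28 +0800
+Subject: [PATCH] kern/main: Fix cmdpath in root directory
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The "cmdpath" environment variable is set at startup to the location
+from which the grub image is loaded. It includes a device part and,
+optionally, an absolute directory name if the grub image is booted as a
+file in a local file-system directory, or in a remote server directory,
+like TFTP.
+
+This entire process relies on firmware to provide the correct device
+path of the booted image.
+
+We encountered an issue when the image is booted from the root
+directory, where the absolute directory name "/" is discarded. This
+makes it unclear whether the root path was missing in the firmware
+provided device path or if it is simply the root directory. This
+ambiguity can cause confusion in custom scripts, potentially causing
+them to interpret firmware data incorrectly and trigger unintended
+fallback measures.
+
+This patch fixes the problem by properly assigning the "fwpath" returned
+by "grub_machine_get_bootlocation()" to "cmdpath". The fix is based on
+the fact that fwpath is NULL if the firmware didn’t provide a path part
+or an NUL character, "", if it represents the root directory. With this,
+it becomes possible to clearly distinguish:
+
+- cmdpath=(hd0,1) - Either the image is booted from the first (raw)
+partition, or the firmware failed to provide the path part.
+- cmdpath=(hd0,1)/ - The image is booted from the root directory in the
+first partition.
+
+As a side note, the fix is similar to [1], but without the renaming
+part.
+
+[1] https://mail.gnu.org/archive/html/grub-devel/2024-10/msg00155.html
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+grub-core/kern/main.c | 6 +++++-
+1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index ef3b3756d..f9ab12c74 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -136,7 +136,11 @@ grub_set_prefix_and_root (void)
+{
+char *cmdpath;
+
+- cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
++ if (fwpath && *fwpath == '\0')
++ cmdpath = grub_xasprintf ("(%s)/", fwdevice);
++ else
++ cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
++
+if (cmdpath)
+{
+grub_env_set ("cmdpath", cmdpath);
+--
+2.47.0
+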
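Review bot: The NULL-versus-empty-string distinction that the new `if (fwpath && *fwpath == '\0')` branch depends on is explained only in the commit message; a reader of main.c sees two near-identical `grub_xasprintf` calls with no stated reason for the split. I would put above the `if`: `/* fwpath == NULL: firmware gave no path part; fwpath == "": booted from the root directory, which must surface as "/" so scripts can tell the two cases apart. */`. The same comment could note that `cmdpath` is whatever the firmware reported and is not validated here, so scripts that branch on it (the commit message's "fallback measures") should treat it as advisory rather than authoritative. `grub_set_prefix_and_root` starts and ends outside the hunk.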
@ -1,7 +1,7 @@
|
|||||||
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
|
From 1bc53f8fc980914132040670b85a010e094559ec Mon Sep 17 00:00:00 2001
|
||||||
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Date: Tue, 1 Feb 2022 05:02:53 -0800
|
Date: Tue, 1 Feb 2022 05:02:53 -0800
|
||||||
Subject: [PATCH 1/5] key_protector: Add key protectors framework
|
Subject: [PATCH] key_protector: Add key protectors framework
|
||||||
|
|
||||||
A key protector encapsulates functionality to retrieve an unlocking key
|
A key protector encapsulates functionality to retrieve an unlocking key
|
||||||
for a fully-encrypted disk from a specific source. A key protector
|
for a fully-encrypted disk from a specific source. A key protector
|
||||||
@ -19,17 +19,18 @@ Cc: Vladimir Serbinenko <phcoder@gmail.com>
|
|||||||
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
---
|
---
|
||||||
grub-core/Makefile.am | 1 +
|
grub-core/Makefile.am | 1 +
|
||||||
grub-core/Makefile.core.def | 5 +++
|
grub-core/Makefile.core.def | 5 +++
|
||||||
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
|
grub-core/disk/key_protector.c | 73 ++++++++++++++++++++++++++++++++++
|
||||||
include/grub/key_protector.h | 46 ++++++++++++++++++++
|
include/grub/key_protector.h | 47 ++++++++++++++++++++++
|
||||||
4 files changed, 130 insertions(+)
|
4 files changed, 126 insertions(+)
|
||||||
create mode 100644 grub-core/disk/key_protector.c
|
create mode 100644 grub-core/disk/key_protector.c
|
||||||
create mode 100644 include/grub/key_protector.h
|
create mode 100644 include/grub/key_protector.h
|
||||||
|
|
||||||
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
||||||
index f18550c1c..9d3d5f519 100644
|
index 1eda467e0..e50db8106 100644
|
||||||
--- a/grub-core/Makefile.am
|
--- a/grub-core/Makefile.am
|
||||||
+++ b/grub-core/Makefile.am
|
+++ b/grub-core/Makefile.am
|
||||||
@@ -90,6 +90,7 @@ endif
|
@@ -90,6 +90,7 @@ endif
|
||||||
@ -41,10 +42,10 @@ index f18550c1c..9d3d5f519 100644
|
|||||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
|
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
|
||||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
|
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
|
||||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
index bc893e547..4307b8e2d 100644
|
index a38955e18..37f131ae2 100644
|
||||||
--- a/grub-core/Makefile.core.def
|
--- a/grub-core/Makefile.core.def
|
||||||
+++ b/grub-core/Makefile.core.def
|
+++ b/grub-core/Makefile.core.def
|
||||||
@@ -1302,6 +1302,11 @@ module = {
|
@@ -1282,6 +1282,11 @@ module = {
|
||||||
common = disk/raid6_recover.c;
|
common = disk/raid6_recover.c;
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -58,13 +59,14 @@ index bc893e547..4307b8e2d 100644
|
|||||||
common = disk/scsi.c;
|
common = disk/scsi.c;
|
||||||
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..b84afe1c7
|
index 000000000..0d146c1c0
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/grub-core/disk/key_protector.c
|
+++ b/grub-core/disk/key_protector.c
|
||||||
@@ -0,0 +1,78 @@
|
@@ -0,0 +1,73 @@
|
||||||
+/*
|
+/*
|
||||||
+ * GRUB -- GRand Unified Bootloader
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
+ * Copyright (C) 2022 Microsoft Corporation
|
+ * Copyright (C) 2022 Microsoft Corporation
|
||||||
|
+ * Copyright (C) 2024 Free Software Foundation, Inc.
|
||||||
+ *
|
+ *
|
||||||
+ * GRUB is free software: you can redistribute it and/or modify
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
+ * it under the terms of the GNU General Public License as published by
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
@ -93,16 +95,14 @@ index 000000000..b84afe1c7
|
|||||||
+grub_err_t
|
+grub_err_t
|
||||||
+grub_key_protector_register (struct grub_key_protector *protector)
|
+grub_key_protector_register (struct grub_key_protector *protector)
|
||||||
+{
|
+{
|
||||||
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
|
+ if (protector == NULL || protector->name == NULL || protector->name[0] == '\0')
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for registration");
|
||||||
+
|
+
|
||||||
+ if (grub_key_protectors &&
|
+ if (grub_key_protectors != NULL &&
|
||||||
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
|
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector->name) != NULL)
|
||||||
+ protector->name))
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Key protector '%s' already registered", protector->name);
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
|
||||||
+
|
+
|
||||||
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
|
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), GRUB_AS_LIST (protector));
|
||||||
+ GRUB_AS_LIST (protector));
|
|
||||||
+
|
+
|
||||||
+ return GRUB_ERR_NONE;
|
+ return GRUB_ERR_NONE;
|
||||||
+}
|
+}
|
||||||
@ -111,7 +111,7 @@ index 000000000..b84afe1c7
|
|||||||
+grub_key_protector_unregister (struct grub_key_protector *protector)
|
+grub_key_protector_unregister (struct grub_key_protector *protector)
|
||||||
+{
|
+{
|
||||||
+ if (protector == NULL)
|
+ if (protector == NULL)
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for unregistration");
|
||||||
+
|
+
|
||||||
+ grub_list_remove (GRUB_AS_LIST (protector));
|
+ grub_list_remove (GRUB_AS_LIST (protector));
|
||||||
+
|
+
|
||||||
@ -125,30 +125,27 @@ index 000000000..b84afe1c7
|
|||||||
+ struct grub_key_protector *kp = NULL;
|
+ struct grub_key_protector *kp = NULL;
|
||||||
+
|
+
|
||||||
+ if (grub_key_protectors == NULL)
|
+ if (grub_key_protectors == NULL)
|
||||||
+ return GRUB_ERR_OUT_OF_RANGE;
|
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
|
||||||
+
|
+
|
||||||
+ if (protector == NULL || grub_strlen (protector) == 0)
|
+ if (protector == NULL || protector[0] == '\0')
|
||||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector");
|
||||||
+
|
+
|
||||||
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
|
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector);
|
||||||
+ protector);
|
|
||||||
+ if (kp == NULL)
|
+ if (kp == NULL)
|
||||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
|
||||||
+ N_("A key protector with name '%s' could not be found. "
|
|
||||||
+ "Is the name spelled correctly and is the "
|
|
||||||
+ "corresponding module loaded?"), protector);
|
|
||||||
+
|
+
|
||||||
+ return kp->recover_key (key, key_size);
|
+ return kp->recover_key (key, key_size);
|
||||||
+}
|
+}
|
||||||
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
|
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
|
||||||
new file mode 100644
|
new file mode 100644
|
||||||
index 000000000..6e6a6fb24
|
index 000000000..00b15c13d
|
||||||
--- /dev/null
|
--- /dev/null
|
||||||
+++ b/include/grub/key_protector.h
|
+++ b/include/grub/key_protector.h
|
||||||
@@ -0,0 +1,46 @@
|
@@ -0,0 +1,47 @@
|
||||||
+/*
|
+/*
|
||||||
+ * GRUB -- GRand Unified Bootloader
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
+ * Copyright (C) 2022 Microsoft Corporation
|
+ * Copyright (C) 2022 Microsoft Corporation
|
||||||
|
+ * Copyright (C) 2024 Free Software Foundation, Inc.
|
||||||
+ *
|
+ *
|
||||||
+ * GRUB is free software: you can redistribute it and/or modify
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
+ * it under the terms of the GNU General Public License as published by
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
@ -193,5 +190,5 @@ index 000000000..6e6a6fb24
|
|||||||
+
|
+
|
||||||
+#endif /* ! GRUB_PROTECTOR_HEADER */
|
+#endif /* ! GRUB_PROTECTOR_HEADER */
|
||||||
--
|
--
|
||||||
2.35.3
|
2.43.0
|
||||||
|
|
||||||
|
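Review bot: On the new side of `grub_key_protector_recover_key`, the translatable `N_("A key protector with name '%s' could not be found. ...")` message is replaced by a bare `"Key protector '%s' not found"`, so the string is no longer marked for translation and the hint that the protector's module may simply not be loaded is lost; keep `N_()` on that string and on the other new `grub_error()` messages in this file, as the old side did. The function returns whatever `kp->recover_key (key, key_size)` produced, which for a disk-unlock key is secret material, yet nothing visible states who owns `*key` or that the caller must wipe it before freeing — I would document that contract on `recover_key` in key_protector.h (most of the header body lies outside this section). The duplicate-name rejection added to `grub_key_protector_register` is a good addition.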
@ -1,4 +1,4 @@
|
|||||||
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
|
From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Lin <glin@suse.com>
|
From: Gary Lin <glin@suse.com>
|
||||||
Date: Thu, 25 Apr 2024 16:21:45 +0800
|
Date: Thu, 25 Apr 2024 16:21:45 +0800
|
||||||
Subject: [PATCH] tpm2: Add extra RSA SRK types
|
Subject: [PATCH] tpm2: Add extra RSA SRK types
|
||||||
@ -8,16 +8,16 @@ to support those parameters.
|
|||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
---
|
---
|
||||||
grub-core/tpm2/args.c | 12 ++++++++++++
|
grub-core/commands/tpm2_key_protector/args.c | 12 ++++++++++++
|
||||||
grub-core/tpm2/module.c | 16 ++++++++++++++--
|
grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
|
||||||
util/grub-protect.c | 4 ++--
|
util/grub-protect.c | 4 ++--
|
||||||
3 files changed, 28 insertions(+), 4 deletions(-)
|
3 files changed, 28 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
|
diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
|
||||||
index c11280ab9..d140364d2 100644
|
index 48c39de01..b291793a7 100644
|
||||||
--- a/grub-core/tpm2/args.c
|
--- a/grub-core/commands/tpm2_key_protector/args.c
|
||||||
+++ b/grub-core/tpm2/args.c
|
+++ b/grub-core/commands/tpm2_key_protector/args.c
|
||||||
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
||||||
srk_type->type = TPM_ALG_RSA;
|
srk_type->type = TPM_ALG_RSA;
|
||||||
srk_type->detail.rsa_bits = 2048;
|
srk_type->detail.rsa_bits = 2048;
|
||||||
}
|
}
|
||||||
@ -34,13 +34,13 @@ index c11280ab9..d140364d2 100644
|
|||||||
+ srk_type->detail.rsa_bits = 4096;
|
+ srk_type->detail.rsa_bits = 4096;
|
||||||
+ }
|
+ }
|
||||||
else
|
else
|
||||||
return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
|
||||||
N_("Value '%s' is not a valid asymmetric key type"),
|
|
||||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
||||||
index b754b38df..8b72ed6fa 100644
|
index 74e79a545..ee16d7f15 100644
|
||||||
--- a/grub-core/tpm2/module.c
|
--- a/grub-core/commands/tpm2_key_protector/module.c
|
||||||
+++ b/grub-core/tpm2/module.c
|
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
||||||
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
|
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
|
||||||
.arg = NULL,
|
.arg = NULL,
|
||||||
.type = ARG_TYPE_STRING,
|
.type = ARG_TYPE_STRING,
|
||||||
.doc =
|
.doc =
|
||||||
@ -51,18 +51,18 @@ index b754b38df..8b72ed6fa 100644
|
|||||||
},
|
},
|
||||||
/* NV Index-mode options */
|
/* NV Index-mode options */
|
||||||
{
|
{
|
||||||
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
||||||
{
|
return "ECC_NIST_P256";
|
||||||
case 2048:
|
else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
|
||||||
return "RSA2048";
|
return "RSA2048";
|
||||||
+ case 3072:
|
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
|
||||||
+ return "RSA3072";
|
+ return "RSA3072";
|
||||||
+ case 4096:
|
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
|
||||||
+ return "RSA4096";
|
+ return "RSA4096";
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
|
return "Unknown";
|
||||||
|
}
|
||||||
|
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
|
||||||
.type = TPM_ALG_ECC,
|
.type = TPM_ALG_ECC,
|
||||||
.detail.ecc_curve = TPM_ECC_NIST_P256,
|
.detail.ecc_curve = TPM_ECC_NIST_P256,
|
||||||
},
|
},
|
||||||
@ -78,20 +78,20 @@ index b754b38df..8b72ed6fa 100644
|
|||||||
.type = TPM_ALG_RSA,
|
.type = TPM_ALG_RSA,
|
||||||
.detail.rsa_bits = 2048,
|
.detail.rsa_bits = 2048,
|
||||||
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
||||||
index 869f45861..00be03ca0 100644
|
index 5b7e952f4..f1108f2c5 100644
|
||||||
--- a/util/grub-protect.c
|
--- a/util/grub-protect.c
|
||||||
+++ b/util/grub-protect.c
|
+++ b/util/grub-protect.c
|
||||||
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
|
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
|
||||||
.arg = "TYPE",
|
.arg = "TYPE",
|
||||||
.flags = 0,
|
.flags = 0,
|
||||||
.doc =
|
.doc =
|
||||||
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
- N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
||||||
- "(default: ECC)"),
|
- "(default: ECC)"),
|
||||||
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
+ N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
||||||
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
||||||
.group = 0
|
.group = 0
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
--
|
--
|
||||||
2.35.3
|
2.43.0
|
||||||
|
|
||||||
|
@ -1,171 +0,0 @@
|
|||||||
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Gary Lin <glin@suse.com>
|
|
||||||
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
|
||||||
Subject: [PATCH] tpm2: Support authorized policy
|
|
||||||
|
|
||||||
This commit handles the TPM2_PolicyAuthorize command from the key file
|
|
||||||
in TPM 2.0 Key File format.
|
|
||||||
|
|
||||||
TPM2_PolicyAuthorize is the essential command to support authorized
|
|
||||||
policy which allows the users to sign TPM policies with their own keys.
|
|
||||||
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
|
|
||||||
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
|
|
||||||
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
|
|
||||||
digest is hashed with the hash algorithm written in 'signature', and then
|
|
||||||
'signature' is verified with the hashed policy digest and 'pubkey'. Once
|
|
||||||
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
|
|
||||||
signed policy.
|
|
||||||
|
|
||||||
To create the key file with authorized policy, here are the pcr-oracle(*2)
|
|
||||||
commands:
|
|
||||||
|
|
||||||
# Generate the RSA key and create the authorized policy file
|
|
||||||
$ pcr-oracle \
|
|
||||||
--rsa-generate-key \
|
|
||||||
--private-key policy-key.pem \
|
|
||||||
--auth authorized.policy \
|
|
||||||
create-authorized-policy 0,2,4,7,9
|
|
||||||
|
|
||||||
# Seal the secret with the authorized policy
|
|
||||||
$ pcr-oracle \
|
|
||||||
--key-format tpm2.0 \
|
|
||||||
--auth authorized.policy \
|
|
||||||
--input disk-secret.txt \
|
|
||||||
--output sealed.key \
|
|
||||||
seal-secret
|
|
||||||
|
|
||||||
# Sign the predicted PCR policy
|
|
||||||
$ pcr-oracle \
|
|
||||||
--key-format tpm2.0 \
|
|
||||||
--private-key policy-key.pem \
|
|
||||||
--from eventlog \
|
|
||||||
--stop-event "grub-file=grub.cfg" \
|
|
||||||
--after \
|
|
||||||
--input sealed.key \
|
|
||||||
--output sealed.tpm \
|
|
||||||
sign 0,2,4,7,9
|
|
||||||
|
|
||||||
Then specify the key file and the key protector to grub.cfg in the EFI
|
|
||||||
system partition:
|
|
||||||
|
|
||||||
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
|
|
||||||
cryptomount -u <PART_UUID> -P tpm2
|
|
||||||
|
|
||||||
For any change in the boot components, just run the 'sign' command again
|
|
||||||
to update the signature in sealed.tpm, and TPM can unseal the key file
|
|
||||||
with the updated PCR policy.
|
|
||||||
|
|
||||||
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
|
|
||||||
(*2) https://github.com/okirch/pcr-oracle
|
|
||||||
|
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
|
||||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
|
||||||
---
|
|
||||||
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
|
|
||||||
1 file changed, 84 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
|
||||||
index 3db25ceca..e83b02865 100644
|
|
||||||
--- a/grub-core/tpm2/module.c
|
|
||||||
+++ b/grub-core/tpm2/module.c
|
|
||||||
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
|
||||||
return GRUB_ERR_NONE;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static grub_err_t
|
|
||||||
+grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session,
|
|
||||||
+ struct grub_tpm2_buffer *cmd_buf)
|
|
||||||
+{
|
|
||||||
+ TPM2B_PUBLIC pubkey;
|
|
||||||
+ TPM2B_DIGEST policy_ref;
|
|
||||||
+ TPMT_SIGNATURE signature;
|
|
||||||
+ TPM2B_DIGEST pcr_policy;
|
|
||||||
+ TPM2B_DIGEST pcr_policy_hash;
|
|
||||||
+ TPMI_ALG_HASH sig_hash;
|
|
||||||
+ TPMT_TK_VERIFIED verification_ticket;
|
|
||||||
+ TPM_HANDLE pubkey_handle = 0;
|
|
||||||
+ TPM2B_NAME pubname;
|
|
||||||
+ TPM_RC rc;
|
|
||||||
+ grub_err_t err;
|
|
||||||
+
|
|
||||||
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
|
|
||||||
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
|
|
||||||
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
|
|
||||||
+ if (cmd_buf->error != 0)
|
|
||||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
||||||
+ N_("Failed to unmarshal the buffer for TPM2_PolicyAuthorize"));
|
|
||||||
+
|
|
||||||
+ /* Retrieve Policy Digest */
|
|
||||||
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
|
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
|
||||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
|
||||||
+ N_("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x)."),
|
|
||||||
+ rc);
|
|
||||||
+
|
|
||||||
+ /* Calculate the digest of the polcy for VerifySignature */
|
|
||||||
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
|
|
||||||
+ if (sig_hash == TPM_ALG_NULL)
|
|
||||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
||||||
+ N_("Failed to get the hash algorithm of the signature"));
|
|
||||||
+
|
|
||||||
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
|
|
||||||
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
|
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
|
||||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
|
||||||
+ N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
|
|
||||||
+ rc);
|
|
||||||
+
|
|
||||||
+ /* Load the public key */
|
|
||||||
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
|
|
||||||
+ &pubkey_handle, &pubname, NULL);
|
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
|
||||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
|
||||||
+ N_("Failed to load public key (TPM2_LoadExternal: 0x%x)"),
|
|
||||||
+ rc);
|
|
||||||
+
|
|
||||||
+ /* Verify the signature against the public key and the policy digest */
|
|
||||||
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
|
|
||||||
+ &verification_ticket, NULL);
|
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
|
||||||
+ {
|
|
||||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
|
||||||
+ N_("Failed to verify signature (TPM2_VerifySignature: 0x%x)"),
|
|
||||||
+ rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* Authorize the signed policy with the public key and the verification ticket */
|
|
||||||
+ rc = TPM2_PolicyAuthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
|
|
||||||
+ &verification_ticket, NULL);
|
|
||||||
+ if (rc != TPM_RC_SUCCESS)
|
|
||||||
+ {
|
|
||||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
|
||||||
+ N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)"),
|
|
||||||
+ rc);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ err = GRUB_ERR_NONE;
|
|
||||||
+
|
|
||||||
+error:
|
|
||||||
+ TPM2_FlushContext (pubkey_handle);
|
|
||||||
+
|
|
||||||
+ return err;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static grub_err_t
|
|
||||||
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
|
|
||||||
{
|
|
||||||
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
|
||||||
case TPM_CC_PolicyPCR:
|
|
||||||
err = grub_tpm2_protector_policypcr (session, &buf);
|
|
||||||
break;
|
|
||||||
+ case TPM_CC_PolicyAuthorize:
|
|
||||||
+ err = grub_tpm2_protector_policyauthorize (session, &buf);
|
|
||||||
+ break;
|
|
||||||
default:
|
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|
||||||
N_("Unknown TPM Command: 0x%x"), policy->cmd_code);
|
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
@ -1,12 +1,12 @@
|
|||||||
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
|
From 53e24662523d033ae3506b73787b972ef332db36 Mon Sep 17 00:00:00 2001
|
||||||
From: Patrick Colp <patrick.colp@oracle.com>
|
From: Patrick Colp <patrick.colp@oracle.com>
|
||||||
Date: Mon, 31 Jul 2023 07:01:45 -0700
|
Date: Mon, 31 Jul 2023 07:01:45 -0700
|
||||||
Subject: [PATCH 1/4] tpm2: Implement NV index
|
Subject: [PATCH] tpm2_key_protector: Implement NV index
|
||||||
|
|
||||||
Currently with the TPM2 protector, only SRK mode is supported and
|
Currently with the TPM2 protector, only SRK mode is supported and
|
||||||
NV index support is just a stub. Implement the NV index option.
|
NV index support is just a stub. Implement the NV index option.
|
||||||
|
|
||||||
Note: This only extends support on the unseal path. grub2_protect
|
Note: This only extends support on the unseal path. grub-protect
|
||||||
has not been updated. tpm2-tools can be used to insert a key into
|
has not been updated. tpm2-tools can be used to insert a key into
|
||||||
the NV index.
|
the NV index.
|
||||||
|
|
||||||
@ -36,41 +36,40 @@ Then to unseal the key in grub, add this to grub.cfg:
|
|||||||
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
|
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
|
||||||
Signed-off-by: Gary Lin <glin@suse.com>
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
---
|
---
|
||||||
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
|
.../commands/tpm2_key_protector/module.c | 23 +++++++++++++++----
|
||||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
||||||
index e83b02865..b754b38df 100644
|
index 6b4b5d460..74e79a545 100644
|
||||||
--- a/grub-core/tpm2/module.c
|
--- a/grub-core/commands/tpm2_key_protector/module.c
|
||||||
+++ b/grub-core/tpm2/module.c
|
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
||||||
@@ -1035,12 +1035,27 @@ static grub_err_t
|
@@ -973,11 +973,26 @@ tpm2_protector_srk_recover (const tpm2_protector_context_t *ctx,
|
||||||
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
|
}
|
||||||
grub_uint8_t **key, grub_size_t *key_size)
|
|
||||||
|
static grub_err_t
|
||||||
|
-tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx __attribute__ ((unused)),
|
||||||
|
- grub_uint8_t **key __attribute__ ((unused)),
|
||||||
|
- grub_size_t *key_size __attribute__ ((unused)))
|
||||||
|
+tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx,
|
||||||
|
+ grub_uint8_t **key, grub_size_t *key_size)
|
||||||
{
|
{
|
||||||
- (void)ctx;
|
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "NV Index mode is not implemented yet");
|
||||||
- (void)key;
|
+ TPM_HANDLE_t sealed_handle = ctx->nv;
|
||||||
- (void)key_size;
|
|
||||||
+ TPM_HANDLE sealed_handle = ctx->nv;
|
|
||||||
+ tpm2key_policy_t policy_seq = NULL;
|
+ tpm2key_policy_t policy_seq = NULL;
|
||||||
+ grub_err_t err;
|
+ grub_err_t err;
|
||||||
+
|
+
|
||||||
+ /* Create a basic policy sequence based on the given PCR selection */
|
+ /* Create a basic policy sequence based on the given PCR selection */
|
||||||
+ err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
|
+ err = tpm2_protector_simple_policy_seq (ctx, &policy_seq);
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
+ goto exit;
|
+ goto exit;
|
||||||
+
|
+
|
||||||
+ err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
|
+ err = tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
|
||||||
+
|
|
||||||
+ /* Pop error messages on success */
|
|
||||||
+ if (err == GRUB_ERR_NONE)
|
|
||||||
+ while (grub_error_pop ());
|
|
||||||
+
|
+
|
||||||
+ exit:
|
+ exit:
|
||||||
+ TPM2_FlushContext (sealed_handle);
|
+ grub_tpm2_flushcontext (sealed_handle);
|
||||||
|
+
|
||||||
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
|
|
||||||
- N_("NV Index mode is not implemented yet"));
|
|
||||||
+ grub_tpm2key_free_policy_seq (policy_seq);
|
+ grub_tpm2key_free_policy_seq (policy_seq);
|
||||||
+
|
+
|
||||||
+ return err;
|
+ return err;
|
||||||
@ -78,5 +77,5 @@ index e83b02865..b754b38df 100644
|
|||||||
|
|
||||||
static grub_err_t
|
static grub_err_t
|
||||||
--
|
--
|
||||||
2.35.3
|
2.43.0
|
||||||
|
|
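Review bot: `grub_tpm2_flushcontext (sealed_handle)` at the `exit:` label of `tpm2_protector_nv_recover` flushes a handle this function never loaded — `sealed_handle` is copied from the caller-supplied `ctx->nv` — and it runs even on the early exit where `tpm2_protector_simple_policy_seq` failed, with the call's result discarded. TPM2_FlushContext applies to transient objects and sessions, so if `ctx->nv` names a persistent object the flush is not expected to succeed; either guard the call on the handle type or document the intent, e.g. `/* ctx->nv is caller-owned; the flush is best-effort and its result is deliberately ignored */`. The previous revision's `while (grub_error_pop ());` after a successful unseal is also gone on the new side; if `tpm2_protector_unseal` can leave non-fatal errors on the stack, that cleanup now has to happen in the caller — worth confirming. The function's closing brace is not visible in the rendered hunk.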
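--- /dev/null
+++ b/0001-tpm2_key_protector-Support-authorized-policy.patch
@@ -0,0 +1,158 @@
+From 7ef1b9b357c803cb8e30bbbebd44494b2b5c9d09 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Thu, 6 Apr 2023 16:00:25 +0800
+Subject: [PATCH] tpm2_key_protector: Support authorized policy
+
+This commit handles the TPM2_PolicyAuthorize command from the key file
+in TPM 2.0 Key File format.
+
+TPM2_PolicyAuthorize is the essential command to support authorized
+policy which allows the users to sign TPM policies with their own keys.
+Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
+comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
+'TPMT_SIGNATURE signature'. To verify the signature, the current policy
+digest is hashed with the hash algorithm written in 'signature', and then
+'signature' is verified with the hashed policy digest and 'pubkey'. Once
+TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
+signed policy.
+
+To create the key file with authorized policy, here are the pcr-oracle(*2)
+commands:
+
+# Generate the RSA key and create the authorized policy file
+$ pcr-oracle \
+--rsa-generate-key \
+--private-key policy-key.pem \
+--auth authorized.policy \
+create-authorized-policy 0,2,4,7,9
+
+# Seal the secret with the authorized policy
+$ pcr-oracle \
+--key-format tpm2.0 \
+--auth authorized.policy \
+--input disk-secret.txt \
+--output sealed.key \
+seal-secret
+
+# Sign the predicted PCR policy
+$ pcr-oracle \
+--key-format tpm2.0 \
+--private-key policy-key.pem \
+--from eventlog \
+--stop-event "grub-file=grub.cfg" \
+--after \
+--input sealed.key \
+--output /boot/efi/efi/grub/sealed.tpm \
+sign 0,2,4,7,9
+
+Then specify the key file and the key protector to grub.cfg in the EFI
+system partition:
+
+tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
+cryptomount -u <PART_UUID> -P tpm2
+
+For any change in the boot components, just run the 'sign' command again
+to update the signature in sealed.tpm, and TPM can unseal the key file
+with the updated PCR policy.
+
+(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
+(*2) https://github.com/okirch/pcr-oracle
+
+Signed-off-by: Gary Lin <glin@suse.com>
+Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+---
+.../commands/tpm2_key_protector/module.c | 70 +++++++++++++++++++
+1 file changed, 70 insertions(+)
+
+diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
+index 70d4d0df7..6b4b5d460 100644
+--- a/grub-core/commands/tpm2_key_protector/module.c
++++ b/grub-core/commands/tpm2_key_protector/module.c
+@@ -618,6 +618,73 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffe
+return GRUB_ERR_NONE;
+}
+
++static grub_err_t
++tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffer *cmd_buf)
++{
++ TPM2B_PUBLIC_t pubkey;
++ TPM2B_DIGEST_t policy_ref;
++ TPMT_SIGNATURE_t signature;
++ TPM2B_DIGEST_t pcr_policy;
++ TPM2B_DIGEST_t pcr_policy_hash;
++ TPMI_ALG_HASH_t sig_hash;
++ TPMT_TK_VERIFIED_t verification_ticket;
++ TPM_HANDLE_t pubkey_handle = 0;
++ TPM2B_NAME_t pubname;
++ TPM_RC_t rc;
++ grub_err_t err;
++
++ grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
++ grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
++ grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
++ if (cmd_buf->error != 0)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal the buffer for TPM2_PolicyAuthorize");
++
++ /* Retrieve Policy Digest */
++ rc = grub_tpm2_policygetdigest (session, NULL, &pcr_policy, NULL);
++ if (rc != TPM_RC_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).", rc);
++
++ /* Calculate the digest of the polcy for VerifySignature */
++ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
++ if (sig_hash == TPM_ALG_NULL)
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to get the hash algorithm of the signature");
++
++ rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, sig_hash,
++ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
++ if (rc != TPM_RC_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to create PCR policy hash (TPM2_Hash: 0x%x)", rc);
++
++ /* Load the public key */
++ rc = grub_tpm2_loadexternal (NULL, NULL, &pubkey, TPM_RH_OWNER, &pubkey_handle, &pubname, NULL);
++ if (rc != TPM_RC_SUCCESS)
++ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to load public key (TPM2_LoadExternal: 0x%x)", rc);
++
++ /* Verify the signature against the public key and the policy digest */
++ rc = grub_tpm2_verifysignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
++ &verification_ticket, NULL);
++ if (rc != TPM_RC_SUCCESS)
++ {
++ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to verify signature (TPM2_VerifySignature: 0x%x)", rc);
++ goto error;
++ }
++
++ /* Authorize the signed policy with the public key and the verification ticket */
++ rc = grub_tpm2_policyauthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
++ &verification_ticket, NULL);
++ if (rc != TPM_RC_SUCCESS)
++ {
++ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)", rc);
++ goto error;
++ }
++
++ err = GRUB_ERR_NONE;
++
++ error:
++ grub_tpm2_flushcontext (pubkey_handle);
++
++ return err;
++}
++
+static grub_err_t
+tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t session)
+{
+@@ -636,6 +703,9 @@ tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t s
+case TPM_CC_PolicyPCR:
+err = tpm2_protector_policypcr (session, &buf);
+break;
++ case TPM_CC_PolicyAuthorize:
++ err = tpm2_protector_policyauthorize (session, &buf);
++ break;
+default:
+return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown TPM Command: 0x%x", policy->cmd_code);
+}
+--
+2.43.0
+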
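Review bot: `rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, ...)` in `tpm2_protector_policyauthorize` passes a `TPM2B_DIGEST_t` through a pointer cast to the larger `TPM2B_MAX_BUFFER_t`; the two are distinct structs with different `buffer` sizes, so this is an aliasing cast that stays safe only as long as the marshaling code never reads more than `size` bytes of the smaller object. Copying the digest into a real `TPM2B_MAX_BUFFER_t` with an explicit bound check removes that dependency on the path that feeds signature verification; the rewritten lines are below. The comment on that step also has a typo, `polcy` for `policy`, and `grub_tpm2_flushcontext (pubkey_handle)` at the `error:` label discards its result, which is acceptable for cleanup but deserves a one-line comment saying so. The enclosing function is complete within the hunk.
```c
static grub_err_t
tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffer *cmd_buf)
{
  /* … unchanged: existing locals … */
  TPM2B_MAX_BUFFER_t policy_buf;

  /* … unchanged: unmarshal, TPM2_PolicyGetDigest, hash-algorithm lookup … */

  /* Hash the policy digest through a properly typed buffer instead of aliasing the TPM2B_DIGEST_t */
  if (pcr_policy.size > sizeof (policy_buf.buffer))
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "policy digest is too large for TPM2_Hash");
  policy_buf.size = pcr_policy.size;
  grub_memcpy (policy_buf.buffer, pcr_policy.buffer, pcr_policy.size);
  rc = grub_tpm2_hash (NULL, &policy_buf, sig_hash, TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);

  /* … unchanged: error check, LoadExternal, VerifySignature, PolicyAuthorize, flush … */
```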
@ -1,411 +0,0 @@
|
|||||||
From 439de947262b0d8d4a02ca5afb1ef4f15853962c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Fri, 9 Dec 2016 15:40:29 -0500
|
|
||||||
Subject: [PATCH 2/9] Add BLS support to grub-mkconfig
|
|
||||||
|
|
||||||
GRUB now has BootLoaderSpec support, the user can choose to use this by
|
|
||||||
setting GRUB_ENABLE_BLSCFG to true in /etc/default/grub. On this setup,
|
|
||||||
the boot menu entries are not added to the grub.cfg, instead BLS config
|
|
||||||
files are parsed by blscfg command and the entries created dynamically.
|
|
||||||
|
|
||||||
A 10_linux_bls grub.d snippet to generate menu entries from BLS files
|
|
||||||
is also added that can be used on platforms where the bootloader doesn't
|
|
||||||
have BLS support and only can parse a normal grub configuration file.
|
|
||||||
|
|
||||||
Portions of the 10_linux_bls were taken from the ostree-grub-generator
|
|
||||||
script that's included in the OSTree project.
|
|
||||||
|
|
||||||
Fixes to support multi-devices and generate a BLS section even if no
|
|
||||||
kernels are found in the boot directory were proposed by Yclept Nemo
|
|
||||||
and Tom Gundersen respectively.
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
[javierm: remove outdated URL for BLS document]
|
|
||||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
[iwienand@redhat.com: skip machine ID check when updating entries]
|
|
||||||
Signed-off-by: Ian Wienand <iwienand@redhat.com>
|
|
||||||
[rharwood: commit message composits, drop man pages]
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
---
|
|
||||||
util/grub-mkconfig.in | 9 +-
|
|
||||||
util/grub-mkconfig_lib.in | 22 +++-
|
|
||||||
util/grub.d/10_linux.in | 244 +++++++++++++++++++++++++++++++++++++-
|
|
||||||
3 files changed, 269 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
|
||||||
index cf5b79342..7af15df94 100644
|
|
||||||
--- a/util/grub-mkconfig.in
|
|
||||||
+++ b/util/grub-mkconfig.in
|
|
||||||
@@ -49,6 +49,8 @@ grub_script_check="${bindir}/@grub_script_check@"
|
|
||||||
export TEXTDOMAIN=@PACKAGE@
|
|
||||||
export TEXTDOMAINDIR="@localedir@"
|
|
||||||
|
|
||||||
+export GRUB_GRUBENV_UPDATE="yes"
|
|
||||||
+
|
|
||||||
. "${pkgdatadir}/grub-mkconfig_lib"
|
|
||||||
|
|
||||||
# Usage: usage
|
|
||||||
@@ -58,6 +60,7 @@ usage () {
|
|
||||||
gettext "Generate a grub config file"; echo
|
|
||||||
echo
|
|
||||||
print_option_help "-o, --output=$(gettext FILE)" "$(gettext "output generated config to FILE [default=stdout]")"
|
|
||||||
+ print_option_help "--no-grubenv-update" "$(gettext "do not update variables in the grubenv file")"
|
|
||||||
print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
|
||||||
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
|
||||||
echo
|
|
||||||
@@ -93,6 +96,9 @@ do
|
|
||||||
--output=*)
|
|
||||||
grub_cfg=`echo "$option" | sed 's/--output=//'`
|
|
||||||
;;
|
|
||||||
+ --no-grubenv-update)
|
|
||||||
+ GRUB_GRUBENV_UPDATE="no"
|
|
||||||
+ ;;
|
|
||||||
-*)
|
|
||||||
gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
|
|
||||||
usage
|
|
||||||
@@ -300,7 +306,8 @@ export GRUB_DEFAULT \
|
|
||||||
GRUB_DISABLE_SUBMENU \
|
|
||||||
SUSE_BTRFS_SNAPSHOT_BOOTING \
|
|
||||||
SUSE_CMDLINE_XENEFI \
|
|
||||||
- SUSE_REMOVE_LINUX_ROOT_PARAM
|
|
||||||
+ SUSE_REMOVE_LINUX_ROOT_PARAM \
|
|
||||||
+ GRUB_ENABLE_BLSCFG
|
|
||||||
|
|
||||||
if test "x${grub_cfg}" != "x"; then
|
|
||||||
rm -f "${grub_cfg}.new"
|
|
||||||
diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
|
|
||||||
index 22fb7668f..5db4337c6 100644
|
|
||||||
--- a/util/grub-mkconfig_lib.in
|
|
||||||
+++ b/util/grub-mkconfig_lib.in
|
|
||||||
@@ -30,6 +30,9 @@ fi
|
|
||||||
if test "x$grub_file" = x; then
|
|
||||||
grub_file="${bindir}/@grub_file@"
|
|
||||||
fi
|
|
||||||
+if test "x$grub_editenv" = x; then
|
|
||||||
+ grub_editenv="${bindir}/@grub_editenv@"
|
|
||||||
+fi
|
|
||||||
if test "x$grub_mkrelpath" = x; then
|
|
||||||
grub_mkrelpath="${bindir}/@grub_mkrelpath@"
|
|
||||||
fi
|
|
||||||
@@ -123,8 +126,19 @@ EOF
|
|
||||||
fi
|
|
||||||
}
|
|
||||||
|
|
||||||
+prepare_grub_to_access_device_with_variable ()
|
|
||||||
+{
|
|
||||||
+ device_variable="$1"
|
|
||||||
+ shift
|
|
||||||
+ prepare_grub_to_access_device "$@"
|
|
||||||
+ unset "device_variable"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
prepare_grub_to_access_device ()
|
|
||||||
{
|
|
||||||
+ if [ -z "$device_variable" ]; then
|
|
||||||
+ device_variable="root"
|
|
||||||
+ fi
|
|
||||||
old_ifs="$IFS"
|
|
||||||
IFS='
|
|
||||||
'
|
|
||||||
@@ -159,18 +173,18 @@ prepare_grub_to_access_device ()
|
|
||||||
# otherwise set root as per value in device.map.
|
|
||||||
fs_hint="`"${grub_probe}" --device $@ --target=compatibility_hint`"
|
|
||||||
if [ "x$fs_hint" != x ]; then
|
|
||||||
- echo "set root='$fs_hint'"
|
|
||||||
+ echo "set ${device_variable}='$fs_hint'"
|
|
||||||
fi
|
|
||||||
if [ "x${GRUB_DISABLE_UUID}" != "xtrue" ] && fs_uuid="`"${grub_probe}" --device $@ --target=fs_uuid 2> /dev/null`" ; then
|
|
||||||
hints="`"${grub_probe}" --device $@ --target=hints_string 2> /dev/null`" || hints=
|
|
||||||
if [ "x$hints" != x ]; then
|
|
||||||
echo "if [ x\$feature_platform_search_hint = xy ]; then"
|
|
||||||
- echo " search --no-floppy --fs-uuid --set=root ${hints} ${fs_uuid}"
|
|
||||||
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${hints} ${fs_uuid}"
|
|
||||||
echo "else"
|
|
||||||
- echo " search --no-floppy --fs-uuid --set=root ${fs_uuid}"
|
|
||||||
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
|
|
||||||
echo "fi"
|
|
||||||
else
|
|
||||||
- echo "search --no-floppy --fs-uuid --set=root ${fs_uuid}"
|
|
||||||
+ echo "search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
|
|
||||||
fi
|
|
||||||
fi
|
|
||||||
IFS="$old_ifs"
|
|
||||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
|
||||||
index 5531239eb..49eccbeaf 100644
|
|
||||||
--- a/util/grub.d/10_linux.in
|
|
||||||
+++ b/util/grub.d/10_linux.in
|
|
||||||
@@ -91,6 +91,244 @@ if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
|
|
||||||
LINUX_ROOT_DEVICE=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
+populate_header_warn()
|
|
||||||
+{
|
|
||||||
+if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
|
||||||
+ bls_parser="10_linux script"
|
|
||||||
+else
|
|
||||||
+ bls_parser="blscfg command"
|
|
||||||
+fi
|
|
||||||
+cat <<EOF
|
|
||||||
+
|
|
||||||
+# This section was generated by a script. Do not modify the generated file - all changes
|
|
||||||
+# will be lost the next time file is regenerated. Instead edit the BootLoaderSpec files.
|
|
||||||
+#
|
|
||||||
+# The $bls_parser parses the BootLoaderSpec files stored in /boot/loader/entries and
|
|
||||||
+# populates the boot menu. Please refer to the Boot Loader Specification documentation
|
|
||||||
+# for the files format: https://systemd.io/BOOT_LOADER_SPECIFICATION/.
|
|
||||||
+
|
|
||||||
+EOF
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+read_config()
|
|
||||||
+{
|
|
||||||
+ config_file=${1}
|
|
||||||
+ title=""
|
|
||||||
+ initrd=""
|
|
||||||
+ options=""
|
|
||||||
+ linux=""
|
|
||||||
+ grub_arg=""
|
|
||||||
+
|
|
||||||
+ while read -r line
|
|
||||||
+ do
|
|
||||||
+ record=$(echo ${line} | cut -f 1 -d ' ')
|
|
||||||
+ value=$(echo ${line} | cut -s -f2- -d ' ')
|
|
||||||
+ case "${record}" in
|
|
||||||
+ "title")
|
|
||||||
+ title=${value}
|
|
||||||
+ ;;
|
|
||||||
+ "initrd")
|
|
||||||
+ initrd=${value}
|
|
||||||
+ ;;
|
|
||||||
+ "linux")
|
|
||||||
+ linux=${value}
|
|
||||||
+ ;;
|
|
||||||
+ "options")
|
|
||||||
+ options=${value}
|
|
||||||
+ ;;
|
|
||||||
+ "grub_arg")
|
|
||||||
+ grub_arg=${value}
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ done < ${config_file}
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+blsdir="/boot/loader/entries"
|
|
||||||
+
|
|
||||||
+get_sorted_bls()
|
|
||||||
+{
|
|
||||||
+ if ! [ -d "${blsdir}" ]; then
|
|
||||||
+ return
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ local IFS=$'\n'
|
|
||||||
+
|
|
||||||
+ files=($(for bls in ${blsdir}/*.conf; do
|
|
||||||
+ if ! [[ -e "${bls}" ]] ; then
|
|
||||||
+ continue
|
|
||||||
+ fi
|
|
||||||
+ bls="${bls%.conf}"
|
|
||||||
+ bls="${bls##*/}"
|
|
||||||
+ echo "${bls}"
|
|
||||||
+ done | ${kernel_sort} 2>/dev/null | tac)) || :
|
|
||||||
+
|
|
||||||
+ echo "${files[@]}"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+update_bls_cmdline()
|
|
||||||
+{
|
|
||||||
+ local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
+ local -a files=($(get_sorted_bls))
|
|
||||||
+
|
|
||||||
+ for bls in "${files[@]}"; do
|
|
||||||
+ local options="${cmdline}"
|
|
||||||
+ if [ -z "${bls##*debug*}" ]; then
|
|
||||||
+ options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
|
|
||||||
+ fi
|
|
||||||
+ options="$(echo "${options}" | sed -e 's/\//\\\//g')"
|
|
||||||
+ sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
|
|
||||||
+ done
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+populate_menu()
|
|
||||||
+{
|
|
||||||
+ local -a files=($(get_sorted_bls))
|
|
||||||
+
|
|
||||||
+ gettext_printf "Generating boot entries from BLS files...\n" >&2
|
|
||||||
+
|
|
||||||
+ for bls in "${files[@]}"; do
|
|
||||||
+ read_config "${blsdir}/${bls}.conf"
|
|
||||||
+
|
|
||||||
+ menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
|
|
||||||
+ menu="${menu}\t linux ${linux} ${options}\n"
|
|
||||||
+ if [ -n "${initrd}" ] ; then
|
|
||||||
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
|
|
||||||
+ fi
|
|
||||||
+ menu="${menu}}\n\n"
|
|
||||||
+ done
|
|
||||||
+ # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
|
|
||||||
+ printf "$menu"
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
|
||||||
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
|
|
||||||
+ GRUB_ENABLE_BLSCFG="true"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
|
||||||
+ if [ x$dirname = x/ ]; then
|
|
||||||
+ if [ -z "${prepare_root_cache}" ]; then
|
|
||||||
+ prepare_grub_to_access_device ${GRUB_DEVICE}
|
|
||||||
+ fi
|
|
||||||
+ else
|
|
||||||
+ if [ -z "${prepare_boot_cache}" ]; then
|
|
||||||
+ prepare_grub_to_access_device ${GRUB_DEVICE_BOOT}
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -d /sys/firmware/efi ]; then
|
|
||||||
+ bootefi_device="`${grub_probe} --target=device /boot/efi/`"
|
|
||||||
+ prepare_grub_to_access_device_with_variable boot ${bootefi_device}
|
|
||||||
+ else
|
|
||||||
+ boot_device="`${grub_probe} --target=device /boot/`"
|
|
||||||
+ prepare_grub_to_access_device_with_variable boot ${boot_device}
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ arch="$(uname -m)"
|
|
||||||
+ if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
|
|
||||||
+
|
|
||||||
+ BLS_POPULATE_MENU="true"
|
|
||||||
+ petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
|
|
||||||
+
|
|
||||||
+ if test -e ${petitboot_path}; then
|
|
||||||
+ read -r -d '' petitboot_version < ${petitboot_path}
|
|
||||||
+ petitboot_version="$(echo ${petitboot_version//v})"
|
|
||||||
+
|
|
||||||
+ if test -n ${petitboot_version}; then
|
|
||||||
+ major_version="$(echo ${petitboot_version} | cut -d . -f1)"
|
|
||||||
+ minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
|
|
||||||
+
|
|
||||||
+ re='^[0-9]+$'
|
|
||||||
+ if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
|
|
||||||
+ ([[ ${major_version} -gt 1 ]] ||
|
|
||||||
+ [[ ${major_version} -eq 1 &&
|
|
||||||
+ ${minor_version} -ge 8 ]]); then
|
|
||||||
+ BLS_POPULATE_MENU="false"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ populate_header_warn
|
|
||||||
+
|
|
||||||
+ cat << EOF
|
|
||||||
+# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
|
|
||||||
+# entries populated from BootLoaderSpec files that use this variable work correctly even
|
|
||||||
+# without a grubenv file, define a fallback kernelopts variable if this has not been set.
|
|
||||||
+#
|
|
||||||
+# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
|
|
||||||
+# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
|
|
||||||
+# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
|
|
||||||
+# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
|
|
||||||
+if [ -z "\${kernelopts}" ]; then
|
|
||||||
+ set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
+fi
|
|
||||||
+EOF
|
|
||||||
+
|
|
||||||
+ update_bls_cmdline
|
|
||||||
+
|
|
||||||
+ if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
|
||||||
+ populate_menu
|
|
||||||
+ else
|
|
||||||
+ cat << EOF
|
|
||||||
+
|
|
||||||
+insmod blscfg
|
|
||||||
+blscfg
|
|
||||||
+EOF
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
|
|
||||||
+ blsdir="/boot/loader/entries"
|
|
||||||
+ [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
|
|
||||||
+ if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
|
|
||||||
+ blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
|
|
||||||
+ if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
|
|
||||||
+ ${grub_editenv} - set blsdir="${blsdir}"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
|
|
||||||
+ ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -n "${GRUB_DEFAULT_DTB}" ]; then
|
|
||||||
+ ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -n "${GRUB_SAVEDEFAULT}" ]; then
|
|
||||||
+ ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ exit 0
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+mktitle ()
|
|
||||||
+{
|
|
||||||
+ local title_type
|
|
||||||
+ local version
|
|
||||||
+ local OS_NAME
|
|
||||||
+ local OS_VERS
|
|
||||||
+
|
|
||||||
+ title_type=$1 && shift
|
|
||||||
+ version=$1 && shift
|
|
||||||
+
|
|
||||||
+ OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
|
|
||||||
+ OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
|
|
||||||
+
|
|
||||||
+ case $title_type in
|
|
||||||
+ recovery)
|
|
||||||
+ title=$(printf '%s (%s) %s (recovery mode)' \
|
|
||||||
+ "${OS_NAME}" "${version}" "${OS_VERS}")
|
|
||||||
+ ;;
|
|
||||||
+ *)
|
|
||||||
+ title=$(printf '%s (%s) %s' \
|
|
||||||
+ "${OS_NAME}" "${version}" "${OS_VERS}")
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+ echo -n ${title}
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
title_correction_code=
|
|
||||||
|
|
||||||
hotkey=1
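Review bot: The sed substitution in `update_bls_cmdline` escapes only `/` before using `${options}` as a replacement (the two lines after `options="${cmdline}"`), so `&` or `\` inside GRUB_CMDLINE_LINUX / GRUB_CMDLINE_LINUX_DEFAULT is still interpreted by sed (`&` re-inserts the whole matched `options ...` line) and the rewritten BLS entry's kernel command line can be silently corrupted; escaping all three, `options="$(printf '%s' "${options}" | sed -e 's/[\/&\\]/\\&/g')"`, fixes it. `printf "$menu"` in `populate_menu` has the same shape of problem: a `%` in a BLS title is read as a format directive, and `printf '%b' "$menu"` keeps the `\n`/`\t` evaluation the comment above it asks for. In `read_config`, `echo ${line}` is unquoted, so glob characters in a BLS entry expand against the current directory before `cut` sees them; `echo "${line}"` avoids that. The `if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]` block ends with `exit 0`, so everything after this hunk only runs in the non-BLS case, which deserves a one-line comment at that `exit 0`.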
|
|
||||||
@@ -124,6 +362,7 @@ linux_entry ()
|
|
||||||
if [ -z "$boot_device_id" ]; then
|
|
||||||
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
|
|
||||||
fi
|
|
||||||
+
|
|
||||||
if [ x$type != xsimple ] ; then
|
|
||||||
case $type in
|
|
||||||
recovery)
|
|
||||||
@@ -298,6 +537,7 @@ fi
|
|
||||||
is_top_level=true
|
|
||||||
for linux in ${reverse_sorted_list}; do
|
|
||||||
gettext_printf "Found linux image: %s\n" "$linux" >&2
|
|
||||||
+
|
|
||||||
basename=`basename $linux`
|
|
||||||
dirname=`dirname $linux`
|
|
||||||
rel_dirname=`make_system_path_relative_to_its_root $dirname`
|
|
||||||
@@ -348,7 +588,9 @@ for linux in ${reverse_sorted_list}; do
|
|
||||||
for i in ${initrd}; do
|
|
||||||
initrd_display="${initrd_display} ${dirname}/${i}"
|
|
||||||
done
|
|
||||||
- gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
|
|
||||||
+ if [ "x${GRUB_ENABLE_BLSCFG}" != "xtrue" ]; then
|
|
||||||
+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
|
|
||||||
+ fi
|
|
||||||
fi
|
|
||||||
|
|
||||||
config=
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
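--- /dev/null
+++ b/0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
@@ -0,0 +1,290 @@
+From af8b106667aa2ca7a7613e10d8746959e182f8f1 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 29 Aug 2024 13:27:30 +0800
+Subject: [PATCH 2/2] Requiring authentication after tpm unlock for CLI access
+
+GRUB may use TPM to verify the integrity of boot components, and the
+result can determine whether a previously sealed key can be released. If
+everything checks out, showing nothing has been tampered with, the key
+is released, and grub unlocks the encrypted root partition for the next
+stage of booting.
+
+However, the liberal command line interface (CLI) can be misused by
+anyone in this case to access files in the encrypted partition one way
+or another. Despite efforts to keep the CLI secure by preventing utility
+command output from leaking file content, many techniques in the wild
+could still be used to exploit the CLI, enabling attacks or learning
+methods to attack. It's nearly impossible to account for all scenarios
+where a hack could be applied.
+
+Therefore, to mitigate potential misuse of the CLI after the root device
+has been successfully unlocked via TPM, the user should be required to
+authenticate using the LUKS password. This added layer of security
+ensures that only authorized users can access the CLI, reducing the risk
+of exploitation or unauthorized access to the encrypted partition.
+
+Fixes: CVE-2024-49504
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+grub-core/disk/cryptodisk.c | 80 +++++++++++++++++++++++++++++++++++
+grub-core/kern/main.c | 12 ++++++
+grub-core/normal/auth.c | 30 +++++++++++++
+grub-core/normal/main.c | 4 ++
+grub-core/normal/menu_entry.c | 4 ++
+include/grub/auth.h | 1 +
+include/grub/cryptodisk.h | 3 ++
+include/grub/misc.h | 2 +
+8 files changed, 136 insertions(+)
+
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index babc94868..77bc782fd 100644
+--- a/grub-core/disk/cryptodisk.c
++++ b/grub-core/disk/cryptodisk.c
+@@ -1188,6 +1188,7 @@ grub_cryptodisk_scan_device_real (const char *name,
+goto error;
+#ifndef GRUB_UTIL
+is_tpmkey = 1;
++ grub_cli_set_auth_needed ();
+#endif
+goto cleanup;
+}
+@@ -1706,6 +1707,85 @@ luks_script_get (grub_size_t *sz)
+return ret;
+}
+
++#ifdef GRUB_MACHINE_EFI
++grub_err_t
++grub_cryptodisk_challenge_password (void)
++{
++ grub_cryptodisk_t cr_dev;
++
++ for (cr_dev = cryptodisk_list; cr_dev != NULL; cr_dev = cr_dev->next)
++ {
++ grub_cryptodisk_dev_t cr;
++ grub_disk_t source = NULL;
++ grub_err_t ret = GRUB_ERR_NONE;
++ grub_cryptodisk_t dev = NULL;
++ char *part = NULL;
++ struct grub_cryptomount_args cargs = {0};
++
++ cargs.check_boot = 0;
++ cargs.search_uuid = cr_dev->uuid;
++
++ source = grub_disk_open (cr_dev->source);
++
++ if (source == NULL)
++ goto error_out;
++
++ FOR_CRYPTODISK_DEVS (cr)
++ {
++ dev = cr->scan (source, &cargs);
++ if (grub_errno)
++ goto error_out;
++ if (!dev)
++ continue;
++ break;
++ }
++
++ if (dev == NULL)
++ {
++ grub_error (GRUB_ERR_BAD_MODULE,
++ "no cryptodisk module can handle this device");
++ goto error_out;
++ }
++
++ part = grub_partition_get_name (source->partition);
++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
++ source->partition != NULL ? "," : "",
++ part != NULL ? part : N_("UNKNOWN"), cr_dev->uuid);
++ grub_free (part);
++
++ cargs.key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
++ if (cargs.key_data == NULL)
++ goto error_out;
++
++ if (!grub_password_get ((char *) cargs.key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
++ {
++ grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
++ goto error_out;
++ }
++ cargs.key_len = grub_strlen ((char *) cargs.key_data);
++ ret = cr->recover_key (source, dev, &cargs);
++ if (ret != GRUB_ERR_NONE)
++ goto error_out;
++
++ error_out:
++ if (source)
++ grub_disk_close (source);
++ if (dev)
++ cryptodisk_close (dev);
++ if (cargs.key_data)
++ {
++ grub_memset (cargs.key_data, 0, cargs.key_len);
++ grub_free (cargs.key_data);
++ }
++
++ if (grub_errno != GRUB_ERR_NONE)
++ return grub_errno;
++ }
++
++ return GRUB_ERR_NONE;
++}
++#endif /* GRUB_MACHINE_EFI */
++
+struct grub_procfs_entry luks_script =
+{
+.name = "luks_script",
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 07b6940d2..ef3b3756d 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -37,6 +37,7 @@
+#endif
+
+static bool cli_disabled = false;
++static bool cli_need_auth = false;
+
+grub_addr_t
+grub_modules_get_end (void)
+@@ -246,6 +247,17 @@ grub_is_cli_disabled (void)
+return cli_disabled;
+}
+
++bool
++grub_is_cli_need_auth (void)
++{
++ return cli_need_auth;
++}
++
++void grub_cli_set_auth_needed (void)
++{
++ cli_need_auth = true;
++}
++
+static void
+check_is_cli_disabled (void)
+{
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
+index d94020186..2931ba604 100644
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -25,6 +25,10 @@
+#include <grub/time.h>
+#include <grub/i18n.h>
+
++#ifdef GRUB_MACHINE_EFI
++#include <grub/cryptodisk.h>
++#endif
++
+struct grub_auth_user
+{
+struct grub_auth_user *next;
+@@ -200,6 +204,32 @@ grub_username_get (char buf[], unsigned buf_size)
+return (key != GRUB_TERM_ESC);
+}
+
++grub_err_t
++grub_auth_check_cli_access (void)
++{
++ if (grub_is_cli_need_auth () == true)
++ {
++#ifdef GRUB_MACHINE_EFI
++ static bool authenticated = false;
++
++ if (authenticated == false)
++ {
++ grub_err_t ret;
++
++ ret = grub_cryptodisk_challenge_password ();
++ if (ret == GRUB_ERR_NONE)
++ authenticated = true;
++ return ret;
++ }
++ return GRUB_ERR_NONE;
++#else
++ return GRUB_ACCESS_DENIED;
++#endif
++ }
++
++ return GRUB_ERR_NONE;
++}
++
+grub_err_t
+grub_auth_check_authentication (const char *userlist)
+{
+diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
+index 8e58ced67..b08fd6977 100644
+--- a/grub-core/normal/main.c
++++ b/grub-core/normal/main.c
+@@ -560,9 +560,13 @@ grub_cmdline_run (int nested, int force_auth)
+}
+while (err && force_auth);
+
++ if (err == GRUB_ERR_NONE)
++ err = grub_auth_check_cli_access ();
++
+if (err)
+{
+grub_print_error ();
++ grub_wait_after_message ();
+grub_errno = GRUB_ERR_NONE;
+return;
+}
+diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
+index e5ba91ea4..06682a396 100644
+--- a/grub-core/normal/menu_entry.c
++++ b/grub-core/normal/menu_entry.c
+@@ -1256,9 +1256,13 @@ grub_menu_entry_run (grub_menu_entry_t entry)
+
+err = grub_auth_check_authentication (NULL);
+
++ if (err == GRUB_ERR_NONE)
++ err = grub_auth_check_cli_access ();
++
+if (err)
+{
+grub_print_error ();
++ grub_wait_after_message ();
+grub_errno = GRUB_ERR_NONE;
+return;
+}
+diff --git a/include/grub/auth.h b/include/grub/auth.h
+index 747334451..21d5190f0 100644
+--- a/include/grub/auth.h
++++ b/include/grub/auth.h
+@@ -33,5 +33,6 @@ grub_err_t grub_auth_unregister_authentication (const char *user);
+grub_err_t grub_auth_authenticate (const char *user);
+grub_err_t grub_auth_deauthenticate (const char *user);
+grub_err_t grub_auth_check_authentication (const char *userlist);
++grub_err_t grub_auth_check_cli_access (void);
+
+#endif /* ! GRUB_AUTH_HEADER */
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index 0b41e249e..b3291519b 100644
+--- a/include/grub/cryptodisk.h
++++ b/include/grub/cryptodisk.h
+@@ -203,4 +203,7 @@ grub_util_get_geli_uuid (const char *dev);
+grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
+grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
+
++#ifdef GRUB_MACHINE_EFI
++grub_err_t grub_cryptodisk_challenge_password (void);
++#endif
+#endif
+diff --git a/include/grub/misc.h b/include/grub/misc.h
+index 1578f36c3..6e94d18f5 100644
+--- a/include/grub/misc.h
++++ b/include/grub/misc.h
+@@ -392,6 +392,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
+grub_uint64_t *r);
+
+extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
++extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
++extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
+
+/* Must match softdiv group in gentpl.py. */
+#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
+--
+2.47.0
+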
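Review bot: `grub_cli_set_auth_needed ()` in grub_cryptodisk_scan_device_real is guarded only by `#ifndef GRUB_UTIL`, while the only path that can satisfy the new requirement, `grub_cryptodisk_challenge_password`, is compiled under `GRUB_MACHINE_EFI`; on a non-EFI target where `is_tpmkey` is set, `grub_auth_check_cli_access` returns `GRUB_ACCESS_DENIED` without ever prompting, so the CLI and menu editing are locked out for the whole session rather than passphrase-gated (if no non-EFI build can reach that line, a comment saying so at the `#else` would spare the next reader the question). In `grub_cryptodisk_challenge_password` the cleanup wipes only `cargs.key_len` bytes, which is still 0 on every failure taken before `grub_strlen` runs; `grub_memset (cargs.key_data, 0, GRUB_CRYPTODISK_MAX_PASSPHRASE);` wipes the whole allocation regardless of where the function bailed out. The loop also prompts for every entry in cryptodisk_list, not only the TPM-unlocked device, and a successful answer is cached in `static bool authenticated` for the rest of the boot session; neither is stated anywhere, and a short comment above grub_auth_check_cli_access documenting both would help. The challenge applies no failed-attempt delay, unlike the username/password path in the same file if that still applies one, which is worth confirming now that this prompt is reachable from the menu.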
@ -1,197 +0,0 @@
|
|||||||
From 912384e63c1e3b6aa9d90effb71cd535a17da1e2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Chang <mchang@suse.com>
|
|
||||||
Date: Sat, 18 Nov 2023 19:02:31 +0800
|
|
||||||
Subject: [PATCH 2/4] Restrict file access on cryptodisk print
|
|
||||||
|
|
||||||
When the encrypted partition is automatically unlocked by TPM, granting
|
|
||||||
access to the system upon validation of its known good state, there's a
|
|
||||||
potential vulnerability. Grub gains access to file systems that were
|
|
||||||
previously inaccessible to the public, enabling certain commands from
|
|
||||||
the grub console to print content. This arises due to grub lacking
|
|
||||||
restrictions similar to those imposed by password authentication, which
|
|
||||||
typically occurs before privileged access is granted.
|
|
||||||
|
|
||||||
Although the automatic unlocking process ensures system integrity and a
|
|
||||||
secure environment for grub to operate in, it doesn't directly address
|
|
||||||
the issue of authentication for viewing encrypted partition content.
|
|
||||||
|
|
||||||
This commit addresses this security loophole by implementing a file
|
|
||||||
filter upon adding a TPM key. The newly added file filter will
|
|
||||||
specifically verify if the disk is encrypted, denying access and
|
|
||||||
returning an "Access Denied: prohibited to view encrypted data" error
|
|
||||||
message to alert the user.
|
|
||||||
|
|
||||||
Since the policy to filter out unwanted commands from leaking encrypted
|
|
||||||
content is irreversible, it is advisable to make the loaded module
|
|
||||||
persistent to prevent its removal.
|
|
||||||
|
|
||||||
This enhancement aims to bolster security measures and prevent
|
|
||||||
unauthorized access to encrypted data.
|
|
||||||
|
|
||||||
Signed-Off-by Michael Chang <mchang@suse.com>
|
|
||||||
---
|
|
||||||
grub-core/commands/crypttab.c | 35 ++++++++++++++++++++++++++++++++++-
|
|
||||||
grub-core/disk/diskfilter.c | 35 +++++++++++++++++++++++++++++++++++
|
|
||||||
include/grub/disk.h | 10 ++++++++++
|
|
||||||
include/grub/file.h | 1 +
|
|
||||||
4 files changed, 80 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
|
|
||||||
index 9397bede9..d3acc4b59 100644
|
|
||||||
--- a/grub-core/commands/crypttab.c
|
|
||||||
+++ b/grub-core/commands/crypttab.c
|
|
||||||
@@ -6,11 +6,39 @@
|
|
||||||
#include <grub/mm.h>
|
|
||||||
#include <grub/list.h>
|
|
||||||
#include <grub/crypttab.h>
|
|
||||||
+#include <grub/file.h>
|
|
||||||
|
|
||||||
GRUB_MOD_LICENSE ("GPLv3+");
|
|
||||||
|
|
||||||
grub_crypto_key_list_t *cryptokey_lst;
|
|
||||||
|
|
||||||
+static grub_file_t
|
|
||||||
+grub_nocat_open (grub_file_t io, enum grub_file_type type)
|
|
||||||
+{
|
|
||||||
+ grub_disk_t disk;
|
|
||||||
+
|
|
||||||
+ /* Network device */
|
|
||||||
+ if (!io->device->disk)
|
|
||||||
+ return io;
|
|
||||||
+
|
|
||||||
+ disk = io->device->disk;
|
|
||||||
+
|
|
||||||
+ if (grub_disk_is_crypto (disk))
|
|
||||||
+ {
|
|
||||||
+ switch (type & GRUB_FILE_TYPE_MASK)
|
|
||||||
+ {
|
|
||||||
+ case GRUB_FILE_TYPE_CAT:
|
|
||||||
+ case GRUB_FILE_TYPE_HEXCAT:
|
|
||||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to view encrypted data"));
|
|
||||||
+ return NULL;
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return io;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
grub_err_t
|
|
||||||
grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key_len, const char *path, int is_tpmkey)
|
|
||||||
{
|
|
||||||
@@ -48,7 +76,11 @@ grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key
|
|
||||||
}
|
|
||||||
|
|
||||||
if (is_tpmkey >= 0)
|
|
||||||
- cur->is_tpmkey = is_tpmkey;
|
|
||||||
+ {
|
|
||||||
+ cur->is_tpmkey = is_tpmkey;
|
|
||||||
+ if (is_tpmkey)
|
|
||||||
+ grub_file_filter_register (GRUB_FILE_FILTER_NOCAT, grub_nocat_open);
|
|
||||||
+ }
|
|
||||||
|
|
||||||
if (!cur->name)
|
|
||||||
{
|
|
||||||
@@ -121,6 +153,7 @@ GRUB_MOD_INIT(crypttab)
|
|
||||||
{
|
|
||||||
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
|
||||||
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
|
||||||
+ grub_dl_set_persistent (mod);
|
|
||||||
}
|
|
||||||
|
|
||||||
GRUB_MOD_FINI(crypttab)
|
|
||||||
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
|
|
||||||
index 5c5fabe1a..b0c1c880d 100644
|
|
||||||
--- a/grub-core/disk/diskfilter.c
|
|
||||||
+++ b/grub-core/disk/diskfilter.c
|
|
||||||
@@ -558,6 +558,39 @@ find_lv (const char *name)
|
|
||||||
return NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static int
|
|
||||||
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
|
|
||||||
+{
|
|
||||||
+ struct grub_diskfilter_pv *pv;
|
|
||||||
+
|
|
||||||
+ if (!lv)
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+ if (lv->vg->pvs)
|
|
||||||
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
|
|
||||||
+ {
|
|
||||||
+ if (!pv->disk)
|
|
||||||
+ {
|
|
||||||
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
|
|
||||||
+ " Some modules may be missing from core image."),
|
|
||||||
+ pv->name);
|
|
||||||
+ continue;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ switch (pv->disk->dev->id)
|
|
||||||
+ {
|
|
||||||
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
|
|
||||||
+ return 1;
|
|
||||||
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
|
|
||||||
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
|
|
||||||
+ default:
|
|
||||||
+ break;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static grub_err_t
|
|
||||||
grub_diskfilter_open (const char *name, grub_disk_t disk)
|
|
||||||
{
|
|
||||||
@@ -589,6 +622,8 @@ grub_diskfilter_open (const char *name, grub_disk_t disk)
|
|
||||||
|
|
||||||
disk->total_sectors = lv->size;
|
|
||||||
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
|
|
||||||
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
|
|
||||||
+
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/include/grub/disk.h b/include/grub/disk.h
|
|
||||||
index 3b3db6222..63982f16c 100644
|
|
||||||
--- a/include/grub/disk.h
|
|
||||||
+++ b/include/grub/disk.h
|
|
||||||
@@ -147,6 +147,8 @@ struct grub_disk
|
|
||||||
|
|
||||||
/* Device-specific data. */
|
|
||||||
void *data;
|
|
||||||
+
|
|
||||||
+ int is_crypto_diskfilter;
|
|
||||||
};
|
|
||||||
typedef struct grub_disk *grub_disk_t;
|
|
||||||
|
|
||||||
@@ -314,4 +316,12 @@ void grub_mdraid1x_fini (void);
|
|
||||||
void grub_diskfilter_fini (void);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
+static inline int
|
|
||||||
+grub_disk_is_crypto (grub_disk_t disk)
|
|
||||||
+{
|
|
||||||
+ return ((disk->is_crypto_diskfilter ||
|
|
||||||
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
|
|
||||||
+ 1 : 0);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
#endif /* ! GRUB_DISK_HEADER */
|
|
||||||
diff --git a/include/grub/file.h b/include/grub/file.h
|
|
||||||
index fde58f0fa..fcfd32ce2 100644
|
|
||||||
--- a/include/grub/file.h
|
|
||||||
+++ b/include/grub/file.h
|
|
||||||
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
|
|
||||||
/* Filters with lower ID are executed first. */
|
|
||||||
typedef enum grub_file_filter_id
|
|
||||||
{
|
|
||||||
+ GRUB_FILE_FILTER_NOCAT,
|
|
||||||
GRUB_FILE_FILTER_VERIFY,
|
|
||||||
GRUB_FILE_FILTER_GZIO,
|
|
||||||
GRUB_FILE_FILTER_XZIO,
|
|
||||||
--
|
|
||||||
2.42.1
|
|
||||||
|
|
@ -1,385 +0,0 @@
|
|||||||
From 90153f1c9631498723450d84e014e25865fecc1b Mon Sep 17 00:00:00 2001
|
|
||||||
From: Peter Jones <pjones@redhat.com>
|
|
||||||
Date: Thu, 15 Mar 2018 14:12:40 -0400
|
|
||||||
Subject: [PATCH 3/9] Add grub2-switch-to-blscfg
|
|
||||||
|
|
||||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
|
||||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
|
||||||
[jhlavac: Use ${etcdefaultgrub} instead of /etc/default/grub]
|
|
||||||
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
|
|
||||||
[rharwood: skip on ostree installations, migrate man to h2m]
|
|
||||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
|
||||||
---
|
|
||||||
Makefile.util.def | 7 +
|
|
||||||
docs/man/grub-switch-to-blscfg.h2m | 2 +
|
|
||||||
util/grub-switch-to-blscfg.in | 317 +++++++++++++++++++++++++++++
|
|
||||||
util/grub.d/10_linux.in | 2 +-
|
|
||||||
4 files changed, 327 insertions(+), 1 deletion(-)
|
|
||||||
create mode 100644 docs/man/grub-switch-to-blscfg.h2m
|
|
||||||
create mode 100644 util/grub-switch-to-blscfg.in
|
|
||||||
|
|
||||||
diff --git a/Makefile.util.def b/Makefile.util.def
|
|
||||||
index 6bb30c165..ffedea24a 100644
|
|
||||||
--- a/Makefile.util.def
|
|
||||||
+++ b/Makefile.util.def
|
|
||||||
@@ -1460,6 +1460,13 @@ program = {
|
|
||||||
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
|
|
||||||
};
|
|
||||||
|
|
||||||
+script = {
|
|
||||||
+ name = grub-switch-to-blscfg;
|
|
||||||
+ common = util/grub-switch-to-blscfg.in;
|
|
||||||
+ mansection = 8;
|
|
||||||
+ installdir = sbin;
|
|
||||||
+};
|
|
||||||
+
|
|
||||||
program = {
|
|
||||||
name = grub-glue-efi;
|
|
||||||
mansection = 1;
|
|
||||||
diff --git a/docs/man/grub-switch-to-blscfg.h2m b/docs/man/grub-switch-to-blscfg.h2m
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..fa341426a
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/docs/man/grub-switch-to-blscfg.h2m
|
|
||||||
@@ -0,0 +1,2 @@
|
|
||||||
+[NAME]
|
|
||||||
+grub-switch-to-blscfg \- switch to using BLS config files
|
|
||||||
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
|
|
||||||
new file mode 100644
|
|
||||||
index 000000000..a851424be
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/util/grub-switch-to-blscfg.in
|
|
||||||
@@ -0,0 +1,317 @@
|
|
||||||
+#! /bin/sh
|
|
||||||
+#
|
|
||||||
+# Set a default boot entry for GRUB.
|
|
||||||
+# Copyright (C) 2004,2009 Free Software Foundation, Inc.
|
|
||||||
+#
|
|
||||||
+# GRUB is free software: you can redistribute it and/or modify
|
|
||||||
+# it under the terms of the GNU General Public License as published by
|
|
||||||
+# the Free Software Foundation, either version 3 of the License, or
|
|
||||||
+# (at your option) any later version.
|
|
||||||
+#
|
|
||||||
+# GRUB is distributed in the hope that it will be useful,
|
|
||||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
+# GNU General Public License for more details.
|
|
||||||
+#
|
|
||||||
+# You should have received a copy of the GNU General Public License
|
|
||||||
+# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
+
|
|
||||||
+#set -eu
|
|
||||||
+
|
|
||||||
+# Initialize some variables.
|
|
||||||
+prefix=@prefix@
|
|
||||||
+exec_prefix=@exec_prefix@
|
|
||||||
+sbindir=@sbindir@
|
|
||||||
+bindir=@bindir@
|
|
||||||
+sysconfdir="@sysconfdir@"
|
|
||||||
+PACKAGE_NAME=@PACKAGE_NAME@
|
|
||||||
+PACKAGE_VERSION=@PACKAGE_VERSION@
|
|
||||||
+datarootdir="@datarootdir@"
|
|
||||||
+datadir="@datadir@"
|
|
||||||
+if [ ! -v pkgdatadir ]; then
|
|
||||||
+ pkgdatadir="${datadir}/@PACKAGE@"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+self=`basename $0`
|
|
||||||
+
|
|
||||||
+grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
|
|
||||||
+grub_editenv=${bindir}/@grub_editenv@
|
|
||||||
+etcdefaultgrub=/etc/default/grub
|
|
||||||
+
|
|
||||||
+eval "$("${grub_get_kernel_settings}")" || true
|
|
||||||
+
|
|
||||||
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
|
||||||
+if [ -d /sys/firmware/efi/efivars/ ]; then
|
|
||||||
+ startlink=/etc/grub2-efi.cfg
|
|
||||||
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
|
|
||||||
+else
|
|
||||||
+ startlink=/etc/grub2.cfg
|
|
||||||
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
|
|
||||||
+
|
|
||||||
+backupsuffix=.bak
|
|
||||||
+
|
|
||||||
+arch="$(uname -m)"
|
|
||||||
+
|
|
||||||
+export TEXTDOMAIN=@PACKAGE@
|
|
||||||
+export TEXTDOMAINDIR="@localedir@"
|
|
||||||
+
|
|
||||||
+. "${pkgdatadir}/grub-mkconfig_lib"
|
|
||||||
+
|
|
||||||
+# Usage: usage
|
|
||||||
+# Print the usage.
|
|
||||||
+usage () {
|
|
||||||
+ gettext_printf "Usage: %s\n" "$self"
|
|
||||||
+ gettext "Switch to BLS config files.\n"; echo
|
|
||||||
+ echo
|
|
||||||
+ print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
|
||||||
+ print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
|
||||||
+ echo
|
|
||||||
+ print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
|
|
||||||
+ print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
|
|
||||||
+ print_option_help "--config-file=$(gettext "FILE")" "$startlink"
|
|
||||||
+ print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
|
|
||||||
+ print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
|
|
||||||
+ # echo
|
|
||||||
+ # gettext "Report bugs to <bug-grub@gnu.org>."; echo
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+argument () {
|
|
||||||
+ opt=$1
|
|
||||||
+ shift
|
|
||||||
+
|
|
||||||
+ if test $# -eq 0; then
|
|
||||||
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+ echo $1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# Check the arguments.
|
|
||||||
+while test $# -gt 0
|
|
||||||
+do
|
|
||||||
+ option=$1
|
|
||||||
+ shift
|
|
||||||
+
|
|
||||||
+ case "$option" in
|
|
||||||
+ -h | --help)
|
|
||||||
+ usage
|
|
||||||
+ exit 0 ;;
|
|
||||||
+ -V | --version)
|
|
||||||
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
|
|
||||||
+ exit 0 ;;
|
|
||||||
+
|
|
||||||
+ --backup-suffix)
|
|
||||||
+ backupsuffix=`argument $option "$@"`
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --backup-suffix=*)
|
|
||||||
+ backupsuffix=`echo "$option" | sed 's/--backup-suffix=//'`
|
|
||||||
+ ;;
|
|
||||||
+
|
|
||||||
+ --bls-directory)
|
|
||||||
+ blsdir=`argument $option "$@"`
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --bls-directory=*)
|
|
||||||
+ blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
|
||||||
+ ;;
|
|
||||||
+
|
|
||||||
+ --config-file)
|
|
||||||
+ startlink=`argument $option "$@"`
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --config-file=*)
|
|
||||||
+ startlink=`echo "$option" | sed 's/--config-file=//'`
|
|
||||||
+ ;;
|
|
||||||
+
|
|
||||||
+ --grub-defaults)
|
|
||||||
+ etcdefaultgrub=`argument $option "$@"`
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --grub-defaults=*)
|
|
||||||
+ etcdefaultgrub=`echo "$option" | sed 's/--grub-defaults=//'`
|
|
||||||
+ ;;
|
|
||||||
+
|
|
||||||
+ --grub-directory)
|
|
||||||
+ grubdir=`argument $option "$@"`
|
|
||||||
+ shift
|
|
||||||
+ ;;
|
|
||||||
+ --grub-directory=*)
|
|
||||||
+ grubdir=`echo "$option" | sed 's/--grub-directory=//'`
|
|
||||||
+ ;;
|
|
||||||
+
|
|
||||||
+ *)
|
|
||||||
+ gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
|
|
||||||
+ usage
|
|
||||||
+ exit 1
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
+done
|
|
||||||
+
|
|
||||||
+find_grub_cfg() {
|
|
||||||
+ local candidate=""
|
|
||||||
+ while [ -e "${candidate}" -o $# -gt 0 ]
|
|
||||||
+ do
|
|
||||||
+ if [ ! -e "${candidate}" ] ; then
|
|
||||||
+ candidate="$1"
|
|
||||||
+ shift
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -L "${candidate}" ]; then
|
|
||||||
+ candidate="$(realpath "${candidate}")"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -f "${candidate}" ]; then
|
|
||||||
+ export GRUB_CONFIG_FILE="${candidate}"
|
|
||||||
+ return 0
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+ return 1
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
|
|
||||||
+ gettext_printf "Couldn't find config file\n" 1>&2
|
|
||||||
+ exit 1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ ! -d "${blsdir}" ]; then
|
|
||||||
+ install -m 700 -d "${blsdir}"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ -f /etc/machine-id ]; then
|
|
||||||
+ MACHINE_ID=$(cat /etc/machine-id)
|
|
||||||
+else
|
|
||||||
+ MACHINE_ID=$(dmesg | sha256sum)
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+mkbls() {
|
|
||||||
+ local kernelver=$1 && shift
|
|
||||||
+ local datetime=$1 && shift
|
|
||||||
+ local kernelopts=$1 && shift
|
|
||||||
+
|
|
||||||
+ local debugname=""
|
|
||||||
+ local debugid=""
|
|
||||||
+ local flavor=""
|
|
||||||
+
|
|
||||||
+ if [ "$kernelver" == *\+* ] ; then
|
|
||||||
+ local flavor=-"${kernelver##*+}"
|
|
||||||
+ if [ "${flavor}" == "-debug" ]; then
|
|
||||||
+ local debugname=" with debugging"
|
|
||||||
+ local debugid="-debug"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ (
|
|
||||||
+ source /etc/os-release
|
|
||||||
+
|
|
||||||
+ cat <<EOF
|
|
||||||
+title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
|
||||||
+version ${kernelver}${debugid}
|
|
||||||
+linux /vmlinuz-${kernelver}
|
|
||||||
+initrd /initramfs-${kernelver}.img
|
|
||||||
+options ${kernelopts}
|
|
||||||
+grub_users \$grub_users
|
|
||||||
+grub_arg --unrestricted
|
|
||||||
+grub_class kernel${flavor}
|
|
||||||
+EOF
|
|
||||||
+ ) | cat
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+copy_bls() {
|
|
||||||
+ for kernelver in $(cd /lib/modules/ ; ls -1) "" ; do
|
|
||||||
+ bls_target="${blsdir}/${MACHINE_ID}-${kernelver}.conf"
|
|
||||||
+ linux="/vmlinuz-${kernelver}"
|
|
||||||
+ linux_path="/boot${linux}"
|
|
||||||
+ kernel_dir="/lib/modules/${kernelver}"
|
|
||||||
+
|
|
||||||
+ if [ ! -d "${kernel_dir}" ] ; then
|
|
||||||
+ continue
|
|
||||||
+ fi
|
|
||||||
+ if [ ! -f "${linux_path}" ]; then
|
|
||||||
+ continue
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
|
|
||||||
+ bootprefix="${linux_relpath%%"${linux}"}"
|
|
||||||
+ cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
+
|
|
||||||
+ mkbls "${kernelver}" \
|
|
||||||
+ "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
|
|
||||||
+ "${bootprefix}" "${cmdline}" >"${bls_target}"
|
|
||||||
+
|
|
||||||
+ if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
|
|
||||||
+ bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
|
|
||||||
+ cp -aT "${bls_target}" "${bls_debug}"
|
|
||||||
+ title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
|
|
||||||
+ options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
|
|
||||||
+ sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
|
|
||||||
+ sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
|
|
||||||
+ fi
|
|
||||||
+ done
|
|
||||||
+
|
|
||||||
+ if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
|
|
||||||
+ mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
|
|
||||||
+ fi
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
+# The grub2 EFI binary is not copied to the ESP as a part of an ostree
|
|
||||||
+# transaction. Make sure a grub2 version with BLS support is installed
|
|
||||||
+# but only do this if the blsdir is not set, to make sure that the BLS
|
|
||||||
+# parsing module will search for the BLS snippets in the default path.
|
|
||||||
+if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
|
|
||||||
+ ! ${grub_editenv} - list | grep -q blsdir && \
|
|
||||||
+ mountpoint -q /boot; then
|
|
||||||
+ grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
|
|
||||||
+ install -m 700 ${grub_binary} ${grubdir} || exit 1
|
|
||||||
+ # Create a hidden file to indicate that grub2 now has BLS support.
|
|
||||||
+ touch /boot/grub2/.grub2-blscfg-supported
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+GENERATE=0
|
|
||||||
+if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
|
|
||||||
+ | grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
|
|
||||||
+ if ! sed -i"${backupsuffix}" \
|
|
||||||
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=true,' \
|
|
||||||
+ "${etcdefaultgrub}" ; then
|
|
||||||
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+ GENERATE=1
|
|
||||||
+elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
|
|
||||||
+ if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
|
|
||||||
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+ GENERATE=1
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ "${GENERATE}" -eq 1 ] ; then
|
|
||||||
+ copy_bls
|
|
||||||
+
|
|
||||||
+ if [ $arch = "x86_64" ] && [ ! -d /sys/firmware/efi ]; then
|
|
||||||
+ mod_dir="i386-pc"
|
|
||||||
+ elif [ $arch = "ppc64" -o $arch = "ppc64le" ] && [ ! -d /sys/firmware/opal ]; then
|
|
||||||
+ mod_dir="powerpc-ieee1275"
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ if [ -n "${mod_dir}" ]; then
|
|
||||||
+ for mod in blscfg increment; do
|
|
||||||
+ install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
|
|
||||||
+ done
|
|
||||||
+ fi
|
|
||||||
+
|
|
||||||
+ cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
|
|
||||||
+ if ! grub2-mkconfig -o "${GRUB_CONFIG_FILE}" ; then
|
|
||||||
+ install -m 700 "${GRUB_CONFIG_FILE}${backupsuffix}" "${GRUB_CONFIG_FILE}"
|
|
||||||
+ sed -i"${backupsuffix}" \
|
|
||||||
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=false,' \
|
|
||||||
+ "${etcdefaultgrub}"
|
|
||||||
+ gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
|
|
||||||
+ exit 1
|
|
||||||
+ fi
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+# Bye.
|
|
||||||
+exit 0
|
|
||||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
|
||||||
index 49eccbeaf..45eefb332 100644
|
|
||||||
--- a/util/grub.d/10_linux.in
|
|
||||||
+++ b/util/grub.d/10_linux.in
|
|
||||||
@@ -147,7 +147,7 @@ blsdir="/boot/loader/entries"
|
|
||||||
|
|
||||||
get_sorted_bls()
|
|
||||||
{
|
|
||||||
- if ! [ -d "${blsdir}" ]; then
|
|
||||||
+ if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
|
|
||||||
return
|
|
||||||
fi
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
@ -1,117 +0,0 @@
From 6c8d390809956d355fed8bc830f64e86838e3e82 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Chang <mchang@suse.com>
|
|
||||||
Date: Sat, 18 Nov 2023 21:42:00 +0800
|
|
||||||
Subject: [PATCH 3/4] Restrict 'ls' and auto file completion on cryptodisk
|
|
||||||
print
|
|
||||||
|
|
||||||
The 'ls' command allows file listing, while file completion assists in
|
|
||||||
providing matched file names by partially inputting via the TAB key.
|
|
||||||
Both functionalities should be restricted when the disk is automatically
|
|
||||||
unlocked for the same reasons as highlighted in the previous patch
|
|
||||||
addressing the limitation on file access to the cryptodisk.
|
|
||||||
|
|
||||||
Given that no file is explicitly opened for listing, employing file
|
|
||||||
filters becomes impractical. Consequently, this patch focuses on
|
|
||||||
modifying relevant routines separately to incorporate necessary checks.
|
|
||||||
The objective is to introduce measures that prevent 'ls' and auto file
|
|
||||||
completion from accessing encrypted data when the disk is automatically
|
|
||||||
unlocked.
|
|
||||||
|
|
||||||
By implementing these modifications, any attempt to utilize 'ls' or file
|
|
||||||
completion on the cryptodisk will result in an "Access Denied:
|
|
||||||
prohibited to browse encrypted data" error message, thus effectively
|
|
||||||
alerting the user about the restricted access.
|
|
||||||
|
|
||||||
While protecting content within disk files from viewing is essential,
|
|
||||||
it's equally crucial to restrict access to in-memory content. This
|
|
||||||
includes prohibiting access to the decrypted in-memory copies of disk
|
|
||||||
files.
|
|
||||||
|
|
||||||
This enhancement aims to fortify security protocols by extending
|
|
||||||
restrictions to additional functionalities beyond direct file access.
|
|
||||||
|
|
||||||
Signed-Off-by Michael Chang <mchang@suse.com>
|
|
||||||
---
|
|
||||||
grub-core/commands/ls.c | 8 ++++++++
|
|
||||||
grub-core/commands/minicmd.c | 6 ++++++
|
|
||||||
grub-core/kern/corecmd.c | 8 ++++++++
|
|
||||||
grub-core/normal/completion.c | 8 ++++++++
|
|
||||||
4 files changed, 30 insertions(+)
|
|
||||||
|
|
||||||
diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
|
|
||||||
index 8e98c73cc..aeb336a73 100644
|
|
||||||
--- a/grub-core/commands/ls.c
|
|
||||||
+++ b/grub-core/commands/ls.c
|
|
||||||
@@ -183,6 +183,14 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
|
|
||||||
if (! dev)
|
|
||||||
goto fail;
|
|
||||||
|
|
||||||
+ if (dev->disk &&
|
|
||||||
+ grub_disk_is_crypto (dev->disk) &&
|
|
||||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
|
||||||
+ {
|
|
||||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
fs = grub_fs_probe (dev);
|
|
||||||
path = grub_strchr (dirname, ')');
|
|
||||||
if (! path)
|
|
||||||
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
|
|
||||||
index fa498931e..8f2ac0539 100644
|
|
||||||
--- a/grub-core/commands/minicmd.c
|
|
||||||
+++ b/grub-core/commands/minicmd.c
|
|
||||||
@@ -101,6 +101,12 @@ grub_mini_cmd_dump (struct grub_command *cmd __attribute__ ((unused)),
|
|
||||||
if (argc == 0)
|
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no address specified");
|
|
||||||
|
|
||||||
+ /* NOCAT filter is applied to prevent cat alike command from revealing file
|
|
||||||
+ * content, the dump command should also be prohibited to revealing memory
|
|
||||||
+ * content as well */
|
|
||||||
+ if (grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
|
||||||
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by security policy"));
|
|
||||||
+
|
|
||||||
#if GRUB_CPU_SIZEOF_VOID_P == GRUB_CPU_SIZEOF_LONG
|
|
||||||
#define grub_strtoaddr grub_strtoul
|
|
||||||
#else
|
|
||||||
diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
|
|
||||||
index 62d434ba9..b639bc3ae 100644
|
|
||||||
--- a/grub-core/kern/corecmd.c
|
|
||||||
+++ b/grub-core/kern/corecmd.c
|
|
||||||
@@ -135,6 +135,14 @@ grub_core_cmd_ls (struct grub_command *cmd __attribute__ ((unused)),
|
|
||||||
if (! dev)
|
|
||||||
goto fail;
|
|
||||||
|
|
||||||
+ if (dev->disk &&
|
|
||||||
+ grub_disk_is_crypto (dev->disk) &&
|
|
||||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
|
||||||
+ {
|
|
||||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
fs = grub_fs_probe (dev);
|
|
||||||
path = grub_strchr (argv[0], ')');
|
|
||||||
if (! path)
|
|
||||||
diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
|
|
||||||
index 18cadfa85..d003ec37d 100644
|
|
||||||
--- a/grub-core/normal/completion.c
|
|
||||||
+++ b/grub-core/normal/completion.c
|
|
||||||
@@ -259,6 +259,14 @@ complete_file (void)
|
|
||||||
goto fail;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (dev->disk &&
|
|
||||||
+ grub_disk_is_crypto (dev->disk) &&
|
|
||||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
|
||||||
+ {
|
|
||||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
|
||||||
+ goto fail;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
fs = grub_fs_probe (dev);
|
|
||||||
if (! fs)
|
|
||||||
{
|
|
||||||
--
|
|
||||||
2.42.1
|
@ -20,11 +20,17 @@ Signed-Off-by Michael Chang <mchang@suse.com>
include/grub/file.h | 1 +
|
include/grub/file.h | 1 +
|
||||||
2 files changed, 37 insertions(+)
|
2 files changed, 37 insertions(+)
|
||||||
|
|
||||||
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
|
|
||||||
index d3acc4b59..e09296c57 100644
|
|
||||||
--- a/grub-core/commands/crypttab.c
|
--- a/grub-core/commands/crypttab.c
|
||||||
+++ b/grub-core/commands/crypttab.c
|
+++ b/grub-core/commands/crypttab.c
|
||||||
@@ -121,6 +121,41 @@ grub_cryptokey_tpmkey_discard (void)
|
@@ -6,6 +6,7 @@
|
||||||
|
#include <grub/mm.h>
|
||||||
|
#include <grub/list.h>
|
||||||
|
#include <grub/crypttab.h>
|
||||||
|
+#include <grub/file.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -89,6 +90,41 @@
|
||||||
grub_cryptokey_discard();
|
grub_cryptokey_discard();
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -66,26 +72,97 @@ index d3acc4b59..e09296c57 100644
|
|||||||
static grub_err_t
|
static grub_err_t
|
||||||
grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
|
grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
|
||||||
int argc, char **argv)
|
int argc, char **argv)
|
||||||
@@ -153,6 +188,7 @@ GRUB_MOD_INIT(crypttab)
|
@@ -121,6 +157,8 @@
|
||||||
{
|
{
|
||||||
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
||||||
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
||||||
+ grub_file_filter_register (GRUB_FILE_FILTER_DISTRUST, grub_distrust_open);
|
+ grub_file_filter_register (GRUB_FILE_FILTER_DISTRUST, grub_distrust_open);
|
||||||
grub_dl_set_persistent (mod);
|
+ grub_dl_set_persistent (mod);
|
||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/include/grub/file.h b/include/grub/file.h
|
GRUB_MOD_FINI(crypttab)
|
||||||
index fcfd32ce2..daf23a9c9 100644
|
|
||||||
--- a/include/grub/file.h
|
--- a/include/grub/file.h
|
||||||
+++ b/include/grub/file.h
|
+++ b/include/grub/file.h
|
||||||
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
|
@@ -185,6 +185,7 @@
|
||||||
/* Filters with lower ID are executed first. */
|
/* Filters with lower ID are executed first. */
|
||||||
typedef enum grub_file_filter_id
|
typedef enum grub_file_filter_id
|
||||||
{
|
{
|
||||||
+ GRUB_FILE_FILTER_DISTRUST,
|
+ GRUB_FILE_FILTER_DISTRUST,
|
||||||
GRUB_FILE_FILTER_NOCAT,
|
|
||||||
GRUB_FILE_FILTER_VERIFY,
|
GRUB_FILE_FILTER_VERIFY,
|
||||||
GRUB_FILE_FILTER_GZIO,
|
GRUB_FILE_FILTER_GZIO,
|
||||||
--
|
GRUB_FILE_FILTER_XZIO,
|
||||||
2.42.1
|
--- a/grub-core/disk/diskfilter.c
|
||||||
|
+++ b/grub-core/disk/diskfilter.c
|
||||||
|
@@ -558,6 +558,39 @@
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
|
||||||
|
+{
|
||||||
|
+ struct grub_diskfilter_pv *pv;
|
||||||
|
+
|
||||||
|
+ if (!lv)
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ if (lv->vg->pvs)
|
||||||
|
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
|
||||||
|
+ {
|
||||||
|
+ if (!pv->disk)
|
||||||
|
+ {
|
||||||
|
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
|
||||||
|
+ " Some modules may be missing from core image."),
|
||||||
|
+ pv->name);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ switch (pv->disk->dev->id)
|
||||||
|
+ {
|
||||||
|
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
|
||||||
|
+ return 1;
|
||||||
|
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
|
||||||
|
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
|
||||||
|
+ default:
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static grub_err_t
|
||||||
|
grub_diskfilter_open (const char *name, grub_disk_t disk)
|
||||||
|
{
|
||||||
|
@@ -589,6 +622,8 @@
|
||||||
|
|
||||||
|
disk->total_sectors = lv->size;
|
||||||
|
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
|
||||||
|
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
--- a/include/grub/disk.h
|
||||||
|
+++ b/include/grub/disk.h
|
||||||
|
@@ -147,6 +147,8 @@
|
||||||
|
|
||||||
|
/* Device-specific data. */
|
||||||
|
void *data;
|
||||||
|
+
|
||||||
|
+ int is_crypto_diskfilter;
|
||||||
|
};
|
||||||
|
typedef struct grub_disk *grub_disk_t;
|
||||||
|
|
||||||
|
@@ -317,4 +319,12 @@
|
||||||
|
void grub_diskfilter_fini (void);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static inline int
|
||||||
|
+grub_disk_is_crypto (grub_disk_t disk)
|
||||||
|
+{
|
||||||
|
+ return ((disk->is_crypto_diskfilter ||
|
||||||
|
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
|
||||||
|
+ 1 : 0);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#endif /* ! GRUB_DISK_HEADER */
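Review bot: `grub_diskfilter_has_cryptodisk` in the diskfilter.c hunk skips any PV whose disk could not be opened (the `continue` after the "Couldn't find physical volume" dprintf), so an LV whose only encrypted PV is absent is reported as non-crypto and `grub_disk_is_crypto` returns 0 for it; for a degraded mirror whose surviving leg is plaintext that is fail-open, although the bytes reachable through that leg are unencrypted anyway. I would document the choice above the `continue`: `/* Unopenable PVs are ignored: an LV counts as encrypted only if an openable PV is a cryptodisk, so a degraded mirror whose encrypted leg is missing is reported as non-crypto. */`. The new `is_crypto_diskfilter` field of `struct grub_disk` is written only in `grub_diskfilter_open`, so `grub_disk_is_crypto` relies on every disk opened through another backend being zero-initialised — presumably `grub_disk_open` zalloc's the struct, but that is outside the hunk and worth confirming. Minor: the `if (lv->vg->pvs)` guard is redundant with the `for` condition, and wrapping the `grub_dprintf` string in `_()` is unusual for debug output, which elsewhere in GRUB does not appear to be translated.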
@ -1,19 +1,21 @@
From 77316f09f133e9c7c5e1026b2b4f5749daac644a Mon Sep 17 00:00:00 2001
|
From 6701b4a9e1994c8a05c87a7167694bc3dd71e7d6 Mon Sep 17 00:00:00 2001
|
||||||
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||||
Date: Wed, 17 Apr 2024 23:48:51 +0530
|
Date: Wed, 23 Oct 2024 17:54:32 +0530
|
||||||
Subject: [PATCH 7/8] mkimage: create new ELF Note for SBAT
|
Subject: [PATCH 7/8] grub-mkimage: Create new ELF note for SBAT
|
||||||
|
|
||||||
we add a new ELF note for SBAT which store the SBAT data.
|
In order to store the SBAT data we create a new ELF note. The string
|
||||||
The name field of shall be the string "Secure-Boot-Advanced-Targeting", zero-padded
|
".sbat", zero-padded to 4 byte alignment, shall be entered in the name
|
||||||
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
|
field. The string "SBAT"'s ASCII values, 0x53424154, should be entered
|
||||||
for the string "sbat").
|
in the type field.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||||
Co-authored-by: Daniel Axtens <dja@axtens.net>
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
---
|
---
|
||||||
include/grub/util/mkimage.h | 4 +-
|
include/grub/util/mkimage.h | 4 +-
|
||||||
util/grub-mkimagexx.c | 92 +++++++++++++++++++++++++++----------
|
util/grub-mkimagexx.c | 92 +++++++++++++++++++++++++++----------
|
||||||
2 files changed, 71 insertions(+), 25 deletions(-)
|
util/mkimage.c | 5 +-
|
||||||
|
3 files changed, 74 insertions(+), 27 deletions(-)
|
||||||
|
|
||||||
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
|
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
|
||||||
index 6f1da89b9..881e3031f 100644
|
index 6f1da89b9..881e3031f 100644
|
||||||
@ -35,24 +37,24 @@ index 6f1da89b9..881e3031f 100644
|
|||||||
struct grub_mkimage_layout *layout);
|
struct grub_mkimage_layout *layout);
|
||||||
|
|
||||||
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
|
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
|
||||||
index 9488f0525..0041b2d0b 100644
|
index 9488f0525..b507d4ade 100644
|
||||||
--- a/util/grub-mkimagexx.c
|
--- a/util/grub-mkimagexx.c
|
||||||
+++ b/util/grub-mkimagexx.c
|
+++ b/util/grub-mkimagexx.c
|
||||||
@@ -85,6 +85,14 @@ struct grub_ieee1275_note
|
@@ -116,6 +116,14 @@ struct section_metadata
|
||||||
struct grub_ieee1275_note_desc descriptor;
|
const char *strtab;
|
||||||
};
|
};
|
||||||
|
|
||||||
+#define GRUB_SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
|
+#define GRUB_SBAT_NOTE_NAME ".sbat"
|
||||||
+#define GRUB_SBAT_NOTE_TYPE 0x73626174 /* "sbat" */
|
+#define GRUB_SBAT_NOTE_TYPE 0x53424154 /* "SBAT" */
|
||||||
+
|
+
|
||||||
+struct grub_sbat_note {
|
+struct grub_sbat_note {
|
||||||
+ Elf32_Nhdr header;
|
+ Elf32_Nhdr header;
|
||||||
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
|
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
|
||||||
+};
|
+};
|
||||||
+
|
+
|
||||||
#define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
|
static int
|
||||||
#define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
|
is_relocatable (const struct grub_install_image_target_desc *image_target)
|
||||||
|
{
|
||||||
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
|
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
|
||||||
|
|
||||||
void
|
void
|
||||||
@ -184,6 +186,31 @@ index 9488f0525..0041b2d0b 100644
|
|||||||
|
|
||||||
{
|
{
|
||||||
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
|
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
|
||||||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||||
|
index 0737935fd..be7f02c5c 100644
|
||||||
|
--- a/util/mkimage.c
|
||||||
|
+++ b/util/mkimage.c
|
||||||
|
@@ -1835,6 +1835,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
case IMAGE_I386_IEEE1275:
|
||||||
|
{
|
||||||
|
grub_uint64_t target_addr;
|
||||||
|
+ char *sbat = NULL;
|
||||||
|
if (image_target->id == IMAGE_LOONGSON_ELF)
|
||||||
|
{
|
||||||
|
if (comp == GRUB_COMPRESSION_NONE)
|
||||||
|
@@ -1846,10 +1847,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
else
|
||||||
|
target_addr = image_target->link_addr;
|
||||||
|
if (image_target->voidp_sizeof == 4)
|
||||||
|
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img,
|
||||||
|
&core_size, target_addr, &layout);
|
||||||
|
else
|
||||||
|
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img,
|
||||||
|
&core_size, target_addr, &layout);
|
||||||
|
}
|
||||||
|
break;
|
||||||
--
|
--
|
||||||
2.47.0
|
2.47.1
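Review bot: In the util/mkimage.c hunk the new `char *sbat = NULL;` is passed to `grub_mkimage_generate_elf32`/`elf64` but is never assigned anywhere in this patch, so with this commit alone no SBAT note is emitted for the IEEE1275/ELF targets and the `GRUB_SBAT_NOTE_NAME`/`GRUB_SBAT_NOTE_TYPE` definitions in grub-mkimagexx.c are dead until something fills it. Presumably patch 8/8 wires it up from the SBAT input mkimage already accepts for PE images; if so, a one-line comment on the declaration would save the next reader the search, e.g. `/* SBAT note payload; NULL means no .sbat note is emitted (populated in a later change). */`, and if not, the variable should be initialised from the SBAT contents rather than hard-coded to NULL. `grub_install_generate_image` begins and ends outside this hunk, so I cannot see whether an sbat argument is already in scope there. The note header itself looks right: `ALIGN_UP(sizeof(".sbat"), 4)` yields 8 bytes, matching the 4-byte zero padding the commit message describes.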
@ -1,279 +0,0 @@
From 96e5a28d120856057fe7fc9b281f11f8933063b7 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Chang <mchang@suse.com>
|
|
||||||
Date: Fri, 30 Jun 2023 14:37:41 +0800
|
|
||||||
Subject: [PATCH 7/9] grub-switch-to-blscfg: adapt to openSUSE
|
|
||||||
|
|
||||||
A few tweaks to make it 'just works' for openSUSE:
|
|
||||||
|
|
||||||
- remove RHEL specific $grub_get_kernel_settings and all reference to it.
|
|
||||||
- make $grubdir and $startlink to the path in openSUSE
|
|
||||||
- change the bls template to openSUSE
|
|
||||||
- make $cmdline account for btrfs subvolumes, among others
|
|
||||||
- remove RHEL specific $GRUB_LINUX_MAKE_DEBUG and all related code
|
|
||||||
- remove ostree specific hack
|
|
||||||
- ignore increment.mod
|
|
||||||
- fix error in dash shell script
|
|
||||||
- fix kernel flavor parsing in openSUSE
|
|
||||||
|
|
||||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
||||||
---
|
|
||||||
util/grub-switch-to-blscfg.in | 156 ++++++++++++++++++++--------------
|
|
||||||
1 file changed, 94 insertions(+), 62 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
|
|
||||||
index a851424be..145c22add 100644
|
|
||||||
--- a/util/grub-switch-to-blscfg.in
|
|
||||||
+++ b/util/grub-switch-to-blscfg.in
|
|
||||||
@@ -28,27 +28,24 @@ PACKAGE_NAME=@PACKAGE_NAME@
|
|
||||||
PACKAGE_VERSION=@PACKAGE_VERSION@
|
|
||||||
datarootdir="@datarootdir@"
|
|
||||||
datadir="@datadir@"
|
|
||||||
-if [ ! -v pkgdatadir ]; then
|
|
||||||
+if [ -z "${pkgdatadir+x}" ]; then
|
|
||||||
pkgdatadir="${datadir}/@PACKAGE@"
|
|
||||||
fi
|
|
||||||
|
|
||||||
self=`basename $0`
|
|
||||||
|
|
||||||
-grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
|
|
||||||
grub_editenv=${bindir}/@grub_editenv@
|
|
||||||
-etcdefaultgrub=/etc/default/grub
|
|
||||||
+grub_probe="${sbindir}/@grub_probe@"
|
|
||||||
+etcdefaultgrub=${sysconfdir}/default/grub
|
|
||||||
|
|
||||||
-eval "$("${grub_get_kernel_settings}")" || true
|
|
||||||
-
|
|
||||||
-EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
|
||||||
-if [ -d /sys/firmware/efi/efivars/ ]; then
|
|
||||||
- startlink=/etc/grub2-efi.cfg
|
|
||||||
- grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
|
|
||||||
-else
|
|
||||||
- startlink=/etc/grub2.cfg
|
|
||||||
- grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
|
||||||
+if test -f "$etcdefaultgrub" ; then
|
|
||||||
+ # shellcheck source=/etc/default/grub
|
|
||||||
+ . "$etcdefaultgrub"
|
|
||||||
fi
|
|
||||||
|
|
||||||
+grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
|
||||||
+startlink="${grubdir}/grub.cfg"
|
|
||||||
+
|
|
||||||
blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
|
|
||||||
|
|
||||||
backupsuffix=.bak
|
|
||||||
@@ -58,19 +55,80 @@ arch="$(uname -m)"
|
|
||||||
export TEXTDOMAIN=@PACKAGE@
|
|
||||||
export TEXTDOMAINDIR="@localedir@"
|
|
||||||
|
|
||||||
+# shellcheck source=/usr/share/grub2/grub-mkconfig_lib
|
|
||||||
. "${pkgdatadir}/grub-mkconfig_lib"
|
|
||||||
|
|
||||||
+# FIXME: Abort if grub_probe fails
|
|
||||||
+
|
|
||||||
+GRUB_DEVICE="`${grub_probe} --target=device /`"
|
|
||||||
+GRUB_DEVICE_UUID="`${grub_probe} --device ${GRUB_DEVICE} --target=fs_uuid 2> /dev/null`" || true
|
|
||||||
+GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2> /dev/null`" || true
|
|
||||||
+GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"
|
|
||||||
+
|
|
||||||
+# loop-AES arranges things so that /dev/loop/X can be our root device, but
|
|
||||||
+# the initrds that Linux uses don't like that.
|
|
||||||
+case ${GRUB_DEVICE} in
|
|
||||||
+ /dev/loop/*|/dev/loop[0-9])
|
|
||||||
+ GRUB_DEVICE=$(losetup "${GRUB_DEVICE}" | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/")
|
|
||||||
+ ;;
|
|
||||||
+esac
|
|
||||||
+
|
|
||||||
+# Default to disabling partition uuid support to maintian compatibility with
|
|
||||||
+# older kernels.
|
|
||||||
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true}
|
|
||||||
+
|
|
||||||
+# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
|
|
||||||
+# and mounting btrfs requires user space scanning, so force UUID in this case.
|
|
||||||
+if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
|
|
||||||
+ || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
|
|
||||||
+ && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
|
|
||||||
+ || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
|
|
||||||
+ && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|
|
||||||
+ || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
|
|
||||||
+ LINUX_ROOT_DEVICE=${GRUB_DEVICE}
|
|
||||||
+elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
|
|
||||||
+ || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
|
|
||||||
+ LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
|
|
||||||
+else
|
|
||||||
+ LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+if [ "x$GRUB_CONMODE" != "x" ]; then
|
|
||||||
+ GRUB_CMDLINE_LINUX="conmode=${GRUB_CONMODE} ${GRUB_CMDLINE_LINUX}"
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
+case x"$GRUB_FS" in
|
|
||||||
+ xbtrfs)
|
|
||||||
+ if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" != "xtrue" ]; then
|
|
||||||
+ rootsubvol="`make_system_path_relative_to_its_root /`"
|
|
||||||
+ rootsubvol="${rootsubvol#/}"
|
|
||||||
+ if [ "x${rootsubvol}" != x ] && [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" != "xtrue" ]; then
|
|
||||||
+ GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}"
|
|
||||||
+ fi
|
|
||||||
+ fi
|
|
||||||
+ ;;
|
|
||||||
+ xzfs)
|
|
||||||
+ rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true`
|
|
||||||
+ bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`"
|
|
||||||
+ LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}"
|
|
||||||
+ ;;
|
|
||||||
+esac
|
|
||||||
+
|
|
||||||
+if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
|
|
||||||
+ LINUX_ROOT_DEVICE=""
|
|
||||||
+fi
|
|
||||||
+
|
|
||||||
# Usage: usage
|
|
||||||
# Print the usage.
|
|
||||||
usage () {
|
|
||||||
gettext_printf "Usage: %s\n" "$self"
|
|
||||||
- gettext "Switch to BLS config files.\n"; echo
|
|
||||||
+ gettext "Switch to BLS config files. Only for testing purpose !!!\n"; echo
|
|
||||||
echo
|
|
||||||
print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
|
||||||
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
|
||||||
echo
|
|
||||||
print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
|
|
||||||
- print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
|
|
||||||
+ print_option_help "--bls-directory=$(gettext "DIR")" "Noop, always $blsdir"
|
|
||||||
print_option_help "--config-file=$(gettext "FILE")" "$startlink"
|
|
||||||
print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
|
|
||||||
print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
|
|
||||||
@@ -112,11 +170,15 @@ do
|
|
||||||
;;
|
|
||||||
|
|
||||||
--bls-directory)
|
|
||||||
- blsdir=`argument $option "$@"`
|
|
||||||
+ # blsdir=`argument $option "$@"`
|
|
||||||
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
|
|
||||||
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
|
|
||||||
shift
|
|
||||||
;;
|
|
||||||
--bls-directory=*)
|
|
||||||
- blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
|
||||||
+ # blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
|
||||||
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
|
|
||||||
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
|
|
||||||
;;
|
|
||||||
|
|
||||||
--config-file)
|
|
||||||
@@ -172,7 +234,7 @@ find_grub_cfg() {
|
|
||||||
return 1
|
|
||||||
}
|
|
||||||
|
|
||||||
-if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
|
|
||||||
+if ! find_grub_cfg "${startlink}" ; then
|
|
||||||
gettext_printf "Couldn't find config file\n" 1>&2
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
@@ -190,27 +252,24 @@ fi
|
|
||||||
mkbls() {
|
|
||||||
local kernelver=$1 && shift
|
|
||||||
local datetime=$1 && shift
|
|
||||||
+ local prefix=$1 && shift
|
|
||||||
local kernelopts=$1 && shift
|
|
||||||
|
|
||||||
- local debugname=""
|
|
||||||
- local debugid=""
|
|
||||||
local flavor=""
|
|
||||||
|
|
||||||
- if [ "$kernelver" == *\+* ] ; then
|
|
||||||
- local flavor=-"${kernelver##*+}"
|
|
||||||
- if [ "${flavor}" == "-debug" ]; then
|
|
||||||
- local debugname=" with debugging"
|
|
||||||
- local debugid="-debug"
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
+ case "$kernelver" in
|
|
||||||
+ *-*-*)
|
|
||||||
+ flavor=-"${kernelver##*-}"
|
|
||||||
+ ;;
|
|
||||||
+ esac
|
|
||||||
(
|
|
||||||
- source /etc/os-release
|
|
||||||
+ . /etc/os-release
|
|
||||||
|
|
||||||
cat <<EOF
|
|
||||||
-title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
|
||||||
-version ${kernelver}${debugid}
|
|
||||||
-linux /vmlinuz-${kernelver}
|
|
||||||
-initrd /initramfs-${kernelver}.img
|
|
||||||
+title ${NAME} (${kernelver}) ${VERSION}
|
|
||||||
+version ${kernelver}
|
|
||||||
+linux ${prefix}/vmlinuz-${kernelver}
|
|
||||||
+initrd ${prefix}/initrd-${kernelver}
|
|
||||||
options ${kernelopts}
|
|
||||||
grub_users \$grub_users
|
|
||||||
grub_arg --unrestricted
|
|
||||||
@@ -233,42 +292,15 @@ copy_bls() {
|
|
||||||
continue
|
|
||||||
fi
|
|
||||||
|
|
||||||
- linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
|
|
||||||
- bootprefix="${linux_relpath%%"${linux}"}"
|
|
||||||
+ bootprefix="$(make_system_path_relative_to_its_root /boot)"
|
|
||||||
cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
|
|
||||||
mkbls "${kernelver}" \
|
|
||||||
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
|
|
||||||
"${bootprefix}" "${cmdline}" >"${bls_target}"
|
|
||||||
-
|
|
||||||
- if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
|
|
||||||
- bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
|
|
||||||
- cp -aT "${bls_target}" "${bls_debug}"
|
|
||||||
- title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
|
|
||||||
- options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
|
|
||||||
- sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
|
|
||||||
- sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
|
|
||||||
- fi
|
|
||||||
done
|
|
||||||
-
|
|
||||||
- if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
|
|
||||||
- mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
|
|
||||||
- fi
|
|
||||||
}
|
|
||||||
|
|
||||||
-# The grub2 EFI binary is not copied to the ESP as a part of an ostree
|
|
||||||
-# transaction. Make sure a grub2 version with BLS support is installed
|
|
||||||
-# but only do this if the blsdir is not set, to make sure that the BLS
|
|
||||||
-# parsing module will search for the BLS snippets in the default path.
|
|
||||||
-if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
|
|
||||||
- ! ${grub_editenv} - list | grep -q blsdir && \
|
|
||||||
- mountpoint -q /boot; then
|
|
||||||
- grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
|
|
||||||
- install -m 700 ${grub_binary} ${grubdir} || exit 1
|
|
||||||
- # Create a hidden file to indicate that grub2 now has BLS support.
|
|
||||||
- touch /boot/grub2/.grub2-blscfg-supported
|
|
||||||
-fi
|
|
||||||
-
|
|
||||||
GENERATE=0
|
|
||||||
if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
|
|
||||||
| grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
|
|
||||||
@@ -297,9 +329,7 @@ if [ "${GENERATE}" -eq 1 ] ; then
|
|
||||||
fi
|
|
||||||
|
|
||||||
if [ -n "${mod_dir}" ]; then
|
|
||||||
- for mod in blscfg increment; do
|
|
||||||
- install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
|
|
||||||
- done
|
|
||||||
+ install -m 700 "${pkgdatadir}/${mod_dir}/blscfg.mod" "${grubdir}/$mod_dir/" || exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
|
|
||||||
@@ -311,6 +341,8 @@ if [ "${GENERATE}" -eq 1 ] ; then
|
|
||||||
gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
+else
|
|
||||||
+ gettext_printf "Do nothing because \$GRUB_ENABLE_BLSCFG is already true in %s\n" "${GRUB_CONFIG_FILE}"
|
|
||||||
fi
|
|
||||||
|
|
||||||
# Bye.
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,75 +0,0 @@
|
|||||||
From 2b0e6effc31ec166bbbe35a3cd2b4c73051f38bb Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Chang <mchang@suse.com>
|
|
||||||
Date: Fri, 16 Jun 2023 15:54:50 +0800
|
|
||||||
Subject: [PATCH 8/9] blscfg: reading bls fragments if boot present
|
|
||||||
|
|
||||||
The Boot Loader Specification (BLS) designates the EFI System Partition
|
|
||||||
(ESP) as a primary location for $BOOT, where boot menu entries can be
|
|
||||||
stored. The specification encourages boot loaders to retrieve menu
|
|
||||||
entries from the ESP, even when XBOOTLDR is present.
|
|
||||||
|
|
||||||
This commit aligns with the BLS specification by introducing the
|
|
||||||
capability to search for the ESP in addition to the default root
|
|
||||||
partition or any specified location via blscfg's command line. The $boot
|
|
||||||
environment variable is utilized as a reference to the ESP device for
|
|
||||||
the blscfg command. Initialization of $boot in grub.cfg is demonstrated
|
|
||||||
as follows:
|
|
||||||
|
|
||||||
insmod part_gpt
|
|
||||||
insmod fat
|
|
||||||
search --no-floppy --fs-uuid --set=boot F414-5A9F
|
|
||||||
|
|
||||||
If $boot is unset, no additional search for the BLS location will be
|
|
||||||
performed.
|
|
||||||
|
|
||||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
||||||
---
|
|
||||||
grub-core/commands/blscfg.c | 10 ++++++++++
|
|
||||||
util/grub.d/10_linux.in | 3 ++-
|
|
||||||
2 files changed, 12 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
|
|
||||||
index c872bcef0..cbe2a289e 100644
|
|
||||||
--- a/grub-core/commands/blscfg.c
|
|
||||||
+++ b/grub-core/commands/blscfg.c
|
|
||||||
@@ -1186,6 +1186,7 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
|
|
||||||
char *entry_id = NULL;
|
|
||||||
bool show_default = true;
|
|
||||||
bool show_non_default = true;
|
|
||||||
+ const char *boot = NULL;
|
|
||||||
|
|
||||||
if (argc == 1) {
|
|
||||||
if (grub_strcmp (args[0], "default") == 0) {
|
|
||||||
@@ -1205,6 +1206,15 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
|
|
||||||
if (r)
|
|
||||||
return r;
|
|
||||||
|
|
||||||
+ boot = grub_env_get("boot");
|
|
||||||
+ path = (boot) ? grub_xasprintf("(%s)" GRUB_BLS_CONFIG_PATH, boot) : NULL;
|
|
||||||
+ if (path)
|
|
||||||
+ {
|
|
||||||
+ bls_load_entries(path);
|
|
||||||
+ grub_print_error();
|
|
||||||
+ }
|
|
||||||
+ grub_free(path);
|
|
||||||
+
|
|
||||||
return bls_create_entries(show_default, show_non_default, entry_id);
|
|
||||||
}
|
|
||||||
|
|
||||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
|
||||||
index 45eefb332..edf0fca55 100644
|
|
||||||
--- a/util/grub.d/10_linux.in
|
|
||||||
+++ b/util/grub.d/10_linux.in
|
|
||||||
@@ -201,7 +201,8 @@ populate_menu()
|
|
||||||
}
|
|
||||||
|
|
||||||
# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
|
||||||
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
|
|
||||||
+# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
|
|
||||||
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
|
|
||||||
GRUB_ENABLE_BLSCFG="true"
|
|
||||||
fi
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -0,0 +1,48 @@
From 312edf1f0ebaebba72e348ae88d95b29fa24c09c Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 23 Oct 2024 17:54:33 +0530
Subject: [PATCH 8/8] grub-mkimage: Add SBAT metadata into ELF note for PowerPC
targets
|
||||||
|
The SBAT metadata is read from CSV file and transformed into an ELF note
with the -s option.
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
util/mkimage.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||||
|
diff --git a/util/mkimage.c b/util/mkimage.c
index be7f02c5c..d3948937b 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -958,8 +958,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
total_module_size += dtb_size + sizeof (struct grub_module_header);
}
|
||||||
|
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
- grub_util_error (_(".sbat section can be embedded into EFI images only"));
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
+ grub_util_error (_("SBAT data can be added only to EFI or powerpc-ieee1275 images"));
|
||||||
|
if (disable_shim_lock)
total_module_size += sizeof (struct grub_module_header);
@@ -1836,6 +1836,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
{
grub_uint64_t target_addr;
char *sbat = NULL;
+ if (sbat_path != NULL)
+ {
+ sbat_size = grub_util_get_image_size (sbat_path);
+ sbat = xmalloc (sbat_size);
+ grub_util_load_image (sbat_path, sbat);
+ layout.sbat_size = sbat_size;
+ }
if (image_target->id == IMAGE_LOONGSON_ELF)
{
if (comp == GRUB_COMPRESSION_NONE)
--
2.47.1
|
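Review bot: The buffer obtained with `sbat = xmalloc (sbat_size);` in the second hunk is never released within the hunk, and grub_install_generate_image continues past the hunk's end, so either a `free (sbat);` belongs after the ELF generation call or the later, unshown code must be the owner. The hunk also leaves the grub_mkimage_generate_elf32/elf64 call sites untouched even though the commit message says the CSV data ends up in an ELF note; since `char *sbat = NULL;` is already a context line, the pointer was presumably threaded through by an earlier patch of the series (the deleted variant of this patch on this page did it in the same commit), which is worth confirming before the buffer is trusted to reach the note writer. An empty CSV at `sbat_path` appears to pass straight through, with `sbat_size` left at zero and `layout.sbat_size = sbat_size;` recorded, so a guard such as `if (sbat_size == 0) grub_util_error (_("SBAT file %s is empty"), sbat_path);` before the allocation would reject it the same way an unsupported target is rejected in the first hunk.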
@ -1,66 +0,0 @@
|
|||||||
From 32d4823762e5a0e7f8bfc5a878d39e1a019392fe Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
||||||
Date: Thu, 18 Apr 2024 00:00:55 +0530
|
|
||||||
Subject: [PATCH 8/8] mkimage: adding sbat data into sbat ELF Note on powerpc
|
|
||||||
|
|
||||||
it reads the SBAT data from sbat.csv and create the ELF Note for it then
|
|
||||||
store the SBAT data on it while generate image with -s option
|
|
||||||
|
|
||||||
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
|
||||||
Co-authored-by: Daniel Axtens <dja@axtens.net>
|
|
||||||
---
|
|
||||||
util/mkimage.c | 23 +++++++++++++++++------
|
|
||||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/util/mkimage.c b/util/mkimage.c
|
|
||||||
index 0737935fd..136e4a90c 100644
|
|
||||||
--- a/util/mkimage.c
|
|
||||||
+++ b/util/mkimage.c
|
|
||||||
@@ -958,8 +958,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
|
||||||
total_module_size += dtb_size + sizeof (struct grub_module_header);
|
|
||||||
}
|
|
||||||
|
|
||||||
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
|
|
||||||
- grub_util_error (_(".sbat section can be embedded into EFI images only"));
|
|
||||||
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
|
|
||||||
+ grub_util_error (_(".sbat section can be embedded into EFI images/"
|
|
||||||
+ "sbat ELF Note cab be added into powerpc-ieee1275 images only"));
|
|
||||||
|
|
||||||
if (disable_shim_lock)
|
|
||||||
total_module_size += sizeof (struct grub_module_header);
|
|
||||||
@@ -1835,6 +1836,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
|
||||||
case IMAGE_I386_IEEE1275:
|
|
||||||
{
|
|
||||||
grub_uint64_t target_addr;
|
|
||||||
+ char *sbat = NULL;
|
|
||||||
+
|
|
||||||
+ if (sbat_path != NULL)
|
|
||||||
+ {
|
|
||||||
+ sbat_size = grub_util_get_image_size (sbat_path);
|
|
||||||
+ sbat = xmalloc (sbat_size);
|
|
||||||
+ grub_util_load_image (sbat_path, sbat);
|
|
||||||
+ layout.sbat_size = sbat_size;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
if (image_target->id == IMAGE_LOONGSON_ELF)
|
|
||||||
{
|
|
||||||
if (comp == GRUB_COMPRESSION_NONE)
|
|
||||||
@@ -1846,11 +1857,11 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
|
||||||
else
|
|
||||||
target_addr = image_target->link_addr;
|
|
||||||
if (image_target->voidp_sizeof == 4)
|
|
||||||
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
|
||||||
- &core_size, target_addr, &layout);
|
|
||||||
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img, &core_size,
|
|
||||||
+ target_addr, &layout);
|
|
||||||
else
|
|
||||||
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
|
||||||
- &core_size, target_addr, &layout);
|
|
||||||
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img, &core_size,
|
|
||||||
+ target_addr, &layout);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
--
|
|
||||||
2.47.0
|
|
||||||
|
|
@ -1,252 +0,0 @@
|
|||||||
From abd8b83cdc6398c52c7d2b71b378938cf51872fd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Michael Chang <mchang@suse.com>
|
|
||||||
Date: Wed, 13 Mar 2024 15:26:42 +0800
|
|
||||||
Subject: [PATCH 9/9] 10_linux: Some refinement for BLS
|
|
||||||
|
|
||||||
Remove BLS_POPULATE_MENU as it is not being used currently and removing
|
|
||||||
kernelopts assignment in the grub boot config itself to fully delegate
|
|
||||||
the responsibility of generating kernel options to a functioning BLS
|
|
||||||
generator.
|
|
||||||
|
|
||||||
Additionally, removing unused dead code, which is often blamed for
|
|
||||||
causing errors in the dash shell script.
|
|
||||||
|
|
||||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
|
||||||
---
|
|
||||||
util/grub.d/10_linux.in | 194 ----------------------------------------
|
|
||||||
1 file changed, 194 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
|
||||||
index edf0fca55..666eae995 100644
|
|
||||||
--- a/util/grub.d/10_linux.in
|
|
||||||
+++ b/util/grub.d/10_linux.in
|
|
||||||
@@ -93,11 +93,7 @@ fi
|
|
||||||
|
|
||||||
populate_header_warn()
|
|
||||||
{
|
|
||||||
-if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
|
||||||
- bls_parser="10_linux script"
|
|
||||||
-else
|
|
||||||
bls_parser="blscfg command"
|
|
||||||
-fi
|
|
||||||
cat <<EOF
|
|
||||||
|
|
||||||
# This section was generated by a script. Do not modify the generated file - all changes
|
|
||||||
@@ -110,102 +106,6 @@ cat <<EOF
|
|
||||||
EOF
|
|
||||||
}
|
|
||||||
|
|
||||||
-read_config()
|
|
||||||
-{
|
|
||||||
- config_file=${1}
|
|
||||||
- title=""
|
|
||||||
- initrd=""
|
|
||||||
- options=""
|
|
||||||
- linux=""
|
|
||||||
- grub_arg=""
|
|
||||||
-
|
|
||||||
- while read -r line
|
|
||||||
- do
|
|
||||||
- record=$(echo ${line} | cut -f 1 -d ' ')
|
|
||||||
- value=$(echo ${line} | cut -s -f2- -d ' ')
|
|
||||||
- case "${record}" in
|
|
||||||
- "title")
|
|
||||||
- title=${value}
|
|
||||||
- ;;
|
|
||||||
- "initrd")
|
|
||||||
- initrd=${value}
|
|
||||||
- ;;
|
|
||||||
- "linux")
|
|
||||||
- linux=${value}
|
|
||||||
- ;;
|
|
||||||
- "options")
|
|
||||||
- options=${value}
|
|
||||||
- ;;
|
|
||||||
- "grub_arg")
|
|
||||||
- grub_arg=${value}
|
|
||||||
- ;;
|
|
||||||
- esac
|
|
||||||
- done < ${config_file}
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-blsdir="/boot/loader/entries"
|
|
||||||
-
|
|
||||||
-get_sorted_bls()
|
|
||||||
-{
|
|
||||||
- if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
|
|
||||||
- return
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
- local IFS=$'\n'
|
|
||||||
-
|
|
||||||
- files=($(for bls in ${blsdir}/*.conf; do
|
|
||||||
- if ! [[ -e "${bls}" ]] ; then
|
|
||||||
- continue
|
|
||||||
- fi
|
|
||||||
- bls="${bls%.conf}"
|
|
||||||
- bls="${bls##*/}"
|
|
||||||
- echo "${bls}"
|
|
||||||
- done | ${kernel_sort} 2>/dev/null | tac)) || :
|
|
||||||
-
|
|
||||||
- echo "${files[@]}"
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-update_bls_cmdline()
|
|
||||||
-{
|
|
||||||
- local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
- local -a files=($(get_sorted_bls))
|
|
||||||
-
|
|
||||||
- for bls in "${files[@]}"; do
|
|
||||||
- local options="${cmdline}"
|
|
||||||
- if [ -z "${bls##*debug*}" ]; then
|
|
||||||
- options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
|
|
||||||
- fi
|
|
||||||
- options="$(echo "${options}" | sed -e 's/\//\\\//g')"
|
|
||||||
- sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
|
|
||||||
- done
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-populate_menu()
|
|
||||||
-{
|
|
||||||
- local -a files=($(get_sorted_bls))
|
|
||||||
-
|
|
||||||
- gettext_printf "Generating boot entries from BLS files...\n" >&2
|
|
||||||
-
|
|
||||||
- for bls in "${files[@]}"; do
|
|
||||||
- read_config "${blsdir}/${bls}.conf"
|
|
||||||
-
|
|
||||||
- menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
|
|
||||||
- menu="${menu}\t linux ${linux} ${options}\n"
|
|
||||||
- if [ -n "${initrd}" ] ; then
|
|
||||||
- menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
|
|
||||||
- fi
|
|
||||||
- menu="${menu}}\n\n"
|
|
||||||
- done
|
|
||||||
- # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
|
|
||||||
- printf "$menu"
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
-# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
|
||||||
-# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
|
|
||||||
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
|
|
||||||
- GRUB_ENABLE_BLSCFG="true"
|
|
||||||
-fi
|
|
||||||
-
|
|
||||||
if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
|
||||||
if [ x$dirname = x/ ]; then
|
|
||||||
if [ -z "${prepare_root_cache}" ]; then
|
|
||||||
@@ -225,111 +125,17 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
|
||||||
prepare_grub_to_access_device_with_variable boot ${boot_device}
|
|
||||||
fi
|
|
||||||
|
|
||||||
- arch="$(uname -m)"
|
|
||||||
- if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
|
|
||||||
-
|
|
||||||
- BLS_POPULATE_MENU="true"
|
|
||||||
- petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
|
|
||||||
-
|
|
||||||
- if test -e ${petitboot_path}; then
|
|
||||||
- read -r -d '' petitboot_version < ${petitboot_path}
|
|
||||||
- petitboot_version="$(echo ${petitboot_version//v})"
|
|
||||||
-
|
|
||||||
- if test -n ${petitboot_version}; then
|
|
||||||
- major_version="$(echo ${petitboot_version} | cut -d . -f1)"
|
|
||||||
- minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
|
|
||||||
-
|
|
||||||
- re='^[0-9]+$'
|
|
||||||
- if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
|
|
||||||
- ([[ ${major_version} -gt 1 ]] ||
|
|
||||||
- [[ ${major_version} -eq 1 &&
|
|
||||||
- ${minor_version} -ge 8 ]]); then
|
|
||||||
- BLS_POPULATE_MENU="false"
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
populate_header_warn
|
|
||||||
|
|
||||||
- cat << EOF
|
|
||||||
-# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
|
|
||||||
-# entries populated from BootLoaderSpec files that use this variable work correctly even
|
|
||||||
-# without a grubenv file, define a fallback kernelopts variable if this has not been set.
|
|
||||||
-#
|
|
||||||
-# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
|
|
||||||
-# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
|
|
||||||
-# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
|
|
||||||
-# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
|
|
||||||
-if [ -z "\${kernelopts}" ]; then
|
|
||||||
- set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
|
||||||
-fi
|
|
||||||
-EOF
|
|
||||||
-
|
|
||||||
- update_bls_cmdline
|
|
||||||
-
|
|
||||||
- if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
|
||||||
- populate_menu
|
|
||||||
- else
|
|
||||||
cat << EOF
|
|
||||||
|
|
||||||
insmod blscfg
|
|
||||||
blscfg
|
|
||||||
EOF
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
|
|
||||||
- blsdir="/boot/loader/entries"
|
|
||||||
- [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
|
|
||||||
- if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
|
|
||||||
- blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
|
|
||||||
- if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
|
|
||||||
- ${grub_editenv} - set blsdir="${blsdir}"
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
- if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
|
|
||||||
- ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
- if [ -n "${GRUB_DEFAULT_DTB}" ]; then
|
|
||||||
- ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
|
|
||||||
- fi
|
|
||||||
-
|
|
||||||
- if [ -n "${GRUB_SAVEDEFAULT}" ]; then
|
|
||||||
- ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
|
|
||||||
- fi
|
|
||||||
- fi
|
|
||||||
|
|
||||||
exit 0
|
|
||||||
fi
|
|
||||||
|
|
||||||
-mktitle ()
|
|
||||||
-{
|
|
||||||
- local title_type
|
|
||||||
- local version
|
|
||||||
- local OS_NAME
|
|
||||||
- local OS_VERS
|
|
||||||
-
|
|
||||||
- title_type=$1 && shift
|
|
||||||
- version=$1 && shift
|
|
||||||
-
|
|
||||||
- OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
|
|
||||||
- OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
|
|
||||||
-
|
|
||||||
- case $title_type in
|
|
||||||
- recovery)
|
|
||||||
- title=$(printf '%s (%s) %s (recovery mode)' \
|
|
||||||
- "${OS_NAME}" "${version}" "${OS_VERS}")
|
|
||||||
- ;;
|
|
||||||
- *)
|
|
||||||
- title=$(printf '%s (%s) %s' \
|
|
||||||
- "${OS_NAME}" "${version}" "${OS_VERS}")
|
|
||||||
- ;;
|
|
||||||
- esac
|
|
||||||
- echo -n ${title}
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
title_correction_code=
|
|
||||||
|
|
||||||
hotkey=1
|
|
||||||
--
|
|
||||||
2.45.2
|
|
||||||
|
|
@ -1,5 +1,7 @@
|
|||||||
--- a/include/grub/tpm.h
|
Index: grub-2.12/include/grub/tpm.h
|
||||||
+++ b/include/grub/tpm.h
|
===================================================================
|
||||||
|
--- grub-2.12.orig/include/grub/tpm.h
|
||||||
|
+++ grub-2.12/include/grub/tpm.h
|
||||||
@@ -36,6 +36,12 @@
|
@@ -36,6 +36,12 @@
|
||||||
|
|
||||||
#define EV_IPL 0x0d
|
#define EV_IPL 0x0d
|
||||||
@ -13,7 +15,7 @@
|
|||||||
grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
|
grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
|
||||||
grub_uint8_t pcr, const char *description);
|
grub_uint8_t pcr, const char *description);
|
||||||
int grub_tpm_present (void);
|
int grub_tpm_present (void);
|
||||||
@@ -45,5 +51,7 @@
|
@@ -45,5 +51,7 @@ grub_is_tpm_fail_fatal (void)
|
||||||
{
|
{
|
||||||
return grub_env_get_bool ("tpm_fail_fatal", false);
|
return grub_env_get_bool ("tpm_fail_fatal", false);
|
||||||
}
|
}
|
||||||
@ -21,29 +23,32 @@
|
|||||||
+void grub_tpm_digest_free (struct grub_tpm_digest *d);
|
+void grub_tpm_digest_free (struct grub_tpm_digest *d);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
--- a/grub-core/commands/efi/tpm.c
|
Index: grub-2.12/grub-core/commands/efi/tpm.c
|
||||||
+++ b/grub-core/commands/efi/tpm.c
|
===================================================================
|
||||||
@@ -24,6 +24,7 @@
|
--- grub-2.12.orig/grub-core/commands/efi/tpm.c
|
||||||
#include <grub/efi/efi.h>
|
+++ grub-2.12/grub-core/commands/efi/tpm.c
|
||||||
#include <grub/efi/cc.h>
|
@@ -28,6 +28,8 @@
|
||||||
#include <grub/efi/tpm.h>
|
|
||||||
+#include <grub/tpm2/tpm2.h>
|
|
||||||
#include <grub/mm.h>
|
|
||||||
#include <grub/tpm.h>
|
#include <grub/tpm.h>
|
||||||
#include <grub/term.h>
|
#include <grub/term.h>
|
||||||
@@ -186,6 +187,91 @@
|
|
||||||
|
+#include <tpm2_cmd.h>
|
||||||
|
+
|
||||||
|
typedef TCG_PCR_EVENT grub_tpm_event_t;
|
||||||
|
|
||||||
|
static grub_guid_t tpm_guid = EFI_TPM_GUID;
|
||||||
|
@@ -186,6 +188,91 @@ grub_tpm1_log_event (grub_efi_handle_t t
|
||||||
return grub_efi_log_event_status (status);
|
return grub_efi_log_event_status (status);
|
||||||
}
|
}
|
||||||
|
|
||||||
+static void
|
+static void
|
||||||
+grub_tpm2_select_pcr(TPML_PCR_SELECTION *o, unsigned int pcrIndex, unsigned int algo)
|
+grub_tpm2_select_pcr (TPML_PCR_SELECTION_t *o, unsigned int pcrIndex, unsigned int algo)
|
||||||
+{
|
+{
|
||||||
+ TPMS_PCR_SELECTION *pcr;
|
+ TPMS_PCR_SELECTION_t *pcr;
|
||||||
+
|
+
|
||||||
+ pcr = &o->pcrSelections[o->count++];
|
+ pcr = &o->pcrSelections[o->count++];
|
||||||
+ pcr->hash = algo;
|
+ pcr->hash = algo;
|
||||||
+ pcr->sizeOfSelect = 3;
|
+ pcr->sizeOfSelect = 3;
|
||||||
+ pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
|
+ TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
|
||||||
+}
|
+}
|
||||||
+
|
+
|
||||||
+struct grub_tpm_hash_info {
|
+struct grub_tpm_hash_info {
|
||||||
@ -77,10 +82,10 @@
|
|||||||
+grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct grub_tpm_digest **ret)
|
+grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct grub_tpm_digest **ret)
|
||||||
+{
|
+{
|
||||||
+ const struct grub_tpm_hash_info *info;
|
+ const struct grub_tpm_hash_info *info;
|
||||||
+ TPML_PCR_SELECTION inSelection, outSelection;
|
+ TPML_PCR_SELECTION_t inSelection, outSelection;
|
||||||
+ grub_uint32_t pcrUpdateCounter;
|
+ grub_uint32_t pcrUpdateCounter;
|
||||||
+ TPML_DIGEST digests = { 0 };
|
+ TPML_DIGEST_t digests = { 0 };
|
||||||
+ TPM2B_DIGEST *d;
|
+ TPM2B_DIGEST_t *d;
|
||||||
+ struct grub_tpm_digest *result;
|
+ struct grub_tpm_digest *result;
|
||||||
+ int rc;
|
+ int rc;
|
||||||
+
|
+
|
||||||
@ -92,7 +97,7 @@
|
|||||||
+ grub_memset(&outSelection, 0, sizeof(outSelection));
|
+ grub_memset(&outSelection, 0, sizeof(outSelection));
|
||||||
+ grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
|
+ grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
|
||||||
+
|
+
|
||||||
+ rc = TPM2_PCR_Read(
|
+ rc = grub_tpm2_pcr_read(
|
||||||
+ NULL,
|
+ NULL,
|
||||||
+ &inSelection,
|
+ &inSelection,
|
||||||
+ &pcrUpdateCounter,
|
+ &pcrUpdateCounter,
|
||||||
@ -123,7 +128,7 @@
|
|||||||
static grub_err_t
|
static grub_err_t
|
||||||
grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
|
grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
|
||||||
grub_size_t size, grub_uint8_t pcr,
|
grub_size_t size, grub_uint8_t pcr,
|
||||||
@@ -323,3 +409,26 @@
|
@@ -323,3 +410,26 @@ grub_tpm_present (void)
|
||||||
return grub_tpm2_present (tpm);
|
return grub_tpm2_present (tpm);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -150,16 +155,15 @@
|
|||||||
+
|
+
|
||||||
+ return result;
|
+ return result;
|
||||||
+}
|
+}
|
||||||
--- a/include/grub/tpm2/tpm2.h
|
Index: grub-2.12/grub-core/Makefile.core.def
|
||||||
+++ b/include/grub/tpm2/tpm2.h
|
===================================================================
|
||||||
@@ -23,6 +23,10 @@
|
--- grub-2.12.orig/grub-core/Makefile.core.def
|
||||||
#include <grub/tpm2/internal/structs.h>
|
+++ grub-2.12/grub-core/Makefile.core.def
|
||||||
#include <grub/tpm2/internal/functions.h>
|
@@ -2606,6 +2606,7 @@ module = {
|
||||||
|
common = commands/tpm.c;
|
||||||
+/* Defined in: TCG TPM Specification, v1.59, Part 2, Section 10.6.1. */
|
efi = commands/efi/tpm.c;
|
||||||
+#define TPM2_PCR_TO_SELECT(x) ((x) / 8)
|
enable = efi;
|
||||||
+#define TPM2_PCR_TO_BIT(x) (1 << ((x) % 8))
|
+ cppflags = '-I$(srcdir)/lib/tss2';
|
||||||
+
|
};
|
||||||
/* Well-Known Windows SRK handle */
|
|
||||||
#define TPM2_SRK_HANDLE 0x81000001
|
|
||||||
|
|
||||||
|
module = {
|
||||||
|
4586
grub2-add-tss2-support.patch
Normal file
4586
grub2-add-tss2-support.patch
Normal file
@ -1,4 +1,4 @@
|
|||||||
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
|
From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
|
||||||
From: Gary Lin <glin@suse.com>
|
From: Gary Lin <glin@suse.com>
|
||||||
Date: Mon, 18 Mar 2024 14:53:11 +0800
|
Date: Mon, 18 Mar 2024 14:53:11 +0800
|
||||||
Subject: [PATCH] key_protector: implement the blocklist
|
Subject: [PATCH] key_protector: implement the blocklist
|
||||||
@ -15,11 +15,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
|||||||
include/grub/efi/api.h | 5 +++++
|
include/grub/efi/api.h | 5 +++++
|
||||||
2 files changed, 36 insertions(+)
|
2 files changed, 36 insertions(+)
|
||||||
|
|
||||||
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
Index: grub-2.12/grub-core/disk/key_protector.c
|
||||||
index b84afe1c7..3d630ca4f 100644
|
===================================================================
|
||||||
--- a/grub-core/disk/key_protector.c
|
--- grub-2.12.orig/grub-core/disk/key_protector.c
|
||||||
+++ b/grub-core/disk/key_protector.c
|
+++ grub-2.12/grub-core/disk/key_protector.c
|
||||||
@@ -24,6 +24,10 @@
|
@@ -25,6 +25,10 @@
|
||||||
|
|
||||||
GRUB_MOD_LICENSE ("GPLv3+");
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
@ -30,7 +30,7 @@ index b84afe1c7..3d630ca4f 100644
|
|||||||
struct grub_key_protector *grub_key_protectors = NULL;
|
struct grub_key_protector *grub_key_protectors = NULL;
|
||||||
|
|
||||||
grub_err_t
|
grub_err_t
|
||||||
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
|
@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
|
||||||
return GRUB_ERR_NONE;
|
return GRUB_ERR_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -64,10 +64,10 @@ index b84afe1c7..3d630ca4f 100644
|
|||||||
+ grub_err_t err;
|
+ grub_err_t err;
|
||||||
|
|
||||||
if (grub_key_protectors == NULL)
|
if (grub_key_protectors == NULL)
|
||||||
return GRUB_ERR_OUT_OF_RANGE;
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
|
||||||
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
|
@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
|
||||||
"Is the name spelled correctly and is the "
|
if (kp == NULL)
|
||||||
"corresponding module loaded?"), protector);
|
return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
|
||||||
|
|
||||||
+ err = grub_key_protector_check_blocklist ();
|
+ err = grub_key_protector_check_blocklist ();
|
||||||
+ if (err != GRUB_ERR_NONE)
|
+ if (err != GRUB_ERR_NONE)
|
||||||
@ -75,10 +75,10 @@ index b84afe1c7..3d630ca4f 100644
|
|||||||
+
|
+
|
||||||
return kp->recover_key (key, key_size);
|
return kp->recover_key (key, key_size);
|
||||||
}
|
}
|
||||||
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
|
Index: grub-2.12/include/grub/efi/api.h
|
||||||
index 7947cf592..975b90b09 100644
|
===================================================================
|
||||||
--- a/include/grub/efi/api.h
|
--- grub-2.12.orig/include/grub/efi/api.h
|
||||||
+++ b/include/grub/efi/api.h
|
+++ grub-2.12/include/grub/efi/api.h
|
||||||
@@ -389,6 +389,11 @@
|
@@ -389,6 +389,11 @@
|
||||||
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
|
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
|
||||||
}
|
}
|
||||||
@ -91,6 +91,3 @@ index 7947cf592..975b90b09 100644
|
|||||||
struct grub_efi_sal_system_table
|
struct grub_efi_sal_system_table
|
||||||
{
|
{
|
||||||
grub_uint32_t signature;
|
grub_uint32_t signature;
|
||||||
--
|
|
||||||
2.35.3
|
|
||||||
|
|
||||||
|
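--- /dev/null
+++ b/grub2-s390x-secure-execution-support.patch
@@ -0,0 +1,361 @@
+From 023b569648eece7a7fe2ae38d731185a1f2abeb5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 23 Aug 2024 09:57:03 +0800
+Subject: [PATCH] s390x: add Secure Execution support
+
+To support Secure Execution, 2 extra files and 5 environment variables
+are introduced.
+
+- se-parm.conf.in
+The template file for the kernel parameter to be used by 'genprotimg'
+
+- se-zipl2grub.conf.in
+The template file of zipl.conf for secure execution
+
+- SUSE_S390_SE_ENABLE
+The variable to enable s390x Secure Execution
+
+- SUSE_S390_SE_HOST_KEY
+The variable to set the file list to the host key documents
+
+- SUSE_S390_SE_HOST_KEY_SIGNING_KEY
+The variable to set the file list to the signing key certificates
+
+- SUSE_S390_SE_CA_CERT
+The variable to set the file path to the CA certificate
+
+- SUSE_S390_SE_REVOCATION_LIST
+The variable to set the file list of the host key revocation lists
+
+When enabling Secure Execution, the zipl initrd is generated in
+"/dev/shm/zipl-se" instead of "/boot/zipl" because the zipl initrd
+may contain the LUKS key for the encrypted root partition. Then,
+'genprotimg' stores the encrypted image, a combination of the zipl
+kernel, zipl initrd, and the kernel parameters, as
+"/boot/secure-linux-$version". To make the image ready for zipl,
+it is copied to "/boot/zipl/secure-linux-$version" and linked to
+"/boot/zipl/secure-linux" which is expected by the zipl config.
+---
+Makefile.util.def | 17 +++
+util/s390x/se-parm.conf.in | 1 +
+util/s390x/se-zipl2grub.conf.in | 17 +++
+util/s390x/zipl2grub.pl.in | 202 ++++++++++++++++++++++++++------
+4 files changed, 198 insertions(+), 39 deletions(-)
+create mode 100644 util/s390x/se-parm.conf.in
+create mode 100644 util/s390x/se-zipl2grub.conf.in
+
+diff --git a/Makefile.util.def b/Makefile.util.def
+index ffedea24a..722542933 100644
+--- a/Makefile.util.def
++++ b/Makefile.util.def
+@@ -796,6 +796,23 @@ data = {
+emu_condition = COND_s390x;
+};
+
++data = {
++ name = se-parm.conf.in;
++ common = util/s390x/se-parm.conf.in;
++ installdir = grubconf;
++ enable = emu;
++ emu_condition = COND_s390x;
++};
++
++data = {
++ name = se-zipl2grub.conf.in;
++ common = util/s390x/se-zipl2grub.conf.in;
++ installdir = grubconf;
++ enable = emu;
++ emu_condition = COND_s390x;
++};
++
++
+script = {
+name = dracut-module-setup.sh;
+common = util/s390x/dracut-module-setup.sh.in;
+diff --git a/util/s390x/se-parm.conf.in b/util/s390x/se-parm.conf.in
+new file mode 100644
+index 000000000..63959b753
+--- /dev/null
++++ b/util/s390x/se-parm.conf.in
+@@ -0,0 +1 @@
++root=@GRUB_DEVICE@ @GRUB_EMU_CONMODE@ @GRUB_CMDLINE_LINUX@ @GRUB_CMDLINE_LINUX_DEFAULT@ initgrub quiet splash=silent plymouth.enable=0
+diff --git a/util/s390x/se-zipl2grub.conf.in b/util/s390x/se-zipl2grub.conf.in
+new file mode 100644
+index 000000000..e9feeb9b6
+--- /dev/null
++++ b/util/s390x/se-zipl2grub.conf.in
+@@ -0,0 +1,17 @@
++## This is the template for '@zipldir@/config' and is subject to
++## rpm's %config file handling in case of grub2-s390x-emu package update.
++
++[defaultboot]
++defaultmenu = menu
++
++[grub2-secure]
++ target = @zipldir@
++ image = @zipldir@/secure-linux
++
++:menu
++ target = @zipldir@
++ timeout = 60
++ default = 1
++ prompt = 0
++ secure = @SUSE_SECURE_BOOT@
++ 1 = grub2-secure
+diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
+index 46b902209..930ecc4cd 100644
+--- a/util/s390x/zipl2grub.pl.in
++++ b/util/s390x/zipl2grub.pl.in
+@@ -12,10 +12,19 @@ my $definitrd = "/boot/initrd";
+my $Image = "$defimage";
+my $previous = ".prev";
+my $zipldir = "";
++my $imgdir = "";
+my $running = "";
+my $refresh = 1; # needs to default to "on" until most bugs are shaken out!
+my $force = 0;
+my $hostonly = 1;
++my $secure_exec = 0;
++my $sehostkey = "";
++my $sesignkey = "";
++my $secacert = "";
++my $serevoke = "";
++my $separm= "";
++my $se_zipconf = '@sysconfdir@/default/se-zipl2grub.conf.in';
++my $se_kernparm = '@sysconfdir@/default/se-parm.conf.in';
+my $verbose = 0;
+my $debug = 0;
+my $miss = 0;
+@@ -183,6 +192,55 @@ sub ChkInitrd($$) {
+return $found;
+}
+
++sub GenSEImage($$$$) {
++ my( $kernel, $initrd, $parm, $out_image) = @_;
++
++ # genprotimg -i <kernel-image-file> \
++ # -r <initrd-file>> \
++ # -p <parm-file> \
++ # --host-key-document <host-key-doc> \
++ # --cert ibm-z-host-key-signing.crt \
++ # --cert DigiCertCA.crt \
++ # --crl revocation.crl \
++ # -o /boot/zipl/secure-linux
++
++ my @C = ( "genprotimg", "-i", $kernel, "-r", $initrd, "-p", $parm,
++ "--cert", $secacert);
++
++ # Handle the host key document list
++ if ($sehostkey) {
++ my @sehostkey_list = split('[,\s]+', $sehostkey);
++ my $hkd;
++ foreach $hkd (@sehostkey_list) {
++ Panic( 1, "$C: host key document '$hkd' not readable!?\n") unless (-r $hkd);
++ push @C, "--host-key-document", $hkd;
++ }
++ }
++
++ # Handle the signing key list
++ if ($sesignkey) {
++ my @sesignkey_list = split('[,\s]+', $sesignkey);
++ my $signkey;
++ foreach $signkey (@sesignkey_list) {
++ Panic( 1, "$C: signing key '$signkey' not readable!?\n") unless (-r $signkey);
++ push @C, "--cert", $signkey;
++ }
++ }
++
++ # Handle the revocation list files
++ if ($serevoke) {
++ my @serevoke_list = split('[,\s]+', $serevoke);
++ my $crl;
++ foreach $crl (@serevoke_list) {
++ Panic( 1, "$C: revocation list '$crl' not readable!?\n") unless (-r $crl);
++ push @C, "--crl", $crl;
++ }
++ }
++
++ push @C, "-o", "$out_image";
++ System( @C);
++}
++
+sub Usage($) {
+my @cat = ("",
+"Parameter error.",
+@@ -401,49 +459,91 @@ if ( $debug && $verbose > 2 ) {
+}
+}
+
+-open( IN, "< $in") ||
+- Panic( 1, "$C: Failed to open 'zipl.conf' template: $!.\n");
+-while ( <IN> ) {
+- Info( 4, "$.. <$_$.. >");
+- if ( $. == 1 && m{^## This} ) {
+- $_ = "## This file was written by 'grub2-install/$C'\n" .
+- "## filling '$in' as template\n";
+- } elsif ( $. == 2 && m{^## rpm's} ) {
+- $_ = "## with values from '$default'.\n" .
+- "## In-place modifications will eventually go missing!\n";
++#
++# s390x Secure Execution variables
++#
++# SUSE_S390_SE_ENABLE: enabling s390x Secure Execution
++# SUSE_S390_SE_HOST_KEY: the host key
++# SUSE_S390_SE_HOST_KEY_SIGNING_KEY: the signing key of the host key
++# SUSE_S390_SE_CA_CERT: the CA certificate
++# SUSE_S390_SE_REVOCATION_LIST: the revocation list
++#
++if ( -r $C{SUSE_S390_SE_HOST_KEY} && -r $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY} &&
++ -r $C{SUSE_S390_SE_CA_CERT}) {
++
++ $sehostkey = $C{SUSE_S390_SE_HOST_KEY};
++ $sesignkey = $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY};
++ $secacert = $C{SUSE_S390_SE_CA_CERT};
++
++ $serevoke = $C{SUSE_S390_SE_REVOCATION_LIST} if $C{SUSE_S390_SE_REVOCATION_LIST};
++
++ if ( $C{SUSE_S390_SE_ENABLE} =~ m{^(yes|true|1)$} ) {
++ $secure_exec = 1;
+}
+- while ( m{\@([^\@\s]+)\@} ) {
+- my $k = $1;
+- my $v;
+- if ( exists( $C{$k}) ) {
+- $v = $C{$k};
+- } elsif ( exists( $Mandatory{$k}) ) {
+- $v = "$k";
+- $miss++;
+- } else {
+- $v = "";
++}
++
++sub MkConfig($$) {
++ my( $template, $name) = @_;
++ open( IN, "< $template") ||
++ Panic( 1, "$C: Failed to open '$name' template: $!.\n");
++ while ( <IN> ) {
++ Info( 4, "$.. <$_$.. >");
++ if ( $. == 1 && m{^## This} ) {
++ $_ = "## This file was written by 'grub2-install/$C'\n" .
++ "## filling '$template' as template\n";
++ } elsif ( $. == 2 && m{^## rpm's} ) {
++ $_ = "## with values from '$default'.\n" .
++ "## In-place modifications will eventually go missing!\n";
+}
+- if ($k eq "GRUB_DEVICE") {
+- if (($v !~ /^UUID/ && ! -e $v) ||
+- (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
+- $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
+- s{root=\@$k\@}{}g;
+- next;
++ while ( m{\@([^\@\s]+)\@} ) {
++ my $k = $1;
++ my $v;
++ if ( exists( $C{$k}) ) {
++ $v = $C{$k};
++ } elsif ( exists( $Mandatory{$k}) ) {
++ $v = "$k";
++ $miss++;
++ } else {
++ $v = "";
++ }
++ if ($k eq "GRUB_DEVICE") {
++ if (($v !~ /^UUID/ && ! -e $v) ||
++ (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
++ $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
++ s{root=\@$k\@}{}g;
++ next;
++ }
+}
++ s{\@$k\@}{$v}g;
+}
+- s{\@$k\@}{$v}g;
++ Info( 3, $_);
++ $cfg .= $_;
++ }
++ if ( $miss ) {
++ Info( 1, "Partially filled config:\n===\n$cfg===\n");
++ Panic( 1, "$C: '$name' template could not be filled. \n");
+}
+- Info( 3, $_);
+- $cfg .= $_;
+}
+-if ( $miss ) {
+- Info( 1, "Partially filled config:\n===\n$cfg===\n");
+- Panic( 1, "$C: 'zipl.conf' template could not be filled. \n");
++
++if ( $secure_exec ) {
++ # create the kernel parameter file
++ MkConfig($se_kernparm, "parm.conf");
++ $separm = $cfg;
++
++ # clean up $cfg to reuse the variable for zipl.conf
++ $cfg = "";
++ MkConfig($se_zipconf, "zipl.conf");
++ $imgdir = "/dev/shm/zipl-se";
++
++ mkdir ($imgdir, 0700) unless (-d $imgdir);
++} else {
++ MkConfig($in, "zipl.conf");
++ $imgdir = $zipldir;
+}
+
+# copy out kernel and initrd
+-my $ziplimage = "$zipldir/image";
+-my $ziplinitrd = "$zipldir/initrd";
++my $ziplimage = "$imgdir/image";
++my $ziplinitrd = "$imgdir/initrd";
+
+if ( ! $running && ! $force ) {
+chomp( $running = qx{uname -r});
+@@ -478,18 +578,42 @@ my $initrd = "initrd-$version";
+$image = "image-$version";
+
+if ( ! -r $ziplimage || ! -r $ziplinitrd || $refresh ) {
+- BootCopy( $Image, $image, $zipldir, "image");
+- BootCopy( $initrd, $initrd, $zipldir, "initrd")
++ BootCopy( $Image, $image, $imgdir, "image");
++ BootCopy( $initrd, $initrd, $imgdir, "initrd")
+if (-r "/boot/$initrd" && ! exists( $fsdev{"/boot"}));
+}
+-if ( $refresh || ChkInitrd( $zipldir, "initrd") <= 0 ) {
+- MkInitrd( $initrd, $zipldir, $version);
++if ( $refresh || ChkInitrd( $imgdir, "initrd") <= 0 ) {
++ MkInitrd( $initrd, $imgdir, $version);
+}
+-if ( ChkInitrd( $zipldir, "initrd") == 0 ) {
++if ( ChkInitrd( $imgdir, "initrd") == 0 ) {
+Info( 0, "$C: dracut does not work as expected! Help needed!\n");
+$miss++;
+}
+
++if ( $secure_exec ) {
++ my $seimage = "secure-linux-$version";
++ my $parmconf = "$imgdir/parm.conf";
++ my $bootseimg = "/boot/$seimage";
++
++ # write parm.conf
++ if ( ! $debug ) {
++ open( OUT, "> $parmconf") || die;
++ print( OUT $separm) || die;
++ close( OUT);
++ } else {
++ print( STDERR $separm);
++ }
++
++ # Create the secure-execution image in /boot first
++ GenSEImage( $ziplimage, $ziplinitrd, $parmconf, $bootseimg );
++
++ # check /boot/$seimage
++ Panic( 1, "$C: Secure Image '$bootseimg' not readable!?\n") unless (-r "$bootseimg");
++
++ # copy /boot/$seimage to $zipldir
++ BootCopy($seimage, $seimage, $zipldir, "secure-linux");
++}
++
+# write zipl config file
+my $ziplconf = "$zipldir/config";
+$cfg =~ s{#@}{}g if ( -r "$ziplimage$previous" && -r "$ziplinitrd$previous" );
+--
+2.43.0
+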
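Review bot: `mkdir ($imgdir, 0700) unless (-d $imgdir);` in the `$secure_exec` branch reuses a fixed, predictable path under the world-writable /dev/shm, so a directory already created there by any local user (or a symlink to one, which `-d` follows) is accepted as-is and the zipl initrd — which the commit message says may carry the LUKS key — is then written into a location the script neither created nor owns. A unique, root-owned directory avoids that and also supplies the cleanup of the key-bearing initrd that the hunk currently lacks: `$imgdir = tempdir("zipl-se.XXXXXX", DIR => "/dev/shm", CLEANUP => 1);` with `use File::Temp qw(tempdir);` next to the other declarations; the path is otherwise only reached through `$imgdir`, so nothing else in the hunk depends on the literal name. Relatedly, the result of `System( @C);` in GenSEImage is not checked and the later `-r "$bootseimg"` test would also pass on a stale image from an earlier run, so if System() does not Panic on a non-zero exit (it is defined outside this hunk) the genprotimg outcome should be verified, e.g. by unlinking `$bootseimg` before the call. The top-level statement run of zipl2grub.pl.in that these hunks cut through continues outside the hunk.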
@ -1,3 +1,24 @@
|
|||||||
|
From 2a86e5f9e3abb622d2e16ee5f05b1ba2df1f756d Mon Sep 17 00:00:00 2001
|
||||||
|
From: Gary Lin <glin@suse.com>
|
||||||
|
Date: Tue, 6 Aug 2024 14:46:17 +0800
|
||||||
|
Subject: [PATCH] zipl2grub.pl.in: add the switch for hostonly/no-hostonly
|
||||||
|
|
||||||
|
Since the kiwi build environment could be very different from the real
|
||||||
|
system environment, it may cause some problem to build the zipl initrd
|
||||||
|
with '--hostonly' since some critical files could be omitted
|
||||||
|
accidentally. To avoid the potential issues, this commit introduces a
|
||||||
|
variable, SUSE_S390_DRACUT_HOSTONLY, as the switch to use hostonly or
|
||||||
|
no-hostonly for the zipl initrd. By default, it's detected automatically
|
||||||
|
by tracing the root partition to the root block device. If the root
|
||||||
|
block device is a loop device, then it's likely to be a build
|
||||||
|
environment, and then '--no-hostonly' will be used to create the zipl
|
||||||
|
initrd.
|
||||||
|
|
||||||
|
Signed-off-by: Gary Lin <glin@suse.com>
|
||||||
|
---
|
||||||
|
util/s390x/zipl2grub.pl.in | 26 +++++++++++++++++++++++++-
|
||||||
|
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
|
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
|
||||||
index f4f997100..46b902209 100644
|
index f4f997100..46b902209 100644
|
||||||
--- a/util/s390x/zipl2grub.pl.in
|
--- a/util/s390x/zipl2grub.pl.in
|
||||||
@ -50,3 +71,6 @@ index f4f997100..46b902209 100644
|
|||||||
if ( $debug && $verbose > 2 ) {
|
if ( $debug && $verbose > 2 ) {
|
||||||
foreach ( sort( keys( %C)) ) {
|
foreach ( sort( keys( %C)) ) {
|
||||||
printf( "%s=\"%s\"\n", $_, $C{$_});
|
printf( "%s=\"%s\"\n", $_, $C{$_});
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
||||||
|
101
grub2.changes
101
grub2.changes
@ -1,3 +1,104 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Sun Dec 8 10:22:43 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Update PowerPC SBAT patches to upstream (bsc#1233730)
|
||||||
|
* 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
|
||||||
|
* 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
|
||||||
|
- Replaced patches
|
||||||
|
* 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
|
||||||
|
* 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Dec 6 16:40:54 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix missing requires in SLE package (bsc#1234264) (bsc#1234272)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Dec 3 07:18:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Update the TPM2 patches to the upstream final version
|
||||||
|
* Update 0001-key_protector-Add-key-protectors-framework.patch
|
||||||
|
* Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
|
||||||
|
grub2-add-tss2-support.patch
|
||||||
|
* Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
|
||||||
|
0001-key_protector-Add-TPM2-Key-Protector.patch
|
||||||
|
* Replace 0005-util-grub-protect-Add-new-tool.patch with
|
||||||
|
0001-util-grub-protect-Add-new-tool.patch
|
||||||
|
* Replace 0001-tpm2-Implement-NV-index.patch with
|
||||||
|
0001-tpm2_key_protector-Implement-NV-index.patch
|
||||||
|
* Replace 0001-tpm2-Support-authorized-policy.patch with
|
||||||
|
0001-tpm2_key_protector-Support-authorized-policy.patch
|
||||||
|
- Refresh the TPM2 related patches
|
||||||
|
* grub-read-pcr.patch
|
||||||
|
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
|
||||||
|
* grub2-bsc1220338-key_protector-implement-the-blocklist.patch
|
||||||
|
* safe_tpm_pcr_snapshot.patch
|
||||||
|
* tpm-record-pcrs.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 29 05:56:22 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||||
|
|
||||||
|
- Support s390x Secure Execution (jsc#PED-9531)
|
||||||
|
* grub2-s390x-secure-execution-support.patch
|
||||||
|
- Update grub2-s390x-set-hostonly.patch to add the patch header
|
||||||
|
and the description
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 13 01:09:47 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Revert the patches related to BLS support in grub2-mkconfig, as they are not
|
||||||
|
relevant to the current BLS integration and cause issues in older KIWI
|
||||||
|
versions, which actively force it to be enabled by default (bsc#1233196)
|
||||||
|
* 0002-Add-BLS-support-to-grub-mkconfig.patch
|
||||||
|
* 0003-Add-grub2-switch-to-blscfg.patch
|
||||||
|
* 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
|
||||||
|
* 0008-blscfg-reading-bls-fragments-if-boot-present.patch
|
||||||
|
* 0009-10_linux-Some-refinement-for-BLS.patch
|
||||||
|
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 8 14:42:12 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix previous change as the variable has to be set earlier
|
||||||
|
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 8 05:21:47 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Do not enable blscfg on s390-emu
|
||||||
|
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Nov 6 07:45:21 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix xen package contains debug_info files with the .module suffix by moving
|
||||||
|
them to a separate xen-debug subpackage (bsc#1232573)
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Fri Nov 1 08:46:36 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix grub.cfg is loaded from an unexpected fallback directory instead of the
|
||||||
|
root directory during PXE boot when grub is loaded from the tftp root
|
||||||
|
directory (bsc#1232391)
|
||||||
|
* 0001-kern-main-Fix-cmdpath-in-root-directory.patch
|
||||||
|
* grub2.spec: Refine PPC grub.elf early config to derive root from cmdpath
|
||||||
|
directly, avoiding the unneeded search
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Oct 30 08:24:15 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
|
||||||
|
- Restrict CLI access if the encrypted root device is automatically unlocked by
|
||||||
|
the TPM. LUKS password authentication is required for access to be granted
|
||||||
|
* 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
|
||||||
|
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
|
||||||
|
- Obsolete, as CLI access is now locked and granted access no longer requires
|
||||||
|
the previous restrictions
|
||||||
|
* 0002-Restrict-file-access-on-cryptodisk-print.patch
|
||||||
|
* 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
|
||||||
|
- Rediff
|
||||||
|
* 0004-Key-revocation-on-out-of-bound-file-access.patch
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Wed Oct 30 00:44:41 UTC 2024 - Michael Chang <mchang@suse.com>
|
Wed Oct 30 00:44:41 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||||
|
|
||||||
|
115
grub2.spec
115
grub2.spec
@ -339,10 +339,10 @@ Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch
|
|||||||
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
|
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
|
||||||
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
|
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
|
||||||
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
|
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
|
||||||
Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
|
Patch151: grub2-add-tss2-support.patch
|
||||||
Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch
|
Patch152: 0001-key_protector-Add-TPM2-Key-Protector.patch
|
||||||
Patch153: 0004-cryptodisk-Support-key-protectors.patch
|
Patch153: 0004-cryptodisk-Support-key-protectors.patch
|
||||||
Patch154: 0005-util-grub-protect-Add-new-tool.patch
|
Patch154: 0001-util-grub-protect-Add-new-tool.patch
|
||||||
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
|
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
|
||||||
Patch156: 0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
|
Patch156: 0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
|
||||||
Patch157: 0010-templates-import-etc-crypttab-to-grub.cfg.patch
|
Patch157: 0010-templates-import-etc-crypttab-to-grub.cfg.patch
|
||||||
@ -356,7 +356,7 @@ Patch164: 0003-ieee1275-change-the-logic-of-ieee1275_get_devargs.patch
|
|||||||
Patch165: 0004-ofpath-controller-name-update.patch
|
Patch165: 0004-ofpath-controller-name-update.patch
|
||||||
Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
|
Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
|
||||||
Patch167: grub2-increase-crypttab-path-buffer.patch
|
Patch167: grub2-increase-crypttab-path-buffer.patch
|
||||||
Patch170: 0001-tpm2-Support-authorized-policy.patch
|
Patch170: 0001-tpm2_key_protector-Support-authorized-policy.patch
|
||||||
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
|
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
|
||||||
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
|
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
|
||||||
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
|
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
|
||||||
@ -368,7 +368,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
|
|||||||
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
|
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
|
||||||
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
|
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
|
||||||
Patch183: grub2-change-bash-completion-dir.patch
|
Patch183: grub2-change-bash-completion-dir.patch
|
||||||
Patch184: 0001-tpm2-Implement-NV-index.patch
|
Patch184: 0001-tpm2_key_protector-Implement-NV-index.patch
|
||||||
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
|
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
|
||||||
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
|
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
|
||||||
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
|
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
|
||||||
@ -377,8 +377,6 @@ Patch189: arm64-Use-proper-memory-type-for-kernel-allocation.patch
|
|||||||
Patch190: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
|
Patch190: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
|
||||||
Patch191: Fix-the-size-calculation-for-the-synthesized-initrd.patch
|
Patch191: Fix-the-size-calculation-for-the-synthesized-initrd.patch
|
||||||
Patch192: 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
|
Patch192: 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
|
||||||
Patch193: 0002-Restrict-file-access-on-cryptodisk-print.patch
|
|
||||||
Patch194: 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
|
|
||||||
Patch195: 0004-Key-revocation-on-out-of-bound-file-access.patch
|
Patch195: 0004-Key-revocation-on-out-of-bound-file-access.patch
|
||||||
# Workaround for 2.12 tarball
|
# Workaround for 2.12 tarball
|
||||||
Patch196: fix_no_extra_deps_in_release_tarball.patch
|
Patch196: fix_no_extra_deps_in_release_tarball.patch
|
||||||
@ -394,14 +392,9 @@ Patch205: 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
|
|||||||
Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
|
Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
|
||||||
Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch
|
Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch
|
||||||
Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
|
Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
|
||||||
Patch209: 0002-Add-BLS-support-to-grub-mkconfig.patch
|
|
||||||
Patch210: 0003-Add-grub2-switch-to-blscfg.patch
|
|
||||||
Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
|
Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
|
||||||
Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch
|
Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch
|
||||||
Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch
|
Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch
|
||||||
Patch214: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
|
|
||||||
Patch215: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
|
|
||||||
Patch216: 0009-10_linux-Some-refinement-for-BLS.patch
|
|
||||||
Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
|
Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
|
||||||
Patch218: grub2-s390x-set-hostonly.patch
|
Patch218: grub2-s390x-set-hostonly.patch
|
||||||
Patch219: 0001-bli-Fix-crash-in-get_part_uuid.patch
|
Patch219: 0001-bli-Fix-crash-in-get_part_uuid.patch
|
||||||
@ -415,10 +408,42 @@ Patch226: 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
|
|||||||
Patch227: 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
|
Patch227: 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
|
||||||
Patch228: 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
|
Patch228: 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
|
||||||
Patch229: 0006-appendedsig-documentation.patch
|
Patch229: 0006-appendedsig-documentation.patch
|
||||||
Patch230: 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
|
Patch230: 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
|
||||||
Patch231: 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
|
Patch231: 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
|
||||||
Patch232: 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
|
Patch232: 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
|
||||||
Patch233: 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
|
Patch233: 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
|
||||||
|
Patch234: 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
|
||||||
|
Patch235: 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
|
||||||
|
Patch236: 0001-kern-main-Fix-cmdpath-in-root-directory.patch
|
||||||
|
Patch237: grub2-s390x-secure-execution-support.patch
|
||||||
|
|
||||||
|
%if 0%{?suse_version} <= 1600
|
||||||
|
Requires: gettext-runtime
|
||||||
|
%if 0%{?suse_version} >= 1140
|
||||||
|
%ifnarch s390x
|
||||||
|
Recommends: os-prober
|
||||||
|
%endif
|
||||||
|
# xorriso not available using grub2-mkrescue (bnc#812681)
|
||||||
|
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
|
||||||
|
Suggests: libburnia-tools
|
||||||
|
Suggests: mtools
|
||||||
|
%endif
|
||||||
|
%ifarch s390x
|
||||||
|
# required utilities by grub2-s390x-04-grub2-install.patch
|
||||||
|
# use 'showconsole' to determine console device. (bnc#876743)
|
||||||
|
Requires: kexec-tools
|
||||||
|
Requires: (/sbin/showconsole or /usr/sbin/showconsole)
|
||||||
|
# for /sbin/zipl used by grub2-zipl-setup
|
||||||
|
Requires: s390-tools
|
||||||
|
%endif
|
||||||
|
%ifarch ppc64 ppc64le
|
||||||
|
Requires: powerpc-utils
|
||||||
|
%endif
|
||||||
|
%ifarch %{ix86}
|
||||||
|
# meanwhile, memtest is available as EFI executable
|
||||||
|
Recommends: memtest86+
|
||||||
|
%endif
|
||||||
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1600
|
%if 0%{?suse_version} > 1600
|
||||||
# Always requires a default cpu-platform package
|
# Always requires a default cpu-platform package
|
||||||
@ -445,9 +470,7 @@ computer architectures and hardware devices.
|
|||||||
%package common
|
%package common
|
||||||
Summary: Utilies to manage grub
|
Summary: Utilies to manage grub
|
||||||
Group: System/Boot
|
Group: System/Boot
|
||||||
%endif
|
|
||||||
Requires: gettext-runtime
|
Requires: gettext-runtime
|
||||||
%if 0%{?suse_version} >= 1140
|
|
||||||
%ifnarch s390x
|
%ifnarch s390x
|
||||||
Recommends: os-prober
|
Recommends: os-prober
|
||||||
%endif
|
%endif
|
||||||
@ -455,7 +478,6 @@ Recommends: os-prober
|
|||||||
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
|
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
|
||||||
Suggests: libburnia-tools
|
Suggests: libburnia-tools
|
||||||
Suggests: mtools
|
Suggests: mtools
|
||||||
%endif
|
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
# required utilities by grub2-s390x-04-grub2-install.patch
|
# required utilities by grub2-s390x-04-grub2-install.patch
|
||||||
# use 'showconsole' to determine console device. (bnc#876743)
|
# use 'showconsole' to determine console device. (bnc#876743)
|
||||||
@ -472,7 +494,6 @@ Requires: powerpc-utils
|
|||||||
Recommends: memtest86+
|
Recommends: memtest86+
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?suse_version} > 1600
|
|
||||||
%description common
|
%description common
|
||||||
This package includes user space utlities to manage GRUB on your system.
|
This package includes user space utlities to manage GRUB on your system.
|
||||||
%endif
|
%endif
|
||||||
@ -638,6 +659,18 @@ Provides: %{name}-%{grubxenarch}:%{_datadir}/%{name}/%{grubxenarch}/zfsinf
|
|||||||
%description %{grubxenarch}-extras
|
%description %{grubxenarch}-extras
|
||||||
Unsupported modules for %{name}-%{grubxenarch}
|
Unsupported modules for %{name}-%{grubxenarch}
|
||||||
|
|
||||||
|
%package %{grubxenarch}-debug
|
||||||
|
Summary: Debug symbols for %{grubxenarch}
|
||||||
|
Group: System/Boot
|
||||||
|
BuildArch: noarch
|
||||||
|
Requires: %{name}-%{grubxenarch} = %{version}
|
||||||
|
|
||||||
|
%description %{grubxenarch}-debug
|
||||||
|
Debug symbols for %{name}-%{grubxenarch}
|
||||||
|
|
||||||
|
Information on how to debug grub can be found online:
|
||||||
|
https://www.cnblogs.com/coryxie/archive/2013/03/12/2956807.html
|
||||||
|
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%package snapper-plugin
|
%package snapper-plugin
|
||||||
@ -770,7 +803,7 @@ CD_MODULES="all_video boot cat configfile echo true \
|
|||||||
PXE_MODULES="tftp http"
|
PXE_MODULES="tftp http"
|
||||||
CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 crypttab"
|
CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 crypttab"
|
||||||
%ifarch %{efi}
|
%ifarch %{efi}
|
||||||
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tpm2 memdisk tar squash4 xzio blscfg"
|
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg"
|
||||||
PXE_MODULES="${PXE_MODULES} efinet"
|
PXE_MODULES="${PXE_MODULES} efinet"
|
||||||
%else
|
%else
|
||||||
CD_MODULES="${CD_MODULES} net ofnet"
|
CD_MODULES="${CD_MODULES} net ofnet"
|
||||||
@ -868,7 +901,7 @@ mksquashfs ./boot memdisk.sqsh -keep-as-directory -comp xz -quiet -no-progress
|
|||||||
%{?sbat_generation:--sbat sbat.csv} \
|
%{?sbat_generation:--sbat sbat.csv} \
|
||||||
-d grub-core \
|
-d grub-core \
|
||||||
all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt png reboot video \
|
all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt png reboot video \
|
||||||
fat tpm tpm2 memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
|
fat tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%ifarch x86_64 aarch64
|
%ifarch x86_64 aarch64
|
||||||
@ -948,8 +981,6 @@ echo "bpath=$bpath"
|
|||||||
if regexp '^(tftp|http)$' "$bdev"; then
|
if regexp '^(tftp|http)$' "$bdev"; then
|
||||||
if [ -z "$bpath" ]; then
|
if [ -z "$bpath" ]; then
|
||||||
echo "network booting via $bdev but firmware didn't provide loaded path from sever root"
|
echo "network booting via $bdev but firmware didn't provide loaded path from sever root"
|
||||||
bpath="/boot/grub2/powerpc-ieee1275"
|
|
||||||
echo "using bpath=$bpath as fallback path"
|
|
||||||
fi
|
fi
|
||||||
elif [ -z "$ENV_FS_UUID" ]; then
|
elif [ -z "$ENV_FS_UUID" ]; then
|
||||||
echo "Reading vars from ($bdev)"
|
echo "Reading vars from ($bdev)"
|
||||||
@ -994,6 +1025,17 @@ set prefix=""
|
|||||||
set root=""
|
set root=""
|
||||||
set cfg="grub.cfg"
|
set cfg="grub.cfg"
|
||||||
|
|
||||||
|
if regexp '^(tftp|http)$' "$bdev"; then
|
||||||
|
cfg_dir=""
|
||||||
|
root="$bdev$bpart"
|
||||||
|
if [ -z "$bpath" ]; then
|
||||||
|
bpath="/boot/grub2/powerpc-ieee1275"
|
||||||
|
echo "using bpath=$bpath as fallback path"
|
||||||
|
fi
|
||||||
|
prefix="($root)$bpath"
|
||||||
|
cfg="grub.cfg"
|
||||||
|
fi
|
||||||
|
|
||||||
for uuid in $ENV_CRYPTO_UUID; do
|
for uuid in $ENV_CRYPTO_UUID; do
|
||||||
cryptomount -u $uuid
|
cryptomount -u $uuid
|
||||||
done
|
done
|
||||||
@ -1176,7 +1218,11 @@ rm -f $R%{_sysconfdir}/grub.d/20_ppc_terminfo
|
|||||||
|
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
mv $R%{_sysconfdir}/{grub.d,default}/zipl2grub.conf.in
|
mv $R%{_sysconfdir}/{grub.d,default}/zipl2grub.conf.in
|
||||||
|
mv $R%{_sysconfdir}/{grub.d,default}/se-zipl2grub.conf.in
|
||||||
|
mv $R%{_sysconfdir}/{grub.d,default}/se-parm.conf.in
|
||||||
chmod 600 $R%{_sysconfdir}/default/zipl2grub.conf.in
|
chmod 600 $R%{_sysconfdir}/default/zipl2grub.conf.in
|
||||||
|
chmod 600 $R%{_sysconfdir}/default/se-zipl2grub.conf.in
|
||||||
|
chmod 600 $R%{_sysconfdir}/default/se-parm.conf.in
|
||||||
|
|
||||||
%define dracutlibdir %{_prefix}/lib/dracut
|
%define dracutlibdir %{_prefix}/lib/dracut
|
||||||
%define dracutgrubmoddir %{dracutlibdir}/modules.d/99grub2
|
%define dracutgrubmoddir %{dracutlibdir}/modules.d/99grub2
|
||||||
@ -1211,9 +1257,9 @@ perl -ni -e '
|
|||||||
# EXTRA_PATTERN='pattern1|pattern2|pattern3|...'
|
# EXTRA_PATTERN='pattern1|pattern2|pattern3|...'
|
||||||
EXTRA_PATTERN="zfs"
|
EXTRA_PATTERN="zfs"
|
||||||
%ifarch %{ix86} x86_64
|
%ifarch %{ix86} x86_64
|
||||||
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -type f | sed 's,%{buildroot},,' > %{grubxenarch}-all.lst
|
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -name '*.mod' | sed 's,%{buildroot},,' > %{grubxenarch}-mod-all.lst
|
||||||
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}.lst
|
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod.lst
|
||||||
grep -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}-extras.lst
|
grep -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod-extras.lst
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%ifarch %{efi}
|
%ifarch %{efi}
|
||||||
@ -1342,6 +1388,8 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
|||||||
%endif
|
%endif
|
||||||
%ifarch s390x
|
%ifarch s390x
|
||||||
%config(noreplace) %{_sysconfdir}/default/zipl2grub.conf.in
|
%config(noreplace) %{_sysconfdir}/default/zipl2grub.conf.in
|
||||||
|
%config(noreplace) %{_sysconfdir}/default/se-zipl2grub.conf.in
|
||||||
|
%config(noreplace) %{_sysconfdir}/default/se-parm.conf.in
|
||||||
%{dracutlibdir}
|
%{dracutlibdir}
|
||||||
%{_sbindir}/%{name}-zipl-setup
|
%{_sbindir}/%{name}-zipl-setup
|
||||||
%{_datadir}/%{name}/zipl-refresh
|
%{_datadir}/%{name}/zipl-refresh
|
||||||
@ -1352,7 +1400,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
|||||||
%{_sbindir}/%{name}-probe
|
%{_sbindir}/%{name}-probe
|
||||||
%{_sbindir}/%{name}-reboot
|
%{_sbindir}/%{name}-reboot
|
||||||
%{_sbindir}/%{name}-set-default
|
%{_sbindir}/%{name}-set-default
|
||||||
%{_sbindir}/%{name}-switch-to-blscfg
|
|
||||||
%{_sbindir}/%{name}-check-default
|
%{_sbindir}/%{name}-check-default
|
||||||
%{_bindir}/%{name}-editenv
|
%{_bindir}/%{name}-editenv
|
||||||
%{_bindir}/%{name}-file
|
%{_bindir}/%{name}-file
|
||||||
@ -1405,7 +1452,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
|||||||
%{_mandir}/man8/%{name}-probe.8.*
|
%{_mandir}/man8/%{name}-probe.8.*
|
||||||
%{_mandir}/man8/%{name}-reboot.8.*
|
%{_mandir}/man8/%{name}-reboot.8.*
|
||||||
%{_mandir}/man8/%{name}-set-default.8.*
|
%{_mandir}/man8/%{name}-set-default.8.*
|
||||||
%{_mandir}/man8/%{name}-switch-to-blscfg.8.*
|
|
||||||
%if %{emu}
|
%if %{emu}
|
||||||
%{_bindir}/%{name}-emu
|
%{_bindir}/%{name}-emu
|
||||||
%{_mandir}/man1/%{name}-emu.1.*
|
%{_mandir}/man1/%{name}-emu.1.*
|
||||||
@ -1526,16 +1572,27 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
|||||||
%{_libdir}/snapper/plugins/grub
|
%{_libdir}/snapper/plugins/grub
|
||||||
|
|
||||||
%ifarch %{ix86} x86_64
|
%ifarch %{ix86} x86_64
|
||||||
%files %{grubxenarch} -f %{grubxenarch}.lst
|
%files %{grubxenarch} -f %{grubxenarch}-mod.lst
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%dir %{_datadir}/%{name}/%{grubxenarch}
|
%dir %{_datadir}/%{name}/%{grubxenarch}
|
||||||
# provide compatibility sym-link for VM definitions pointing to old location
|
# provide compatibility sym-link for VM definitions pointing to old location
|
||||||
%dir %{_libdir}/%{name}
|
%dir %{_libdir}/%{name}
|
||||||
%{_libdir}/%{name}/%{grubxenarch}
|
%{_libdir}/%{name}/%{grubxenarch}
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/grub.xen
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/*.img
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/*.lst
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/kernel.exec
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/modinfo.sh
|
||||||
|
|
||||||
%files %{grubxenarch}-extras -f %{grubxenarch}-extras.lst
|
%files %{grubxenarch}-extras -f %{grubxenarch}-mod-extras.lst
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%dir %{_datadir}/%{name}/%{grubxenarch}
|
%dir %{_datadir}/%{name}/%{grubxenarch}
|
||||||
|
|
||||||
|
%files %{grubxenarch}-debug
|
||||||
|
%defattr(-,root,root,-)
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/gdb_grub
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/gdb_helper.py
|
||||||
|
%{_datadir}/%{name}/%{grubxenarch}/*.module
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%if 0%{?has_systemd:1}
|
%if 0%{?has_systemd:1}
|
||||||
|
@ -3,20 +3,21 @@
|
|||||||
util/grub-install.c | 6 ++++--
|
util/grub-install.c | 6 ++++--
|
||||||
2 files changed, 40 insertions(+), 12 deletions(-)
|
2 files changed, 40 insertions(+), 12 deletions(-)
|
||||||
|
|
||||||
--- a/grub-core/commands/tpm.c
|
Index: grub-2.12/grub-core/commands/tpm.c
|
||||||
+++ b/grub-core/commands/tpm.c
|
===================================================================
|
||||||
@@ -27,8 +27,10 @@
|
--- grub-2.12.orig/grub-core/commands/tpm.c
|
||||||
|
+++ grub-2.12/grub-core/commands/tpm.c
|
||||||
|
@@ -27,7 +27,9 @@
|
||||||
#include <grub/verify.h>
|
#include <grub/verify.h>
|
||||||
#include <grub/dl.h>
|
#include <grub/dl.h>
|
||||||
#include <grub/extcmd.h>
|
#include <grub/extcmd.h>
|
||||||
+#ifdef GRUB_MACHINE_EFI
|
+#ifdef GRUB_MACHINE_EFI
|
||||||
#include <grub/tpm2/tpm2.h>
|
|
||||||
#include <grub/efi/efi.h>
|
#include <grub/efi/efi.h>
|
||||||
+#endif
|
+#endif
|
||||||
|
|
||||||
GRUB_MOD_LICENSE ("GPLv3+");
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
@@ -97,12 +99,6 @@
|
@@ -96,12 +98,6 @@ struct grub_file_verifier grub_tpm_verif
|
||||||
.verify_string = grub_tpm_verify_string,
|
.verify_string = grub_tpm_verify_string,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -29,7 +30,7 @@
|
|||||||
static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
|
static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
|
||||||
{
|
{
|
||||||
{
|
{
|
||||||
@@ -118,6 +114,14 @@
|
@@ -117,6 +113,14 @@ static const struct grub_arg_option grub
|
||||||
{0, 0, 0, 0, 0, 0}
|
{0, 0, 0, 0, 0, 0}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -44,7 +45,7 @@
|
|||||||
static grub_err_t
|
static grub_err_t
|
||||||
grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned int *index)
|
grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned int *index)
|
||||||
{
|
{
|
||||||
@@ -269,6 +273,10 @@
|
@@ -268,6 +272,10 @@ grub_tpm_record_pcrs (grub_extcmd_contex
|
||||||
grub_size_t size = 0;
|
grub_size_t size = 0;
|
||||||
int n, rv = 1;
|
int n, rv = 1;
|
||||||
|
|
||||||
@ -55,7 +56,7 @@
|
|||||||
if (argc == 0)
|
if (argc == 0)
|
||||||
pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
|
pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
|
||||||
else
|
else
|
||||||
@@ -297,6 +305,18 @@
|
@@ -296,6 +304,18 @@ out:
|
||||||
return rv;
|
return rv;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -74,9 +75,11 @@
|
|||||||
static grub_extcmd_t cmd;
|
static grub_extcmd_t cmd;
|
||||||
|
|
||||||
GRUB_MOD_INIT (tpm)
|
GRUB_MOD_INIT (tpm)
|
||||||
--- a/util/grub-install.c
|
Index: grub-2.12/util/grub-install.c
|
||||||
+++ b/util/grub-install.c
|
===================================================================
|
||||||
@@ -1560,8 +1560,9 @@
|
--- grub-2.12.orig/util/grub-install.c
|
||||||
|
+++ grub-2.12/util/grub-install.c
|
||||||
|
@@ -1574,8 +1574,9 @@ main (int argc, char *argv[])
|
||||||
|
|
||||||
grub_util_unlink (load_cfg);
|
grub_util_unlink (load_cfg);
|
||||||
|
|
||||||
@ -87,7 +90,7 @@
|
|||||||
load_cfg_f = grub_util_fopen (load_cfg, "wb");
|
load_cfg_f = grub_util_fopen (load_cfg, "wb");
|
||||||
have_load_cfg = 1;
|
have_load_cfg = 1;
|
||||||
fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
|
fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
|
||||||
@@ -1569,7 +1570,8 @@
|
@@ -1583,7 +1584,8 @@ main (int argc, char *argv[])
|
||||||
|
|
||||||
if (debug_image && debug_image[0])
|
if (debug_image && debug_image[0])
|
||||||
{
|
{
|
||||||
|
@ -1,16 +1,17 @@
|
|||||||
--- a/grub-core/commands/tpm.c
|
Index: grub-2.12/grub-core/commands/tpm.c
|
||||||
+++ b/grub-core/commands/tpm.c
|
===================================================================
|
||||||
@@ -26,6 +26,9 @@
|
--- grub-2.12.orig/grub-core/commands/tpm.c
|
||||||
|
+++ grub-2.12/grub-core/commands/tpm.c
|
||||||
|
@@ -26,6 +26,8 @@
|
||||||
#include <grub/term.h>
|
#include <grub/term.h>
|
||||||
#include <grub/verify.h>
|
#include <grub/verify.h>
|
||||||
#include <grub/dl.h>
|
#include <grub/dl.h>
|
||||||
+#include <grub/extcmd.h>
|
+#include <grub/extcmd.h>
|
||||||
+#include <grub/tpm2/tpm2.h>
|
|
||||||
+#include <grub/efi/efi.h>
|
+#include <grub/efi/efi.h>
|
||||||
|
|
||||||
GRUB_MOD_LICENSE ("GPLv3+");
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
@@ -94,8 +97,214 @@
|
@@ -94,8 +96,214 @@ struct grub_file_verifier grub_tpm_verif
|
||||||
.verify_string = grub_tpm_verify_string,
|
.verify_string = grub_tpm_verify_string,
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -225,7 +226,7 @@
|
|||||||
/*
|
/*
|
||||||
* Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
|
* Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
|
||||||
* it does seem to call it late enough in the initialization sequence so
|
* it does seem to call it late enough in the initialization sequence so
|
||||||
@@ -109,6 +318,7 @@
|
@@ -109,6 +317,7 @@ GRUB_MOD_INIT (tpm)
|
||||||
|
|
||||||
GRUB_MOD_FINI (tpm)
|
GRUB_MOD_FINI (tpm)
|
||||||
{
|
{
|
||||||
|