Sync from SUSE:SLFO:Main grub2 revision 3010d884e9d64ab422fda75d82b89c60
This commit is contained in:
parent
5668489852
commit
88730040a1
374
0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
Normal file
374
0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
Normal file
@ -0,0 +1,374 @@
|
||||
From c7dd3dd296592fef6166170121b54aafe634369f Mon Sep 17 00:00:00 2001
|
||||
From: Alec Brown <alec.r.brown@oracle.com>
|
||||
Date: Wed, 24 Jan 2024 06:26:37 +0000
|
||||
Subject: [PATCH 1/2] cli_lock: Add build option to block command line
|
||||
interface
|
||||
|
||||
Add functionality to disable command line interface access and editing of GRUB
|
||||
menu entries if GRUB image is built with --disable-cli.
|
||||
|
||||
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
|
||||
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
docs/grub.texi | 6 ++++--
|
||||
grub-core/kern/main.c | 28 ++++++++++++++++++++++++++++
|
||||
grub-core/kern/rescue_reader.c | 13 +++++++++++++
|
||||
grub-core/normal/auth.c | 3 +++
|
||||
grub-core/normal/menu_text.c | 31 +++++++++++++++++--------------
|
||||
include/grub/kernel.h | 3 ++-
|
||||
include/grub/misc.h | 2 ++
|
||||
include/grub/util/install.h | 8 ++++++--
|
||||
util/grub-install-common.c | 11 ++++++++---
|
||||
util/grub-mkimage.c | 9 ++++++++-
|
||||
util/mkimage.c | 16 +++++++++++++++-
|
||||
11 files changed, 106 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index 00c5fdc44..e89007920 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -6523,8 +6523,10 @@ the GRUB command line, edit menu entries, and execute any menu entry. If
|
||||
@samp{superusers} is set, then use of the command line and editing of menu
|
||||
entries are automatically restricted to superusers. Setting @samp{superusers}
|
||||
to empty string effectively disables both access to CLI and editing of menu
|
||||
-entries. Note: The environment variable needs to be exported to also affect
|
||||
-the section defined by the @samp{submenu} command (@pxref{submenu}).
|
||||
+entries. Building a grub image with @samp{--disable-cli} option will also
|
||||
+disable access to CLI and editing of menu entries, as well as disabling rescue
|
||||
+mode. Note: The environment variable needs to be exported to also affect the
|
||||
+section defined by the @samp{submenu} command (@pxref{submenu}).
|
||||
|
||||
Other users may be allowed to execute specific menu entries by giving a list of
|
||||
usernames (as above) using the @option{--users} option to the
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index 02df49206..07b6940d2 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -30,11 +30,14 @@
|
||||
#include <grub/reader.h>
|
||||
#include <grub/parser.h>
|
||||
#include <grub/verify.h>
|
||||
+#include <grub/types.h>
|
||||
|
||||
#ifdef GRUB_MACHINE_PCBIOS
|
||||
#include <grub/machine/memory.h>
|
||||
#endif
|
||||
|
||||
+static bool cli_disabled = false;
|
||||
+
|
||||
grub_addr_t
|
||||
grub_modules_get_end (void)
|
||||
{
|
||||
@@ -237,6 +240,28 @@ grub_load_normal_mode (void)
|
||||
grub_command_execute ("normal", 0, 0);
|
||||
}
|
||||
|
||||
+bool
|
||||
+grub_is_cli_disabled (void)
|
||||
+{
|
||||
+ return cli_disabled;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+check_is_cli_disabled (void)
|
||||
+{
|
||||
+ struct grub_module_header *header;
|
||||
+ header = 0;
|
||||
+
|
||||
+ FOR_MODULES (header)
|
||||
+ {
|
||||
+ if (header->type == OBJ_TYPE_DISABLE_CLI)
|
||||
+ {
|
||||
+ cli_disabled = true;
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static void
|
||||
reclaim_module_space (void)
|
||||
{
|
||||
@@ -294,6 +319,9 @@ grub_main (void)
|
||||
|
||||
grub_boot_time ("After loading embedded modules.");
|
||||
|
||||
+ /* Check if the CLI should be disabled */
|
||||
+ check_is_cli_disabled ();
|
||||
+
|
||||
/* It is better to set the root device as soon as possible,
|
||||
for convenience. */
|
||||
grub_set_prefix_and_root ();
|
||||
diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
|
||||
index dcd7d4439..4259857ba 100644
|
||||
--- a/grub-core/kern/rescue_reader.c
|
||||
+++ b/grub-core/kern/rescue_reader.c
|
||||
@@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
|
||||
void __attribute__ ((noreturn))
|
||||
grub_rescue_run (void)
|
||||
{
|
||||
+ /* Stall if the CLI has been disabled */
|
||||
+ if (grub_is_cli_disabled ())
|
||||
+ {
|
||||
+ grub_printf ("Rescue mode has been disabled...\n");
|
||||
+
|
||||
+ do
|
||||
+ {
|
||||
+ /* Do not optimize out the loop. */
|
||||
+ asm volatile ("");
|
||||
+ }
|
||||
+ while (1);
|
||||
+ }
|
||||
+
|
||||
grub_printf ("Entering rescue mode...\n");
|
||||
|
||||
while (1)
|
||||
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
|
||||
index 517fc623f..d94020186 100644
|
||||
--- a/grub-core/normal/auth.c
|
||||
+++ b/grub-core/normal/auth.c
|
||||
@@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
|
||||
char entered[GRUB_AUTH_MAX_PASSLEN];
|
||||
struct grub_auth_user *user;
|
||||
|
||||
+ if (grub_is_cli_disabled ())
|
||||
+ return GRUB_ACCESS_DENIED;
|
||||
+
|
||||
grub_memset (login, 0, sizeof (login));
|
||||
|
||||
if (is_authenticated (userlist))
|
||||
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
|
||||
index ae92050d7..56c6f7797 100644
|
||||
--- a/grub-core/normal/menu_text.c
|
||||
+++ b/grub-core/normal/menu_text.c
|
||||
@@ -194,21 +194,24 @@ command-line or ESC to discard edits and return to the GRUB menu."),
|
||||
grub_free (msg_translated);
|
||||
#endif
|
||||
|
||||
- if (nested)
|
||||
+ if (!grub_is_cli_disabled ())
|
||||
{
|
||||
- ret += grub_print_message_indented_real
|
||||
- (_("Press enter to boot the selected OS, "
|
||||
- "`e' to edit the commands before booting "
|
||||
- "or `c' for a command-line. ESC to return previous menu."),
|
||||
- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
|
||||
- }
|
||||
- else
|
||||
- {
|
||||
- ret += grub_print_message_indented_real
|
||||
- (_("Press enter to boot the selected OS, "
|
||||
- "`e' to edit the commands before booting "
|
||||
- "or `c' for a command-line."),
|
||||
- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
|
||||
+ if (nested)
|
||||
+ {
|
||||
+ ret += grub_print_message_indented_real
|
||||
+ (_("Press enter to boot the selected OS, "
|
||||
+ "`e' to edit the commands before booting "
|
||||
+ "or `c' for a command-line. ESC to return previous menu."),
|
||||
+ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ ret += grub_print_message_indented_real
|
||||
+ (_("Press enter to boot the selected OS, "
|
||||
+ "`e' to edit the commands before booting "
|
||||
+ "or `c' for a command-line."),
|
||||
+ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
return ret;
|
||||
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
|
||||
index d3aafc884..9f3e2031f 100644
|
||||
--- a/include/grub/kernel.h
|
||||
+++ b/include/grub/kernel.h
|
||||
@@ -31,7 +31,8 @@ enum
|
||||
OBJ_TYPE_GPG_PUBKEY,
|
||||
OBJ_TYPE_X509_PUBKEY,
|
||||
OBJ_TYPE_DTB,
|
||||
- OBJ_TYPE_DISABLE_SHIM_LOCK
|
||||
+ OBJ_TYPE_DISABLE_SHIM_LOCK,
|
||||
+ OBJ_TYPE_DISABLE_CLI
|
||||
};
|
||||
|
||||
/* The module header. */
|
||||
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
||||
index 1b35a167f..1578f36c3 100644
|
||||
--- a/include/grub/misc.h
|
||||
+++ b/include/grub/misc.h
|
||||
@@ -391,6 +391,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
|
||||
grub_uint64_t d,
|
||||
grub_uint64_t *r);
|
||||
|
||||
+extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
|
||||
+
|
||||
/* Must match softdiv group in gentpl.py. */
|
||||
#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
|
||||
(defined(__riscv) && (__riscv_xlen == 32)))
|
||||
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||||
index 38c6da73b..a4aac7b85 100644
|
||||
--- a/include/grub/util/install.h
|
||||
+++ b/include/grub/util/install.h
|
||||
@@ -72,6 +72,8 @@
|
||||
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||||
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||||
1}, \
|
||||
+ { "disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, \
|
||||
+ N_("disabled command line interface access"), 0 }, \
|
||||
{ "verbose", 'v', 0, 0, \
|
||||
N_("print verbose messages."), 1 }
|
||||
|
||||
@@ -136,7 +138,8 @@ enum grub_install_options {
|
||||
GRUB_INSTALL_OPTIONS_DTB,
|
||||
GRUB_INSTALL_OPTIONS_SBAT,
|
||||
GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK,
|
||||
- GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
|
||||
+ GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,
|
||||
+ GRUB_INSTALL_OPTIONS_DISABLE_CLI
|
||||
};
|
||||
|
||||
extern char *grub_install_source_directory;
|
||||
@@ -199,7 +202,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
const struct grub_install_image_target_desc *image_target,
|
||||
int note, size_t appsig_size,
|
||||
grub_compression_t comp, const char *dtb_file,
|
||||
- const char *sbat_path, const int disable_shim_lock);
|
||||
+ const char *sbat_path, const int disable_shim_lock,
|
||||
+ const int disable_cli);
|
||||
|
||||
const struct grub_install_image_target_desc *
|
||||
grub_install_get_image_target (const char *arg);
|
||||
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||||
index 75fa03995..344dca664 100644
|
||||
--- a/util/grub-install-common.c
|
||||
+++ b/util/grub-install-common.c
|
||||
@@ -469,6 +469,7 @@ static char **x509keys;
|
||||
static size_t nx509keys;
|
||||
static grub_compression_t compression;
|
||||
static size_t appsig_size;
|
||||
+static int disable_cli;
|
||||
|
||||
int
|
||||
grub_install_parse (int key, char *arg)
|
||||
@@ -514,6 +515,9 @@ grub_install_parse (int key, char *arg)
|
||||
* (nx509keys + 1));
|
||||
x509keys[nx509keys++] = xstrdup (arg);
|
||||
return 1;
|
||||
+ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
|
||||
+ disable_cli = 1;
|
||||
+ return 1;
|
||||
|
||||
case GRUB_INSTALL_OPTIONS_VERBOSITY:
|
||||
verbosity++;
|
||||
@@ -707,12 +711,13 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||
|
||||
grub_util_info ("grub-mkimage --directory '%s' --prefix '%s' --output '%s'"
|
||||
" --format '%s' --compression '%s'"
|
||||
- " --appended-signature-size %zu%s%s%s\n",
|
||||
+ " --appended-signature-size %zu%s%s%s%s\n",
|
||||
dir, prefix, outname,
|
||||
mkimage_target, compnames[compression],
|
||||
appsig_size,
|
||||
note ? " --note" : "",
|
||||
- disable_shim_lock ? " --disable-shim-lock" : "", s);
|
||||
+ disable_shim_lock ? " --disable-shim-lock" : "",
|
||||
+ disable_cli ? " --disable-cli" : "", s);
|
||||
free (s);
|
||||
|
||||
tgt = grub_install_get_image_target (mkimage_target);
|
||||
@@ -724,7 +729,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||
pubkeys, npubkeys, x509keys, nx509keys,
|
||||
config_path, tgt,
|
||||
note, appsig_size, compression, dtb, sbat,
|
||||
- disable_shim_lock);
|
||||
+ disable_shim_lock, disable_cli);
|
||||
while (dc--)
|
||||
grub_install_pop_module ();
|
||||
}
|
||||
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||||
index 7d61ef3ea..351a5e430 100644
|
||||
--- a/util/grub-mkimage.c
|
||||
+++ b/util/grub-mkimage.c
|
||||
@@ -84,6 +84,7 @@ static struct argp_option options[] = {
|
||||
{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
|
||||
{"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
|
||||
{"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0},
|
||||
+ {"disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, N_("disable command line interface access"), 0},
|
||||
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
|
||||
{"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
|
||||
{ 0, 0, 0, 0, 0, 0 }
|
||||
@@ -133,6 +134,7 @@ struct arguments
|
||||
int note;
|
||||
int disable_shim_lock;
|
||||
size_t appsig_size;
|
||||
+ int disable_cli;
|
||||
const struct grub_install_image_target_desc *image_target;
|
||||
grub_compression_t comp;
|
||||
};
|
||||
@@ -259,6 +261,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||
arguments->disable_shim_lock = 1;
|
||||
break;
|
||||
|
||||
+ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
|
||||
+ arguments->disable_cli = 1;
|
||||
+ break;
|
||||
+
|
||||
case 'v':
|
||||
verbosity++;
|
||||
break;
|
||||
@@ -347,7 +353,8 @@ main (int argc, char *argv[])
|
||||
arguments.image_target, arguments.note,
|
||||
arguments.appsig_size,
|
||||
arguments.comp, arguments.dtb,
|
||||
- arguments.sbat, arguments.disable_shim_lock);
|
||||
+ arguments.sbat, arguments.disable_shim_lock,
|
||||
+ arguments.disable_cli);
|
||||
|
||||
if (grub_util_file_sync (fp) < 0)
|
||||
grub_util_error (_("cannot sync `%s': %s"), arguments.output ? : "stdout",
|
||||
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||
index 0737935fd..d6cc13475 100644
|
||||
--- a/util/mkimage.c
|
||||
+++ b/util/mkimage.c
|
||||
@@ -889,7 +889,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
const struct grub_install_image_target_desc *image_target,
|
||||
int note, size_t appsig_size, grub_compression_t comp,
|
||||
const char *dtb_path, const char *sbat_path,
|
||||
- int disable_shim_lock)
|
||||
+ int disable_shim_lock,
|
||||
+ int disable_cli)
|
||||
{
|
||||
char *kernel_img, *core_img;
|
||||
size_t total_module_size, core_size;
|
||||
@@ -964,6 +965,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
if (disable_shim_lock)
|
||||
total_module_size += sizeof (struct grub_module_header);
|
||||
|
||||
+ if (disable_cli)
|
||||
+ total_module_size += sizeof (struct grub_module_header);
|
||||
+
|
||||
if (config_path)
|
||||
{
|
||||
config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1);
|
||||
@@ -1130,6 +1134,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
offset += sizeof (*header);
|
||||
}
|
||||
|
||||
+ if (disable_cli)
|
||||
+ {
|
||||
+ struct grub_module_header *header;
|
||||
+
|
||||
+ header = (struct grub_module_header *) (kernel_img + offset);
|
||||
+ header->type = grub_host_to_target32 (OBJ_TYPE_DISABLE_CLI);
|
||||
+ header->size = grub_host_to_target32 (sizeof (*header));
|
||||
+ offset += sizeof (*header);
|
||||
+ }
|
||||
+
|
||||
if (config_path)
|
||||
{
|
||||
struct grub_module_header *header;
|
||||
--
|
||||
2.46.0
|
||||
|
66
0001-kern-main-Fix-cmdpath-in-root-directory.patch
Normal file
66
0001-kern-main-Fix-cmdpath-in-root-directory.patch
Normal file
@ -0,0 +1,66 @@
|
||||
From 56b221476d31310de485af26550c8651618832bb Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Tue, 29 Oct 2024 11:54:28 +0800
|
||||
Subject: [PATCH] kern/main: Fix cmdpath in root directory
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The "cmdpath" environment variable is set at startup to the location
|
||||
from which the grub image is loaded. It includes a device part and,
|
||||
optionally, an absolute directory name if the grub image is booted as a
|
||||
file in a local file-system directory, or in a remote server directory,
|
||||
like TFTP.
|
||||
|
||||
This entire process relies on firmware to provide the correct device
|
||||
path of the booted image.
|
||||
|
||||
We encountered an issue when the image is booted from the root
|
||||
directory, where the absolute directory name "/" is discarded. This
|
||||
makes it unclear whether the root path was missing in the firmware
|
||||
provided device path or if it is simply the root directory. This
|
||||
ambiguity can cause confusion in custom scripts, potentially causing
|
||||
them to interpret firmware data incorrectly and trigger unintended
|
||||
fallback measures.
|
||||
|
||||
This patch fixes the problem by properly assigning the "fwpath" returned
|
||||
by "grub_machine_get_bootlocation()" to "cmdpath". The fix is based on
|
||||
the fact that fwpath is NULL if the firmware didn’t provide a path part
|
||||
or an NUL character, "", if it represents the root directory. With this,
|
||||
it becomes possible to clearly distinguish:
|
||||
|
||||
- cmdpath=(hd0,1) - Either the image is booted from the first (raw)
|
||||
partition, or the firmware failed to provide the path part.
|
||||
- cmdpath=(hd0,1)/ - The image is booted from the root directory in the
|
||||
first partition.
|
||||
|
||||
As a side note, the fix is similar to [1], but without the renaming
|
||||
part.
|
||||
|
||||
[1] https://mail.gnu.org/archive/html/grub-devel/2024-10/msg00155.html
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/kern/main.c | 6 +++++-
|
||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index ef3b3756d..f9ab12c74 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -136,7 +136,11 @@ grub_set_prefix_and_root (void)
|
||||
{
|
||||
char *cmdpath;
|
||||
|
||||
- cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
|
||||
+ if (fwpath && *fwpath == '\0')
|
||||
+ cmdpath = grub_xasprintf ("(%s)/", fwdevice);
|
||||
+ else
|
||||
+ cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
|
||||
+
|
||||
if (cmdpath)
|
||||
{
|
||||
grub_env_set ("cmdpath", cmdpath);
|
||||
--
|
||||
2.47.0
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,7 +1,7 @@
|
||||
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
|
||||
From 1bc53f8fc980914132040670b85a010e094559ec Mon Sep 17 00:00:00 2001
|
||||
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||
Date: Tue, 1 Feb 2022 05:02:53 -0800
|
||||
Subject: [PATCH 1/5] key_protector: Add key protectors framework
|
||||
Subject: [PATCH] key_protector: Add key protectors framework
|
||||
|
||||
A key protector encapsulates functionality to retrieve an unlocking key
|
||||
for a fully-encrypted disk from a specific source. A key protector
|
||||
@ -19,17 +19,18 @@ Cc: Vladimir Serbinenko <phcoder@gmail.com>
|
||||
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/Makefile.am | 1 +
|
||||
grub-core/Makefile.core.def | 5 +++
|
||||
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
|
||||
include/grub/key_protector.h | 46 ++++++++++++++++++++
|
||||
4 files changed, 130 insertions(+)
|
||||
grub-core/disk/key_protector.c | 73 ++++++++++++++++++++++++++++++++++
|
||||
include/grub/key_protector.h | 47 ++++++++++++++++++++++
|
||||
4 files changed, 126 insertions(+)
|
||||
create mode 100644 grub-core/disk/key_protector.c
|
||||
create mode 100644 include/grub/key_protector.h
|
||||
|
||||
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
||||
index f18550c1c..9d3d5f519 100644
|
||||
index 1eda467e0..e50db8106 100644
|
||||
--- a/grub-core/Makefile.am
|
||||
+++ b/grub-core/Makefile.am
|
||||
@@ -90,6 +90,7 @@ endif
|
||||
@ -41,10 +42,10 @@ index f18550c1c..9d3d5f519 100644
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
|
||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||
index bc893e547..4307b8e2d 100644
|
||||
index a38955e18..37f131ae2 100644
|
||||
--- a/grub-core/Makefile.core.def
|
||||
+++ b/grub-core/Makefile.core.def
|
||||
@@ -1302,6 +1302,11 @@ module = {
|
||||
@@ -1282,6 +1282,11 @@ module = {
|
||||
common = disk/raid6_recover.c;
|
||||
};
|
||||
|
||||
@ -58,13 +59,14 @@ index bc893e547..4307b8e2d 100644
|
||||
common = disk/scsi.c;
|
||||
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
||||
new file mode 100644
|
||||
index 000000000..b84afe1c7
|
||||
index 000000000..0d146c1c0
|
||||
--- /dev/null
|
||||
+++ b/grub-core/disk/key_protector.c
|
||||
@@ -0,0 +1,78 @@
|
||||
@@ -0,0 +1,73 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2022 Microsoft Corporation
|
||||
+ * Copyright (C) 2024 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
@ -93,16 +95,14 @@ index 000000000..b84afe1c7
|
||||
+grub_err_t
|
||||
+grub_key_protector_register (struct grub_key_protector *protector)
|
||||
+{
|
||||
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ if (protector == NULL || protector->name == NULL || protector->name[0] == '\0')
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for registration");
|
||||
+
|
||||
+ if (grub_key_protectors &&
|
||||
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
|
||||
+ protector->name))
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ if (grub_key_protectors != NULL &&
|
||||
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector->name) != NULL)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Key protector '%s' already registered", protector->name);
|
||||
+
|
||||
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
|
||||
+ GRUB_AS_LIST (protector));
|
||||
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), GRUB_AS_LIST (protector));
|
||||
+
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
@ -111,7 +111,7 @@ index 000000000..b84afe1c7
|
||||
+grub_key_protector_unregister (struct grub_key_protector *protector)
|
||||
+{
|
||||
+ if (protector == NULL)
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for unregistration");
|
||||
+
|
||||
+ grub_list_remove (GRUB_AS_LIST (protector));
|
||||
+
|
||||
@ -125,30 +125,27 @@ index 000000000..b84afe1c7
|
||||
+ struct grub_key_protector *kp = NULL;
|
||||
+
|
||||
+ if (grub_key_protectors == NULL)
|
||||
+ return GRUB_ERR_OUT_OF_RANGE;
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
|
||||
+
|
||||
+ if (protector == NULL || grub_strlen (protector) == 0)
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+ if (protector == NULL || protector[0] == '\0')
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector");
|
||||
+
|
||||
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
|
||||
+ protector);
|
||||
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector);
|
||||
+ if (kp == NULL)
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||
+ N_("A key protector with name '%s' could not be found. "
|
||||
+ "Is the name spelled correctly and is the "
|
||||
+ "corresponding module loaded?"), protector);
|
||||
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
|
||||
+
|
||||
+ return kp->recover_key (key, key_size);
|
||||
+}
|
||||
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
|
||||
new file mode 100644
|
||||
index 000000000..6e6a6fb24
|
||||
index 000000000..00b15c13d
|
||||
--- /dev/null
|
||||
+++ b/include/grub/key_protector.h
|
||||
@@ -0,0 +1,46 @@
|
||||
@@ -0,0 +1,47 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2022 Microsoft Corporation
|
||||
+ * Copyright (C) 2024 Free Software Foundation, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
@ -193,5 +190,5 @@ index 000000000..6e6a6fb24
|
||||
+
|
||||
+#endif /* ! GRUB_PROTECTOR_HEADER */
|
||||
--
|
||||
2.35.3
|
||||
2.43.0
|
||||
|
||||
|
@ -1,4 +1,4 @@
|
||||
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
|
||||
From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 25 Apr 2024 16:21:45 +0800
|
||||
Subject: [PATCH] tpm2: Add extra RSA SRK types
|
||||
@ -8,16 +8,16 @@ to support those parameters.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
grub-core/tpm2/args.c | 12 ++++++++++++
|
||||
grub-core/tpm2/module.c | 16 ++++++++++++++--
|
||||
util/grub-protect.c | 4 ++--
|
||||
grub-core/commands/tpm2_key_protector/args.c | 12 ++++++++++++
|
||||
grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
|
||||
util/grub-protect.c | 4 ++--
|
||||
3 files changed, 28 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
|
||||
index c11280ab9..d140364d2 100644
|
||||
--- a/grub-core/tpm2/args.c
|
||||
+++ b/grub-core/tpm2/args.c
|
||||
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
||||
diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
|
||||
index 48c39de01..b291793a7 100644
|
||||
--- a/grub-core/commands/tpm2_key_protector/args.c
|
||||
+++ b/grub-core/commands/tpm2_key_protector/args.c
|
||||
@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
||||
srk_type->type = TPM_ALG_RSA;
|
||||
srk_type->detail.rsa_bits = 2048;
|
||||
}
|
||||
@ -34,13 +34,13 @@ index c11280ab9..d140364d2 100644
|
||||
+ srk_type->detail.rsa_bits = 4096;
|
||||
+ }
|
||||
else
|
||||
return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||
N_("Value '%s' is not a valid asymmetric key type"),
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index b754b38df..8b72ed6fa 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
|
||||
return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
|
||||
|
||||
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
||||
index 74e79a545..ee16d7f15 100644
|
||||
--- a/grub-core/commands/tpm2_key_protector/module.c
|
||||
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
||||
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
|
||||
.arg = NULL,
|
||||
.type = ARG_TYPE_STRING,
|
||||
.doc =
|
||||
@ -51,18 +51,18 @@ index b754b38df..8b72ed6fa 100644
|
||||
},
|
||||
/* NV Index-mode options */
|
||||
{
|
||||
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
||||
{
|
||||
case 2048:
|
||||
return "RSA2048";
|
||||
+ case 3072:
|
||||
+ return "RSA3072";
|
||||
+ case 4096:
|
||||
+ return "RSA4096";
|
||||
}
|
||||
}
|
||||
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
||||
return "ECC_NIST_P256";
|
||||
else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
|
||||
return "RSA2048";
|
||||
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
|
||||
+ return "RSA3072";
|
||||
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
|
||||
+ return "RSA4096";
|
||||
|
||||
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
|
||||
return "Unknown";
|
||||
}
|
||||
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
|
||||
.type = TPM_ALG_ECC,
|
||||
.detail.ecc_curve = TPM_ECC_NIST_P256,
|
||||
},
|
||||
@ -78,20 +78,20 @@ index b754b38df..8b72ed6fa 100644
|
||||
.type = TPM_ALG_RSA,
|
||||
.detail.rsa_bits = 2048,
|
||||
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
||||
index 869f45861..00be03ca0 100644
|
||||
index 5b7e952f4..f1108f2c5 100644
|
||||
--- a/util/grub-protect.c
|
||||
+++ b/util/grub-protect.c
|
||||
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
|
||||
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
|
||||
.arg = "TYPE",
|
||||
.flags = 0,
|
||||
.doc =
|
||||
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
||||
- N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
||||
- "(default: ECC)"),
|
||||
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
||||
+ N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
||||
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
||||
.group = 0
|
||||
},
|
||||
{
|
||||
--
|
||||
2.35.3
|
||||
2.43.0
|
||||
|
||||
|
@ -1,171 +0,0 @@
|
||||
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
||||
Subject: [PATCH] tpm2: Support authorized policy
|
||||
|
||||
This commit handles the TPM2_PolicyAuthorize command from the key file
|
||||
in TPM 2.0 Key File format.
|
||||
|
||||
TPM2_PolicyAuthorize is the essential command to support authorized
|
||||
policy which allows the users to sign TPM policies with their own keys.
|
||||
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
|
||||
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
|
||||
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
|
||||
digest is hashed with the hash algorithm written in 'signature', and then
|
||||
'signature' is verified with the hashed policy digest and 'pubkey'. Once
|
||||
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
|
||||
signed policy.
|
||||
|
||||
To create the key file with authorized policy, here are the pcr-oracle(*2)
|
||||
commands:
|
||||
|
||||
# Generate the RSA key and create the authorized policy file
|
||||
$ pcr-oracle \
|
||||
--rsa-generate-key \
|
||||
--private-key policy-key.pem \
|
||||
--auth authorized.policy \
|
||||
create-authorized-policy 0,2,4,7,9
|
||||
|
||||
# Seal the secret with the authorized policy
|
||||
$ pcr-oracle \
|
||||
--key-format tpm2.0 \
|
||||
--auth authorized.policy \
|
||||
--input disk-secret.txt \
|
||||
--output sealed.key \
|
||||
seal-secret
|
||||
|
||||
# Sign the predicted PCR policy
|
||||
$ pcr-oracle \
|
||||
--key-format tpm2.0 \
|
||||
--private-key policy-key.pem \
|
||||
--from eventlog \
|
||||
--stop-event "grub-file=grub.cfg" \
|
||||
--after \
|
||||
--input sealed.key \
|
||||
--output sealed.tpm \
|
||||
sign 0,2,4,7,9
|
||||
|
||||
Then specify the key file and the key protector to grub.cfg in the EFI
|
||||
system partition:
|
||||
|
||||
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
|
||||
cryptomount -u <PART_UUID> -P tpm2
|
||||
|
||||
For any change in the boot components, just run the 'sign' command again
|
||||
to update the signature in sealed.tpm, and TPM can unseal the key file
|
||||
with the updated PCR policy.
|
||||
|
||||
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
|
||||
(*2) https://github.com/okirch/pcr-oracle
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
---
|
||||
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 84 insertions(+)
|
||||
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index 3db25ceca..e83b02865 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
+static grub_err_t
|
||||
+grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session,
|
||||
+ struct grub_tpm2_buffer *cmd_buf)
|
||||
+{
|
||||
+ TPM2B_PUBLIC pubkey;
|
||||
+ TPM2B_DIGEST policy_ref;
|
||||
+ TPMT_SIGNATURE signature;
|
||||
+ TPM2B_DIGEST pcr_policy;
|
||||
+ TPM2B_DIGEST pcr_policy_hash;
|
||||
+ TPMI_ALG_HASH sig_hash;
|
||||
+ TPMT_TK_VERIFIED verification_ticket;
|
||||
+ TPM_HANDLE pubkey_handle = 0;
|
||||
+ TPM2B_NAME pubname;
|
||||
+ TPM_RC rc;
|
||||
+ grub_err_t err;
|
||||
+
|
||||
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
|
||||
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
|
||||
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
|
||||
+ if (cmd_buf->error != 0)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("Failed to unmarshal the buffer for TPM2_PolicyAuthorize"));
|
||||
+
|
||||
+ /* Retrieve Policy Digest */
|
||||
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||
+ N_("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x)."),
|
||||
+ rc);
|
||||
+
|
||||
+ /* Calculate the digest of the polcy for VerifySignature */
|
||||
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
|
||||
+ if (sig_hash == TPM_ALG_NULL)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("Failed to get the hash algorithm of the signature"));
|
||||
+
|
||||
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
|
||||
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||
+ N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
|
||||
+ rc);
|
||||
+
|
||||
+ /* Load the public key */
|
||||
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
|
||||
+ &pubkey_handle, &pubname, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE,
|
||||
+ N_("Failed to load public key (TPM2_LoadExternal: 0x%x)"),
|
||||
+ rc);
|
||||
+
|
||||
+ /* Verify the signature against the public key and the policy digest */
|
||||
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
|
||||
+ &verification_ticket, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ {
|
||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||
+ N_("Failed to verify signature (TPM2_VerifySignature: 0x%x)"),
|
||||
+ rc);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ /* Authorize the signed policy with the public key and the verification ticket */
|
||||
+ rc = TPM2_PolicyAuthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
|
||||
+ &verification_ticket, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ {
|
||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
|
||||
+ N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)"),
|
||||
+ rc);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ err = GRUB_ERR_NONE;
|
||||
+
|
||||
+error:
|
||||
+ TPM2_FlushContext (pubkey_handle);
|
||||
+
|
||||
+ return err;
|
||||
+}
|
||||
+
|
||||
static grub_err_t
|
||||
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
|
||||
{
|
||||
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
||||
case TPM_CC_PolicyPCR:
|
||||
err = grub_tpm2_protector_policypcr (session, &buf);
|
||||
break;
|
||||
+ case TPM_CC_PolicyAuthorize:
|
||||
+ err = grub_tpm2_protector_policyauthorize (session, &buf);
|
||||
+ break;
|
||||
default:
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
N_("Unknown TPM Command: 0x%x"), policy->cmd_code);
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,12 +1,12 @@
|
||||
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
|
||||
From 53e24662523d033ae3506b73787b972ef332db36 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Colp <patrick.colp@oracle.com>
|
||||
Date: Mon, 31 Jul 2023 07:01:45 -0700
|
||||
Subject: [PATCH 1/4] tpm2: Implement NV index
|
||||
Subject: [PATCH] tpm2_key_protector: Implement NV index
|
||||
|
||||
Currently with the TPM2 protector, only SRK mode is supported and
|
||||
NV index support is just a stub. Implement the NV index option.
|
||||
|
||||
Note: This only extends support on the unseal path. grub2_protect
|
||||
Note: This only extends support on the unseal path. grub-protect
|
||||
has not been updated. tpm2-tools can be used to insert a key into
|
||||
the NV index.
|
||||
|
||||
@ -36,41 +36,40 @@ Then to unseal the key in grub, add this to grub.cfg:
|
||||
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||
.../commands/tpm2_key_protector/module.c | 23 +++++++++++++++----
|
||||
1 file changed, 19 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index e83b02865..b754b38df 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -1035,12 +1035,27 @@ static grub_err_t
|
||||
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
|
||||
grub_uint8_t **key, grub_size_t *key_size)
|
||||
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
||||
index 6b4b5d460..74e79a545 100644
|
||||
--- a/grub-core/commands/tpm2_key_protector/module.c
|
||||
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
||||
@@ -973,11 +973,26 @@ tpm2_protector_srk_recover (const tpm2_protector_context_t *ctx,
|
||||
}
|
||||
|
||||
static grub_err_t
|
||||
-tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx __attribute__ ((unused)),
|
||||
- grub_uint8_t **key __attribute__ ((unused)),
|
||||
- grub_size_t *key_size __attribute__ ((unused)))
|
||||
+tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx,
|
||||
+ grub_uint8_t **key, grub_size_t *key_size)
|
||||
{
|
||||
- (void)ctx;
|
||||
- (void)key;
|
||||
- (void)key_size;
|
||||
+ TPM_HANDLE sealed_handle = ctx->nv;
|
||||
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "NV Index mode is not implemented yet");
|
||||
+ TPM_HANDLE_t sealed_handle = ctx->nv;
|
||||
+ tpm2key_policy_t policy_seq = NULL;
|
||||
+ grub_err_t err;
|
||||
+
|
||||
+ /* Create a basic policy sequence based on the given PCR selection */
|
||||
+ err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
|
||||
+ err = tpm2_protector_simple_policy_seq (ctx, &policy_seq);
|
||||
+ if (err != GRUB_ERR_NONE)
|
||||
+ goto exit;
|
||||
+
|
||||
+ err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
|
||||
+ err = tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
|
||||
+
|
||||
+ /* Pop error messages on success */
|
||||
+ if (err == GRUB_ERR_NONE)
|
||||
+ while (grub_error_pop ());
|
||||
+ exit:
|
||||
+ grub_tpm2_flushcontext (sealed_handle);
|
||||
+
|
||||
+exit:
|
||||
+ TPM2_FlushContext (sealed_handle);
|
||||
|
||||
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
|
||||
- N_("NV Index mode is not implemented yet"));
|
||||
+ grub_tpm2key_free_policy_seq (policy_seq);
|
||||
+
|
||||
+ return err;
|
||||
@ -78,5 +77,5 @@ index e83b02865..b754b38df 100644
|
||||
|
||||
static grub_err_t
|
||||
--
|
||||
2.35.3
|
||||
2.43.0
|
||||
|
158
0001-tpm2_key_protector-Support-authorized-policy.patch
Normal file
158
0001-tpm2_key_protector-Support-authorized-policy.patch
Normal file
@ -0,0 +1,158 @@
|
||||
From 7ef1b9b357c803cb8e30bbbebd44494b2b5c9d09 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
||||
Subject: [PATCH] tpm2_key_protector: Support authorized policy
|
||||
|
||||
This commit handles the TPM2_PolicyAuthorize command from the key file
|
||||
in TPM 2.0 Key File format.
|
||||
|
||||
TPM2_PolicyAuthorize is the essential command to support authorized
|
||||
policy which allows the users to sign TPM policies with their own keys.
|
||||
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
|
||||
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
|
||||
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
|
||||
digest is hashed with the hash algorithm written in 'signature', and then
|
||||
'signature' is verified with the hashed policy digest and 'pubkey'. Once
|
||||
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
|
||||
signed policy.
|
||||
|
||||
To create the key file with authorized policy, here are the pcr-oracle(*2)
|
||||
commands:
|
||||
|
||||
# Generate the RSA key and create the authorized policy file
|
||||
$ pcr-oracle \
|
||||
--rsa-generate-key \
|
||||
--private-key policy-key.pem \
|
||||
--auth authorized.policy \
|
||||
create-authorized-policy 0,2,4,7,9
|
||||
|
||||
# Seal the secret with the authorized policy
|
||||
$ pcr-oracle \
|
||||
--key-format tpm2.0 \
|
||||
--auth authorized.policy \
|
||||
--input disk-secret.txt \
|
||||
--output sealed.key \
|
||||
seal-secret
|
||||
|
||||
# Sign the predicted PCR policy
|
||||
$ pcr-oracle \
|
||||
--key-format tpm2.0 \
|
||||
--private-key policy-key.pem \
|
||||
--from eventlog \
|
||||
--stop-event "grub-file=grub.cfg" \
|
||||
--after \
|
||||
--input sealed.key \
|
||||
--output /boot/efi/efi/grub/sealed.tpm \
|
||||
sign 0,2,4,7,9
|
||||
|
||||
Then specify the key file and the key protector to grub.cfg in the EFI
|
||||
system partition:
|
||||
|
||||
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
|
||||
cryptomount -u <PART_UUID> -P tpm2
|
||||
|
||||
For any change in the boot components, just run the 'sign' command again
|
||||
to update the signature in sealed.tpm, and TPM can unseal the key file
|
||||
with the updated PCR policy.
|
||||
|
||||
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
|
||||
(*2) https://github.com/okirch/pcr-oracle
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
.../commands/tpm2_key_protector/module.c | 70 +++++++++++++++++++
|
||||
1 file changed, 70 insertions(+)
|
||||
|
||||
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
|
||||
index 70d4d0df7..6b4b5d460 100644
|
||||
--- a/grub-core/commands/tpm2_key_protector/module.c
|
||||
+++ b/grub-core/commands/tpm2_key_protector/module.c
|
||||
@@ -618,6 +618,73 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffe
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
+static grub_err_t
|
||||
+tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffer *cmd_buf)
|
||||
+{
|
||||
+ TPM2B_PUBLIC_t pubkey;
|
||||
+ TPM2B_DIGEST_t policy_ref;
|
||||
+ TPMT_SIGNATURE_t signature;
|
||||
+ TPM2B_DIGEST_t pcr_policy;
|
||||
+ TPM2B_DIGEST_t pcr_policy_hash;
|
||||
+ TPMI_ALG_HASH_t sig_hash;
|
||||
+ TPMT_TK_VERIFIED_t verification_ticket;
|
||||
+ TPM_HANDLE_t pubkey_handle = 0;
|
||||
+ TPM2B_NAME_t pubname;
|
||||
+ TPM_RC_t rc;
|
||||
+ grub_err_t err;
|
||||
+
|
||||
+ grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
|
||||
+ grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
|
||||
+ grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
|
||||
+ if (cmd_buf->error != 0)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal the buffer for TPM2_PolicyAuthorize");
|
||||
+
|
||||
+ /* Retrieve Policy Digest */
|
||||
+ rc = grub_tpm2_policygetdigest (session, NULL, &pcr_policy, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).", rc);
|
||||
+
|
||||
+ /* Calculate the digest of the polcy for VerifySignature */
|
||||
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
|
||||
+ if (sig_hash == TPM_ALG_NULL)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to get the hash algorithm of the signature");
|
||||
+
|
||||
+ rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, sig_hash,
|
||||
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to create PCR policy hash (TPM2_Hash: 0x%x)", rc);
|
||||
+
|
||||
+ /* Load the public key */
|
||||
+ rc = grub_tpm2_loadexternal (NULL, NULL, &pubkey, TPM_RH_OWNER, &pubkey_handle, &pubname, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to load public key (TPM2_LoadExternal: 0x%x)", rc);
|
||||
+
|
||||
+ /* Verify the signature against the public key and the policy digest */
|
||||
+ rc = grub_tpm2_verifysignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
|
||||
+ &verification_ticket, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ {
|
||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to verify signature (TPM2_VerifySignature: 0x%x)", rc);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ /* Authorize the signed policy with the public key and the verification ticket */
|
||||
+ rc = grub_tpm2_policyauthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
|
||||
+ &verification_ticket, NULL);
|
||||
+ if (rc != TPM_RC_SUCCESS)
|
||||
+ {
|
||||
+ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)", rc);
|
||||
+ goto error;
|
||||
+ }
|
||||
+
|
||||
+ err = GRUB_ERR_NONE;
|
||||
+
|
||||
+ error:
|
||||
+ grub_tpm2_flushcontext (pubkey_handle);
|
||||
+
|
||||
+ return err;
|
||||
+}
|
||||
+
|
||||
static grub_err_t
|
||||
tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t session)
|
||||
{
|
||||
@@ -636,6 +703,9 @@ tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t s
|
||||
case TPM_CC_PolicyPCR:
|
||||
err = tpm2_protector_policypcr (session, &buf);
|
||||
break;
|
||||
+ case TPM_CC_PolicyAuthorize:
|
||||
+ err = tpm2_protector_policyauthorize (session, &buf);
|
||||
+ break;
|
||||
default:
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown TPM Command: 0x%x", policy->cmd_code);
|
||||
}
|
||||
--
|
||||
2.43.0
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,411 +0,0 @@
|
||||
From 439de947262b0d8d4a02ca5afb1ef4f15853962c Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Fri, 9 Dec 2016 15:40:29 -0500
|
||||
Subject: [PATCH 2/9] Add BLS support to grub-mkconfig
|
||||
|
||||
GRUB now has BootLoaderSpec support, the user can choose to use this by
|
||||
setting GRUB_ENABLE_BLSCFG to true in /etc/default/grub. On this setup,
|
||||
the boot menu entries are not added to the grub.cfg, instead BLS config
|
||||
files are parsed by blscfg command and the entries created dynamically.
|
||||
|
||||
A 10_linux_bls grub.d snippet to generate menu entries from BLS files
|
||||
is also added that can be used on platforms where the bootloader doesn't
|
||||
have BLS support and only can parse a normal grub configuration file.
|
||||
|
||||
Portions of the 10_linux_bls were taken from the ostree-grub-generator
|
||||
script that's included in the OSTree project.
|
||||
|
||||
Fixes to support multi-devices and generate a BLS section even if no
|
||||
kernels are found in the boot directory were proposed by Yclept Nemo
|
||||
and Tom Gundersen respectively.
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
[javierm: remove outdated URL for BLS document]
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
[iwienand@redhat.com: skip machine ID check when updating entries]
|
||||
Signed-off-by: Ian Wienand <iwienand@redhat.com>
|
||||
[rharwood: commit message composits, drop man pages]
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
util/grub-mkconfig.in | 9 +-
|
||||
util/grub-mkconfig_lib.in | 22 +++-
|
||||
util/grub.d/10_linux.in | 244 +++++++++++++++++++++++++++++++++++++-
|
||||
3 files changed, 269 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
|
||||
index cf5b79342..7af15df94 100644
|
||||
--- a/util/grub-mkconfig.in
|
||||
+++ b/util/grub-mkconfig.in
|
||||
@@ -49,6 +49,8 @@ grub_script_check="${bindir}/@grub_script_check@"
|
||||
export TEXTDOMAIN=@PACKAGE@
|
||||
export TEXTDOMAINDIR="@localedir@"
|
||||
|
||||
+export GRUB_GRUBENV_UPDATE="yes"
|
||||
+
|
||||
. "${pkgdatadir}/grub-mkconfig_lib"
|
||||
|
||||
# Usage: usage
|
||||
@@ -58,6 +60,7 @@ usage () {
|
||||
gettext "Generate a grub config file"; echo
|
||||
echo
|
||||
print_option_help "-o, --output=$(gettext FILE)" "$(gettext "output generated config to FILE [default=stdout]")"
|
||||
+ print_option_help "--no-grubenv-update" "$(gettext "do not update variables in the grubenv file")"
|
||||
print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
||||
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
||||
echo
|
||||
@@ -93,6 +96,9 @@ do
|
||||
--output=*)
|
||||
grub_cfg=`echo "$option" | sed 's/--output=//'`
|
||||
;;
|
||||
+ --no-grubenv-update)
|
||||
+ GRUB_GRUBENV_UPDATE="no"
|
||||
+ ;;
|
||||
-*)
|
||||
gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
|
||||
usage
|
||||
@@ -300,7 +306,8 @@ export GRUB_DEFAULT \
|
||||
GRUB_DISABLE_SUBMENU \
|
||||
SUSE_BTRFS_SNAPSHOT_BOOTING \
|
||||
SUSE_CMDLINE_XENEFI \
|
||||
- SUSE_REMOVE_LINUX_ROOT_PARAM
|
||||
+ SUSE_REMOVE_LINUX_ROOT_PARAM \
|
||||
+ GRUB_ENABLE_BLSCFG
|
||||
|
||||
if test "x${grub_cfg}" != "x"; then
|
||||
rm -f "${grub_cfg}.new"
|
||||
diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
|
||||
index 22fb7668f..5db4337c6 100644
|
||||
--- a/util/grub-mkconfig_lib.in
|
||||
+++ b/util/grub-mkconfig_lib.in
|
||||
@@ -30,6 +30,9 @@ fi
|
||||
if test "x$grub_file" = x; then
|
||||
grub_file="${bindir}/@grub_file@"
|
||||
fi
|
||||
+if test "x$grub_editenv" = x; then
|
||||
+ grub_editenv="${bindir}/@grub_editenv@"
|
||||
+fi
|
||||
if test "x$grub_mkrelpath" = x; then
|
||||
grub_mkrelpath="${bindir}/@grub_mkrelpath@"
|
||||
fi
|
||||
@@ -123,8 +126,19 @@ EOF
|
||||
fi
|
||||
}
|
||||
|
||||
+prepare_grub_to_access_device_with_variable ()
|
||||
+{
|
||||
+ device_variable="$1"
|
||||
+ shift
|
||||
+ prepare_grub_to_access_device "$@"
|
||||
+ unset "device_variable"
|
||||
+}
|
||||
+
|
||||
prepare_grub_to_access_device ()
|
||||
{
|
||||
+ if [ -z "$device_variable" ]; then
|
||||
+ device_variable="root"
|
||||
+ fi
|
||||
old_ifs="$IFS"
|
||||
IFS='
|
||||
'
|
||||
@@ -159,18 +173,18 @@ prepare_grub_to_access_device ()
|
||||
# otherwise set root as per value in device.map.
|
||||
fs_hint="`"${grub_probe}" --device $@ --target=compatibility_hint`"
|
||||
if [ "x$fs_hint" != x ]; then
|
||||
- echo "set root='$fs_hint'"
|
||||
+ echo "set ${device_variable}='$fs_hint'"
|
||||
fi
|
||||
if [ "x${GRUB_DISABLE_UUID}" != "xtrue" ] && fs_uuid="`"${grub_probe}" --device $@ --target=fs_uuid 2> /dev/null`" ; then
|
||||
hints="`"${grub_probe}" --device $@ --target=hints_string 2> /dev/null`" || hints=
|
||||
if [ "x$hints" != x ]; then
|
||||
echo "if [ x\$feature_platform_search_hint = xy ]; then"
|
||||
- echo " search --no-floppy --fs-uuid --set=root ${hints} ${fs_uuid}"
|
||||
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${hints} ${fs_uuid}"
|
||||
echo "else"
|
||||
- echo " search --no-floppy --fs-uuid --set=root ${fs_uuid}"
|
||||
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
|
||||
echo "fi"
|
||||
else
|
||||
- echo "search --no-floppy --fs-uuid --set=root ${fs_uuid}"
|
||||
+ echo "search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
|
||||
fi
|
||||
fi
|
||||
IFS="$old_ifs"
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index 5531239eb..49eccbeaf 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -91,6 +91,244 @@ if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
|
||||
LINUX_ROOT_DEVICE=""
|
||||
fi
|
||||
|
||||
+populate_header_warn()
|
||||
+{
|
||||
+if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
||||
+ bls_parser="10_linux script"
|
||||
+else
|
||||
+ bls_parser="blscfg command"
|
||||
+fi
|
||||
+cat <<EOF
|
||||
+
|
||||
+# This section was generated by a script. Do not modify the generated file - all changes
|
||||
+# will be lost the next time file is regenerated. Instead edit the BootLoaderSpec files.
|
||||
+#
|
||||
+# The $bls_parser parses the BootLoaderSpec files stored in /boot/loader/entries and
|
||||
+# populates the boot menu. Please refer to the Boot Loader Specification documentation
|
||||
+# for the files format: https://systemd.io/BOOT_LOADER_SPECIFICATION/.
|
||||
+
|
||||
+EOF
|
||||
+}
|
||||
+
|
||||
+read_config()
|
||||
+{
|
||||
+ config_file=${1}
|
||||
+ title=""
|
||||
+ initrd=""
|
||||
+ options=""
|
||||
+ linux=""
|
||||
+ grub_arg=""
|
||||
+
|
||||
+ while read -r line
|
||||
+ do
|
||||
+ record=$(echo ${line} | cut -f 1 -d ' ')
|
||||
+ value=$(echo ${line} | cut -s -f2- -d ' ')
|
||||
+ case "${record}" in
|
||||
+ "title")
|
||||
+ title=${value}
|
||||
+ ;;
|
||||
+ "initrd")
|
||||
+ initrd=${value}
|
||||
+ ;;
|
||||
+ "linux")
|
||||
+ linux=${value}
|
||||
+ ;;
|
||||
+ "options")
|
||||
+ options=${value}
|
||||
+ ;;
|
||||
+ "grub_arg")
|
||||
+ grub_arg=${value}
|
||||
+ ;;
|
||||
+ esac
|
||||
+ done < ${config_file}
|
||||
+}
|
||||
+
|
||||
+blsdir="/boot/loader/entries"
|
||||
+
|
||||
+get_sorted_bls()
|
||||
+{
|
||||
+ if ! [ -d "${blsdir}" ]; then
|
||||
+ return
|
||||
+ fi
|
||||
+
|
||||
+ local IFS=$'\n'
|
||||
+
|
||||
+ files=($(for bls in ${blsdir}/*.conf; do
|
||||
+ if ! [[ -e "${bls}" ]] ; then
|
||||
+ continue
|
||||
+ fi
|
||||
+ bls="${bls%.conf}"
|
||||
+ bls="${bls##*/}"
|
||||
+ echo "${bls}"
|
||||
+ done | ${kernel_sort} 2>/dev/null | tac)) || :
|
||||
+
|
||||
+ echo "${files[@]}"
|
||||
+}
|
||||
+
|
||||
+update_bls_cmdline()
|
||||
+{
|
||||
+ local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
+ local -a files=($(get_sorted_bls))
|
||||
+
|
||||
+ for bls in "${files[@]}"; do
|
||||
+ local options="${cmdline}"
|
||||
+ if [ -z "${bls##*debug*}" ]; then
|
||||
+ options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
|
||||
+ fi
|
||||
+ options="$(echo "${options}" | sed -e 's/\//\\\//g')"
|
||||
+ sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
|
||||
+ done
|
||||
+}
|
||||
+
|
||||
+populate_menu()
|
||||
+{
|
||||
+ local -a files=($(get_sorted_bls))
|
||||
+
|
||||
+ gettext_printf "Generating boot entries from BLS files...\n" >&2
|
||||
+
|
||||
+ for bls in "${files[@]}"; do
|
||||
+ read_config "${blsdir}/${bls}.conf"
|
||||
+
|
||||
+ menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
|
||||
+ menu="${menu}\t linux ${linux} ${options}\n"
|
||||
+ if [ -n "${initrd}" ] ; then
|
||||
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
|
||||
+ fi
|
||||
+ menu="${menu}}\n\n"
|
||||
+ done
|
||||
+ # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
|
||||
+ printf "$menu"
|
||||
+}
|
||||
+
|
||||
+# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
||||
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
|
||||
+ GRUB_ENABLE_BLSCFG="true"
|
||||
+fi
|
||||
+
|
||||
+if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
||||
+ if [ x$dirname = x/ ]; then
|
||||
+ if [ -z "${prepare_root_cache}" ]; then
|
||||
+ prepare_grub_to_access_device ${GRUB_DEVICE}
|
||||
+ fi
|
||||
+ else
|
||||
+ if [ -z "${prepare_boot_cache}" ]; then
|
||||
+ prepare_grub_to_access_device ${GRUB_DEVICE_BOOT}
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ if [ -d /sys/firmware/efi ]; then
|
||||
+ bootefi_device="`${grub_probe} --target=device /boot/efi/`"
|
||||
+ prepare_grub_to_access_device_with_variable boot ${bootefi_device}
|
||||
+ else
|
||||
+ boot_device="`${grub_probe} --target=device /boot/`"
|
||||
+ prepare_grub_to_access_device_with_variable boot ${boot_device}
|
||||
+ fi
|
||||
+
|
||||
+ arch="$(uname -m)"
|
||||
+ if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
|
||||
+
|
||||
+ BLS_POPULATE_MENU="true"
|
||||
+ petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
|
||||
+
|
||||
+ if test -e ${petitboot_path}; then
|
||||
+ read -r -d '' petitboot_version < ${petitboot_path}
|
||||
+ petitboot_version="$(echo ${petitboot_version//v})"
|
||||
+
|
||||
+ if test -n ${petitboot_version}; then
|
||||
+ major_version="$(echo ${petitboot_version} | cut -d . -f1)"
|
||||
+ minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
|
||||
+
|
||||
+ re='^[0-9]+$'
|
||||
+ if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
|
||||
+ ([[ ${major_version} -gt 1 ]] ||
|
||||
+ [[ ${major_version} -eq 1 &&
|
||||
+ ${minor_version} -ge 8 ]]); then
|
||||
+ BLS_POPULATE_MENU="false"
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ populate_header_warn
|
||||
+
|
||||
+ cat << EOF
|
||||
+# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
|
||||
+# entries populated from BootLoaderSpec files that use this variable work correctly even
|
||||
+# without a grubenv file, define a fallback kernelopts variable if this has not been set.
|
||||
+#
|
||||
+# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
|
||||
+# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
|
||||
+# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
|
||||
+# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
|
||||
+if [ -z "\${kernelopts}" ]; then
|
||||
+ set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
+fi
|
||||
+EOF
|
||||
+
|
||||
+ update_bls_cmdline
|
||||
+
|
||||
+ if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
||||
+ populate_menu
|
||||
+ else
|
||||
+ cat << EOF
|
||||
+
|
||||
+insmod blscfg
|
||||
+blscfg
|
||||
+EOF
|
||||
+ fi
|
||||
+
|
||||
+ if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
|
||||
+ blsdir="/boot/loader/entries"
|
||||
+ [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
|
||||
+ if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
|
||||
+ blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
|
||||
+ if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
|
||||
+ ${grub_editenv} - set blsdir="${blsdir}"
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
|
||||
+ ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "${GRUB_DEFAULT_DTB}" ]; then
|
||||
+ ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "${GRUB_SAVEDEFAULT}" ]; then
|
||||
+ ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
|
||||
+ fi
|
||||
+ fi
|
||||
+
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
+mktitle ()
|
||||
+{
|
||||
+ local title_type
|
||||
+ local version
|
||||
+ local OS_NAME
|
||||
+ local OS_VERS
|
||||
+
|
||||
+ title_type=$1 && shift
|
||||
+ version=$1 && shift
|
||||
+
|
||||
+ OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
|
||||
+ OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
|
||||
+
|
||||
+ case $title_type in
|
||||
+ recovery)
|
||||
+ title=$(printf '%s (%s) %s (recovery mode)' \
|
||||
+ "${OS_NAME}" "${version}" "${OS_VERS}")
|
||||
+ ;;
|
||||
+ *)
|
||||
+ title=$(printf '%s (%s) %s' \
|
||||
+ "${OS_NAME}" "${version}" "${OS_VERS}")
|
||||
+ ;;
|
||||
+ esac
|
||||
+ echo -n ${title}
|
||||
+}
|
||||
+
|
||||
title_correction_code=
|
||||
|
||||
hotkey=1
|
||||
@@ -124,6 +362,7 @@ linux_entry ()
|
||||
if [ -z "$boot_device_id" ]; then
|
||||
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
|
||||
fi
|
||||
+
|
||||
if [ x$type != xsimple ] ; then
|
||||
case $type in
|
||||
recovery)
|
||||
@@ -298,6 +537,7 @@ fi
|
||||
is_top_level=true
|
||||
for linux in ${reverse_sorted_list}; do
|
||||
gettext_printf "Found linux image: %s\n" "$linux" >&2
|
||||
+
|
||||
basename=`basename $linux`
|
||||
dirname=`dirname $linux`
|
||||
rel_dirname=`make_system_path_relative_to_its_root $dirname`
|
||||
@@ -348,7 +588,9 @@ for linux in ${reverse_sorted_list}; do
|
||||
for i in ${initrd}; do
|
||||
initrd_display="${initrd_display} ${dirname}/${i}"
|
||||
done
|
||||
- gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
|
||||
+ if [ "x${GRUB_ENABLE_BLSCFG}" != "xtrue" ]; then
|
||||
+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
|
||||
+ fi
|
||||
fi
|
||||
|
||||
config=
|
||||
--
|
||||
2.44.0
|
||||
|
290
0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
Normal file
290
0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
Normal file
@ -0,0 +1,290 @@
|
||||
From af8b106667aa2ca7a7613e10d8746959e182f8f1 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Thu, 29 Aug 2024 13:27:30 +0800
|
||||
Subject: [PATCH 2/2] Requiring authentication after tpm unlock for CLI access
|
||||
|
||||
GRUB may use TPM to verify the integrity of boot components, and the
|
||||
result can determine whether a previously sealed key can be released. If
|
||||
everything checks out, showing nothing has been tampered with, the key
|
||||
is released, and grub unlocks the encrypted root partition for the next
|
||||
stage of booting.
|
||||
|
||||
However, the liberal command line interface (CLI) can be misused by
|
||||
anyone in this case to access files in the encrypted partition one way
|
||||
or another. Despite efforts to keep the CLI secure by preventing utility
|
||||
command output from leaking file content, many techniques in the wild
|
||||
could still be used to exploit the CLI, enabling attacks or learning
|
||||
methods to attack. It's nearly impossible to account for all scenarios
|
||||
where a hack could be applied.
|
||||
|
||||
Therefore, to mitigate potential misuse of the CLI after the root device
|
||||
has been successfully unlocked via TPM, the user should be required to
|
||||
authenticate using the LUKS password. This added layer of security
|
||||
ensures that only authorized users can access the CLI, reducing the risk
|
||||
of exploitation or unauthorized access to the encrypted partition.
|
||||
|
||||
Fixes: CVE-2024-49504
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/disk/cryptodisk.c | 80 +++++++++++++++++++++++++++++++++++
|
||||
grub-core/kern/main.c | 12 ++++++
|
||||
grub-core/normal/auth.c | 30 +++++++++++++
|
||||
grub-core/normal/main.c | 4 ++
|
||||
grub-core/normal/menu_entry.c | 4 ++
|
||||
include/grub/auth.h | 1 +
|
||||
include/grub/cryptodisk.h | 3 ++
|
||||
include/grub/misc.h | 2 +
|
||||
8 files changed, 136 insertions(+)
|
||||
|
||||
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
||||
index babc94868..77bc782fd 100644
|
||||
--- a/grub-core/disk/cryptodisk.c
|
||||
+++ b/grub-core/disk/cryptodisk.c
|
||||
@@ -1188,6 +1188,7 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
goto error;
|
||||
#ifndef GRUB_UTIL
|
||||
is_tpmkey = 1;
|
||||
+ grub_cli_set_auth_needed ();
|
||||
#endif
|
||||
goto cleanup;
|
||||
}
|
||||
@@ -1706,6 +1707,85 @@ luks_script_get (grub_size_t *sz)
|
||||
return ret;
|
||||
}
|
||||
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
+grub_err_t
|
||||
+grub_cryptodisk_challenge_password (void)
|
||||
+{
|
||||
+ grub_cryptodisk_t cr_dev;
|
||||
+
|
||||
+ for (cr_dev = cryptodisk_list; cr_dev != NULL; cr_dev = cr_dev->next)
|
||||
+ {
|
||||
+ grub_cryptodisk_dev_t cr;
|
||||
+ grub_disk_t source = NULL;
|
||||
+ grub_err_t ret = GRUB_ERR_NONE;
|
||||
+ grub_cryptodisk_t dev = NULL;
|
||||
+ char *part = NULL;
|
||||
+ struct grub_cryptomount_args cargs = {0};
|
||||
+
|
||||
+ cargs.check_boot = 0;
|
||||
+ cargs.search_uuid = cr_dev->uuid;
|
||||
+
|
||||
+ source = grub_disk_open (cr_dev->source);
|
||||
+
|
||||
+ if (source == NULL)
|
||||
+ goto error_out;
|
||||
+
|
||||
+ FOR_CRYPTODISK_DEVS (cr)
|
||||
+ {
|
||||
+ dev = cr->scan (source, &cargs);
|
||||
+ if (grub_errno)
|
||||
+ goto error_out;
|
||||
+ if (!dev)
|
||||
+ continue;
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ if (dev == NULL)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_MODULE,
|
||||
+ "no cryptodisk module can handle this device");
|
||||
+ goto error_out;
|
||||
+ }
|
||||
+
|
||||
+ part = grub_partition_get_name (source->partition);
|
||||
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
|
||||
+ source->partition != NULL ? "," : "",
|
||||
+ part != NULL ? part : N_("UNKNOWN"), cr_dev->uuid);
|
||||
+ grub_free (part);
|
||||
+
|
||||
+ cargs.key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
|
||||
+ if (cargs.key_data == NULL)
|
||||
+ goto error_out;
|
||||
+
|
||||
+ if (!grub_password_get ((char *) cargs.key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
|
||||
+ goto error_out;
|
||||
+ }
|
||||
+ cargs.key_len = grub_strlen ((char *) cargs.key_data);
|
||||
+ ret = cr->recover_key (source, dev, &cargs);
|
||||
+ if (ret != GRUB_ERR_NONE)
|
||||
+ goto error_out;
|
||||
+
|
||||
+ error_out:
|
||||
+ if (source)
|
||||
+ grub_disk_close (source);
|
||||
+ if (dev)
|
||||
+ cryptodisk_close (dev);
|
||||
+ if (cargs.key_data)
|
||||
+ {
|
||||
+ grub_memset (cargs.key_data, 0, cargs.key_len);
|
||||
+ grub_free (cargs.key_data);
|
||||
+ }
|
||||
+
|
||||
+ if (grub_errno != GRUB_ERR_NONE)
|
||||
+ return grub_errno;
|
||||
+ }
|
||||
+
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
+#endif /* GRUB_MACHINE_EFI */
|
||||
+
|
||||
struct grub_procfs_entry luks_script =
|
||||
{
|
||||
.name = "luks_script",
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index 07b6940d2..ef3b3756d 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -37,6 +37,7 @@
|
||||
#endif
|
||||
|
||||
static bool cli_disabled = false;
|
||||
+static bool cli_need_auth = false;
|
||||
|
||||
grub_addr_t
|
||||
grub_modules_get_end (void)
|
||||
@@ -246,6 +247,17 @@ grub_is_cli_disabled (void)
|
||||
return cli_disabled;
|
||||
}
|
||||
|
||||
+bool
|
||||
+grub_is_cli_need_auth (void)
|
||||
+{
|
||||
+ return cli_need_auth;
|
||||
+}
|
||||
+
|
||||
+void grub_cli_set_auth_needed (void)
|
||||
+{
|
||||
+ cli_need_auth = true;
|
||||
+}
|
||||
+
|
||||
static void
|
||||
check_is_cli_disabled (void)
|
||||
{
|
||||
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
|
||||
index d94020186..2931ba604 100644
|
||||
--- a/grub-core/normal/auth.c
|
||||
+++ b/grub-core/normal/auth.c
|
||||
@@ -25,6 +25,10 @@
|
||||
#include <grub/time.h>
|
||||
#include <grub/i18n.h>
|
||||
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
+#include <grub/cryptodisk.h>
|
||||
+#endif
|
||||
+
|
||||
struct grub_auth_user
|
||||
{
|
||||
struct grub_auth_user *next;
|
||||
@@ -200,6 +204,32 @@ grub_username_get (char buf[], unsigned buf_size)
|
||||
return (key != GRUB_TERM_ESC);
|
||||
}
|
||||
|
||||
+grub_err_t
|
||||
+grub_auth_check_cli_access (void)
|
||||
+{
|
||||
+ if (grub_is_cli_need_auth () == true)
|
||||
+ {
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
+ static bool authenticated = false;
|
||||
+
|
||||
+ if (authenticated == false)
|
||||
+ {
|
||||
+ grub_err_t ret;
|
||||
+
|
||||
+ ret = grub_cryptodisk_challenge_password ();
|
||||
+ if (ret == GRUB_ERR_NONE)
|
||||
+ authenticated = true;
|
||||
+ return ret;
|
||||
+ }
|
||||
+ return GRUB_ERR_NONE;
|
||||
+#else
|
||||
+ return GRUB_ACCESS_DENIED;
|
||||
+#endif
|
||||
+ }
|
||||
+
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
+
|
||||
grub_err_t
|
||||
grub_auth_check_authentication (const char *userlist)
|
||||
{
|
||||
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||
index 8e58ced67..b08fd6977 100644
|
||||
--- a/grub-core/normal/main.c
|
||||
+++ b/grub-core/normal/main.c
|
||||
@@ -560,9 +560,13 @@ grub_cmdline_run (int nested, int force_auth)
|
||||
}
|
||||
while (err && force_auth);
|
||||
|
||||
+ if (err == GRUB_ERR_NONE)
|
||||
+ err = grub_auth_check_cli_access ();
|
||||
+
|
||||
if (err)
|
||||
{
|
||||
grub_print_error ();
|
||||
+ grub_wait_after_message ();
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
return;
|
||||
}
|
||||
diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
|
||||
index e5ba91ea4..06682a396 100644
|
||||
--- a/grub-core/normal/menu_entry.c
|
||||
+++ b/grub-core/normal/menu_entry.c
|
||||
@@ -1256,9 +1256,13 @@ grub_menu_entry_run (grub_menu_entry_t entry)
|
||||
|
||||
err = grub_auth_check_authentication (NULL);
|
||||
|
||||
+ if (err == GRUB_ERR_NONE)
|
||||
+ err = grub_auth_check_cli_access ();
|
||||
+
|
||||
if (err)
|
||||
{
|
||||
grub_print_error ();
|
||||
+ grub_wait_after_message ();
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
return;
|
||||
}
|
||||
diff --git a/include/grub/auth.h b/include/grub/auth.h
|
||||
index 747334451..21d5190f0 100644
|
||||
--- a/include/grub/auth.h
|
||||
+++ b/include/grub/auth.h
|
||||
@@ -33,5 +33,6 @@ grub_err_t grub_auth_unregister_authentication (const char *user);
|
||||
grub_err_t grub_auth_authenticate (const char *user);
|
||||
grub_err_t grub_auth_deauthenticate (const char *user);
|
||||
grub_err_t grub_auth_check_authentication (const char *userlist);
|
||||
+grub_err_t grub_auth_check_cli_access (void);
|
||||
|
||||
#endif /* ! GRUB_AUTH_HEADER */
|
||||
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
|
||||
index 0b41e249e..b3291519b 100644
|
||||
--- a/include/grub/cryptodisk.h
|
||||
+++ b/include/grub/cryptodisk.h
|
||||
@@ -203,4 +203,7 @@ grub_util_get_geli_uuid (const char *dev);
|
||||
grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
|
||||
grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
|
||||
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
+grub_err_t grub_cryptodisk_challenge_password (void);
|
||||
+#endif
|
||||
#endif
|
||||
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
||||
index 1578f36c3..6e94d18f5 100644
|
||||
--- a/include/grub/misc.h
|
||||
+++ b/include/grub/misc.h
|
||||
@@ -392,6 +392,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
|
||||
grub_uint64_t *r);
|
||||
|
||||
extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
|
||||
+extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
|
||||
+extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
|
||||
|
||||
/* Must match softdiv group in gentpl.py. */
|
||||
#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
|
||||
--
|
||||
2.47.0
|
||||
|
@ -1,197 +0,0 @@
|
||||
From 912384e63c1e3b6aa9d90effb71cd535a17da1e2 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Sat, 18 Nov 2023 19:02:31 +0800
|
||||
Subject: [PATCH 2/4] Restrict file access on cryptodisk print
|
||||
|
||||
When the encrypted partition is automatically unlocked by TPM, granting
|
||||
access to the system upon validation of its known good state, there's a
|
||||
potential vulnerability. Grub gains access to file systems that were
|
||||
previously inaccessible to the public, enabling certain commands from
|
||||
the grub console to print content. This arises due to grub lacking
|
||||
restrictions similar to those imposed by password authentication, which
|
||||
typically occurs before privileged access is granted.
|
||||
|
||||
Although the automatic unlocking process ensures system integrity and a
|
||||
secure environment for grub to operate in, it doesn't directly address
|
||||
the issue of authentication for viewing encrypted partition content.
|
||||
|
||||
This commit addresses this security loophole by implementing a file
|
||||
filter upon adding a TPM key. The newly added file filter will
|
||||
specifically verify if the disk is encrypted, denying access and
|
||||
returning an "Access Denied: prohibited to view encrypted data" error
|
||||
message to alert the user.
|
||||
|
||||
Since the policy to filter out unwanted commands from leaking encrypted
|
||||
content is irreversible, it is advisable to make the loaded module
|
||||
persistent to prevent its removal.
|
||||
|
||||
This enhancement aims to bolster security measures and prevent
|
||||
unauthorized access to encrypted data.
|
||||
|
||||
Signed-Off-by Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/commands/crypttab.c | 35 ++++++++++++++++++++++++++++++++++-
|
||||
grub-core/disk/diskfilter.c | 35 +++++++++++++++++++++++++++++++++++
|
||||
include/grub/disk.h | 10 ++++++++++
|
||||
include/grub/file.h | 1 +
|
||||
4 files changed, 80 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
|
||||
index 9397bede9..d3acc4b59 100644
|
||||
--- a/grub-core/commands/crypttab.c
|
||||
+++ b/grub-core/commands/crypttab.c
|
||||
@@ -6,11 +6,39 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/list.h>
|
||||
#include <grub/crypttab.h>
|
||||
+#include <grub/file.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
grub_crypto_key_list_t *cryptokey_lst;
|
||||
|
||||
+static grub_file_t
|
||||
+grub_nocat_open (grub_file_t io, enum grub_file_type type)
|
||||
+{
|
||||
+ grub_disk_t disk;
|
||||
+
|
||||
+ /* Network device */
|
||||
+ if (!io->device->disk)
|
||||
+ return io;
|
||||
+
|
||||
+ disk = io->device->disk;
|
||||
+
|
||||
+ if (grub_disk_is_crypto (disk))
|
||||
+ {
|
||||
+ switch (type & GRUB_FILE_TYPE_MASK)
|
||||
+ {
|
||||
+ case GRUB_FILE_TYPE_CAT:
|
||||
+ case GRUB_FILE_TYPE_HEXCAT:
|
||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to view encrypted data"));
|
||||
+ return NULL;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return io;
|
||||
+}
|
||||
+
|
||||
grub_err_t
|
||||
grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key_len, const char *path, int is_tpmkey)
|
||||
{
|
||||
@@ -48,7 +76,11 @@ grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key
|
||||
}
|
||||
|
||||
if (is_tpmkey >= 0)
|
||||
- cur->is_tpmkey = is_tpmkey;
|
||||
+ {
|
||||
+ cur->is_tpmkey = is_tpmkey;
|
||||
+ if (is_tpmkey)
|
||||
+ grub_file_filter_register (GRUB_FILE_FILTER_NOCAT, grub_nocat_open);
|
||||
+ }
|
||||
|
||||
if (!cur->name)
|
||||
{
|
||||
@@ -121,6 +153,7 @@ GRUB_MOD_INIT(crypttab)
|
||||
{
|
||||
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
||||
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
||||
+ grub_dl_set_persistent (mod);
|
||||
}
|
||||
|
||||
GRUB_MOD_FINI(crypttab)
|
||||
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
|
||||
index 5c5fabe1a..b0c1c880d 100644
|
||||
--- a/grub-core/disk/diskfilter.c
|
||||
+++ b/grub-core/disk/diskfilter.c
|
||||
@@ -558,6 +558,39 @@ find_lv (const char *name)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static int
|
||||
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
|
||||
+{
|
||||
+ struct grub_diskfilter_pv *pv;
|
||||
+
|
||||
+ if (!lv)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (lv->vg->pvs)
|
||||
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
|
||||
+ {
|
||||
+ if (!pv->disk)
|
||||
+ {
|
||||
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
|
||||
+ " Some modules may be missing from core image."),
|
||||
+ pv->name);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ switch (pv->disk->dev->id)
|
||||
+ {
|
||||
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
|
||||
+ return 1;
|
||||
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
|
||||
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static grub_err_t
|
||||
grub_diskfilter_open (const char *name, grub_disk_t disk)
|
||||
{
|
||||
@@ -589,6 +622,8 @@ grub_diskfilter_open (const char *name, grub_disk_t disk)
|
||||
|
||||
disk->total_sectors = lv->size;
|
||||
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
|
||||
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
diff --git a/include/grub/disk.h b/include/grub/disk.h
|
||||
index 3b3db6222..63982f16c 100644
|
||||
--- a/include/grub/disk.h
|
||||
+++ b/include/grub/disk.h
|
||||
@@ -147,6 +147,8 @@ struct grub_disk
|
||||
|
||||
/* Device-specific data. */
|
||||
void *data;
|
||||
+
|
||||
+ int is_crypto_diskfilter;
|
||||
};
|
||||
typedef struct grub_disk *grub_disk_t;
|
||||
|
||||
@@ -314,4 +316,12 @@ void grub_mdraid1x_fini (void);
|
||||
void grub_diskfilter_fini (void);
|
||||
#endif
|
||||
|
||||
+static inline int
|
||||
+grub_disk_is_crypto (grub_disk_t disk)
|
||||
+{
|
||||
+ return ((disk->is_crypto_diskfilter ||
|
||||
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
|
||||
+ 1 : 0);
|
||||
+}
|
||||
+
|
||||
#endif /* ! GRUB_DISK_HEADER */
|
||||
diff --git a/include/grub/file.h b/include/grub/file.h
|
||||
index fde58f0fa..fcfd32ce2 100644
|
||||
--- a/include/grub/file.h
|
||||
+++ b/include/grub/file.h
|
||||
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
|
||||
/* Filters with lower ID are executed first. */
|
||||
typedef enum grub_file_filter_id
|
||||
{
|
||||
+ GRUB_FILE_FILTER_NOCAT,
|
||||
GRUB_FILE_FILTER_VERIFY,
|
||||
GRUB_FILE_FILTER_GZIO,
|
||||
GRUB_FILE_FILTER_XZIO,
|
||||
--
|
||||
2.42.1
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,385 +0,0 @@
|
||||
From 90153f1c9631498723450d84e014e25865fecc1b Mon Sep 17 00:00:00 2001
|
||||
From: Peter Jones <pjones@redhat.com>
|
||||
Date: Thu, 15 Mar 2018 14:12:40 -0400
|
||||
Subject: [PATCH 3/9] Add grub2-switch-to-blscfg
|
||||
|
||||
Signed-off-by: Peter Jones <pjones@redhat.com>
|
||||
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||
[jhlavac: Use ${etcdefaultgrub} instead of /etc/default/grub]
|
||||
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
|
||||
[rharwood: skip on ostree installations, migrate man to h2m]
|
||||
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
|
||||
---
|
||||
Makefile.util.def | 7 +
|
||||
docs/man/grub-switch-to-blscfg.h2m | 2 +
|
||||
util/grub-switch-to-blscfg.in | 317 +++++++++++++++++++++++++++++
|
||||
util/grub.d/10_linux.in | 2 +-
|
||||
4 files changed, 327 insertions(+), 1 deletion(-)
|
||||
create mode 100644 docs/man/grub-switch-to-blscfg.h2m
|
||||
create mode 100644 util/grub-switch-to-blscfg.in
|
||||
|
||||
diff --git a/Makefile.util.def b/Makefile.util.def
|
||||
index 6bb30c165..ffedea24a 100644
|
||||
--- a/Makefile.util.def
|
||||
+++ b/Makefile.util.def
|
||||
@@ -1460,6 +1460,13 @@ program = {
|
||||
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
|
||||
};
|
||||
|
||||
+script = {
|
||||
+ name = grub-switch-to-blscfg;
|
||||
+ common = util/grub-switch-to-blscfg.in;
|
||||
+ mansection = 8;
|
||||
+ installdir = sbin;
|
||||
+};
|
||||
+
|
||||
program = {
|
||||
name = grub-glue-efi;
|
||||
mansection = 1;
|
||||
diff --git a/docs/man/grub-switch-to-blscfg.h2m b/docs/man/grub-switch-to-blscfg.h2m
|
||||
new file mode 100644
|
||||
index 000000000..fa341426a
|
||||
--- /dev/null
|
||||
+++ b/docs/man/grub-switch-to-blscfg.h2m
|
||||
@@ -0,0 +1,2 @@
|
||||
+[NAME]
|
||||
+grub-switch-to-blscfg \- switch to using BLS config files
|
||||
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
|
||||
new file mode 100644
|
||||
index 000000000..a851424be
|
||||
--- /dev/null
|
||||
+++ b/util/grub-switch-to-blscfg.in
|
||||
@@ -0,0 +1,317 @@
|
||||
+#! /bin/sh
|
||||
+#
|
||||
+# Set a default boot entry for GRUB.
|
||||
+# Copyright (C) 2004,2009 Free Software Foundation, Inc.
|
||||
+#
|
||||
+# GRUB is free software: you can redistribute it and/or modify
|
||||
+# it under the terms of the GNU General Public License as published by
|
||||
+# the Free Software Foundation, either version 3 of the License, or
|
||||
+# (at your option) any later version.
|
||||
+#
|
||||
+# GRUB is distributed in the hope that it will be useful,
|
||||
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+# GNU General Public License for more details.
|
||||
+#
|
||||
+# You should have received a copy of the GNU General Public License
|
||||
+# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+
|
||||
+#set -eu
|
||||
+
|
||||
+# Initialize some variables.
|
||||
+prefix=@prefix@
|
||||
+exec_prefix=@exec_prefix@
|
||||
+sbindir=@sbindir@
|
||||
+bindir=@bindir@
|
||||
+sysconfdir="@sysconfdir@"
|
||||
+PACKAGE_NAME=@PACKAGE_NAME@
|
||||
+PACKAGE_VERSION=@PACKAGE_VERSION@
|
||||
+datarootdir="@datarootdir@"
|
||||
+datadir="@datadir@"
|
||||
+if [ ! -v pkgdatadir ]; then
|
||||
+ pkgdatadir="${datadir}/@PACKAGE@"
|
||||
+fi
|
||||
+
|
||||
+self=`basename $0`
|
||||
+
|
||||
+grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
|
||||
+grub_editenv=${bindir}/@grub_editenv@
|
||||
+etcdefaultgrub=/etc/default/grub
|
||||
+
|
||||
+eval "$("${grub_get_kernel_settings}")" || true
|
||||
+
|
||||
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
||||
+if [ -d /sys/firmware/efi/efivars/ ]; then
|
||||
+ startlink=/etc/grub2-efi.cfg
|
||||
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
|
||||
+else
|
||||
+ startlink=/etc/grub2.cfg
|
||||
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
||||
+fi
|
||||
+
|
||||
+blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
|
||||
+
|
||||
+backupsuffix=.bak
|
||||
+
|
||||
+arch="$(uname -m)"
|
||||
+
|
||||
+export TEXTDOMAIN=@PACKAGE@
|
||||
+export TEXTDOMAINDIR="@localedir@"
|
||||
+
|
||||
+. "${pkgdatadir}/grub-mkconfig_lib"
|
||||
+
|
||||
+# Usage: usage
|
||||
+# Print the usage.
|
||||
+usage () {
|
||||
+ gettext_printf "Usage: %s\n" "$self"
|
||||
+ gettext "Switch to BLS config files.\n"; echo
|
||||
+ echo
|
||||
+ print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
||||
+ print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
||||
+ echo
|
||||
+ print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
|
||||
+ print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
|
||||
+ print_option_help "--config-file=$(gettext "FILE")" "$startlink"
|
||||
+ print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
|
||||
+ print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
|
||||
+ # echo
|
||||
+ # gettext "Report bugs to <bug-grub@gnu.org>."; echo
|
||||
+}
|
||||
+
|
||||
+argument () {
|
||||
+ opt=$1
|
||||
+ shift
|
||||
+
|
||||
+ if test $# -eq 0; then
|
||||
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ echo $1
|
||||
+}
|
||||
+
|
||||
+# Check the arguments.
|
||||
+while test $# -gt 0
|
||||
+do
|
||||
+ option=$1
|
||||
+ shift
|
||||
+
|
||||
+ case "$option" in
|
||||
+ -h | --help)
|
||||
+ usage
|
||||
+ exit 0 ;;
|
||||
+ -V | --version)
|
||||
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
|
||||
+ exit 0 ;;
|
||||
+
|
||||
+ --backup-suffix)
|
||||
+ backupsuffix=`argument $option "$@"`
|
||||
+ shift
|
||||
+ ;;
|
||||
+ --backup-suffix=*)
|
||||
+ backupsuffix=`echo "$option" | sed 's/--backup-suffix=//'`
|
||||
+ ;;
|
||||
+
|
||||
+ --bls-directory)
|
||||
+ blsdir=`argument $option "$@"`
|
||||
+ shift
|
||||
+ ;;
|
||||
+ --bls-directory=*)
|
||||
+ blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
||||
+ ;;
|
||||
+
|
||||
+ --config-file)
|
||||
+ startlink=`argument $option "$@"`
|
||||
+ shift
|
||||
+ ;;
|
||||
+ --config-file=*)
|
||||
+ startlink=`echo "$option" | sed 's/--config-file=//'`
|
||||
+ ;;
|
||||
+
|
||||
+ --grub-defaults)
|
||||
+ etcdefaultgrub=`argument $option "$@"`
|
||||
+ shift
|
||||
+ ;;
|
||||
+ --grub-defaults=*)
|
||||
+ etcdefaultgrub=`echo "$option" | sed 's/--grub-defaults=//'`
|
||||
+ ;;
|
||||
+
|
||||
+ --grub-directory)
|
||||
+ grubdir=`argument $option "$@"`
|
||||
+ shift
|
||||
+ ;;
|
||||
+ --grub-directory=*)
|
||||
+ grubdir=`echo "$option" | sed 's/--grub-directory=//'`
|
||||
+ ;;
|
||||
+
|
||||
+ *)
|
||||
+ gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
|
||||
+ usage
|
||||
+ exit 1
|
||||
+ ;;
|
||||
+ esac
|
||||
+done
|
||||
+
|
||||
+find_grub_cfg() {
|
||||
+ local candidate=""
|
||||
+ while [ -e "${candidate}" -o $# -gt 0 ]
|
||||
+ do
|
||||
+ if [ ! -e "${candidate}" ] ; then
|
||||
+ candidate="$1"
|
||||
+ shift
|
||||
+ fi
|
||||
+
|
||||
+ if [ -L "${candidate}" ]; then
|
||||
+ candidate="$(realpath "${candidate}")"
|
||||
+ fi
|
||||
+
|
||||
+ if [ -f "${candidate}" ]; then
|
||||
+ export GRUB_CONFIG_FILE="${candidate}"
|
||||
+ return 0
|
||||
+ fi
|
||||
+ done
|
||||
+ return 1
|
||||
+}
|
||||
+
|
||||
+if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
|
||||
+ gettext_printf "Couldn't find config file\n" 1>&2
|
||||
+ exit 1
|
||||
+fi
|
||||
+
|
||||
+if [ ! -d "${blsdir}" ]; then
|
||||
+ install -m 700 -d "${blsdir}"
|
||||
+fi
|
||||
+
|
||||
+if [ -f /etc/machine-id ]; then
|
||||
+ MACHINE_ID=$(cat /etc/machine-id)
|
||||
+else
|
||||
+ MACHINE_ID=$(dmesg | sha256sum)
|
||||
+fi
|
||||
+
|
||||
+mkbls() {
|
||||
+ local kernelver=$1 && shift
|
||||
+ local datetime=$1 && shift
|
||||
+ local kernelopts=$1 && shift
|
||||
+
|
||||
+ local debugname=""
|
||||
+ local debugid=""
|
||||
+ local flavor=""
|
||||
+
|
||||
+ if [ "$kernelver" == *\+* ] ; then
|
||||
+ local flavor=-"${kernelver##*+}"
|
||||
+ if [ "${flavor}" == "-debug" ]; then
|
||||
+ local debugname=" with debugging"
|
||||
+ local debugid="-debug"
|
||||
+ fi
|
||||
+ fi
|
||||
+ (
|
||||
+ source /etc/os-release
|
||||
+
|
||||
+ cat <<EOF
|
||||
+title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
||||
+version ${kernelver}${debugid}
|
||||
+linux /vmlinuz-${kernelver}
|
||||
+initrd /initramfs-${kernelver}.img
|
||||
+options ${kernelopts}
|
||||
+grub_users \$grub_users
|
||||
+grub_arg --unrestricted
|
||||
+grub_class kernel${flavor}
|
||||
+EOF
|
||||
+ ) | cat
|
||||
+}
|
||||
+
|
||||
+copy_bls() {
|
||||
+ for kernelver in $(cd /lib/modules/ ; ls -1) "" ; do
|
||||
+ bls_target="${blsdir}/${MACHINE_ID}-${kernelver}.conf"
|
||||
+ linux="/vmlinuz-${kernelver}"
|
||||
+ linux_path="/boot${linux}"
|
||||
+ kernel_dir="/lib/modules/${kernelver}"
|
||||
+
|
||||
+ if [ ! -d "${kernel_dir}" ] ; then
|
||||
+ continue
|
||||
+ fi
|
||||
+ if [ ! -f "${linux_path}" ]; then
|
||||
+ continue
|
||||
+ fi
|
||||
+
|
||||
+ linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
|
||||
+ bootprefix="${linux_relpath%%"${linux}"}"
|
||||
+ cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
+
|
||||
+ mkbls "${kernelver}" \
|
||||
+ "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
|
||||
+ "${bootprefix}" "${cmdline}" >"${bls_target}"
|
||||
+
|
||||
+ if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
|
||||
+ bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
|
||||
+ cp -aT "${bls_target}" "${bls_debug}"
|
||||
+ title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
|
||||
+ options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
|
||||
+ sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
|
||||
+ sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
|
||||
+ fi
|
||||
+ done
|
||||
+
|
||||
+ if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
|
||||
+ mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
|
||||
+ fi
|
||||
+}
|
||||
+
|
||||
+# The grub2 EFI binary is not copied to the ESP as a part of an ostree
|
||||
+# transaction. Make sure a grub2 version with BLS support is installed
|
||||
+# but only do this if the blsdir is not set, to make sure that the BLS
|
||||
+# parsing module will search for the BLS snippets in the default path.
|
||||
+if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
|
||||
+ ! ${grub_editenv} - list | grep -q blsdir && \
|
||||
+ mountpoint -q /boot; then
|
||||
+ grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
|
||||
+ install -m 700 ${grub_binary} ${grubdir} || exit 1
|
||||
+ # Create a hidden file to indicate that grub2 now has BLS support.
|
||||
+ touch /boot/grub2/.grub2-blscfg-supported
|
||||
+fi
|
||||
+
|
||||
+GENERATE=0
|
||||
+if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
|
||||
+ | grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
|
||||
+ if ! sed -i"${backupsuffix}" \
|
||||
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=true,' \
|
||||
+ "${etcdefaultgrub}" ; then
|
||||
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ GENERATE=1
|
||||
+elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
|
||||
+ if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
|
||||
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+ GENERATE=1
|
||||
+fi
|
||||
+
|
||||
+if [ "${GENERATE}" -eq 1 ] ; then
|
||||
+ copy_bls
|
||||
+
|
||||
+ if [ $arch = "x86_64" ] && [ ! -d /sys/firmware/efi ]; then
|
||||
+ mod_dir="i386-pc"
|
||||
+ elif [ $arch = "ppc64" -o $arch = "ppc64le" ] && [ ! -d /sys/firmware/opal ]; then
|
||||
+ mod_dir="powerpc-ieee1275"
|
||||
+ fi
|
||||
+
|
||||
+ if [ -n "${mod_dir}" ]; then
|
||||
+ for mod in blscfg increment; do
|
||||
+ install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
|
||||
+ done
|
||||
+ fi
|
||||
+
|
||||
+ cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
|
||||
+ if ! grub2-mkconfig -o "${GRUB_CONFIG_FILE}" ; then
|
||||
+ install -m 700 "${GRUB_CONFIG_FILE}${backupsuffix}" "${GRUB_CONFIG_FILE}"
|
||||
+ sed -i"${backupsuffix}" \
|
||||
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=false,' \
|
||||
+ "${etcdefaultgrub}"
|
||||
+ gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
|
||||
+ exit 1
|
||||
+ fi
|
||||
+fi
|
||||
+
|
||||
+# Bye.
|
||||
+exit 0
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index 49eccbeaf..45eefb332 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -147,7 +147,7 @@ blsdir="/boot/loader/entries"
|
||||
|
||||
get_sorted_bls()
|
||||
{
|
||||
- if ! [ -d "${blsdir}" ]; then
|
||||
+ if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
|
||||
return
|
||||
fi
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,117 +0,0 @@
|
||||
From 6c8d390809956d355fed8bc830f64e86838e3e82 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Sat, 18 Nov 2023 21:42:00 +0800
|
||||
Subject: [PATCH 3/4] Restrict 'ls' and auto file completion on cryptodisk
|
||||
print
|
||||
|
||||
The 'ls' command allows file listing, while file completion assists in
|
||||
providing matched file names by partially inputting via the TAB key.
|
||||
Both functionalities should be restricted when the disk is automatically
|
||||
unlocked for the same reasons as highlighted in the previous patch
|
||||
addressing the limitation on file access to the cryptodisk.
|
||||
|
||||
Given that no file is explicitly opened for listing, employing file
|
||||
filters becomes impractical. Consequently, this patch focuses on
|
||||
modifying relevant routines separately to incorporate necessary checks.
|
||||
The objective is to introduce measures that prevent 'ls' and auto file
|
||||
completion from accessing encrypted data when the disk is automatically
|
||||
unlocked.
|
||||
|
||||
By implementing these modifications, any attempt to utilize 'ls' or file
|
||||
completion on the cryptodisk will result in an "Access Denied:
|
||||
prohibited to browse encrypted data" error message, thus effectively
|
||||
alerting the user about the restricted access.
|
||||
|
||||
While protecting content within disk files from viewing is essential,
|
||||
it's equally crucial to restrict access to in-memory content. This
|
||||
includes prohibiting access to the decrypted in-memory copies of disk
|
||||
files.
|
||||
|
||||
This enhancement aims to fortify security protocols by extending
|
||||
restrictions to additional functionalities beyond direct file access.
|
||||
|
||||
Signed-Off-by Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/commands/ls.c | 8 ++++++++
|
||||
grub-core/commands/minicmd.c | 6 ++++++
|
||||
grub-core/kern/corecmd.c | 8 ++++++++
|
||||
grub-core/normal/completion.c | 8 ++++++++
|
||||
4 files changed, 30 insertions(+)
|
||||
|
||||
diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
|
||||
index 8e98c73cc..aeb336a73 100644
|
||||
--- a/grub-core/commands/ls.c
|
||||
+++ b/grub-core/commands/ls.c
|
||||
@@ -183,6 +183,14 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
|
||||
if (! dev)
|
||||
goto fail;
|
||||
|
||||
+ if (dev->disk &&
|
||||
+ grub_disk_is_crypto (dev->disk) &&
|
||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
fs = grub_fs_probe (dev);
|
||||
path = grub_strchr (dirname, ')');
|
||||
if (! path)
|
||||
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
|
||||
index fa498931e..8f2ac0539 100644
|
||||
--- a/grub-core/commands/minicmd.c
|
||||
+++ b/grub-core/commands/minicmd.c
|
||||
@@ -101,6 +101,12 @@ grub_mini_cmd_dump (struct grub_command *cmd __attribute__ ((unused)),
|
||||
if (argc == 0)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no address specified");
|
||||
|
||||
+ /* NOCAT filter is applied to prevent cat alike command from revealing file
|
||||
+ * content, the dump command should also be prohibited to revealing memory
|
||||
+ * content as well */
|
||||
+ if (grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
||||
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by security policy"));
|
||||
+
|
||||
#if GRUB_CPU_SIZEOF_VOID_P == GRUB_CPU_SIZEOF_LONG
|
||||
#define grub_strtoaddr grub_strtoul
|
||||
#else
|
||||
diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
|
||||
index 62d434ba9..b639bc3ae 100644
|
||||
--- a/grub-core/kern/corecmd.c
|
||||
+++ b/grub-core/kern/corecmd.c
|
||||
@@ -135,6 +135,14 @@ grub_core_cmd_ls (struct grub_command *cmd __attribute__ ((unused)),
|
||||
if (! dev)
|
||||
goto fail;
|
||||
|
||||
+ if (dev->disk &&
|
||||
+ grub_disk_is_crypto (dev->disk) &&
|
||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
fs = grub_fs_probe (dev);
|
||||
path = grub_strchr (argv[0], ')');
|
||||
if (! path)
|
||||
diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
|
||||
index 18cadfa85..d003ec37d 100644
|
||||
--- a/grub-core/normal/completion.c
|
||||
+++ b/grub-core/normal/completion.c
|
||||
@@ -259,6 +259,14 @@ complete_file (void)
|
||||
goto fail;
|
||||
}
|
||||
|
||||
+ if (dev->disk &&
|
||||
+ grub_disk_is_crypto (dev->disk) &&
|
||||
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
fs = grub_fs_probe (dev);
|
||||
if (! fs)
|
||||
{
|
||||
--
|
||||
2.42.1
|
||||
|
@ -20,11 +20,17 @@ Signed-Off-by Michael Chang <mchang@suse.com>
|
||||
include/grub/file.h | 1 +
|
||||
2 files changed, 37 insertions(+)
|
||||
|
||||
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
|
||||
index d3acc4b59..e09296c57 100644
|
||||
--- a/grub-core/commands/crypttab.c
|
||||
+++ b/grub-core/commands/crypttab.c
|
||||
@@ -121,6 +121,41 @@ grub_cryptokey_tpmkey_discard (void)
|
||||
@@ -6,6 +6,7 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/list.h>
|
||||
#include <grub/crypttab.h>
|
||||
+#include <grub/file.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -89,6 +90,41 @@
|
||||
grub_cryptokey_discard();
|
||||
}
|
||||
|
||||
@ -66,26 +72,97 @@ index d3acc4b59..e09296c57 100644
|
||||
static grub_err_t
|
||||
grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
|
||||
int argc, char **argv)
|
||||
@@ -153,6 +188,7 @@ GRUB_MOD_INIT(crypttab)
|
||||
@@ -121,6 +157,8 @@
|
||||
{
|
||||
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
|
||||
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
|
||||
+ grub_file_filter_register (GRUB_FILE_FILTER_DISTRUST, grub_distrust_open);
|
||||
grub_dl_set_persistent (mod);
|
||||
+ grub_dl_set_persistent (mod);
|
||||
}
|
||||
|
||||
diff --git a/include/grub/file.h b/include/grub/file.h
|
||||
index fcfd32ce2..daf23a9c9 100644
|
||||
GRUB_MOD_FINI(crypttab)
|
||||
--- a/include/grub/file.h
|
||||
+++ b/include/grub/file.h
|
||||
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
|
||||
@@ -185,6 +185,7 @@
|
||||
/* Filters with lower ID are executed first. */
|
||||
typedef enum grub_file_filter_id
|
||||
{
|
||||
+ GRUB_FILE_FILTER_DISTRUST,
|
||||
GRUB_FILE_FILTER_NOCAT,
|
||||
GRUB_FILE_FILTER_VERIFY,
|
||||
GRUB_FILE_FILTER_GZIO,
|
||||
--
|
||||
2.42.1
|
||||
GRUB_FILE_FILTER_XZIO,
|
||||
--- a/grub-core/disk/diskfilter.c
|
||||
+++ b/grub-core/disk/diskfilter.c
|
||||
@@ -558,6 +558,39 @@
|
||||
return NULL;
|
||||
}
|
||||
|
||||
+static int
|
||||
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
|
||||
+{
|
||||
+ struct grub_diskfilter_pv *pv;
|
||||
+
|
||||
+ if (!lv)
|
||||
+ return 0;
|
||||
+
|
||||
+ if (lv->vg->pvs)
|
||||
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
|
||||
+ {
|
||||
+ if (!pv->disk)
|
||||
+ {
|
||||
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
|
||||
+ " Some modules may be missing from core image."),
|
||||
+ pv->name);
|
||||
+ continue;
|
||||
+ }
|
||||
+
|
||||
+ switch (pv->disk->dev->id)
|
||||
+ {
|
||||
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
|
||||
+ return 1;
|
||||
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
|
||||
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static grub_err_t
|
||||
grub_diskfilter_open (const char *name, grub_disk_t disk)
|
||||
{
|
||||
@@ -589,6 +622,8 @@
|
||||
|
||||
disk->total_sectors = lv->size;
|
||||
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
|
||||
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
|
||||
+
|
||||
return 0;
|
||||
}
|
||||
|
||||
--- a/include/grub/disk.h
|
||||
+++ b/include/grub/disk.h
|
||||
@@ -147,6 +147,8 @@
|
||||
|
||||
/* Device-specific data. */
|
||||
void *data;
|
||||
+
|
||||
+ int is_crypto_diskfilter;
|
||||
};
|
||||
typedef struct grub_disk *grub_disk_t;
|
||||
|
||||
@@ -317,4 +319,12 @@
|
||||
void grub_diskfilter_fini (void);
|
||||
#endif
|
||||
|
||||
+static inline int
|
||||
+grub_disk_is_crypto (grub_disk_t disk)
|
||||
+{
|
||||
+ return ((disk->is_crypto_diskfilter ||
|
||||
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
|
||||
+ 1 : 0);
|
||||
+}
|
||||
+
|
||||
#endif /* ! GRUB_DISK_HEADER */
|
||||
|
@ -1,19 +1,21 @@
|
||||
From 77316f09f133e9c7c5e1026b2b4f5749daac644a Mon Sep 17 00:00:00 2001
|
||||
From 6701b4a9e1994c8a05c87a7167694bc3dd71e7d6 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Date: Wed, 17 Apr 2024 23:48:51 +0530
|
||||
Subject: [PATCH 7/8] mkimage: create new ELF Note for SBAT
|
||||
Date: Wed, 23 Oct 2024 17:54:32 +0530
|
||||
Subject: [PATCH 7/8] grub-mkimage: Create new ELF note for SBAT
|
||||
|
||||
we add a new ELF note for SBAT which store the SBAT data.
|
||||
The name field of shall be the string "Secure-Boot-Advanced-Targeting", zero-padded
|
||||
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
|
||||
for the string "sbat").
|
||||
In order to store the SBAT data we create a new ELF note. The string
|
||||
".sbat", zero-padded to 4 byte alignment, shall be entered in the name
|
||||
field. The string "SBAT"'s ASCII values, 0x53424154, should be entered
|
||||
in the type field.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Co-authored-by: Daniel Axtens <dja@axtens.net>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
include/grub/util/mkimage.h | 4 +-
|
||||
util/grub-mkimagexx.c | 92 +++++++++++++++++++++++++++----------
|
||||
2 files changed, 71 insertions(+), 25 deletions(-)
|
||||
util/mkimage.c | 5 +-
|
||||
3 files changed, 74 insertions(+), 27 deletions(-)
|
||||
|
||||
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
|
||||
index 6f1da89b9..881e3031f 100644
|
||||
@ -35,24 +37,24 @@ index 6f1da89b9..881e3031f 100644
|
||||
struct grub_mkimage_layout *layout);
|
||||
|
||||
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
|
||||
index 9488f0525..0041b2d0b 100644
|
||||
index 9488f0525..b507d4ade 100644
|
||||
--- a/util/grub-mkimagexx.c
|
||||
+++ b/util/grub-mkimagexx.c
|
||||
@@ -85,6 +85,14 @@ struct grub_ieee1275_note
|
||||
struct grub_ieee1275_note_desc descriptor;
|
||||
@@ -116,6 +116,14 @@ struct section_metadata
|
||||
const char *strtab;
|
||||
};
|
||||
|
||||
+#define GRUB_SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
|
||||
+#define GRUB_SBAT_NOTE_TYPE 0x73626174 /* "sbat" */
|
||||
+#define GRUB_SBAT_NOTE_NAME ".sbat"
|
||||
+#define GRUB_SBAT_NOTE_TYPE 0x53424154 /* "SBAT" */
|
||||
+
|
||||
+struct grub_sbat_note {
|
||||
+ Elf32_Nhdr header;
|
||||
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
|
||||
+};
|
||||
+
|
||||
#define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
|
||||
#define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
|
||||
|
||||
static int
|
||||
is_relocatable (const struct grub_install_image_target_desc *image_target)
|
||||
{
|
||||
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
|
||||
|
||||
void
|
||||
@ -138,8 +140,8 @@ index 9488f0525..0041b2d0b 100644
|
||||
- }
|
||||
+ if (sbat)
|
||||
+ {
|
||||
+ int note_size = ALIGN_UP(sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
|
||||
+ struct grub_sbat_note *note_ptr = (struct grub_sbat_note *)footer;
|
||||
+ int note_size = ALIGN_UP (sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
|
||||
+ struct grub_sbat_note *note_ptr = (struct grub_sbat_note *) footer;
|
||||
+
|
||||
+ note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_SBAT_NOTE_NAME));
|
||||
+ note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(layout->sbat_size, 4));
|
||||
@ -184,6 +186,31 @@ index 9488f0525..0041b2d0b 100644
|
||||
|
||||
{
|
||||
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
|
||||
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||
index 0737935fd..be7f02c5c 100644
|
||||
--- a/util/mkimage.c
|
||||
+++ b/util/mkimage.c
|
||||
@@ -1835,6 +1835,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
case IMAGE_I386_IEEE1275:
|
||||
{
|
||||
grub_uint64_t target_addr;
|
||||
+ char *sbat = NULL;
|
||||
if (image_target->id == IMAGE_LOONGSON_ELF)
|
||||
{
|
||||
if (comp == GRUB_COMPRESSION_NONE)
|
||||
@@ -1846,10 +1847,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
else
|
||||
target_addr = image_target->link_addr;
|
||||
if (image_target->voidp_sizeof == 4)
|
||||
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
||||
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img,
|
||||
&core_size, target_addr, &layout);
|
||||
else
|
||||
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
||||
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img,
|
||||
&core_size, target_addr, &layout);
|
||||
}
|
||||
break;
|
||||
--
|
||||
2.47.0
|
||||
2.47.1
|
||||
|
@ -1,279 +0,0 @@
|
||||
From 96e5a28d120856057fe7fc9b281f11f8933063b7 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Fri, 30 Jun 2023 14:37:41 +0800
|
||||
Subject: [PATCH 7/9] grub-switch-to-blscfg: adapt to openSUSE
|
||||
|
||||
A few tweaks to make it 'just works' for openSUSE:
|
||||
|
||||
- remove RHEL specific $grub_get_kernel_settings and all reference to it.
|
||||
- make $grubdir and $startlink to the path in openSUSE
|
||||
- change the bls template to openSUSE
|
||||
- make $cmdline account for btrfs subvolumes, among others
|
||||
- remove RHEL specific $GRUB_LINUX_MAKE_DEBUG and all related code
|
||||
- remove ostree specific hack
|
||||
- ignore increment.mod
|
||||
- fix error in dash shell script
|
||||
- fix kernel flavor parsing in openSUSE
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
util/grub-switch-to-blscfg.in | 156 ++++++++++++++++++++--------------
|
||||
1 file changed, 94 insertions(+), 62 deletions(-)
|
||||
|
||||
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
|
||||
index a851424be..145c22add 100644
|
||||
--- a/util/grub-switch-to-blscfg.in
|
||||
+++ b/util/grub-switch-to-blscfg.in
|
||||
@@ -28,27 +28,24 @@ PACKAGE_NAME=@PACKAGE_NAME@
|
||||
PACKAGE_VERSION=@PACKAGE_VERSION@
|
||||
datarootdir="@datarootdir@"
|
||||
datadir="@datadir@"
|
||||
-if [ ! -v pkgdatadir ]; then
|
||||
+if [ -z "${pkgdatadir+x}" ]; then
|
||||
pkgdatadir="${datadir}/@PACKAGE@"
|
||||
fi
|
||||
|
||||
self=`basename $0`
|
||||
|
||||
-grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
|
||||
grub_editenv=${bindir}/@grub_editenv@
|
||||
-etcdefaultgrub=/etc/default/grub
|
||||
+grub_probe="${sbindir}/@grub_probe@"
|
||||
+etcdefaultgrub=${sysconfdir}/default/grub
|
||||
|
||||
-eval "$("${grub_get_kernel_settings}")" || true
|
||||
-
|
||||
-EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
|
||||
-if [ -d /sys/firmware/efi/efivars/ ]; then
|
||||
- startlink=/etc/grub2-efi.cfg
|
||||
- grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
|
||||
-else
|
||||
- startlink=/etc/grub2.cfg
|
||||
- grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
||||
+if test -f "$etcdefaultgrub" ; then
|
||||
+ # shellcheck source=/etc/default/grub
|
||||
+ . "$etcdefaultgrub"
|
||||
fi
|
||||
|
||||
+grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
|
||||
+startlink="${grubdir}/grub.cfg"
|
||||
+
|
||||
blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
|
||||
|
||||
backupsuffix=.bak
|
||||
@@ -58,19 +55,80 @@ arch="$(uname -m)"
|
||||
export TEXTDOMAIN=@PACKAGE@
|
||||
export TEXTDOMAINDIR="@localedir@"
|
||||
|
||||
+# shellcheck source=/usr/share/grub2/grub-mkconfig_lib
|
||||
. "${pkgdatadir}/grub-mkconfig_lib"
|
||||
|
||||
+# FIXME: Abort if grub_probe fails
|
||||
+
|
||||
+GRUB_DEVICE="`${grub_probe} --target=device /`"
|
||||
+GRUB_DEVICE_UUID="`${grub_probe} --device ${GRUB_DEVICE} --target=fs_uuid 2> /dev/null`" || true
|
||||
+GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2> /dev/null`" || true
|
||||
+GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"
|
||||
+
|
||||
+# loop-AES arranges things so that /dev/loop/X can be our root device, but
|
||||
+# the initrds that Linux uses don't like that.
|
||||
+case ${GRUB_DEVICE} in
|
||||
+ /dev/loop/*|/dev/loop[0-9])
|
||||
+ GRUB_DEVICE=$(losetup "${GRUB_DEVICE}" | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/")
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+# Default to disabling partition uuid support to maintian compatibility with
|
||||
+# older kernels.
|
||||
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true}
|
||||
+
|
||||
+# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
|
||||
+# and mounting btrfs requires user space scanning, so force UUID in this case.
|
||||
+if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
|
||||
+ || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
|
||||
+ && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
|
||||
+ || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
|
||||
+ && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|
||||
+ || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
|
||||
+ LINUX_ROOT_DEVICE=${GRUB_DEVICE}
|
||||
+elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
|
||||
+ || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
|
||||
+ LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
|
||||
+else
|
||||
+ LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
|
||||
+fi
|
||||
+
|
||||
+if [ "x$GRUB_CONMODE" != "x" ]; then
|
||||
+ GRUB_CMDLINE_LINUX="conmode=${GRUB_CONMODE} ${GRUB_CMDLINE_LINUX}"
|
||||
+fi
|
||||
+
|
||||
+case x"$GRUB_FS" in
|
||||
+ xbtrfs)
|
||||
+ if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" != "xtrue" ]; then
|
||||
+ rootsubvol="`make_system_path_relative_to_its_root /`"
|
||||
+ rootsubvol="${rootsubvol#/}"
|
||||
+ if [ "x${rootsubvol}" != x ] && [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" != "xtrue" ]; then
|
||||
+ GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}"
|
||||
+ fi
|
||||
+ fi
|
||||
+ ;;
|
||||
+ xzfs)
|
||||
+ rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true`
|
||||
+ bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`"
|
||||
+ LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}"
|
||||
+ ;;
|
||||
+esac
|
||||
+
|
||||
+if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
|
||||
+ LINUX_ROOT_DEVICE=""
|
||||
+fi
|
||||
+
|
||||
# Usage: usage
|
||||
# Print the usage.
|
||||
usage () {
|
||||
gettext_printf "Usage: %s\n" "$self"
|
||||
- gettext "Switch to BLS config files.\n"; echo
|
||||
+ gettext "Switch to BLS config files. Only for testing purpose !!!\n"; echo
|
||||
echo
|
||||
print_option_help "-h, --help" "$(gettext "print this message and exit")"
|
||||
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
|
||||
echo
|
||||
print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
|
||||
- print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
|
||||
+ print_option_help "--bls-directory=$(gettext "DIR")" "Noop, always $blsdir"
|
||||
print_option_help "--config-file=$(gettext "FILE")" "$startlink"
|
||||
print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
|
||||
print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
|
||||
@@ -112,11 +170,15 @@ do
|
||||
;;
|
||||
|
||||
--bls-directory)
|
||||
- blsdir=`argument $option "$@"`
|
||||
+ # blsdir=`argument $option "$@"`
|
||||
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
|
||||
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
|
||||
shift
|
||||
;;
|
||||
--bls-directory=*)
|
||||
- blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
||||
+ # blsdir=`echo "$option" | sed 's/--bls-directory=//'`
|
||||
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
|
||||
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
|
||||
;;
|
||||
|
||||
--config-file)
|
||||
@@ -172,7 +234,7 @@ find_grub_cfg() {
|
||||
return 1
|
||||
}
|
||||
|
||||
-if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
|
||||
+if ! find_grub_cfg "${startlink}" ; then
|
||||
gettext_printf "Couldn't find config file\n" 1>&2
|
||||
exit 1
|
||||
fi
|
||||
@@ -190,27 +252,24 @@ fi
|
||||
mkbls() {
|
||||
local kernelver=$1 && shift
|
||||
local datetime=$1 && shift
|
||||
+ local prefix=$1 && shift
|
||||
local kernelopts=$1 && shift
|
||||
|
||||
- local debugname=""
|
||||
- local debugid=""
|
||||
local flavor=""
|
||||
|
||||
- if [ "$kernelver" == *\+* ] ; then
|
||||
- local flavor=-"${kernelver##*+}"
|
||||
- if [ "${flavor}" == "-debug" ]; then
|
||||
- local debugname=" with debugging"
|
||||
- local debugid="-debug"
|
||||
- fi
|
||||
- fi
|
||||
+ case "$kernelver" in
|
||||
+ *-*-*)
|
||||
+ flavor=-"${kernelver##*-}"
|
||||
+ ;;
|
||||
+ esac
|
||||
(
|
||||
- source /etc/os-release
|
||||
+ . /etc/os-release
|
||||
|
||||
cat <<EOF
|
||||
-title ${NAME} (${kernelver}) ${VERSION}${debugname}
|
||||
-version ${kernelver}${debugid}
|
||||
-linux /vmlinuz-${kernelver}
|
||||
-initrd /initramfs-${kernelver}.img
|
||||
+title ${NAME} (${kernelver}) ${VERSION}
|
||||
+version ${kernelver}
|
||||
+linux ${prefix}/vmlinuz-${kernelver}
|
||||
+initrd ${prefix}/initrd-${kernelver}
|
||||
options ${kernelopts}
|
||||
grub_users \$grub_users
|
||||
grub_arg --unrestricted
|
||||
@@ -233,42 +292,15 @@ copy_bls() {
|
||||
continue
|
||||
fi
|
||||
|
||||
- linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
|
||||
- bootprefix="${linux_relpath%%"${linux}"}"
|
||||
+ bootprefix="$(make_system_path_relative_to_its_root /boot)"
|
||||
cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
|
||||
mkbls "${kernelver}" \
|
||||
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
|
||||
"${bootprefix}" "${cmdline}" >"${bls_target}"
|
||||
-
|
||||
- if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
|
||||
- bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
|
||||
- cp -aT "${bls_target}" "${bls_debug}"
|
||||
- title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
|
||||
- options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
|
||||
- sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
|
||||
- sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
|
||||
- fi
|
||||
done
|
||||
-
|
||||
- if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
|
||||
- mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
|
||||
- fi
|
||||
}
|
||||
|
||||
-# The grub2 EFI binary is not copied to the ESP as a part of an ostree
|
||||
-# transaction. Make sure a grub2 version with BLS support is installed
|
||||
-# but only do this if the blsdir is not set, to make sure that the BLS
|
||||
-# parsing module will search for the BLS snippets in the default path.
|
||||
-if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
|
||||
- ! ${grub_editenv} - list | grep -q blsdir && \
|
||||
- mountpoint -q /boot; then
|
||||
- grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
|
||||
- install -m 700 ${grub_binary} ${grubdir} || exit 1
|
||||
- # Create a hidden file to indicate that grub2 now has BLS support.
|
||||
- touch /boot/grub2/.grub2-blscfg-supported
|
||||
-fi
|
||||
-
|
||||
GENERATE=0
|
||||
if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
|
||||
| grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
|
||||
@@ -297,9 +329,7 @@ if [ "${GENERATE}" -eq 1 ] ; then
|
||||
fi
|
||||
|
||||
if [ -n "${mod_dir}" ]; then
|
||||
- for mod in blscfg increment; do
|
||||
- install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
|
||||
- done
|
||||
+ install -m 700 "${pkgdatadir}/${mod_dir}/blscfg.mod" "${grubdir}/$mod_dir/" || exit 1
|
||||
fi
|
||||
|
||||
cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
|
||||
@@ -311,6 +341,8 @@ if [ "${GENERATE}" -eq 1 ] ; then
|
||||
gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
|
||||
exit 1
|
||||
fi
|
||||
+else
|
||||
+ gettext_printf "Do nothing because \$GRUB_ENABLE_BLSCFG is already true in %s\n" "${GRUB_CONFIG_FILE}"
|
||||
fi
|
||||
|
||||
# Bye.
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,75 +0,0 @@
|
||||
From 2b0e6effc31ec166bbbe35a3cd2b4c73051f38bb Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Fri, 16 Jun 2023 15:54:50 +0800
|
||||
Subject: [PATCH 8/9] blscfg: reading bls fragments if boot present
|
||||
|
||||
The Boot Loader Specification (BLS) designates the EFI System Partition
|
||||
(ESP) as a primary location for $BOOT, where boot menu entries can be
|
||||
stored. The specification encourages boot loaders to retrieve menu
|
||||
entries from the ESP, even when XBOOTLDR is present.
|
||||
|
||||
This commit aligns with the BLS specification by introducing the
|
||||
capability to search for the ESP in addition to the default root
|
||||
partition or any specified location via blscfg's command line. The $boot
|
||||
environment variable is utilized as a reference to the ESP device for
|
||||
the blscfg command. Initialization of $boot in grub.cfg is demonstrated
|
||||
as follows:
|
||||
|
||||
insmod part_gpt
|
||||
insmod fat
|
||||
search --no-floppy --fs-uuid --set=boot F414-5A9F
|
||||
|
||||
If $boot is unset, no additional search for the BLS location will be
|
||||
performed.
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/commands/blscfg.c | 10 ++++++++++
|
||||
util/grub.d/10_linux.in | 3 ++-
|
||||
2 files changed, 12 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
|
||||
index c872bcef0..cbe2a289e 100644
|
||||
--- a/grub-core/commands/blscfg.c
|
||||
+++ b/grub-core/commands/blscfg.c
|
||||
@@ -1186,6 +1186,7 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
|
||||
char *entry_id = NULL;
|
||||
bool show_default = true;
|
||||
bool show_non_default = true;
|
||||
+ const char *boot = NULL;
|
||||
|
||||
if (argc == 1) {
|
||||
if (grub_strcmp (args[0], "default") == 0) {
|
||||
@@ -1205,6 +1206,15 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
|
||||
if (r)
|
||||
return r;
|
||||
|
||||
+ boot = grub_env_get("boot");
|
||||
+ path = (boot) ? grub_xasprintf("(%s)" GRUB_BLS_CONFIG_PATH, boot) : NULL;
|
||||
+ if (path)
|
||||
+ {
|
||||
+ bls_load_entries(path);
|
||||
+ grub_print_error();
|
||||
+ }
|
||||
+ grub_free(path);
|
||||
+
|
||||
return bls_create_entries(show_default, show_non_default, entry_id);
|
||||
}
|
||||
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index 45eefb332..edf0fca55 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -201,7 +201,8 @@ populate_menu()
|
||||
}
|
||||
|
||||
# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
||||
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
|
||||
+# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
|
||||
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
|
||||
GRUB_ENABLE_BLSCFG="true"
|
||||
fi
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 312edf1f0ebaebba72e348ae88d95b29fa24c09c Mon Sep 17 00:00:00 2001
|
||||
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Date: Wed, 23 Oct 2024 17:54:33 +0530
|
||||
Subject: [PATCH 8/8] grub-mkimage: Add SBAT metadata into ELF note for PowerPC
|
||||
targets
|
||||
|
||||
The SBAT metadata is read from CSV file and transformed into an ELF note
|
||||
with the -s option.
|
||||
|
||||
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
util/mkimage.c | 11 +++++++++--
|
||||
1 file changed, 9 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||
index be7f02c5c..d3948937b 100644
|
||||
--- a/util/mkimage.c
|
||||
+++ b/util/mkimage.c
|
||||
@@ -958,8 +958,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
total_module_size += dtb_size + sizeof (struct grub_module_header);
|
||||
}
|
||||
|
||||
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
|
||||
- grub_util_error (_(".sbat section can be embedded into EFI images only"));
|
||||
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
|
||||
+ grub_util_error (_("SBAT data can be added only to EFI or powerpc-ieee1275 images"));
|
||||
|
||||
if (disable_shim_lock)
|
||||
total_module_size += sizeof (struct grub_module_header);
|
||||
@@ -1836,6 +1836,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
{
|
||||
grub_uint64_t target_addr;
|
||||
char *sbat = NULL;
|
||||
+ if (sbat_path != NULL)
|
||||
+ {
|
||||
+ sbat_size = grub_util_get_image_size (sbat_path);
|
||||
+ sbat = xmalloc (sbat_size);
|
||||
+ grub_util_load_image (sbat_path, sbat);
|
||||
+ layout.sbat_size = sbat_size;
|
||||
+ }
|
||||
if (image_target->id == IMAGE_LOONGSON_ELF)
|
||||
{
|
||||
if (comp == GRUB_COMPRESSION_NONE)
|
||||
--
|
||||
2.47.1
|
||||
|
@ -1,66 +0,0 @@
|
||||
From 32d4823762e5a0e7f8bfc5a878d39e1a019392fe Mon Sep 17 00:00:00 2001
|
||||
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Date: Thu, 18 Apr 2024 00:00:55 +0530
|
||||
Subject: [PATCH 8/8] mkimage: adding sbat data into sbat ELF Note on powerpc
|
||||
|
||||
it reads the SBAT data from sbat.csv and create the ELF Note for it then
|
||||
store the SBAT data on it while generate image with -s option
|
||||
|
||||
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
|
||||
Co-authored-by: Daniel Axtens <dja@axtens.net>
|
||||
---
|
||||
util/mkimage.c | 23 +++++++++++++++++------
|
||||
1 file changed, 17 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||
index 0737935fd..136e4a90c 100644
|
||||
--- a/util/mkimage.c
|
||||
+++ b/util/mkimage.c
|
||||
@@ -958,8 +958,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
total_module_size += dtb_size + sizeof (struct grub_module_header);
|
||||
}
|
||||
|
||||
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
|
||||
- grub_util_error (_(".sbat section can be embedded into EFI images only"));
|
||||
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
|
||||
+ grub_util_error (_(".sbat section can be embedded into EFI images/"
|
||||
+ "sbat ELF Note cab be added into powerpc-ieee1275 images only"));
|
||||
|
||||
if (disable_shim_lock)
|
||||
total_module_size += sizeof (struct grub_module_header);
|
||||
@@ -1835,6 +1836,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
case IMAGE_I386_IEEE1275:
|
||||
{
|
||||
grub_uint64_t target_addr;
|
||||
+ char *sbat = NULL;
|
||||
+
|
||||
+ if (sbat_path != NULL)
|
||||
+ {
|
||||
+ sbat_size = grub_util_get_image_size (sbat_path);
|
||||
+ sbat = xmalloc (sbat_size);
|
||||
+ grub_util_load_image (sbat_path, sbat);
|
||||
+ layout.sbat_size = sbat_size;
|
||||
+ }
|
||||
+
|
||||
if (image_target->id == IMAGE_LOONGSON_ELF)
|
||||
{
|
||||
if (comp == GRUB_COMPRESSION_NONE)
|
||||
@@ -1846,11 +1857,11 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||
else
|
||||
target_addr = image_target->link_addr;
|
||||
if (image_target->voidp_sizeof == 4)
|
||||
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
||||
- &core_size, target_addr, &layout);
|
||||
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img, &core_size,
|
||||
+ target_addr, &layout);
|
||||
else
|
||||
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
||||
- &core_size, target_addr, &layout);
|
||||
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img, &core_size,
|
||||
+ target_addr, &layout);
|
||||
}
|
||||
break;
|
||||
}
|
||||
--
|
||||
2.47.0
|
||||
|
@ -1,252 +0,0 @@
|
||||
From abd8b83cdc6398c52c7d2b71b378938cf51872fd Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Wed, 13 Mar 2024 15:26:42 +0800
|
||||
Subject: [PATCH 9/9] 10_linux: Some refinement for BLS
|
||||
|
||||
Remove BLS_POPULATE_MENU as it is not being used currently and removing
|
||||
kernelopts assignment in the grub boot config itself to fully delegate
|
||||
the responsibility of generating kernel options to a functioning BLS
|
||||
generator.
|
||||
|
||||
Additionally, removing unused dead code, which is often blamed for
|
||||
causing errors in the dash shell script.
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
util/grub.d/10_linux.in | 194 ----------------------------------------
|
||||
1 file changed, 194 deletions(-)
|
||||
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index edf0fca55..666eae995 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -93,11 +93,7 @@ fi
|
||||
|
||||
populate_header_warn()
|
||||
{
|
||||
-if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
||||
- bls_parser="10_linux script"
|
||||
-else
|
||||
bls_parser="blscfg command"
|
||||
-fi
|
||||
cat <<EOF
|
||||
|
||||
# This section was generated by a script. Do not modify the generated file - all changes
|
||||
@@ -110,102 +106,6 @@ cat <<EOF
|
||||
EOF
|
||||
}
|
||||
|
||||
-read_config()
|
||||
-{
|
||||
- config_file=${1}
|
||||
- title=""
|
||||
- initrd=""
|
||||
- options=""
|
||||
- linux=""
|
||||
- grub_arg=""
|
||||
-
|
||||
- while read -r line
|
||||
- do
|
||||
- record=$(echo ${line} | cut -f 1 -d ' ')
|
||||
- value=$(echo ${line} | cut -s -f2- -d ' ')
|
||||
- case "${record}" in
|
||||
- "title")
|
||||
- title=${value}
|
||||
- ;;
|
||||
- "initrd")
|
||||
- initrd=${value}
|
||||
- ;;
|
||||
- "linux")
|
||||
- linux=${value}
|
||||
- ;;
|
||||
- "options")
|
||||
- options=${value}
|
||||
- ;;
|
||||
- "grub_arg")
|
||||
- grub_arg=${value}
|
||||
- ;;
|
||||
- esac
|
||||
- done < ${config_file}
|
||||
-}
|
||||
-
|
||||
-blsdir="/boot/loader/entries"
|
||||
-
|
||||
-get_sorted_bls()
|
||||
-{
|
||||
- if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
|
||||
- return
|
||||
- fi
|
||||
-
|
||||
- local IFS=$'\n'
|
||||
-
|
||||
- files=($(for bls in ${blsdir}/*.conf; do
|
||||
- if ! [[ -e "${bls}" ]] ; then
|
||||
- continue
|
||||
- fi
|
||||
- bls="${bls%.conf}"
|
||||
- bls="${bls##*/}"
|
||||
- echo "${bls}"
|
||||
- done | ${kernel_sort} 2>/dev/null | tac)) || :
|
||||
-
|
||||
- echo "${files[@]}"
|
||||
-}
|
||||
-
|
||||
-update_bls_cmdline()
|
||||
-{
|
||||
- local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
- local -a files=($(get_sorted_bls))
|
||||
-
|
||||
- for bls in "${files[@]}"; do
|
||||
- local options="${cmdline}"
|
||||
- if [ -z "${bls##*debug*}" ]; then
|
||||
- options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
|
||||
- fi
|
||||
- options="$(echo "${options}" | sed -e 's/\//\\\//g')"
|
||||
- sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
|
||||
- done
|
||||
-}
|
||||
-
|
||||
-populate_menu()
|
||||
-{
|
||||
- local -a files=($(get_sorted_bls))
|
||||
-
|
||||
- gettext_printf "Generating boot entries from BLS files...\n" >&2
|
||||
-
|
||||
- for bls in "${files[@]}"; do
|
||||
- read_config "${blsdir}/${bls}.conf"
|
||||
-
|
||||
- menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
|
||||
- menu="${menu}\t linux ${linux} ${options}\n"
|
||||
- if [ -n "${initrd}" ] ; then
|
||||
- menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
|
||||
- fi
|
||||
- menu="${menu}}\n\n"
|
||||
- done
|
||||
- # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
|
||||
- printf "$menu"
|
||||
-}
|
||||
-
|
||||
-# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
|
||||
-# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
|
||||
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
|
||||
- GRUB_ENABLE_BLSCFG="true"
|
||||
-fi
|
||||
-
|
||||
if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
||||
if [ x$dirname = x/ ]; then
|
||||
if [ -z "${prepare_root_cache}" ]; then
|
||||
@@ -225,111 +125,17 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
|
||||
prepare_grub_to_access_device_with_variable boot ${boot_device}
|
||||
fi
|
||||
|
||||
- arch="$(uname -m)"
|
||||
- if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
|
||||
-
|
||||
- BLS_POPULATE_MENU="true"
|
||||
- petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
|
||||
-
|
||||
- if test -e ${petitboot_path}; then
|
||||
- read -r -d '' petitboot_version < ${petitboot_path}
|
||||
- petitboot_version="$(echo ${petitboot_version//v})"
|
||||
-
|
||||
- if test -n ${petitboot_version}; then
|
||||
- major_version="$(echo ${petitboot_version} | cut -d . -f1)"
|
||||
- minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
|
||||
-
|
||||
- re='^[0-9]+$'
|
||||
- if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
|
||||
- ([[ ${major_version} -gt 1 ]] ||
|
||||
- [[ ${major_version} -eq 1 &&
|
||||
- ${minor_version} -ge 8 ]]); then
|
||||
- BLS_POPULATE_MENU="false"
|
||||
- fi
|
||||
- fi
|
||||
- fi
|
||||
- fi
|
||||
-
|
||||
populate_header_warn
|
||||
|
||||
- cat << EOF
|
||||
-# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
|
||||
-# entries populated from BootLoaderSpec files that use this variable work correctly even
|
||||
-# without a grubenv file, define a fallback kernelopts variable if this has not been set.
|
||||
-#
|
||||
-# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
|
||||
-# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
|
||||
-# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
|
||||
-# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
|
||||
-if [ -z "\${kernelopts}" ]; then
|
||||
- set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
|
||||
-fi
|
||||
-EOF
|
||||
-
|
||||
- update_bls_cmdline
|
||||
-
|
||||
- if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
|
||||
- populate_menu
|
||||
- else
|
||||
cat << EOF
|
||||
|
||||
insmod blscfg
|
||||
blscfg
|
||||
EOF
|
||||
- fi
|
||||
-
|
||||
- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
|
||||
- blsdir="/boot/loader/entries"
|
||||
- [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
|
||||
- if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
|
||||
- blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
|
||||
- if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
|
||||
- ${grub_editenv} - set blsdir="${blsdir}"
|
||||
- fi
|
||||
- fi
|
||||
-
|
||||
- if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
|
||||
- ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
|
||||
- fi
|
||||
-
|
||||
- if [ -n "${GRUB_DEFAULT_DTB}" ]; then
|
||||
- ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
|
||||
- fi
|
||||
-
|
||||
- if [ -n "${GRUB_SAVEDEFAULT}" ]; then
|
||||
- ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
|
||||
- fi
|
||||
- fi
|
||||
|
||||
exit 0
|
||||
fi
|
||||
|
||||
-mktitle ()
|
||||
-{
|
||||
- local title_type
|
||||
- local version
|
||||
- local OS_NAME
|
||||
- local OS_VERS
|
||||
-
|
||||
- title_type=$1 && shift
|
||||
- version=$1 && shift
|
||||
-
|
||||
- OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
|
||||
- OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
|
||||
-
|
||||
- case $title_type in
|
||||
- recovery)
|
||||
- title=$(printf '%s (%s) %s (recovery mode)' \
|
||||
- "${OS_NAME}" "${version}" "${OS_VERS}")
|
||||
- ;;
|
||||
- *)
|
||||
- title=$(printf '%s (%s) %s' \
|
||||
- "${OS_NAME}" "${version}" "${OS_VERS}")
|
||||
- ;;
|
||||
- esac
|
||||
- echo -n ${title}
|
||||
-}
|
||||
-
|
||||
title_correction_code=
|
||||
|
||||
hotkey=1
|
||||
--
|
||||
2.45.2
|
||||
|
@ -1,5 +1,7 @@
|
||||
--- a/include/grub/tpm.h
|
||||
+++ b/include/grub/tpm.h
|
||||
Index: grub-2.12/include/grub/tpm.h
|
||||
===================================================================
|
||||
--- grub-2.12.orig/include/grub/tpm.h
|
||||
+++ grub-2.12/include/grub/tpm.h
|
||||
@@ -36,6 +36,12 @@
|
||||
|
||||
#define EV_IPL 0x0d
|
||||
@ -13,7 +15,7 @@
|
||||
grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
|
||||
grub_uint8_t pcr, const char *description);
|
||||
int grub_tpm_present (void);
|
||||
@@ -45,5 +51,7 @@
|
||||
@@ -45,5 +51,7 @@ grub_is_tpm_fail_fatal (void)
|
||||
{
|
||||
return grub_env_get_bool ("tpm_fail_fatal", false);
|
||||
}
|
||||
@ -21,29 +23,32 @@
|
||||
+void grub_tpm_digest_free (struct grub_tpm_digest *d);
|
||||
|
||||
#endif
|
||||
--- a/grub-core/commands/efi/tpm.c
|
||||
+++ b/grub-core/commands/efi/tpm.c
|
||||
@@ -24,6 +24,7 @@
|
||||
#include <grub/efi/efi.h>
|
||||
#include <grub/efi/cc.h>
|
||||
#include <grub/efi/tpm.h>
|
||||
+#include <grub/tpm2/tpm2.h>
|
||||
#include <grub/mm.h>
|
||||
Index: grub-2.12/grub-core/commands/efi/tpm.c
|
||||
===================================================================
|
||||
--- grub-2.12.orig/grub-core/commands/efi/tpm.c
|
||||
+++ grub-2.12/grub-core/commands/efi/tpm.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include <grub/tpm.h>
|
||||
#include <grub/term.h>
|
||||
@@ -186,6 +187,91 @@
|
||||
|
||||
+#include <tpm2_cmd.h>
|
||||
+
|
||||
typedef TCG_PCR_EVENT grub_tpm_event_t;
|
||||
|
||||
static grub_guid_t tpm_guid = EFI_TPM_GUID;
|
||||
@@ -186,6 +188,91 @@ grub_tpm1_log_event (grub_efi_handle_t t
|
||||
return grub_efi_log_event_status (status);
|
||||
}
|
||||
|
||||
+static void
|
||||
+grub_tpm2_select_pcr(TPML_PCR_SELECTION *o, unsigned int pcrIndex, unsigned int algo)
|
||||
+grub_tpm2_select_pcr (TPML_PCR_SELECTION_t *o, unsigned int pcrIndex, unsigned int algo)
|
||||
+{
|
||||
+ TPMS_PCR_SELECTION *pcr;
|
||||
+ TPMS_PCR_SELECTION_t *pcr;
|
||||
+
|
||||
+ pcr = &o->pcrSelections[o->count++];
|
||||
+ pcr->hash = algo;
|
||||
+ pcr->sizeOfSelect = 3;
|
||||
+ pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
|
||||
+ TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
|
||||
+}
|
||||
+
|
||||
+struct grub_tpm_hash_info {
|
||||
@ -77,10 +82,10 @@
|
||||
+grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct grub_tpm_digest **ret)
|
||||
+{
|
||||
+ const struct grub_tpm_hash_info *info;
|
||||
+ TPML_PCR_SELECTION inSelection, outSelection;
|
||||
+ TPML_PCR_SELECTION_t inSelection, outSelection;
|
||||
+ grub_uint32_t pcrUpdateCounter;
|
||||
+ TPML_DIGEST digests = { 0 };
|
||||
+ TPM2B_DIGEST *d;
|
||||
+ TPML_DIGEST_t digests = { 0 };
|
||||
+ TPM2B_DIGEST_t *d;
|
||||
+ struct grub_tpm_digest *result;
|
||||
+ int rc;
|
||||
+
|
||||
@ -92,7 +97,7 @@
|
||||
+ grub_memset(&outSelection, 0, sizeof(outSelection));
|
||||
+ grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
|
||||
+
|
||||
+ rc = TPM2_PCR_Read(
|
||||
+ rc = grub_tpm2_pcr_read(
|
||||
+ NULL,
|
||||
+ &inSelection,
|
||||
+ &pcrUpdateCounter,
|
||||
@ -123,7 +128,7 @@
|
||||
static grub_err_t
|
||||
grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
|
||||
grub_size_t size, grub_uint8_t pcr,
|
||||
@@ -323,3 +409,26 @@
|
||||
@@ -323,3 +410,26 @@ grub_tpm_present (void)
|
||||
return grub_tpm2_present (tpm);
|
||||
}
|
||||
}
|
||||
@ -150,16 +155,15 @@
|
||||
+
|
||||
+ return result;
|
||||
+}
|
||||
--- a/include/grub/tpm2/tpm2.h
|
||||
+++ b/include/grub/tpm2/tpm2.h
|
||||
@@ -23,6 +23,10 @@
|
||||
#include <grub/tpm2/internal/structs.h>
|
||||
#include <grub/tpm2/internal/functions.h>
|
||||
|
||||
+/* Defined in: TCG TPM Specification, v1.59, Part 2, Section 10.6.1. */
|
||||
+#define TPM2_PCR_TO_SELECT(x) ((x) / 8)
|
||||
+#define TPM2_PCR_TO_BIT(x) (1 << ((x) % 8))
|
||||
+
|
||||
/* Well-Known Windows SRK handle */
|
||||
#define TPM2_SRK_HANDLE 0x81000001
|
||||
Index: grub-2.12/grub-core/Makefile.core.def
|
||||
===================================================================
|
||||
--- grub-2.12.orig/grub-core/Makefile.core.def
|
||||
+++ grub-2.12/grub-core/Makefile.core.def
|
||||
@@ -2606,6 +2606,7 @@ module = {
|
||||
common = commands/tpm.c;
|
||||
efi = commands/efi/tpm.c;
|
||||
enable = efi;
|
||||
+ cppflags = '-I$(srcdir)/lib/tss2';
|
||||
};
|
||||
|
||||
module = {
|
||||
|
4586
grub2-add-tss2-support.patch
Normal file
4586
grub2-add-tss2-support.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -1,4 +1,4 @@
|
||||
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
|
||||
From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Mon, 18 Mar 2024 14:53:11 +0800
|
||||
Subject: [PATCH] key_protector: implement the blocklist
|
||||
@ -15,11 +15,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
||||
include/grub/efi/api.h | 5 +++++
|
||||
2 files changed, 36 insertions(+)
|
||||
|
||||
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
||||
index b84afe1c7..3d630ca4f 100644
|
||||
--- a/grub-core/disk/key_protector.c
|
||||
+++ b/grub-core/disk/key_protector.c
|
||||
@@ -24,6 +24,10 @@
|
||||
Index: grub-2.12/grub-core/disk/key_protector.c
|
||||
===================================================================
|
||||
--- grub-2.12.orig/grub-core/disk/key_protector.c
|
||||
+++ grub-2.12/grub-core/disk/key_protector.c
|
||||
@@ -25,6 +25,10 @@
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@ -30,7 +30,7 @@ index b84afe1c7..3d630ca4f 100644
|
||||
struct grub_key_protector *grub_key_protectors = NULL;
|
||||
|
||||
grub_err_t
|
||||
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
|
||||
@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
@ -64,10 +64,10 @@ index b84afe1c7..3d630ca4f 100644
|
||||
+ grub_err_t err;
|
||||
|
||||
if (grub_key_protectors == NULL)
|
||||
return GRUB_ERR_OUT_OF_RANGE;
|
||||
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
|
||||
"Is the name spelled correctly and is the "
|
||||
"corresponding module loaded?"), protector);
|
||||
return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
|
||||
@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
|
||||
if (kp == NULL)
|
||||
return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
|
||||
|
||||
+ err = grub_key_protector_check_blocklist ();
|
||||
+ if (err != GRUB_ERR_NONE)
|
||||
@ -75,10 +75,10 @@ index b84afe1c7..3d630ca4f 100644
|
||||
+
|
||||
return kp->recover_key (key, key_size);
|
||||
}
|
||||
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
|
||||
index 7947cf592..975b90b09 100644
|
||||
--- a/include/grub/efi/api.h
|
||||
+++ b/include/grub/efi/api.h
|
||||
Index: grub-2.12/include/grub/efi/api.h
|
||||
===================================================================
|
||||
--- grub-2.12.orig/include/grub/efi/api.h
|
||||
+++ grub-2.12/include/grub/efi/api.h
|
||||
@@ -389,6 +389,11 @@
|
||||
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
|
||||
}
|
||||
@ -91,6 +91,3 @@ index 7947cf592..975b90b09 100644
|
||||
struct grub_efi_sal_system_table
|
||||
{
|
||||
grub_uint32_t signature;
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
361
grub2-s390x-secure-execution-support.patch
Normal file
361
grub2-s390x-secure-execution-support.patch
Normal file
@ -0,0 +1,361 @@
|
||||
From 023b569648eece7a7fe2ae38d731185a1f2abeb5 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Fri, 23 Aug 2024 09:57:03 +0800
|
||||
Subject: [PATCH] s390x: add Secure Execution support
|
||||
|
||||
To support Secure Execution, 2 extra files and 5 environment variables
|
||||
are introduced.
|
||||
|
||||
- se-parm.conf.in
|
||||
The template file for the kernel parameter to be used by 'genprotimg'
|
||||
|
||||
- se-zipl2grub.conf.in
|
||||
The template file of zipl.conf for secure execution
|
||||
|
||||
- SUSE_S390_SE_ENABLE
|
||||
The variable to enable s390x Secure Execution
|
||||
|
||||
- SUSE_S390_SE_HOST_KEY
|
||||
The variable to set the file list to the host key documents
|
||||
|
||||
- SUSE_S390_SE_HOST_KEY_SIGNING_KEY
|
||||
The variable to set the file list to the signing key certificates
|
||||
|
||||
- SUSE_S390_SE_CA_CERT
|
||||
The variable to set the file path to the CA certificate
|
||||
|
||||
- SUSE_S390_SE_REVOCATION_LIST
|
||||
The variable to set the file list of the host key revocation lists
|
||||
|
||||
When enabling Secure Execution, the zipl initrd is generated in
|
||||
"/dev/shm/zipl-se" instead of "/boot/zipl" because the zipl initrd
|
||||
may contain the LUKS key for the encrypted root partition. Then,
|
||||
'genprotimg' stores the encrypted image, a combination of the zipl
|
||||
kernel, zipl initrd, and the kernel parameters, as
|
||||
"/boot/secure-linux-$version". To make the image ready for zipl,
|
||||
it is copied to "/boot/zipl/secure-linux-$version" and linked to
|
||||
"/boot/zipl/secure-linux" which is expected by the zipl config.
|
||||
---
|
||||
Makefile.util.def | 17 +++
|
||||
util/s390x/se-parm.conf.in | 1 +
|
||||
util/s390x/se-zipl2grub.conf.in | 17 +++
|
||||
util/s390x/zipl2grub.pl.in | 202 ++++++++++++++++++++++++++------
|
||||
4 files changed, 198 insertions(+), 39 deletions(-)
|
||||
create mode 100644 util/s390x/se-parm.conf.in
|
||||
create mode 100644 util/s390x/se-zipl2grub.conf.in
|
||||
|
||||
diff --git a/Makefile.util.def b/Makefile.util.def
|
||||
index ffedea24a..722542933 100644
|
||||
--- a/Makefile.util.def
|
||||
+++ b/Makefile.util.def
|
||||
@@ -796,6 +796,23 @@ data = {
|
||||
emu_condition = COND_s390x;
|
||||
};
|
||||
|
||||
+data = {
|
||||
+ name = se-parm.conf.in;
|
||||
+ common = util/s390x/se-parm.conf.in;
|
||||
+ installdir = grubconf;
|
||||
+ enable = emu;
|
||||
+ emu_condition = COND_s390x;
|
||||
+};
|
||||
+
|
||||
+data = {
|
||||
+ name = se-zipl2grub.conf.in;
|
||||
+ common = util/s390x/se-zipl2grub.conf.in;
|
||||
+ installdir = grubconf;
|
||||
+ enable = emu;
|
||||
+ emu_condition = COND_s390x;
|
||||
+};
|
||||
+
|
||||
+
|
||||
script = {
|
||||
name = dracut-module-setup.sh;
|
||||
common = util/s390x/dracut-module-setup.sh.in;
|
||||
diff --git a/util/s390x/se-parm.conf.in b/util/s390x/se-parm.conf.in
|
||||
new file mode 100644
|
||||
index 000000000..63959b753
|
||||
--- /dev/null
|
||||
+++ b/util/s390x/se-parm.conf.in
|
||||
@@ -0,0 +1 @@
|
||||
+root=@GRUB_DEVICE@ @GRUB_EMU_CONMODE@ @GRUB_CMDLINE_LINUX@ @GRUB_CMDLINE_LINUX_DEFAULT@ initgrub quiet splash=silent plymouth.enable=0
|
||||
diff --git a/util/s390x/se-zipl2grub.conf.in b/util/s390x/se-zipl2grub.conf.in
|
||||
new file mode 100644
|
||||
index 000000000..e9feeb9b6
|
||||
--- /dev/null
|
||||
+++ b/util/s390x/se-zipl2grub.conf.in
|
||||
@@ -0,0 +1,17 @@
|
||||
+## This is the template for '@zipldir@/config' and is subject to
|
||||
+## rpm's %config file handling in case of grub2-s390x-emu package update.
|
||||
+
|
||||
+[defaultboot]
|
||||
+defaultmenu = menu
|
||||
+
|
||||
+[grub2-secure]
|
||||
+ target = @zipldir@
|
||||
+ image = @zipldir@/secure-linux
|
||||
+
|
||||
+:menu
|
||||
+ target = @zipldir@
|
||||
+ timeout = 60
|
||||
+ default = 1
|
||||
+ prompt = 0
|
||||
+ secure = @SUSE_SECURE_BOOT@
|
||||
+ 1 = grub2-secure
|
||||
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
|
||||
index 46b902209..930ecc4cd 100644
|
||||
--- a/util/s390x/zipl2grub.pl.in
|
||||
+++ b/util/s390x/zipl2grub.pl.in
|
||||
@@ -12,10 +12,19 @@ my $definitrd = "/boot/initrd";
|
||||
my $Image = "$defimage";
|
||||
my $previous = ".prev";
|
||||
my $zipldir = "";
|
||||
+my $imgdir = "";
|
||||
my $running = "";
|
||||
my $refresh = 1; # needs to default to "on" until most bugs are shaken out!
|
||||
my $force = 0;
|
||||
my $hostonly = 1;
|
||||
+my $secure_exec = 0;
|
||||
+my $sehostkey = "";
|
||||
+my $sesignkey = "";
|
||||
+my $secacert = "";
|
||||
+my $serevoke = "";
|
||||
+my $separm= "";
|
||||
+my $se_zipconf = '@sysconfdir@/default/se-zipl2grub.conf.in';
|
||||
+my $se_kernparm = '@sysconfdir@/default/se-parm.conf.in';
|
||||
my $verbose = 0;
|
||||
my $debug = 0;
|
||||
my $miss = 0;
|
||||
@@ -183,6 +192,55 @@ sub ChkInitrd($$) {
|
||||
return $found;
|
||||
}
|
||||
|
||||
+sub GenSEImage($$$$) {
|
||||
+ my( $kernel, $initrd, $parm, $out_image) = @_;
|
||||
+
|
||||
+ # genprotimg -i <kernel-image-file> \
|
||||
+ # -r <initrd-file>> \
|
||||
+ # -p <parm-file> \
|
||||
+ # --host-key-document <host-key-doc> \
|
||||
+ # --cert ibm-z-host-key-signing.crt \
|
||||
+ # --cert DigiCertCA.crt \
|
||||
+ # --crl revocation.crl \
|
||||
+ # -o /boot/zipl/secure-linux
|
||||
+
|
||||
+ my @C = ( "genprotimg", "-i", $kernel, "-r", $initrd, "-p", $parm,
|
||||
+ "--cert", $secacert);
|
||||
+
|
||||
+ # Handle the host key document list
|
||||
+ if ($sehostkey) {
|
||||
+ my @sehostkey_list = split('[,\s]+', $sehostkey);
|
||||
+ my $hkd;
|
||||
+ foreach $hkd (@sehostkey_list) {
|
||||
+ Panic( 1, "$C: host key document '$hkd' not readable!?\n") unless (-r $hkd);
|
||||
+ push @C, "--host-key-document", $hkd;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ # Handle the signing key list
|
||||
+ if ($sesignkey) {
|
||||
+ my @sesignkey_list = split('[,\s]+', $sesignkey);
|
||||
+ my $signkey;
|
||||
+ foreach $signkey (@sesignkey_list) {
|
||||
+ Panic( 1, "$C: signing key '$signkey' not readable!?\n") unless (-r $signkey);
|
||||
+ push @C, "--cert", $signkey;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ # Handle the revocation list files
|
||||
+ if ($serevoke) {
|
||||
+ my @serevoke_list = split('[,\s]+', $serevoke);
|
||||
+ my $crl;
|
||||
+ foreach $crl (@serevoke_list) {
|
||||
+ Panic( 1, "$C: revocation list '$crl' not readable!?\n") unless (-r $crl);
|
||||
+ push @C, "--crl", $crl;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ push @C, "-o", "$out_image";
|
||||
+ System( @C);
|
||||
+}
|
||||
+
|
||||
sub Usage($) {
|
||||
my @cat = ("",
|
||||
"Parameter error.",
|
||||
@@ -401,49 +459,91 @@ if ( $debug && $verbose > 2 ) {
|
||||
}
|
||||
}
|
||||
|
||||
-open( IN, "< $in") ||
|
||||
- Panic( 1, "$C: Failed to open 'zipl.conf' template: $!.\n");
|
||||
-while ( <IN> ) {
|
||||
- Info( 4, "$.. <$_$.. >");
|
||||
- if ( $. == 1 && m{^## This} ) {
|
||||
- $_ = "## This file was written by 'grub2-install/$C'\n" .
|
||||
- "## filling '$in' as template\n";
|
||||
- } elsif ( $. == 2 && m{^## rpm's} ) {
|
||||
- $_ = "## with values from '$default'.\n" .
|
||||
- "## In-place modifications will eventually go missing!\n";
|
||||
+#
|
||||
+# s390x Secure Execution variables
|
||||
+#
|
||||
+# SUSE_S390_SE_ENABLE: enabling s390x Secure Execution
|
||||
+# SUSE_S390_SE_HOST_KEY: the host key
|
||||
+# SUSE_S390_SE_HOST_KEY_SIGNING_KEY: the signing key of the host key
|
||||
+# SUSE_S390_SE_CA_CERT: the CA certificate
|
||||
+# SUSE_S390_SE_REVOCATION_LIST: the revocation list
|
||||
+#
|
||||
+if ( -r $C{SUSE_S390_SE_HOST_KEY} && -r $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY} &&
|
||||
+ -r $C{SUSE_S390_SE_CA_CERT}) {
|
||||
+
|
||||
+ $sehostkey = $C{SUSE_S390_SE_HOST_KEY};
|
||||
+ $sesignkey = $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY};
|
||||
+ $secacert = $C{SUSE_S390_SE_CA_CERT};
|
||||
+
|
||||
+ $serevoke = $C{SUSE_S390_SE_REVOCATION_LIST} if $C{SUSE_S390_SE_REVOCATION_LIST};
|
||||
+
|
||||
+ if ( $C{SUSE_S390_SE_ENABLE} =~ m{^(yes|true|1)$} ) {
|
||||
+ $secure_exec = 1;
|
||||
}
|
||||
- while ( m{\@([^\@\s]+)\@} ) {
|
||||
- my $k = $1;
|
||||
- my $v;
|
||||
- if ( exists( $C{$k}) ) {
|
||||
- $v = $C{$k};
|
||||
- } elsif ( exists( $Mandatory{$k}) ) {
|
||||
- $v = "$k";
|
||||
- $miss++;
|
||||
- } else {
|
||||
- $v = "";
|
||||
+}
|
||||
+
|
||||
+sub MkConfig($$) {
|
||||
+ my( $template, $name) = @_;
|
||||
+ open( IN, "< $template") ||
|
||||
+ Panic( 1, "$C: Failed to open '$name' template: $!.\n");
|
||||
+ while ( <IN> ) {
|
||||
+ Info( 4, "$.. <$_$.. >");
|
||||
+ if ( $. == 1 && m{^## This} ) {
|
||||
+ $_ = "## This file was written by 'grub2-install/$C'\n" .
|
||||
+ "## filling '$template' as template\n";
|
||||
+ } elsif ( $. == 2 && m{^## rpm's} ) {
|
||||
+ $_ = "## with values from '$default'.\n" .
|
||||
+ "## In-place modifications will eventually go missing!\n";
|
||||
}
|
||||
- if ($k eq "GRUB_DEVICE") {
|
||||
- if (($v !~ /^UUID/ && ! -e $v) ||
|
||||
- (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
|
||||
- $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
|
||||
- s{root=\@$k\@}{}g;
|
||||
- next;
|
||||
+ while ( m{\@([^\@\s]+)\@} ) {
|
||||
+ my $k = $1;
|
||||
+ my $v;
|
||||
+ if ( exists( $C{$k}) ) {
|
||||
+ $v = $C{$k};
|
||||
+ } elsif ( exists( $Mandatory{$k}) ) {
|
||||
+ $v = "$k";
|
||||
+ $miss++;
|
||||
+ } else {
|
||||
+ $v = "";
|
||||
+ }
|
||||
+ if ($k eq "GRUB_DEVICE") {
|
||||
+ if (($v !~ /^UUID/ && ! -e $v) ||
|
||||
+ (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
|
||||
+ $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
|
||||
+ s{root=\@$k\@}{}g;
|
||||
+ next;
|
||||
+ }
|
||||
}
|
||||
+ s{\@$k\@}{$v}g;
|
||||
}
|
||||
- s{\@$k\@}{$v}g;
|
||||
+ Info( 3, $_);
|
||||
+ $cfg .= $_;
|
||||
+ }
|
||||
+ if ( $miss ) {
|
||||
+ Info( 1, "Partially filled config:\n===\n$cfg===\n");
|
||||
+ Panic( 1, "$C: '$name' template could not be filled. \n");
|
||||
}
|
||||
- Info( 3, $_);
|
||||
- $cfg .= $_;
|
||||
}
|
||||
-if ( $miss ) {
|
||||
- Info( 1, "Partially filled config:\n===\n$cfg===\n");
|
||||
- Panic( 1, "$C: 'zipl.conf' template could not be filled. \n");
|
||||
+
|
||||
+if ( $secure_exec ) {
|
||||
+ # create the kernel parameter file
|
||||
+ MkConfig($se_kernparm, "parm.conf");
|
||||
+ $separm = $cfg;
|
||||
+
|
||||
+ # clean up $cfg to reuse the variable for zipl.conf
|
||||
+ $cfg = "";
|
||||
+ MkConfig($se_zipconf, "zipl.conf");
|
||||
+ $imgdir = "/dev/shm/zipl-se";
|
||||
+
|
||||
+ mkdir ($imgdir, 0700) unless (-d $imgdir);
|
||||
+} else {
|
||||
+ MkConfig($in, "zipl.conf");
|
||||
+ $imgdir = $zipldir;
|
||||
}
|
||||
|
||||
# copy out kernel and initrd
|
||||
-my $ziplimage = "$zipldir/image";
|
||||
-my $ziplinitrd = "$zipldir/initrd";
|
||||
+my $ziplimage = "$imgdir/image";
|
||||
+my $ziplinitrd = "$imgdir/initrd";
|
||||
|
||||
if ( ! $running && ! $force ) {
|
||||
chomp( $running = qx{uname -r});
|
||||
@@ -478,18 +578,42 @@ my $initrd = "initrd-$version";
|
||||
$image = "image-$version";
|
||||
|
||||
if ( ! -r $ziplimage || ! -r $ziplinitrd || $refresh ) {
|
||||
- BootCopy( $Image, $image, $zipldir, "image");
|
||||
- BootCopy( $initrd, $initrd, $zipldir, "initrd")
|
||||
+ BootCopy( $Image, $image, $imgdir, "image");
|
||||
+ BootCopy( $initrd, $initrd, $imgdir, "initrd")
|
||||
if (-r "/boot/$initrd" && ! exists( $fsdev{"/boot"}));
|
||||
}
|
||||
-if ( $refresh || ChkInitrd( $zipldir, "initrd") <= 0 ) {
|
||||
- MkInitrd( $initrd, $zipldir, $version);
|
||||
+if ( $refresh || ChkInitrd( $imgdir, "initrd") <= 0 ) {
|
||||
+ MkInitrd( $initrd, $imgdir, $version);
|
||||
}
|
||||
-if ( ChkInitrd( $zipldir, "initrd") == 0 ) {
|
||||
+if ( ChkInitrd( $imgdir, "initrd") == 0 ) {
|
||||
Info( 0, "$C: dracut does not work as expected! Help needed!\n");
|
||||
$miss++;
|
||||
}
|
||||
|
||||
+if ( $secure_exec ) {
|
||||
+ my $seimage = "secure-linux-$version";
|
||||
+ my $parmconf = "$imgdir/parm.conf";
|
||||
+ my $bootseimg = "/boot/$seimage";
|
||||
+
|
||||
+ # write parm.conf
|
||||
+ if ( ! $debug ) {
|
||||
+ open( OUT, "> $parmconf") || die;
|
||||
+ print( OUT $separm) || die;
|
||||
+ close( OUT);
|
||||
+ } else {
|
||||
+ print( STDERR $separm);
|
||||
+ }
|
||||
+
|
||||
+ # Create the secure-execution image in /boot first
|
||||
+ GenSEImage( $ziplimage, $ziplinitrd, $parmconf, $bootseimg );
|
||||
+
|
||||
+ # check /boot/$seimage
|
||||
+ Panic( 1, "$C: Secure Image '$bootseimg' not readable!?\n") unless (-r "$bootseimg");
|
||||
+
|
||||
+ # copy /boot/$seimage to $zipldir
|
||||
+ BootCopy($seimage, $seimage, $zipldir, "secure-linux");
|
||||
+}
|
||||
+
|
||||
# write zipl config file
|
||||
my $ziplconf = "$zipldir/config";
|
||||
$cfg =~ s{#@}{}g if ( -r "$ziplimage$previous" && -r "$ziplinitrd$previous" );
|
||||
--
|
||||
2.43.0
|
||||
|
@ -1,3 +1,24 @@
|
||||
From 2a86e5f9e3abb622d2e16ee5f05b1ba2df1f756d Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 6 Aug 2024 14:46:17 +0800
|
||||
Subject: [PATCH] zipl2grub.pl.in: add the switch for hostonly/no-hostonly
|
||||
|
||||
Since the kiwi build environment could be very different from the real
|
||||
system environment, it may cause some problem to build the zipl initrd
|
||||
with '--hostonly' since some critical files could be omitted
|
||||
accidentally. To avoid the potential issues, this commit introduces a
|
||||
variable, SUSE_S390_DRACUT_HOSTONLY, as the switch to use hostonly or
|
||||
no-hostonly for the zipl initrd. By default, it's detected automatically
|
||||
by tracing the root partition to the root block device. If the root
|
||||
block device is a loop device, then it's likely to be a build
|
||||
environment, and then '--no-hostonly' will be used to create the zipl
|
||||
initrd.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
util/s390x/zipl2grub.pl.in | 26 +++++++++++++++++++++++++-
|
||||
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
|
||||
index f4f997100..46b902209 100644
|
||||
--- a/util/s390x/zipl2grub.pl.in
|
||||
@ -50,3 +71,6 @@ index f4f997100..46b902209 100644
|
||||
if ( $debug && $verbose > 2 ) {
|
||||
foreach ( sort( keys( %C)) ) {
|
||||
printf( "%s=\"%s\"\n", $_, $C{$_});
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
101
grub2.changes
101
grub2.changes
@ -1,3 +1,104 @@
|
||||
-------------------------------------------------------------------
|
||||
Sun Dec 8 10:22:43 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Update PowerPC SBAT patches to upstream (bsc#1233730)
|
||||
* 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
|
||||
* 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
|
||||
- Replaced patches
|
||||
* 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
|
||||
* 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Dec 6 16:40:54 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix missing requires in SLE package (bsc#1234264) (bsc#1234272)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Tue Dec 3 07:18:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Update the TPM2 patches to the upstream final version
|
||||
* Update 0001-key_protector-Add-key-protectors-framework.patch
|
||||
* Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
|
||||
grub2-add-tss2-support.patch
|
||||
* Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
|
||||
0001-key_protector-Add-TPM2-Key-Protector.patch
|
||||
* Replace 0005-util-grub-protect-Add-new-tool.patch with
|
||||
0001-util-grub-protect-Add-new-tool.patch
|
||||
* Replace 0001-tpm2-Implement-NV-index.patch with
|
||||
0001-tpm2_key_protector-Implement-NV-index.patch
|
||||
* Replace 0001-tpm2-Support-authorized-policy.patch with
|
||||
0001-tpm2_key_protector-Support-authorized-policy.patch
|
||||
- Refresh the TPM2 related patches
|
||||
* grub-read-pcr.patch
|
||||
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
|
||||
* grub2-bsc1220338-key_protector-implement-the-blocklist.patch
|
||||
* safe_tpm_pcr_snapshot.patch
|
||||
* tpm-record-pcrs.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 29 05:56:22 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
|
||||
|
||||
- Support s390x Secure Execution (jsc#PED-9531)
|
||||
* grub2-s390x-secure-execution-support.patch
|
||||
- Update grub2-s390x-set-hostonly.patch to add the patch header
|
||||
and the description
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 13 01:09:47 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Revert the patches related to BLS support in grub2-mkconfig, as they are not
|
||||
relevant to the current BLS integration and cause issues in older KIWI
|
||||
versions, which actively force it to be enabled by default (bsc#1233196)
|
||||
* 0002-Add-BLS-support-to-grub-mkconfig.patch
|
||||
* 0003-Add-grub2-switch-to-blscfg.patch
|
||||
* 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
|
||||
* 0008-blscfg-reading-bls-fragments-if-boot-present.patch
|
||||
* 0009-10_linux-Some-refinement-for-BLS.patch
|
||||
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 8 14:42:12 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix previous change as the variable has to be set earlier
|
||||
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 8 05:21:47 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Do not enable blscfg on s390-emu
|
||||
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Nov 6 07:45:21 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix xen package contains debug_info files with the .module suffix by moving
|
||||
them to a separate xen-debug subpackage (bsc#1232573)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 1 08:46:36 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix grub.cfg is loaded from an unexpected fallback directory instead of the
|
||||
root directory during PXE boot when grub is loaded from the tftp root
|
||||
directory (bsc#1232391)
|
||||
* 0001-kern-main-Fix-cmdpath-in-root-directory.patch
|
||||
* grub2.spec: Refine PPC grub.elf early config to derive root from cmdpath
|
||||
directly, avoiding the unneeded search
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 30 08:24:15 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
|
||||
- Restrict CLI access if the encrypted root device is automatically unlocked by
|
||||
the TPM. LUKS password authentication is required for access to be granted
|
||||
* 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
|
||||
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
|
||||
- Obsolete, as CLI access is now locked and granted access no longer requires
|
||||
the previous restrictions
|
||||
* 0002-Restrict-file-access-on-cryptodisk-print.patch
|
||||
* 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
|
||||
- Rediff
|
||||
* 0004-Key-revocation-on-out-of-bound-file-access.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Oct 30 00:44:41 UTC 2024 - Michael Chang <mchang@suse.com>
|
||||
|
||||
|
115
grub2.spec
115
grub2.spec
@ -339,10 +339,10 @@ Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch
|
||||
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
|
||||
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
|
||||
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
|
||||
Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
|
||||
Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch
|
||||
Patch151: grub2-add-tss2-support.patch
|
||||
Patch152: 0001-key_protector-Add-TPM2-Key-Protector.patch
|
||||
Patch153: 0004-cryptodisk-Support-key-protectors.patch
|
||||
Patch154: 0005-util-grub-protect-Add-new-tool.patch
|
||||
Patch154: 0001-util-grub-protect-Add-new-tool.patch
|
||||
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
|
||||
Patch156: 0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
|
||||
Patch157: 0010-templates-import-etc-crypttab-to-grub.cfg.patch
|
||||
@ -356,7 +356,7 @@ Patch164: 0003-ieee1275-change-the-logic-of-ieee1275_get_devargs.patch
|
||||
Patch165: 0004-ofpath-controller-name-update.patch
|
||||
Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
|
||||
Patch167: grub2-increase-crypttab-path-buffer.patch
|
||||
Patch170: 0001-tpm2-Support-authorized-policy.patch
|
||||
Patch170: 0001-tpm2_key_protector-Support-authorized-policy.patch
|
||||
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
|
||||
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
|
||||
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
|
||||
@ -368,7 +368,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
|
||||
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
|
||||
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
|
||||
Patch183: grub2-change-bash-completion-dir.patch
|
||||
Patch184: 0001-tpm2-Implement-NV-index.patch
|
||||
Patch184: 0001-tpm2_key_protector-Implement-NV-index.patch
|
||||
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
|
||||
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
|
||||
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
|
||||
@ -377,8 +377,6 @@ Patch189: arm64-Use-proper-memory-type-for-kernel-allocation.patch
|
||||
Patch190: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
|
||||
Patch191: Fix-the-size-calculation-for-the-synthesized-initrd.patch
|
||||
Patch192: 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
|
||||
Patch193: 0002-Restrict-file-access-on-cryptodisk-print.patch
|
||||
Patch194: 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
|
||||
Patch195: 0004-Key-revocation-on-out-of-bound-file-access.patch
|
||||
# Workaround for 2.12 tarball
|
||||
Patch196: fix_no_extra_deps_in_release_tarball.patch
|
||||
@ -394,14 +392,9 @@ Patch205: 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
|
||||
Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
|
||||
Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch
|
||||
Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
|
||||
Patch209: 0002-Add-BLS-support-to-grub-mkconfig.patch
|
||||
Patch210: 0003-Add-grub2-switch-to-blscfg.patch
|
||||
Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
|
||||
Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch
|
||||
Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch
|
||||
Patch214: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
|
||||
Patch215: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
|
||||
Patch216: 0009-10_linux-Some-refinement-for-BLS.patch
|
||||
Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
|
||||
Patch218: grub2-s390x-set-hostonly.patch
|
||||
Patch219: 0001-bli-Fix-crash-in-get_part_uuid.patch
|
||||
@ -415,10 +408,42 @@ Patch226: 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
|
||||
Patch227: 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
|
||||
Patch228: 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
|
||||
Patch229: 0006-appendedsig-documentation.patch
|
||||
Patch230: 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
|
||||
Patch231: 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
|
||||
Patch230: 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
|
||||
Patch231: 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
|
||||
Patch232: 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
|
||||
Patch233: 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
|
||||
Patch234: 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
|
||||
Patch235: 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
|
||||
Patch236: 0001-kern-main-Fix-cmdpath-in-root-directory.patch
|
||||
Patch237: grub2-s390x-secure-execution-support.patch
|
||||
|
||||
%if 0%{?suse_version} <= 1600
|
||||
Requires: gettext-runtime
|
||||
%if 0%{?suse_version} >= 1140
|
||||
%ifnarch s390x
|
||||
Recommends: os-prober
|
||||
%endif
|
||||
# xorriso not available using grub2-mkrescue (bnc#812681)
|
||||
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
|
||||
Suggests: libburnia-tools
|
||||
Suggests: mtools
|
||||
%endif
|
||||
%ifarch s390x
|
||||
# required utilities by grub2-s390x-04-grub2-install.patch
|
||||
# use 'showconsole' to determine console device. (bnc#876743)
|
||||
Requires: kexec-tools
|
||||
Requires: (/sbin/showconsole or /usr/sbin/showconsole)
|
||||
# for /sbin/zipl used by grub2-zipl-setup
|
||||
Requires: s390-tools
|
||||
%endif
|
||||
%ifarch ppc64 ppc64le
|
||||
Requires: powerpc-utils
|
||||
%endif
|
||||
%ifarch %{ix86}
|
||||
# meanwhile, memtest is available as EFI executable
|
||||
Recommends: memtest86+
|
||||
%endif
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} > 1600
|
||||
# Always requires a default cpu-platform package
|
||||
@ -445,9 +470,7 @@ computer architectures and hardware devices.
|
||||
%package common
|
||||
Summary: Utilies to manage grub
|
||||
Group: System/Boot
|
||||
%endif
|
||||
Requires: gettext-runtime
|
||||
%if 0%{?suse_version} >= 1140
|
||||
%ifnarch s390x
|
||||
Recommends: os-prober
|
||||
%endif
|
||||
@ -455,7 +478,6 @@ Recommends: os-prober
|
||||
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
|
||||
Suggests: libburnia-tools
|
||||
Suggests: mtools
|
||||
%endif
|
||||
%ifarch s390x
|
||||
# required utilities by grub2-s390x-04-grub2-install.patch
|
||||
# use 'showconsole' to determine console device. (bnc#876743)
|
||||
@ -472,7 +494,6 @@ Requires: powerpc-utils
|
||||
Recommends: memtest86+
|
||||
%endif
|
||||
|
||||
%if 0%{?suse_version} > 1600
|
||||
%description common
|
||||
This package includes user space utlities to manage GRUB on your system.
|
||||
%endif
|
||||
@ -638,6 +659,18 @@ Provides: %{name}-%{grubxenarch}:%{_datadir}/%{name}/%{grubxenarch}/zfsinf
|
||||
%description %{grubxenarch}-extras
|
||||
Unsupported modules for %{name}-%{grubxenarch}
|
||||
|
||||
%package %{grubxenarch}-debug
|
||||
Summary: Debug symbols for %{grubxenarch}
|
||||
Group: System/Boot
|
||||
BuildArch: noarch
|
||||
Requires: %{name}-%{grubxenarch} = %{version}
|
||||
|
||||
%description %{grubxenarch}-debug
|
||||
Debug symbols for %{name}-%{grubxenarch}
|
||||
|
||||
Information on how to debug grub can be found online:
|
||||
https://www.cnblogs.com/coryxie/archive/2013/03/12/2956807.html
|
||||
|
||||
%endif
|
||||
|
||||
%package snapper-plugin
|
||||
@ -770,7 +803,7 @@ CD_MODULES="all_video boot cat configfile echo true \
|
||||
PXE_MODULES="tftp http"
|
||||
CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 crypttab"
|
||||
%ifarch %{efi}
|
||||
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tpm2 memdisk tar squash4 xzio blscfg"
|
||||
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg"
|
||||
PXE_MODULES="${PXE_MODULES} efinet"
|
||||
%else
|
||||
CD_MODULES="${CD_MODULES} net ofnet"
|
||||
@ -868,7 +901,7 @@ mksquashfs ./boot memdisk.sqsh -keep-as-directory -comp xz -quiet -no-progress
|
||||
%{?sbat_generation:--sbat sbat.csv} \
|
||||
-d grub-core \
|
||||
all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt png reboot video \
|
||||
fat tpm tpm2 memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
|
||||
fat tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
|
||||
%endif
|
||||
|
||||
%ifarch x86_64 aarch64
|
||||
@ -948,8 +981,6 @@ echo "bpath=$bpath"
|
||||
if regexp '^(tftp|http)$' "$bdev"; then
|
||||
if [ -z "$bpath" ]; then
|
||||
echo "network booting via $bdev but firmware didn't provide loaded path from sever root"
|
||||
bpath="/boot/grub2/powerpc-ieee1275"
|
||||
echo "using bpath=$bpath as fallback path"
|
||||
fi
|
||||
elif [ -z "$ENV_FS_UUID" ]; then
|
||||
echo "Reading vars from ($bdev)"
|
||||
@ -994,6 +1025,17 @@ set prefix=""
|
||||
set root=""
|
||||
set cfg="grub.cfg"
|
||||
|
||||
if regexp '^(tftp|http)$' "$bdev"; then
|
||||
cfg_dir=""
|
||||
root="$bdev$bpart"
|
||||
if [ -z "$bpath" ]; then
|
||||
bpath="/boot/grub2/powerpc-ieee1275"
|
||||
echo "using bpath=$bpath as fallback path"
|
||||
fi
|
||||
prefix="($root)$bpath"
|
||||
cfg="grub.cfg"
|
||||
fi
|
||||
|
||||
for uuid in $ENV_CRYPTO_UUID; do
|
||||
cryptomount -u $uuid
|
||||
done
|
||||
@ -1176,7 +1218,11 @@ rm -f $R%{_sysconfdir}/grub.d/20_ppc_terminfo
|
||||
|
||||
%ifarch s390x
|
||||
mv $R%{_sysconfdir}/{grub.d,default}/zipl2grub.conf.in
|
||||
mv $R%{_sysconfdir}/{grub.d,default}/se-zipl2grub.conf.in
|
||||
mv $R%{_sysconfdir}/{grub.d,default}/se-parm.conf.in
|
||||
chmod 600 $R%{_sysconfdir}/default/zipl2grub.conf.in
|
||||
chmod 600 $R%{_sysconfdir}/default/se-zipl2grub.conf.in
|
||||
chmod 600 $R%{_sysconfdir}/default/se-parm.conf.in
|
||||
|
||||
%define dracutlibdir %{_prefix}/lib/dracut
|
||||
%define dracutgrubmoddir %{dracutlibdir}/modules.d/99grub2
|
||||
@ -1211,9 +1257,9 @@ perl -ni -e '
|
||||
# EXTRA_PATTERN='pattern1|pattern2|pattern3|...'
|
||||
EXTRA_PATTERN="zfs"
|
||||
%ifarch %{ix86} x86_64
|
||||
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -type f | sed 's,%{buildroot},,' > %{grubxenarch}-all.lst
|
||||
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}.lst
|
||||
grep -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}-extras.lst
|
||||
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -name '*.mod' | sed 's,%{buildroot},,' > %{grubxenarch}-mod-all.lst
|
||||
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod.lst
|
||||
grep -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod-extras.lst
|
||||
%endif
|
||||
|
||||
%ifarch %{efi}
|
||||
@ -1342,6 +1388,8 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
||||
%endif
|
||||
%ifarch s390x
|
||||
%config(noreplace) %{_sysconfdir}/default/zipl2grub.conf.in
|
||||
%config(noreplace) %{_sysconfdir}/default/se-zipl2grub.conf.in
|
||||
%config(noreplace) %{_sysconfdir}/default/se-parm.conf.in
|
||||
%{dracutlibdir}
|
||||
%{_sbindir}/%{name}-zipl-setup
|
||||
%{_datadir}/%{name}/zipl-refresh
|
||||
@ -1352,7 +1400,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
||||
%{_sbindir}/%{name}-probe
|
||||
%{_sbindir}/%{name}-reboot
|
||||
%{_sbindir}/%{name}-set-default
|
||||
%{_sbindir}/%{name}-switch-to-blscfg
|
||||
%{_sbindir}/%{name}-check-default
|
||||
%{_bindir}/%{name}-editenv
|
||||
%{_bindir}/%{name}-file
|
||||
@ -1405,7 +1452,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
||||
%{_mandir}/man8/%{name}-probe.8.*
|
||||
%{_mandir}/man8/%{name}-reboot.8.*
|
||||
%{_mandir}/man8/%{name}-set-default.8.*
|
||||
%{_mandir}/man8/%{name}-switch-to-blscfg.8.*
|
||||
%if %{emu}
|
||||
%{_bindir}/%{name}-emu
|
||||
%{_mandir}/man1/%{name}-emu.1.*
|
||||
@ -1526,16 +1572,27 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
|
||||
%{_libdir}/snapper/plugins/grub
|
||||
|
||||
%ifarch %{ix86} x86_64
|
||||
%files %{grubxenarch} -f %{grubxenarch}.lst
|
||||
%files %{grubxenarch} -f %{grubxenarch}-mod.lst
|
||||
%defattr(-,root,root,-)
|
||||
%dir %{_datadir}/%{name}/%{grubxenarch}
|
||||
# provide compatibility sym-link for VM definitions pointing to old location
|
||||
%dir %{_libdir}/%{name}
|
||||
%{_libdir}/%{name}/%{grubxenarch}
|
||||
%{_datadir}/%{name}/%{grubxenarch}/grub.xen
|
||||
%{_datadir}/%{name}/%{grubxenarch}/*.img
|
||||
%{_datadir}/%{name}/%{grubxenarch}/*.lst
|
||||
%{_datadir}/%{name}/%{grubxenarch}/kernel.exec
|
||||
%{_datadir}/%{name}/%{grubxenarch}/modinfo.sh
|
||||
|
||||
%files %{grubxenarch}-extras -f %{grubxenarch}-extras.lst
|
||||
%files %{grubxenarch}-extras -f %{grubxenarch}-mod-extras.lst
|
||||
%defattr(-,root,root,-)
|
||||
%dir %{_datadir}/%{name}/%{grubxenarch}
|
||||
|
||||
%files %{grubxenarch}-debug
|
||||
%defattr(-,root,root,-)
|
||||
%{_datadir}/%{name}/%{grubxenarch}/gdb_grub
|
||||
%{_datadir}/%{name}/%{grubxenarch}/gdb_helper.py
|
||||
%{_datadir}/%{name}/%{grubxenarch}/*.module
|
||||
%endif
|
||||
|
||||
%if 0%{?has_systemd:1}
|
||||
|
@ -3,20 +3,21 @@
|
||||
util/grub-install.c | 6 ++++--
|
||||
2 files changed, 40 insertions(+), 12 deletions(-)
|
||||
|
||||
--- a/grub-core/commands/tpm.c
|
||||
+++ b/grub-core/commands/tpm.c
|
||||
@@ -27,8 +27,10 @@
|
||||
Index: grub-2.12/grub-core/commands/tpm.c
|
||||
===================================================================
|
||||
--- grub-2.12.orig/grub-core/commands/tpm.c
|
||||
+++ grub-2.12/grub-core/commands/tpm.c
|
||||
@@ -27,7 +27,9 @@
|
||||
#include <grub/verify.h>
|
||||
#include <grub/dl.h>
|
||||
#include <grub/extcmd.h>
|
||||
+#ifdef GRUB_MACHINE_EFI
|
||||
#include <grub/tpm2/tpm2.h>
|
||||
#include <grub/efi/efi.h>
|
||||
+#endif
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -97,12 +99,6 @@
|
||||
@@ -96,12 +98,6 @@ struct grub_file_verifier grub_tpm_verif
|
||||
.verify_string = grub_tpm_verify_string,
|
||||
};
|
||||
|
||||
@ -29,7 +30,7 @@
|
||||
static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
|
||||
{
|
||||
{
|
||||
@@ -118,6 +114,14 @@
|
||||
@@ -117,6 +113,14 @@ static const struct grub_arg_option grub
|
||||
{0, 0, 0, 0, 0, 0}
|
||||
};
|
||||
|
||||
@ -44,7 +45,7 @@
|
||||
static grub_err_t
|
||||
grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned int *index)
|
||||
{
|
||||
@@ -269,6 +273,10 @@
|
||||
@@ -268,6 +272,10 @@ grub_tpm_record_pcrs (grub_extcmd_contex
|
||||
grub_size_t size = 0;
|
||||
int n, rv = 1;
|
||||
|
||||
@ -55,7 +56,7 @@
|
||||
if (argc == 0)
|
||||
pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
|
||||
else
|
||||
@@ -297,6 +305,18 @@
|
||||
@@ -296,6 +304,18 @@ out:
|
||||
return rv;
|
||||
}
|
||||
|
||||
@ -74,9 +75,11 @@
|
||||
static grub_extcmd_t cmd;
|
||||
|
||||
GRUB_MOD_INIT (tpm)
|
||||
--- a/util/grub-install.c
|
||||
+++ b/util/grub-install.c
|
||||
@@ -1560,8 +1560,9 @@
|
||||
Index: grub-2.12/util/grub-install.c
|
||||
===================================================================
|
||||
--- grub-2.12.orig/util/grub-install.c
|
||||
+++ grub-2.12/util/grub-install.c
|
||||
@@ -1574,8 +1574,9 @@ main (int argc, char *argv[])
|
||||
|
||||
grub_util_unlink (load_cfg);
|
||||
|
||||
@ -87,7 +90,7 @@
|
||||
load_cfg_f = grub_util_fopen (load_cfg, "wb");
|
||||
have_load_cfg = 1;
|
||||
fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
|
||||
@@ -1569,7 +1570,8 @@
|
||||
@@ -1583,7 +1584,8 @@ main (int argc, char *argv[])
|
||||
|
||||
if (debug_image && debug_image[0])
|
||||
{
|
||||
|
@ -1,16 +1,17 @@
|
||||
--- a/grub-core/commands/tpm.c
|
||||
+++ b/grub-core/commands/tpm.c
|
||||
@@ -26,6 +26,9 @@
|
||||
Index: grub-2.12/grub-core/commands/tpm.c
|
||||
===================================================================
|
||||
--- grub-2.12.orig/grub-core/commands/tpm.c
|
||||
+++ grub-2.12/grub-core/commands/tpm.c
|
||||
@@ -26,6 +26,8 @@
|
||||
#include <grub/term.h>
|
||||
#include <grub/verify.h>
|
||||
#include <grub/dl.h>
|
||||
+#include <grub/extcmd.h>
|
||||
+#include <grub/tpm2/tpm2.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
|
||||
GRUB_MOD_LICENSE ("GPLv3+");
|
||||
|
||||
@@ -94,8 +97,214 @@
|
||||
@@ -94,8 +96,214 @@ struct grub_file_verifier grub_tpm_verif
|
||||
.verify_string = grub_tpm_verify_string,
|
||||
};
|
||||
|
||||
@ -225,7 +226,7 @@
|
||||
/*
|
||||
* Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
|
||||
* it does seem to call it late enough in the initialization sequence so
|
||||
@@ -109,6 +318,7 @@
|
||||
@@ -109,6 +317,7 @@ GRUB_MOD_INIT (tpm)
|
||||
|
||||
GRUB_MOD_FINI (tpm)
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user