SLFO-pool/grub2
SHA256
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sync from SUSE:SLFO:Main grub2 revision 3895553f59bc334a749e833369c92c1a

Browse Source
This commit is contained in:
Adrian Schröter 2024-08-23 18:23:36 +02:00
parent eb839a715e
commit a1d205fd6c
34 changed files with 3055 additions and 2167 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch Normal file
View File

@ -0,0 +1,51 @@
From 28440c9b5f83b82b4715554fa5c2d3f013b769e6 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 26 Mar 2024 13:55:53 +0800
Subject: [PATCH] 10_linux: Ensure persistence of root file system mounting
This commit addresses the issue where the by-uuid or by-partuuid device
symlinks might be unavailable in an installation system. Despite the
absence of these symlinks, the resulting system remains fully functional
for mounting the root file system by using persistent names
(root=(UUID|PARTUUID)=).
The patch implemented in this commit aims to prevent fallback to the OS
name as the root= parameter, as persistent names are preferred for
stability and predictability.
To achieve this, the fallback to the OS name won't be triggered if the
corresponding by-uuid or by-partuuid symlinks are missing, ensuring the
use of persistent names. Instead, a warning will be logged for the
missing symlinks, providing visibility into the issue.
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub.d/10_linux.in | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 5531239eb..4d8bdeac2 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -54,14 +54,16 @@ esac
if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
|| ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
&& [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
- || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
- && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|| ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
LINUX_ROOT_DEVICE=${GRUB_DEVICE}
elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
|| [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
+ test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ||
+ echo "WARN: Use PARTUUID=${GRUB_DEVICE_PARTUUID} despite missing by-partuuid symlink" >&2
LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
else
+ test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" ||
+ echo "WARN: Use UUID=${GRUB_DEVICE_UUID} despite missing by-uuid symlink" >&2
LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
fi
--
2.44.0

20
0001-Improve-TPM-key-protection-on-boot-interruptions.patch
View File

@ -1,7 +1,7 @@
From fe7ed9104cef56f9e532a0c9a7164393d5d69ae1 Mon Sep 17 00:00:00 2001
From 27b3e919b9b51a4fedeb3a5aef19c87f0cd7b687 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 17 Nov 2023 12:32:59 +0800
Subject: [PATCH 1/4] Improve TPM key protection on boot interruptions
Subject: [PATCH] Improve TPM key protection on boot interruptions
The unattended boot process for full disk encryption relies on an
authorized TPM policy to ensure the system's integrity before releasing
@ -125,7 +125,7 @@ index c2217ca98..9397bede9 100644
static grub_command_t cmd;
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index c79d4125a..d90ca06dc 100644
index aa0d43562..babc94868 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name,
@ -139,14 +139,14 @@ index c79d4125a..d90ca06dc 100644
dev = grub_cryptodisk_get_by_source_disk (source);
@@ -1183,6 +1186,9 @@ grub_cryptodisk_scan_device_real (const char *name,
ret = grub_cryptodisk_insert (dev, name, source);
if (ret != GRUB_ERR_NONE)
goto error;
ret = grub_cryptodisk_insert (dev, name, source);
if (ret != GRUB_ERR_NONE)
goto error;
+#ifndef GRUB_UTIL
+ is_tpmkey = 1;
+ is_tpmkey = 1;
+#endif
goto cleanup;
}
goto cleanup;
}
}
@@ -1244,7 +1250,7 @@ grub_cryptodisk_scan_device_real (const char *name,
@ -282,5 +282,5 @@ index 113c53cfc..f86404686 100644
+grub_cryptokey_tpmkey_discard (void);
#endif /* ! GRUB_CRYPTTAB_HEADER */
--
2.42.1
2.35.3

7
0001-Unify-the-check-to-enable-btrfs-relative-path.patch
View File

@ -98,7 +98,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
{
if (!load_cfg_f)
load_cfg_f = grub_util_fopen (load_cfg, "wb");
@@ -1670,21 +1708,13 @@
@@ -1670,22 +1708,14 @@
#ifdef __linux__
@ -108,6 +108,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
{
char *subvol = NULL;
char *mount_path = NULL;
grub_uint64_t subvolid = 0;
- char **rootdir_devices = NULL;
- char *t = grub_util_path_concat (2, "/", rootdir);
- char *rootdir_path = grub_canonicalize_file_name (t);
@ -117,10 +118,10 @@ Signed-off-by: Michael Chang <mchang@suse.com>
-
- if (rootdir_devices && rootdir_devices[0])
- if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid);
+
+ if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid);
if (subvol && mount_path)
{

138
0001-grub-install-bailout-root-device-probing.patch
View File

@ -1,4 +1,4 @@
From 58dcf7985b20de876a6fc44a591aa377d0a0302c Mon Sep 17 00:00:00 2001
From db67bd0800c69f94fa3696351e7387515464d30c Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 10 Feb 2022 22:16:58 +0800
Subject: [PATCH] grub-install: bailout root device probing
@ -15,14 +15,26 @@ filesystem in it's own right.
The command is also used by grub-mkconfig for the same purpose.
v2:
Test the root device first before probing to avoid encountering
unexpected errors. If this test fails, the device is considered
irrelevant and of no interest, as it is not useful.
v2.1:
Besides verifying that the target's canonical path can be resolved,
ensure that the target is a block device file.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/osdep/basic/no_platform.c | 5 +++++
grub-core/osdep/unix/platform.c | 34 +++++++++++++++++++++++++++++
grub-core/osdep/windows/platform.c | 6 +++++
include/grub/util/install.h | 3 +++
util/grub-install.c | 31 ++++++++++++++++++--------
5 files changed, 70 insertions(+), 9 deletions(-)
grub-core/osdep/basic/no_platform.c | 5 +++
grub-core/osdep/unix/getroot.c | 67 +++++++++++++++++++++++++++++
grub-core/osdep/unix/platform.c | 34 +++++++++++++++
grub-core/osdep/windows/platform.c | 6 +++
include/grub/emu/getroot.h | 3 ++
include/grub/util/install.h | 3 ++
util/grub-install.c | 45 +++++++++++++++----
7 files changed, 154 insertions(+), 9 deletions(-)
--- a/grub-core/osdep/basic/no_platform.c
+++ b/grub-core/osdep/basic/no_platform.c
@ -35,6 +47,82 @@ Signed-off-by: Michael Chang <mchang@suse.com>
+{
+ return NULL;
+}
--- a/grub-core/osdep/unix/getroot.c
+++ b/grub-core/osdep/unix/getroot.c
@@ -489,6 +489,73 @@
return 0;
}
+#ifdef __linux__
+int
+grub_can_guess_from_mountinfo (const char *dir_in)
+{
+ char **cur;
+ char **os_dev = NULL;
+ char *dir = grub_canonicalize_file_name (dir_in);
+ int ret = 0;
+
+ if (!dir)
+ return 0;
+
+ os_dev = grub_find_root_devices_from_mountinfo (dir, NULL);
+
+ if (!os_dev)
+ os_dev = find_root_devices_from_libzfs (dir);
+
+ if (!os_dev)
+ {
+ free (dir);
+ return 0;
+ }
+
+ for (cur = os_dev; *cur; cur++)
+ {
+ if (strcmp (*cur, "/dev/root") == 0
+ || strncmp (*cur, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0)
+ /* Assume known and good names */
+ continue;
+ else
+ {
+ struct stat st;
+
+ char *tmp = grub_canonicalize_file_name (*cur);
+ if (tmp == NULL)
+ break;
+
+ if (strncmp (tmp, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0)
+ continue;
+
+ if (lstat (tmp, &st) < 0)
+ {
+ free (tmp);
+ break;
+ }
+ free (tmp);
+ if (! S_ISBLK (st.st_mode))
+ /* only block device allowed */
+ break;
+ }
+ }
+
+ if (*cur == NULL)
+ /* no bogus device left, good */
+ ret = 1;
+ else
+ grub_util_info ("`%s' is not os device", *cur);
+
+ for (cur = os_dev; *cur; cur++)
+ free (*cur);
+ free (os_dev);
+ free (dir);
+
+ return ret;
+}
+#endif /* __linux__ */
+
char **
grub_guess_root_devices (const char *dir_in)
{
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -250,3 +250,37 @@
@ -87,6 +175,18 @@ Signed-off-by: Michael Chang <mchang@suse.com>
+{
+ return NULL;
+}
--- a/include/grub/emu/getroot.h
+++ b/include/grub/emu/getroot.h
@@ -35,6 +35,9 @@
char *grub_find_device (const char *dir, dev_t dev);
void grub_util_pull_device (const char *osname);
+#ifdef __linux__
+int grub_can_guess_from_mountinfo (const char *dir);
+#endif
char **grub_guess_root_devices (const char *dir);
int grub_util_get_dev_abstraction (const char *os_dev);
char *grub_make_system_path_relative_to_its_root (const char *path);
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -251,6 +251,9 @@
@ -101,7 +201,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
int
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -887,7 +887,6 @@
@@ -922,7 +922,6 @@
const char *efi_file = NULL;
char **grub_devices;
grub_fs_t grub_fs;
@ -109,7 +209,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
grub_device_t grub_dev = NULL;
enum grub_install_plat platform;
char *grubdir, *device_map;
@@ -1067,8 +1066,10 @@
@@ -1102,10 +1101,22 @@
grub_host_init ();
{
@ -121,8 +221,20 @@ Signed-off-by: Michael Chang <mchang@suse.com>
+
char *t = grub_util_path_concat (2, "/", rootdir);
+#ifdef __linux__
+ if (!grub_can_guess_from_mountinfo (t))
+ {
+ free(t);
+ /* We can safely ignore the root probe here; whichever cannot be
+ * reliably detected is irrelevant and of no interest */
+ goto skip_root_probe;
+ }
+#endif
+
rootdir_path = grub_canonicalize_file_name (t);
@@ -1089,20 +1090,32 @@
if (!rootdir_path)
grub_util_error (_("failed to get canonical path of `%s'"), t);
@@ -1124,22 +1135,38 @@
rootdir_devices[0]);
rootdir_grub_dev = grub_device_open (rootdir_grub_devname);
@ -160,4 +272,10 @@ Signed-off-by: Michael Chang <mchang@suse.com>
+ grub_device_close (rootdir_grub_dev);
}
+#ifdef __linux__
+ skip_root_probe:
+#endif
+
switch (platform)
{
case GRUB_INSTALL_PLATFORM_I386_EFI:

86
0001-protectors-Add-key-protectors-framework.patch → 0001-key_protector-Add-key-protectors-framework.patch
View File

@ -1,7 +1,7 @@
From 5affde982dea827580e36ccc658e439397f51ce8 Mon Sep 17 00:00:00 2001
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:53 -0800
Subject: [PATCH 1/5] protectors: Add key protectors framework
Subject: [PATCH 1/5] key_protector: Add key protectors framework
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
@ -15,40 +15,53 @@ invoking a key protector by name. If a key protector with the specified
name exists and if an unlocking key is successfully retrieved by it, the
function returns to the caller the retrieved key and its length.
Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/protectors.c | 75 +++++++++++++++++++++++++++++++++++++
include/grub/protector.h | 48 ++++++++++++++++++++++++
4 files changed, 125 insertions(+)
create mode 100644 grub-core/kern/protectors.c
create mode 100644 include/grub/protector.h
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 5 +++
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
include/grub/key_protector.h | 46 ++++++++++++++++++++
4 files changed, 130 insertions(+)
create mode 100644 grub-core/disk/key_protector.c
create mode 100644 include/grub/key_protector.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index f18550c1c..9d3d5f519 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@
@@ -90,6 +90,7 @@ endif
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/protector.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index bc893e547..4307b8e2d 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -149,6 +149,7 @@
common = kern/misc.c;
common = kern/parser.c;
common = kern/partition.c;
+ common = kern/protectors.c;
common = kern/rescue_parser.c;
common = kern/rescue_reader.c;
common = kern/term.c;
@@ -1302,6 +1302,11 @@ module = {
common = disk/raid6_recover.c;
};
+module = {
+ name = key_protector;
+ common = disk/key_protector.c;
+};
+
module = {
name = scsi;
common = disk/scsi.c;
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
new file mode 100644
index 000000000..b84afe1c7
--- /dev/null
+++ b/grub-core/kern/protectors.c
@@ -0,0 +1,75 @@
+++ b/grub-core/disk/key_protector.c
@@ -0,0 +1,78 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -67,17 +80,20 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/dl.h>
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+struct grub_key_protector *grub_key_protectors = NULL;
+
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector)
+{
+ if (protector == NULL || protector->name == NULL || grub_strlen(protector->name) == 0)
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+
+ if (grub_key_protectors &&
@ -124,9 +140,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
+
+ return kp->recover_key (key, key_size);
+}
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
new file mode 100644
index 000000000..6e6a6fb24
--- /dev/null
+++ b/include/grub/protector.h
@@ -0,0 +1,48 @@
+++ b/include/grub/key_protector.h
@@ -0,0 +1,46 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -161,17 +180,18 @@ Signed-off-by: Gary Lin <glin@suse.com>
+ grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size);
+};
+
+extern struct grub_key_protector *EXPORT_VAR (grub_key_protectors);
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_register) (struct grub_key_protector *protector);
+grub_key_protector_unregister (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_unregister) (struct grub_key_protector *protector);
+
+grub_err_t
+EXPORT_FUNC (grub_key_protector_recover_key) (const char *protector,
+ grub_uint8_t **key,
+ grub_size_t *key_size);
+grub_key_protector_recover_key (const char *protector,
+ grub_uint8_t **key,
+ grub_size_t *key_size);
+
+#endif /* ! GRUB_PROTECTOR_HEADER */
--
2.35.3

60
0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch Normal file
View File

@ -0,0 +1,60 @@
From d35ff22516b161f6d472f7f5371a89597b072d04 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 6 May 2024 10:34:22 +0800
Subject: [PATCH] net/drivers/ieee1275/ofnet: Remove 200 ms timeout in
get_card_packet() to reduce input latency
When GRUB image is netbooted on ppc64le, the keyboard input exhibits
significant latency, reports even say that characters are processed
about once per second. This issue makes interactively trying to debug
a ppc64le config very difficult.
It seems that the latency is largely caused by a 200 ms timeout in the
idle event loop, during which the network card interface is consistently
polled for incoming packets. Often, no packets arrive during this
period, so the timeout nearly always expires, which blocks the response
to key inputs.
Furthermore, this 200 ms timeout might not need to be enforced at this
basic layer, considering that GRUB performs synchronous reads and its
timeout management is actually handled by higher layers, not directly in
the card instance. Additionally, the idle polling, which reacts to
unsolicited packets like ICMP and SLAAC, would be fine at a less frequent
polling interval, rather than needing a timeout for receiving a response.
For these reasons, we believe the timeout in get_card_packet() should be
effectively removed. According to test results, the delay has disappeared,
and it is now much easier to use interactively.
Signed-Off-by: Michael Chang <mchang@suse.com>
Tested-by: Tony Jones <tonyj@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/drivers/ieee1275/ofnet.c | 8 ++------
1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/grub-core/net/drivers/ieee1275/ofnet.c b/grub-core/net/drivers/ieee1275/ofnet.c
index 78f03df8e..3bf48b3f0 100644
--- a/grub-core/net/drivers/ieee1275/ofnet.c
+++ b/grub-core/net/drivers/ieee1275/ofnet.c
@@ -82,15 +82,11 @@ get_card_packet (struct grub_net_card *dev)
grub_ssize_t actual;
int rc;
struct grub_ofnetcard_data *data = dev->data;
- grub_uint64_t start_time;
struct grub_net_buff *nb;
- start_time = grub_get_time_ms ();
- do
- rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual);
- while ((actual <= 0 || rc < 0) && (grub_get_time_ms () - start_time < 200));
+ rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual);
- if (actual <= 0)
+ if (actual <= 0 || rc < 0)
return NULL;
nb = grub_netbuff_alloc (actual + 2);
--
2.45.2

170
0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch Normal file
View File

@ -0,0 +1,170 @@
From 84b95a121a4401be854614419ded3d383e14ac1f Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 22 Mar 2024 17:38:45 +0800
Subject: [PATCH] ofdisk: Enhance canonical path handling for bootpath
This commit addresses an issue where redundant canonical path
translation is performed on the bootpath, potentially leading to
incorrect results and subsequent boot failures, particularly in cases
where firmware translations are inconsistent.
To mitigate this, the commit introduces a check to determine if the
bootpath is already in canonical form, avoiding unnecessary translation.
Additionally, improvements have been made to enhance the resilience of
device iteration, enhancing compatibility with cross-device booting
scenarios and addressing potential issues related to firmware-based
canonical path retrieval.
These changes aim to improve the reliability and stability of the boot
process.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/disk/ieee1275/ofdisk.c | 75 +++++++++++++++++++++++---------
1 file changed, 55 insertions(+), 20 deletions(-)
diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
index c5c20a5ec..36ee5314d 100644
--- a/grub-core/disk/ieee1275/ofdisk.c
+++ b/grub-core/disk/ieee1275/ofdisk.c
@@ -35,8 +35,13 @@ static grub_ieee1275_ihandle_t last_ihandle;
#define IEEE1275_DISK_ALIAS "/disk@"
#define IEEE1275_NVMEOF_DISK_ALIAS "/nvme-of/controller@"
+/* Used to check boot_type, print debug message if doesn't match, this can be
+ * useful to measure boot delays */
static char *boot_type;
+/* Used to restrict fcp to a physical boot path */
static char *boot_parent;
+/* Knowing the nvmeof in advance to avoid blind open test during iteration to
+ * validate a path */
static int is_boot_nvmeof;
struct ofdisk_hash_ent
@@ -540,20 +545,30 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
{
if (grub_strcmp (alias->type, "fcp") == 0)
{
- if (boot_type &&
- grub_strcmp (boot_type, alias->type) != 0)
+ if (boot_parent &&
+ grub_strcmp (boot_parent, alias->path) != 0)
{
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
- alias->path, alias->type, boot_type);
+ grub_dprintf ("ofdisk", "Skipped device: %s, doesn't match boot_parent %s\n",
+ alias->path, boot_parent);
goto iter_children;
}
- if (grub_strcmp (boot_parent, alias->path) == 0)
+ /* Allow set boot_parent and boot_type to NULL to force iteration */
+ if (!boot_parent)
{
- if (is_boot_nvmeof)
- dev_iterate_fcp_nvmeof(alias);
- else
- dev_iterate_fcp_disks(alias);
+ grub_dprintf ("ofdisk", "iterate %s\n", alias->path);
+ dev_iterate_fcp_nvmeof(alias);
+ dev_iterate_fcp_disks(alias);
+ }
+ else if (is_boot_nvmeof)
+ {
+ grub_dprintf ("ofdisk", "iterate nvmeof: %s\n", alias->path);
+ dev_iterate_fcp_nvmeof(alias);
+ }
+ else
+ {
+ grub_dprintf ("ofdisk", "iterate fcp: %s\n", alias->path);
+ dev_iterate_fcp_disks(alias);
}
}
else if (grub_strcmp (alias->type, "vscsi") == 0)
@@ -575,9 +590,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
if (boot_type &&
grub_strcmp (boot_type, alias->type) != 0)
{
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
+ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n",
alias->path, alias->type, boot_type);
- return;
}
if (grub_ieee1275_open (alias->path, &ihandle))
@@ -646,9 +660,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
if (boot_type &&
grub_strcmp (boot_type, alias->type) != 0)
{
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
+ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n",
alias->path, alias->type, boot_type);
- goto iter_children;
}
buf = grub_malloc (grub_strlen (alias->path) +
@@ -1116,13 +1129,37 @@ get_parent_devname (const char *devname, int *is_nvmeof)
return parent;
}
+
+static int
+is_canonical (const char *path)
+{
+ if (grub_strstr (path, IEEE1275_DISK_ALIAS) ||
+ grub_strstr (path, IEEE1275_NVMEOF_DISK_ALIAS))
+ return 1;
+ else
+ return 0;
+}
+
static char *
get_boot_device_parent (const char *bootpath, int *is_nvmeof)
{
- char *dev, *canon, *parent;
+ char *canon, *parent;
+
+ if (is_canonical (bootpath))
+ {
+ early_log ("Use %s as canonical\n", bootpath);
+ canon = grub_strdup (bootpath);
+ }
+ else
+ {
+ char *dev;
- dev = grub_ieee1275_get_aliasdevname (bootpath);
- canon = grub_ieee1275_canonicalise_devname (dev);
+ dev = grub_ieee1275_get_aliasdevname (bootpath);
+ canon = grub_ieee1275_canonicalise_devname (dev);
+ early_log ("bootpath: %s \n", bootpath);
+ early_log ("alias: %s\n", dev);
+ early_log ("canonical: %s\n", canon);
+ }
if (!canon)
{
@@ -1131,8 +1168,6 @@ get_boot_device_parent (const char *bootpath, int *is_nvmeof)
grub_print_error ();
return NULL;
}
- else
- early_log ("%s is canonical %s\n", bootpath, canon);
parent = get_parent_devname (canon, is_nvmeof);
early_log ("%s is parent of %s\n", parent, canon);
@@ -1179,9 +1214,9 @@ insert_bootpath (void)
boot_parent = get_boot_device_parent (bootpath, &is_boot_nvmeof);
boot_type = grub_ieee1275_get_device_type (boot_parent);
if (boot_type)
- early_log ("the boot device type %s is used for root device discovery, others excluded\n", boot_type);
+ early_log ("the boot device type: %s\n", boot_type);
else
- early_log ("unknown boot device type, will use all devices to discover root and may be slow\n");
+ early_log ("the boot device type is unknown\n");
}
grub_free (type);
grub_free (bootpath);
--
2.44.0

204
0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
View File

@ -1,204 +0,0 @@
From 5a417f32f1afe0ffca7f5cbff67145a157b1589b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 18:31:12 +0800
Subject: [PATCH 1/4] tpm2: Add TPM2 types, structures, and command constants
Add new TPM2 types and structures as the preparation to support
authorized policy.
* New types:
TPM_ALG_ECDAA, TPM_ALG_ECDSA, TPM_ALG_ECSCHNORR, TPM_ALG_RSASSA,
TPM_ALG_RSAPSS, TPM_ALG_SM2, and TPMI_ALG_SIG_SCHEME
* New structures:
TPMS_EMPTY, TPMS_SIGNATURE_RSA, TPMS_SIGNATURE_ECC,
TPMS_SIGNATURE_ECDSA, TPMS_SIGNATURE_ECDAA, TPMS_SIGNATURE_SM2,
TPMS_SIGNATURE_ECSCHNORR, TPMU_SIGNATURE, and TPMT_TK_VERIFIED
* New command constants:
TPM_CC_LoadExternal, TPM_CC_HashSequenceStart, TPM_CC_SequenceUpdate,
TPM_CC_SequenceComplete, TPM_CC_Hash, TPM_CC_VerifySignature,
TPM_CC_PolicyAuthorize
Signed-off-by: Gary Lin <glin@suse.com>
---
include/grub/tpm2/internal/structs.h | 86 ++++++++++++++++++++++++++++
include/grub/tpm2/internal/types.h | 42 +++++++++-----
2 files changed, 114 insertions(+), 14 deletions(-)
diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
index 72d71eb70..db9eb6cf6 100644
--- a/include/grub/tpm2/internal/structs.h
+++ b/include/grub/tpm2/internal/structs.h
@@ -672,4 +672,90 @@ struct TPMT_TK_CREATION
};
typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
+/* TPMS_EMPTY Structure */
+struct TPMS_EMPTY {
+ grub_uint8_t empty[1]; /* a structure with no member */
+};
+typedef struct TPMS_EMPTY TPMS_EMPTY;
+
+/* TPMS_SIGNATURE_RSA Structure */
+struct TPMS_SIGNATURE_RSA {
+ TPMI_ALG_HASH hash;
+ TPM2B_PUBLIC_KEY_RSA sig;
+};
+typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA;
+
+/* Definition of Types for RSA Signature */
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA;
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS;
+
+/* TPMS_SIGNATURE_ECC Structure */
+struct TPMS_SIGNATURE_ECC {
+ TPMI_ALG_HASH hash;
+ TPM2B_ECC_PARAMETER signatureR;
+ TPM2B_ECC_PARAMETER signatureS;
+};
+typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC;
+
+/* Definition of Types for ECC TPMS_SIGNATURE_ECC */
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2;
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR;
+
+/* TPMU_SIGNATURE Structure */
+union TPMU_SIGNATURE {
+ TPMS_SIGNATURE_RSASSA rsassa;
+ TPMS_SIGNATURE_RSAPSS rsapss;
+ TPMS_SIGNATURE_ECDSA ecdsa;
+ TPMS_SIGNATURE_ECDAA ecdaa;
+ TPMS_SIGNATURE_SM2 sm2;
+ TPMS_SIGNATURE_ECSCHNORR ecschnorr;
+ TPMT_HA hmac;
+ TPMS_SCHEME_HASH any;
+ TPMS_EMPTY null;
+};
+typedef union TPMU_SIGNATURE TPMU_SIGNATURE;
+
+/* TPMT_SIGNATURE Structure */
+struct TPMT_SIGNATURE {
+ TPMI_ALG_SIG_SCHEME sigAlg;
+ TPMU_SIGNATURE signature;
+};
+typedef struct TPMT_SIGNATURE TPMT_SIGNATURE;
+
+static inline TPMI_ALG_HASH
+TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig)
+{
+ switch (sig->sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ return sig->signature.rsassa.hash;
+ case TPM_ALG_RSAPSS:
+ return sig->signature.rsapss.hash;
+ case TPM_ALG_ECDSA:
+ return sig->signature.ecdsa.hash;
+ case TPM_ALG_ECDAA:
+ return sig->signature.ecdaa.hash;
+ case TPM_ALG_SM2:
+ return sig->signature.sm2.hash;
+ case TPM_ALG_ECSCHNORR:
+ return sig->signature.ecschnorr.hash;
+ case TPM_ALG_HMAC:
+ return sig->signature.hmac.hashAlg;
+ default:
+ break;
+ }
+
+ return TPM_ALG_NULL;
+}
+
+/* TPMT_TK_VERIFIED Structure */
+struct TPMT_TK_VERIFIED {
+ TPM_ST tag;
+ TPMI_RH_HIERARCHY hierarchy;
+ TPM2B_DIGEST digest;
+};
+typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED;
+
#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
index 9714f75d4..a1902ef0c 100644
--- a/include/grub/tpm2/internal/types.h
+++ b/include/grub/tpm2/internal/types.h
@@ -181,6 +181,9 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043)
#define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044)
#define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023)
+#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A)
+#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018)
+#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C)
#define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005)
#define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022)
#define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020)
@@ -189,10 +192,13 @@ typedef grub_uint16_t TPM_ALG_ID;
#define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007)
#define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010)
#define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001)
+#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014)
+#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016)
#define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004)
#define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B)
#define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C)
#define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D)
+#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B)
#define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012)
#define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013)
#define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025)
@@ -299,20 +305,27 @@ typedef grub_uint16_t TPM2_ECC_CURVE;
/* TPM_CC Constants */
typedef grub_uint32_t TPM_CC;
-#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
-#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
-#define TPM_CC_Create ((TPM_CC) 0x00000153)
-#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
-#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
-#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
-#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
-#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
-#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
-#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
-#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
-#define TPM_CC_Load ((TPM_CC) 0x00000157)
-#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
-#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
+#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
+#define TPM_CC_Create ((TPM_CC) 0x00000153)
+#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
+#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
+#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
+#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
+#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
+#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
+#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
+#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
+#define TPM_CC_Load ((TPM_CC) 0x00000157)
+#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167)
+#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
+#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
+#define TPM_CC_HashSequenceStart ((TPM_CC) 0x00000186)
+#define TPM_CC_SequenceUpdate ((TPM_CC) 0x0000015c)
+#define TPM_CC_SequenceComplete ((TPM_CC) 0x0000013e)
+#define TPM_CC_Hash ((TPM_CC) 0x0000017d)
+#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177)
+#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a)
/* Hash algorithm sizes */
#define TPM_SHA1_DIGEST_SIZE 20
@@ -354,6 +367,7 @@ typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
typedef TPM_ALG_ID TPMI_ALG_SYM;
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
/* TPM_KEY_BITS Type */
typedef grub_uint16_t TPM_KEY_BITS;
--
2.35.3

97
0001-tpm2-Add-extra-RSA-SRK-types.patch Normal file
View File

@ -0,0 +1,97 @@
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types
Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
to support those parameters.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/args.c | 12 ++++++++++++
grub-core/tpm2/module.c | 16 ++++++++++++++--
util/grub-protect.c | 4 ++--
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
index c11280ab9..d140364d2 100644
--- a/grub-core/tpm2/args.c
+++ b/grub-core/tpm2/args.c
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
srk_type->type = TPM_ALG_RSA;
srk_type->detail.rsa_bits = 2048;
}
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 4096;
+ }
else
return grub_error (GRUB_ERR_OUT_OF_RANGE,
N_("Value '%s' is not a valid asymmetric key type"),
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index b754b38df..8b72ed6fa 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
.arg = NULL,
.type = ARG_TYPE_STRING,
.doc =
- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
- "(default: ECC)"),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
},
/* NV Index-mode options */
{
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
{
case 2048:
return "RSA2048";
+ case 3072:
+ return "RSA3072";
+ case 4096:
+ return "RSA4096";
}
}
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
.type = TPM_ALG_ECC,
.detail.ecc_curve = TPM_ECC_NIST_P256,
},
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 4096,
+ },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 3072,
+ },
{
.type = TPM_ALG_RSA,
.detail.rsa_bits = 2048,
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 869f45861..00be03ca0 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
.arg = "TYPE",
.flags = 0,
.doc =
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
- "(default: ECC)"),
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
.group = 0
},
{
--
2.35.3

12
0001-protectors-Implement-NV-index.patch → 0001-tpm2-Implement-NV-index.patch
View File

@ -1,7 +1,7 @@
From c3efb4ecbe91b63c127b92122dad3fa53d4efc69 Mon Sep 17 00:00:00 2001
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.colp@oracle.com>
Date: Mon, 31 Jul 2023 07:01:45 -0700
Subject: [PATCH 1/4] protectors: Implement NV index
Subject: [PATCH 1/4] tpm2: Implement NV index
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
@ -16,7 +16,7 @@ An example of inserting a key using tpm2-tools:
tpm2_getrandom 32 > key.dat
# Create primary object.
tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx
# Create policy object. `pcrs.dat` contains the PCR values to seal against.
tpm2_startauthsession -S session.dat
@ -34,15 +34,17 @@ Then to unseal the key in grub, add this to grub.cfg:
cryptomount -u <UUID> --protector tpm2
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index 5274296b7..d3a64187a 100644
index e83b02865..b754b38df 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -757,12 +757,27 @@ static grub_err_t
@@ -1035,12 +1035,27 @@ static grub_err_t
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
grub_uint8_t **key, grub_size_t *key_size)
{

15
0004-tpm2-Support-authorized-policy.patch → 0001-tpm2-Support-authorized-policy.patch
View File

@ -1,7 +1,7 @@
From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH v7 16/20] tpm2: Support authorized policy
Subject: [PATCH] tpm2: Support authorized policy
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
@ -43,12 +43,12 @@ commands:
--after \
--input sealed.key \
--output sealed.tpm \
sign 0,2,4,7.9
sign 0,2,4,7,9
Then specify the key file and the key protector to grub.cfg in the EFI
system partition:
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u <PART_UUID> -P tpm2
For any change in the boot components, just run the 'sign' command again
@ -59,15 +59,16 @@ with the updated PCR policy.
(*2) https://github.com/okirch/pcr-oracle
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index df0727215..0cbfd06e8 100644
index 3db25ceca..e83b02865 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
return GRUB_ERR_NONE;
}
@ -155,7 +156,7 @@ index df0727215..0cbfd06e8 100644
static grub_err_t
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
{
@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
case TPM_CC_PolicyPCR:
err = grub_tpm2_protector_policypcr (session, &buf);
break;

188
0001-util-bash-completion-Fix-for-bash-completion-2.12.patch Normal file
View File

@ -0,0 +1,188 @@
From 200dc727d1fdf3bac7aa725569b60a54b3841867 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 22 Mar 2024 16:23:38 +0800
Subject: [PATCH] util/bash-completion: Fix for bash-completion 2.12
_split_longopt() was the bash-completion private API and removed since
bash-completion 2.12. This commit initializes the bash-completion
general variables with _init_completion() to avoid the potential
'command not found' error.
Although bash-completion 2.12 introduces _comp_initialize() to deprecate
_init_completion(), _init_completion() is still chosen for the better
backward compatibility.
Signed-off-by: Gary Lin <glin@suse.com>
---
.../bash-completion.d/grub-completion.bash.in | 61 +++++++------------
1 file changed, 22 insertions(+), 39 deletions(-)
diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in
index 4c88ee901..749a5d3cf 100644
--- a/util/bash-completion.d/grub-completion.bash.in
+++ b/util/bash-completion.d/grub-completion.bash.in
@@ -151,13 +151,10 @@ __grub_list_modules () {
# grub-set-default & grub-reboot
#
__grub_set_entry () {
- local cur prev split=false
+ local cur prev words cword split
+ _init_completion -s || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
-
- _split_longopt && split=true
case "$prev" in
--boot-directory)
@@ -180,11 +177,10 @@ __grub_set_entry () {
# grub-editenv
#
__grub_editenv () {
- local cur prev
+ local cur prev words cword
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
case "$prev" in
create|list|set|unset)
@@ -201,10 +197,10 @@ __grub_editenv () {
# grub-mkconfig
#
__grub_mkconfig () {
- local cur prev
+ local cur prev words cword
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
if [[ "$cur" == -* ]]; then
__grubcomp "$(__grub_get_options_from_help)"
@@ -217,13 +213,10 @@ __grub_mkconfig () {
# grub-setup
#
__grub_setup () {
- local cur prev split=false
+ local cur prev words cword split
+ _init_completion -s || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
-
- _split_longopt && split=true
case "$prev" in
-d|--directory)
@@ -246,15 +239,12 @@ __grub_setup () {
# grub-install
#
__grub_install () {
- local cur prev last split=false
+ local cur prev words cword split last
+ _init_completion -s || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
last=$(__grub_get_last_option)
- _split_longopt && split=true
-
case "$prev" in
--boot-directory)
_filedir -d
@@ -287,10 +277,10 @@ __grub_install () {
# grub-mkfont
#
__grub_mkfont () {
- local cur
+ local cur prev words cword
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
if [[ "$cur" == -* ]]; then
__grubcomp "$(__grub_get_options_from_help)"
@@ -304,11 +294,10 @@ __grub_mkfont () {
# grub-mkrescue
#
__grub_mkrescue () {
- local cur prev last
+ local cur prev words cword last
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
last=$(__grub_get_last_option)
if [[ "$cur" == -* ]]; then
@@ -330,13 +319,10 @@ __grub_mkrescue () {
# grub-mkimage
#
__grub_mkimage () {
- local cur prev split=false
+ local cur prev words cword split
+ _init_completion -s || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
-
- _split_longopt && split=true
case "$prev" in
-d|--directory|-p|--prefix)
@@ -367,10 +353,10 @@ __grub_mkimage () {
# grub-mkpasswd-pbkdf2
#
__grub_mkpasswd_pbkdf2 () {
- local cur
+ local cur prev words cword
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
if [[ "$cur" == -* ]]; then
__grubcomp "$(__grub_get_options_from_help)"
@@ -384,13 +370,10 @@ __grub_mkpasswd_pbkdf2 () {
# grub-probe
#
__grub_probe () {
- local cur prev split=false
+ local cur prev words cword split
+ _init_completion -s || return
COMPREPLY=()
- cur=`_get_cword`
- prev=${COMP_WORDS[COMP_CWORD-1]}
-
- _split_longopt && split=true
case "$prev" in
-t|--target)
@@ -417,10 +400,10 @@ __grub_probe () {
# grub-script-check
#
__grub_script_check () {
- local cur
+ local cur prev words cword
+ _init_completion || return
COMPREPLY=()
- cur=`_get_cword`
if [[ "$cur" == -* ]]; then
__grubcomp "$(__grub_get_options_from_help)"
--
2.35.3

33
0001-util-enable-grub-protect-only-for-EFI-systems.patch Normal file
View File

@ -0,0 +1,33 @@
From 6ce53d4db8430de5526ea4c48beac8139ba60925 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 20 May 2024 14:19:58 +0800
Subject: [PATCH] util: enable grub-protect only for EFI systems
Add 'enable = efi;' back to the grub-protect section to enable the
utility only for EFI systems.
The restriction was relaxed in the upstreaming patch to enable the
grub-emu TPM2 testcases. Since we already build the utility natively for
the architectures with EFI support, there is no need to build the
program again for grub-emu.
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile.util.def | 1 +
1 file changed, 1 insertion(+)
diff --git a/Makefile.util.def b/Makefile.util.def
index 90850125d..5085152b0 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -210,6 +210,7 @@ program = {
program = {
name = grub-protect;
mansection = 1;
+ enable = efi;
common = grub-core/kern/emu/argp_common.c;
common = grub-core/osdep/init.c;
--
2.35.3

8
0002-cryptodisk-Fallback-to-passphrase.patch
View File

@ -1,4 +1,4 @@
From 7cc578baf26986c2badce998125b429a2aeb4d33 Mon Sep 17 00:00:00 2001
From e62b26f9765e309691e014f322d4b02b220956a1 Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.colp@oracle.com>
Date: Sun, 30 Jul 2023 12:58:18 -0700
Subject: [PATCH 2/4] cryptodisk: Fallback to passphrase
@ -10,15 +10,17 @@ the protector(s) failed. Later code (e.g., LUKS code) fails as
proceeding with the passphrase.
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/cryptodisk.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 6620fca00..cf37a0934 100644
index af4104178..f9842f776 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1191,11 +1191,16 @@ grub_cryptodisk_scan_device_real (const char *name,
@@ -1193,11 +1193,16 @@ grub_cryptodisk_scan_device_real (const char *name,
source->name, source->partition != NULL ? "," : "",
part != NULL ? part : N_("UNKNOWN"), dev->uuid);
grub_free (part);

1232
0002-tpm2-Add-TPM-Software-Stack-TSS.patch
View File

File diff suppressed because it is too large Load Diff

427
0002-tpm2-Add-more-marshal-unmarshal-functions.patch
View File

@ -1,427 +0,0 @@
From 1d34522075949581ccb34a08dd73607566517824 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 7 Feb 2023 18:33:42 +0800
Subject: [PATCH 2/4] tpm2: Add more marshal/unmarshal functions
Add a few more marshal/unmarshal functions to support authorized policy.
* Marshal:
grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal()
grub_tpm2_mu_TPMT_SENSITIVE_Marshal()
grub_tpm2_mu_TPM2B_SENSITIVE_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal()
grub_tpm2_mu_TPMU_HA_Marshal()
grub_tpm2_mu_TPMT_HA_Marshal()
grub_tpm2_mu_TPMU_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_SIGNATURE_Marshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal()
* Unmarshal:
grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal()
grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal()
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal()
grub_tpm2_mu_TPMU_HA_Unmarshal()
grub_tpm2_mu_TPMT_HA_Unmarshal()
grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal()
grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal()
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/mu.c | 262 +++++++++++++++++++++++++++++++++++++++++
include/grub/tpm2/mu.h | 75 ++++++++++++
2 files changed, 337 insertions(+)
diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
index 1617f37cd..3a9a3c1be 100644
--- a/grub-core/tpm2/mu.c
+++ b/grub-core/tpm2/mu.c
@@ -383,6 +383,49 @@ grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Marshal (buffer, p->data.size, p->data.buffer);
}
+void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p)
+{
+ switch(type)
+ {
+ case TPM_ALG_RSA:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer);
+ break;
+ case TPM_ALG_ECC:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer);
+ break;
+ case TPM_ALG_KEYEDHASH:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer);
+ break;
+ case TPM_ALG_SYMCIPHER:
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer);
+ break;
+ default:
+ buffer->error = 1;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer);
+ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType,
+ &p->sensitive);
+}
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPM2B_SENSITIVE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->size);
+ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea);
+}
+
void
grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate)
@@ -405,6 +448,113 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
grub_tpm2_buffer_pack_u16 (buffer, 0);
}
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_RSA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMS_SIGNATURE_ECC *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]);
+ break;
+ case TPM_ALG_SHA256:
+ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]);
+ break;
+ case TPM_ALG_SHA384:
+ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]);
+ break;
+ case TPM_ALG_SHA512:
+ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++)
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_HA *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer,
+ const TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_pack_u16 (buffer, p->tag);
+ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy);
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer);
+}
+
void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer,
TPM2B* p)
@@ -775,6 +925,24 @@ grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer,
grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
}
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_HASHCHECK *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_TK_VERIFIED *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
+}
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection)
@@ -805,3 +973,97 @@ grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
for (grub_uint32_t i = 0; i < digest->count; i++)
grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_RSA *rsa)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig);
+}
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMS_SIGNATURE_ECC *ecc)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureR);
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureS);
+}
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p)
+{
+ switch (hashAlg)
+ {
+ case TPM_ALG_SHA1:
+ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA256:
+ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA384:
+ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE);
+ break;
+ case TPM_ALG_SHA512:
+ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE);
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_HA *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg);
+ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest);
+}
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p)
+{
+ switch (sigAlg)
+ {
+ case TPM_ALG_RSASSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
+ break;
+ case TPM_ALG_RSAPSS:
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
+ break;
+ case TPM_ALG_ECDSA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
+ break;
+ case TPM_ALG_ECDAA:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
+ break;
+ case TPM_ALG_SM2:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
+ break;
+ case TPM_ALG_ECSCHNORR:
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
+ break;
+ case TPM_ALG_HMAC:
+ grub_tpm2_mu_TPMT_HA_Unmarshal (buffer, &p->hmac);
+ break;
+ case TPM_ALG_NULL:
+ break;
+ default:
+ buffer->error = 1;
+ break;
+ }
+}
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
+ TPMT_SIGNATURE *p)
+{
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->sigAlg);
+ grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (buffer, p->sigAlg, &p->signature);
+}
diff --git a/include/grub/tpm2/mu.h b/include/grub/tpm2/mu.h
index c545976db..afb842ab5 100644
--- a/include/grub/tpm2/mu.h
+++ b/include/grub/tpm2/mu.h
@@ -147,6 +147,47 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buf,
const TPM2B_SENSITIVE_CREATE *sensitiveCreate);
void
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_PUBLIC type,
+ const TPMU_SENSITIVE_COMPOSITE *p);
+void
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buf,
+ const TPM2B_SENSITIVE *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buf,
+ const TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMI_ALG_SIG_SCHEME sigAlg,
+ const TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buf,
+ const TPMT_TK_VERIFIED *p);
+void
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buf,
TPM2B* p);
@@ -277,6 +318,14 @@ void
grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buf,
TPMT_TK_CREATION *p);
+void
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_HASHCHECK *p);
+
+void
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_TK_VERIFIED *p);
+
void
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
TPMS_PCR_SELECTION* pcrSelection);
@@ -289,4 +338,30 @@ void
grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
TPML_DIGEST* digest);
+void
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_RSA *p);
+
+void
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMS_SIGNATURE_ECC *p);
+
+void
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_HASH hashAlg,
+ TPMU_HA *p);
+
+void
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_HA *p);
+
+void
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMI_ALG_SIG_SCHEME sigAlg,
+ TPMU_SIGNATURE *p);
+
+void
+grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buf,
+ TPMT_SIGNATURE *p);
+
#endif /* ! GRUB_TPM2_MU_HEADER */
--
2.35.3

8
0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
View File

@ -1,4 +1,4 @@
From 64494ffc442a5de05b237ad48d27c70d22849a44 Mon Sep 17 00:00:00 2001
From 370e435b6ada53314888f04dcd8f096fc11cfadb Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 3 Aug 2023 15:52:52 +0800
Subject: [PATCH 3/4] cryptodisk: wipe out the cached keys from protectors
@ -9,16 +9,18 @@ protector fails to unlock the fake root, it's not wiped out cleanly so
the attacker could dump the memory to retrieve the secret key. To defend
such attack, wipe out the cached key when we don't need it.
Cc: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/cryptodisk.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index cf37a0934..f42437f4e 100644
index f9842f776..aa0d43562 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1348,7 +1348,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
@@ -1355,7 +1355,11 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
return;
for (i = 0; cargs->protectors[i]; i++)

565
0003-protectors-Add-TPM2-Key-Protector.patch → 0003-key_protector-Add-TPM2-Key-Protector.patch
View File

@ -1,7 +1,7 @@
From 2a63876ca714d177f919b2392d8efa0e3bd3ebe2 Mon Sep 17 00:00:00 2001
From 2cb2b00028ca7f43fc069472fbad7b9f129ec24b Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:55 -0800
Subject: [PATCH v7 10/20] protectors: Add TPM2 Key Protector
Subject: [PATCH 3/5] key_protector: Add TPM2 Key Protector
The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.
@ -36,6 +36,8 @@ is mandatory. There are two supported key formats:
policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
secret [2] EXPLICIT OCTET STRING OPTIONAL
authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL
description [4] EXPLICIT UTF8String OPTIONAL,
rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
parent INTEGER
pubkey OCTET STRING
privkey OCTET STRING
@ -109,22 +111,24 @@ TPM 2.0 Key file without 'authPolicy' and 'policy', so the "TPMPolicy"
sequence is always based on the PCR selection from the command
parameters.
Currently, there is only one supported policy command: TPM2_PolicyPCR.
The command set can be extended to support advanced features, such as
authorized policy, in the future.
This commit only supports one policy command: TPM2_PolicyPCR. The
command set will be extended to support advanced features, such as
authorized policy, in the later commits.
Cc: Stefan Berger <stefanb@linux.ibm.com>
Cc: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/Makefile.core.def | 13 +
grub-core/tpm2/args.c | 177 +++++
grub-core/tpm2/module.c | 1028 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 31 +
grub-core/tpm2/tpm2key.c | 447 +++++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 41 ++
include/grub/tpm2/internal/args.h | 41 ++
include/grub/tpm2/tpm2key.h | 83 +++
8 files changed, 1861 insertions(+)
grub-core/tpm2/args.c | 140 ++++
grub-core/tpm2/module.c | 1226 +++++++++++++++++++++++++++++
grub-core/tpm2/tpm2key.asn | 33 +
grub-core/tpm2/tpm2key.c | 476 +++++++++++
grub-core/tpm2/tpm2key_asn1_tab.c | 45 ++
include/grub/tpm2/internal/args.h | 49 ++
include/grub/tpm2/tpm2key.h | 86 ++
8 files changed, 2068 insertions(+)
create mode 100644 grub-core/tpm2/args.c
create mode 100644 grub-core/tpm2/module.c
create mode 100644 grub-core/tpm2/tpm2key.asn
@ -134,10 +138,10 @@ Signed-off-by: Gary Lin <glin@suse.com>
create mode 100644 include/grub/tpm2/tpm2key.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 5831d4265..38571119e 100644
index 4307b8e2d..a3c728442 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -2553,6 +2553,19 @@ module = {
@@ -2612,6 +2612,19 @@ module = {
enable = efi;
};
@ -159,10 +163,10 @@ index 5831d4265..38571119e 100644
common = commands/tr.c;
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
new file mode 100644
index 000000000..274f4fef0
index 000000000..c11280ab9
--- /dev/null
+++ b/grub-core/tpm2/args.c
@@ -0,0 +1,177 @@
@@ -0,0 +1,140 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -243,56 +247,19 @@ index 000000000..274f4fef0
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve)
+ grub_srk_type_t *srk_type)
+{
+ if (grub_strcasecmp (value, "ECC") == 0 ||
+ grub_strcasecmp (value, "ECC_NIST_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P256;
+ srk_type->type = TPM_ALG_ECC;
+ srk_type->detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
+ grub_strcasecmp (value, "RSA2048") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 2048;
+ }
+ else if (grub_strcasecmp (value, "RSA3072") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 3072;
+ }
+ else if (grub_strcasecmp (value, "RSA4096") == 0)
+ {
+ *asymmetric = TPM_ALG_RSA;
+ *rsa_bits = 4096;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P384") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P384;
+ }
+ else if (grub_strcasecmp (value, "ECC_NIST_P521") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_NIST_P521;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P256;
+ }
+ else if (grub_strcasecmp (value, "ECC_BN_P638") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_BN_P638;
+ }
+ else if (grub_strcasecmp (value, "ECC_SM2_P256") == 0)
+ {
+ *asymmetric = TPM_ALG_ECC;
+ *ecc_curve = TPM_ECC_SM2_P256;
+ srk_type->type = TPM_ALG_RSA;
+ srk_type->detail.rsa_bits = 2048;
+ }
+ else
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
@ -342,10 +309,10 @@ index 000000000..274f4fef0
+}
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
new file mode 100644
index 000000000..df0727215
index 000000000..3db25ceca
--- /dev/null
+++ b/grub-core/tpm2/module.c
@@ -0,0 +1,1028 @@
@@ -0,0 +1,1226 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -371,7 +338,7 @@ index 000000000..df0727215
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
+#include <grub/tpm2/buffer.h>
+#include <grub/tpm2/internal/args.h>
+#include <grub/tpm2/internal/types.h>
@ -405,9 +372,7 @@ index 000000000..df0727215
+ grub_tpm2_protector_mode_t mode;
+ grub_uint8_t pcrs[TPM_MAX_PCRS];
+ grub_uint8_t pcr_count;
+ TPM_ALG_ID asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ grub_srk_type_t srk_type;
+ TPM_ALG_ID bank;
+ const char *tpm2key;
+ const char *keyfile;
@ -436,7 +401,7 @@ index 000000000..df0727215
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Comma-separated list of PCRs used to authorize key release "
+ "(e.g., '7,11', default is 7."),
+ "e.g., '7,11'. (default: 7)"),
+ },
+ {
+ .longarg = "bank",
@ -446,7 +411,7 @@ index 000000000..df0727215
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), SHA384 or SHA512."),
+ "SHA1, SHA256, SHA384 or SHA512. (default: SHA256)"),
+ },
+ /* SRK-mode options */
+ {
@ -456,8 +421,8 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Required in SRK mode, path to the key file in TPM 2.0 Key File Format "
+ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/secret.tpm)."),
+ N_("In SRK mode, path to the key file in the TPM 2.0 Key File format "
+ "to unseal using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.tpm)."),
+ },
+ {
+ .longarg = "keyfile",
@ -466,9 +431,9 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("Required in SRK mode, path to the sealed key file to unseal using "
+ "the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed_key). "
+ "Use '-tpm2key' instead"),
+ N_("In SRK mode, path to the key file in the raw format to unseal "
+ "using the TPM (e.g., (hd0,gpt1)/boot/grub2/sealed.key). "
+ "(Mainly for backward compatibility. Please use '--tpm2key'.)"),
+ },
+ {
+ .longarg = "srk",
@ -486,10 +451,8 @@ index 000000000..df0727215
+ .arg = NULL,
+ .type = ARG_TYPE_STRING,
+ .doc =
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, "
+ "RSA4096, ECC (ECC_NIST_P256), ECC_NIST_P384, "
+ "ECC_NIST_P521, ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
+ "(default: ECC)"),
+ },
+ /* NV Index-mode options */
+ {
@ -567,7 +530,8 @@ index 000000000..df0727215
+ err = GRUB_ERR_NONE;
+
+error:
+ grub_file_close (file);
+ if (file != NULL)
+ grub_file_close (file);
+
+ return err;
+}
@ -589,7 +553,7 @@ index 000000000..df0727215
+ buf.size = sealed_key_size;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
+ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
+
+ if (buf.error)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Malformed TPM wire key file"));
@ -602,10 +566,12 @@ index 000000000..df0727215
+ grub_size_t sealed_key_size,
+ tpm2key_policy_t *policy_seq,
+ tpm2key_authpolicy_t *authpol_seq,
+ grub_uint8_t *rsaparent,
+ grub_uint32_t *parent,
+ TPM2_SEALED_KEY *sk)
+{
+ asn1_node tpm2key = NULL;
+ grub_uint8_t rsaparent_tmp;
+ grub_uint32_t parent_tmp;
+ void *sealed_pub = NULL;
+ grub_size_t sealed_pub_size;
@ -622,6 +588,8 @@ index 000000000..df0727215
+ * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ * secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ * description [4] EXPLICIT UTF8String OPTIONAL,
+ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ * parent INTEGER,
+ * pubkey OCTET STRING,
+ * privkey OCTET STRING
@ -647,10 +615,25 @@ index 000000000..df0727215
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ /* Retrieve rsaParent */
+ err = grub_tpm2key_get_rsaparent (tpm2key, &rsaparent_tmp);
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ *rsaparent = rsaparent_tmp;
+
+ /* Retrieve the parent handle */
+ err = grub_tpm2key_get_parent (tpm2key, &parent_tmp);
+ if (err != GRUB_ERR_NONE)
+ goto error;
+
+ /* The parent handle should be either PERMANENT or PERSISTENT. */
+ if (!TPM_HT_IS_PERMANENT (parent_tmp) && !TPM_HT_IS_PERSISTENT (parent_tmp))
+ {
+ err = GRUB_ERR_OUT_OF_RANGE;
+ goto error;
+ }
+
+ *parent = parent_tmp;
+
+ /* Retrieve the public part of the sealed key */
@ -679,7 +662,7 @@ index 000000000..df0727215
+ buf.offset = 0;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (&buf, &sk->public);
+ grub_tpm2_mu_TPM2B_Unmarshal (&buf, (TPM2B *)&sk->private);
+ grub_tpm2_mu_TPM2B_PRIVATE_Unmarshal (&buf, &sk->private);
+
+ if (buf.error)
+ {
@ -698,12 +681,31 @@ index 000000000..df0727215
+ return err;
+}
+
+/* Check if the SRK exists in the specified handle */
+static grub_err_t
+grub_tpm2_protector_srk_get (const struct grub_tpm2_protector_context *ctx,
+ TPM_HANDLE parent, TPM_HANDLE *srk)
+grub_tpm2_protector_srk_check (const TPM_HANDLE srk_handle)
+{
+ TPM_RC rc;
+ TPM2B_PUBLIC public;
+
+ /* Find SRK */
+ rc = TPM2_ReadPublic (srk_handle, NULL, &public);
+ if (rc == TPM_RC_SUCCESS)
+ return GRUB_ERR_NONE;
+
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Failed to retrieve SRK from 0x%x (TPM2_ReadPublic: 0x%x)"),
+ srk_handle, rc);
+}
+
+/* Get the SRK with the template */
+static grub_err_t
+grub_tpm2_protector_srk_get (const grub_srk_type_t srk_type,
+ const TPM_HANDLE parent,
+ TPM_HANDLE *srk_handle)
+{
+ TPM_RC rc;
+ TPMT_PUBLIC_PARMS parms = { 0 };
+ TPMS_AUTH_COMMAND authCommand = { 0 };
+ TPM2B_SENSITIVE_CREATE inSensitive = { 0 };
+ TPM2B_PUBLIC inPublic = { 0 };
@ -714,27 +716,10 @@ index 000000000..df0727215
+ TPM2B_DIGEST creationHash = { 0 };
+ TPMT_TK_CREATION creationTicket = { 0 };
+ TPM2B_NAME srkName = { 0 };
+ TPM_HANDLE srkHandle;
+ TPM_HANDLE tmp_handle = 0;
+
+ if (ctx->srk != 0)
+ {
+ /* Find SRK */
+ rc = TPM2_ReadPublic (ctx->srk, NULL, &public);
+ if (rc == TPM_RC_SUCCESS)
+ {
+ *srk = ctx->srk;
+ return GRUB_ERR_NONE;
+ }
+
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to retrieve SRK (TPM2_ReadPublic: 0x%x)"),
+ rc);
+ }
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ inPublic.publicArea.type = ctx->asymmetric;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.type = srk_type.type;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.objectAttributes.restricted = 1;
+ inPublic.publicArea.objectAttributes.userWithAuth = 1;
+ inPublic.publicArea.objectAttributes.decrypt = 1;
@ -743,29 +728,42 @@ index 000000000..df0727215
+ inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+ inPublic.publicArea.objectAttributes.noDA = 1;
+
+ if (ctx->asymmetric == TPM_ALG_RSA)
+ if (srk_type.type == TPM_ALG_RSA)
+ {
+ inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = ctx->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = srk_type.detail.rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ }
+ else if (ctx->asymmetric == TPM_ALG_ECC)
+ else if (srk_type.type == TPM_ALG_ECC)
+ {
+ inPublic.publicArea.parameters.eccDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = ctx->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.curveID = srk_type.detail.ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ }
+ else
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("Unknown SRK algorithm"));
+
+ /* Test the parameters before SRK generation */
+ parms.type = srk_type.type;
+ grub_memcpy (&parms.parameters, &inPublic.publicArea.parameters,
+ sizeof (TPMU_PUBLIC_PARMS));
+
+ rc = TPM2_TestParms (&parms, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Unsupported SRK template (TPM2_TestParms: 0x%x)"),
+ rc);
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ rc = TPM2_CreatePrimary (parent, &authCommand, &inSensitive, &inPublic,
+ &outsideInfo, &creationPcr, &srkHandle, &outPublic,
+ &outsideInfo, &creationPcr, &tmp_handle, &outPublic,
+ &creationData, &creationHash, &creationTicket,
+ &srkName, NULL);
+ if (rc != TPM_RC_SUCCESS)
@ -773,11 +771,177 @@ index 000000000..df0727215
+ N_("Could not create SRK (TPM2_CreatePrimary: 0x%x)"),
+ rc);
+
+ *srk = srkHandle;
+ *srk_handle = tmp_handle;
+
+ return GRUB_ERR_NONE;
+}
+
+/* Load the SRK from the persistent handle or create one with a given type of
+ template, and then associate the sealed key with the SRK
+ Return values:
+ * GRUB_ERR_NONE: Everything is fine.
+ * GRUB_ERR_BAD_ARGUMENT: The SRK doesn't match. Try another one.
+ * Other: Something went wrong.
+*/
+static grub_err_t
+grub_tpm2_protector_srk_load (const grub_srk_type_t srk_type,
+ const TPM2_SEALED_KEY *sealed_key,
+ const TPM_HANDLE parent,
+ TPM_HANDLE *sealed_handle,
+ TPM_HANDLE *srk_handle)
+{
+ TPMS_AUTH_COMMAND authCmd = { 0 };
+ TPM2B_NAME name = { 0 };
+ TPM_RC rc;
+ grub_err_t err;
+
+ if (srk_handle == NULL)
+ return GRUB_ERR_BUG;
+
+ if (*srk_handle != 0)
+ {
+ err = grub_tpm2_protector_srk_check (*srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+ else
+ {
+ err = grub_tpm2_protector_srk_get (srk_type, parent, srk_handle);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
+ rc = TPM2_Load (*srk_handle, &authCmd, &sealed_key->private, &sealed_key->public,
+ sealed_handle, &name, NULL);
+ /* If TPM2_Load returns (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1), then it
+ implies the wrong SRK is used. */
+ if (rc == (TPM_RC_INTEGRITY | TPM_RC_P | TPM_RC_1))
+ {
+ err = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("SRK not matched"));
+ goto error;
+ }
+ else if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
+ rc);
+ goto error;
+ }
+
+ return GRUB_ERR_NONE;
+
+error:
+ if (!TPM_HT_IS_PERSISTENT (*srk_handle))
+ TPM2_FlushContext (*srk_handle);
+
+ return err;
+}
+
+static const char *
+srk_type_to_name (grub_srk_type_t srk_type)
+{
+ if (srk_type.type == TPM_ALG_ECC)
+ {
+ switch (srk_type.detail.ecc_curve)
+ {
+ case TPM_ECC_NIST_P256:
+ return "ECC_NIST_P256";
+ }
+ }
+ else if (srk_type.type == TPM_ALG_RSA)
+ {
+ switch (srk_type.detail.rsa_bits)
+ {
+ case 2048:
+ return "RSA2048";
+ }
+ }
+
+ return "Unknown";
+}
+
+static grub_err_t
+grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
+ const TPM2_SEALED_KEY *sealed_key,
+ const TPM_HANDLE parent_handle,
+ TPM_HANDLE *sealed_handle,
+ TPM_HANDLE *srk_handle)
+{
+ grub_err_t err;
+ int i;
+ grub_srk_type_t fallback_srks[] = {
+ {
+ .type = TPM_ALG_ECC,
+ .detail.ecc_curve = TPM_ECC_NIST_P256,
+ },
+ {
+ .type = TPM_ALG_RSA,
+ .detail.rsa_bits = 2048,
+ },
+ {
+ .type = TPM_ALG_ERROR,
+ }
+ };
+
+ /* Try the given persistent SRK if exists */
+ if (*srk_handle != 0)
+ {
+ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_printf_ (N_("Trying the specified SRK algorithm: %s\n"),
+ srk_type_to_name (ctx->srk_type));
+ grub_errno = GRUB_ERR_NONE;
+ *srk_handle = 0;
+ }
+
+ /* Try the specified algorithm for the SRK template */
+ if (*srk_handle == 0)
+ {
+ err = grub_tpm2_protector_srk_load (ctx->srk_type, sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ *srk_handle = 0;
+ }
+
+ /* Try all the fallback SRK templates */
+ for (i = 0; fallback_srks[i].type != TPM_ALG_ERROR; i++)
+ {
+ /* Skip the specified algorithm */
+ if (fallback_srks[i].type == ctx->srk_type.type &&
+ (fallback_srks[i].detail.rsa_bits == ctx->srk_type.detail.rsa_bits ||
+ fallback_srks[i].detail.ecc_curve == ctx->srk_type.detail.ecc_curve))
+ continue;
+
+ grub_printf_ (N_("Trying fallback %s template\n"),
+ srk_type_to_name (fallback_srks[i]));
+
+ *srk_handle = 0;
+
+ err = grub_tpm2_protector_srk_load (fallback_srks[i], sealed_key,
+ parent_handle, sealed_handle,
+ srk_handle);
+ if (err != GRUB_ERR_BAD_ARGUMENT)
+ return err;
+
+ grub_print_error ();
+ grub_errno = GRUB_ERR_NONE;
+ }
+
+ return err;
+}
+
+static grub_err_t
+grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
+ struct grub_tpm2_buffer *cmd_buf)
@ -970,18 +1134,16 @@ index 000000000..df0727215
+grub_tpm2_protector_srk_recover (const struct grub_tpm2_protector_context *ctx,
+ grub_uint8_t **key, grub_size_t *key_size)
+{
+ TPMS_AUTH_COMMAND authCmd = { 0 };
+ TPM2_SEALED_KEY sealed_key = { 0 };
+ TPM2B_NAME name = { 0 };
+ void *file_bytes = NULL;
+ grub_size_t file_size = 0;
+ grub_uint8_t rsaparent = 0;
+ TPM_HANDLE parent_handle = 0;
+ TPM_HANDLE srk_handle = 0;
+ TPM_HANDLE sealed_handle = 0;
+ tpm2key_policy_t policy_seq = NULL;
+ tpm2key_authpolicy_t authpol = NULL;
+ tpm2key_authpolicy_t authpol_seq = NULL;
+ TPM_RC rc;
+ grub_err_t err;
+
+ /*
@ -999,10 +1161,21 @@ index 000000000..df0727215
+ file_size,
+ &policy_seq,
+ &authpol_seq,
+ &rsaparent,
+ &parent_handle,
+ &sealed_key);
+ if (err != GRUB_ERR_NONE)
+ goto exit1;
+
+ if (rsaparent == 1)
+ {
+ struct grub_tpm2_protector_context *ctx_w;
+
+ /* Overwrite the SRK type as noted in the key */
+ ctx_w = (struct grub_tpm2_protector_context *)ctx;
+ ctx_w->srk_type.type = TPM_ALG_RSA;
+ ctx_w->srk_type.detail.rsa_bits = 2048;
+ }
+ }
+ else
+ {
@ -1019,23 +1192,18 @@ index 000000000..df0727215
+ goto exit1;
+ }
+
+ /* Get the SRK to unseal the sealed key */
+ err = grub_tpm2_protector_srk_get (ctx, parent_handle, &srk_handle);
+ /* Set the SRK handle if it is specified with '--srk' or inside the key file */
+ if (ctx->srk != 0)
+ srk_handle = ctx->srk;
+ else if (TPM_HT_IS_PERSISTENT (parent_handle))
+ srk_handle = parent_handle;
+
+ /* Load the sealed key into TPM and associate it with the SRK */
+ err = grub_tpm2_protector_load_key (ctx, &sealed_key, parent_handle,
+ &sealed_handle, &srk_handle);
+ if (err != GRUB_ERR_NONE)
+ goto exit1;
+
+ /* Load the sealed key and associate it with the SRK */
+ authCmd.sessionHandle = TPM_RS_PW;
+ rc = TPM2_Load (srk_handle, &authCmd, &sealed_key.private, &sealed_key.public,
+ &sealed_handle, &name, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to load sealed key (TPM2_Load: 0x%x)"),
+ rc);
+ goto exit2;
+ }
+
+ /*
+ * Set err to an error code to trigger the standalone policy sequence
+ * if there is no authpolicy sequence
@ -1071,7 +1239,7 @@ index 000000000..df0727215
+ {
+ err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+ if (err != GRUB_ERR_NONE)
+ goto exit3;
+ goto exit2;
+ }
+
+ err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
@ -1081,11 +1249,11 @@ index 000000000..df0727215
+ if (err == GRUB_ERR_NONE)
+ while (grub_error_pop ());
+
+exit3:
+exit2:
+ TPM2_FlushContext (sealed_handle);
+
+exit2:
+ TPM2_FlushContext (srk_handle);
+ if (!TPM_HT_IS_PERSISTENT (srk_handle))
+ TPM2_FlushContext (srk_handle);
+
+exit1:
+ grub_tpm2key_free_policy_seq (policy_seq);
@ -1143,19 +1311,19 @@ index 000000000..df0727215
+ ctx->mode = GRUB_TPM2_PROTECTOR_MODE_SRK;
+
+ /* Checks for SRK mode */
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile == NULL
+ && ctx->tpm2key == NULL)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ (ctx->keyfile == NULL && ctx->tpm2key == NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, a key file must be specified: "
+ "--tpm2key/-T or --keyfile/-k"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->keyfile
+ && ctx->tpm2key)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ (ctx->keyfile != NULL && ctx->tpm2key != NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, please specify a key file with "
+ "only --tpm2key/-T or --keyfile/-k"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK && ctx->nv != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In SRK mode, an NV Index cannot be specified"));
+
@ -1166,15 +1334,16 @@ index 000000000..df0727215
+ "--nvindex or -n"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV &&
+ (ctx->tpm2key || ctx->keyfile))
+ (ctx->tpm2key != NULL || ctx->keyfile != NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, a keyfile cannot be specified"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->srk != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, an SRK cannot be specified"));
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV && ctx->asymmetric)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_NV &&
+ ctx->srk_type.type != TPM_ALG_ERROR)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("In NV Index mode, an asymmetric key type cannot be "
+ "specified"));
@ -1189,13 +1358,11 @@ index 000000000..df0727215
+ ctx->pcr_count = 1;
+ }
+
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK)
+ if (ctx->mode == GRUB_TPM2_PROTECTOR_MODE_SRK &&
+ ctx->srk_type.type == TPM_ALG_ERROR)
+ {
+ if (!ctx->asymmetric)
+ {
+ ctx->asymmetric = TPM_ALG_RSA;
+ ctx->rsa_bits = 2048;
+ }
+ ctx->srk_type.type = TPM_ALG_ECC;
+ ctx->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+
+ return GRUB_ERR_NONE;
@ -1299,9 +1466,7 @@ index 000000000..df0727215
+ if (state[OPTION_ASYMMETRIC].set) /* asymmetric */
+ {
+ err = grub_tpm2_protector_parse_asymmetric (state[OPTION_ASYMMETRIC].arg,
+ &grub_tpm2_protector_ctx.asymmetric,
+ &grub_tpm2_protector_ctx.rsa_bits,
+ &grub_tpm2_protector_ctx.ecc_curve);
+ &grub_tpm2_protector_ctx.srk_type);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
@ -1376,10 +1541,10 @@ index 000000000..df0727215
+}
diff --git a/grub-core/tpm2/tpm2key.asn b/grub-core/tpm2/tpm2key.asn
new file mode 100644
index 000000000..e3b6a03e0
index 000000000..7ad4b6a2a
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.asn
@@ -0,0 +1,31 @@
@@ -0,0 +1,33 @@
+--
+-- TPM 2.0 key file format
+-- To generate tpm2key_asn1_tab.c: asn1Parser tpm2key.asn
@ -1405,6 +1570,8 @@ index 000000000..e3b6a03e0
+ policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ description [4] EXPLICIT UTF8String OPTIONAL,
+ rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ parent INTEGER,
+ pubkey OCTET STRING,
+ privkey OCTET STRING
@ -1413,10 +1580,10 @@ index 000000000..e3b6a03e0
+END
diff --git a/grub-core/tpm2/tpm2key.c b/grub-core/tpm2/tpm2key.c
new file mode 100644
index 000000000..a26c287c9
index 000000000..7a55644e5
--- /dev/null
+++ b/grub-core/tpm2/tpm2key.c
@@ -0,0 +1,447 @@
@@ -0,0 +1,476 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2023 SUSE LLC
@ -1518,17 +1685,19 @@ index 000000000..a26c287c9
+ grub_err_t err;
+
+ /*
+ TPMKey ::= SEQUENCE {
+ type OBJECT IDENTIFIER,
+ emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
+ policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ parent INTEGER,
+ pubkey OCTET STRING,
+ privkey OCTET STRING
+ }
+ */
+ * TPMKey ::= SEQUENCE {
+ * type OBJECT IDENTIFIER,
+ * emptyAuth [0] EXPLICIT BOOLEAN OPTIONAL,
+ * policy [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL,
+ * secret [2] EXPLICIT OCTET STRING OPTIONAL,
+ * authPolicy [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL,
+ * description [4] EXPLICIT UTF8String OPTIONAL,
+ * rsaParent [5] EXPLICIT BOOLEAN OPTIONAL,
+ * parent INTEGER,
+ * pubkey OCTET STRING,
+ * privkey OCTET STRING
+ * }
+ */
+ ret = asn1_array2tree (tpm2key_asn1_tab, &tpm2key_asn1, NULL);
+ if (ret != ASN1_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
@ -1579,11 +1748,8 @@ index 000000000..a26c287c9
+ err = GRUB_ERR_NONE;
+
+error:
+ if (type_oid)
+ grub_free (type_oid);
+
+ if (empty_auth)
+ grub_free (empty_auth);
+ grub_free (type_oid);
+ grub_free (empty_auth);
+
+ return err;
+}
@ -1591,12 +1757,42 @@ index 000000000..a26c287c9
+void
+grub_tpm2key_end_parsing (asn1_node tpm2key)
+{
+ if (tpm2key)
+ asn1_delete_structure (&tpm2key);
+ asn1_delete_structure (&tpm2key);
+ tpm2key = NULL;
+}
+
+grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent)
+{
+ void *bool_str = NULL;
+ grub_size_t bool_str_size = 0;
+ int ret;
+
+ if (rsaparent == NULL)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("NULL pointer detected"));
+
+ if (tpm2key == NULL)
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Invalid parent node"));
+
+ ret = asn1_allocate_and_read (tpm2key, "rsaParent", &bool_str, &bool_str_size);
+ if (ret == ASN1_SUCCESS)
+ {
+ if (grub_strncmp ("TRUE", bool_str, bool_str_size) == 0)
+ *rsaparent = 1;
+ else
+ *rsaparent = 0;
+ }
+ else if (ret == ASN1_ELEMENT_NOT_FOUND)
+ *rsaparent = 0;
+ else
+ return grub_error (GRUB_ERR_READ_ERROR, N_("Failed to retrieve rsaParent"));
+
+ grub_free (bool_str);
+
+ return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent)
+{
+ int ret;
@ -1805,7 +2001,7 @@ index 000000000..a26c287c9
+ /* Limit the number of authPolicy elements to two digits (99) */
+ if (authpol_n > 100 || authpol_n < 1)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("Invalid number of autoPolicy elements"));
+ N_("Invalid number of authPolicy elements"));
+
+ /*
+ * Iterate the authPolicy elements backwards since grub_list_push() prepends
@ -1866,10 +2062,10 @@ index 000000000..a26c287c9
+}
diff --git a/grub-core/tpm2/tpm2key_asn1_tab.c b/grub-core/tpm2/tpm2key_asn1_tab.c
new file mode 100644
index 000000000..551fc46ec
index 000000000..6868924f9
--- /dev/null
+++ b/grub-core/tpm2/tpm2key_asn1_tab.c
@@ -0,0 +1,41 @@
@@ -0,0 +1,45 @@
+/*
+ * This file is generated by 'asn1Parser tpm2key.asn' and the '#include'
+ * headers are replaced with the ones in grub2.
@ -1906,6 +2102,10 @@ index 000000000..551fc46ec
+ { "authPolicy", 1610637323, NULL },
+ { NULL, 1073743880, "3"},
+ { NULL, 2, "TPMAuthPolicy"},
+ { "description", 1610637346, NULL },
+ { NULL, 2056, "4"},
+ { "rsaParent", 1610637316, NULL },
+ { NULL, 2056, "5"},
+ { "parent", 1073741827, NULL },
+ { "pubkey", 1073741831, NULL },
+ { "privkey", 7, NULL },
@ -1913,10 +2113,10 @@ index 000000000..551fc46ec
+};
diff --git a/include/grub/tpm2/internal/args.h b/include/grub/tpm2/internal/args.h
new file mode 100644
index 000000000..58d13e031
index 000000000..9f4c0eb9f
--- /dev/null
+++ b/include/grub/tpm2/internal/args.h
@@ -0,0 +1,41 @@
@@ -0,0 +1,49 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -1941,15 +2141,23 @@ index 000000000..58d13e031
+#include <grub/err.h>
+#include <grub/tpm2/tpm2.h>
+
+struct grub_srk_type
+{
+ TPMI_ALG_PUBLIC type;
+ union {
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ } detail;
+};
+typedef struct grub_srk_type grub_srk_type_t;
+
+grub_err_t
+grub_tpm2_protector_parse_pcrs (char *value, grub_uint8_t *pcrs,
+ grub_uint8_t *pcr_count);
+
+grub_err_t
+grub_tpm2_protector_parse_asymmetric (const char *value,
+ TPM_ALG_ID *asymmetric,
+ TPM_KEY_BITS *rsa_bits,
+ TPM_ECC_CURVE *ecc_curve);
+ grub_srk_type_t *srk_type);
+
+grub_err_t
+grub_tpm2_protector_parse_bank (const char *value, TPM_ALG_ID *bank);
@ -1960,10 +2168,10 @@ index 000000000..58d13e031
+#endif /* ! GRUB_TPM2_INTERNAL_ARGS_HEADER */
diff --git a/include/grub/tpm2/tpm2key.h b/include/grub/tpm2/tpm2key.h
new file mode 100644
index 000000000..df46203e3
index 000000000..c27b5305e
--- /dev/null
+++ b/include/grub/tpm2/tpm2key.h
@@ -0,0 +1,83 @@
@@ -0,0 +1,86 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2023 SUSE LLC
@ -2026,6 +2234,9 @@ index 000000000..df46203e3
+grub_tpm2key_end_parsing (asn1_node tpm2key);
+
+grub_err_t
+grub_tpm2key_get_rsaparent (asn1_node tpm2key, grub_uint8_t *rsaparent);
+
+grub_err_t
+grub_tpm2key_get_parent (asn1_node tpm2key, grub_uint32_t *parent);
+
+grub_err_t

543
0003-tpm2-Implement-more-TPM2-commands.patch
View File

@ -1,543 +0,0 @@
From a49c4dcbcb04078434f461ed3356c04042be461a Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Wed, 8 Feb 2023 10:30:55 +0800
Subject: [PATCH 3/4] tpm2: Implement more TPM2 commands
This commit implements a few more TPM2 commands as the preparation for
the authorized policy support.
* TPM2_LoadExternal
This command is added to load the external public key to verify the
signed policy digest
* TPM2_HashSequenceStart, TPM2_SequenceUpdate, TPM2_SequenceComplete,
and TPM2_Hash
With those commands, we can use the TPM as a coprocessor to calculate
the hash of a given binary blob.
* TPM2_VerifySignature
This command verifies the given signature with the given public key
and returns the validation ticket to authorize the policy.
* TPM2_PolicyAuthorize
This command approves the given policy digest so that we can unseal
the key with the newly authorized policy.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/tpm2.c | 424 +++++++++++++++++++++++++
include/grub/tpm2/internal/functions.h | 57 ++++
2 files changed, 481 insertions(+)
diff --git a/grub-core/tpm2/tpm2.c b/grub-core/tpm2/tpm2.c
index d67699a24..159353b08 100644
--- a/grub-core/tpm2/tpm2.c
+++ b/grub-core/tpm2/tpm2.c
@@ -427,6 +427,73 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
return TPM_RC_SUCCESS;
}
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM_HANDLE objectHandleTmp;
+ TPM2B_NAME nameTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!inPublic)
+ return TPM_RC_VALUE;
+
+ if (!objectHandle)
+ objectHandle = &objectHandleTmp;
+ if (!name)
+ name = &nameTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (objectHandle, 0, sizeof (*objectHandle));
+ grub_memset (name, 0, sizeof (*name));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (inPrivate)
+ grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (&in, inPrivate);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_PUBLIC_Marshal (&in, inPublic);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_LoadExternal, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ grub_tpm2_buffer_unpack_u32 (&out, objectHandle);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPM2B_Unmarshal (&out, (TPM2B*)name);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT itemHandle,
const TPMS_AUTH_COMMAND *authCommand,
@@ -759,3 +826,360 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
return TPM_RC_SUCCESS;
}
+
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMI_DH_OBJECT sequenceHandleTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!auth)
+ return TPM_RC_VALUE;
+
+ if (!sequenceHandle)
+ sequenceHandle = &sequenceHandleTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (sequenceHandle, 0, sizeof (*sequenceHandle));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, auth->size, auth->buffer);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_HashSequenceStart, &responseCode, &in,
+ &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, sequenceHandle);
+ if (tag == TPM_ST_SESSIONS)
+ {
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ }
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceUpdate,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPM2B_DIGEST resultTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM_RC responseCode;
+ TPM_RC rc;
+ grub_uint32_t parameterSize;
+
+ if (!authCommand)
+ return TPM_RC_VALUE;
+
+ if (!result)
+ result = &resultTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (result, 0, sizeof (*result));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, sequenceHandle);
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (buffer)
+ grub_tpm2_mu_TPM2B_Marshal (&in, buffer->size, buffer->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (TPM_ST_SESSIONS, TPM_CC_SequenceComplete,
+ &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal */
+ grub_tpm2_buffer_unpack_u32 (&out, &parameterSize);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, result);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal(&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPM2B_DIGEST outHashTmp;
+ TPMT_TK_HASHCHECK validationTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (hashAlg == TPM_ALG_NULL)
+ return TPM_RC_VALUE;
+
+ if (!outHash)
+ outHash = &outHashTmp;
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (outHash, 0, sizeof (*outHash));
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ if (data)
+ grub_tpm2_mu_TPM2B_Marshal (&in, data->size, data->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_buffer_pack_u16 (&in, hashAlg);
+ grub_tpm2_buffer_pack_u32 (&in, hierarchy);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_Hash, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (&out, outHash);
+ grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPMT_TK_VERIFIED validationTmp;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!digest || !signature)
+ return TPM_RC_VALUE;
+
+ if (!validation)
+ validation = &validationTmp;
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (validation, 0, sizeof (*validation));
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_buffer_pack_u32 (&in, keyHandle);
+ grub_tpm2_mu_TPM2B_Marshal (&in, digest->size, digest->buffer);
+ grub_tpm2_mu_TPMT_SIGNATURE_Marshal (&in, signature);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_VerifySignature, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (&out, validation);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse)
+{
+ TPM_RC rc;
+ struct grub_tpm2_buffer in;
+ struct grub_tpm2_buffer out;
+ TPMS_AUTH_RESPONSE authResponseTmp;
+ TPMI_ST_COMMAND_TAG tag = authCommand ? TPM_ST_SESSIONS : TPM_ST_NO_SESSIONS;
+ TPM_RC responseCode;
+ grub_uint32_t param_size;
+
+ if (!approvedPolicy || !keySign || !checkTicket)
+ return TPM_RC_VALUE;
+
+ if (!authResponse)
+ authResponse = &authResponseTmp;
+
+ grub_memset (authResponse, 0, sizeof (*authResponse));
+
+ /* Marshal */
+ grub_tpm2_buffer_init (&in);
+ grub_tpm2_buffer_pack_u32 (&in, policySession);
+ if (authCommand)
+ grub_tpm2_mu_TPMS_AUTH_COMMAND_Marshal (&in, authCommand);
+ grub_tpm2_mu_TPM2B_Marshal (&in, approvedPolicy->size, approvedPolicy->buffer);
+ if (policyRef)
+ grub_tpm2_mu_TPM2B_Marshal (&in, policyRef->size, policyRef->buffer);
+ else
+ grub_tpm2_buffer_pack_u16 (&in, 0);
+ grub_tpm2_mu_TPM2B_Marshal (&in, keySign->size, keySign->name);
+ grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (&in, checkTicket);
+ if (in.error)
+ return TPM_RC_FAILURE;
+
+ /* Submit */
+ grub_tpm2_buffer_init (&out);
+ rc = grub_tpm2_submit_command (tag, TPM_CC_PolicyAuthorize, &responseCode, &in, &out);
+ if (rc != TPM_RC_SUCCESS)
+ return rc;
+ if (responseCode != TPM_RC_SUCCESS)
+ return responseCode;
+
+ /* Unmarshal*/
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_buffer_unpack_u32 (&out, &param_size);
+ if (tag == TPM_ST_SESSIONS)
+ grub_tpm2_mu_TPMS_AUTH_RESPONSE_Unmarshal (&out, authResponse);
+ if (out.error)
+ return TPM_RC_FAILURE;
+
+ return TPM_RC_SUCCESS;
+}
diff --git a/include/grub/tpm2/internal/functions.h b/include/grub/tpm2/internal/functions.h
index 9380f26a2..67b78fab8 100644
--- a/include/grub/tpm2/internal/functions.h
+++ b/include/grub/tpm2/internal/functions.h
@@ -70,6 +70,15 @@ TPM2_Load (const TPMI_DH_OBJECT parent_handle,
TPM2B_NAME *name,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_LoadExternal (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_SENSITIVE *inPrivate,
+ const TPM2B_PUBLIC *inPublic,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM_HANDLE *objectHandle,
+ TPM2B_NAME *name,
+ TPMS_AUTH_RESPONSE *authResponse);
+
TPM_RC
TPM2_Unseal (const TPMI_DH_OBJECT item_handle,
const TPMS_AUTH_COMMAND *authCommand,
@@ -114,4 +123,52 @@ TPM2_EvictControl (const TPMI_RH_PROVISION auth,
const TPMI_DH_PERSISTENT persistentHandle,
TPMS_AUTH_RESPONSE *authResponse);
+TPM_RC
+TPM2_HashSequenceStart (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_AUTH *auth,
+ const TPMI_ALG_HASH hashAlg,
+ TPMI_DH_OBJECT *sequenceHandle,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceUpdate (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_SequenceComplete (const TPMI_DH_OBJECT sequenceHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *buffer,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *result,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_Hash (const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_MAX_BUFFER *data,
+ const TPMI_ALG_HASH hashAlg,
+ const TPMI_RH_HIERARCHY hierarchy,
+ TPM2B_DIGEST *outHash,
+ TPMT_TK_HASHCHECK *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_VerifySignature (const TPMI_DH_OBJECT keyHandle,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *digest,
+ const TPMT_SIGNATURE *signature,
+ TPMT_TK_VERIFIED *validation,
+ TPMS_AUTH_RESPONSE *authResponse);
+
+TPM_RC
+TPM2_PolicyAuthorize (const TPMI_SH_POLICY policySession,
+ const TPMS_AUTH_COMMAND *authCommand,
+ const TPM2B_DIGEST *approvedPolicy,
+ const TPM2B_NONCE *policyRef,
+ const TPM2B_NAME *keySign,
+ const TPMT_TK_VERIFIED *checkTicket,
+ TPMS_AUTH_RESPONSE *authResponse);
+
#endif /* ! GRUB_TPM2_INTERNAL_FUNCTIONS_HEADER */
--
2.35.3

114
0004-cryptodisk-Support-key-protectors.patch
View File

@ -1,42 +1,50 @@
From 9888bf40d960339a59dc18fb6e1df5f65b4668e3 Mon Sep 17 00:00:00 2001
From 7ce7b7889ce73174a0d8091978254ecf2d2e205f Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:56 -0800
Subject: [PATCH 13/14] cryptodisk: Support key protectors
Subject: [PATCH 4/5] cryptodisk: Support key protectors
Add a new parameter to cryptomount to support the key protectors framework: -k.
Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provides a usable key for any
given disk.
Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
Makefile.util.def | 1 +
grub-core/disk/cryptodisk.c | 166 +++++++++++++++++++++++++++++-------
include/grub/cryptodisk.h | 14 +++
3 files changed, 151 insertions(+), 30 deletions(-)
grub-core/disk/cryptodisk.c | 172 +++++++++++++++++++++++++++++-------
include/grub/cryptodisk.h | 16 ++++
3 files changed, 158 insertions(+), 31 deletions(-)
diff --git a/Makefile.util.def b/Makefile.util.def
index 3b9435307..252d70af2 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -35,6 +35,7 @@
common = grub-core/kern/list.c;
common = grub-core/kern/misc.c;
common = grub-core/kern/partition.c;
+ common = grub-core/kern/protectors.c;
common = grub-core/lib/crypto.c;
common = grub-core/lib/json/json.c;
@@ -40,6 +40,7 @@ library = {
common = grub-core/disk/luks.c;
common = grub-core/disk/luks2.c;
common = grub-core/disk/geli.c;
+ common = grub-core/disk/key_protector.c;
common = grub-core/disk/cryptodisk.c;
common = grub-core/disk/AFSplitter.c;
common = grub-core/lib/pbkdf2.c;
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 2246af51b..b7648ffb7 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -26,6 +26,7 @@
#include <grub/file.h>
#include <grub/procfs.h>
#include <grub/partition.h>
+#include <grub/protector.h>
+#include <grub/key_protector.h>
#ifdef GRUB_UTIL
#include <grub/emu/hostdisk.h>
@@ -44,7 +45,8 @@
@@ -44,7 +45,8 @@ enum
OPTION_KEYFILE,
OPTION_KEYFILE_OFFSET,
OPTION_KEYFILE_SIZE,
@ -46,7 +54,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
};
static const struct grub_arg_option options[] =
@@ -58,6 +60,8 @@
@@ -58,6 +60,8 @@ static const struct grub_arg_option options[] =
{"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT},
{"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT},
{"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
@ -55,7 +63,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
{0, 0, 0, 0, 0, 0}
};
@@ -1061,6 +1065,7 @@
@@ -1061,6 +1065,7 @@ grub_cryptodisk_scan_device_real (const char *name,
grub_err_t ret = GRUB_ERR_NONE;
grub_cryptodisk_t dev;
grub_cryptodisk_dev_t cr;
@ -63,7 +71,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
struct cryptodisk_read_hook_ctx read_hook_data = {0};
int askpass = 0;
char *part = NULL;
@@ -1113,41 +1118,112 @@
@@ -1113,41 +1118,112 @@ grub_cryptodisk_scan_device_real (const char *name,
goto error_no_close;
if (!dev)
continue;
@ -84,13 +92,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
- cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
- if (cargs->key_data == NULL)
- goto error_no_close;
+ if (dev == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_MODULE,
+ "no cryptodisk module can handle this device");
+ goto error_no_close;
+ }
-
- if (!grub_password_get ((char *) cargs->key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
- {
- grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
@ -98,16 +100,23 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
- }
- cargs->key_len = grub_strlen ((char *) cargs->key_data);
- }
+ if (dev == NULL)
+ {
+ grub_error (GRUB_ERR_BAD_MODULE,
+ "no cryptodisk module can handle this device");
+ goto error_no_close;
+ }
- ret = cr->recover_key (source, dev, cargs);
- if (ret != GRUB_ERR_NONE)
- goto error;
+ if (cargs->protectors)
+ {
+ for (i = 0; cargs->protectors[i]; i++)
+ {
+ if (cargs->key_cache[i].invalid)
+ continue;
- ret = cr->recover_key (source, dev, cargs);
- if (ret != GRUB_ERR_NONE)
- goto error;
+
+ if (cargs->key_cache[i].key == NULL)
+ {
+ ret = grub_key_protector_recover_key (cargs->protectors[i],
@ -146,16 +155,16 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
+ cargs->protectors[i], source->name,
+ source->partition != NULL ? "," : "",
+ part != NULL ? part : N_("UNKNOWN"), dev->uuid);
+ grub_free (part);
+ continue;
+ grub_free (part);
+ continue;
+ }
+ else
+ {
+ ret = grub_cryptodisk_insert (dev, name, source);
+ if (ret != GRUB_ERR_NONE)
+ goto error;
+ goto cleanup;
+ }
+ else
+ {
+ ret = grub_cryptodisk_insert (dev, name, source);
+ if (ret != GRUB_ERR_NONE)
+ goto error;
+ goto cleanup;
+ }
+ }
- ret = grub_cryptodisk_insert (dev, name, source);
@ -205,7 +214,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
goto cleanup;
error:
@@ -1258,6 +1334,20 @@
@@ -1259,6 +1335,20 @@ grub_cryptodisk_scan_device (const char *name,
return ret;
}
@ -226,7 +235,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
static grub_err_t
grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
@@ -1270,6 +1360,10 @@
@@ -1271,6 +1361,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
if (grub_cryptodisk_list == NULL)
return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded");
@ -237,7 +246,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (state[OPTION_PASSWORD].set) /* password */
{
cargs.key_data = (grub_uint8_t *) state[OPTION_PASSWORD].arg;
@@ -1362,6 +1456,15 @@
@@ -1363,6 +1457,15 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
return grub_errno;
}
@ -253,7 +262,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (state[OPTION_UUID].set) /* uuid */
{
int found_uuid;
@@ -1370,6 +1473,7 @@
@@ -1371,6 +1474,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
dev = grub_cryptodisk_get_by_uuid (args[0]);
if (dev)
{
@ -261,7 +270,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
grub_dprintf ("cryptodisk",
"already mounted as crypto%lu\n", dev->id);
return GRUB_ERR_NONE;
@@ -1378,6 +1482,7 @@
@@ -1379,6 +1483,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
cargs.check_boot = state[OPTION_BOOT].set;
cargs.search_uuid = args[0];
found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@ -269,7 +278,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (found_uuid)
return GRUB_ERR_NONE;
@@ -1397,6 +1502,7 @@
@@ -1398,6 +1503,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
cargs.check_boot = state[OPTION_BOOT].set;
grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@ -277,7 +286,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
return GRUB_ERR_NONE;
}
else
@@ -1420,6 +1526,7 @@
@@ -1421,6 +1527,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
disk = grub_disk_open (diskname);
if (!disk)
{
@ -285,7 +294,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
if (disklast)
*disklast = ')';
return grub_errno;
@@ -1430,12 +1537,14 @@
@@ -1431,12 +1538,14 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
{
grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", dev->id);
grub_disk_close (disk);
@ -300,7 +309,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
grub_disk_close (disk);
if (disklast)
@@ -1576,6 +1685,7 @@
@@ -1590,6 +1699,7 @@ GRUB_MOD_INIT (cryptodisk)
cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
N_("[ [-p password] | [-k keyfile"
" [-O keyoffset] [-S keysize] ] ] [-H file]"
@ -308,9 +317,11 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
" <SOURCE|-u UUID|-a|-b>"),
N_("Mount a crypto device."), options);
grub_procfs_register ("luks_script", &luks_script);
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index d94df68b6..0b41e249e 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -70,6 +70,18 @@
@@ -70,6 +70,18 @@ typedef gcry_err_code_t
(*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
grub_uint64_t zoneno);
@ -329,7 +340,7 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
struct grub_cryptomount_args
{
/* scan: Flag to indicate that only bootable volumes should be decrypted */
@@ -81,6 +93,10 @@
@@ -81,6 +93,10 @@ struct grub_cryptomount_args
/* recover_key: Length of key_data */
grub_size_t key_len;
grub_file_t hdr_file;
@ -340,3 +351,6 @@ Signed-off-by: <Hernan Gatta hegatta@linux.microsoft.com>
};
typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
--
2.35.3

18
0004-diskfilter-look-up-cryptodisk-devices-first.patch
View File

@ -1,4 +1,4 @@
From b7e2fb6a680447b7bb7eb18bb7570afa8d2b7f09 Mon Sep 17 00:00:00 2001
From 91a99dffbe78b91a0c18b32ebecf755ba9d74032 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 10 Aug 2023 10:19:29 +0800
Subject: [PATCH 4/4] diskfilter: look up cryptodisk devices first
@ -12,15 +12,15 @@ look like this:
Since the disk search order is based on the order of module loading, the
attacker could insert a malicious disk with the same FS-UUID root to
trick grub2 to boot into th malicious root and further dump memory to
trick grub2 to boot into the malicious root and further dump memory to
steal the unsealed key.
To defend such attack, we can specify the hint provided by 'grub-probe'
to search the encrypted partition first:
Do defend against such an attack, we can specify the hint provided by
'grub-probe' to search the encrypted partition first:
search --fs-uuid --set=root --hint='cryptouuid/<PART-UUID>' <FS-UUID>
However, for LVM on a encrypted partition, the search hint provided by
However, for LVM on an encrypted partition, the search hint provided by
'grub-probe' is:
--hint='lvmid/<VG-UUID>/<LV-UUID>'
@ -29,20 +29,22 @@ It doesn't guarantee to look up the logical volume from the encrypted
partition, so the attacker may have the chance to fool grub2 to boot
into the malicious disk.
To mininize the attack surface, this commit tweaks the disk device search
To minimize the attack surface, this commit tweaks the disk device search
in diskfilter to look up cryptodisk devices first and then others, so
that the auto-unlocked disk will be found first, not the attacker's disk.
Cc: Fabian Vogt <fvogt@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/disk/diskfilter.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 61a311efd..94832c8dd 100644
index 41e177549..c45bef1ca 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -226,15 +226,32 @@ scan_devices (const char *arname)
@@ -322,15 +322,32 @@ scan_devices (const char *arname)
int need_rescan;
for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)

386
0005-util-grub-protect-Add-new-tool.patch
View File

@ -1,7 +1,7 @@
From 1116bc4b9a27aceaec53421e89eb887e6ad3aef8 Mon Sep 17 00:00:00 2001
From c8c567c463cbe6090e086430251efc0dd4f58164 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:57 -0800
Subject: [PATCH v7 12/20] util/grub-protect: Add new tool
Subject: [PATCH 5/5] util/grub-protect: Add new tool
To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
@ -27,6 +27,7 @@ To seal the key with TPM 2.0 Key File (recommended):
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2key \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/boot/grub2/sealed.tpm
@ -35,6 +36,7 @@ Or, to seal the key with the raw sealed key:
$ sudo grub-protect --action=add \
--protector=tpm2 \
--tpm2-pcrs=0,2,4,7,9 \
--tpm2-keyfile=luks-key \
--tpm2-outfile=/boot/efi/boot/grub2/sealed.key
@ -45,29 +47,38 @@ cryptomount -u <SDB1_UUID> -P tpm2
Or, for the raw sealed key:
tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key
tpm2_key_protector_init --keyfile=(hd0,gpt1)/boot/grub2/sealed.key --pcrs=0,2,4,7,9
cryptomount -u <SDB1_UUID> -P tpm2
The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.
Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
---
Makefile.util.def | 22 +
configure.ac | 9 +
util/grub-protect.c | 1492 +++++++++++++++++++++++++++++++++++++++++++
4 files changed, 1525 insertions(+)
.gitignore | 2 +
Makefile.util.def | 24 +
configure.ac | 30 +
docs/man/grub-protect.h2m | 4 +
util/grub-protect.c | 1420 +++++++++++++++++++++++++++++++++++++
5 files changed, 1480 insertions(+)
create mode 100644 docs/man/grub-protect.h2m
create mode 100644 util/grub-protect.c
diff --git a/Makefile.util.def b/Makefile.util.def
index e89abb38f..f43c223b9 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -207,6 +207,28 @@ program = {
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
Index: grub-2.12/Makefile.util.def
===================================================================
--- grub-2.12.orig/Makefile.util.def
+++ grub-2.12/Makefile.util.def
@@ -208,6 +208,30 @@ program = {
};
+program = {
program = {
+ name = grub-protect;
+ mansection = 1;
+
+ common = grub-core/kern/emu/argp_common.c;
+ common = grub-core/osdep/init.c;
+ common = grub-core/tpm2/args.c;
+ common = grub-core/tpm2/buffer.c;
@ -84,16 +95,17 @@ index e89abb38f..f43c223b9 100644
+ ldadd = '$(LIBTASN1)';
+ ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBUTIL) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
+
+ enable = efi;
+ condition = COND_GRUB_PROTECT;
+};
+
program = {
+program = {
name = grub-mkrelpath;
mansection = 1;
diff --git a/configure.ac b/configure.ac
index c19779c14..9796e5f9b 100644
--- a/configure.ac
+++ b/configure.ac
Index: grub-2.12/configure.ac
===================================================================
--- grub-2.12.orig/configure.ac
+++ grub-2.12/configure.ac
@@ -76,6 +76,7 @@ grub_TRANSFORM([grub-mkpasswd-pbkdf2])
grub_TRANSFORM([grub-mkrelpath])
grub_TRANSFORM([grub-mkrescue])
@ -102,27 +114,70 @@ index c19779c14..9796e5f9b 100644
grub_TRANSFORM([grub-reboot])
grub_TRANSFORM([grub-script-check])
grub_TRANSFORM([grub-set-default])
@@ -2018,6 +2019,14 @@ fi
@@ -2057,6 +2058,29 @@ fi
AC_SUBST([LIBZFS])
AC_SUBST([LIBNVPAIR])
+AC_ARG_ENABLE([grub-protect],
+ [AS_HELP_STRING([--enable-grub-protect],
+ [build and install the `grub-protect' utility (default=guessed)])])
+if test x"$enable_grub_protect" = xno ; then
+ grub_protect_excuse="explicitly disabled"
+fi
+
+LIBTASN1=
+if test x"$platform" = xefi; then
+ AC_CHECK_LIB([tasn1], [asn1_write_value], [],
+ [AC_MSG_ERROR([Your platform requires libtasn1])])
+ LIBTASN1="-ltasn1"
+if test x"$grub_protect_excuse" = x ; then
+ AC_CHECK_LIB([tasn1], [asn1_write_value], [LIBTASN1="-ltasn1"], [grub_protect_excuse="need libtasn1 library"])
+fi
+AC_SUBST([LIBTASN1])
+
+if test x"$enable_grub_protect" = xyes && test x"$grub_protect_excuse" != x ; then
+ AC_MSG_ERROR([grub-protect was explicitly requested but can't be compiled ($grub_protect_excuse)])
+fi
+if test x"$grub_protect_excuse" = x ; then
+enable_grub_protect=yes
+else
+enable_grub_protect=no
+fi
+AC_SUBST([enable_grub_protect])
+
LIBS=""
AC_SUBST([FONT_SOURCE])
diff --git a/util/grub-protect.c b/util/grub-protect.c
new file mode 100644
index 000000000..c6d41ea40
@@ -2177,6 +2201,7 @@ AM_CONDITIONAL([COND_GRUB_EMU_SDL], [tes
AM_CONDITIONAL([COND_GRUB_EMU_PCI], [test x$enable_grub_emu_pci = xyes])
AM_CONDITIONAL([COND_GRUB_MKFONT], [test x$enable_grub_mkfont = xyes])
AM_CONDITIONAL([COND_GRUB_MOUNT], [test x$enable_grub_mount = xyes])
+AM_CONDITIONAL([COND_GRUB_PROTECT], [test x$enable_grub_protect = xyes])
AM_CONDITIONAL([COND_HAVE_FONT_SOURCE], [test x$FONT_SOURCE != x])
if test x$FONT_SOURCE != x ; then
HAVE_FONT_SOURCE=1
@@ -2304,6 +2329,11 @@ echo grub-mount: Yes
else
echo grub-mount: No "($grub_mount_excuse)"
fi
+if [ x"$grub_protect_excuse" = x ]; then
+echo grub-protect: Yes
+else
+echo grub-protect: No "($grub_protect_excuse)"
+fi
if [ x"$starfield_excuse" = x ]; then
echo starfield theme: Yes
echo With DejaVuSans font from $DJVU_FONT_SOURCE
Index: grub-2.12/docs/man/grub-protect.h2m
===================================================================
--- /dev/null
+++ b/util/grub-protect.c
@@ -0,0 +1,1492 @@
+++ grub-2.12/docs/man/grub-protect.h2m
@@ -0,0 +1,4 @@
+[NAME]
+grub-protect \- protect a disk key with a key protector
+[DESCRIPTION]
+grub-protect helps to pretect a disk encryption key with a specified key protector.
Index: grub-2.12/util/grub-protect.c
===================================================================
--- /dev/null
+++ grub-2.12/util/grub-protect.c
@@ -0,0 +1,1420 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
@ -151,8 +206,6 @@ index 000000000..c6d41ea40
+#include <string.h>
+#include <unistd.h>
+
+#include <grub/crypto.h>
+#include <grub/emu/getroot.h>
+#include <grub/emu/hostdisk.h>
+#include <grub/emu/misc.h>
+#include <grub/tpm2/buffer.h>
@ -228,9 +281,7 @@ index 000000000..c6d41ea40
+ const char *tpm2_device;
+ grub_uint8_t tpm2_pcrs[TPM_MAX_PCRS];
+ grub_uint8_t tpm2_pcr_count;
+ TPM_ALG_ID tpm2_asymmetric;
+ TPM_KEY_BITS rsa_bits;
+ TPM_ECC_CURVE ecc_curve;
+ grub_srk_type_t srk_type;
+ TPM_ALG_ID tpm2_bank;
+ TPM_HANDLE tpm2_srk;
+ const char *tpm2_keyfile;
@ -267,7 +318,7 @@ index 000000000..c6d41ea40
+ .arg = "FILE",
+ .flags = 0,
+ .doc =
+ N_("Path to the TPM2 device (default is /dev/tpm0)."),
+ N_("Path to the TPM2 device. (default: /dev/tpm0)"),
+ .group = 0
+ },
+ {
@ -277,7 +328,11 @@ index 000000000..c6d41ea40
+ .flags = 0,
+ .doc =
+ N_("Comma-separated list of PCRs used to authorize key release "
+ "(e.g., '7,11', default is 7."),
+ "e.g., '7,11'. Please be aware that PCR 0~7 are used by the "
+ "firmware and the measurement result may change after a "
+ "firmware update (for baremetal systems) or a package "
+ "(OVMF/SeaBIOS/SLOF) update in the VM host. This may lead to"
+ "the failure of key unsealing. (default: 7)"),
+ .group = 0
+ },
+ {
@ -287,7 +342,7 @@ index 000000000..c6d41ea40
+ .flags = 0,
+ .doc =
+ N_("Bank of PCRs used to authorize key release: "
+ "SHA1, SHA256 (default), or SHA512."),
+ "SHA1, SHA256, SHA384, or SHA512. (default: SHA256)"),
+ .group = 0
+ },
+ {
@ -324,10 +379,8 @@ index 000000000..c6d41ea40
+ .arg = "TYPE",
+ .flags = 0,
+ .doc =
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "ECC (ECC_NIST_P256), ECC_NIST_P384, ECC_NIST_P521, "
+ "ECC_BN_P256, ECC_BN_P638, and ECC_SM2_P256. "
+ "(default is RSA2048)"),
+ N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
+ "(default: ECC)"),
+ .group = 0
+ },
+ {
@ -374,7 +427,7 @@ index 000000000..c6d41ea40
+ }
+
+ len = ftell (f);
+ if (len == 0)
+ if (len <= 0)
+ {
+ err = GRUB_ERR_FILE_READ_ERROR;
+ goto exit1;
@ -434,88 +487,6 @@ index 000000000..c6d41ea40
+ return err;
+}
+
+static grub_err_t
+grub_protect_get_grub_drive_for_file (const char *filepath, char **drive)
+{
+ grub_err_t err = GRUB_ERR_IO;
+ char *disk;
+ char **devices;
+ char *grub_dev;
+ char *grub_path;
+ char *efi_drive;
+ char *partition;
+ char *grub_drive;
+ grub_device_t dev;
+ grub_size_t grub_drive_len;
+ int n;
+
+ grub_path = grub_canonicalize_file_name (filepath);
+ if (grub_path == NULL)
+ goto exit1;
+
+ devices = grub_guess_root_devices (grub_path);
+ if (devices == NULL || devices[0] == NULL)
+ goto exit2;
+
+ disk = devices[0];
+
+ grub_util_pull_device (disk);
+
+ grub_dev = grub_util_get_grub_dev (disk);
+ if (grub_dev == NULL)
+ goto exit3;
+
+ dev = grub_device_open (grub_dev);
+ if (dev == NULL)
+ goto exit4;
+
+ efi_drive = grub_util_guess_efi_drive (disk);
+ if (efi_drive == NULL)
+ goto exit5;
+
+ partition = grub_partition_get_name (dev->disk->partition);
+ if (partition == NULL)
+ goto exit6;
+
+ grub_drive_len = grub_strlen (efi_drive) + grub_strlen (partition) + 3;
+ grub_drive = grub_malloc (grub_drive_len + 1);
+ if (grub_drive == NULL)
+ goto exit7;
+
+ n = grub_snprintf (grub_drive, grub_drive_len + 1, "(%s,%s)", efi_drive,
+ partition);
+ if (n != grub_drive_len)
+ goto exit8;
+
+ *drive = grub_drive;
+ grub_drive = NULL;
+ err = GRUB_ERR_NONE;
+
+exit8:
+ grub_free (grub_drive);
+
+exit7:
+ grub_free (partition);
+
+exit6:
+ grub_free (efi_drive);
+
+exit5:
+ grub_device_close (dev);
+
+exit4:
+ grub_free (grub_dev);
+
+exit3:
+ grub_free (devices);
+
+exit2:
+ grub_free (grub_path);
+
+exit1:
+ return err;
+}
+
+grub_err_t
+grub_tcg2_get_max_output_size (grub_size_t *size)
+{
@ -552,7 +523,7 @@ index 000000000..c6d41ea40
+ grub_protector_tpm2_fd = open (dev_node, O_RDWR);
+ if (grub_protector_tpm2_fd == -1)
+ {
+ fprintf (stderr, _("Could not open TPM device (Error: %u).\n"), errno);
+ fprintf (stderr, _("Could not open TPM device (%s).\n"), strerror (errno));
+ return GRUB_ERR_FILE_NOT_FOUND;
+ }
+
@ -595,20 +566,15 @@ index 000000000..c6d41ea40
+ };
+ TPML_PCR_SELECTION pcr_sel_out = { 0 };
+ TPML_DIGEST pcr_values = { 0 };
+ grub_uint8_t *pcr_digest;
+ TPM2B_DIGEST pcr_digest = { 0 };
+ grub_size_t pcr_digest_len;
+ grub_uint8_t *pcr_concat;
+ TPM2B_MAX_BUFFER pcr_concat = { 0 };
+ grub_size_t pcr_concat_len;
+ grub_uint8_t *pcr_cursor;
+ const gcry_md_spec_t *hash_spec;
+ TPM2B_NONCE nonce = { 0 };
+ TPM2B_ENCRYPTED_SECRET salt = { 0 };
+ TPMT_SYM_DEF symmetric = { 0 };
+ TPMI_SH_AUTH_SESSION session = 0;
+ TPM2B_DIGEST pcr_digest_in = {
+ .size = TPM_SHA256_DIGEST_SIZE,
+ .buffer = { 0 }
+ };
+ TPM2B_DIGEST policy_digest = { 0 };
+ grub_uint8_t i;
+ grub_err_t err;
@ -637,40 +603,28 @@ index 000000000..c6d41ea40
+ {
+ case TPM_ALG_SHA1:
+ pcr_digest_len = TPM_SHA1_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA1;
+ break;
+ case TPM_ALG_SHA256:
+ pcr_digest_len = TPM_SHA256_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA256;
+ break;
+ case TPM_ALG_SHA384:
+ pcr_digest_len = TPM_SHA384_DIGEST_SIZE;
+ break;
+ case TPM_ALG_SHA512:
+ pcr_digest_len = TPM_SHA512_DIGEST_SIZE;
+ hash_spec = GRUB_MD_SHA512;
+ break;
+ /* Although SHA384 can be parsed by grub_tpm2_protector_parse_bank(),
+ it's not supported by the built-in libgcrypt, and we won't be able to
+ calculate the PCR digest, so SHA384 is marked as unsupported. */
+ default:
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ pcr_digest = grub_malloc (pcr_digest_len);
+ if (!pcr_digest)
+ {
+ fprintf (stderr, _("Failed to allocate PCR digest buffer.\n"));
+ return GRUB_ERR_OUT_OF_MEMORY;
+ }
+
+ pcr_concat_len = pcr_digest_len * args->tpm2_pcr_count;
+ pcr_concat = grub_malloc (pcr_concat_len);
+ if (pcr_concat == NULL)
+ if (pcr_concat_len > TPM_MAX_DIGEST_BUFFER)
+ {
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ fprintf (stderr, _("Failed to allocate PCR concatenation buffer.\n"));
+ goto exit1;
+ fprintf (stderr, _("PCR concatenation buffer not enough.\n"));
+ return GRUB_ERR_OUT_OF_RANGE;
+ }
+
+ pcr_cursor = pcr_concat;
+ pcr_cursor = pcr_concat.buffer;
+ for (i = 0; i < args->tpm2_pcr_count; i++)
+ {
+ if (pcr_values.digests[i].size != pcr_digest_len)
@ -678,14 +632,21 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Bad PCR value size: expected %" PRIuGRUB_SIZE " bytes but got %u bytes.\n"),
+ pcr_digest_len, pcr_values.digests[i].size);
+ goto exit2;
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ grub_memcpy (pcr_cursor, pcr_values.digests[i].buffer, pcr_digest_len);
+ pcr_cursor += pcr_digest_len;
+ }
+ pcr_concat.size = pcr_concat_len;
+
+ grub_crypto_hash (hash_spec, pcr_digest, pcr_concat, pcr_concat_len);
+ rc = TPM2_Hash (NULL, &pcr_concat, args->tpm2_bank, TPM_RH_NULL, &pcr_digest,
+ NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to generate PCR digest (TPM2_Hash: 0x%x)\n"), rc);
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
+ /* Start Trial Session */
+ nonce.size = TPM_SHA256_DIGEST_SIZE;
@ -699,20 +660,17 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Failed to start trial policy session (TPM2_StartAuthSession: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit2;
+ return GRUB_ERR_BAD_DEVICE;
+ }
+
+ /* PCR Policy */
+ memcpy (pcr_digest_in.buffer, pcr_digest, TPM_SHA256_DIGEST_SIZE);
+
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest_in, &pcr_sel, NULL);
+ rc = TPM2_PolicyPCR (session, NULL, &pcr_digest, &pcr_sel, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to submit PCR policy (TPM2_PolicyPCR: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
+ goto error;
+ }
+
+ /* Retrieve Policy Digest */
@ -722,22 +680,16 @@ index 000000000..c6d41ea40
+ fprintf (stderr, _("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).\n"),
+ rc);
+ err = GRUB_ERR_BAD_DEVICE;
+ goto exit3;
+ goto error;
+ }
+
+ /* Epilogue */
+ *digest = policy_digest;
+ err = GRUB_ERR_NONE;
+
+exit3:
+error:
+ TPM2_FlushContext (session);
+
+exit2:
+ grub_free (pcr_concat);
+
+exit1:
+ grub_free (pcr_digest);
+
+ return err;
+}
+
@ -781,8 +733,8 @@ index 000000000..c6d41ea40
+
+ /* Create SRK */
+ authCommand.sessionHandle = TPM_RS_PW;
+ inPublic.publicArea.type = args->tpm2_asymmetric;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.type = args->srk_type.type;
+ inPublic.publicArea.nameAlg = TPM_ALG_SHA256;
+ inPublic.publicArea.objectAttributes.restricted = 1;
+ inPublic.publicArea.objectAttributes.userWithAuth = 1;
+ inPublic.publicArea.objectAttributes.decrypt = 1;
@ -791,14 +743,14 @@ index 000000000..c6d41ea40
+ inPublic.publicArea.objectAttributes.sensitiveDataOrigin = 1;
+ inPublic.publicArea.objectAttributes.noDA = 1;
+
+ switch (args->tpm2_asymmetric)
+ switch (args->srk_type.type)
+ {
+ case TPM_ALG_RSA:
+ inPublic.publicArea.parameters.rsaDetail.symmetric.algorithm = TPM_ALG_AES;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.rsaDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.rsaDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.keyBits = args->srk_type.detail.rsa_bits;
+ inPublic.publicArea.parameters.rsaDetail.exponent = 0;
+ break;
+
@ -807,7 +759,7 @@ index 000000000..c6d41ea40
+ inPublic.publicArea.parameters.eccDetail.symmetric.keyBits.aes = 128;
+ inPublic.publicArea.parameters.eccDetail.symmetric.mode.aes = TPM_ALG_CFB;
+ inPublic.publicArea.parameters.eccDetail.scheme.scheme = TPM_ALG_NULL;
+ inPublic.publicArea.parameters.eccDetail.curveID = args->ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.curveID = args->srk_type.detail.ecc_curve;
+ inPublic.publicArea.parameters.eccDetail.kdf.scheme = TPM_ALG_NULL;
+ break;
+
@ -948,6 +900,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "type", sealed_key_oid, 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'type': 0x%u\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -956,6 +909,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "emptyAuth", "TRUE", 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'emptyAuth': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -964,6 +918,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "policy", "NEW", 1);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -972,6 +927,7 @@ index 000000000..c6d41ea40
+ sizeof (cmd_code));
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy CommandCode': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -979,6 +935,7 @@ index 000000000..c6d41ea40
+ pol_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'policy CommandPolicy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -987,6 +944,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "secret", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'secret': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -995,15 +953,48 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "authPolicy", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'authPolicy': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /* Use TPM_RH_OWNER as the default parent handle */
+ parent = grub_cpu_to_be32 (TPM_RH_OWNER);
+ /* Remove 'description' */
+ ret = asn1_write_value (tpm2key, "description", NULL, 0);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to remove 'description': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /*
+ * Use the SRK handle as the parent handle if specified
+ * Otherwise, Use TPM_RH_OWNER as the default parent handle
+ */
+ if (args->tpm2_srk != 0)
+ parent = grub_cpu_to_be32 (args->tpm2_srk);
+ else
+ parent = grub_cpu_to_be32 (TPM_RH_OWNER);
+ ret = asn1_write_value (tpm2key, "parent", &parent, sizeof (parent));
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'parent': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ /*
+ * Set 'rsaParent' to TRUE if the RSA SRK is specified and the SRK
+ * handle is not persistent. Otherwise, remove 'rsaParent'.
+ */
+ if (args->tpm2_srk == 0 && args->srk_type.type == TPM_ALG_RSA)
+ ret = asn1_write_value (tpm2key, "rsaParent", "TRUE", 1);
+ else
+ ret = asn1_write_value (tpm2key, "rsaParent", NULL, 0);
+
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'rsaParent': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1012,6 +1003,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "pubkey", pub_buf.data, pub_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'pubkey': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1020,6 +1012,7 @@ index 000000000..c6d41ea40
+ ret = asn1_write_value (tpm2key, "privkey", priv_buf.data, priv_buf.size);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, _("Failed to set 'privkey': 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1027,10 +1020,17 @@ index 000000000..c6d41ea40
+ /* Create the DER binary */
+ der_buf_size = 0;
+ ret = asn1_der_coding (tpm2key, "", NULL, &der_buf_size, NULL);
+ if (ret != ASN1_MEM_ERROR)
+ {
+ fprintf (stderr, _("Failed to get DER size: 0x%x\n"), ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
+
+ der_buf = grub_malloc (der_buf_size);
+ if (der_buf == NULL)
+ {
+ fprintf (stderr, _("Failed to allocate memory for DER encoding\n"));
+ err = GRUB_ERR_OUT_OF_MEMORY;
+ goto error;
+ }
@ -1038,6 +1038,7 @@ index 000000000..c6d41ea40
+ ret = asn1_der_coding (tpm2key, "", der_buf, &der_buf_size, NULL);
+ if (ret != ASN1_SUCCESS)
+ {
+ fprintf (stderr, "DER coding error: 0x%x\n", ret);
+ err = GRUB_ERR_BAD_ARGUMENT;
+ goto error;
+ }
@ -1082,14 +1083,11 @@ index 000000000..c6d41ea40
+grub_protect_tpm2_add (struct grub_protect_args *args)
+{
+ grub_err_t err;
+ grub_uint8_t *key;
+ grub_uint8_t *key = NULL;
+ grub_size_t key_size;
+ TPM_HANDLE srk;
+ TPM2B_DIGEST policy_digest;
+ TPM2_SEALED_KEY sealed_key;
+ char *grub_drive = NULL;
+
+ grub_protect_get_grub_drive_for_file (args->tpm2_outfile, &grub_drive);
+
+ err = grub_protect_tpm2_open_device (args->tpm2_device);
+ if (err != GRUB_ERR_NONE)
@ -1104,7 +1102,8 @@ index 000000000..c6d41ea40
+ fprintf (stderr,
+ _("Input key is too long, maximum allowed size is %u bytes.\n"),
+ TPM_MAX_SYM_DATA);
+ return GRUB_ERR_OUT_OF_RANGE;
+ err = GRUB_ERR_OUT_OF_RANGE;
+ goto exit2;
+ }
+
+ err = grub_protect_tpm2_get_srk (args, &srk);
@ -1127,19 +1126,6 @@ index 000000000..c6d41ea40
+ if (err != GRUB_ERR_NONE)
+ goto exit3;
+
+ if (grub_drive)
+ {
+ printf (_("GRUB drive for the sealed key file: %s\n"), grub_drive);
+ grub_free (grub_drive);
+ }
+ else
+ {
+ fprintf (stderr,
+ _("Warning: Could not determine GRUB drive for sealed key "
+ "file.\n"));
+ err = GRUB_ERR_NONE;
+ }
+
+exit3:
+ TPM2_FlushContext (srk);
+
@ -1254,10 +1240,10 @@ index 000000000..c6d41ea40
+ args->tpm2_pcr_count = 1;
+ }
+
+ if (args->tpm2_asymmetric == TPM_ALG_ERROR)
+ if (args->srk_type.type == TPM_ALG_ERROR)
+ {
+ args->tpm2_asymmetric = TPM_ALG_RSA;
+ args->rsa_bits = 2048;
+ args->srk_type.type = TPM_ALG_ECC;
+ args->srk_type.detail.ecc_curve = TPM_ECC_NIST_P256;
+ }
+
+ if (args->tpm2_bank == TPM_ALG_ERROR)
@ -1424,8 +1410,7 @@ index 000000000..c6d41ea40
+ return EINVAL;
+ }
+
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->tpm2_asymmetric,
+ &args->rsa_bits, &args->ecc_curve);
+ err = grub_tpm2_protector_parse_asymmetric (arg, &args->srk_type);
+ if (err != GRUB_ERR_NONE)
+ {
+ if (grub_errno != GRUB_ERR_NONE)
@ -1555,7 +1540,6 @@ index 000000000..c6d41ea40
+ grub_util_biosdisk_init (NULL);
+
+ grub_init_all ();
+ grub_gcry_init_all ();
+
+ grub_lvm_fini ();
+ grub_mdraid09_fini ();
@ -1570,7 +1554,6 @@ index 000000000..c6d41ea40
+static void
+grub_protect_fini (void)
+{
+ grub_gcry_fini_all ();
+ grub_fini_all ();
+ grub_util_biosdisk_fini ();
+}
@ -1615,6 +1598,3 @@ index 000000000..c6d41ea40
+
+ return err;
+}
--
2.35.3

45
0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
View File

@ -1,4 +1,4 @@
From 855b3e5cd4d672e961a366ff0f53e3a09a1ad0cc Mon Sep 17 00:00:00 2001
From 96e5a28d120856057fe7fc9b281f11f8933063b7 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 30 Jun 2023 14:37:41 +0800
Subject: [PATCH 7/9] grub-switch-to-blscfg: adapt to openSUSE
@ -12,17 +12,26 @@ A few tweaks to make it 'just works' for openSUSE:
- remove RHEL specific $GRUB_LINUX_MAKE_DEBUG and all related code
- remove ostree specific hack
- ignore increment.mod
- fix error in dash shell script
- fix kernel flavor parsing in openSUSE
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub-switch-to-blscfg.in | 144 ++++++++++++++++++++--------------
1 file changed, 87 insertions(+), 57 deletions(-)
util/grub-switch-to-blscfg.in | 156 ++++++++++++++++++++--------------
1 file changed, 94 insertions(+), 62 deletions(-)
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
index a851424be..66ecc0cae 100644
index a851424be..145c22add 100644
--- a/util/grub-switch-to-blscfg.in
+++ b/util/grub-switch-to-blscfg.in
@@ -34,21 +34,18 @@ fi
@@ -28,27 +28,24 @@ PACKAGE_NAME=@PACKAGE_NAME@
PACKAGE_VERSION=@PACKAGE_VERSION@
datarootdir="@datarootdir@"
datadir="@datadir@"
-if [ ! -v pkgdatadir ]; then
+if [ -z "${pkgdatadir+x}" ]; then
pkgdatadir="${datadir}/@PACKAGE@"
fi
self=`basename $0`
@ -162,7 +171,7 @@ index a851424be..66ecc0cae 100644
gettext_printf "Couldn't find config file\n" 1>&2
exit 1
fi
@@ -190,27 +252,22 @@ fi
@@ -190,27 +252,24 @@ fi
mkbls() {
local kernelver=$1 && shift
local datetime=$1 && shift
@ -173,15 +182,21 @@ index a851424be..66ecc0cae 100644
- local debugid=""
local flavor=""
if [ "$kernelver" == *\+* ] ; then
local flavor=-"${kernelver##*+}"
- if [ "$kernelver" == *\+* ] ; then
- local flavor=-"${kernelver##*+}"
- if [ "${flavor}" == "-debug" ]; then
- local debugname=" with debugging"
- local debugid="-debug"
- fi
fi
- fi
+ case "$kernelver" in
+ *-*-*)
+ flavor=-"${kernelver##*-}"
+ ;;
+ esac
(
source /etc/os-release
- source /etc/os-release
+ . /etc/os-release
cat <<EOF
-title ${NAME} (${kernelver}) ${VERSION}${debugname}
@ -189,13 +204,13 @@ index a851424be..66ecc0cae 100644
-linux /vmlinuz-${kernelver}
-initrd /initramfs-${kernelver}.img
+title ${NAME} (${kernelver}) ${VERSION}
+version ${kernelver}$
+version ${kernelver}
+linux ${prefix}/vmlinuz-${kernelver}
+initrd ${prefix}/initrd-${kernelver}
options ${kernelopts}
grub_users \$grub_users
grub_arg --unrestricted
@@ -233,42 +290,15 @@ copy_bls() {
@@ -233,42 +292,15 @@ copy_bls() {
continue
fi
@ -239,7 +254,7 @@ index a851424be..66ecc0cae 100644
GENERATE=0
if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
| grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
@@ -297,9 +327,7 @@ if [ "${GENERATE}" -eq 1 ] ; then
@@ -297,9 +329,7 @@ if [ "${GENERATE}" -eq 1 ] ; then
fi
if [ -n "${mod_dir}" ]; then
@ -250,7 +265,7 @@ index a851424be..66ecc0cae 100644
fi
cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
@@ -311,6 +339,8 @@ if [ "${GENERATE}" -eq 1 ] ; then
@@ -311,6 +341,8 @@ if [ "${GENERATE}" -eq 1 ] ; then
gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
exit 1
fi
@ -260,5 +275,5 @@ index a851424be..66ecc0cae 100644
# Bye.
--
2.44.0
2.45.2

196
0009-10_linux-Some-refinement-for-BLS.patch
View File

@ -1,4 +1,4 @@
From 72a72facc6cbaf58fda136286af78bbbd48bd88c Mon Sep 17 00:00:00 2001
From abd8b83cdc6398c52c7d2b71b378938cf51872fd Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Wed, 13 Mar 2024 15:26:42 +0800
Subject: [PATCH 9/9] 10_linux: Some refinement for BLS
@ -8,13 +8,16 @@ kernelopts assignment in the grub boot config itself to fully delegate
the responsibility of generating kernel options to a functioning BLS
generator.
Additionally, removing unused dead code, which is often blamed for
causing errors in the dash shell script.
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub.d/10_linux.in | 29 -----------------------------
1 file changed, 29 deletions(-)
util/grub.d/10_linux.in | 194 ----------------------------------------
1 file changed, 194 deletions(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index edf0fca55..7cbff7466 100644
index edf0fca55..666eae995 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -93,11 +93,7 @@ fi
@ -29,20 +32,138 @@ index edf0fca55..7cbff7466 100644
cat <<EOF
# This section was generated by a script. Do not modify the generated file - all changes
@@ -200,11 +196,6 @@ populate_menu()
printf "$menu"
@@ -110,102 +106,6 @@ cat <<EOF
EOF
}
-read_config()
-{
- config_file=${1}
- title=""
- initrd=""
- options=""
- linux=""
- grub_arg=""
-
- while read -r line
- do
- record=$(echo ${line} | cut -f 1 -d ' ')
- value=$(echo ${line} | cut -s -f2- -d ' ')
- case "${record}" in
- "title")
- title=${value}
- ;;
- "initrd")
- initrd=${value}
- ;;
- "linux")
- linux=${value}
- ;;
- "options")
- options=${value}
- ;;
- "grub_arg")
- grub_arg=${value}
- ;;
- esac
- done < ${config_file}
-}
-
-blsdir="/boot/loader/entries"
-
-get_sorted_bls()
-{
- if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
- return
- fi
-
- local IFS=$'\n'
-
- files=($(for bls in ${blsdir}/*.conf; do
- if ! [[ -e "${bls}" ]] ; then
- continue
- fi
- bls="${bls%.conf}"
- bls="${bls##*/}"
- echo "${bls}"
- done | ${kernel_sort} 2>/dev/null | tac)) || :
-
- echo "${files[@]}"
-}
-
-update_bls_cmdline()
-{
- local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
- local -a files=($(get_sorted_bls))
-
- for bls in "${files[@]}"; do
- local options="${cmdline}"
- if [ -z "${bls##*debug*}" ]; then
- options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
- fi
- options="$(echo "${options}" | sed -e 's/\//\\\//g')"
- sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
- done
-}
-
-populate_menu()
-{
- local -a files=($(get_sorted_bls))
-
- gettext_printf "Generating boot entries from BLS files...\n" >&2
-
- for bls in "${files[@]}"; do
- read_config "${blsdir}/${bls}.conf"
-
- menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
- menu="${menu}\t linux ${linux} ${options}\n"
- if [ -n "${initrd}" ] ; then
- menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
- fi
- menu="${menu}}\n\n"
- done
- # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
- printf "$menu"
-}
-
-# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
-# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
- GRUB_ENABLE_BLSCFG="true"
-fi
-
if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
if [ x$dirname = x/ ]; then
@@ -252,31 +243,11 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
if [ -z "${prepare_root_cache}" ]; then
@@ -225,111 +125,17 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
prepare_grub_to_access_device_with_variable boot ${boot_device}
fi
- arch="$(uname -m)"
- if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
-
- BLS_POPULATE_MENU="true"
- petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
-
- if test -e ${petitboot_path}; then
- read -r -d '' petitboot_version < ${petitboot_path}
- petitboot_version="$(echo ${petitboot_version//v})"
-
- if test -n ${petitboot_version}; then
- major_version="$(echo ${petitboot_version} | cut -d . -f1)"
- minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
-
- re='^[0-9]+$'
- if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
- ([[ ${major_version} -gt 1 ]] ||
- [[ ${major_version} -eq 1 &&
- ${minor_version} -ge 8 ]]); then
- BLS_POPULATE_MENU="false"
- fi
- fi
- fi
- fi
-
populate_header_warn
- cat << EOF
@ -69,10 +190,63 @@ index edf0fca55..7cbff7466 100644
insmod blscfg
blscfg
EOF
- fi
-
- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
- blsdir="/boot/loader/entries"
- [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
- if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
- blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
- if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
- ${grub_editenv} - set blsdir="${blsdir}"
- fi
- fi
-
- if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
- ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
- fi
-
- if [ -n "${GRUB_DEFAULT_DTB}" ]; then
- ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
- fi
-
- if [ -n "${GRUB_SAVEDEFAULT}" ]; then
- ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
- fi
- fi
if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
blsdir="/boot/loader/entries"
exit 0
fi
-mktitle ()
-{
- local title_type
- local version
- local OS_NAME
- local OS_VERS
-
- title_type=$1 && shift
- version=$1 && shift
-
- OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
- OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
-
- case $title_type in
- recovery)
- title=$(printf '%s (%s) %s (recovery mode)' \
- "${OS_NAME}" "${version}" "${OS_VERS}")
- ;;
- *)
- title=$(printf '%s (%s) %s' \
- "${OS_NAME}" "${version}" "${OS_VERS}")
- ;;
- esac
- echo -n ${title}
-}
-
title_correction_code=
hotkey=1
--
2.44.0
2.45.2

88
20_memtest86+
View File

@ -1,88 +0,0 @@
#! /bin/sh
set -e
# grub-mkconfig helper script.
# Copyright (C) 2011 Michal Ambroz <rebus@seznam.cz>
# Adapted for openSUSE by Andrey Borzenkov <arvidjaar@gmail.com>
# Adapted for EFI by Hans-Peter Jansen <hpj@urpla.net>
#
# you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with the script. If not, see <http://www.gnu.org/licenses/>.
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
# This file is deprecated, it is going to be removed soon
# and it's functionality has been disabled.
# The package memtest86+ is going to provide a similar file.
# Until that happens, you can reenable this file by
# adding to it the execute permission.
# WARNING WARNING WARNING WARNING WARNING WARNING WARNING
. "$pkgdatadir/grub-mkconfig_lib"
export TEXTDOMAIN=grub2
export TEXTDOMAINDIR=/usr/share/locale
CLASS="--class memtest86 --class gnu --class tools"
if [ "x${GRUB_DISTRIBUTOR}" = "x" ] ; then
OS=Memtest
else
OS="${GRUB_DISTRIBUTOR} Memtest"
CLASS="--class $(echo ${GRUB_DISTRIBUTOR} | tr 'A-Z' 'a-z' | cut -d' ' -f1) ${CLASS}"
fi
# memtest86+ comes in two flavours, one EFI and one suitable for x86 real mode.
# The EFI module requires security disabled in BIOS (Boot Mode: Other OS)
if [ -d /sys/firmware/efi ]; then
if [ -f /boot/efi/EFI/memtest86/memtest.efi ]; then
memtest=/boot/efi/EFI/memtest86/memtest.efi
elif [ -f /usr/lib/memtest86+/memtest.efi ]; then
memtest=/usr/lib/memtest86+/memtest.efi
else
#memtest.efi not found
exit 0
fi
loader='linux '
message="$(gettext_printf "Loading EFI memtest ...\n" | grub_quote)"
else
if [ -f /boot/memtest.bin ]; then
memtest=/boot/memtest.bin
elif [ -f /usr/lib/memtest86+/memtest.bin ]; then
memtest=/usr/lib/memtest86+/memtest.bin
else
#memtest.bin not found
exit 0
fi
loader='linux16'
message="$(gettext_printf "Loading x86 memtest ...\n" | grub_quote)"
fi
# locate the real partition
GRUB_DEVICE_BOOT=$(grub2-probe -t device "$memtest")
if grub_file_is_not_garbage "$memtest" ; then
gettext_printf "Found memtest image: %s\n" "$memtest" >&2
basename=`basename $memtest`
dirname=`dirname $memtest`
rel_dirname=`make_system_path_relative_to_its_root $dirname`
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE_BOOT}")"
printf "menuentry '%s' %s \$menuentry_id_option '%s' {\n" "${OS}" "${CLASS}" "memtest-$boot_device_id"
prepare_boot_cache="$(prepare_grub_to_access_device ${GRUB_DEVICE_BOOT} | sed -e "s/^/\t/")"
printf '%s\n' "${prepare_boot_cache}"
cat << EOF
echo '$message'
${loader} ${rel_dirname}/${basename}
}
EOF
fi

35
grub2-bsc1220338-key_protector-implement-the-blocklist.patch
View File

@ -1,4 +1,4 @@
From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 18 Mar 2024 14:53:11 +0800
Subject: [PATCH] key_protector: implement the blocklist
@ -11,17 +11,17 @@ action for the key recovery.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++
include/grub/efi/api.h | 5 +++++
grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
include/grub/efi/api.h | 5 +++++
2 files changed, 36 insertions(+)
Index: grub-2.12/grub-core/kern/protectors.c
===================================================================
--- grub-2.12.orig/grub-core/kern/protectors.c
+++ grub-2.12/grub-core/kern/protectors.c
@@ -21,6 +21,10 @@
#include <grub/mm.h>
#include <grub/protector.h>
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
index b84afe1c7..3d630ca4f 100644
--- a/grub-core/disk/key_protector.c
+++ b/grub-core/disk/key_protector.c
@@ -24,6 +24,10 @@
GRUB_MOD_LICENSE ("GPLv3+");
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
@ -30,7 +30,7 @@ Index: grub-2.12/grub-core/kern/protectors.c
struct grub_key_protector *grub_key_protectors = NULL;
grub_err_t
@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
return GRUB_ERR_NONE;
}
@ -65,7 +65,7 @@ Index: grub-2.12/grub-core/kern/protectors.c
if (grub_key_protectors == NULL)
return GRUB_ERR_OUT_OF_RANGE;
@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
"Is the name spelled correctly and is the "
"corresponding module loaded?"), protector);
@ -75,10 +75,10 @@ Index: grub-2.12/grub-core/kern/protectors.c
+
return kp->recover_key (key, key_size);
}
Index: grub-2.12/include/grub/efi/api.h
===================================================================
--- grub-2.12.orig/include/grub/efi/api.h
+++ grub-2.12/include/grub/efi/api.h
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 7947cf592..975b90b09 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
@@ -389,6 +389,11 @@
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
}
@ -91,3 +91,6 @@ Index: grub-2.12/include/grub/efi/api.h
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
--
2.35.3

50
grub2-btrfs-06-subvol-mount.patch
View File

@ -7,6 +7,10 @@ v3:
* Fix executable stack on which function trampoline is constructed to support
closure (nested function). The closure sematic is replaced.
v4:
* Fix btrfs subvolume for platform modules not mounting at runtime when the
default subvolume is the topmost root tree (bsc#1228124)
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -44,6 +44,7 @@
@ -57,7 +61,7 @@ v3:
if (err)
return grub_error(GRUB_ERR_FILE_NOT_FOUND, "couldn't locate %s\n", path);
@@ -2321,11 +2345,20 @@
@@ -2323,11 +2347,20 @@
grub_uint64_t tree;
grub_uint8_t type;
grub_size_t est_size = 0;
@ -79,7 +83,7 @@ v3:
if (err)
{
grub_btrfs_unmount (data);
@@ -2452,11 +2485,21 @@
@@ -2454,11 +2487,21 @@
struct grub_btrfs_inode inode;
grub_uint8_t type;
struct grub_btrfs_key key_in;
@ -102,7 +106,7 @@ v3:
if (err)
{
grub_btrfs_unmount (data);
@@ -2691,6 +2734,150 @@
@@ -2693,6 +2736,150 @@
return 0;
}
@ -253,7 +257,7 @@ v3:
static grub_err_t
get_fs_root(struct grub_btrfs_data *data, grub_uint64_t tree,
grub_uint64_t objectid, grub_uint64_t offset,
@@ -2903,6 +3090,7 @@
@@ -2905,6 +3092,7 @@
};
static grub_command_t cmd_info;
@ -261,7 +265,7 @@ v3:
static grub_extcmd_t cmd_list_subvols;
static char *
@@ -2966,6 +3154,9 @@
@@ -2968,6 +3156,9 @@
cmd_info = grub_register_command("btrfs-info", grub_cmd_btrfs_info,
"DEVICE",
"Print BtrFS info about DEVICE.");
@ -288,18 +292,22 @@ v3:
struct btrfs_ioctl_search_args {
struct btrfs_ioctl_search_key key;
grub_uint64_t buf[(4096 - sizeof(struct btrfs_ioctl_search_key))
@@ -375,6 +383,109 @@
@@ -375,6 +383,117 @@
int use_relative_path_on_btrfs = 0;
+static char *
+get_btrfs_subvol (const char *path)
+get_btrfs_subvol (const char *path, grub_uint64_t *subvolid)
+{
+ struct btrfs_ioctl_ino_lookup_args args;
+ grub_uint64_t tree_id;
+ grub_uint64_t ret_id;
+ int fd = -1;
+ char *ret = NULL;
+
+ if (subvolid)
+ *subvolid = 0;
+
+ fd = open (path, O_RDONLY);
+
+ if (fd < 0)
@ -312,6 +320,7 @@ v3:
+ goto error;
+
+ tree_id = args.treeid;
+ ret_id = args.treeid;
+
+ while (tree_id != GRUB_BTRFS_ROOT_VOL_OBJECTID)
+ {
@ -380,6 +389,9 @@ v3:
+ }
+ }
+
+ if (subvolid)
+ *subvolid = ret_id;
+
+ close (fd);
+ return ret;
+
@ -398,7 +410,7 @@ v3:
char **
grub_find_root_devices_from_mountinfo (const char *dir, char **relroot)
{
@@ -516,12 +627,17 @@
@@ -516,12 +635,17 @@
else if (grub_strcmp (entries[i].fstype, "btrfs") == 0)
{
ret = grub_find_root_devices_from_btrfs (dir);
@ -419,13 +431,13 @@ v3:
}
}
else if (!retry && grub_strcmp (entries[i].fstype, "autofs") == 0)
@@ -1202,6 +1318,24 @@
@@ -1202,6 +1326,24 @@
return grub_dev;
}
+
+char *
+grub_util_get_btrfs_subvol (const char *path, char **mount_path)
+grub_util_get_btrfs_subvol (const char *path, char **mount_path, grub_uint64_t *subvolid)
+{
+ if (mount_path)
+ *mount_path = NULL;
@ -438,7 +450,7 @@ v3:
+ if (mount_path)
+ *mount_path = grub_strdup (grub_btrfs_mount_path);
+
+ return get_btrfs_subvol (grub_btrfs_mount_path);
+ return get_btrfs_subvol (grub_btrfs_mount_path, subvolid);
+}
+
char *
@ -446,7 +458,7 @@ v3:
{
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1645,6 +1645,58 @@
@@ -1646,6 +1646,58 @@
prefix_drive = xasprintf ("(%s)", grub_drives[0]);
}
@ -457,6 +469,7 @@ v3:
+ {
+ char *subvol = NULL;
+ char *mount_path = NULL;
+ grub_uint64_t subvolid = 0;
+ char **rootdir_devices = NULL;
+ char *t = grub_util_path_concat (2, "/", rootdir);
+ char *rootdir_path = grub_canonicalize_file_name (t);
@ -466,15 +479,15 @@ v3:
+
+ if (rootdir_devices && rootdir_devices[0])
+ if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid);
+
+ if (subvol && mount_path)
+ {
+ char *def_subvol;
+ grub_uint64_t def_subvolid = 0;
+
+ def_subvol = grub_util_get_btrfs_subvol (rootdir_path, NULL);
+ grub_free (grub_util_get_btrfs_subvol (rootdir_path, NULL, &def_subvolid));
+
+ if (def_subvol)
+ if (def_subvolid)
+ {
+ char *rootdir_mount_path = NULL;
+ if (!load_cfg_f)
@ -484,10 +497,9 @@ v3:
+ if (grub_strncmp (rootdir_path, mount_path, grub_strlen (rootdir_path)) == 0)
+ rootdir_mount_path = grub_util_path_concat (2, "/", mount_path + grub_strlen (rootdir_path));
+
+ if (grub_strcmp (subvol, def_subvol) != 0 && rootdir_mount_path)
+ if (subvolid != def_subvolid && rootdir_mount_path)
+ fprintf (load_cfg_f, "btrfs-mount-subvol ($root) %s %s\n", rootdir_mount_path, subvol);
+ free (rootdir_mount_path);
+ free (def_subvol);
+ }
+ }
+
@ -513,7 +525,7 @@ v3:
+#ifdef __linux__
+char *
+grub_util_get_btrfs_subvol (const char *path, char **mount_path);
+grub_util_get_btrfs_subvol (const char *path, char **mount_path, grub_uint64_t *subvolid);
+#endif
+
/* Devmapper functions provided by getroot_devmapper.c. */

7
grub2-fix-menu-in-xen-host-server.patch
View File

@ -21,6 +21,11 @@ Create only hypervisor pointed by /boot/xen.gz symlink to not clutter
the menu with multiple versions and also not include -dbg. Use custom.cfg
if you need any other custom entries.
v3:
References: bsc#1224226
Fix the error in /etc/grub.d/20_linux_xen where file_is_not_sym was not
found, as it has been renamed to file_is_not_xen_garbage.
---
util/grub-mkconfig_lib.in | 5 +++++
util/grub.d/10_linux.in | 12 ++++++++++--
@ -59,7 +64,7 @@ if you need any other custom entries.
+ # wildcard expasion with correct suffix (.gz) for not generating many duplicated menu entries
+ xen_list=
+ for i in /boot/xen*.gz; do
+ if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then xen_list="$xen_list $i" ; fi
+ if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then xen_list="$xen_list $i" ; fi
+ done
+fi
prepare_boot_cache=

33
grub2-grubenv-in-btrfs-header.patch
View File

@ -9,6 +9,17 @@ v3:
* Use xcalloc for overflow check and return NULL when it would
occur.
v4:
* Fix gcc error with CFLAGS=-Og
../util/grub-editenv.c: In function read_envblk_fs:
../util/grub-editenv.c:172:14: error: sz may be used uninitialized [-Werror=maybe-uninitialized]
172 | sz <<= GRUB_DISK_SECTOR_BITS;
../util/grub-editenv.c:155:16: note: sz was declared here
155 | int off, sz;
| ^~
cc1: all warnings being treated as errors
---
--- a/grub-core/kern/fs.c
+++ b/grub-core/kern/fs.c
@ -49,7 +60,7 @@ v3:
#include <stdio.h>
#include <unistd.h>
@@ -120,6 +123,140 @@
@@ -120,6 +123,142 @@
NULL, help_filter, NULL
};
@ -88,6 +99,8 @@ v3:
+ off = strtol (value, &p, 10);
+ if (*p == '+')
+ sz = strtol (p+1, &p, 10);
+ else
+ return 0;
+
+ if (*p == '\0')
+ {
@ -190,7 +203,7 @@ v3:
static grub_envblk_t
open_envblk_file (const char *name)
{
@@ -182,10 +319,17 @@
@@ -182,10 +321,17 @@
list_variables (const char *name)
{
grub_envblk_t envblk;
@ -208,7 +221,7 @@ v3:
}
static void
@@ -209,6 +353,38 @@
@@ -209,6 +355,38 @@
}
static void
@ -247,7 +260,7 @@ v3:
set_variables (const char *name, int argc, char *argv[])
{
grub_envblk_t envblk;
@@ -224,8 +400,27 @@
@@ -224,8 +402,27 @@
*(p++) = 0;
@ -277,7 +290,7 @@ v3:
argc--;
argv++;
@@ -233,26 +428,158 @@
@@ -233,26 +430,158 @@
write_envblk (name, envblk);
grub_envblk_close (envblk);
@ -315,8 +328,8 @@ v3:
+ write_envblk_fs (envblk_fs);
+ grub_envblk_close (envblk_fs);
+ }
+}
+
}
+int have_abstraction = 0;
+static void
+probe_abstraction (grub_disk_t disk)
@ -329,8 +342,8 @@ v3:
+ {
+ have_abstraction = 1;
+ }
}
+}
+
+static fs_envblk_t
+probe_fs_envblk (fs_envblk_spec_t spec)
+{
@ -436,7 +449,7 @@ v3:
int
main (int argc, char *argv[])
{
@@ -284,6 +611,9 @@
@@ -284,6 +613,9 @@
command = argv[curindex++];
}

8
grub2-pass-corret-root-for-nfsroot.patch
View File

@ -13,6 +13,7 @@ grub2-probe not work in probing nfs mounted path. The fix is merely
on the script level and not use grub2-probe for above reasons.
v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094)
v3: Fix the wrong order of GRUB_FS/GRUB_DEVICE (bsc#1221904)
---
util/grub-mkconfig.in | 37 ++++++++++++++++++++++++++++++-------
@ -20,7 +21,7 @@ v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094)
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -131,26 +131,54 @@
@@ -131,26 +131,55 @@
exit 1
fi
@ -65,16 +66,17 @@ v2: Filter out autofs and securityfs from /proc/self/mountinfo (bsc#1069094)
+ GRUB_DEVICE_PARTUUID=""
+ GRUB_FS="unknown"
+else
+ # Device containing our userland. Typically used for root= parameter.
+ GRUB_DEVICE="`${grub_probe} --target=device /`"
+ # Filesystem for the device containing our userland. Used for stuff like
+ # choosing Hurd filesystem module.
+ GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"
+ # Device containing our userland. Typically used for root= parameter.
+ GRUB_DEVICE="`${grub_probe} --target=device /`"
+ GRUB_DEVICE_UUID="`${grub_probe} --device ${GRUB_DEVICE} --target=fs_uuid 2> /dev/null`" || true
+ GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2> /dev/null`" || true
+fi
-if [ x"$GRUB_FS" = xunknown ]; then
+# Strive to circumvent grub to enable unsupported filesystem, for eg, nfsroot
+if [ x"$GRUB_FS" = x ] || [ x"$GRUB_FS" = xunknown ]; then
GRUB_FS="$(stat -f -c %T / || echo unknown)"
fi

52
grub2-s390x-set-hostonly.patch Normal file
View File

@ -0,0 +1,52 @@
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
index f4f997100..46b902209 100644
--- a/util/s390x/zipl2grub.pl.in
+++ b/util/s390x/zipl2grub.pl.in
@@ -15,6 +15,7 @@ my $zipldir = "";
my $running = "";
my $refresh = 1; # needs to default to "on" until most bugs are shaken out!
my $force = 0;
+my $hostonly = 1;
my $verbose = 0;
my $debug = 0;
my $miss = 0;
@@ -114,8 +115,13 @@ sub BootCopy($$$$) {
}
sub MkInitrd($$$) {
my( $initrd, $dir, $version) = @_;
- my @C = ( "dracut", "--hostonly", "--force");
+ my @C = ( "dracut", "--force");
my $uuid;
+ if ($hostonly) {
+ push @C, "--hostonly";
+ } else {
+ push @C, "--no-hostonly";
+ }
push @C, "--quiet" unless ($verbose > 1);
if ( exists( $fsdev{"/boot"}) ) {
chomp( $uuid = qx{grub2-probe --target=fs_uuid /boot});
@@ -368,6 +374,24 @@ foreach ("GRUB_EMU_CONMODE", "GRUB_CONMODE") {
$C{$_} = "conmode=" . $C{$_};
}
+if ( !exists( $C{SUSE_S390_DRACUT_HOSTONLY}) || $C{SUSE_S390_DRACUT_HOSTONLY} eq "auto" ) {
+ # Auto-detection mode
+ #
+ # Check if the root block device of the root partition is a loop device.
+ # If yes, it is the image building system, e.g. kiwi. Then, set 'hostonly' to 0.
+ my ( $dev, $lsblk );
+
+ chomp( $dev = qx{grub2-probe -t device /});
+ if ($dev) {
+ chomp( $lsblk = qx{lsblk -snrp -o NAME $dev});
+ $hostonly = 0 if ( $lsblk =~ m{\/loop} );
+ }
+} elsif ( $C{SUSE_S390_DRACUT_HOSTONLY} =~ m{^(no|false|0)$} ) {
+ $hostonly = 0;
+} else {
+ $hostonly = 1;
+}
+
if ( $debug && $verbose > 2 ) {
foreach ( sort( keys( %C)) ) {
printf( "%s=\"%s\"\n", $_, $C{$_});

6
grub2-xen-pv-firmware.cfg
View File

@ -69,6 +69,9 @@ for c in ${hdcfg_list}; do
btrfs_relative_path=1
if search -s hddev -f "${c}"; then
btrfs_relative_path=0
if [ "${hddev}" = "memdisk" ]; then
break
fi
menuentry "${hddev} Boot From Hard Disk (${c})" "${hddev}" "${c}" {
set root="${2}"
set cfg="${3}"
@ -88,6 +91,9 @@ for c in ${hdlst_list}; do
btrfs_relative_path=1
if search -s hddev -f "${c}"; then
btrfs_relative_path=0
if [ "${hddev}" = "memdisk" ]; then
break
fi
menuentry "${hddev} Boot From Hard Disk (${c})" "${hddev}" "${c}" {
set root="${2}"
set cfg="${3}"

135
grub2.changes
View File

@ -1,12 +1,38 @@
-------------------------------------------------------------------
Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
Fri Aug 2 08:44:40 UTC 2024 - Michael Chang <mchang@suse.com>
- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch
to implement a blocklist in the key protector and check the
unwanted UEFI variables (bsc#1220338)
- Fix btrfs subvolume for platform modules not mounting at runtime when the
default subvolume is the topmost root tree (bsc#1228124)
* grub2-btrfs-06-subvol-mount.patch
- Rediff
* 0001-Unify-the-check-to-enable-btrfs-relative-path.patch
-------------------------------------------------------------------
Tue Mar 5 06:53:25 UTC 2024 - Michael Chang <mchang@suse.com>
Fri Aug 2 02:22:21 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Switch to '--no-hostonly' when creating the ZIPL initrd in the
KIWI build environment to avoid some potential issues due to the
missing modules
* grub2-s390x-set-hostonly.patch
-------------------------------------------------------------------
Fri Jul 19 09:59:15 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix error in grub-install when root is on tmpfs (bsc#1226100)
* 0001-grub-install-bailout-root-device-probing.patch
- Fix incorrect Platform tag in rpm header (bsc#1217967)
-------------------------------------------------------------------
Fri Jul 5 12:23:06 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix error if dash shell script is used (bsc#1226453)
* 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
* 0009-10_linux-Some-refinement-for-BLS.patch
- Fix input handling in ppc64le grub2 has high latency (bsc#1223535)
* 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
-------------------------------------------------------------------
Fri Jun 7 02:13:08 UTC 2024 - Michael Chang <mchang@suse.com>
- Add blscfg support
* 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
@ -19,6 +45,105 @@ Tue Mar 5 06:53:25 UTC 2024 - Michael Chang <mchang@suse.com>
* 0008-blscfg-reading-bls-fragments-if-boot-present.patch
* 0009-10_linux-Some-refinement-for-BLS.patch
-------------------------------------------------------------------
Mon May 20 07:22:09 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Only enable grub-protect for EFI systems
* 0001-util-enable-grub-protect-only-for-EFI-systems.patch
-------------------------------------------------------------------
Wed May 15 06:19:54 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Update to the latest upstreaming TPM2 patches
* 0001-key_protector-Add-key-protectors-framework.patch
- Replace 0001-protectors-Add-key-protectors-framework.patch
* 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
- Merge other TSS patches
* 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
* 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
* 0003-tpm2-Implement-more-TPM2-commands.patch
* 0003-key_protector-Add-TPM2-Key-Protector.patch
- Replace 0003-protectors-Add-TPM2-Key-Protector.patch
* 0004-cryptodisk-Support-key-protectors.patch
* 0005-util-grub-protect-Add-new-tool.patch
* 0001-tpm2-Support-authorized-policy.patch
- Replace 0004-tpm2-Support-authorized-policy.patch
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
* 0001-tpm2-Implement-NV-index.patch
- Replace 0001-protectors-Implement-NV-index.patch
* 0002-cryptodisk-Fallback-to-passphrase.patch
* 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
* 0004-diskfilter-look-up-cryptodisk-devices-first.patch
- Refresh affected patches
* 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
* grub2-bsc1220338-key_protector-implement-the-blocklist.patch
- New manpage for grub2-protect
-------------------------------------------------------------------
Wed May 15 00:46:14 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix error in /etc/grub.d/20_linux_xen: file_is_not_sym not found, renamed to
file_is_not_xen_garbage (bsc#1224226)
* grub2-fix-menu-in-xen-host-server.patch
-------------------------------------------------------------------
Thu May 2 07:48:30 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix gcc error with CFLAGS=-Og
* grub2-grubenv-in-btrfs-header.patch
-------------------------------------------------------------------
Fri Apr 19 21:50:53 UTC 2024 - Giacomo Comes <gcomes.obs@gmail.com>
- remove deprecated file 20_memtest86+
* a similar file is provided by the package memtest86+
-------------------------------------------------------------------
Thu Apr 11 02:55:05 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Fix the compatibility issue with bash-completion 2.12
(bsc#1221849)
* 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
-------------------------------------------------------------------
Fri Mar 29 01:58:00 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix os name is used for root file system mount (bsc#1220949)
* 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
-------------------------------------------------------------------
Wed Mar 27 04:51:33 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix LPAR falls into grub shell after installation with lvm (bsc#1221866)
* 0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch
-------------------------------------------------------------------
Mon Mar 25 02:20:38 UTC 2024 - Michael Chang <mchang@suse.com>
- Correct the erroneous sequence in determining GRUB_FS and GRUB_DEVICE
(bsc#1221904)
* grub2-pass-corret-root-for-nfsroot.patch
-------------------------------------------------------------------
Fri Mar 22 06:01:13 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix memdisk becomes the default boot entry, resolving no graphic display
device error in guest vnc console (bsc#1221779)
* grub2-xen-pv-firmware.cfg
-------------------------------------------------------------------
Wed Mar 20 06:16:45 UTC 2024 - Michael Chang <mchang@suse.com>
- Cleanup spec file to adhere to update-bootloader-rpm-macros definition
entirely (bsc#1218241)
-------------------------------------------------------------------
Tue Mar 19 07:08:02 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Add grub2-bsc1220338-key_protector-implement-the-blocklist.patch
to implement a blocklist in the key protector and check the
unwanted UEFI variables (bsc#1220338)
-------------------------------------------------------------------
Mon Mar 4 08:57:36 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>

185
grub2.spec
View File

@ -177,7 +177,6 @@ Source1: 90_persistent
Source2: grub.default
Source4: grub2.rpmlintrc
Source6: grub2-once
Source7: 20_memtest86+
Source8: README.ibm3215
Source10: openSUSE-UEFI-CA-Certificate.crt
Source11: SLES-UEFI-CA-Certificate.crt
@ -339,9 +338,9 @@ Patch146: 0001-install-fix-software-raid1-on-esp.patch
Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
Patch150: 0001-protectors-Add-key-protectors-framework.patch
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
Patch152: 0003-protectors-Add-TPM2-Key-Protector.patch
Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch
Patch153: 0004-cryptodisk-Support-key-protectors.patch
Patch154: 0005-util-grub-protect-Add-new-tool.patch
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
@ -359,10 +358,8 @@ Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
Patch167: grub2-increase-crypttab-path-buffer.patch
Patch168: 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
Patch169: 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
Patch170: 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
Patch171: 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
Patch172: 0003-tpm2-Implement-more-TPM2-commands.patch
Patch173: 0004-tpm2-Support-authorized-policy.patch
Patch170: 0001-tpm2-Support-authorized-policy.patch
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
Patch176: 0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
@ -373,7 +370,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
Patch183: grub2-change-bash-completion-dir.patch
Patch184: 0001-protectors-Implement-NV-index.patch
Patch184: 0001-tpm2-Implement-NV-index.patch
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
@ -393,16 +390,22 @@ Patch199: 0001-squash-ieee1275-ofpath-enable-NVMeoF-logical-device-.patch
Patch200: 0001-ofdisk-enhance-boot-time-by-focusing-on-boot-disk-re.patch
Patch201: 0002-ofdisk-add-early_log-support.patch
Patch202: 0001-disk-Optimize-disk-iteration-by-moving-memdisk-to-th.patch
Patch203: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
Patch204: 0002-Add-BLS-support-to-grub-mkconfig.patch
Patch205: 0003-Add-grub2-switch-to-blscfg.patch
Patch206: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
Patch207: 0005-blscfg-check-for-mounted-boot-in-emu.patch
Patch208: 0006-Follow-the-device-where-blscfg-is-discovered.patch
Patch209: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
Patch210: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
Patch211: 0009-10_linux-Some-refinement-for-BLS.patch
Patch212: grub2-bsc1220338-key_protector-implement-the-blocklist.patch
Patch203: grub2-bsc1220338-key_protector-implement-the-blocklist.patch
Patch204: 0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch
Patch205: 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch
Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
Patch209: 0002-Add-BLS-support-to-grub-mkconfig.patch
Patch210: 0003-Add-grub2-switch-to-blscfg.patch
Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch
Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch
Patch214: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
Patch215: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
Patch216: 0009-10_linux-Some-refinement-for-BLS.patch
Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
Patch218: grub2-s390x-set-hostonly.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
@ -466,12 +469,7 @@ BuildArch: noarch
%endif
Requires: %{name} = %{version}
Requires(post): %{name} = %{version}
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires: perl-Bootloader
Requires(post): perl-Bootloader
%endif
%{?update_bootloader_requires}
%description %{grubarch}
The GRand Unified Bootloader (GRUB) is a highly configurable and customizable
@ -520,12 +518,7 @@ Requires: efibootmgr
Requires(post): efibootmgr
Requires: %{name} = %{version}
Requires(post): %{name} = %{version}
%if 0%{?update_bootloader_requires:1}
%update_bootloader_requires
%else
Requires: perl-Bootloader >= 0.706
Requires(post): perl-Bootloader >= 0.706
%endif
%{?update_bootloader_requires}
%{?fde_tpm_update_requires}
Provides: %{name}-efi = %{version}-%{release}
Obsoletes: %{name}-efi < %{version}-%{release}
@ -793,12 +786,6 @@ cd ..
%if ! 0%{?only_efi:1}
cd build
# 64-bit x86-64 machines use 32-bit boot loader
# (We cannot just redefine _target_cpu, as we'd get i386.rpm packages then)
%ifarch x86_64
%define _target_platform i386-%{_vendor}-%{_target_os}%{?_gnu}
%endif
%if "%{platform}" != "emu"
%define arch_specific --enable-device-mapper
TLFLAGS="-static"
@ -1025,9 +1012,6 @@ find %{buildroot}/%{_datadir}/%{name} \
# Script that makes part of grub.cfg persist across updates
install -m 755 %{SOURCE1} %{buildroot}/%{_sysconfdir}/grub.d/
# Script to generate memtest86+ menu entry
install -m 644 %{SOURCE7} %{buildroot}/%{_sysconfdir}/grub.d/
# Ghost config file
install -d %{buildroot}/boot/%{name}
touch %{buildroot}/boot/%{name}/grub.cfg
@ -1053,10 +1037,6 @@ install -m 755 -D %{SOURCE19} %{buildroot}/%{_libexecdir}/grub2-instdev-fixup.pl
%endif
R="%{buildroot}"
%ifarch %{ix86} x86_64
%else
rm -f $R%{_sysconfdir}/grub.d/20_memtest86+
%endif
%ifarch ppc ppc64 ppc64le
rm -f $R%{_sysconfdir}/grub.d/95_textmode
@ -1130,51 +1110,7 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%if ! 0%{?only_efi:1}
%post %{grubarch}
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2
%else
# To check by current loader settings
if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then
. %{_sysconfdir}/sysconfig/bootloader
fi
# If the grub is the current loader, we'll handle the grub2 testing entry
if [ "x${LOADER_TYPE}" = "xgrub" ]; then
exec >/dev/null 2>&1
# check if entry for grub2's core.img exists in the config
# if yes, we will correct obsoleted path and update grub2 stuff and config to make it work
# if no, do nothing
if [ -f /boot/grub/menu.lst ]; then
# If grub config contains obsolete core.img path, remove and use the new one
if /usr/bin/grep -l "^\s*kernel\s*.*/boot/%{name}/core.img" /boot/grub/menu.lst; then
/sbin/update-bootloader --remove --image /boot/%{name}/core.img || true
/sbin/update-bootloader --add --image /boot/%{name}/i386-pc/core.img --name "GNU GRUB 2" || true
fi
# Install grub2 stuff and config to make the grub2 testing entry to work with updated version
if /usr/bin/grep -l "^\s*kernel\s*.*/boot/%{name}/i386-pc/core.img" /boot/grub/menu.lst; then
# Determine the partition with /boot
BOOT_PARTITION=$(df -h /boot | sed -n '2s/[[:blank:]].*//p')
# Generate core.img, but don't let it be installed in boot sector
%{name}-install --no-bootsector $BOOT_PARTITION || true
# Create a working grub2 config, otherwise that entry is un-bootable
/usr/sbin/grub2-mkconfig -o /boot/%{name}/grub.cfg
fi
fi
elif [ "x${LOADER_TYPE}" = "xgrub2" ]; then
# It's enought to call update-bootloader to install grub2 and update it's config
# Use new --reinit, if not available use --refresh
# --reinit: install and update bootloader config
# --refresh: update bootloader config
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
/sbin/update-bootloader --refresh || true
fi
%endif
%{?update_bootloader_check_type_reinit_post:%update_bootloader_check_type_reinit_post grub2}
%posttrans %{grubarch}
%{?update_bootloader_posttrans}
@ -1188,38 +1124,7 @@ fi
%fde_tpm_update_post grub2-efi
%endif
%if 0%{?update_bootloader_check_type_reinit_post:1}
%update_bootloader_check_type_reinit_post grub2-efi
%else
# To check by current loader settings
if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then
. %{_sysconfdir}/sysconfig/bootloader
fi
if [ "x${LOADER_TYPE}" = "xgrub2-efi" ]; then
if [ -d /boot/%{name}-efi ]; then
# Migrate settings to standard prefix /boot/grub2
for i in custom.cfg grubenv; do
[ -f /boot/%{name}-efi/$i ] && cp -a /boot/%{name}-efi/$i /boot/%{name} || :
done
fi
# It's enough to call update-bootloader to install grub2 and update it's config
# Use new --reinit, if not available use --refresh
# --reinit: install and update bootloader config
# --refresh: update bootloader config
/sbin/update-bootloader --reinit 2>&1 | grep -q 'Unknown option: reinit' &&
/sbin/update-bootloader --refresh || true
fi
if [ -d /boot/%{name}-efi ]; then
mv /boot/%{name}-efi /boot/%{name}-efi.rpmsave
fi
exit 0
%endif
%{?update_bootloader_check_type_reinit_post:%update_bootloader_check_type_reinit_post grub2-efi}
%posttrans %{grubefiarch}
%{?update_bootloader_posttrans}
@ -1229,40 +1134,6 @@ exit 0
%preun
%service_del_preun grub2-once.service
# We did not add core.img to grub1 menu.lst in new update-bootloader macro as what
# the old %%post ever did, then the %%preun counterpart which removed the added core.img
# entry from old %%post can be skipped entirely if having new macro in use.
%if ! 0%{?update_bootloader_posttrans:1}%{?only_efi:1}
if [ $1 = 0 ]; then
# To check by current loader settings
if [ -f %{_sysconfdir}/sysconfig/bootloader ]; then
. %{_sysconfdir}/sysconfig/bootloader
fi
if [ "x${LOADER_TYPE}" = "xgrub" ]; then
exec >/dev/null 2>&1
if [ -f /boot/grub/menu.lst ]; then
# Remove grub2 testing entry in menu.lst if has any
for i in /boot/%{name}/core.img /boot/%{name}/i386-pc/core.img; do
if /usr/bin/grep -l "^\s*kernel\s*.*$i" /boot/grub/menu.lst; then
/sbin/update-bootloader --remove --image "$i" || true
fi
done
fi
# Cleanup config, to not confuse some tools determining bootloader in use
rm -f /boot/%{name}/grub.cfg
# Cleanup installed files
# Unless grub2 provides grub2-uninstall, we don't remove any file because
# we have no idea what's been installed. (And a blind remove is dangerous
# to remove user's or other package's file accidently ..)
fi
fi
%endif
%postun
%service_del_postun grub2-once.service
@ -1299,9 +1170,6 @@ fi
%ifnarch ppc ppc64 ppc64le
%config(noreplace) %{_sysconfdir}/grub.d/95_textmode
%endif
%ifarch %{ix86} x86_64
%config(noreplace) %{_sysconfdir}/grub.d/20_memtest86+
%endif
%ifarch ppc ppc64 ppc64le
%config(noreplace) %{_sysconfdir}/grub.d/20_ppc_terminfo
%endif
@ -1390,6 +1258,9 @@ fi
%{_mandir}/man8/%{name}-ofpathname.8.*
%{_mandir}/man8/%{name}-sparc64-setup.8.*
%endif
%ifarch %{efi}
%{_mandir}/man1/%{name}-protect.1.*
%endif
%files branding-upstream
%defattr(-,root,root,-)