Sync from SUSE:SLFO:Main grub2 revision 3895553f59bc334a749e833369c92c1a
This commit is contained in:
parent
eb839a715e
commit
a1d205fd6c
@ -0,0 +1,51 @@
|
||||
From 28440c9b5f83b82b4715554fa5c2d3f013b769e6 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Tue, 26 Mar 2024 13:55:53 +0800
|
||||
Subject: [PATCH] 10_linux: Ensure persistence of root file system mounting
|
||||
|
||||
This commit addresses the issue where the by-uuid or by-partuuid device
|
||||
symlinks might be unavailable in an installation system. Despite the
|
||||
absence of these symlinks, the resulting system remains fully functional
|
||||
for mounting the root file system by using persistent names
|
||||
(root=(UUID|PARTUUID)=).
|
||||
|
||||
The patch implemented in this commit aims to prevent fallback to the OS
|
||||
name as the root= parameter, as persistent names are preferred for
|
||||
stability and predictability.
|
||||
|
||||
To achieve this, the fallback to the OS name won't be triggered if the
|
||||
corresponding by-uuid or by-partuuid symlinks are missing, ensuring the
|
||||
use of persistent names. Instead, a warning will be logged for the
|
||||
missing symlinks, providing visibility into the issue.
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
util/grub.d/10_linux.in | 6 ++++--
|
||||
1 file changed, 4 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index 5531239eb..4d8bdeac2 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -54,14 +54,16 @@ esac
|
||||
if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
|
||||
|| ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
|
||||
&& [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
|
||||
- || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
|
||||
- && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
|
||||
|| ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
|
||||
LINUX_ROOT_DEVICE=${GRUB_DEVICE}
|
||||
elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
|
||||
|| [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
|
||||
+ test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ||
|
||||
+ echo "WARN: Use PARTUUID=${GRUB_DEVICE_PARTUUID} despite missing by-partuuid symlink" >&2
|
||||
LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
|
||||
else
|
||||
+ test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" ||
|
||||
+ echo "WARN: Use UUID=${GRUB_DEVICE_UUID} despite missing by-uuid symlink" >&2
|
||||
LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
|
||||
fi
|
||||
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,7 +1,7 @@
|
||||
From fe7ed9104cef56f9e532a0c9a7164393d5d69ae1 Mon Sep 17 00:00:00 2001
|
||||
From 27b3e919b9b51a4fedeb3a5aef19c87f0cd7b687 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Fri, 17 Nov 2023 12:32:59 +0800
|
||||
Subject: [PATCH 1/4] Improve TPM key protection on boot interruptions
|
||||
Subject: [PATCH] Improve TPM key protection on boot interruptions
|
||||
|
||||
The unattended boot process for full disk encryption relies on an
|
||||
authorized TPM policy to ensure the system's integrity before releasing
|
||||
@ -125,7 +125,7 @@ index c2217ca98..9397bede9 100644
|
||||
|
||||
static grub_command_t cmd;
|
||||
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
||||
index c79d4125a..d90ca06dc 100644
|
||||
index aa0d43562..babc94868 100644
|
||||
--- a/grub-core/disk/cryptodisk.c
|
||||
+++ b/grub-core/disk/cryptodisk.c
|
||||
@@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
@ -139,14 +139,14 @@ index c79d4125a..d90ca06dc 100644
|
||||
dev = grub_cryptodisk_get_by_source_disk (source);
|
||||
|
||||
@@ -1183,6 +1186,9 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
ret = grub_cryptodisk_insert (dev, name, source);
|
||||
if (ret != GRUB_ERR_NONE)
|
||||
goto error;
|
||||
ret = grub_cryptodisk_insert (dev, name, source);
|
||||
if (ret != GRUB_ERR_NONE)
|
||||
goto error;
|
||||
+#ifndef GRUB_UTIL
|
||||
+ is_tpmkey = 1;
|
||||
+ is_tpmkey = 1;
|
||||
+#endif
|
||||
goto cleanup;
|
||||
}
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
@@ -1244,7 +1250,7 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
|
||||
@ -282,5 +282,5 @@ index 113c53cfc..f86404686 100644
|
||||
+grub_cryptokey_tpmkey_discard (void);
|
||||
#endif /* ! GRUB_CRYPTTAB_HEADER */
|
||||
--
|
||||
2.42.1
|
||||
2.35.3
|
||||
|
||||
|
@ -98,7 +98,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
{
|
||||
if (!load_cfg_f)
|
||||
load_cfg_f = grub_util_fopen (load_cfg, "wb");
|
||||
@@ -1670,21 +1708,13 @@
|
||||
@@ -1670,22 +1708,14 @@
|
||||
|
||||
#ifdef __linux__
|
||||
|
||||
@ -108,6 +108,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
{
|
||||
char *subvol = NULL;
|
||||
char *mount_path = NULL;
|
||||
grub_uint64_t subvolid = 0;
|
||||
- char **rootdir_devices = NULL;
|
||||
- char *t = grub_util_path_concat (2, "/", rootdir);
|
||||
- char *rootdir_path = grub_canonicalize_file_name (t);
|
||||
@ -117,10 +118,10 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
-
|
||||
- if (rootdir_devices && rootdir_devices[0])
|
||||
- if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
|
||||
- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
|
||||
- subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid);
|
||||
+
|
||||
+ if (grub_strcmp (rootdir_devices[0], grub_devices[0]) == 0)
|
||||
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path);
|
||||
+ subvol = grub_util_get_btrfs_subvol (platdir, &mount_path, &subvolid);
|
||||
|
||||
if (subvol && mount_path)
|
||||
{
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 58dcf7985b20de876a6fc44a591aa377d0a0302c Mon Sep 17 00:00:00 2001
|
||||
From db67bd0800c69f94fa3696351e7387515464d30c Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Thu, 10 Feb 2022 22:16:58 +0800
|
||||
Subject: [PATCH] grub-install: bailout root device probing
|
||||
@ -15,14 +15,26 @@ filesystem in it's own right.
|
||||
|
||||
The command is also used by grub-mkconfig for the same purpose.
|
||||
|
||||
v2:
|
||||
|
||||
Test the root device first before probing to avoid encountering
|
||||
unexpected errors. If this test fails, the device is considered
|
||||
irrelevant and of no interest, as it is not useful.
|
||||
|
||||
v2.1:
|
||||
Besides verifying that the target's canonical path can be resolved,
|
||||
ensure that the target is a block device file.
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/osdep/basic/no_platform.c | 5 +++++
|
||||
grub-core/osdep/unix/platform.c | 34 +++++++++++++++++++++++++++++
|
||||
grub-core/osdep/windows/platform.c | 6 +++++
|
||||
include/grub/util/install.h | 3 +++
|
||||
util/grub-install.c | 31 ++++++++++++++++++--------
|
||||
5 files changed, 70 insertions(+), 9 deletions(-)
|
||||
grub-core/osdep/basic/no_platform.c | 5 +++
|
||||
grub-core/osdep/unix/getroot.c | 67 +++++++++++++++++++++++++++++
|
||||
grub-core/osdep/unix/platform.c | 34 +++++++++++++++
|
||||
grub-core/osdep/windows/platform.c | 6 +++
|
||||
include/grub/emu/getroot.h | 3 ++
|
||||
include/grub/util/install.h | 3 ++
|
||||
util/grub-install.c | 45 +++++++++++++++----
|
||||
7 files changed, 154 insertions(+), 9 deletions(-)
|
||||
|
||||
--- a/grub-core/osdep/basic/no_platform.c
|
||||
+++ b/grub-core/osdep/basic/no_platform.c
|
||||
@ -35,6 +47,82 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
+{
|
||||
+ return NULL;
|
||||
+}
|
||||
--- a/grub-core/osdep/unix/getroot.c
|
||||
+++ b/grub-core/osdep/unix/getroot.c
|
||||
@@ -489,6 +489,73 @@
|
||||
return 0;
|
||||
}
|
||||
|
||||
+#ifdef __linux__
|
||||
+int
|
||||
+grub_can_guess_from_mountinfo (const char *dir_in)
|
||||
+{
|
||||
+ char **cur;
|
||||
+ char **os_dev = NULL;
|
||||
+ char *dir = grub_canonicalize_file_name (dir_in);
|
||||
+ int ret = 0;
|
||||
+
|
||||
+ if (!dir)
|
||||
+ return 0;
|
||||
+
|
||||
+ os_dev = grub_find_root_devices_from_mountinfo (dir, NULL);
|
||||
+
|
||||
+ if (!os_dev)
|
||||
+ os_dev = find_root_devices_from_libzfs (dir);
|
||||
+
|
||||
+ if (!os_dev)
|
||||
+ {
|
||||
+ free (dir);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ for (cur = os_dev; *cur; cur++)
|
||||
+ {
|
||||
+ if (strcmp (*cur, "/dev/root") == 0
|
||||
+ || strncmp (*cur, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0)
|
||||
+ /* Assume known and good names */
|
||||
+ continue;
|
||||
+ else
|
||||
+ {
|
||||
+ struct stat st;
|
||||
+
|
||||
+ char *tmp = grub_canonicalize_file_name (*cur);
|
||||
+ if (tmp == NULL)
|
||||
+ break;
|
||||
+
|
||||
+ if (strncmp (tmp, "/dev/dm-", sizeof ("/dev/dm-") - 1) == 0)
|
||||
+ continue;
|
||||
+
|
||||
+ if (lstat (tmp, &st) < 0)
|
||||
+ {
|
||||
+ free (tmp);
|
||||
+ break;
|
||||
+ }
|
||||
+ free (tmp);
|
||||
+ if (! S_ISBLK (st.st_mode))
|
||||
+ /* only block device allowed */
|
||||
+ break;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (*cur == NULL)
|
||||
+ /* no bogus device left, good */
|
||||
+ ret = 1;
|
||||
+ else
|
||||
+ grub_util_info ("`%s' is not os device", *cur);
|
||||
+
|
||||
+ for (cur = os_dev; *cur; cur++)
|
||||
+ free (*cur);
|
||||
+ free (os_dev);
|
||||
+ free (dir);
|
||||
+
|
||||
+ return ret;
|
||||
+}
|
||||
+#endif /* __linux__ */
|
||||
+
|
||||
char **
|
||||
grub_guess_root_devices (const char *dir_in)
|
||||
{
|
||||
--- a/grub-core/osdep/unix/platform.c
|
||||
+++ b/grub-core/osdep/unix/platform.c
|
||||
@@ -250,3 +250,37 @@
|
||||
@ -87,6 +175,18 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
+{
|
||||
+ return NULL;
|
||||
+}
|
||||
--- a/include/grub/emu/getroot.h
|
||||
+++ b/include/grub/emu/getroot.h
|
||||
@@ -35,6 +35,9 @@
|
||||
|
||||
char *grub_find_device (const char *dir, dev_t dev);
|
||||
void grub_util_pull_device (const char *osname);
|
||||
+#ifdef __linux__
|
||||
+int grub_can_guess_from_mountinfo (const char *dir);
|
||||
+#endif
|
||||
char **grub_guess_root_devices (const char *dir);
|
||||
int grub_util_get_dev_abstraction (const char *os_dev);
|
||||
char *grub_make_system_path_relative_to_its_root (const char *path);
|
||||
--- a/include/grub/util/install.h
|
||||
+++ b/include/grub/util/install.h
|
||||
@@ -251,6 +251,9 @@
|
||||
@ -101,7 +201,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
int
|
||||
--- a/util/grub-install.c
|
||||
+++ b/util/grub-install.c
|
||||
@@ -887,7 +887,6 @@
|
||||
@@ -922,7 +922,6 @@
|
||||
const char *efi_file = NULL;
|
||||
char **grub_devices;
|
||||
grub_fs_t grub_fs;
|
||||
@ -109,7 +209,7 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
grub_device_t grub_dev = NULL;
|
||||
enum grub_install_plat platform;
|
||||
char *grubdir, *device_map;
|
||||
@@ -1067,8 +1066,10 @@
|
||||
@@ -1102,10 +1101,22 @@
|
||||
grub_host_init ();
|
||||
|
||||
{
|
||||
@ -121,8 +221,20 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
+
|
||||
char *t = grub_util_path_concat (2, "/", rootdir);
|
||||
|
||||
+#ifdef __linux__
|
||||
+ if (!grub_can_guess_from_mountinfo (t))
|
||||
+ {
|
||||
+ free(t);
|
||||
+ /* We can safely ignore the root probe here; whichever cannot be
|
||||
+ * reliably detected is irrelevant and of no interest */
|
||||
+ goto skip_root_probe;
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
rootdir_path = grub_canonicalize_file_name (t);
|
||||
@@ -1089,20 +1090,32 @@
|
||||
if (!rootdir_path)
|
||||
grub_util_error (_("failed to get canonical path of `%s'"), t);
|
||||
@@ -1124,22 +1135,38 @@
|
||||
rootdir_devices[0]);
|
||||
|
||||
rootdir_grub_dev = grub_device_open (rootdir_grub_devname);
|
||||
@ -160,4 +272,10 @@ Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
+ grub_device_close (rootdir_grub_dev);
|
||||
}
|
||||
|
||||
+#ifdef __linux__
|
||||
+ skip_root_probe:
|
||||
+#endif
|
||||
+
|
||||
switch (platform)
|
||||
{
|
||||
case GRUB_INSTALL_PLATFORM_I386_EFI:
|
||||
|
@ -1,7 +1,7 @@
|
||||
From 5affde982dea827580e36ccc658e439397f51ce8 Mon Sep 17 00:00:00 2001
|
||||
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
|
||||
From: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||
Date: Tue, 1 Feb 2022 05:02:53 -0800
|
||||
Subject: [PATCH 1/5] protectors: Add key protectors framework
|
||||
Subject: [PATCH 1/5] key_protector: Add key protectors framework
|
||||
|
||||
A key protector encapsulates functionality to retrieve an unlocking key
|
||||
for a fully-encrypted disk from a specific source. A key protector
|
||||
@ -15,40 +15,53 @@ invoking a key protector by name. If a key protector with the specified
|
||||
name exists and if an unlocking key is successfully retrieved by it, the
|
||||
function returns to the caller the retrieved key and its length.
|
||||
|
||||
Cc: Vladimir Serbinenko <phcoder@gmail.com>
|
||||
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
---
|
||||
grub-core/Makefile.am | 1 +
|
||||
grub-core/Makefile.core.def | 1 +
|
||||
grub-core/kern/protectors.c | 75 +++++++++++++++++++++++++++++++++++++
|
||||
include/grub/protector.h | 48 ++++++++++++++++++++++++
|
||||
4 files changed, 125 insertions(+)
|
||||
create mode 100644 grub-core/kern/protectors.c
|
||||
create mode 100644 include/grub/protector.h
|
||||
grub-core/Makefile.am | 1 +
|
||||
grub-core/Makefile.core.def | 5 +++
|
||||
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
|
||||
include/grub/key_protector.h | 46 ++++++++++++++++++++
|
||||
4 files changed, 130 insertions(+)
|
||||
create mode 100644 grub-core/disk/key_protector.c
|
||||
create mode 100644 include/grub/key_protector.h
|
||||
|
||||
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
|
||||
index f18550c1c..9d3d5f519 100644
|
||||
--- a/grub-core/Makefile.am
|
||||
+++ b/grub-core/Makefile.am
|
||||
@@ -90,6 +90,7 @@
|
||||
@@ -90,6 +90,7 @@ endif
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
|
||||
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/protector.h
|
||||
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
|
||||
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
|
||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||
index bc893e547..4307b8e2d 100644
|
||||
--- a/grub-core/Makefile.core.def
|
||||
+++ b/grub-core/Makefile.core.def
|
||||
@@ -149,6 +149,7 @@
|
||||
common = kern/misc.c;
|
||||
common = kern/parser.c;
|
||||
common = kern/partition.c;
|
||||
+ common = kern/protectors.c;
|
||||
common = kern/rescue_parser.c;
|
||||
common = kern/rescue_reader.c;
|
||||
common = kern/term.c;
|
||||
@@ -1302,6 +1302,11 @@ module = {
|
||||
common = disk/raid6_recover.c;
|
||||
};
|
||||
|
||||
+module = {
|
||||
+ name = key_protector;
|
||||
+ common = disk/key_protector.c;
|
||||
+};
|
||||
+
|
||||
module = {
|
||||
name = scsi;
|
||||
common = disk/scsi.c;
|
||||
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
|
||||
new file mode 100644
|
||||
index 000000000..b84afe1c7
|
||||
--- /dev/null
|
||||
+++ b/grub-core/kern/protectors.c
|
||||
@@ -0,0 +1,75 @@
|
||||
+++ b/grub-core/disk/key_protector.c
|
||||
@@ -0,0 +1,78 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2022 Microsoft Corporation
|
||||
@ -67,17 +80,20 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#include <grub/dl.h>
|
||||
+#include <grub/list.h>
|
||||
+#include <grub/misc.h>
|
||||
+#include <grub/mm.h>
|
||||
+#include <grub/protector.h>
|
||||
+#include <grub/key_protector.h>
|
||||
+
|
||||
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||
+
|
||||
+struct grub_key_protector *grub_key_protectors = NULL;
|
||||
+
|
||||
+grub_err_t
|
||||
+grub_key_protector_register (struct grub_key_protector *protector)
|
||||
+{
|
||||
+ if (protector == NULL || protector->name == NULL || grub_strlen(protector->name) == 0)
|
||||
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
|
||||
+ return GRUB_ERR_BAD_ARGUMENT;
|
||||
+
|
||||
+ if (grub_key_protectors &&
|
||||
@ -124,9 +140,12 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
||||
+
|
||||
+ return kp->recover_key (key, key_size);
|
||||
+}
|
||||
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
|
||||
new file mode 100644
|
||||
index 000000000..6e6a6fb24
|
||||
--- /dev/null
|
||||
+++ b/include/grub/protector.h
|
||||
@@ -0,0 +1,48 @@
|
||||
+++ b/include/grub/key_protector.h
|
||||
@@ -0,0 +1,46 @@
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2022 Microsoft Corporation
|
||||
@ -161,17 +180,18 @@ Signed-off-by: Gary Lin <glin@suse.com>
|
||||
+ grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size);
|
||||
+};
|
||||
+
|
||||
+extern struct grub_key_protector *EXPORT_VAR (grub_key_protectors);
|
||||
+grub_err_t
|
||||
+grub_key_protector_register (struct grub_key_protector *protector);
|
||||
+
|
||||
+grub_err_t
|
||||
+EXPORT_FUNC (grub_key_protector_register) (struct grub_key_protector *protector);
|
||||
+grub_key_protector_unregister (struct grub_key_protector *protector);
|
||||
+
|
||||
+grub_err_t
|
||||
+EXPORT_FUNC (grub_key_protector_unregister) (struct grub_key_protector *protector);
|
||||
+
|
||||
+grub_err_t
|
||||
+EXPORT_FUNC (grub_key_protector_recover_key) (const char *protector,
|
||||
+ grub_uint8_t **key,
|
||||
+ grub_size_t *key_size);
|
||||
+grub_key_protector_recover_key (const char *protector,
|
||||
+ grub_uint8_t **key,
|
||||
+ grub_size_t *key_size);
|
||||
+
|
||||
+#endif /* ! GRUB_PROTECTOR_HEADER */
|
||||
--
|
||||
2.35.3
|
||||
|
@ -0,0 +1,60 @@
|
||||
From d35ff22516b161f6d472f7f5371a89597b072d04 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Mon, 6 May 2024 10:34:22 +0800
|
||||
Subject: [PATCH] net/drivers/ieee1275/ofnet: Remove 200 ms timeout in
|
||||
get_card_packet() to reduce input latency
|
||||
|
||||
When GRUB image is netbooted on ppc64le, the keyboard input exhibits
|
||||
significant latency, reports even say that characters are processed
|
||||
about once per second. This issue makes interactively trying to debug
|
||||
a ppc64le config very difficult.
|
||||
|
||||
It seems that the latency is largely caused by a 200 ms timeout in the
|
||||
idle event loop, during which the network card interface is consistently
|
||||
polled for incoming packets. Often, no packets arrive during this
|
||||
period, so the timeout nearly always expires, which blocks the response
|
||||
to key inputs.
|
||||
|
||||
Furthermore, this 200 ms timeout might not need to be enforced at this
|
||||
basic layer, considering that GRUB performs synchronous reads and its
|
||||
timeout management is actually handled by higher layers, not directly in
|
||||
the card instance. Additionally, the idle polling, which reacts to
|
||||
unsolicited packets like ICMP and SLAAC, would be fine at a less frequent
|
||||
polling interval, rather than needing a timeout for receiving a response.
|
||||
|
||||
For these reasons, we believe the timeout in get_card_packet() should be
|
||||
effectively removed. According to test results, the delay has disappeared,
|
||||
and it is now much easier to use interactively.
|
||||
|
||||
Signed-Off-by: Michael Chang <mchang@suse.com>
|
||||
Tested-by: Tony Jones <tonyj@suse.com>
|
||||
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||
---
|
||||
grub-core/net/drivers/ieee1275/ofnet.c | 8 ++------
|
||||
1 file changed, 2 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/grub-core/net/drivers/ieee1275/ofnet.c b/grub-core/net/drivers/ieee1275/ofnet.c
|
||||
index 78f03df8e..3bf48b3f0 100644
|
||||
--- a/grub-core/net/drivers/ieee1275/ofnet.c
|
||||
+++ b/grub-core/net/drivers/ieee1275/ofnet.c
|
||||
@@ -82,15 +82,11 @@ get_card_packet (struct grub_net_card *dev)
|
||||
grub_ssize_t actual;
|
||||
int rc;
|
||||
struct grub_ofnetcard_data *data = dev->data;
|
||||
- grub_uint64_t start_time;
|
||||
struct grub_net_buff *nb;
|
||||
|
||||
- start_time = grub_get_time_ms ();
|
||||
- do
|
||||
- rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual);
|
||||
- while ((actual <= 0 || rc < 0) && (grub_get_time_ms () - start_time < 200));
|
||||
+ rc = grub_ieee1275_read (data->handle, dev->rcvbuf, dev->rcvbufsize, &actual);
|
||||
|
||||
- if (actual <= 0)
|
||||
+ if (actual <= 0 || rc < 0)
|
||||
return NULL;
|
||||
|
||||
nb = grub_netbuff_alloc (actual + 2);
|
||||
--
|
||||
2.45.2
|
||||
|
170
0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch
Normal file
170
0001-ofdisk-Enhance-canonical-path-handling-for-bootpath.patch
Normal file
@ -0,0 +1,170 @@
|
||||
From 84b95a121a4401be854614419ded3d383e14ac1f Mon Sep 17 00:00:00 2001
|
||||
From: Michael Chang <mchang@suse.com>
|
||||
Date: Fri, 22 Mar 2024 17:38:45 +0800
|
||||
Subject: [PATCH] ofdisk: Enhance canonical path handling for bootpath
|
||||
|
||||
This commit addresses an issue where redundant canonical path
|
||||
translation is performed on the bootpath, potentially leading to
|
||||
incorrect results and subsequent boot failures, particularly in cases
|
||||
where firmware translations are inconsistent.
|
||||
|
||||
To mitigate this, the commit introduces a check to determine if the
|
||||
bootpath is already in canonical form, avoiding unnecessary translation.
|
||||
Additionally, improvements have been made to enhance the resilience of
|
||||
device iteration, enhancing compatibility with cross-device booting
|
||||
scenarios and addressing potential issues related to firmware-based
|
||||
canonical path retrieval.
|
||||
|
||||
These changes aim to improve the reliability and stability of the boot
|
||||
process.
|
||||
|
||||
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||
---
|
||||
grub-core/disk/ieee1275/ofdisk.c | 75 +++++++++++++++++++++++---------
|
||||
1 file changed, 55 insertions(+), 20 deletions(-)
|
||||
|
||||
diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
|
||||
index c5c20a5ec..36ee5314d 100644
|
||||
--- a/grub-core/disk/ieee1275/ofdisk.c
|
||||
+++ b/grub-core/disk/ieee1275/ofdisk.c
|
||||
@@ -35,8 +35,13 @@ static grub_ieee1275_ihandle_t last_ihandle;
|
||||
#define IEEE1275_DISK_ALIAS "/disk@"
|
||||
#define IEEE1275_NVMEOF_DISK_ALIAS "/nvme-of/controller@"
|
||||
|
||||
+/* Used to check boot_type, print debug message if doesn't match, this can be
|
||||
+ * useful to measure boot delays */
|
||||
static char *boot_type;
|
||||
+/* Used to restrict fcp to a physical boot path */
|
||||
static char *boot_parent;
|
||||
+/* Knowing the nvmeof in advance to avoid blind open test during iteration to
|
||||
+ * validate a path */
|
||||
static int is_boot_nvmeof;
|
||||
|
||||
struct ofdisk_hash_ent
|
||||
@@ -540,20 +545,30 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
|
||||
{
|
||||
if (grub_strcmp (alias->type, "fcp") == 0)
|
||||
{
|
||||
- if (boot_type &&
|
||||
- grub_strcmp (boot_type, alias->type) != 0)
|
||||
+ if (boot_parent &&
|
||||
+ grub_strcmp (boot_parent, alias->path) != 0)
|
||||
{
|
||||
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
|
||||
- alias->path, alias->type, boot_type);
|
||||
+ grub_dprintf ("ofdisk", "Skipped device: %s, doesn't match boot_parent %s\n",
|
||||
+ alias->path, boot_parent);
|
||||
goto iter_children;
|
||||
}
|
||||
|
||||
- if (grub_strcmp (boot_parent, alias->path) == 0)
|
||||
+ /* Allow set boot_parent and boot_type to NULL to force iteration */
|
||||
+ if (!boot_parent)
|
||||
{
|
||||
- if (is_boot_nvmeof)
|
||||
- dev_iterate_fcp_nvmeof(alias);
|
||||
- else
|
||||
- dev_iterate_fcp_disks(alias);
|
||||
+ grub_dprintf ("ofdisk", "iterate %s\n", alias->path);
|
||||
+ dev_iterate_fcp_nvmeof(alias);
|
||||
+ dev_iterate_fcp_disks(alias);
|
||||
+ }
|
||||
+ else if (is_boot_nvmeof)
|
||||
+ {
|
||||
+ grub_dprintf ("ofdisk", "iterate nvmeof: %s\n", alias->path);
|
||||
+ dev_iterate_fcp_nvmeof(alias);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ grub_dprintf ("ofdisk", "iterate fcp: %s\n", alias->path);
|
||||
+ dev_iterate_fcp_disks(alias);
|
||||
}
|
||||
}
|
||||
else if (grub_strcmp (alias->type, "vscsi") == 0)
|
||||
@@ -575,9 +590,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
|
||||
if (boot_type &&
|
||||
grub_strcmp (boot_type, alias->type) != 0)
|
||||
{
|
||||
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
|
||||
+ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n",
|
||||
alias->path, alias->type, boot_type);
|
||||
- return;
|
||||
}
|
||||
|
||||
if (grub_ieee1275_open (alias->path, &ihandle))
|
||||
@@ -646,9 +660,8 @@ dev_iterate (const struct grub_ieee1275_devalias *alias)
|
||||
if (boot_type &&
|
||||
grub_strcmp (boot_type, alias->type) != 0)
|
||||
{
|
||||
- grub_dprintf ("ofdisk", "Skipped device: %s, type %s did not match boot_type %s\n",
|
||||
+ grub_dprintf ("ofdisk", "WARN: device: %s, type %s not match boot_type %s\n",
|
||||
alias->path, alias->type, boot_type);
|
||||
- goto iter_children;
|
||||
}
|
||||
|
||||
buf = grub_malloc (grub_strlen (alias->path) +
|
||||
@@ -1116,13 +1129,37 @@ get_parent_devname (const char *devname, int *is_nvmeof)
|
||||
return parent;
|
||||
}
|
||||
|
||||
+
|
||||
+static int
|
||||
+is_canonical (const char *path)
|
||||
+{
|
||||
+ if (grub_strstr (path, IEEE1275_DISK_ALIAS) ||
|
||||
+ grub_strstr (path, IEEE1275_NVMEOF_DISK_ALIAS))
|
||||
+ return 1;
|
||||
+ else
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
static char *
|
||||
get_boot_device_parent (const char *bootpath, int *is_nvmeof)
|
||||
{
|
||||
- char *dev, *canon, *parent;
|
||||
+ char *canon, *parent;
|
||||
+
|
||||
+ if (is_canonical (bootpath))
|
||||
+ {
|
||||
+ early_log ("Use %s as canonical\n", bootpath);
|
||||
+ canon = grub_strdup (bootpath);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ char *dev;
|
||||
|
||||
- dev = grub_ieee1275_get_aliasdevname (bootpath);
|
||||
- canon = grub_ieee1275_canonicalise_devname (dev);
|
||||
+ dev = grub_ieee1275_get_aliasdevname (bootpath);
|
||||
+ canon = grub_ieee1275_canonicalise_devname (dev);
|
||||
+ early_log ("bootpath: %s \n", bootpath);
|
||||
+ early_log ("alias: %s\n", dev);
|
||||
+ early_log ("canonical: %s\n", canon);
|
||||
+ }
|
||||
|
||||
if (!canon)
|
||||
{
|
||||
@@ -1131,8 +1168,6 @@ get_boot_device_parent (const char *bootpath, int *is_nvmeof)
|
||||
grub_print_error ();
|
||||
return NULL;
|
||||
}
|
||||
- else
|
||||
- early_log ("%s is canonical %s\n", bootpath, canon);
|
||||
|
||||
parent = get_parent_devname (canon, is_nvmeof);
|
||||
early_log ("%s is parent of %s\n", parent, canon);
|
||||
@@ -1179,9 +1214,9 @@ insert_bootpath (void)
|
||||
boot_parent = get_boot_device_parent (bootpath, &is_boot_nvmeof);
|
||||
boot_type = grub_ieee1275_get_device_type (boot_parent);
|
||||
if (boot_type)
|
||||
- early_log ("the boot device type %s is used for root device discovery, others excluded\n", boot_type);
|
||||
+ early_log ("the boot device type: %s\n", boot_type);
|
||||
else
|
||||
- early_log ("unknown boot device type, will use all devices to discover root and may be slow\n");
|
||||
+ early_log ("the boot device type is unknown\n");
|
||||
}
|
||||
grub_free (type);
|
||||
grub_free (bootpath);
|
||||
--
|
||||
2.44.0
|
||||
|
@ -1,204 +0,0 @@
|
||||
From 5a417f32f1afe0ffca7f5cbff67145a157b1589b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 7 Feb 2023 18:31:12 +0800
|
||||
Subject: [PATCH 1/4] tpm2: Add TPM2 types, structures, and command constants
|
||||
|
||||
Add new TPM2 types and structures as the preparation to support
|
||||
authorized policy.
|
||||
|
||||
* New types:
|
||||
TPM_ALG_ECDAA, TPM_ALG_ECDSA, TPM_ALG_ECSCHNORR, TPM_ALG_RSASSA,
|
||||
TPM_ALG_RSAPSS, TPM_ALG_SM2, and TPMI_ALG_SIG_SCHEME
|
||||
|
||||
* New structures:
|
||||
TPMS_EMPTY, TPMS_SIGNATURE_RSA, TPMS_SIGNATURE_ECC,
|
||||
TPMS_SIGNATURE_ECDSA, TPMS_SIGNATURE_ECDAA, TPMS_SIGNATURE_SM2,
|
||||
TPMS_SIGNATURE_ECSCHNORR, TPMU_SIGNATURE, and TPMT_TK_VERIFIED
|
||||
|
||||
* New command constants:
|
||||
TPM_CC_LoadExternal, TPM_CC_HashSequenceStart, TPM_CC_SequenceUpdate,
|
||||
TPM_CC_SequenceComplete, TPM_CC_Hash, TPM_CC_VerifySignature,
|
||||
TPM_CC_PolicyAuthorize
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
include/grub/tpm2/internal/structs.h | 86 ++++++++++++++++++++++++++++
|
||||
include/grub/tpm2/internal/types.h | 42 +++++++++-----
|
||||
2 files changed, 114 insertions(+), 14 deletions(-)
|
||||
|
||||
diff --git a/include/grub/tpm2/internal/structs.h b/include/grub/tpm2/internal/structs.h
|
||||
index 72d71eb70..db9eb6cf6 100644
|
||||
--- a/include/grub/tpm2/internal/structs.h
|
||||
+++ b/include/grub/tpm2/internal/structs.h
|
||||
@@ -672,4 +672,90 @@ struct TPMT_TK_CREATION
|
||||
};
|
||||
typedef struct TPMT_TK_CREATION TPMT_TK_CREATION;
|
||||
|
||||
+/* TPMS_EMPTY Structure */
|
||||
+struct TPMS_EMPTY {
|
||||
+ grub_uint8_t empty[1]; /* a structure with no member */
|
||||
+};
|
||||
+typedef struct TPMS_EMPTY TPMS_EMPTY;
|
||||
+
|
||||
+/* TPMS_SIGNATURE_RSA Structure */
|
||||
+struct TPMS_SIGNATURE_RSA {
|
||||
+ TPMI_ALG_HASH hash;
|
||||
+ TPM2B_PUBLIC_KEY_RSA sig;
|
||||
+};
|
||||
+typedef struct TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSA;
|
||||
+
|
||||
+/* Definition of Types for RSA Signature */
|
||||
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSASSA;
|
||||
+typedef TPMS_SIGNATURE_RSA TPMS_SIGNATURE_RSAPSS;
|
||||
+
|
||||
+/* TPMS_SIGNATURE_ECC Structure */
|
||||
+struct TPMS_SIGNATURE_ECC {
|
||||
+ TPMI_ALG_HASH hash;
|
||||
+ TPM2B_ECC_PARAMETER signatureR;
|
||||
+ TPM2B_ECC_PARAMETER signatureS;
|
||||
+};
|
||||
+typedef struct TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECC;
|
||||
+
|
||||
+/* Definition of Types for ECC TPMS_SIGNATURE_ECC */
|
||||
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDSA;
|
||||
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECDAA;
|
||||
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_SM2;
|
||||
+typedef TPMS_SIGNATURE_ECC TPMS_SIGNATURE_ECSCHNORR;
|
||||
+
|
||||
+/* TPMU_SIGNATURE Structure */
|
||||
+union TPMU_SIGNATURE {
|
||||
+ TPMS_SIGNATURE_RSASSA rsassa;
|
||||
+ TPMS_SIGNATURE_RSAPSS rsapss;
|
||||
+ TPMS_SIGNATURE_ECDSA ecdsa;
|
||||
+ TPMS_SIGNATURE_ECDAA ecdaa;
|
||||
+ TPMS_SIGNATURE_SM2 sm2;
|
||||
+ TPMS_SIGNATURE_ECSCHNORR ecschnorr;
|
||||
+ TPMT_HA hmac;
|
||||
+ TPMS_SCHEME_HASH any;
|
||||
+ TPMS_EMPTY null;
|
||||
+};
|
||||
+typedef union TPMU_SIGNATURE TPMU_SIGNATURE;
|
||||
+
|
||||
+/* TPMT_SIGNATURE Structure */
|
||||
+struct TPMT_SIGNATURE {
|
||||
+ TPMI_ALG_SIG_SCHEME sigAlg;
|
||||
+ TPMU_SIGNATURE signature;
|
||||
+};
|
||||
+typedef struct TPMT_SIGNATURE TPMT_SIGNATURE;
|
||||
+
|
||||
+static inline TPMI_ALG_HASH
|
||||
+TPMT_SIGNATURE_get_hash_alg (TPMT_SIGNATURE *sig)
|
||||
+{
|
||||
+ switch (sig->sigAlg)
|
||||
+ {
|
||||
+ case TPM_ALG_RSASSA:
|
||||
+ return sig->signature.rsassa.hash;
|
||||
+ case TPM_ALG_RSAPSS:
|
||||
+ return sig->signature.rsapss.hash;
|
||||
+ case TPM_ALG_ECDSA:
|
||||
+ return sig->signature.ecdsa.hash;
|
||||
+ case TPM_ALG_ECDAA:
|
||||
+ return sig->signature.ecdaa.hash;
|
||||
+ case TPM_ALG_SM2:
|
||||
+ return sig->signature.sm2.hash;
|
||||
+ case TPM_ALG_ECSCHNORR:
|
||||
+ return sig->signature.ecschnorr.hash;
|
||||
+ case TPM_ALG_HMAC:
|
||||
+ return sig->signature.hmac.hashAlg;
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ return TPM_ALG_NULL;
|
||||
+}
|
||||
+
|
||||
+/* TPMT_TK_VERIFIED Structure */
|
||||
+struct TPMT_TK_VERIFIED {
|
||||
+ TPM_ST tag;
|
||||
+ TPMI_RH_HIERARCHY hierarchy;
|
||||
+ TPM2B_DIGEST digest;
|
||||
+};
|
||||
+typedef struct TPMT_TK_VERIFIED TPMT_TK_VERIFIED;
|
||||
+
|
||||
#endif /* ! GRUB_TPM2_INTERNAL_STRUCTS_HEADER */
|
||||
diff --git a/include/grub/tpm2/internal/types.h b/include/grub/tpm2/internal/types.h
|
||||
index 9714f75d4..a1902ef0c 100644
|
||||
--- a/include/grub/tpm2/internal/types.h
|
||||
+++ b/include/grub/tpm2/internal/types.h
|
||||
@@ -181,6 +181,9 @@ typedef grub_uint16_t TPM_ALG_ID;
|
||||
#define TPM_ALG_CFB ((TPM_ALG_ID) 0x0043)
|
||||
#define TPM_ALG_ECB ((TPM_ALG_ID) 0x0044)
|
||||
#define TPM_ALG_ECC ((TPM_ALG_ID) 0x0023)
|
||||
+#define TPM_ALG_ECDAA ((TPM_ALG_ID) 0x001A)
|
||||
+#define TPM_ALG_ECDSA ((TPM_ALG_ID) 0x0018)
|
||||
+#define TPM_ALG_ECSCHNORR ((TPM_ALG_ID) 0x001C)
|
||||
#define TPM_ALG_HMAC ((TPM_ALG_ID) 0x0005)
|
||||
#define TPM_ALG_KDF1_SP800_108 ((TPM_ALG_ID) 0x0022)
|
||||
#define TPM_ALG_KDF1_SP800_56A ((TPM_ALG_ID) 0x0020)
|
||||
@@ -189,10 +192,13 @@ typedef grub_uint16_t TPM_ALG_ID;
|
||||
#define TPM_ALG_MGF1 ((TPM_ALG_ID) 0x0007)
|
||||
#define TPM_ALG_NULL ((TPM_ALG_ID) 0x0010)
|
||||
#define TPM_ALG_RSA ((TPM_ALG_ID) 0x0001)
|
||||
+#define TPM_ALG_RSASSA ((TPM_ALG_ID) 0x0014)
|
||||
+#define TPM_ALG_RSAPSS ((TPM_ALG_ID) 0x0016)
|
||||
#define TPM_ALG_SHA1 ((TPM_ALG_ID) 0x0004)
|
||||
#define TPM_ALG_SHA256 ((TPM_ALG_ID) 0x000B)
|
||||
#define TPM_ALG_SHA384 ((TPM_ALG_ID) 0x000C)
|
||||
#define TPM_ALG_SHA512 ((TPM_ALG_ID) 0x000D)
|
||||
+#define TPM_ALG_SM2 ((TPM_ALG_ID) 0x001B)
|
||||
#define TPM_ALG_SM3_256 ((TPM_ALG_ID) 0x0012)
|
||||
#define TPM_ALG_SM4 ((TPM_ALG_ID) 0x0013)
|
||||
#define TPM_ALG_SYMCIPHER ((TPM_ALG_ID) 0x0025)
|
||||
@@ -299,20 +305,27 @@ typedef grub_uint16_t TPM2_ECC_CURVE;
|
||||
/* TPM_CC Constants */
|
||||
typedef grub_uint32_t TPM_CC;
|
||||
|
||||
-#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
|
||||
-#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
|
||||
-#define TPM_CC_Create ((TPM_CC) 0x00000153)
|
||||
-#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
|
||||
-#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
|
||||
-#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
|
||||
-#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
|
||||
-#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
|
||||
-#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
|
||||
-#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
|
||||
-#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
|
||||
-#define TPM_CC_Load ((TPM_CC) 0x00000157)
|
||||
-#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
|
||||
-#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
|
||||
+#define TPM_CC_EvictControl ((TPM_CC) 0x00000120)
|
||||
+#define TPM_CC_CreatePrimary ((TPM_CC) 0x00000131)
|
||||
+#define TPM_CC_Create ((TPM_CC) 0x00000153)
|
||||
+#define TPM_CC_FlushContext ((TPM_CC) 0x00000165)
|
||||
+#define TPM_CC_ReadPublic ((TPM_CC) 0x00000173)
|
||||
+#define TPM_CC_StartAuthSession ((TPM_CC) 0x00000176)
|
||||
+#define TPM_CC_PolicyPCR ((TPM_CC) 0x0000017f)
|
||||
+#define TPM_CC_NV_Read ((TPM_CC) 0x0000014e)
|
||||
+#define TPM_CC_NV_ReadPublic ((TPM_CC) 0x00000169)
|
||||
+#define TPM_CC_GetCapability ((TPM_CC) 0x0000017a)
|
||||
+#define TPM_CC_PCR_Read ((TPM_CC) 0x0000017e)
|
||||
+#define TPM_CC_Load ((TPM_CC) 0x00000157)
|
||||
+#define TPM_CC_LoadExternal ((TPM_CC) 0x00000167)
|
||||
+#define TPM_CC_Unseal ((TPM_CC) 0x0000015e)
|
||||
+#define TPM_CC_PolicyGetDigest ((TPM_CC) 0x00000189)
|
||||
+#define TPM_CC_HashSequenceStart ((TPM_CC) 0x00000186)
|
||||
+#define TPM_CC_SequenceUpdate ((TPM_CC) 0x0000015c)
|
||||
+#define TPM_CC_SequenceComplete ((TPM_CC) 0x0000013e)
|
||||
+#define TPM_CC_Hash ((TPM_CC) 0x0000017d)
|
||||
+#define TPM_CC_VerifySignature ((TPM_CC) 0x00000177)
|
||||
+#define TPM_CC_PolicyAuthorize ((TPM_CC) 0x0000016a)
|
||||
|
||||
/* Hash algorithm sizes */
|
||||
#define TPM_SHA1_DIGEST_SIZE 20
|
||||
@@ -354,6 +367,7 @@ typedef TPM_ALG_ID TPMI_ALG_ECC_SCHEME;
|
||||
typedef TPM_ALG_ID TPMI_ALG_ASYM_SCHEME;
|
||||
typedef TPM_ALG_ID TPMI_ALG_RSA_SCHEME;
|
||||
typedef TPM_ALG_ID TPMI_ALG_SYM;
|
||||
+typedef TPM_ALG_ID TPMI_ALG_SIG_SCHEME;
|
||||
|
||||
/* TPM_KEY_BITS Type */
|
||||
typedef grub_uint16_t TPM_KEY_BITS;
|
||||
--
|
||||
2.35.3
|
||||
|
97
0001-tpm2-Add-extra-RSA-SRK-types.patch
Normal file
97
0001-tpm2-Add-extra-RSA-SRK-types.patch
Normal file
@ -0,0 +1,97 @@
|
||||
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 25 Apr 2024 16:21:45 +0800
|
||||
Subject: [PATCH] tpm2: Add extra RSA SRK types
|
||||
|
||||
Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
|
||||
to support those parameters.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
grub-core/tpm2/args.c | 12 ++++++++++++
|
||||
grub-core/tpm2/module.c | 16 ++++++++++++++--
|
||||
util/grub-protect.c | 4 ++--
|
||||
3 files changed, 28 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
|
||||
index c11280ab9..d140364d2 100644
|
||||
--- a/grub-core/tpm2/args.c
|
||||
+++ b/grub-core/tpm2/args.c
|
||||
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
|
||||
srk_type->type = TPM_ALG_RSA;
|
||||
srk_type->detail.rsa_bits = 2048;
|
||||
}
|
||||
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
|
||||
+ grub_strcasecmp (value, "RSA3072") == 0)
|
||||
+ {
|
||||
+ srk_type->type = TPM_ALG_RSA;
|
||||
+ srk_type->detail.rsa_bits = 3072;
|
||||
+ }
|
||||
+ else if (grub_strcasecmp (value, "RSA") == 0 ||
|
||||
+ grub_strcasecmp (value, "RSA4096") == 0)
|
||||
+ {
|
||||
+ srk_type->type = TPM_ALG_RSA;
|
||||
+ srk_type->detail.rsa_bits = 4096;
|
||||
+ }
|
||||
else
|
||||
return grub_error (GRUB_ERR_OUT_OF_RANGE,
|
||||
N_("Value '%s' is not a valid asymmetric key type"),
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index b754b38df..8b72ed6fa 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
|
||||
.arg = NULL,
|
||||
.type = ARG_TYPE_STRING,
|
||||
.doc =
|
||||
- N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
|
||||
- "(default: ECC)"),
|
||||
+ N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
||||
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
||||
},
|
||||
/* NV Index-mode options */
|
||||
{
|
||||
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
|
||||
{
|
||||
case 2048:
|
||||
return "RSA2048";
|
||||
+ case 3072:
|
||||
+ return "RSA3072";
|
||||
+ case 4096:
|
||||
+ return "RSA4096";
|
||||
}
|
||||
}
|
||||
|
||||
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
|
||||
.type = TPM_ALG_ECC,
|
||||
.detail.ecc_curve = TPM_ECC_NIST_P256,
|
||||
},
|
||||
+ {
|
||||
+ .type = TPM_ALG_RSA,
|
||||
+ .detail.rsa_bits = 4096,
|
||||
+ },
|
||||
+ {
|
||||
+ .type = TPM_ALG_RSA,
|
||||
+ .detail.rsa_bits = 3072,
|
||||
+ },
|
||||
{
|
||||
.type = TPM_ALG_RSA,
|
||||
.detail.rsa_bits = 2048,
|
||||
diff --git a/util/grub-protect.c b/util/grub-protect.c
|
||||
index 869f45861..00be03ca0 100644
|
||||
--- a/util/grub-protect.c
|
||||
+++ b/util/grub-protect.c
|
||||
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
|
||||
.arg = "TYPE",
|
||||
.flags = 0,
|
||||
.doc =
|
||||
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
|
||||
- "(default: ECC)"),
|
||||
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
|
||||
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
|
||||
.group = 0
|
||||
},
|
||||
{
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,7 +1,7 @@
|
||||
From c3efb4ecbe91b63c127b92122dad3fa53d4efc69 Mon Sep 17 00:00:00 2001
|
||||
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Colp <patrick.colp@oracle.com>
|
||||
Date: Mon, 31 Jul 2023 07:01:45 -0700
|
||||
Subject: [PATCH 1/4] protectors: Implement NV index
|
||||
Subject: [PATCH 1/4] tpm2: Implement NV index
|
||||
|
||||
Currently with the TPM2 protector, only SRK mode is supported and
|
||||
NV index support is just a stub. Implement the NV index option.
|
||||
@ -16,7 +16,7 @@ An example of inserting a key using tpm2-tools:
|
||||
tpm2_getrandom 32 > key.dat
|
||||
|
||||
# Create primary object.
|
||||
tpm2_createprimary -C o -g sha256 -G rsa -c primary.ctx
|
||||
tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx
|
||||
|
||||
# Create policy object. `pcrs.dat` contains the PCR values to seal against.
|
||||
tpm2_startauthsession -S session.dat
|
||||
@ -34,15 +34,17 @@ Then to unseal the key in grub, add this to grub.cfg:
|
||||
cryptomount -u <UUID> --protector tpm2
|
||||
|
||||
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
---
|
||||
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index 5274296b7..d3a64187a 100644
|
||||
index e83b02865..b754b38df 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -757,12 +757,27 @@ static grub_err_t
|
||||
@@ -1035,12 +1035,27 @@ static grub_err_t
|
||||
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
|
||||
grub_uint8_t **key, grub_size_t *key_size)
|
||||
{
|
@ -1,7 +1,7 @@
|
||||
From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
|
||||
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Thu, 6 Apr 2023 16:00:25 +0800
|
||||
Subject: [PATCH v7 16/20] tpm2: Support authorized policy
|
||||
Subject: [PATCH] tpm2: Support authorized policy
|
||||
|
||||
This commit handles the TPM2_PolicyAuthorize command from the key file
|
||||
in TPM 2.0 Key File format.
|
||||
@ -43,12 +43,12 @@ commands:
|
||||
--after \
|
||||
--input sealed.key \
|
||||
--output sealed.tpm \
|
||||
sign 0,2,4,7.9
|
||||
sign 0,2,4,7,9
|
||||
|
||||
Then specify the key file and the key protector to grub.cfg in the EFI
|
||||
system partition:
|
||||
|
||||
tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
|
||||
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
|
||||
cryptomount -u <PART_UUID> -P tpm2
|
||||
|
||||
For any change in the boot components, just run the 'sign' command again
|
||||
@ -59,15 +59,16 @@ with the updated PCR policy.
|
||||
(*2) https://github.com/okirch/pcr-oracle
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
---
|
||||
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 84 insertions(+)
|
||||
|
||||
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
|
||||
index df0727215..0cbfd06e8 100644
|
||||
index 3db25ceca..e83b02865 100644
|
||||
--- a/grub-core/tpm2/module.c
|
||||
+++ b/grub-core/tpm2/module.c
|
||||
@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
||||
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
@ -155,7 +156,7 @@ index df0727215..0cbfd06e8 100644
|
||||
static grub_err_t
|
||||
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
|
||||
{
|
||||
@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
||||
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
|
||||
case TPM_CC_PolicyPCR:
|
||||
err = grub_tpm2_protector_policypcr (session, &buf);
|
||||
break;
|
188
0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
Normal file
188
0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
Normal file
@ -0,0 +1,188 @@
|
||||
From 200dc727d1fdf3bac7aa725569b60a54b3841867 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Fri, 22 Mar 2024 16:23:38 +0800
|
||||
Subject: [PATCH] util/bash-completion: Fix for bash-completion 2.12
|
||||
|
||||
_split_longopt() was the bash-completion private API and removed since
|
||||
bash-completion 2.12. This commit initializes the bash-completion
|
||||
general variables with _init_completion() to avoid the potential
|
||||
'command not found' error.
|
||||
|
||||
Although bash-completion 2.12 introduces _comp_initialize() to deprecate
|
||||
_init_completion(), _init_completion() is still chosen for the better
|
||||
backward compatibility.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
.../bash-completion.d/grub-completion.bash.in | 61 +++++++------------
|
||||
1 file changed, 22 insertions(+), 39 deletions(-)
|
||||
|
||||
diff --git a/util/bash-completion.d/grub-completion.bash.in b/util/bash-completion.d/grub-completion.bash.in
|
||||
index 4c88ee901..749a5d3cf 100644
|
||||
--- a/util/bash-completion.d/grub-completion.bash.in
|
||||
+++ b/util/bash-completion.d/grub-completion.bash.in
|
||||
@@ -151,13 +151,10 @@ __grub_list_modules () {
|
||||
# grub-set-default & grub-reboot
|
||||
#
|
||||
__grub_set_entry () {
|
||||
- local cur prev split=false
|
||||
+ local cur prev words cword split
|
||||
+ _init_completion -s || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
-
|
||||
- _split_longopt && split=true
|
||||
|
||||
case "$prev" in
|
||||
--boot-directory)
|
||||
@@ -180,11 +177,10 @@ __grub_set_entry () {
|
||||
# grub-editenv
|
||||
#
|
||||
__grub_editenv () {
|
||||
- local cur prev
|
||||
+ local cur prev words cword
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
|
||||
case "$prev" in
|
||||
create|list|set|unset)
|
||||
@@ -201,10 +197,10 @@ __grub_editenv () {
|
||||
# grub-mkconfig
|
||||
#
|
||||
__grub_mkconfig () {
|
||||
- local cur prev
|
||||
+ local cur prev words cword
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
|
||||
if [[ "$cur" == -* ]]; then
|
||||
__grubcomp "$(__grub_get_options_from_help)"
|
||||
@@ -217,13 +213,10 @@ __grub_mkconfig () {
|
||||
# grub-setup
|
||||
#
|
||||
__grub_setup () {
|
||||
- local cur prev split=false
|
||||
+ local cur prev words cword split
|
||||
+ _init_completion -s || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
-
|
||||
- _split_longopt && split=true
|
||||
|
||||
case "$prev" in
|
||||
-d|--directory)
|
||||
@@ -246,15 +239,12 @@ __grub_setup () {
|
||||
# grub-install
|
||||
#
|
||||
__grub_install () {
|
||||
- local cur prev last split=false
|
||||
+ local cur prev words cword split last
|
||||
+ _init_completion -s || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
last=$(__grub_get_last_option)
|
||||
|
||||
- _split_longopt && split=true
|
||||
-
|
||||
case "$prev" in
|
||||
--boot-directory)
|
||||
_filedir -d
|
||||
@@ -287,10 +277,10 @@ __grub_install () {
|
||||
# grub-mkfont
|
||||
#
|
||||
__grub_mkfont () {
|
||||
- local cur
|
||||
+ local cur prev words cword
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
|
||||
if [[ "$cur" == -* ]]; then
|
||||
__grubcomp "$(__grub_get_options_from_help)"
|
||||
@@ -304,11 +294,10 @@ __grub_mkfont () {
|
||||
# grub-mkrescue
|
||||
#
|
||||
__grub_mkrescue () {
|
||||
- local cur prev last
|
||||
+ local cur prev words cword last
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
last=$(__grub_get_last_option)
|
||||
|
||||
if [[ "$cur" == -* ]]; then
|
||||
@@ -330,13 +319,10 @@ __grub_mkrescue () {
|
||||
# grub-mkimage
|
||||
#
|
||||
__grub_mkimage () {
|
||||
- local cur prev split=false
|
||||
+ local cur prev words cword split
|
||||
+ _init_completion -s || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
-
|
||||
- _split_longopt && split=true
|
||||
|
||||
case "$prev" in
|
||||
-d|--directory|-p|--prefix)
|
||||
@@ -367,10 +353,10 @@ __grub_mkimage () {
|
||||
# grub-mkpasswd-pbkdf2
|
||||
#
|
||||
__grub_mkpasswd_pbkdf2 () {
|
||||
- local cur
|
||||
+ local cur prev words cword
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
|
||||
if [[ "$cur" == -* ]]; then
|
||||
__grubcomp "$(__grub_get_options_from_help)"
|
||||
@@ -384,13 +370,10 @@ __grub_mkpasswd_pbkdf2 () {
|
||||
# grub-probe
|
||||
#
|
||||
__grub_probe () {
|
||||
- local cur prev split=false
|
||||
+ local cur prev words cword split
|
||||
+ _init_completion -s || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
- prev=${COMP_WORDS[COMP_CWORD-1]}
|
||||
-
|
||||
- _split_longopt && split=true
|
||||
|
||||
case "$prev" in
|
||||
-t|--target)
|
||||
@@ -417,10 +400,10 @@ __grub_probe () {
|
||||
# grub-script-check
|
||||
#
|
||||
__grub_script_check () {
|
||||
- local cur
|
||||
+ local cur prev words cword
|
||||
+ _init_completion || return
|
||||
|
||||
COMPREPLY=()
|
||||
- cur=`_get_cword`
|
||||
|
||||
if [[ "$cur" == -* ]]; then
|
||||
__grubcomp "$(__grub_get_options_from_help)"
|
||||
--
|
||||
2.35.3
|
||||
|
33
0001-util-enable-grub-protect-only-for-EFI-systems.patch
Normal file
33
0001-util-enable-grub-protect-only-for-EFI-systems.patch
Normal file
@ -0,0 +1,33 @@
|
||||
From 6ce53d4db8430de5526ea4c48beac8139ba60925 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Mon, 20 May 2024 14:19:58 +0800
|
||||
Subject: [PATCH] util: enable grub-protect only for EFI systems
|
||||
|
||||
Add 'enable = efi;' back to the grub-protect section to enable the
|
||||
utility only for EFI systems.
|
||||
|
||||
The restriction was relaxed in the upstreaming patch to enable the
|
||||
grub-emu TPM2 testcases. Since we already build the utility natively for
|
||||
the architectures with EFI support, there is no need to build the
|
||||
program again for grub-emu.
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
Makefile.util.def | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Makefile.util.def b/Makefile.util.def
|
||||
index 90850125d..5085152b0 100644
|
||||
--- a/Makefile.util.def
|
||||
+++ b/Makefile.util.def
|
||||
@@ -210,6 +210,7 @@ program = {
|
||||
program = {
|
||||
name = grub-protect;
|
||||
mansection = 1;
|
||||
+ enable = efi;
|
||||
|
||||
common = grub-core/kern/emu/argp_common.c;
|
||||
common = grub-core/osdep/init.c;
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,4 +1,4 @@
|
||||
From 7cc578baf26986c2badce998125b429a2aeb4d33 Mon Sep 17 00:00:00 2001
|
||||
From e62b26f9765e309691e014f322d4b02b220956a1 Mon Sep 17 00:00:00 2001
|
||||
From: Patrick Colp <patrick.colp@oracle.com>
|
||||
Date: Sun, 30 Jul 2023 12:58:18 -0700
|
||||
Subject: [PATCH 2/4] cryptodisk: Fallback to passphrase
|
||||
@ -10,15 +10,17 @@ the protector(s) failed. Later code (e.g., LUKS code) fails as
|
||||
proceeding with the passphrase.
|
||||
|
||||
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
|
||||
---
|
||||
grub-core/disk/cryptodisk.c | 7 ++++++-
|
||||
1 file changed, 6 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
|
||||
index 6620fca00..cf37a0934 100644
|
||||
index af4104178..f9842f776 100644
|
||||
--- a/grub-core/disk/cryptodisk.c
|
||||
+++ b/grub-core/disk/cryptodisk.c
|
||||
@@ -1191,11 +1191,16 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
@@ -1193,11 +1193,16 @@ grub_cryptodisk_scan_device_real (const char *name,
|
||||
source->name, source->partition != NULL ? "," : "",
|
||||
part != NULL ? part : N_("UNKNOWN"), dev->uuid);
|
||||
grub_free (part);
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,427 +0,0 @@
|
||||
From 1d34522075949581ccb34a08dd73607566517824 Mon Sep 17 00:00:00 2001
|
||||
From: Gary Lin <glin@suse.com>
|
||||
Date: Tue, 7 Feb 2023 18:33:42 +0800
|
||||
Subject: [PATCH 2/4] tpm2: Add more marshal/unmarshal functions
|
||||
|
||||
Add a few more marshal/unmarshal functions to support authorized policy.
|
||||
|
||||
* Marshal:
|
||||
grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal()
|
||||
grub_tpm2_mu_TPMT_SENSITIVE_Marshal()
|
||||
grub_tpm2_mu_TPM2B_SENSITIVE_Marshal()
|
||||
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal()
|
||||
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal()
|
||||
grub_tpm2_mu_TPMU_HA_Marshal()
|
||||
grub_tpm2_mu_TPMT_HA_Marshal()
|
||||
grub_tpm2_mu_TPMU_SIGNATURE_Marshal()
|
||||
grub_tpm2_mu_TPMT_SIGNATURE_Marshal()
|
||||
grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal()
|
||||
|
||||
* Unmarshal:
|
||||
grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal()
|
||||
grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal()
|
||||
grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal()
|
||||
grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal()
|
||||
grub_tpm2_mu_TPMU_HA_Unmarshal()
|
||||
grub_tpm2_mu_TPMT_HA_Unmarshal()
|
||||
grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal()
|
||||
grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal()
|
||||
|
||||
Signed-off-by: Gary Lin <glin@suse.com>
|
||||
---
|
||||
grub-core/tpm2/mu.c | 262 +++++++++++++++++++++++++++++++++++++++++
|
||||
include/grub/tpm2/mu.h | 75 ++++++++++++
|
||||
2 files changed, 337 insertions(+)
|
||||
|
||||
diff --git a/grub-core/tpm2/mu.c b/grub-core/tpm2/mu.c
|
||||
index 1617f37cd..3a9a3c1be 100644
|
||||
--- a/grub-core/tpm2/mu.c
|
||||
+++ b/grub-core/tpm2/mu.c
|
||||
@@ -383,6 +383,49 @@ grub_tpm2_mu_TPMS_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
grub_tpm2_mu_TPM2B_Marshal (buffer, p->data.size, p->data.buffer);
|
||||
}
|
||||
|
||||
+void
|
||||
+grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMI_ALG_PUBLIC type,
|
||||
+ const TPMU_SENSITIVE_COMPOSITE *p)
|
||||
+{
|
||||
+ switch(type)
|
||||
+ {
|
||||
+ case TPM_ALG_RSA:
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->rsa.size, p->rsa.buffer);
|
||||
+ break;
|
||||
+ case TPM_ALG_ECC:
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->ecc.size, p->ecc.buffer);
|
||||
+ break;
|
||||
+ case TPM_ALG_KEYEDHASH:
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->bits.size, p->bits.buffer);
|
||||
+ break;
|
||||
+ case TPM_ALG_SYMCIPHER:
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sym.size, p->sym.buffer);
|
||||
+ break;
|
||||
+ default:
|
||||
+ buffer->error = 1;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMT_SENSITIVE *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->sensitiveType);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->authValue.size, p->authValue.buffer);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->seedValue.size, p->seedValue.buffer);
|
||||
+ grub_tpm2_mu_TPMU_SENSITIVE_COMPOSITE_Marshal (buffer, p->sensitiveType,
|
||||
+ &p->sensitive);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPM2B_SENSITIVE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPM2B_SENSITIVE *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->size);
|
||||
+ grub_tpm2_mu_TPMT_SENSITIVE_Marshal (buffer, &p->sensitiveArea);
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
const TPM2B_SENSITIVE_CREATE *sensitiveCreate)
|
||||
@@ -405,6 +448,113 @@ grub_tpm2_mu_TPM2B_SENSITIVE_CREATE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
grub_tpm2_buffer_pack_u16 (buffer, 0);
|
||||
}
|
||||
|
||||
+void
|
||||
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMS_SIGNATURE_RSA *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->sig.size, p->sig.buffer);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMS_SIGNATURE_ECC *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->hash);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureR.size, p->signatureR.buffer);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->signatureS.size, p->signatureS.buffer);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMU_HA_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMI_ALG_HASH hashAlg,
|
||||
+ const TPMU_HA *p)
|
||||
+{
|
||||
+ switch (hashAlg)
|
||||
+ {
|
||||
+ case TPM_ALG_SHA1:
|
||||
+ for (grub_uint16_t i = 0; i < TPM_SHA1_DIGEST_SIZE; i++)
|
||||
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha1[i]);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA256:
|
||||
+ for (grub_uint16_t i = 0; i < TPM_SHA256_DIGEST_SIZE; i++)
|
||||
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha256[i]);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA384:
|
||||
+ for (grub_uint16_t i = 0; i < TPM_SHA384_DIGEST_SIZE; i++)
|
||||
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha384[i]);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA512:
|
||||
+ for (grub_uint16_t i = 0; i < TPM_SHA512_DIGEST_SIZE; i++)
|
||||
+ grub_tpm2_buffer_pack_u8 (buffer, p->sha512[i]);
|
||||
+ break;
|
||||
+ default:
|
||||
+ buffer->error = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_HA_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMT_HA *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->hashAlg);
|
||||
+ grub_tpm2_mu_TPMU_HA_Marshal (buffer, p->hashAlg, &p->digest);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMU_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMI_ALG_SIG_SCHEME sigAlg,
|
||||
+ const TPMU_SIGNATURE *p)
|
||||
+{
|
||||
+ switch (sigAlg)
|
||||
+ {
|
||||
+ case TPM_ALG_RSASSA:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsassa);
|
||||
+ break;
|
||||
+ case TPM_ALG_RSAPSS:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_RSA_Marshal (buffer, (TPMS_SIGNATURE_RSA *)&p->rsapss);
|
||||
+ break;
|
||||
+ case TPM_ALG_ECDSA:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdsa);
|
||||
+ break;
|
||||
+ case TPM_ALG_ECDAA:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecdaa);
|
||||
+ break;
|
||||
+ case TPM_ALG_SM2:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->sm2);
|
||||
+ break;
|
||||
+ case TPM_ALG_ECSCHNORR:
|
||||
+ grub_tpm2_mu_TPMS_SIGNATURE_ECC_Marshal (buffer, (TPMS_SIGNATURE_ECC *)&p->ecschnorr);
|
||||
+ break;
|
||||
+ case TPM_ALG_HMAC:
|
||||
+ grub_tpm2_mu_TPMT_HA_Marshal (buffer, &p->hmac);
|
||||
+ break;
|
||||
+ case TPM_ALG_NULL:
|
||||
+ break;
|
||||
+ default:
|
||||
+ buffer->error = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_SIGNATURE_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMT_SIGNATURE *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->sigAlg);
|
||||
+ grub_tpm2_mu_TPMU_SIGNATURE_Marshal (buffer, p->sigAlg, &p->signature);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_TK_VERIFIED_Marshal (grub_tpm2_buffer_t buffer,
|
||||
+ const TPMT_TK_VERIFIED *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_pack_u16 (buffer, p->tag);
|
||||
+ grub_tpm2_buffer_pack_u32 (buffer, p->hierarchy);
|
||||
+ grub_tpm2_mu_TPM2B_Marshal (buffer, p->digest.size, p->digest.buffer);
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_tpm2_mu_TPM2B_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
TPM2B* p)
|
||||
@@ -775,6 +925,24 @@ grub_tpm2_mu_TPMT_TK_CREATION_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
|
||||
}
|
||||
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_TK_HASHCHECK_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMT_TK_HASHCHECK *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
|
||||
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
|
||||
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_TK_VERIFIED_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMT_TK_VERIFIED *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->tag);
|
||||
+ grub_tpm2_buffer_unpack_u32 (buffer, &p->hierarchy);
|
||||
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*) &p->digest);
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_tpm2_mu_TPMS_PCR_SELECTION_Unmarshal (grub_tpm2_buffer_t buf,
|
||||
TPMS_PCR_SELECTION* pcrSelection)
|
||||
@@ -805,3 +973,97 @@ grub_tpm2_mu_TPML_DIGEST_Unmarshal (grub_tpm2_buffer_t buf,
|
||||
for (grub_uint32_t i = 0; i < digest->count; i++)
|
||||
grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (buf, &digest->digests[i]);
|
||||
}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMS_SIGNATURE_RSA_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMS_SIGNATURE_RSA *rsa)
|
||||
+{
|
||||
+ grub_tpm2_buffer_unpack_u16 (buffer, &rsa->hash);
|
||||
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&rsa->sig);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMS_SIGNATURE_ECC_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMS_SIGNATURE_ECC *ecc)
|
||||
+{
|
||||
+ grub_tpm2_buffer_unpack_u16 (buffer, &ecc->hash);
|
||||
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureR);
|
||||
+ grub_tpm2_mu_TPM2B_Unmarshal (buffer, (TPM2B*)&ecc->signatureS);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMU_HA_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMI_ALG_HASH hashAlg,
|
||||
+ TPMU_HA *p)
|
||||
+{
|
||||
+ switch (hashAlg)
|
||||
+ {
|
||||
+ case TPM_ALG_SHA1:
|
||||
+ grub_tpm2_buffer_unpack (buffer, &p->sha1, TPM_SHA1_DIGEST_SIZE);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA256:
|
||||
+ grub_tpm2_buffer_unpack (buffer, &p->sha256, TPM_SHA256_DIGEST_SIZE);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA384:
|
||||
+ grub_tpm2_buffer_unpack (buffer, &p->sha384, TPM_SHA384_DIGEST_SIZE);
|
||||
+ break;
|
||||
+ case TPM_ALG_SHA512:
|
||||
+ grub_tpm2_buffer_unpack (buffer, &p->sha512, TPM_SHA512_DIGEST_SIZE);
|
||||
+ break;
|
||||
+ default:
|
||||
+ buffer->error = 1;
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMT_HA_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMT_HA *p)
|
||||
+{
|
||||
+ grub_tpm2_buffer_unpack_u16 (buffer, &p->hashAlg);
|
||||
+ grub_tpm2_mu_TPMU_HA_Unmarshal (buffer, p->hashAlg, &p->digest);
|
||||
+}
|
||||
+
|
||||
+void
|
||||
+grub_tpm2_mu_TPMU_SIGNATURE_Unmarshal (grub_tpm2_buffer_t buffer,
|
||||
+ TPMI_ALG_SIG_SCHEME sigAlg,
|
||||
+ TPMU_SIGNATURE *p)
|
||||