From e40e4a0d2388ea6ac7cb718967f1567c54957ee23e800042456883f3e07e6098 Mon Sep 17 00:00:00 2001 From: Michael Chang Date: Thu, 19 Oct 2023 06:55:40 +0000 Subject: [PATCH 1/3] Accepting request 1118820 from home:michael-chang:branches:Base:System add missing ref in changelog OBS-URL: https://build.opensuse.org/request/show/1118820 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=470 --- grub2.changes | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/grub2.changes b/grub2.changes index 96aa6ea..c35ca80 100644 --- a/grub2.changes +++ b/grub2.changes @@ -785,7 +785,7 @@ Wed Jun 8 03:25:26 UTC 2022 - Michael Chang ------------------------------------------------------------------- Wed Jun 8 03:17:29 UTC 2022 - Michael Chang -- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) +- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) (jsc#PED-1276) * 0001-luks2-Add-debug-message-to-align-with-luks-and-geli-.patch * 0002-cryptodisk-Refactor-to-discard-have_it-global.patch * 0003-cryptodisk-Return-failure-in-cryptomount-when-no-cry.patch @@ -868,7 +868,7 @@ Thu May 26 10:10:56 UTC 2022 - Michael Chang Tue May 17 10:46:38 UTC 2022 - Michael Chang - Fix installation over serial console ends up in infinite boot loop - (bsc#1187810) + (bsc#1187810) (bsc#1209667) (bsc#1209372) * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch - Fix ppc64le build error for new IEEE long double ABI * 0001-libc-config-merge-from-glibc.patch From 8c7387ac32c08e70f8370c8a02217808e6c04f5ca24a59e3a6e8a521e725b4c3 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Wed, 25 Oct 2023 07:31:37 +0000 Subject: [PATCH 2/3] Accepting request 1120141 from home:michael-chang:branches:Base:System - Fix Xen chainloding error of no matching file path found (bsc#1216081) * grub2-efi-chainload-harder.patch - Use grub-tpm2 token to unlock keyslots to make the unsealing process more efficient and secure. * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch OBS-URL: https://build.opensuse.org/request/show/1120141 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=471 --- ...pm2-token-for-TPM2-protected-volume-.patch | 142 ++++++++++++++++++ grub2-efi-chainload-harder.patch | 9 +- grub2.changes | 13 ++ grub2.spec | 1 + 4 files changed, 163 insertions(+), 2 deletions(-) create mode 100644 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch diff --git a/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch b/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch new file mode 100644 index 0000000..ba58d6c --- /dev/null +++ b/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch @@ -0,0 +1,142 @@ +From 06af22d6c893b0249712e9a486e0cbae15160e5c Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Mon, 23 Oct 2023 16:11:53 +0800 +Subject: [PATCH] luks2: Use grub-tpm2 token for TPM2-protected volume unlock + +This commit enables the use of the grub-tpm2 token for unlocking LUKS2 +volumes protected by TPM2. The token tracks keyslots associated with a +sealed key, making the unsealing process more efficient and secure. + +Signed-Off-by Michael Chang +--- + grub-core/disk/luks2.c | 81 ++++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 79 insertions(+), 2 deletions(-) + +diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c +index d5106402f..fe5ba777a 100644 +--- a/grub-core/disk/luks2.c ++++ b/grub-core/disk/luks2.c +@@ -124,6 +124,14 @@ struct grub_luks2_digest + }; + typedef struct grub_luks2_digest grub_luks2_digest_t; + ++struct grub_luks2_token_tpm ++{ ++ grub_uint64_t idx; ++ grub_uint64_t keyslots; ++ const char *timestamp; ++}; ++typedef struct grub_luks2_token_tpm grub_luks2_token_tpm_t; ++ + gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, + grub_uint8_t * dst, grub_size_t blocksize, + grub_size_t blocknumbers); +@@ -257,6 +265,39 @@ luks2_parse_digest (grub_luks2_digest_t *out, const grub_json_t *digest) + return GRUB_ERR_NONE; + } + ++static grub_err_t ++luks2_parse_token_tpm (grub_luks2_token_tpm_t *out, const grub_json_t *token) ++{ ++ grub_json_t keyslots, o; ++ grub_size_t i, size; ++ grub_uint64_t bit; ++ const char *type; ++ ++ if (grub_json_getstring (&type, token, "type")) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid token type"); ++ else if (grub_strcmp (type, "grub-tpm2")) ++ return GRUB_ERR_NONE; ++ ++ if (grub_json_getvalue (&keyslots, token, "keyslots") || ++ grub_json_getstring (&out->timestamp, token, "timestamp")) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing token parameters"); ++ ++ if (grub_json_getsize (&size, &keyslots)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, ++ "Token references no keyslots"); ++ ++ out->keyslots = 0; ++ for (i = 0; i < size; i++) ++ { ++ if (grub_json_getchild (&o, &keyslots, i) || ++ grub_json_getuint64 (&bit, &o, NULL)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot"); ++ out->keyslots |= (1 << bit); ++ } ++ ++ return GRUB_ERR_NONE; ++} ++ + static grub_err_t + luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_segment_t *s, + const grub_json_t *root, grub_size_t keyslot_json_idx) +@@ -561,13 +602,14 @@ luks2_recover_key (grub_disk_t source, + { + grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; + char cipher[32], *json_header = NULL, *ptr; +- grub_size_t candidate_key_len = 0, json_idx, size; ++ grub_size_t candidate_key_len = 0, json_idx, size, tsize; + grub_luks2_header_t header; + grub_luks2_keyslot_t keyslot; + grub_luks2_digest_t digest; + grub_luks2_segment_t segment; ++ grub_luks2_token_tpm_t token_tpm; + gcry_err_code_t gcry_ret; +- grub_json_t *json = NULL, keyslots; ++ grub_json_t *json = NULL, keyslots, tokens; + grub_err_t ret; + + if (cargs->key_data == NULL || cargs->key_len == 0) +@@ -605,6 +647,37 @@ luks2_recover_key (grub_disk_t source, + goto err; + } + ++ token_tpm.keyslots = 0; ++ tsize = 0; ++ if (cargs->protectors) ++ { ++ int i; ++ for (i = 0; cargs->protectors[i]; i++) ++ if (grub_strcmp(cargs->protectors[i], "tpm2") == 0) ++ break; ++ ++ if (!cargs->protectors[i] || ++ cargs->key_cache[i].invalid || ++ grub_json_getvalue (&tokens, json, "tokens") || ++ grub_json_getsize (&tsize, &tokens)) ++ grub_dprintf ("luks2", "No valid token or not a tpm2 protector\n"); ++ } ++ ++ for (json_idx = 0; json_idx < tsize; json_idx++) ++ { ++ grub_json_t token; ++ ++ if (grub_json_getchild (&token, &tokens, json_idx) || ++ grub_json_getuint64 (&token_tpm.idx, &token, NULL) || ++ grub_json_getchild (&token, &token, 0) || ++ luks2_parse_token_tpm (&token_tpm, &token)) ++ { ++ grub_dprintf ("luks2", "Could not parse token index %" PRIuGRUB_SIZE "\n", json_idx); ++ grub_errno = GRUB_ERR_NONE; ++ continue; ++ } ++ } ++ + if (grub_disk_native_sectors (source) == GRUB_DISK_SIZE_UNKNOWN) + { + /* FIXME: Allow use of source disk, and maybe cause errors in read. */ +@@ -641,6 +714,10 @@ luks2_recover_key (grub_disk_t source, + continue; + } + ++ if (token_tpm.keyslots && ++ !(token_tpm.keyslots & (1 << keyslot.idx))) ++ continue; ++ + grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n", keyslot.idx); + + /* Sector size should be one of 512, 1024, 2048, or 4096. */ +-- +2.42.0 + diff --git a/grub2-efi-chainload-harder.patch b/grub2-efi-chainload-harder.patch index 3c2f994..68fc383 100644 --- a/grub2-efi-chainload-harder.patch +++ b/grub2-efi-chainload-harder.patch @@ -2,6 +2,10 @@ v2: Use grub_efi_get_secureboot to get secure boot status +v3: +Fix null sb_context->file_path due to missing assignment of chainloaded image's +file_path (bsc#1216081) + --- grub-core/loader/efi/chainloader.c | 62 +++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 26 deletions(-) @@ -73,7 +77,7 @@ Use grub_efi_get_secureboot to get secure boot status } static void* -@@ -604,6 +605,9 @@ +@@ -607,6 +608,9 @@ if (buffer) b->free_pool (buffer); @@ -83,7 +87,7 @@ Use grub_efi_get_secureboot to get secure boot status return 0; } -@@ -821,6 +825,30 @@ +@@ -825,6 +829,31 @@ status = b->load_image (0, grub_efi_image_handle, file_path, boot_image, size, &image_handle); @@ -105,6 +109,7 @@ Use grub_efi_get_secureboot to get secure boot status + sb_context->dev_handle = dev_handle; + sb_context->address = address; + sb_context->pages = pages; ++ sb_context->file_path = file_path; + grub_file_close (file); + grub_loader_set_ex (grub_secureboot_chainloader_boot, + grub_secureboot_chainloader_unload, sb_context, 0); diff --git a/grub2.changes b/grub2.changes index c35ca80..bc3741b 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,16 @@ +------------------------------------------------------------------- +Wed Oct 25 01:56:09 UTC 2023 - Michael Chang + +- Fix Xen chainloding error of no matching file path found (bsc#1216081) + * grub2-efi-chainload-harder.patch + +------------------------------------------------------------------- +Mon Oct 23 13:11:45 UTC 2023 - Michael Chang + +- Use grub-tpm2 token to unlock keyslots to make the unsealing process more + efficient and secure. + * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch + ------------------------------------------------------------------- Mon Oct 16 08:05:03 UTC 2023 - Michael Chang diff --git a/grub2.spec b/grub2.spec index c60f4e8..dd80a47 100644 --- a/grub2.spec +++ b/grub2.spec @@ -387,6 +387,7 @@ Patch194: 0003-fs-ntfs-Fix-an-OOB-read-when-parsing-directory-entri.patch Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch Patch197: 0006-fs-ntfs-Make-code-more-readable.patch +Patch198: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140 From 247022017fd138d492acd0c09310c1b92b5ea92372bdf9890b66d7f84fc07073 Mon Sep 17 00:00:00 2001 From: Dirk Mueller Date: Thu, 26 Oct 2023 06:43:26 +0000 Subject: [PATCH 3/3] Accepting request 1120450 from home:gary_lin:branches:Base:System - Fix a potential error when appending multiple keys into the synthesized initrd * Fix-the-size-calculation-for-the-synthesized-initrd.patch OBS-URL: https://build.opensuse.org/request/show/1120450 OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=472 --- ...lculation-for-the-synthesized-initrd.patch | 86 +++++++++++++++++++ grub2.changes | 7 ++ grub2.spec | 1 + 3 files changed, 94 insertions(+) create mode 100644 Fix-the-size-calculation-for-the-synthesized-initrd.patch diff --git a/Fix-the-size-calculation-for-the-synthesized-initrd.patch b/Fix-the-size-calculation-for-the-synthesized-initrd.patch new file mode 100644 index 0000000..8c4e2c1 --- /dev/null +++ b/Fix-the-size-calculation-for-the-synthesized-initrd.patch @@ -0,0 +1,86 @@ +From d441356c924102b43b303520cc1c62a624b014d6 Mon Sep 17 00:00:00 2001 +From: Gary Lin +Date: Thu, 26 Oct 2023 13:18:24 +0800 +Subject: [PATCH] Fix the size calculation for the synthesized initrd + +When calculating the size of the synthesized initrd in +grub_initrd_component(), the ending "TRAILER!!!" is counted in for every +synthesized initrd. However, in grub_initrd_load(), only one "TRAILER!!!" +will be appended for one group of consecutive synthesized initrds. The +additional size calculation for the ending "TRAILER!!!" could make the +linux kernel to read uninitialized bytes and result in the error message +like this: + +Initramfs unpacking failed: invalid magic at start of compressed archive + +To fit into the original 'newc' design, the ending "TRAILER!!!" is +removed from grub_initrd_component(). Instead, in grub_initrd_init(), +the 'newc' flag is set when calculating size of the synthesized initrd +to append the ending "TRAILER!!!" later. As for grub_initrd_load(), +since the path to the unsealed key is specified in 'newc_name', it's +unnecessary to set the 'newc' flag while copying the unsealed key +because the flag is already set when parsing the path name. + +Signed-off-by: Gary Lin +--- + grub-core/loader/linux.c | 23 ++++++++--------------- + 1 file changed, 8 insertions(+), 15 deletions(-) + +diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c +index 4e028f5..9ee8f37 100644 +--- a/grub-core/loader/linux.c ++++ b/grub-core/loader/linux.c +@@ -209,13 +209,6 @@ grub_initrd_component (const char *buf, int bufsz, const char *newc_name, + &initrd_ctx->size)) + goto overflow; + +- initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); +- if (grub_add (initrd_ctx->size, +- ALIGN_UP (sizeof (struct newc_head) +- + sizeof ("TRAILER!!!") - 1, 4), +- &initrd_ctx->size)) +- goto overflow; +- + free_dir (root); + root = 0; + return GRUB_ERR_NONE; +@@ -312,6 +305,13 @@ grub_initrd_init (int argc, char *argv[], + goto overflow; + } + ++ FOR_LIST_ELEMENTS (pk, kpuber) ++ if (pk->key && pk->path) ++ { ++ grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx); ++ newc = 1; ++ } ++ + if (newc) + { + initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); +@@ -324,10 +324,6 @@ grub_initrd_init (int argc, char *argv[], + root = 0; + } + +- FOR_LIST_ELEMENTS (pk, kpuber) +- if (pk->key && pk->path) +- grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx); +- + return GRUB_ERR_NONE; + + overflow: +@@ -404,10 +400,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, + + cursize = initrd_ctx->components[i].size; + if (initrd_ctx->components[i].buf) +- { +- grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize); +- newc = 1; +- } ++ grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize); + else if (grub_file_read (initrd_ctx->components[i].file, ptr, cursize) + != cursize) + { +-- +2.35.3 + diff --git a/grub2.changes b/grub2.changes index bc3741b..c106789 100644 --- a/grub2.changes +++ b/grub2.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Thu Oct 26 06:04:54 UTC 2023 - Gary Ching-Pang Lin + +- Fix a potential error when appending multiple keys into the + synthesized initrd + * Fix-the-size-calculation-for-the-synthesized-initrd.patch + ------------------------------------------------------------------- Wed Oct 25 01:56:09 UTC 2023 - Michael Chang diff --git a/grub2.spec b/grub2.spec index dd80a47..e93700c 100644 --- a/grub2.spec +++ b/grub2.spec @@ -388,6 +388,7 @@ Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch Patch197: 0006-fs-ntfs-Make-code-more-readable.patch Patch198: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch +Patch199: Fix-the-size-calculation-for-the-synthesized-initrd.patch Requires: gettext-runtime %if 0%{?suse_version} >= 1140