Accepting request 828453 from Base:System

OBS-URL: https://build.opensuse.org/request/show/828453 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=225
2020-08-23 07:21:14 +00:00 · 2020-08-23 07:21:14 +00:00 · e1e2bc837a
commit e1e2bc837a
parent 72a96948f0
6 changed files with 331 additions and 0 deletions
--- a/0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+++ b/0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
@ -0,0 +1,90 @@
+From ca30b3c6fd8c848f510445316d0c4a8fca6061ba Mon Sep 17 00:00:00 2001
+From: Diego Domingos <diegodo@br.ibm.com>
+Date: Wed, 24 Jun 2020 08:17:18 -0400
+Subject: [PATCH 1/2] ieee1275/powerpc: implements fibre channel discovery for
+ ofpathname
+
+grub-ofpathname doesn't work with fibre channel because there is no
+function currently implemented for it.
+This patch enables it by prividing a function that looks for the port
+name, building the entire path for OF devices.
+---
+ grub-core/osdep/linux/ofpath.c | 48 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
+index a6153d359..f2bc9fc5c 100644
+--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
+@@ -399,6 +399,37 @@ of_path_of_nvme(const char *sys_devname __attribute__((unused)),
+ }
+ #endif
+ 
+static void
+of_fc_port_name(const char *path, const char *subpath, char *port_name)
+{
+  char *bname, *basepath, *p;
+  int fd;
+
+  bname = xmalloc(sizeof(char)*150);
+  basepath = xmalloc(strlen(path));
+
+  /* Generate the path to get port name information from the drive */
+  strncpy(basepath,path,subpath-path);
+  basepath[subpath-path-1] = '\0';
+  p = get_basename(basepath);
+  snprintf(bname,sizeof(char)*150,"%s/fc_transport/%s/port_name",basepath,p);
+
+  /* Read the information from the port name */
+  fd = open (bname, O_RDONLY);
+  if (fd < 0)
+    grub_util_error (_("cannot open `%s': %s"), bname, strerror (errno));
+
+  if (read(fd,port_name,sizeof(char)*19) < 0)
+    grub_util_error (_("cannot read `%s': %s"), bname, strerror (errno));
+
+  sscanf(port_name,"0x%s",port_name);
+
+  close(fd);
+
+  free(bname);
+  free(basepath);
+}
+
+ static int
+ vendor_is_ATA(const char *path)
+ {
+@@ -577,6 +608,16 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev
+   digit_string = trailing_digits (device);
+   if (strncmp (of_path, "/vdevice/", sizeof ("/vdevice/") - 1) == 0)
+     {
+      if(strstr(of_path,"vfc-client"))
+      {
+	char * port_name = xmalloc(sizeof(char)*17);
+	of_fc_port_name(sysfs_path, p, port_name);
+
+	snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
+	free(port_name);
+      }
+      else
+      {
+       unsigned long id = 0x8000 | (tgt << 8) | (bus << 5) | lun;
+       if (*digit_string == '\0')
+ 	{
+@@ -590,6 +631,13 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev
+ 	  snprintf(disk, sizeof (disk),
+ 		   "/%s@%04lx000000000000:%c", disk_name, id, 'a' + (part - 1));
+ 	}
+	}
+    } else if (strstr(of_path,"fibre-channel")||(strstr(of_path,"vfc-client"))){
+	char * port_name = xmalloc(sizeof(char)*17);
+	of_fc_port_name(sysfs_path, p, port_name);
+
+	snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
+	free(port_name);
+     }
+   else
+     {
+-- 
+2.26.2
+
--- a/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+++ b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
@ -0,0 +1,53 @@
+From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 17 Aug 2020 17:09:01 +0800
+Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+This version of the patch skips calling verification, when booted
+without secureboot.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre <cyphermox@ubuntu.com>
+Also-by: Dimitri John Ledkov <xnox@ubuntu.com>
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 61b2d5177..8017e8c05 100644
+--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
+@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+       goto fail;
+     }
+ 
+  if (grub_efi_secure_boot())
+    {
+      grub_dl_t mod;
+
+      mod = grub_dl_get ("shim_lock");
+      if (!mod)
+	{
+	  grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not loaded"));
+	  goto fail;
+	}
+      if (!grub_dl_is_persistent (mod))
+	{
+	  grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));
+	  goto fail;
+	}
+    }
+
+   file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+   if (! file)
+     goto fail;
+-- 
+2.26.2
+
--- a/0002-cmdline-Provide-cmdline-functions-as-module.patch
+++ b/0002-cmdline-Provide-cmdline-functions-as-module.patch
@ -0,0 +1,54 @@
+From 42cb0ebbffd660608612f9e32150a6596c6933c4 Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Mon, 17 Aug 2020 17:25:56 +0800
+Subject: [PATCH 2/2] cmdline: Provide cmdline functions as module
+
+The command line processing is needed by many loader modules, hence we should
+make it a sharable one rather than belonging to linux loader. This can cut the
+dependency to linux module among multiple loaders like multiboot linuxefi and
+so on to make custom boot image much more flexible to compose.
+
+Signed-off-by: Michael Chang <mchang@suse.com>
+---
+ grub-core/Makefile.core.def | 6 +++++-
+ grub-core/lib/cmdline.c     | 3 +++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index c413267a0..6045da47b 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -1790,7 +1790,6 @@ module = {
+   riscv64 = loader/riscv/linux.c;
+   emu = loader/emu/linux.c;
+   common = loader/linux.c;
+-  common = lib/cmdline.c;
+ };
+ 
+ module = {
+@@ -2518,3 +2517,8 @@ module = {
+   common = commands/i386/wrmsr.c;
+   enable = x86;
+ };
+
+module = {
+  name = cmdline;
+  common = lib/cmdline.c;
+};
+diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
+index ed0b149dc..bd392e30f 100644
+--- a/grub-core/lib/cmdline.c
+++ b/grub-core/lib/cmdline.c
+@@ -19,6 +19,9 @@
+ 
+ #include <grub/lib/cmdline.h>
+ #include <grub/misc.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static unsigned int check_arg (char *c, int *has_space)
+ {
+-- 
+2.26.2
+
--- a/0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
+++ b/0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
@ -0,0 +1,107 @@
+From 8b31ebfa42eb5af0633191d26fcdcea8c539e521 Mon Sep 17 00:00:00 2001
+From: Diego Domingos <diegodo@br.ibm.com>
+Date: Wed, 24 Jun 2020 08:22:50 -0400
+Subject: [PATCH 2/2] ieee1275/powerpc: enables device mapper discovery
+
+this patch enables the device mapper discovery on ofpath.c. Currently,
+when we are dealing with a device like /dev/dm-* the ofpath returns null
+since there is no function implemented to handle this case.
+
+This patch implements a function that will look into /sys/block/dm-*
+devices and search recursively inside slaves directory to find the root
+disk.
+---
+ grub-core/osdep/linux/ofpath.c | 64 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
+index f2bc9fc5c..d1040c4e6 100644
+--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
+@@ -37,6 +37,7 @@
+ #include <fcntl.h>
+ #include <errno.h>
+ #include <ctype.h>
+#include <dirent.h>
+ 
+ #ifdef __sparc__
+ typedef enum
+@@ -754,13 +755,74 @@ strip_trailing_digits (const char *p)
+   return new;
+ }
+ 
+static char *
+get_slave_from_dm(const char * device){
+  char *curr_device, *tmp;
+  char *directory;
+  char *ret = NULL;
+
+  directory = grub_strdup (device);
+  tmp = get_basename(directory);
+  curr_device = grub_strdup (tmp);
+  *tmp = '\0';
+
+  /* Recursively check for slaves devices so we can find the root device */
+  while ((curr_device[0] == 'd') && (curr_device[1] == 'm') && (curr_device[2] == '-')){
+    DIR *dp;
+    struct dirent *ep;
+    char* device_path;
+
+    device_path = grub_xasprintf ("/sys/block/%s/slaves", curr_device);
+    dp = opendir(device_path);
+    free(device_path);
+
+    if (dp != NULL)
+    {
+      ep = readdir (dp);
+      while (ep != NULL){
+
+	/* avoid some system directories */
+        if (!strcmp(ep->d_name,"."))
+            goto next_dir;
+        if (!strcmp(ep->d_name,".."))
+            goto next_dir;
+
+	free (curr_device);
+	free (ret);
+	curr_device = grub_strdup (ep->d_name);
+	ret = grub_xasprintf ("%s%s", directory, curr_device);
+	break;
+
+        next_dir:
+         ep = readdir (dp);
+         continue;
+      }
+      closedir (dp);
+    }
+    else
+      grub_util_warn (_("cannot open directory `%s'"), device_path);
+  }
+
+  free (directory);
+  free (curr_device);
+
+  return ret;
+}
+
+ char *
+ grub_util_devname_to_ofpath (const char *sys_devname)
+ {
+-  char *name_buf, *device, *devnode, *devicenode, *ofpath;
+  char *name_buf, *device, *devnode, *devicenode, *ofpath, *realname;
+ 
+   name_buf = xrealpath (sys_devname);
+ 
+  realname = get_slave_from_dm (name_buf);
+  if (realname)
+    {
+      free (name_buf);
+      name_buf = realname;
+    }
+
+   device = get_basename (name_buf);
+   devnode = strip_trailing_digits (name_buf);
+   devicenode = strip_trailing_digits (device);
+-- 
+2.26.2
+
--- a/grub2.changes
+++ b/grub2.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Aug 21 04:40:48 UTC 2020 - Michael Chang <mchang@suse.com>
+
+- Add fibre channel device's ofpath support to grub-ofpathname and search hint
+  to speed up root device discovery (bsc#1172745)
+  * 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+  * 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
+
+-------------------------------------------------------------------
+Tue Aug 18 06:02:21 UTC 2020 - Michael Chang <mchang@suse.com>
+
+- Fix for CVE-2020-15705 (bsc#1174421) 
+  * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+  * 0002-cmdline-Provide-cmdline-functions-as-module.patch
+
 -------------------------------------------------------------------
 Thu Aug 13 06:41:16 UTC 2020 - Michael Chang <mchang@suse.com>

--- a/grub2.spec
+++ b/grub2.spec
@ -321,6 +321,14 @@ Patch712:       0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 # overflows in initrd size handling
 Patch713:       0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714:       0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715:       0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+Patch716:       0002-cmdline-Provide-cmdline-functions-as-module.patch
+# bsc#1172745 L3: SLES 12 SP4 - Slow boot of system after updated kernel -
+# takes 45 minutes after grub to start loading kernel
+Patch717:       0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+Patch718:       0002-ieee1275-powerpc-enables-device-mapper-discovery.patch

 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
@ -637,6 +645,10 @@ swap partition while in resuming
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
+%patch716 -p1
+%patch717 -p1
+%patch718 -p1

 %build
 # collect evidence to debug spurious build failure on SLE15