From e1e2bc837a3e69011549eed10c314c7909fb7edc1f54c12776d573e25ce69fc5 Mon Sep 17 00:00:00 2001
From: Dominique Leuenberger
Date: Sun, 23 Aug 2020 07:21:14 +0000
Subject: [PATCH] Accepting request 828453 from Base:System
OBS-URL: https://build.opensuse.org/request/show/828453
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=225
---
 ...-implements-fibre-channel-discovery-.patch | 90 +++++++++++++++
 ...rnel-validation-without-shim-protoco.patch | 53 +++++++++
 ...-Provide-cmdline-functions-as-module.patch | 54 +++++++++
 ...erpc-enables-device-mapper-discovery.patch | 107 ++++++++++++++++++
 grub2.changes | 15 +++
 grub2.spec | 12 ++
 6 files changed, 331 insertions(+)
 create mode 100644 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
 create mode 100644 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
 create mode 100644 0002-cmdline-Provide-cmdline-functions-as-module.patch
 create mode 100644 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
diff --git a/0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch b/0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
new file mode 100644
index 0000000..5bdc95a
--- /dev/null
+++ b/0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
@@ -0,0 +1,90 @@
+From ca30b3c6fd8c848f510445316d0c4a8fca6061ba Mon Sep 17 00:00:00 2001
+From: Diego Domingos
+Date: Wed, 24 Jun 2020 08:17:18 -0400
+Subject: [PATCH 1/2] ieee1275/powerpc: implements fibre channel discovery for
+ ofpathname
+
+grub-ofpathname doesn't work with fibre channel because there is no
+function currently implemented for it.
+This patch enables it by prividing a function that looks for the port
+name, building the entire path for OF devices.
+---
+ grub-core/osdep/linux/ofpath.c | 48 ++++++++++++++++++++++++++++++++++
+ 1 file changed, 48 insertions(+)
+
+diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
+index a6153d359..f2bc9fc5c 100644
+--- a/grub-core/osdep/linux/ofpath.c
++++ b/grub-core/osdep/linux/ofpath.c
+@@ -399,6 +399,37 @@ of_path_of_nvme(const char *sys_devname __attribute__((unused)),
+ }
+ #endif
+
++static void
++of_fc_port_name(const char *path, const char *subpath, char *port_name)
++{
++ char *bname, *basepath, *p;
++ int fd;
++
++ bname = xmalloc(sizeof(char)*150);
++ basepath = xmalloc(strlen(path));
++
++ /* Generate the path to get port name information from the drive */
++ strncpy(basepath,path,subpath-path);
++ basepath[subpath-path-1] = '\0';
++ p = get_basename(basepath);
++ snprintf(bname,sizeof(char)*150,"%s/fc_transport/%s/port_name",basepath,p);
++
++ /* Read the information from the port name */
++ fd = open (bname, O_RDONLY);
++ if (fd < 0)
++ grub_util_error (_("cannot open `%s': %s"), bname, strerror (errno));
++
++ if (read(fd,port_name,sizeof(char)*19) < 0)
++ grub_util_error (_("cannot read `%s': %s"), bname, strerror (errno));
++
++ sscanf(port_name,"0x%s",port_name);
++
++ close(fd);
++
++ free(bname);
++ free(basepath);
++}
++
+ static int
+ vendor_is_ATA(const char *path)
+ {
+@@ -577,6 +608,16 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev
+ digit_string = trailing_digits (device);
+ if (strncmp (of_path, "/vdevice/", sizeof
("/vdevice/") - 1) == 0) + { ++ if(strstr(of_path,"vfc-client")) ++ { ++ char * port_name = xmalloc(sizeof(char)*17); ++ of_fc_port_name(sysfs_path, p, port_name); ++ ++ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name); ++ free(port_name); ++ } ++ else ++ { + unsigned long id = 0x8000 | (tgt << 8) | (bus << 5) | lun; + if (*digit_string == '\0') + { +@@ -590,6 +631,13 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev + snprintf(disk, sizeof (disk), + "/%s@%04lx000000000000:%c", disk_name, id, 'a' + (part - 1)); + } ++ } ++ } else if (strstr(of_path,"fibre-channel")||(strstr(of_path,"vfc-client"))){ ++ char * port_name = xmalloc(sizeof(char)*17); ++ of_fc_port_name(sysfs_path, p, port_name); ++ ++ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name); ++ free(port_name); + } + else + { +-- +2.26.2 + diff --git a/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch new file mode 100644 index 0000000..2400a54 --- /dev/null +++ b/0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch 
@@ -0,0 +1,53 @@
+From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 17 Aug 2020 17:09:01 +0800
+Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.
+
+If certificates that signed grub are installed into db, grub can be
+booted directly. It will then boot any kernel without signature
+validation. The booted kernel will think it was booted in secureboot
+mode and will implement lockdown, yet it could have been tampered.
+
+This version of the patch skips calling verification, when booted
+without secureboot.
+
+CVE-2020-15705
+
+Reported-by: Mathieu Trudel-Lapierre
+Also-by: Dimitri John Ledkov
+Signed-off-by: Michael Chang
+---
+ grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
+index 61b2d5177..8017e8c05 100644
+--- a/grub-core/loader/i386/efi/linux.c
++++ b/grub-core/loader/i386/efi/linux.c
+@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+ goto fail;
+ }
+
++ if (grub_efi_secure_boot())
++ {
++ grub_dl_t mod;
++
++ mod = grub_dl_get ("shim_lock");
++ if (!mod)
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not loaded"));
++ goto fail;
++ }
++ if (!grub_dl_is_persistent (mod))
++ {
++ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not available"));
++ goto fail;
++ }
++ }
++
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+ if (! file)
+ goto fail;
+--
+2.26.2
+
diff --git a/0002-cmdline-Provide-cmdline-functions-as-module.patch b/0002-cmdline-Provide-cmdline-functions-as-module.patch
new file mode 100644
index 0000000..12dae60
--- /dev/null
+++ b/0002-cmdline-Provide-cmdline-functions-as-module.patch
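Review bot: The new Secure Boot gate in `grub_cmd_linux` treats "module `shim_lock` is loaded and persistent" as proof that the shim verify protocol is available, but nothing in the hunk explains that equivalence, and the second error text (`shim_lock protocol is not available`) names something the code never queries directly. Presumably shim_lock marks itself persistent only after it has located the protocol during its init — that is what would make `grub_dl_is_persistent` a valid proxy — and it should be written down, because a later change to that init path would silently weaken this check. I would put above `if (grub_efi_secure_boot())` a comment such as `/* Under Secure Boot, refuse to load a kernel unless the shim_lock verifier is active; shim_lock stays non-persistent when it cannot find the shim protocol, so a non-persistent module means no verification would take place. */`, after confirming that claim against shim_lock's source. A sentence in the commit message would also help: since this runs before `grub_file_open`, the kernel is not even opened without the verifier, which is the CVE-2020-15705 behaviour change. `grub_cmd_linux` and its `fail:` label continue outside the hunk.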
@@ -0,0 +1,54 @@
+From 42cb0ebbffd660608612f9e32150a6596c6933c4 Mon Sep 17 00:00:00 2001
+From: Michael Chang
+Date: Mon, 17 Aug 2020 17:25:56 +0800
+Subject: [PATCH 2/2] cmdline: Provide cmdline functions as module
+
+The command line processing is needed by many loader modules, hence we should
+make it a sharable one rather than belonging to linux loader. This can cut the
+dependency to linux module among multiple loaders like multiboot linuxefi and
+so on to make custom boot image much more flexible to compose.
+
+Signed-off-by: Michael Chang
+---
+ grub-core/Makefile.core.def | 6 +++++-
+ grub-core/lib/cmdline.c | 3 +++
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index c413267a0..6045da47b 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -1790,7 +1790,6 @@ module = {
+ riscv64 = loader/riscv/linux.c;
+ emu = loader/emu/linux.c;
+ common = loader/linux.c;
+- common = lib/cmdline.c;
+ };
+
+ module = {
+@@ -2518,3 +2517,8 @@ module = {
+ common = commands/i386/wrmsr.c;
+ enable = x86;
+ };
++
++module = {
++ name = cmdline;
++ common = lib/cmdline.c;
++};
+diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
+index ed0b149dc..bd392e30f 100644
+--- a/grub-core/lib/cmdline.c
++++ b/grub-core/lib/cmdline.c
+@@ -19,6 +19,9 @@
+
+ #include
+ #include
++#include
++
++GRUB_MOD_LICENSE ("GPLv3+");
+
+ static unsigned int check_arg (char *c, int *has_space)
+ {
+--
+2.26.2
+
diff --git a/0002-ieee1275-powerpc-enables-device-mapper-discovery.patch b/0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
new file mode 100644
index 0000000..22217ca
--- /dev/null
+++ b/0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
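Review bot: The new `cmdline` module block in Makefile.core.def declares no dependency link from the loaders that call into lib/cmdline.c, and the linux module hunk simply drops `common = lib/cmdline.c;`; if GRUB derives inter-module dependencies from unresolved symbols at build time (genmoddep), that is fine, but the commit message should say so, since a reader will otherwise take the removal for a regression in the linux and linuxefi loaders. In the cmdline.c hunk the header name of the added `#include` was lost in the page rendering, so I cannot confirm it is `grub/dl.h`, where `GRUB_MOD_LICENSE` is defined; that header should be included directly rather than reached transitively. A one-line comment above `GRUB_MOD_LICENSE ("GPLv3+");`, e.g. `/* Built as its own module so loaders other than linux can share it. */`, would record why a library file now carries a module license.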
@@ -0,0 +1,107 @@
+From 8b31ebfa42eb5af0633191d26fcdcea8c539e521 Mon Sep 17 00:00:00 2001
+From: Diego Domingos
+Date: Wed, 24 Jun 2020 08:22:50 -0400
+Subject: [PATCH 2/2] ieee1275/powerpc: enables device mapper discovery
+
+this patch enables the device mapper discovery on ofpath.c. Currently,
+when we are dealing with a device like /dev/dm-* the ofpath returns null
+since there is no function implemented to handle this case.
+
+This patch implements a function that will look into /sys/block/dm-*
+devices and search recursively inside slaves directory to find the root
+disk.
+---
+ grub-core/osdep/linux/ofpath.c | 64 +++++++++++++++++++++++++++++++++-
+ 1 file changed, 63 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
+index f2bc9fc5c..d1040c4e6 100644
+--- a/grub-core/osdep/linux/ofpath.c
++++ b/grub-core/osdep/linux/ofpath.c
+@@ -37,6 +37,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #ifdef __sparc__
+ typedef enum
+@@ -754,13 +755,74 @@ strip_trailing_digits (const char *p)
+ return new;
+ }
+
++static char *
++get_slave_from_dm(const char * device){
++ char *curr_device, *tmp;
++ char *directory;
++ char *ret = NULL;
++
++ directory = grub_strdup (device);
++ tmp = get_basename(directory);
++ curr_device = grub_strdup (tmp);
++ *tmp = '\0';
++
++ /* Recursively check for slaves devices so we can find the root device */
++ while ((curr_device[0] == 'd') && (curr_device[1] == 'm') && (curr_device[2] == '-')){
++ DIR *dp;
++ struct dirent *ep;
++ char* device_path;
++
++ device_path = grub_xasprintf ("/sys/block/%s/slaves", curr_device);
++ dp = opendir(device_path);
++ free(device_path);
++
++ if (dp != NULL)
++ {
++ ep = readdir (dp);
++ while (ep != NULL){
++
++ /* avoid some system directories */
++ if (!strcmp(ep->d_name,"."))
++ goto next_dir;
++ if (!strcmp(ep->d_name,".."))
++ goto next_dir;
++
++ free (curr_device);
++ free (ret);
++ curr_device = grub_strdup (ep->d_name);
++ ret =
grub_xasprintf ("%s%s", directory, curr_device);
++ break;
++
++ next_dir:
++ ep = readdir (dp);
++ continue;
++ }
++ closedir (dp);
++ }
++ else
++ grub_util_warn (_("cannot open directory `%s'"), device_path);
++ }
++
++ free (directory);
++ free (curr_device);
++
++ return ret;
++}
++
+ char *
+ grub_util_devname_to_ofpath (const char *sys_devname)
+ {
+- char *name_buf, *device, *devnode, *devicenode, *ofpath;
++ char *name_buf, *device, *devnode, *devicenode, *ofpath, *realname;
+
+ name_buf = xrealpath (sys_devname);
+
++ realname = get_slave_from_dm (name_buf);
++ if (realname)
++ {
++ free (name_buf);
++ name_buf = realname;
++ }
++
+ device = get_basename (name_buf);
+ devnode = strip_trailing_digits (name_buf);
+ devicenode = strip_trailing_digits (device);
+--
+2.26.2
+
diff --git a/grub2.changes b/grub2.changes
index 7a89503..5019eb6 100644
--- a/grub2.changes
+++ b/grub2.changes
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Fri Aug 21 04:40:48 UTC 2020 - Michael Chang
+
+- Add fibre channel device's ofpath support to grub-ofpathname and search hint
+ to speed up root device discovery (bsc#1172745)
+ * 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+ * 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
+
+-------------------------------------------------------------------
+Tue Aug 18 06:02:21 UTC 2020 - Michael Chang
+
+- Fix for CVE-2020-15705 (bsc#1174421)
+ * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+ * 0002-cmdline-Provide-cmdline-functions-as-module.patch
+
 -------------------------------------------------------------------
 Thu Aug 13 06:41:16 UTC 2020 - Michael Chang
diff --git a/grub2.spec b/grub2.spec
index e320615..59a21ea 100644
--- a/grub2.spec
+++ b/grub2.spec
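Review bot: In `get_slave_from_dm`, `device_path` is freed right after `opendir(device_path)` and is then passed to `grub_util_warn (_("cannot open directory `%s'"), device_path)` on the failure branch — a use-after-free of the string being printed. That branch, and a `slaves` directory containing only `.` and `..`, leave `curr_device` unchanged, so the `while ((curr_device[0] == 'd') ...` loop never terminates and the warning repeats forever; the function lies entirely inside this hunk, so both can be fixed locally as below — warn before freeing, and leave the loop when the directory cannot be opened or yields no slave, so that `grub_util_devname_to_ofpath` falls back to the original `name_buf` through the `realname == NULL` path it already handles. Note also that the first `readdir` entry is taken as the root disk; for multi-slave mappings (striped LVM, RAID) that is whichever slave the kernel lists first, which deserves a comment if it is intended. `grub_util_devname_to_ofpath` continues outside the hunk.
```c
  /* Recursively check for slaves devices so we can find the root device */
  while ((curr_device[0] == 'd') && (curr_device[1] == 'm') && (curr_device[2] == '-')){
      DIR *dp;
      struct dirent *ep;
      char* device_path;
      int found = 0;

      device_path = grub_xasprintf ("/sys/block/%s/slaves", curr_device);
      dp = opendir(device_path);
      if (dp == NULL)
        {
          /* Report the path while it is still valid, then stop: retrying the
             same directory would loop forever. */
          grub_util_warn (_("cannot open directory `%s'"), device_path);
          free (device_path);
          break;
        }
      free (device_path);

      while ((ep = readdir (dp)) != NULL)
        {
          /* avoid some system directories */
          if (!strcmp (ep->d_name, ".") || !strcmp (ep->d_name, ".."))
            continue;

          free (curr_device);
          free (ret);
          curr_device = grub_strdup (ep->d_name);
          ret = grub_xasprintf ("%s%s", directory, curr_device);
          found = 1;
          break;
        }
      closedir (dp);

      /* No slave listed: curr_device would not change, so leave rather than
         rescanning the same directory forever. */
      if (!found)
        break;
  }
  /* … unchanged: free (directory); free (curr_device); return ret; … */
```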
@@ -321,6 +321,14 @@ Patch712: 0009-script-Avoid-a-use-after-free-when-redefining-a-func.patch
 # overflows in initrd size handling
 Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
 Patch714: 0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715: 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
+# bsc#1172745 L3: SLES 12 SP4 - Slow boot of system after updated kernel -
+# takes 45 minutes after grub to start loading kernel
+Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
 Requires: gettext-runtime
 %if 0%{?suse_version} >= 1140
@@ -637,6 +645,10 @@ swap partition while in resuming
 %patch712 -p1
 %patch713 -p1
 %patch714 -p1
+%patch715 -p1
+%patch716 -p1
+%patch717 -p1
+%patch718 -p1
 %build
 # collect evidence to debug spurious build failure on SLE15