From 9f18541245858f53fea72d8d60304f9015d88b5f Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 17 Mar 2023 22:00:23 +0800
Subject: [PATCH 2/2] Restrict cryptsetup key file permission for better
 security

GRUB's default permission 777 for concatenated initrd files was too
permissive for the cryptsetup key file, causing a complaint from
systemd-cryptsetup during boot. This commit replaces the 0777 permission
with a more secure 0400 permission for the key file.

Signed-off-by: Michael Chang <mchang@suse.com>
---
 grub-core/loader/linux.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -32,6 +32,7 @@
   char *buf;
   char *newc_name;
   grub_off_t size;
+  grub_uint32_t mode;
 };
 
 struct dir
@@ -203,6 +204,7 @@
   grub_memcpy (comp->buf, buf, bufsz);
   initrd_ctx->nfiles++;
   comp->size = bufsz;
+  comp->mode = 0100400;
   if (grub_add (initrd_ctx->size, comp->size,
 		&initrd_ctx->size))
     goto overflow;
@@ -272,6 +274,7 @@
 		  grub_initrd_close (initrd_ctx);
 		  return grub_errno;
 		}
+	      initrd_ctx->components[i].mode = 0100777;
 	      name_len = grub_strlen (initrd_ctx->components[i].newc_name) + 1;
 	      if (grub_add (initrd_ctx->size,
 			    ALIGN_UP (sizeof (struct newc_head) + name_len, 4),
@@ -374,6 +377,7 @@
       if (initrd_ctx->components[i].newc_name)
 	{
 	  grub_size_t dir_size;
+	  grub_uint32_t mode = initrd_ctx->components[i].mode; 
 
 	  if (insert_dir (initrd_ctx->components[i].newc_name, &root, ptr,
 			  &dir_size))
@@ -385,7 +389,7 @@
 	  ptr += dir_size;
 	  ptr = make_header (ptr, initrd_ctx->components[i].newc_name,
 			     grub_strlen (initrd_ctx->components[i].newc_name) + 1,
-			     0100777,
+			     mode,
 			     initrd_ctx->components[i].size);
 	  newc = 1;
 	}