forked from pool/grub2

Compare commits

...

35 Commits

Author SHA256 Message Date
Ana Guerrero
6aa795273f Accepting request 1249587 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1249587
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=349
2025-03-05 12:38:23 +00:00
Michael Chang
1855ad5881 - Cherry-pick upstream XFS fixes
  * 0001-fs-xfs-Add-new-superblock-features-added-in-Linux-6..patch
  * 0002-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
- Fix "attempt to read of write outside of partition" error message (bsc#1237844)
  * 0003-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=531
2025-03-03 05:07:03 +00:00
981f57c80b Accepting request 1248263 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1248263
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=348
2025-02-25 15:41:07 +00:00
Michael Chang
4738d190a1 - Make SLFO/SLE-16 and openSUSE have identical package structures
- Provide grub2-<CPUARCH>-efi-bls for SLFO/SLE-16

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=530
2025-02-25 03:51:07 +00:00
428d3cc775 Accepting request 1247577 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1247577
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=347
2025-02-21 20:35:23 +00:00
1d2906f958 - Fix grub-bls does not rollback via setting new default (bsc#1237198)
  * 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=529
2025-02-21 08:55:11 +00:00
Ana Guerrero
0da320177f Accepting request 1246820 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1246820
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=346
2025-02-19 14:58:21 +00:00
Michael Chang
8e2eae8e3f Accepting request 1246819 from home:michael-chang:branches:Base:System
- Security fixes for 2024
  * 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
  * 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
  * 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
  * 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
  * 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
  * 0006-kern-file-Ensure-file-data-is-set.patch
  * 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
  * 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
  * 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
  * 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
  * 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
  * 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
  * 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)

OBS-URL: https://build.opensuse.org/request/show/1246819
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=528
2025-02-19 01:23:28 +00:00
d38d67959e Accepting request 1245775 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1245775
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=345
2025-02-16 21:37:06 +00:00
Michael Chang
690c7c825e Accepting request 1245717 from home:michael-chang:branches:Base:System
- Fix out of memory issue on PowerPC by increasing RMA size (bsc#1236744)
  * 0001-powerpc-increase-MIN-RMA-size-for-CAS-negotiation.patch

OBS-URL: https://build.opensuse.org/request/show/1245717
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=527
2025-02-14 03:29:15 +00:00
Ana Guerrero
301279becb Accepting request 1229183 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1229183
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=344
2024-12-10 22:42:57 +00:00
Michael Chang
9b87c1a6f8 - Update PowerPC SBAT patches to upstream (bsc#1233730)
  * 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
  * 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
- Replaced patches
  * 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
  * 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch

- Fix missing requires in SLE package (bsc#1234264) (bsc#1234272)

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=526
2024-12-09 03:05:05 +00:00
Ana Guerrero
5f9867f98c Accepting request 1228130 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1228130
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=343
2024-12-05 16:05:11 +00:00
Michael Chang
42591852c5 - Update the TPM2 patches to the upstream final version
  * Update 0001-key_protector-Add-key-protectors-framework.patch
  * Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
    grub2-add-tss2-support.patch
  * Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
    0001-key_protector-Add-TPM2-Key-Protector.patch
  * Replace 0005-util-grub-protect-Add-new-tool.patch with
    0001-util-grub-protect-Add-new-tool.patch
  * Replace 0001-tpm2-Implement-NV-index.patch with
    0001-tpm2_key_protector-Implement-NV-index.patch
  * Replace 0001-tpm2-Support-authorized-policy.patch with
    0001-tpm2_key_protector-Support-authorized-policy.patch
- Refresh the TPM2 related patches
  * grub-read-pcr.patch
  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
  * safe_tpm_pcr_snapshot.patch
  * tpm-record-pcrs.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=525
2024-12-04 03:59:01 +00:00
Ana Guerrero
efba483ac7 Accepting request 1227284 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1227284
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=342
2024-11-30 12:27:24 +00:00
Michael Chang
012e0e85e4 Accepting request 1227248 from home:gary_lin:branches:Base:System
- Support s390x Secure Execution (jsc#PED-9531)
  * grub2-s390x-secure-execution-support.patch
- Update grub2-s390x-set-hostonly.patch to add the patch header
  and the description

OBS-URL: https://build.opensuse.org/request/show/1227248
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=524
2024-11-29 08:48:07 +00:00
Ana Guerrero
78a4db0f8e Accepting request 1223823 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1223823
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=341
2024-11-13 14:27:20 +00:00
Michael Chang
543f21c3be - Revert the patches related to BLS support in grub2-mkconfig, as they are not
  relevant to the current BLS integration and cause issues in older KIWI
  versions, which actively force it to be enabled by default (bsc#1233196)
  * 0002-Add-BLS-support-to-grub-mkconfig.patch
  * 0003-Add-grub2-switch-to-blscfg.patch
  * 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
  * 0008-blscfg-reading-bls-fragments-if-boot-present.patch
  * 0009-10_linux-Some-refinement-for-BLS.patch
  * 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=523
2024-11-13 01:57:36 +00:00
d11da056b4 Accepting request 1222848 from Base:System
- Fix previous change as the variable has to be set earlier 
  * 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch

- Do not enable blscfg on s390-emu 
  * 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch

- Fix xen package contains debug_info files with the .module suffix by moving
  them to a separate xen-debug subpackage (bsc#1232573)

OBS-URL: https://build.opensuse.org/request/show/1222848
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=340
2024-11-09 19:54:04 +00:00
Michael Chang
f4a605c515 Add missing changelog
- Fix previous change as the variable has to be set earlier 
  * 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=522
2024-11-08 14:49:35 +00:00
Michael Chang
7520f03d0a OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=521
2024-11-08 14:31:43 +00:00
Michael Chang
3ba6ddf1b2 - Do not enable blscfg on s390-emu
  * 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch

- Fix xen package contains debug_info files with the .module suffix by moving
  them to a separate xen-debug subpackage (bsc#1232573)

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=520
2024-11-08 08:20:35 +00:00
Ana Guerrero
fbc7266e64 Accepting request 1221631 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1221631
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=339
2024-11-06 15:49:26 +00:00
Michael Chang
d1a4631c13 - Fix grub.cfg is loaded from an unexpected fallback directory instead of the
  root directory during PXE boot when grub is loaded from the tftp root
  directory (bsc#1232391)
  * 0001-kern-main-Fix-cmdpath-in-root-directory.patch
  * grub2.spec: Refine PPC grub.elf early config to derive root from cmdpath
    directly, avoiding the unneeded search 

- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
- Restrict CLI access if the encrypted root device is automatically unlocked by
  the TPM. LUKS password authentication is required for access to be granted
  * 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
  * 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Obsolete, as CLI access is now locked and granted access no longer requires
  the previous restrictions
  * 0002-Restrict-file-access-on-cryptodisk-print.patch
  * 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
- Rediff
  * 0004-Key-revocation-on-out-of-bound-file-access.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=519
2024-11-06 05:53:45 +00:00
71cae3e775 Accepting request 1219236 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1219236
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=338
2024-10-31 15:08:51 +00:00
Michael Chang
ef8d78f744 - Enable support of Radix, Xive and Radix_gtse on Power (jsc#PED-9881)
  * 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=518
2024-10-30 02:51:32 +00:00
Ana Guerrero
ab2369bc04 Accepting request 1217306 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1217306
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=337
2024-10-23 19:08:03 +00:00
Michael Chang
75e8a58be1 - Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591)
- Keep grub packaging and dependencies in the SLE-12 and SLE-15 builds

- Power guest secure boot with key management (jsc#PED-3520) (jsc#PED-9892)
  * 0001-ieee1275-Platform-Keystore-PKS-Support.patch
  * 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
  * 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
  * 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
  * 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
  * 0006-appendedsig-documentation.patch
  * 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
  * 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
  * grub2.spec : Building signed grub.elf with SBAT metadata
- Support for NVMe multipath splitter (jsc#PED-10538)
  * 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
- Deleted path (jsc#PED-10538)
  * 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
  * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch

- Fix not a directory error from the minix filesystem, as leftover data on disk
  may contain its magic header so it gets misdetected (bsc#1231604)
  * grub2-install-fix-not-a-directory-error.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=517
2024-10-23 09:59:25 +00:00
Ana Guerrero
6d39cc776d Accepting request 1205665 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1205665
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=336
2024-10-06 15:51:21 +00:00
Michael Chang
cf7b25968b - Fix missing menu entry "Start bootloader from a read-only snapshot" by
  ensuring grub2-snapper-plugin is installed when both snapper and grub2-common
  are installed (bsc#1231271)

- Fix OOM error in loading loopback file (bsc#1230840)
  * 0001-tpm-Skip-loopback-image-measurement.patch

- Fix UEFI PXE boot failure on tagged VLAN network (bsc#1230263)
  * 0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch

- Fix grub screen is filled with artifacts from earlier post menu (bsc#1224465)
  * grub2-SUSE-Add-the-t-hotkey.patch
  * 0001-fix-grub-screen-filled-with-post-screen-artifects.patch

OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=516
2024-10-04 09:29:44 +00:00
Ana Guerrero
60569aeead Accepting request 1201971 from Base:System
OBS-URL: https://build.opensuse.org/request/show/1201971
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/grub2?expand=0&rev=335
2024-10-02 19:32:52 +00:00
Michael Chang
3a7e8d1651 Move license to grub2-common package
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=515
2024-09-19 09:16:45 +00:00
Michael Chang
d9cea2d1a3 Fix missing grub.efi in BRP_PESIGN_FILES
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=514
2024-09-11 14:28:48 +00:00
Michael Chang
56d8c7a7b5 Correct the previous change, ensuring that a platform package is always required by grub2 meta package.
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=513
2024-09-03 06:43:41 +00:00
Michael Chang
d108ec594a Accepting request 1196023 from home:michael-chang:test:grub2
- Introduces a new package, grub2-x86_64-efi-bls, which includes a
  straightforward grubbls.efi file. This file can be copied to the EFI System
  Partition (ESP) along with boot fragments in the Boot Loader Specification
  (BLS) format
  * 0001-Streamline-BLS-and-improve-PCR-stability.patch
- Fix crash in bli module (bsc#1226497)
  * 0001-bli-Fix-crash-in-get_part_uuid.patch

- Rework package dependencies: grub2-common now includes common userland
  utilities and is required by grub2 platform packages. grub2 is now a meta
  package that pulls in the default platform package.

OBS-URL: https://build.opensuse.org/request/show/1196023
OBS-URL: https://build.opensuse.org/package/show/Base:System/grub2?expand=0&rev=512
2024-08-27 05:46:01 +00:00
72 changed files with 13579 additions and 7820 deletions


@ -0,0 +1,188 @@
From 8201e8e6fbb7ee992c430679705852ede91efcd6 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 20 Aug 2024 12:14:35 +0800
Subject: [PATCH] Streamline BLS and improve PCR stability
Introduce an environment variable enable_blscfg to allow looking for and
reading BLS (Boot Loader Specification) configurations right at startup,
rather than relying on the traditional grub.cfg. The benefit of this
approach is that it eliminates the layer of using an external grub.cfg
to piggyback the blscfg command. This change reduces the complexity of
managing command sequences, which would otherwise complicate the PCR
(Platform Configuration Register) policy. Managing a sequence of
commands can be difficult to maintain and ensure they remain in order
indefinitely.
Along the way, we can remove the external grub.cfg and have everything
embedded in memdisk and early embedded configurations. This approach
significantly improves the overall stability and makes it easier to
maintain a consistent and predictable PCR outcome.
The grubenv in the EFI boot directory can be used to override default
settings in the grubbls image, allowing for continued customization.
By introducing grubbls.efi for managing BLS configuration integration,
all necessary modules are built-in, and sensible default settings are
applied. This allows us to remove the following hardcoded command
sequences in blscfg:
load_video
set gfxpalyload=keep
insmod gzio
Since these are now part of the EFI image, this change effectively
simplifies the TPM event log, making it easier to handle with tools like
pcr-oracle or systemd-pcrlock.
Signed-Off-by: Michael Chang <mchang@suse.com>
---
grub-core/commands/blscfg.c | 4 ++
grub-core/normal/main.c | 82 +++++++++++++++++++++++++++++++++++++
include/grub/parser.h | 4 ++
3 files changed, 90 insertions(+)
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
index cbe2a289e..e08f35817 100644
--- a/grub-core/commands/blscfg.c
+++ b/grub-core/commands/blscfg.c
@@ -953,10 +953,14 @@ static void create_entry (struct bls_entry *entry)
const char *sdval = grub_env_get("save_default");
bool savedefault = ((NULL != sdval) && (grub_strcmp(sdval, "true") == 0));
+#ifdef GRUB_MACHINE_EFI
+ src = grub_xasprintf ("%slinux %s%s%s%s\n"
+#else
src = grub_xasprintf ("%sload_video\n"
"set gfxpayload=keep\n"
"insmod gzio\n"
"linux %s%s%s%s\n"
+#endif
"%s%s",
savedefault ? "savedefault\n" : "",
#ifdef GRUB_MACHINE_EMU
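Review bot: the `#ifdef GRUB_MACHINE_EFI` in create_entry drops load_video, set gfxpayload=keep and insmod gzio for every EFI build, while the commit message justifies dropping them only because grubbls.efi has the modules built in and the defaults applied. An ordinary EFI image that runs blscfg without those modules embedded loses the commands too; consider keying this on a run-time condition (for example whether enable_blscfg was set) rather than on the platform macro. Splitting a format string with preprocessor conditionals inside the grub_xasprintf argument list is also fragile; choosing the prefix string in a variable first would keep the call readable.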
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 03631f07a..8e58ced67 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -113,6 +113,65 @@ read_config_file_getline (char **line, int cont __attribute__ ((unused)),
return GRUB_ERR_NONE;
}
+#ifdef GRUB_MACHINE_EFI
+
+static void
+read_envblk_from_cmdpath (void)
+{
+ const char *cmdpath;
+ char *envfile = NULL;
+ int found = 0;
+
+ cmdpath = grub_env_get ("cmdpath");
+
+ if (cmdpath)
+ envfile = grub_xasprintf ("%s/grubenv", cmdpath);
+
+ if (envfile)
+ {
+ grub_file_t file;
+
+ file = grub_file_open (envfile, GRUB_FILE_TYPE_FS_SEARCH
+ | GRUB_FILE_TYPE_NO_DECOMPRESS | GRUB_FILE_TYPE_SKIP_SIGNATURE);
+ if (file)
+ {
+ found = 1;
+ grub_file_close (file);
+ }
+ }
+
+ if (found)
+ {
+ char *cfg;
+
+ cfg = grub_xasprintf ("load_env -f %s\n", envfile);
+ grub_parser_execute ((char *)cfg);
+ grub_free (cfg);
+ }
+
+ grub_free (envfile);
+}
+
+static grub_menu_t
+read_blscfg (void)
+{
+ grub_menu_t newmenu;
+ newmenu = grub_env_get_menu ();
+ if (! newmenu)
+ {
+ newmenu = grub_zalloc (sizeof (*newmenu));
+ if (! newmenu)
+ return 0;
+
+ grub_env_set_menu (newmenu);
+ }
+
+ grub_parser_execute ((char *)"blscfg\n");
+ return newmenu;
+}
+
+#endif
+
static grub_menu_t
read_config_file (const char *config)
{
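Review bot: in read_envblk_from_cmdpath the result of grub_xasprintf ("load_env -f %s\n", envfile) is passed to grub_parser_execute without a NULL check, so an allocation failure hands NULL to the parser. The path is also pasted unquoted into a command line, so a cmdpath containing whitespace or characters the script parser treats specially will not arrive as one argument. Check cfg before executing it and quote the file name, or load the environment block directly instead of going through the parser. read_blscfg likewise discards the return value of grub_parser_execute.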
@@ -282,6 +341,26 @@ grub_normal_execute (const char *config, int nested, int batch)
grub_boot_time ("Executing config file");
+#ifdef GRUB_MACHINE_EFI
+ const char *val;
+
+ val = grub_env_get ("enable_blscfg");
+ if (val && (val[0] == '1' || val[0] == 'y'))
+ read_envblk_from_cmdpath ();
+
+ /* Above would be used to override enable_blscfg, so verify again */
+ val = grub_env_get ("enable_blscfg");
+ if (val && (val[0] == '1' || val[0] == 'y'))
+ {
+ menu = read_blscfg ();
+ /* Ignore any error. */
+ grub_errno = GRUB_ERR_NONE;
+ /* unset to let configfile and source commands continue to work */
+ grub_env_unset ("enable_blscfg");
+ goto check_batch;
+ }
+#endif
+
if (config)
{
menu = read_config_file (config);
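Review bot: the `goto check_batch` in grub_normal_execute is taken whenever enable_blscfg is set, even if read_blscfg returned 0 or blscfg produced no entries, and grub_errno is cleared without being reported, so a failure here skips the `config` fallback silently. Call grub_print_error () before resetting grub_errno and fall through to read_config_file when menu is NULL or empty. The test val[0] == '1' || val[0] == 'y' also accepts any value that merely starts with those characters, and the grubenv read from cmdpath is opened with GRUB_FILE_TYPE_SKIP_SIGNATURE yet may set enable_blscfg and other variables, which deserves a comment stating what that file is trusted to change.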
@@ -307,6 +386,9 @@ grub_normal_execute (const char *config, int nested, int batch)
grub_boot_time ("Executed config file");
+#ifdef GRUB_MACHINE_EFI
+ check_batch:
+#endif
if (! batch)
{
if (menu && menu->size)
diff --git a/include/grub/parser.h b/include/grub/parser.h
index 64f9f5cc2..9d702571a 100644
--- a/include/grub/parser.h
+++ b/include/grub/parser.h
@@ -86,7 +86,11 @@ struct grub_parser
};
typedef struct grub_parser *grub_parser_t;
+#ifdef GRUB_MACHINE_EFI
+grub_err_t EXPORT_FUNC (grub_parser_execute) (char *source);
+#else
grub_err_t grub_parser_execute (char *source);
+#endif
grub_err_t
grub_rescue_parse_line (char *line,
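Review bot: the prototype of grub_parser_execute in parser.h now differs by platform, with no comment saying why the symbol is exported only under GRUB_MACHINE_EFI. State the reason next to the #ifdef, or apply EXPORT_FUNC unconditionally so that the header carries a single declaration.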
--
2.46.0


@ -0,0 +1,82 @@
From 552a2de0642bb95dd38fcdb7894ea7e07171975e Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 15 Jul 2024 11:43:07 +0800
Subject: [PATCH] bli: Fix crash in get_part_uuid
The get_part_uuid() function made an assumption that the target grub
device is a partition device and accessed device->disk->partition
without checking for NULL. There are four situations where this
assumption is problematic:
1. The device is a net device instead of a disk.
2. The device is an abstraction device, like LVM, RAID, or CRYPTO, which
is mostly logical "disk" ((lvmid/<UUID>) and so on).
3. Firmware RAID may present the ESP to grub as an EFI disk (hd0) device
if it is contained within a Linux software RAID.
4. When booting from a cdrom, the ESP is a vfat image indexed by the El
Torito boot catalog. The boot device is set to (cd0), corresponding
to the cdrom image mounted as an iso9660 filesystem.
As a result, get_part_uuid() could lead to a NULL pointer dereference
and trigger a synchronous exception during boot if the ESP falls into
one of these categories. This patch fixes the problem by adding the
necessary checks to handle cases where the ESP is not a partition
device.
Additionally, to avoid disrupting the boot process, this patch relaxes
the severity of the errors in this context to non-critical. Errors will
be logged, but they will not prevent the boot process from continuing.
Fixes: e0fa7dc84 (bli: Add a module for the Boot Loader Interface)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-By: Oliver Steffen <osteffen@redhat.com>
---
grub-core/commands/bli.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/bli.c b/grub-core/commands/bli.c
index e0d8a54f7..298c5f70a 100644
--- a/grub-core/commands/bli.c
+++ b/grub-core/commands/bli.c
@@ -48,6 +48,22 @@ get_part_uuid (const char *device_name, char **part_uuid)
if (device == NULL)
return grub_error (grub_errno, N_("cannot open device: %s"), device_name);
+ if (device->disk == NULL)
+ {
+ grub_dprintf ("bli", "%s is not a disk device, partuuid skipped\n", device_name);
+ *part_uuid = NULL;
+ grub_device_close (device);
+ return GRUB_ERR_NONE;
+ }
+
+ if (device->disk->partition == NULL)
+ {
+ grub_dprintf ("bli", "%s has no partition, partuuid skipped\n", device_name);
+ *part_uuid = NULL;
+ grub_device_close (device);
+ return GRUB_ERR_NONE;
+ }
+
disk = grub_disk_open (device->disk->name);
if (disk == NULL)
{
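Review bot: the two new early returns in get_part_uuid repeat the same cleanup, and they change the function's contract: it can now return GRUB_ERR_NONE with *part_uuid set to NULL. Fold them into one test, device->disk == NULL || device->disk->partition == NULL, and document at the top of the function that GRUB_ERR_NONE with a NULL UUID means "not a partition device", so that future callers check the pointer the way set_loader_device_part_uuid does in the next hunk.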
@@ -99,7 +115,7 @@ set_loader_device_part_uuid (void)
status = get_part_uuid (device_name, &part_uuid);
- if (status == GRUB_ERR_NONE)
+ if (status == GRUB_ERR_NONE && part_uuid)
status = grub_efi_set_variable_to_string ("LoaderDevicePartUUID", &bli_vendor_guid, part_uuid,
GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
@@ -117,4 +133,6 @@ GRUB_MOD_INIT (bli)
GRUB_EFI_VARIABLE_BOOTSERVICE_ACCESS |
GRUB_EFI_VARIABLE_RUNTIME_ACCESS);
set_loader_device_part_uuid ();
+ /* No error here is critical, other than being logged */
+ grub_print_error ();
}
--
2.46.0


@ -0,0 +1,44 @@
From e873743f4ed7841542dd7dc11a183cb136670382 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Wed, 19 Feb 2025 14:52:52 +0800
Subject: [PATCH] bls: Accept .conf suffix in setting default entry
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/normal/menu.c | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index b11b28e0d9..dfdf0c7268 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -557,6 +557,26 @@ get_entry_number (grub_menu_t menu, const char *name)
entry = i;
break;
}
+
+ if (e->bls)
+ {
+ char *v, *ext;
+
+ if ((v = grub_strdup (val)) &&
+ (ext = grub_strrchr (v, '.')) &&
+ grub_strcmp (ext, ".conf") == 0)
+ {
+ *ext = '\0';
+ if (menuentry_eq (e->id, v))
+ {
+ entry = i;
+ grub_free (v);
+ break;
+ }
+ }
+ grub_free (v);
+ }
+
e = e->next;
/* Skip hidden entries */
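Review bot: in get_entry_number the new block calls grub_strdup (val) once per BLS entry inside the loop, and when the allocation fails the branch is skipped with grub_errno left set and nothing reported. Strip the .conf suffix once before the loop and compare each e->id against that copy, handling the allocation failure there. The commit message has only a subject line; it should say which caller passes a name ending in .conf and why the suffix is stripped only for entries with e->bls set.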
--
2.48.1


@ -0,0 +1,374 @@
From c7dd3dd296592fef6166170121b54aafe634369f Mon Sep 17 00:00:00 2001
From: Alec Brown <alec.r.brown@oracle.com>
Date: Wed, 24 Jan 2024 06:26:37 +0000
Subject: [PATCH 1/2] cli_lock: Add build option to block command line
interface
Add functionality to disable command line interface access and editing of GRUB
menu entries if GRUB image is built with --disable-cli.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
docs/grub.texi | 6 ++++--
grub-core/kern/main.c | 28 ++++++++++++++++++++++++++++
grub-core/kern/rescue_reader.c | 13 +++++++++++++
grub-core/normal/auth.c | 3 +++
grub-core/normal/menu_text.c | 31 +++++++++++++++++--------------
include/grub/kernel.h | 3 ++-
include/grub/misc.h | 2 ++
include/grub/util/install.h | 8 ++++++--
util/grub-install-common.c | 11 ++++++++---
util/grub-mkimage.c | 9 ++++++++-
util/mkimage.c | 16 +++++++++++++++-
11 files changed, 106 insertions(+), 24 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 00c5fdc44..e89007920 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -6523,8 +6523,10 @@ the GRUB command line, edit menu entries, and execute any menu entry. If
@samp{superusers} is set, then use of the command line and editing of menu
entries are automatically restricted to superusers. Setting @samp{superusers}
to empty string effectively disables both access to CLI and editing of menu
-entries. Note: The environment variable needs to be exported to also affect
-the section defined by the @samp{submenu} command (@pxref{submenu}).
+entries. Building a grub image with @samp{--disable-cli} option will also
+disable access to CLI and editing of menu entries, as well as disabling rescue
+mode. Note: The environment variable needs to be exported to also affect the
+section defined by the @samp{submenu} command (@pxref{submenu}).
Other users may be allowed to execute specific menu entries by giving a list of
usernames (as above) using the @option{--users} option to the
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 02df49206..07b6940d2 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -30,11 +30,14 @@
#include <grub/reader.h>
#include <grub/parser.h>
#include <grub/verify.h>
+#include <grub/types.h>
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/memory.h>
#endif
+static bool cli_disabled = false;
+
grub_addr_t
grub_modules_get_end (void)
{
@@ -237,6 +240,28 @@ grub_load_normal_mode (void)
grub_command_execute ("normal", 0, 0);
}
+bool
+grub_is_cli_disabled (void)
+{
+ return cli_disabled;
+}
+
+static void
+check_is_cli_disabled (void)
+{
+ struct grub_module_header *header;
+ header = 0;
+
+ FOR_MODULES (header)
+ {
+ if (header->type == OBJ_TYPE_DISABLE_CLI)
+ {
+ cli_disabled = true;
+ return;
+ }
+ }
+}
+
static void
reclaim_module_space (void)
{
@@ -294,6 +319,9 @@ grub_main (void)
grub_boot_time ("After loading embedded modules.");
+ /* Check if the CLI should be disabled */
+ check_is_cli_disabled ();
+
/* It is better to set the root device as soon as possible,
for convenience. */
grub_set_prefix_and_root ();
diff --git a/grub-core/kern/rescue_reader.c b/grub-core/kern/rescue_reader.c
index dcd7d4439..4259857ba 100644
--- a/grub-core/kern/rescue_reader.c
+++ b/grub-core/kern/rescue_reader.c
@@ -78,6 +78,19 @@ grub_rescue_read_line (char **line, int cont,
void __attribute__ ((noreturn))
grub_rescue_run (void)
{
+ /* Stall if the CLI has been disabled */
+ if (grub_is_cli_disabled ())
+ {
+ grub_printf ("Rescue mode has been disabled...\n");
+
+ do
+ {
+ /* Do not optimize out the loop. */
+ asm volatile ("");
+ }
+ while (1);
+ }
+
grub_printf ("Entering rescue mode...\n");
while (1)
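Review bot: in grub_rescue_run the disabled path prints "Rescue mode has been disabled..." and then spins forever in a busy loop, which leaves the operator with no way forward except a power cycle and no indication of that. Say in the message what the operator should do, and prefer a halt or a wait-for-key reboot over the empty asm volatile loop.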
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index 517fc623f..d94020186 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -209,6 +209,9 @@ grub_auth_check_authentication (const char *userlist)
char entered[GRUB_AUTH_MAX_PASSLEN];
struct grub_auth_user *user;
+ if (grub_is_cli_disabled ())
+ return GRUB_ACCESS_DENIED;
+
grub_memset (login, 0, sizeof (login));
if (is_authenticated (userlist))
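Review bot: the early return in grub_auth_check_authentication sits before is_authenticated (userlist), so on a --disable-cli image every caller is denied whatever userlist it passes, including a user who has already authenticated. The docs/grub.texi hunk only mentions the CLI, menu editing and rescue mode; if denying all authentication requests is intended, document it there, otherwise move the check to the CLI and edit call sites.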
diff --git a/grub-core/normal/menu_text.c b/grub-core/normal/menu_text.c
index ae92050d7..56c6f7797 100644
--- a/grub-core/normal/menu_text.c
+++ b/grub-core/normal/menu_text.c
@@ -194,21 +194,24 @@ command-line or ESC to discard edits and return to the GRUB menu."),
grub_free (msg_translated);
#endif
- if (nested)
+ if (!grub_is_cli_disabled ())
{
- ret += grub_print_message_indented_real
- (_("Press enter to boot the selected OS, "
- "`e' to edit the commands before booting "
- "or `c' for a command-line. ESC to return previous menu."),
- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
- }
- else
- {
- ret += grub_print_message_indented_real
- (_("Press enter to boot the selected OS, "
- "`e' to edit the commands before booting "
- "or `c' for a command-line."),
- STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
+ if (nested)
+ {
+ ret += grub_print_message_indented_real
+ (_("Press enter to boot the selected OS, "
+ "`e' to edit the commands before booting "
+ "or `c' for a command-line. ESC to return previous menu."),
+ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
+ }
+ else
+ {
+ ret += grub_print_message_indented_real
+ (_("Press enter to boot the selected OS, "
+ "`e' to edit the commands before booting "
+ "or `c' for a command-line."),
+ STANDARD_MARGIN, STANDARD_MARGIN, term, dry_run);
+ }
}
}
return ret;
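Review bot: wrapping both branches in if (!grub_is_cli_disabled ()) in menu_text.c removes the whole hint, including "Press enter to boot the selected OS" and, for nested menus, "ESC to return previous menu", which still apply when the CLI is locked. Print a shortened message without the `e' and `c' parts in the disabled case instead of printing nothing.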
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
index d3aafc884..9f3e2031f 100644
--- a/include/grub/kernel.h
+++ b/include/grub/kernel.h
@@ -31,7 +31,8 @@ enum
OBJ_TYPE_GPG_PUBKEY,
OBJ_TYPE_X509_PUBKEY,
OBJ_TYPE_DTB,
- OBJ_TYPE_DISABLE_SHIM_LOCK
+ OBJ_TYPE_DISABLE_SHIM_LOCK,
+ OBJ_TYPE_DISABLE_CLI
};
/* The module header. */
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 1b35a167f..1578f36c3 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -391,6 +391,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
grub_uint64_t d,
grub_uint64_t *r);
+extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
+
/* Must match softdiv group in gentpl.py. */
#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
(defined(__riscv) && (__riscv_xlen == 32)))
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index 38c6da73b..a4aac7b85 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -72,6 +72,8 @@
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
1}, \
+ { "disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, \
+ N_("disabled command line interface access"), 0 }, \
{ "verbose", 'v', 0, 0, \
N_("print verbose messages."), 1 }
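Review bot: the help text for disable-cli reads "disabled command line interface access", while the neighbouring entries describe the action ("Add a note segment reserving SIZE bytes ...", "print verbose messages."), so this should be "disable command line interface access". The entry also ends with group 0 where the options on either side use 1; confirm that is deliberate.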
@@ -136,7 +138,8 @@ enum grub_install_options {
GRUB_INSTALL_OPTIONS_DTB,
GRUB_INSTALL_OPTIONS_SBAT,
GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK,
- GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
+ GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,
+ GRUB_INSTALL_OPTIONS_DISABLE_CLI
};
extern char *grub_install_source_directory;
@@ -199,7 +202,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
const struct grub_install_image_target_desc *image_target,
int note, size_t appsig_size,
grub_compression_t comp, const char *dtb_file,
- const char *sbat_path, const int disable_shim_lock);
+ const char *sbat_path, const int disable_shim_lock,
+ const int disable_cli);
const struct grub_install_image_target_desc *
grub_install_get_image_target (const char *arg);
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 75fa03995..344dca664 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -469,6 +469,7 @@ static char **x509keys;
static size_t nx509keys;
static grub_compression_t compression;
static size_t appsig_size;
+static int disable_cli;
int
grub_install_parse (int key, char *arg)
@@ -514,6 +515,9 @@ grub_install_parse (int key, char *arg)
* (nx509keys + 1));
x509keys[nx509keys++] = xstrdup (arg);
return 1;
+ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
+ disable_cli = 1;
+ return 1;
case GRUB_INSTALL_OPTIONS_VERBOSITY:
verbosity++;
@@ -707,12 +711,13 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
grub_util_info ("grub-mkimage --directory '%s' --prefix '%s' --output '%s'"
" --format '%s' --compression '%s'"
- " --appended-signature-size %zu%s%s%s\n",
+ " --appended-signature-size %zu%s%s%s%s\n",
dir, prefix, outname,
mkimage_target, compnames[compression],
appsig_size,
note ? " --note" : "",
- disable_shim_lock ? " --disable-shim-lock" : "", s);
+ disable_shim_lock ? " --disable-shim-lock" : "",
+ disable_cli ? " --disable-cli" : "", s);
free (s);
tgt = grub_install_get_image_target (mkimage_target);
@@ -724,7 +729,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
pubkeys, npubkeys, x509keys, nx509keys,
config_path, tgt,
note, appsig_size, compression, dtb, sbat,
- disable_shim_lock);
+ disable_shim_lock, disable_cli);
while (dc--)
grub_install_pop_module ();
}
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
index 7d61ef3ea..351a5e430 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -84,6 +84,7 @@ static struct argp_option options[] = {
{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
{"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
{"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0},
+ {"disable-cli", GRUB_INSTALL_OPTIONS_DISABLE_CLI, 0, 0, N_("disable command line interface access"), 0},
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
{"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
{ 0, 0, 0, 0, 0, 0 }
@@ -133,6 +134,7 @@ struct arguments
int note;
int disable_shim_lock;
size_t appsig_size;
+ int disable_cli;
const struct grub_install_image_target_desc *image_target;
grub_compression_t comp;
};
@@ -259,6 +261,10 @@ argp_parser (int key, char *arg, struct argp_state *state)
arguments->disable_shim_lock = 1;
break;
+ case GRUB_INSTALL_OPTIONS_DISABLE_CLI:
+ arguments->disable_cli = 1;
+ break;
+
case 'v':
verbosity++;
break;
@@ -347,7 +353,8 @@ main (int argc, char *argv[])
arguments.image_target, arguments.note,
arguments.appsig_size,
arguments.comp, arguments.dtb,
- arguments.sbat, arguments.disable_shim_lock);
+ arguments.sbat, arguments.disable_shim_lock,
+ arguments.disable_cli);
if (grub_util_file_sync (fp) < 0)
grub_util_error (_("cannot sync `%s': %s"), arguments.output ? : "stdout",
diff --git a/util/mkimage.c b/util/mkimage.c
index 0737935fd..d6cc13475 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -889,7 +889,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
const struct grub_install_image_target_desc *image_target,
int note, size_t appsig_size, grub_compression_t comp,
const char *dtb_path, const char *sbat_path,
- int disable_shim_lock)
+ int disable_shim_lock,
+ int disable_cli)
{
char *kernel_img, *core_img;
size_t total_module_size, core_size;
@@ -964,6 +965,9 @@ grub_install_generate_image (const char *dir, const char *prefix,
if (disable_shim_lock)
total_module_size += sizeof (struct grub_module_header);
+ if (disable_cli)
+ total_module_size += sizeof (struct grub_module_header);
+
if (config_path)
{
config_size = ALIGN_ADDR (grub_util_get_image_size (config_path) + 1);
@@ -1130,6 +1134,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
offset += sizeof (*header);
}
+ if (disable_cli)
+ {
+ struct grub_module_header *header;
+
+ header = (struct grub_module_header *) (kernel_img + offset);
+ header->type = grub_host_to_target32 (OBJ_TYPE_DISABLE_CLI);
+ header->size = grub_host_to_target32 (sizeof (*header));
+ offset += sizeof (*header);
+ }
+
if (config_path)
{
struct grub_module_header *header;
--
2.46.0


@ -0,0 +1,55 @@
From 8b9234c7e482edd49a9b3377da8e48fbd54aab28 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 24 Sep 2024 18:59:34 +0800
Subject: [PATCH] efinet: Skip virtual VLAN devices during card enumeration
Similar to the fix in commit "c52ae4057 efinet: skip virtual IPv4 and
IPv6 devices during card enumeration", the UEFI PXE driver creates
additional VLAN child devices when a VLAN ID is configured on a network
interface associated with a physical NIC. These virtual VLAN devices
must be skipped during card enumeration to ensure that the subsequent
SNP exclusive open operation targets the correct physical card
instances, otherwise packet transfer would fail.
Example device path with VLAN nodes:
/MAC(123456789ABC,0x1)/Vlan(20)/IPv4(0.0.0.0,0x0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)
Signed-Off-by: Michael Chang <mchang@suse.com>
---
grub-core/net/drivers/efi/efinet.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/grub-core/net/drivers/efi/efinet.c b/grub-core/net/drivers/efi/efinet.c
index 720b5d0e1..3d0bf34fa 100644
--- a/grub-core/net/drivers/efi/efinet.c
+++ b/grub-core/net/drivers/efi/efinet.c
@@ -280,7 +280,8 @@ grub_efinet_findcards (void)
|| GRUB_EFI_DEVICE_PATH_SUBTYPE (child) == GRUB_EFI_IPV6_DEVICE_PATH_SUBTYPE)
&& parent
&& GRUB_EFI_DEVICE_PATH_TYPE (parent) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE
- && GRUB_EFI_DEVICE_PATH_SUBTYPE (parent) == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE)
+ && (GRUB_EFI_DEVICE_PATH_SUBTYPE (parent) == GRUB_EFI_MAC_ADDRESS_DEVICE_PATH_SUBTYPE
+ || GRUB_EFI_DEVICE_PATH_SUBTYPE (parent) == GRUB_EFI_VLAN_DEVICE_PATH_SUBTYPE))
continue;
net = grub_efi_open_protocol (*handle, &net_io_guid,
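Review bot: the widened `parent` test only skips handles whose last node is an IPv4 or IPv6 node (the `child` subtype check above it is unchanged), so a handle whose device path ends at the Vlan node itself, such as /MAC(...)/Vlan(20) from the commit message's example, is still enumerated as a card. If the firmware can install the SNP protocol on that VLAN handle as well, it needs its own skip condition; if not, please state in the commit message that only the IPv4/IPv6 children carry it.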
@@ -810,6 +811,15 @@ grub_efi_net_config_real (grub_efi_handle_t hnd, char **device,
dup_ldp->type = GRUB_EFI_END_DEVICE_PATH_TYPE;
dup_ldp->subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
dup_ldp->length = sizeof (*dup_ldp);
+
+ dup_ldp = grub_efi_find_last_device_path (dup_dp);
+ if (GRUB_EFI_DEVICE_PATH_SUBTYPE (dup_ldp) == GRUB_EFI_VLAN_DEVICE_PATH_SUBTYPE)
+ {
+ dup_ldp->type = GRUB_EFI_END_DEVICE_PATH_TYPE;
+ dup_ldp->subtype = GRUB_EFI_END_ENTIRE_DEVICE_PATH_SUBTYPE;
+ dup_ldp->length = sizeof (*dup_ldp);
+ }
+
match = grub_efi_compare_device_paths (dup_dp, cdp) == 0;
grub_free (dup_dp);
if (!match)
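Review bot: the added VLAN check compares only `GRUB_EFI_DEVICE_PATH_SUBTYPE (dup_ldp)` and dereferences the result of `grub_efi_find_last_device_path (dup_dp)` without a NULL test. Subtype values are only unique within a device path type, so also test `GRUB_EFI_DEVICE_PATH_TYPE (dup_ldp) == GRUB_EFI_MESSAGING_DEVICE_PATH_TYPE`, as the enumeration hunk does for `parent`, and skip the truncation if the helper can return NULL once the path has been cut down to its end node.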
--
2.46.1


@ -0,0 +1,48 @@
From 44f3c7978a8ac5cc94a5c885ac9e983ba2980f5e Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Wed, 29 May 2024 12:32:32 +0800
Subject: [PATCH] fix grub screen filled with post screen artifacts
---
grub-core/normal/menu.c | 7 ++++---
grub-core/term/efi/console.c | 2 +-
2 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index 1df2638d7..b11b28e0d 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -975,13 +975,14 @@ show_menu (grub_menu_t menu, int nested, int autobooted)
if (! e)
continue; /* Menu is empty. */
- grub_cls ();
-
if (auto_boot)
grub_menu_execute_with_fallback (menu, e, autobooted,
&execution_callback, &notify_boot);
else
- grub_menu_execute_entry (e, 0);
+ {
+ grub_cls ();
+ grub_menu_execute_entry (e, 0);
+ }
if (autobooted)
break;
}
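Review bot: with `grub_cls ()` moved into the `else` branch, the `auto_boot` path reaches `grub_menu_execute_with_fallback ()` without clearing the screen, and the commit message has no body explaining why that is wanted. Please describe in the message what produced the artifacts and why the clear must be skipped only for auto boot, so the asymmetry is not reverted later as an apparent oversight.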
diff --git a/grub-core/term/efi/console.c b/grub-core/term/efi/console.c
index bb587f39d..258b52737 100644
--- a/grub-core/term/efi/console.c
+++ b/grub-core/term/efi/console.c
@@ -432,7 +432,7 @@ grub_console_cls (struct grub_term_output *term __attribute__ ((unused)))
grub_efi_simple_text_output_interface_t *o;
grub_efi_int32_t orig_attr;
- if (grub_efi_is_finished || text_mode != GRUB_TEXT_MODE_AVAILABLE)
+ if (grub_prepare_for_text_output (term) != GRUB_ERR_NONE)
return;
o = grub_efi_system_table->con_out;
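Review bot: `grub_console_cls ()` now passes `term` to `grub_prepare_for_text_output ()`, but the parameter is still declared `__attribute__ ((unused))` in the signature shown in the hunk header; drop the attribute. The old test returned early when text mode was not available, while the new call presumably prepares text mode as a side effect, which is a behaviour change that deserves a sentence in the commit message.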
--
2.45.1


@ -0,0 +1,65 @@
From 7a8d9a29358fbe9eb5dcc70e63c417c4f3cd5068 Mon Sep 17 00:00:00 2001
From: "Darrick J. Wong" <djwong@kernel.org>
Date: Mon, 3 Feb 2025 15:41:22 -0800
Subject: [PATCH 1/3] fs/xfs: Add new superblock features added in Linux
6.12/6.13
The Linux port of XFS added a few new features in 2024. The existing
GRUB driver doesn't attempt to read or write any of the new metadata,
so, all three can be added to the incompat allowlist.
On the occasion align XFS_SB_FEAT_INCOMPAT_NREXT64 value.
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/xfs.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index c17e54e447..e3a69fe498 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -88,7 +88,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
#define XFS_SB_FEAT_INCOMPAT_META_UUID (1 << 2) /* metadata UUID */
#define XFS_SB_FEAT_INCOMPAT_BIGTIME (1 << 3) /* large timestamps */
#define XFS_SB_FEAT_INCOMPAT_NEEDSREPAIR (1 << 4) /* needs xfs_repair */
-#define XFS_SB_FEAT_INCOMPAT_NREXT64 (1 << 5) /* large extent counters */
+#define XFS_SB_FEAT_INCOMPAT_NREXT64 (1 << 5) /* large extent counters */
+#define XFS_SB_FEAT_INCOMPAT_EXCHRANGE (1 << 6) /* exchangerange supported */
+#define XFS_SB_FEAT_INCOMPAT_PARENT (1 << 7) /* parent pointers */
+#define XFS_SB_FEAT_INCOMPAT_METADIR (1 << 8) /* metadata dir tree */
/*
* Directory entries with ftype are explicitly handled by GRUB code.
@@ -98,6 +101,15 @@ GRUB_MOD_LICENSE ("GPLv3+");
*
* We do not currently verify metadata UUID, so it is safe to read filesystems
* with the XFS_SB_FEAT_INCOMPAT_META_UUID feature.
+ *
+ * We do not currently replay the log, so it is safe to read filesystems
+ * with the XFS_SB_FEAT_INCOMPAT_EXCHRANGE feature.
+ *
+ * We do not currently read directory parent pointers, so it is safe to read
+ * filesystems with the XFS_SB_FEAT_INCOMPAT_PARENT feature.
+ *
+ * We do not currently look at realtime or quota metadata, so it is safe to
+ * read filesystems with the XFS_SB_FEAT_INCOMPAT_METADIR feature.
*/
#define XFS_SB_FEAT_INCOMPAT_SUPPORTED \
(XFS_SB_FEAT_INCOMPAT_FTYPE | \
@@ -105,7 +117,10 @@ GRUB_MOD_LICENSE ("GPLv3+");
XFS_SB_FEAT_INCOMPAT_META_UUID | \
XFS_SB_FEAT_INCOMPAT_BIGTIME | \
XFS_SB_FEAT_INCOMPAT_NEEDSREPAIR | \
- XFS_SB_FEAT_INCOMPAT_NREXT64)
+ XFS_SB_FEAT_INCOMPAT_NREXT64 | \
+ XFS_SB_FEAT_INCOMPAT_EXCHRANGE | \
+ XFS_SB_FEAT_INCOMPAT_PARENT | \
+ XFS_SB_FEAT_INCOMPAT_METADIR)
struct grub_xfs_sblock
{
--
2.48.1


@ -1,44 +0,0 @@
From a59b58f6ae327a8f6949991cb5531db01e1ba14d Mon Sep 17 00:00:00 2001
From: Wen Xiong <wenxiong@linux.ibm.com>
Date: Tue, 7 Feb 2023 15:10:15 -0500
Subject: [PATCH] grub2: Can't setup a default boot device correctly on nvme
device in Beta3
The patch in Bug 200486 - SUSE1205666 - SLES15SP5 Beta1: Setup multiple dev path
for a nvmf boot device in grub2 caused the issue. That patch didn't consider
nvme devices carefully.
The new patch will check "nvme-of" instead of "nvme" to call
build_multi_boot_device().
Signed-off-by: Wen Xiong<wenxiong@linux.ibm.com>
---
grub-core/osdep/unix/platform.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
index db8fa4b95..fb47c0ffa 100644
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -288,11 +288,15 @@ grub_install_register_ieee1275 (int is_prep, const char *install_device,
}
*ptr = '\0';
}
- else if (grub_strstr(install_device, "nvme"))
- boot_device = build_multi_boot_device(install_device);
- else
+ else {
boot_device = get_ofpathname (install_device);
+ if (grub_strstr(boot_device, "nvme-of")) {
+ free (boot_device);
+ boot_device = build_multi_boot_device(install_device);
+ }
+ }
+
if (grub_util_exec ((const char * []){ "nvsetenv", "boot-device",
boot_device, NULL }))
{
--
2.39.1


@ -1,164 +0,0 @@
From 3e77c5494fd06f430588ae9c304fea370439d531 Mon Sep 17 00:00:00 2001
From: Wen Xiong <Wen Xiong>
Date: Thu, 15 Dec 2022 21:33:41 -0500
Subject: [PATCH] grub2: Set multiple device path for a nvmf boot device
nvmf support native multipath(ANA) by default.
The patch added the support for setting multiple
device path for a nvmf boot device.
localhost:~ grub2-install -v /dev/nvme1n1p1
...
...
...
grub2-install: info: executing nvsetenv boot-device /pci@800000020000132/fibre-channel@0,1/nvme-of/controller@5005076810193675,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec /pci@800000020000132/fibre-channel@0/nvme-of/controller@5005076810193675,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec /pci@800000020000132/fibre-channel@0/nvme-of/controller@50050768101935e5,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec /pci@800000020000132/fibre-channel@0,1/nvme-of/controller@50050768101935e5,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec.
Installation finished. No error reported.
localhost:~ # bootlist -m normal -o
nvme7n1
nvme5n1
nvme1n1
nvme4n1
localhost:~ # bootlist -m normal -r
/pci@800000020000132/fibre-channel@0,1/nvme-of/controller@5005076810193675,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec
/pci@800000020000132/fibre-channel@0/nvme-of/controller@5005076810193675,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec
/pci@800000020000132/fibre-channel@0/nvme-of/controller@50050768101935e5,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec
/pci@800000020000132/fibre-channel@0,1/nvme-of/controller@50050768101935e5,ffff:nqn=nqn.1986-03.com.ibm:nvme:2145.0000020420006CEA/namespace@ec
Signed-off-by: Wen Xiong <wenxiong@linux.ibm.com>
---
grub-core/osdep/linux/ofpath.c | 6 ++---
grub-core/osdep/unix/platform.c | 48 +++++++++++++++++++++++++++++++++
include/grub/util/install.h | 3 +++
include/grub/util/ofpath.h | 9 +++++++
4 files changed, 63 insertions(+), 3 deletions(-)
--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
@@ -209,7 +209,7 @@
}
}
-static char *
+char *
xrealpath (const char *in)
{
char *out;
@@ -224,7 +224,7 @@
return out;
}
-static char *
+char *
block_device_get_sysfs_path_and_link(const char *devicenode)
{
char *rpath;
@@ -535,7 +535,7 @@
}
-static char *
+char *
nvme_get_syspath(const char *nvmedev)
{
char *sysfs_path, *controller_node;
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -19,6 +19,7 @@
#include <config.h>
#include <grub/util/install.h>
+#include <grub/util/ofpath.h>
#include <grub/emu/hostdisk.h>
#include <grub/util/misc.h>
#include <grub/misc.h>
@@ -131,6 +132,51 @@
return rc;
}
+char *
+build_multi_boot_device(const char *install_device)
+{
+ char *sysfs_path;
+ char *nvme_ns;
+ unsigned int nsid;
+ char *ptr;
+ char *boot_device_string;
+ struct dirent *ep;
+ DIR *dp;
+
+ nvme_ns = strchr(install_device, 'n');
+ nsid = of_path_get_nvme_nsid(nvme_ns);
+ sysfs_path = nvme_get_syspath(nvme_ns);
+ strcat(sysfs_path, "/device");
+ sysfs_path = xrealpath(sysfs_path);
+
+ dp = opendir(sysfs_path);
+ ptr = boot_device_string = xmalloc (1000);
+
+ /* We cannot have a boot list with more than five entries */
+ while((ep = readdir(dp)) != NULL){
+ char *nvme_device;
+
+ if (grub_strstr(ep->d_name, "nvme")) {
+ nvme_device = xasprintf ("%s%s%x ",
+ get_ofpathname(ep->d_name),"/namespace@", nsid);
+ if ((strlen(boot_device_string) + strlen(nvme_device)) >= 200*5 - 1) {
+ grub_util_warn (_("More than five entries cannot be specified in the bootlist"));
+ free(nvme_device);
+ break;
+ }
+
+ strncpy(ptr, nvme_device, strlen(nvme_device));
+ ptr += strlen(nvme_device);
+ free(nvme_device);
+ }
+ }
+
+ *--ptr = '\0';
+ closedir(dp);
+
+ return boot_device_string;
+}
+
int
grub_install_register_efi (const grub_disk_t *efidir_grub_disk,
const char *efifile_path,
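Review bot: `build_multi_boot_device ()` calls `strlen (boot_device_string)` on the buffer returned by `xmalloc (1000)` before anything has been written to it, and `strncpy (ptr, nvme_device, strlen (nvme_device))` never writes a terminator, so every length check reads uninitialised memory and the 1000-byte bound is not actually enforced. Track the used length as `ptr - boot_device_string` (or zero the buffer) and compare against the allocation size rather than the literal `200*5 - 1`. Also unchecked: `strchr (install_device, 'n')` and `opendir (sysfs_path)` can return NULL, `strcat (sysfs_path, "/device")` appends to a buffer whose size this function does not know, the string returned by `get_ofpathname (ep->d_name)` is never freed, and `*--ptr = '\0'` writes one byte before the buffer when no directory entry matched.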
@@ -242,6 +288,8 @@
}
*ptr = '\0';
}
+ else if (grub_strstr(install_device, "nvme"))
+ boot_device = build_multi_boot_device(install_device);
else
boot_device = get_ofpathname (install_device);
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -241,6 +241,9 @@
const char *efi_distributor,
const char *force_disk);
+char *
+build_multi_boot_device(const char *install_device);
+
void
grub_install_register_ieee1275 (int is_prep, const char *install_device,
int partno, const char *relpath);
--- a/include/grub/util/ofpath.h
+++ b/include/grub/util/ofpath.h
@@ -32,4 +32,13 @@
char* of_find_fc_host(char* host_wwpn);
+char* nvme_get_syspath(const char *nvmedev);
+
+char* block_device_get_sysfs_path_and_link(const char *devicenode);
+
+char* xrealpath (const char *in);
+
+unsigned int of_path_get_nvme_nsid(const char* devname);
+
+
#endif /* ! GRUB_OFPATH_MACHINE_UTIL_HEADER */


@ -0,0 +1,171 @@
From 04e8509f04a4cd123bc9f290e60f582d57b2f258 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Tue, 27 Dec 2022 17:47:41 +0530
Subject: [PATCH 1/8] ieee1275: Platform Keystore (PKS) Support
enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsastry@linux.ibm.com>
---
grub-core/kern/ieee1275/ieee1275.c | 117 +++++++++++++++++++++++++++++
include/grub/ieee1275/ieee1275.h | 15 ++++
2 files changed, 132 insertions(+)
diff --git a/grub-core/kern/ieee1275/ieee1275.c b/grub-core/kern/ieee1275/ieee1275.c
index 36ca2dbfc..8d0048844 100644
--- a/grub-core/kern/ieee1275/ieee1275.c
+++ b/grub-core/kern/ieee1275/ieee1275.c
@@ -807,3 +807,120 @@ grub_ieee1275_get_block_size (grub_ieee1275_ihandle_t ihandle)
return args.size;
}
+
+int
+grub_ieee1275_test (const char *name, grub_ieee1275_cell_t *missing)
+{
+ struct test_args
+ {
+ struct grub_ieee1275_common_hdr common;
+ grub_ieee1275_cell_t name;
+ grub_ieee1275_cell_t missing;
+ } args;
+
+ INIT_IEEE1275_COMMON (&args.common, "test", 1, 1);
+ args.name = (grub_ieee1275_cell_t) name;
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+ return -1;
+
+ if (args.missing == IEEE1275_CELL_INVALID)
+ return -1;
+
+ *missing = args.missing;
+
+ return 0;
+}
+
+int
+grub_ieee1275_pks_max_object_size (grub_size_t *result)
+{
+ struct mos_args
+ {
+ struct grub_ieee1275_common_hdr common;
+ grub_ieee1275_cell_t size;
+ } args;
+
+ INIT_IEEE1275_COMMON (&args.common, "pks-max-object-size", 0, 1);
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+ return -1;
+
+ if (args.size == IEEE1275_CELL_INVALID)
+ return -1;
+
+ *result = args.size;
+
+ return 0;
+}
+
+int
+grub_ieee1275_pks_read_object (grub_uint8_t consumer, grub_uint8_t *label,
+ grub_size_t label_len, grub_uint8_t *buffer,
+ grub_size_t buffer_len, grub_size_t *data_len,
+ grub_uint32_t *policies)
+{
+ struct pks_read_args
+ {
+ struct grub_ieee1275_common_hdr common;
+ grub_ieee1275_cell_t consumer;
+ grub_ieee1275_cell_t label;
+ grub_ieee1275_cell_t label_len;
+ grub_ieee1275_cell_t buffer;
+ grub_ieee1275_cell_t buffer_len;
+ grub_ieee1275_cell_t data_len;
+ grub_ieee1275_cell_t policies;
+ grub_ieee1275_cell_t rc;
+ } args;
+
+ INIT_IEEE1275_COMMON (&args.common, "pks-read-object", 5, 3);
+ args.consumer = (grub_ieee1275_cell_t) consumer;
+ args.label = (grub_ieee1275_cell_t) label;
+ args.label_len = (grub_ieee1275_cell_t) label_len;
+ args.buffer = (grub_ieee1275_cell_t) buffer;
+ args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+ return -1;
+
+ if (args.data_len == IEEE1275_CELL_INVALID)
+ return -1;
+
+ *data_len = args.data_len;
+ *policies = args.policies;
+
+ return (int) args.rc;
+}
+
+int
+grub_ieee1275_pks_read_sbvar (grub_uint8_t sbvarflags, grub_uint8_t sbvartype,
+ grub_uint8_t *buffer, grub_size_t buffer_len,
+ grub_size_t *data_len)
+{
+ struct pks_read_sbvar_args
+ {
+ struct grub_ieee1275_common_hdr common;
+ grub_ieee1275_cell_t sbvarflags;
+ grub_ieee1275_cell_t sbvartype;
+ grub_ieee1275_cell_t buffer;
+ grub_ieee1275_cell_t buffer_len;
+ grub_ieee1275_cell_t data_len;
+ grub_ieee1275_cell_t rc;
+ } args;
+
+ INIT_IEEE1275_COMMON (&args.common, "pks-read-sbvar", 4, 2);
+ args.sbvarflags = (grub_ieee1275_cell_t) sbvarflags;
+ args.sbvartype = (grub_ieee1275_cell_t) sbvartype;
+ args.buffer = (grub_ieee1275_cell_t) buffer;
+ args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+ if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+ return -1;
+
+ if (args.data_len == IEEE1275_CELL_INVALID)
+ return -1;
+
+ *data_len = args.data_len;
+
+ return (int) args.rc;
+}
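Review bot: `grub_ieee1275_pks_read_object ()` and `grub_ieee1275_pks_read_sbvar ()` copy the firmware-supplied `args.data_len` to the caller without comparing it to `buffer_len`, and they store `*data_len` (and `*policies`) even when `args.rc` reports a failure. Since these values feed the parsing of secure boot variables, reject `data_len > buffer_len` here, write the out-parameters only when `rc` is 0, and add a comment above each function documenting the return codes and which buffers the firmware writes.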
diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
index ea90d79f7..6d8dd9463 100644
--- a/include/grub/ieee1275/ieee1275.h
+++ b/include/grub/ieee1275/ieee1275.h
@@ -237,6 +237,21 @@ char *EXPORT_FUNC(grub_ieee1275_encode_uint4) (grub_ieee1275_ihandle_t ihandle,
grub_size_t *size);
int EXPORT_FUNC(grub_ieee1275_get_block_size) (grub_ieee1275_ihandle_t ihandle);
+int EXPORT_FUNC (grub_ieee1275_test) (const char *name,
+ grub_ieee1275_cell_t *missing);
+
+// not exported: I don't want modules interacting with PKS.
+int grub_ieee1275_pks_max_object_size (grub_size_t *result);
+
+int grub_ieee1275_pks_read_object (grub_uint8_t consumer, grub_uint8_t *label,
+ grub_size_t label_len, grub_uint8_t *buffer,
+ grub_size_t buffer_len, grub_size_t *data_len,
+ grub_uint32_t *policies);
+
+int grub_ieee1275_pks_read_sbvar (grub_uint8_t sbvarflags, grub_uint8_t sbvartype,
+ grub_uint8_t *buffer, grub_size_t buffer_len,
+ grub_size_t *data_len);
+
grub_err_t EXPORT_FUNC(grub_claimmap) (grub_addr_t addr, grub_size_t size);
void EXPORT_FUNC(grub_releasemap) (void);
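Review bot: the comment `// not exported: I don't want modules interacting with PKS.` uses a C++-style comment and first person, unlike the block comments in the other headers touched on this page, and it is not clear that it covers all three `grub_ieee1275_pks_*` prototypes. Reword it as a `/* ... */` comment stating the policy (the PKS accessors stay kernel-only so loadable modules cannot call them) and place it above the group.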
--
2.47.0


@ -0,0 +1,170 @@
From 219b06c69d38a10349183002efb82bfec3b7ff5b Mon Sep 17 00:00:00 2001
From: Avnish Chouhan <avnish@linux.ibm.com>
Date: Wed, 21 Aug 2024 14:13:05 +0530
Subject: [PATCH] ieee1275: support added for multiple nvme bootpaths
This patch sets multiple NVMe boot-devices for more robust boot.
Scenario where NVMe multipaths are available, all the available bootpaths (Max 5)
will be added as the boot-device.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
---
grub-core/osdep/linux/ofpath.c | 6 +--
grub-core/osdep/unix/platform.c | 65 ++++++++++++++++++++++++++++++++-
include/grub/util/install.h | 3 ++
include/grub/util/ofpath.h | 4 ++
4 files changed, 74 insertions(+), 4 deletions(-)
diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
index 51d331f06..55ed7ddf2 100644
--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
@@ -209,7 +209,7 @@ find_obppath (const char *sysfs_path_orig)
}
}
-static char *
+char *
xrealpath (const char *in)
{
char *out;
@@ -224,7 +224,7 @@ xrealpath (const char *in)
return out;
}
-static char *
+char *
block_device_get_sysfs_path_and_link(const char *devicenode)
{
char *rpath;
@@ -535,7 +535,7 @@ of_path_get_nvme_nsid(const char* devname)
}
-static char *
+char *
nvme_get_syspath(const char *nvmedev)
{
char *sysfs_path, *controller_node;
diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
index 1e2961e00..bafcc84d7 100644
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -28,6 +28,8 @@
#include <dirent.h>
#include <string.h>
#include <errno.h>
+#include <grub/util/ofpath.h>
+#define BOOTDEV_BUFFER 1000
static char *
get_ofpathname (const char *dev)
@@ -203,6 +205,56 @@ grub_install_register_efi (const grub_disk_t *efidir_grub_disk,
return 0;
}
+char *
+add_multiple_nvme_bootdevices (const char *install_device)
+{
+ char *sysfs_path, *nvme_ns, *ptr;
+ unsigned int nsid;
+ char *multipath_boot;
+ struct dirent *ep;
+ DIR *dp;
+
+ /*
+ * Extracting the namespace from install_device.
+ * ex. install_device : /dev/nvme1n1
+ */
+ nvme_ns = grub_strstr (install_device, "nvme");
+ nsid = of_path_get_nvme_nsid (nvme_ns);
+ if (nsid == 0)
+ return NULL;
+
+ sysfs_path = nvme_get_syspath (nvme_ns);
+ strcat (sysfs_path, "/subsystem");
+ sysfs_path = xrealpath (sysfs_path);
+ dp = opendir (sysfs_path);
+ if (!dp)
+ return NULL;
+
+ ptr = multipath_boot = xmalloc (BOOTDEV_BUFFER);
+ while ((ep = readdir (dp)) != NULL)
+ {
+ char *path;
+ if (grub_strstr (ep->d_name, "nvme"))
+ {
+ path = xasprintf ("%s%s%x ", get_ofpathname (ep->d_name), "/namespace@", nsid);
+ if ((strlen (multipath_boot) + strlen (path)) > BOOTDEV_BUFFER)
+ {
+ grub_util_warn (_("Maximum five entries are allowed in the bootlist"));
+ free (path);
+ break;
+ }
+ strncpy (ptr, path, strlen (path));
+ ptr += strlen (path);
+ free (path);
+ }
+ }
+
+ *--ptr = '\0';
+ closedir (dp);
+
+ return multipath_boot;
+}
+
void
grub_install_register_ieee1275 (int is_prep, const char *install_device,
int partno, const char *relpath)
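Review bot: in `add_multiple_nvme_bootdevices ()` the bound check `strlen (multipath_boot) + strlen (path) > BOOTDEV_BUFFER` runs on a buffer from `xmalloc ()` that is never initialised or NUL-terminated (`strncpy` copies exactly `strlen (path)` bytes), so the length it measures is undefined and the copy can run past `BOOTDEV_BUFFER`. Use `ptr - multipath_boot` as the current length. In addition, `*--ptr = '\0'` writes before the buffer when no entry under the subsystem directory matched, the `opendir ()` failure path leaks `sysfs_path`, the `get_ofpathname ()` result inside `xasprintf ()` is leaked on every iteration, and the result of `grub_strstr (install_device, "nvme")` is passed to `of_path_get_nvme_nsid ()` without a NULL check. The warning text speaks of five entries, but the code limits bytes, not entries.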
@@ -242,8 +294,19 @@ grub_install_register_ieee1275 (int is_prep, const char *install_device,
}
*ptr = '\0';
}
+ else if (grub_strstr (install_device, "nvme"))
+ {
+ boot_device = add_multiple_nvme_bootdevices (install_device);
+ }
else
- boot_device = get_ofpathname (install_device);
+ {
+ boot_device = get_ofpathname (install_device);
+ if (grub_strstr (boot_device, "nvme-of"))
+ {
+ free (boot_device);
+ boot_device = add_multiple_nvme_bootdevices (install_device);
+ }
+ }
if (grub_util_exec ((const char * []){ "nvsetenv", "boot-device",
boot_device, NULL }))
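Review bot: `add_multiple_nvme_bootdevices ()` returns NULL when the namespace id is 0 or `opendir ()` fails, and both new call sites hand that result to `nvsetenv` through `grub_util_exec ()` unchecked; fall back to `get_ofpathname (install_device)` or report an error instead. The first new branch also matches any `install_device` containing "nvme", which sends local NVMe disks through the multipath code and leaves the "nvme-of" test in the `else` branch reachable only for device names without "nvme" in them; the patch removed earlier on this page switched to testing the Open Firmware path for "nvme-of" for exactly this reason.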
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index 563cf68e9..2fd102649 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -241,6 +241,9 @@ grub_install_register_efi (const grub_disk_t *efidir_grub_disk,
const char *efi_distributor,
const char *force_disk);
+char *
+add_multiple_nvme_bootdevices (const char *install_device);
+
void
grub_install_register_ieee1275 (int is_prep, const char *install_device,
int partno, const char *relpath);
diff --git a/include/grub/util/ofpath.h b/include/grub/util/ofpath.h
index a0ec30620..cc3c4bfbd 100644
--- a/include/grub/util/ofpath.h
+++ b/include/grub/util/ofpath.h
@@ -31,5 +31,9 @@ void add_filename_to_pile(char *filename, struct ofpath_files_list_root* root);
void find_file(char* filename, char* directory, struct ofpath_files_list_root* root, int max_depth, int depth);
char* of_find_fc_host(char* host_wwpn);
+char* nvme_get_syspath (const char *nvmedev);
+char* block_device_get_sysfs_path_and_link (const char *devicenode);
+char* xrealpath (const char *in);
+unsigned int of_path_get_nvme_nsid (const char* devname);
#endif /* ! GRUB_OFPATH_MACHINE_UTIL_HEADER */
--
2.47.0


@ -0,0 +1,122 @@
From ba65f46ffd2952a3f69d85a4534b1e55291f080c Mon Sep 17 00:00:00 2001
From: Avnish Chouhan <avnish@linux.ibm.com>
Date: Thu, 23 May 2024 18:43:14 +0530
Subject: [PATCH] kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on
Power
This patch adds support for Radix, Xive and Radix_gtse in Options
vector5 which is required for KVM LPARs. KVM LPARs ONLY support
Radix and not the Hash. Not enabling Radix on any PowerVM KVM LPARs
will result in boot failure.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/ieee1275/init.c | 63 +++++++++++++++++++++++++++++++++-
1 file changed, 62 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index bb800b275..8e08e5dd5 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -115,6 +115,16 @@ grub_addr_t grub_ieee1275_original_stack;
#define DRC_INFO 0x40
#define BYTE22 (DY_MEM_V2 | DRC_INFO)
+/* For ibm,arch-vec-5-platform-support. */
+#define XIVE_INDEX 0x17
+#define MMU_INDEX 0x18
+#define RADIX_GTSE_INDEX 0x1a
+#define RADIX_ENABLED 0x40
+#define XIVE_ENABLED 0x40
+#define HASH_ENABLED 0x00
+#define MAX_SUPPORTED 0xC0
+#define RADIX_GTSE_ENABLED 0x40
+
void
grub_exit (void)
{
@@ -740,6 +750,10 @@ struct option_vector5
grub_uint32_t platform_facilities;
grub_uint8_t sub_processors;
grub_uint8_t byte22;
+ grub_uint8_t xive;
+ grub_uint8_t mmu;
+ grub_uint8_t hpt_ext;
+ grub_uint8_t radix_gtse;
} GRUB_PACKED;
struct pvr_entry
@@ -778,6 +792,13 @@ grub_ieee1275_ibm_cas (void)
{
int rc;
grub_ieee1275_ihandle_t root;
+ grub_uint8_t ibm_arch_platform_support[8];
+ grub_ssize_t actual;
+ grub_uint8_t xive_support = 0;
+ grub_uint8_t mmu_support = 0;
+ grub_uint8_t radix_gtse_support = 0;
+ int i = 0;
+ int prop_len = 8;
struct cas_args
{
struct grub_ieee1275_common_hdr common;
@@ -786,6 +807,46 @@ grub_ieee1275_ibm_cas (void)
grub_ieee1275_cell_t cas_addr;
grub_ieee1275_cell_t result;
} args;
+
+ grub_ieee1275_get_integer_property (grub_ieee1275_chosen,
+ "ibm,arch-vec-5-platform-support",
+ (grub_uint32_t *) ibm_arch_platform_support,
+ sizeof (ibm_arch_platform_support),
+ &actual);
+
+ for (i = 0; i < prop_len; i++)
+ {
+ switch (ibm_arch_platform_support[i])
+ {
+ case XIVE_INDEX:
+ if (ibm_arch_platform_support[i + 1] & MAX_SUPPORTED)
+ xive_support = XIVE_ENABLED;
+ else
+ xive_support = 0;
+ break;
+
+ case MMU_INDEX:
+ if (ibm_arch_platform_support[i + 1] & MAX_SUPPORTED)
+ mmu_support = RADIX_ENABLED;
+ else
+ mmu_support = HASH_ENABLED;
+ break;
+
+ case RADIX_GTSE_INDEX:
+ if (mmu_support == RADIX_ENABLED)
+ radix_gtse_support = ibm_arch_platform_support[i + 1] & RADIX_GTSE_ENABLED;
+ else
+ radix_gtse_support = 0;
+ break;
+
+ default:
+ /* Ignoring the other indexes of ibm,arch-vec-5-platform-support. */
+ break;
+ }
+ /* Skipping the property value. */
+ i++;
+ }
+
struct cas_vector vector =
{
.pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */
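Review bot: the return value of `grub_ieee1275_get_integer_property ()` and the length returned in `actual` are ignored, so when the "ibm,arch-vec-5-platform-support" property is missing or shorter than 8 bytes the loop parses uninitialised stack bytes from `ibm_arch_platform_support[]` and may advertise XIVE or Radix support the platform never offered. Zero-initialise the array, skip the parsing when the call fails, and bound the loop by `actual` instead of the fixed `prop_len`. The `(grub_uint32_t *)` cast of a `grub_uint8_t[8]` buffer also deserves a comment on alignment and byte order, since the loop then indexes it per byte.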
@@ -802,7 +863,7 @@ grub_ieee1275_ibm_cas (void)
.vec4 = 0x0001, /* set required minimum capacity % to the lowest value */
.vec5_size = 1 + sizeof (struct option_vector5) - 2,
.vec5 = {
- 0, BYTE2, 0, CMO, ASSOCIATIVITY, BIN_OPTS, 0, 0, MAX_CPU, 0, 0, PLATFORM_FACILITIES, SUB_PROCESSORS, BYTE22
+ 0, BYTE2, 0, CMO, ASSOCIATIVITY, BIN_OPTS, 0, 0, MAX_CPU, 0, 0, PLATFORM_FACILITIES, SUB_PROCESSORS, BYTE22, xive_support, mmu_support, 0, radix_gtse_support
}
};
--
2.47.0


@ -0,0 +1,66 @@
From 56b221476d31310de485af26550c8651618832bb Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Tue, 29 Oct 2024 11:54:28 +0800
Subject: [PATCH] kern/main: Fix cmdpath in root directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The "cmdpath" environment variable is set at startup to the location
from which the grub image is loaded. It includes a device part and,
optionally, an absolute directory name if the grub image is booted as a
file in a local file-system directory, or in a remote server directory,
like TFTP.
This entire process relies on firmware to provide the correct device
path of the booted image.
We encountered an issue when the image is booted from the root
directory, where the absolute directory name "/" is discarded. This
makes it unclear whether the root path was missing in the firmware
provided device path or if it is simply the root directory. This
ambiguity can cause confusion in custom scripts, potentially causing
them to interpret firmware data incorrectly and trigger unintended
fallback measures.
This patch fixes the problem by properly assigning the "fwpath" returned
by "grub_machine_get_bootlocation()" to "cmdpath". The fix is based on
the fact that fwpath is NULL if the firmware didn't provide a path part
or an NUL character, "", if it represents the root directory. With this,
it becomes possible to clearly distinguish:
- cmdpath=(hd0,1) - Either the image is booted from the first (raw)
partition, or the firmware failed to provide the path part.
- cmdpath=(hd0,1)/ - The image is booted from the root directory in the
first partition.
As a side note, the fix is similar to [1], but without the renaming
part.
[1] https://mail.gnu.org/archive/html/grub-devel/2024-10/msg00155.html
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/kern/main.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index ef3b3756d..f9ab12c74 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -136,7 +136,11 @@ grub_set_prefix_and_root (void)
{
char *cmdpath;
- cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
+ if (fwpath && *fwpath == '\0')
+ cmdpath = grub_xasprintf ("(%s)/", fwdevice);
+ else
+ cmdpath = grub_xasprintf ("(%s)%s", fwdevice, fwpath ? : "");
+
if (cmdpath)
{
grub_env_set ("cmdpath", cmdpath);
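Review bot: The new `if (fwpath && *fwpath == '\0')` branch carries no comment, so the NULL versus empty-string contract of `fwpath` that the fix depends on is recorded only in the commit message. A short comment above the branch (NULL: the firmware gave no path part; "": the image was booted from the root directory) would keep a later cleanup from folding the two cases back together. In the else branch, `fwpath ? : ""` now only covers the NULL case, which is worth stating as well.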
--
2.47.0


@ -1,7 +1,7 @@
From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
From 1bc53f8fc980914132040670b85a010e094559ec Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hegatta@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:53 -0800
Subject: [PATCH 1/5] key_protector: Add key protectors framework
Subject: [PATCH] key_protector: Add key protectors framework
A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
@ -19,17 +19,18 @@ Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 5 +++
grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
include/grub/key_protector.h | 46 ++++++++++++++++++++
4 files changed, 130 insertions(+)
grub-core/disk/key_protector.c | 73 ++++++++++++++++++++++++++++++++++
include/grub/key_protector.h | 47 ++++++++++++++++++++++
4 files changed, 126 insertions(+)
create mode 100644 grub-core/disk/key_protector.c
create mode 100644 include/grub/key_protector.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index f18550c1c..9d3d5f519 100644
index 1eda467e0..e50db8106 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@ endif
@ -41,10 +42,10 @@ index f18550c1c..9d3d5f519 100644
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index bc893e547..4307b8e2d 100644
index a38955e18..37f131ae2 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1302,6 +1302,11 @@ module = {
@@ -1282,6 +1282,11 @@ module = {
common = disk/raid6_recover.c;
};
@ -58,13 +59,14 @@ index bc893e547..4307b8e2d 100644
common = disk/scsi.c;
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
new file mode 100644
index 000000000..b84afe1c7
index 000000000..0d146c1c0
--- /dev/null
+++ b/grub-core/disk/key_protector.c
@@ -0,0 +1,78 @@
@@ -0,0 +1,73 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
+ * Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
@ -93,16 +95,14 @@ index 000000000..b84afe1c7
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector)
+{
+ if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+ if (protector == NULL || protector->name == NULL || protector->name[0] == '\0')
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for registration");
+
+ if (grub_key_protectors &&
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
+ protector->name))
+ return GRUB_ERR_BAD_ARGUMENT;
+ if (grub_key_protectors != NULL &&
+ grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector->name) != NULL)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Key protector '%s' already registered", protector->name);
+
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
+ GRUB_AS_LIST (protector));
+ grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors), GRUB_AS_LIST (protector));
+
+ return GRUB_ERR_NONE;
+}
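Review bot: `grub_key_protector_register()` validates `protector` and `protector->name` but not `protector->recover_key`, while `grub_key_protector_recover_key()` later calls `kp->recover_key (key, key_size)` unconditionally. Rejecting a NULL `recover_key` here with GRUB_ERR_BAD_ARGUMENT would stop an incomplete protector from turning into a NULL call on the disk-unlock path.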
@ -111,7 +111,7 @@ index 000000000..b84afe1c7
+grub_key_protector_unregister (struct grub_key_protector *protector)
+{
+ if (protector == NULL)
+ return GRUB_ERR_BAD_ARGUMENT;
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector for unregistration");
+
+ grub_list_remove (GRUB_AS_LIST (protector));
+
@ -125,30 +125,27 @@ index 000000000..b84afe1c7
+ struct grub_key_protector *kp = NULL;
+
+ if (grub_key_protectors == NULL)
+ return GRUB_ERR_OUT_OF_RANGE;
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
+
+ if (protector == NULL || grub_strlen (protector) == 0)
+ return GRUB_ERR_BAD_ARGUMENT;
+ if (protector == NULL || protector[0] == '\0')
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid key protector");
+
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
+ protector);
+ kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors), protector);
+ if (kp == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE,
+ N_("A key protector with name '%s' could not be found. "
+ "Is the name spelled correctly and is the "
+ "corresponding module loaded?"), protector);
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
+
+ return kp->recover_key (key, key_size);
+}
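Review bot: `grub_key_protector_recover_key()` checks `protector` but hands `key` and `key_size` to `kp->recover_key` without checking them, so every protector implementation has to repeat that validation. A single `key == NULL || key_size == NULL` test next to the existing `protector` check would centralise it. The reworked messages also drop the `N_()` marker that the earlier "could not be found" message used; please confirm that is intended.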
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
new file mode 100644
index 000000000..6e6a6fb24
index 000000000..00b15c13d
--- /dev/null
+++ b/include/grub/key_protector.h
@@ -0,0 +1,46 @@
@@ -0,0 +1,47 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2022 Microsoft Corporation
+ * Copyright (C) 2024 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
@ -193,5 +190,5 @@ index 000000000..6e6a6fb24
+
+#endif /* ! GRUB_PROTECTOR_HEADER */
--
2.35.3
2.43.0


@ -0,0 +1,68 @@
From f0a61161f74f9855af84778261338224d926a61f Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sat, 15 Jun 2024 02:33:08 +0100
Subject: [PATCH 01/20] misc: Implement grub_strlcpy()
grub_strlcpy() acts the same way as strlcpy() does on most *NIX,
returning the length of src and ensuring dest is always NUL
terminated except when size is 0.
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/misc.h | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 6e94d18f5a..e087e7b3e8 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -64,6 +64,45 @@ grub_stpcpy (char *dest, const char *src)
return d - 1;
}
+static inline grub_size_t
+grub_strlcpy (char *dest, const char *src, grub_size_t size)
+{
+ char *d = dest;
+ grub_size_t res = 0;
+ /*
+ * We do not subtract one from size here to avoid dealing with underflowing
+ * the value, which is why to_copy is always checked to be greater than one
+ * throughout this function.
+ */
+ grub_size_t to_copy = size;
+
+ /* Copy size - 1 bytes to dest. */
+ if (to_copy > 1)
+ while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)
+ ;
+
+ /*
+ * NUL terminate if size != 0. The previous step may have copied a NUL byte
+ * if it reached the end of the string, but we know dest[size - 1] must always
+ * be a NUL byte.
+ */
+ if (size != 0)
+ dest[size - 1] = '\0';
+
+ /* If there is still space in dest, but are here, we reached the end of src. */
+ if (to_copy > 1)
+ return res;
+
+ /*
+ * If we haven't reached the end of the string, iterate through to determine
+ * the strings total length.
+ */
+ while (*src++ != '\0' && ++res)
+ ;
+
+ return res;
+}
+
/* XXX: If grub_memmove is too slow, we must implement grub_memcpy. */
static inline void *
grub_memcpy (void *dest, const void *src, grub_size_t n)
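Review bot: In `grub_strlcpy()` both loops use `++res` as a term of the `&&` chain (`while ((*d++ = *src++) != '\0' && ++res && --to_copy > 1)` and `while (*src++ != '\0' && ++res)`), so the counter doubles as a loop condition that would end the loop if it ever wrapped to zero, and the copy, count and bound are hard to audit in one expression. Moving the increments into the loop body would make the truncation path easier to verify. The comments "but are here" and "the strings total length" also need fixing, and a few unit tests for `size` of 0, 1 and exact fit would suit a helper meant to replace unbounded copies.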
--
2.48.1


@ -0,0 +1,102 @@
From 68a2663cc316d55c2670a639c8a4a2a43ffdb141 Mon Sep 17 00:00:00 2001
From: Avnish Chouhan <avnish@linux.ibm.com>
Date: Wed, 15 Jan 2025 17:46:05 +0530
Subject: [PATCH] powerpc: increase MIN RMA size for CAS negotiation
Change RMA size from 512 MB to 768 MB which will result
in more memory at boot time for PowerPC. When PowerPC LPAR use/uses vTPM,
Secure Boot or FADump, the 512 MB RMA memory is not sufficient for
booting. With this 512 MB RMA, GRUB2 runs out of memory and is unable to
load the necessary. Sometimes even usage of CDROM which requires more
memory for installation along with the options mentioned above troubles
the boot memory and results in boot failures. Increasing the RMA size
will resolve multiple out of memory issues observed in PowerPC.
Failure details (GRUB2 debugs):
kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 1
kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime
space
kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 0
kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime
space
kern/file.c:215: Closing `/ppc/ppc64/initrd.img' ...
kern/disk.c:297: Closing
`ieee1275//vdevice/v-scsi
@30000067/disk@8300000000000000'...
kern/disk.c:311: Closing
`ieee1275//vdevice/v-scsi
@30000067/disk@8300000000000000' succeeded.
kern/file.c:225: Closing `/ppc/ppc64/initrd.img' failed with 3.
kern/file.c:148: Opening `/ppc/ppc64/initrd.img' succeeded.
error: ../../grub-core/kern/mm.c:552:out of memory.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Link: https://lore.kernel.org/r/20250115121605.56049-1-avnish@linux.ibm.com
---
grub-core/kern/ieee1275/init.c | 33 +++++++++++++++++++++++++++++----
1 file changed, 29 insertions(+), 4 deletions(-)
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index 8e08e5dd5c..e0634603ef 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -855,7 +855,7 @@ grub_ieee1275_ibm_cas (void)
.vec1 = 0x80, /* ignore */
.vec2_size = 1 + sizeof (struct option_vector2) - 2,
.vec2 = {
- 0, 0, -1, -1, -1, -1, -1, 512, -1, 0, 48
+ 0, 0, -1, -1, -1, -1, -1, 768, -1, 0, 48
},
.vec3_size = 2 - 1,
.vec3 = 0x00e0, /* ask for FP + VMX + DFP but don't halt if unsatisfied */
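Review bot: In `.vec2` the minimum RMA is a bare `768` inside a positional initializer, and the later check in `grub_claim_heap()` uses a separate `512 * 1024 * 1024` literal. Named constants for the requested minimum RMA and for the threshold that triggers CAS would make the relationship between the two values explicit and harder to change inconsistently.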
@@ -892,6 +892,10 @@ grub_claim_heap (void)
{
grub_err_t err;
grub_uint32_t total = HEAP_MAX_SIZE;
+#if defined(__powerpc__)
+ grub_uint32_t ibm_ca_support_reboot;
+ grub_ssize_t actual;
+#endif
err = grub_ieee1275_total_mem (&rmo_top);
@@ -904,11 +908,32 @@ grub_claim_heap (void)
grub_mm_add_region_fn = grub_ieee1275_mm_add_region;
#if defined(__powerpc__)
+ /* Check if it's a CAS reboot with below property. If so, we will skip CAS call */
+ ibm_ca_support_reboot = 0;
+ if (grub_ieee1275_get_integer_property (grub_ieee1275_chosen,
+ "ibm,client-architecture-support-reboot",
+ &ibm_ca_support_reboot,
+ sizeof (ibm_ca_support_reboot),
+ &actual) >= 0)
+ grub_dprintf ("ieee1275", "ibm,client-architecture-support-reboot: %u\n",
+ ibm_ca_support_reboot);
+
if (grub_ieee1275_test_flag (GRUB_IEEE1275_FLAG_CAN_TRY_CAS_FOR_MORE_MEMORY))
{
- /* if we have an error, don't call CAS, just hope for the best */
- if (err == GRUB_ERR_NONE && rmo_top < (512 * 1024 * 1024))
- grub_ieee1275_ibm_cas ();
+ /*
+ * If we have an error or the reboot is detected as CAS reboot,
+ * don't call CAS, just hope for the best.
+ * Along with the above, if the rmo_top is 512 MB or above. We
+ * will skip the CAS call. Though if we call CAS, the rmo_top will
+ * be set to 768 MB via CAS Vector2. This condition is required to avoid the
+ * issue where the older Linux kernels are still using rmo_top as 512 MB.
+ * Calling CAS when rmo_top is less then 768 MB will result in a issue
+ * where we won't be able to boot to a newer kernel and continue to
+ * boot with older kernel having rmo_top as 512 MB.
+ */
+ if (!ibm_ca_support_reboot && err == GRUB_ERR_NONE
+ && rmo_top < (512 * 1024 * 1024))
+ grub_ieee1275_ibm_cas ();
}
#endif
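Review bot: The CAS call in `grub_claim_heap()` is still gated on `rmo_top < (512 * 1024 * 1024)` although vec2 now requests 768 MB, so a partition that starts with an RMA between 512 MB and 768 MB never renegotiates. The comment says this is deliberate, but it is hard to follow ("less then 768 MB", "a issue") and does not state that case outright; please reword it to say so in one sentence. Also, `ibm_ca_support_reboot` keeps its initial 0 when `grub_ieee1275_get_integer_property()` fails, which silently means "not a CAS reboot"; a debug message on that path would help when diagnosing reboot loops.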
--
2.48.1


@ -0,0 +1,44 @@
From cda4b7a415eb45743ea54a7760b302c0cfe718cf Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Mon, 23 Sep 2024 10:32:18 +0800
Subject: [PATCH] tpm: Skip loopback image measurement
The loopback image is configured to function as a disk by being mapped
as a block device. Instead of measuring the entire block device, we
should focus on tracking the individual files accessed from it. For
example, we do not directly measure block devices like disk hd0, but the
files opened from it.
This method is important to avoid running out of memory, since loopback
images can be very large. Trying to read and measure the whole image at
once could cause out of memory errors and disrupt the boot process.
Signed-Off-by: Michael Chang <mchang@suse.com>
---
grub-core/commands/tpm.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/grub-core/commands/tpm.c b/grub-core/commands/tpm.c
index bb9aee210..ebbb4fef0 100644
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -41,6 +41,16 @@ grub_tpm_verify_init (grub_file_t io,
{
*context = io->name;
*flags |= GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
+
+ /*
+ * The loopback image is mapped as a disk, allowing it to function like a
+ * block device. However, we measure the files read from the block device,
+ * not the device itself. For example, we don't measure block devices like
+ * disk hd0 directly. This process is crucial to prevent out-of-memory
+ * errors, as loopback images are inherently large.
+ */
+ if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_LOOPBACK)
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
return GRUB_ERR_NONE;
}
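Review bot: In `grub_tpm_verify_init()` the loopback case assigns `*flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION` after `*context` and `GRUB_VERIFY_FLAGS_SINGLE_CHUNK` have already been set, so the earlier `|=` is overwritten and the context is set for a file that will not be measured. Testing `type` first and returning early would make the skip path explicit. Since this removes a measurement, the comment should also say that integrity coverage for loopback content depends entirely on the per-file measurements taken when files are opened from the mapped device.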
--
2.46.1


@ -1,4 +1,4 @@
From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
From 5b4ecd408417249dec8bfc71a3c0b7ef1070d3fa Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types
@ -8,16 +8,16 @@ to support those parameters.
Signed-off-by: Gary Lin <glin@suse.com>
---
grub-core/tpm2/args.c | 12 ++++++++++++
grub-core/tpm2/module.c | 16 ++++++++++++++--
util/grub-protect.c | 4 ++--
grub-core/commands/tpm2_key_protector/args.c | 12 ++++++++++++
grub-core/commands/tpm2_key_protector/module.c | 16 ++++++++++++++--
util/grub-protect.c | 4 ++--
3 files changed, 28 insertions(+), 4 deletions(-)
diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
index c11280ab9..d140364d2 100644
--- a/grub-core/tpm2/args.c
+++ b/grub-core/tpm2/args.c
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
diff --git a/grub-core/commands/tpm2_key_protector/args.c b/grub-core/commands/tpm2_key_protector/args.c
index 48c39de01..b291793a7 100644
--- a/grub-core/commands/tpm2_key_protector/args.c
+++ b/grub-core/commands/tpm2_key_protector/args.c
@@ -85,6 +85,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
srk_type->type = TPM_ALG_RSA;
srk_type->detail.rsa_bits = 2048;
}
@ -34,13 +34,13 @@ index c11280ab9..d140364d2 100644
+ srk_type->detail.rsa_bits = 4096;
+ }
else
return grub_error (GRUB_ERR_OUT_OF_RANGE,
N_("Value '%s' is not a valid asymmetric key type"),
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index b754b38df..8b72ed6fa 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -136,8 +136,8 @@ static const struct grub_arg_option grub_tpm2_protector_init_cmd_options[] =
return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("value '%s' is not a valid asymmetric key type"), value);
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 74e79a545..ee16d7f15 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -138,8 +138,8 @@ static const struct grub_arg_option tpm2_protector_init_cmd_options[] =
.arg = NULL,
.type = ARG_TYPE_STRING,
.doc =
@ -51,18 +51,18 @@ index b754b38df..8b72ed6fa 100644
},
/* NV Index-mode options */
{
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
{
case 2048:
return "RSA2048";
+ case 3072:
+ return "RSA3072";
+ case 4096:
+ return "RSA4096";
}
}
@@ -517,6 +517,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
return "ECC_NIST_P256";
else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 2048)
return "RSA2048";
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 3072)
+ return "RSA3072";
+ else if (srk_type.type == TPM_ALG_RSA && srk_type.detail.rsa_bits == 4096)
+ return "RSA4096";
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct grub_tpm2_protector_context *ctx,
return "Unknown";
}
@@ -535,6 +539,14 @@ tpm2_protector_load_key (const tpm2_protector_context_t *ctx,
.type = TPM_ALG_ECC,
.detail.ecc_curve = TPM_ECC_NIST_P256,
},
@ -78,20 +78,20 @@ index b754b38df..8b72ed6fa 100644
.type = TPM_ALG_RSA,
.detail.rsa_bits = 2048,
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 869f45861..00be03ca0 100644
index 5b7e952f4..f1108f2c5 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
@@ -202,8 +202,8 @@ static struct argp_option protect_options[] =
.arg = "TYPE",
.flags = 0,
.doc =
- N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
- N_("Set the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
- "(default: ECC)"),
+ N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ N_("Set the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+ "and ECC (ECC_NIST_P256). (default: ECC)"),
.group = 0
},
{
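Review bot: With RSA3072 and RSA4096 added, the list of SRK types is spelled out separately in `grub_tpm2_protector_parse_asymmetric()`, in `srk_type_to_name()`, in the fallback array in `tpm2_protector_load_key()` and in this help string, and nothing ties them together. A single table of name, algorithm and key size shared by the parser, the name lookup and the fallback list would prevent a type from being accepted on the command line but missing from the load path. The help text also reads as if "RSA" and "RSA2048" are two spellings of one choice while the new sizes have only one; please state the alias explicitly.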
--
2.35.3
2.43.0


@ -1,171 +0,0 @@
From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH] tpm2: Support authorized policy
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
digest is hashed with the hash algorithm written in 'signature', and then
'signature' is verified with the hashed policy digest and 'pubkey'. Once
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
signed policy.
To create the key file with authorized policy, here are the pcr-oracle(*2)
commands:
# Generate the RSA key and create the authorized policy file
$ pcr-oracle \
--rsa-generate-key \
--private-key policy-key.pem \
--auth authorized.policy \
create-authorized-policy 0,2,4,7,9
# Seal the secret with the authorized policy
$ pcr-oracle \
--key-format tpm2.0 \
--auth authorized.policy \
--input disk-secret.txt \
--output sealed.key \
seal-secret
# Sign the predicted PCR policy
$ pcr-oracle \
--key-format tpm2.0 \
--private-key policy-key.pem \
--from eventlog \
--stop-event "grub-file=grub.cfg" \
--after \
--input sealed.key \
--output sealed.tpm \
sign 0,2,4,7,9
Then specify the key file and the key protector to grub.cfg in the EFI
system partition:
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
cryptomount -u <PART_UUID> -P tpm2
For any change in the boot components, just run the 'sign' command again
to update the signature in sealed.tpm, and TPM can unseal the key file
with the updated PCR policy.
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
(*2) https://github.com/okirch/pcr-oracle
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
1 file changed, 84 insertions(+)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index 3db25ceca..e83b02865 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION session,
return GRUB_ERR_NONE;
}
+static grub_err_t
+grub_tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION session,
+ struct grub_tpm2_buffer *cmd_buf)
+{
+ TPM2B_PUBLIC pubkey;
+ TPM2B_DIGEST policy_ref;
+ TPMT_SIGNATURE signature;
+ TPM2B_DIGEST pcr_policy;
+ TPM2B_DIGEST pcr_policy_hash;
+ TPMI_ALG_HASH sig_hash;
+ TPMT_TK_VERIFIED verification_ticket;
+ TPM_HANDLE pubkey_handle = 0;
+ TPM2B_NAME pubname;
+ TPM_RC rc;
+ grub_err_t err;
+
+ grub_tpm2_mu_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
+ grub_tpm2_mu_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
+ grub_tpm2_mu_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
+ if (cmd_buf->error != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Failed to unmarshal the buffer for TPM2_PolicyAuthorize"));
+
+ /* Retrieve Policy Digest */
+ rc = TPM2_PolicyGetDigest (session, NULL, &pcr_policy, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to get policy digest (TPM2_PolicyGetDigest: 0x%x)."),
+ rc);
+
+ /* Calculate the digest of the polcy for VerifySignature */
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
+ if (sig_hash == TPM_ALG_NULL)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("Failed to get the hash algorithm of the signature"));
+
+ rc = TPM2_Hash (NULL, (TPM2B_MAX_BUFFER *)&pcr_policy, sig_hash,
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to create PCR policy hash (TPM2_Hash: 0x%x)"),
+ rc);
+
+ /* Load the public key */
+ rc = TPM2_LoadExternal (NULL, NULL, &pubkey, TPM_RH_OWNER,
+ &pubkey_handle, &pubname, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to load public key (TPM2_LoadExternal: 0x%x)"),
+ rc);
+
+ /* Verify the signature against the public key and the policy digest */
+ rc = TPM2_VerifySignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to verify signature (TPM2_VerifySignature: 0x%x)"),
+ rc);
+ goto error;
+ }
+
+ /* Authorize the signed policy with the public key and the verification ticket */
+ rc = TPM2_PolicyAuthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE,
+ N_("Failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)"),
+ rc);
+ goto error;
+ }
+
+ err = GRUB_ERR_NONE;
+
+error:
+ TPM2_FlushContext (pubkey_handle);
+
+ return err;
+}
+
static grub_err_t
grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION session)
{
@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSIO
case TPM_CC_PolicyPCR:
err = grub_tpm2_protector_policypcr (session, &buf);
break;
+ case TPM_CC_PolicyAuthorize:
+ err = grub_tpm2_protector_policyauthorize (session, &buf);
+ break;
default:
return grub_error (GRUB_ERR_BAD_ARGUMENT,
N_("Unknown TPM Command: 0x%x"), policy->cmd_code);
--
2.35.3


@ -1,12 +1,12 @@
From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
From 53e24662523d033ae3506b73787b972ef332db36 Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.colp@oracle.com>
Date: Mon, 31 Jul 2023 07:01:45 -0700
Subject: [PATCH 1/4] tpm2: Implement NV index
Subject: [PATCH] tpm2_key_protector: Implement NV index
Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.
Note: This only extends support on the unseal path. grub2_protect
Note: This only extends support on the unseal path. grub-protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.
@ -36,41 +36,40 @@ Then to unseal the key in grub, add this to grub.cfg:
Signed-off-by: Patrick Colp <patrick.colp@oracle.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
1 file changed, 20 insertions(+), 5 deletions(-)
.../commands/tpm2_key_protector/module.c | 23 +++++++++++++++----
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index e83b02865..b754b38df 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -1035,12 +1035,27 @@ static grub_err_t
grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
grub_uint8_t **key, grub_size_t *key_size)
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 6b4b5d460..74e79a545 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -973,11 +973,26 @@ tpm2_protector_srk_recover (const tpm2_protector_context_t *ctx,
}
static grub_err_t
-tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx __attribute__ ((unused)),
- grub_uint8_t **key __attribute__ ((unused)),
- grub_size_t *key_size __attribute__ ((unused)))
+tpm2_protector_nv_recover (const tpm2_protector_context_t *ctx,
+ grub_uint8_t **key, grub_size_t *key_size)
{
- (void)ctx;
- (void)key;
- (void)key_size;
+ TPM_HANDLE sealed_handle = ctx->nv;
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "NV Index mode is not implemented yet");
+ TPM_HANDLE_t sealed_handle = ctx->nv;
+ tpm2key_policy_t policy_seq = NULL;
+ grub_err_t err;
+
+ /* Create a basic policy sequence based on the given PCR selection */
+ err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+ err = tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+ if (err != GRUB_ERR_NONE)
+ goto exit;
+
+ err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
+ err = tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
+
+ /* Pop error messages on success */
+ if (err == GRUB_ERR_NONE)
+ while (grub_error_pop ());
+ exit:
+ grub_tpm2_flushcontext (sealed_handle);
+
+exit:
+ TPM2_FlushContext (sealed_handle);
- return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
- N_("NV Index mode is not implemented yet"));
+ grub_tpm2key_free_policy_seq (policy_seq);
+
+ return err;
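Review bot: In `tpm2_protector_nv_recover()` the `exit:` path flushes `sealed_handle`, which is just `ctx->nv` and not an object this function loaded, and it does so even when building the policy sequence failed before the handle was used. TPM2_FlushContext applies to transient objects and sessions, so please confirm it is meaningful for the handle passed here, and either drop the call or check and log its return value. The `while (grub_error_pop ());` on success would also be clearer with a comment saying which earlier errors it is expected to discard.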
@ -78,5 +77,5 @@ index e83b02865..b754b38df 100644
static grub_err_t
--
2.35.3
2.43.0


@ -0,0 +1,158 @@
From 7ef1b9b357c803cb8e30bbbebd44494b2b5c9d09 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Thu, 6 Apr 2023 16:00:25 +0800
Subject: [PATCH] tpm2_key_protector: Support authorized policy
This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.
TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File(*1), CommandPolicy for TPM2_PolicyAuthorize
comprises 'TPM2B_PUBLIC pubkey', 'TPM2B_DIGEST policy_ref', and
'TPMT_SIGNATURE signature'. To verify the signature, the current policy
digest is hashed with the hash algorithm written in 'signature', and then
'signature' is verified with the hashed policy digest and 'pubkey'. Once
TPM accepts 'signature', TPM2_PolicyAuthorize is invoked to authorize the
signed policy.
To create the key file with authorized policy, here are the pcr-oracle(*2)
commands:
# Generate the RSA key and create the authorized policy file
$ pcr-oracle \
--rsa-generate-key \
--private-key policy-key.pem \
--auth authorized.policy \
create-authorized-policy 0,2,4,7,9
# Seal the secret with the authorized policy
$ pcr-oracle \
--key-format tpm2.0 \
--auth authorized.policy \
--input disk-secret.txt \
--output sealed.key \
seal-secret
# Sign the predicted PCR policy
$ pcr-oracle \
--key-format tpm2.0 \
--private-key policy-key.pem \
--from eventlog \
--stop-event "grub-file=grub.cfg" \
--after \
--input sealed.key \
--output /boot/efi/efi/grub/sealed.tpm \
sign 0,2,4,7,9
Then specify the key file and the key protector to grub.cfg in the EFI
system partition:
tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
cryptomount -u <PART_UUID> -P tpm2
For any change in the boot components, just run the 'sign' command again
to update the signature in sealed.tpm, and TPM can unseal the key file
with the updated PCR policy.
(*1) https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
(*2) https://github.com/okirch/pcr-oracle
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
.../commands/tpm2_key_protector/module.c | 70 +++++++++++++++++++
1 file changed, 70 insertions(+)
diff --git a/grub-core/commands/tpm2_key_protector/module.c b/grub-core/commands/tpm2_key_protector/module.c
index 70d4d0df7..6b4b5d460 100644
--- a/grub-core/commands/tpm2_key_protector/module.c
+++ b/grub-core/commands/tpm2_key_protector/module.c
@@ -618,6 +618,73 @@ tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffe
return GRUB_ERR_NONE;
}
+static grub_err_t
+tpm2_protector_policyauthorize (TPMI_SH_AUTH_SESSION_t session, struct grub_tpm2_buffer *cmd_buf)
+{
+ TPM2B_PUBLIC_t pubkey;
+ TPM2B_DIGEST_t policy_ref;
+ TPMT_SIGNATURE_t signature;
+ TPM2B_DIGEST_t pcr_policy;
+ TPM2B_DIGEST_t pcr_policy_hash;
+ TPMI_ALG_HASH_t sig_hash;
+ TPMT_TK_VERIFIED_t verification_ticket;
+ TPM_HANDLE_t pubkey_handle = 0;
+ TPM2B_NAME_t pubname;
+ TPM_RC_t rc;
+ grub_err_t err;
+
+ grub_Tss2_MU_TPM2B_PUBLIC_Unmarshal (cmd_buf, &pubkey);
+ grub_Tss2_MU_TPM2B_DIGEST_Unmarshal (cmd_buf, &policy_ref);
+ grub_Tss2_MU_TPMT_SIGNATURE_Unmarshal (cmd_buf, &signature);
+ if (cmd_buf->error != 0)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to unmarshal the buffer for TPM2_PolicyAuthorize");
+
+ /* Retrieve Policy Digest */
+ rc = grub_tpm2_policygetdigest (session, NULL, &pcr_policy, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to get policy digest (TPM2_PolicyGetDigest: 0x%x).", rc);
+
+ /* Calculate the digest of the polcy for VerifySignature */
+ sig_hash = TPMT_SIGNATURE_get_hash_alg (&signature);
+ if (sig_hash == TPM_ALG_NULL)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "failed to get the hash algorithm of the signature");
+
+ rc = grub_tpm2_hash (NULL, (TPM2B_MAX_BUFFER_t *) &pcr_policy, sig_hash,
+ TPM_RH_NULL, &pcr_policy_hash, NULL, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to create PCR policy hash (TPM2_Hash: 0x%x)", rc);
+
+ /* Load the public key */
+ rc = grub_tpm2_loadexternal (NULL, NULL, &pubkey, TPM_RH_OWNER, &pubkey_handle, &pubname, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ return grub_error (GRUB_ERR_BAD_DEVICE, "failed to load public key (TPM2_LoadExternal: 0x%x)", rc);
+
+ /* Verify the signature against the public key and the policy digest */
+ rc = grub_tpm2_verifysignature (pubkey_handle, NULL, &pcr_policy_hash, &signature,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to verify signature (TPM2_VerifySignature: 0x%x)", rc);
+ goto error;
+ }
+
+ /* Authorize the signed policy with the public key and the verification ticket */
+ rc = grub_tpm2_policyauthorize (session, NULL, &pcr_policy, &policy_ref, &pubname,
+ &verification_ticket, NULL);
+ if (rc != TPM_RC_SUCCESS)
+ {
+ err = grub_error (GRUB_ERR_BAD_DEVICE, "failed to authorize PCR policy (TPM2_PolicyAuthorize: 0x%x)", rc);
+ goto error;
+ }
+
+ err = GRUB_ERR_NONE;
+
+ error:
+ grub_tpm2_flushcontext (pubkey_handle);
+
+ return err;
+}
+
static grub_err_t
tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t session)
{
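Review bot: in tpm2_protector_policyauthorize, the grub_tpm2_hash call reinterprets the policy digest with `(TPM2B_MAX_BUFFER_t *) &pcr_policy`, which is only correct while both types share the same size-prefixed layout. Copy the digest into a real TPM2B_MAX_BUFFER_t or add a comment stating that assumption. While here, fix the comment typo "polcy"; note also that the result of grub_tpm2_flushcontext at the `error:` label is dropped without a log line.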
@@ -636,6 +703,9 @@ tpm2_protector_enforce_policy (tpm2key_policy_t policy, TPMI_SH_AUTH_SESSION_t s
case TPM_CC_PolicyPCR:
err = tpm2_protector_policypcr (session, &buf);
break;
+ case TPM_CC_PolicyAuthorize:
+ err = tpm2_protector_policyauthorize (session, &buf);
+ break;
default:
return grub_error (GRUB_ERR_BAD_ARGUMENT, "unknown TPM Command: 0x%x", policy->cmd_code);
}
--
2.43.0


@ -1,411 +0,0 @@
From 439de947262b0d8d4a02ca5afb1ef4f15853962c Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Fri, 9 Dec 2016 15:40:29 -0500
Subject: [PATCH 2/9] Add BLS support to grub-mkconfig
GRUB now has BootLoaderSpec support, the user can choose to use this by
setting GRUB_ENABLE_BLSCFG to true in /etc/default/grub. On this setup,
the boot menu entries are not added to the grub.cfg, instead BLS config
files are parsed by blscfg command and the entries created dynamically.
A 10_linux_bls grub.d snippet to generate menu entries from BLS files
is also added that can be used on platforms where the bootloader doesn't
have BLS support and only can parse a normal grub configuration file.
Portions of the 10_linux_bls were taken from the ostree-grub-generator
script that's included in the OSTree project.
Fixes to support multi-devices and generate a BLS section even if no
kernels are found in the boot directory were proposed by Yclept Nemo
and Tom Gundersen respectively.
Signed-off-by: Peter Jones <pjones@redhat.com>
[javierm: remove outdated URL for BLS document]
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
[iwienand@redhat.com: skip machine ID check when updating entries]
Signed-off-by: Ian Wienand <iwienand@redhat.com>
[rharwood: commit message composits, drop man pages]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
util/grub-mkconfig.in | 9 +-
util/grub-mkconfig_lib.in | 22 +++-
util/grub.d/10_linux.in | 244 +++++++++++++++++++++++++++++++++++++-
3 files changed, 269 insertions(+), 6 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index cf5b79342..7af15df94 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -49,6 +49,8 @@ grub_script_check="${bindir}/@grub_script_check@"
export TEXTDOMAIN=@PACKAGE@
export TEXTDOMAINDIR="@localedir@"
+export GRUB_GRUBENV_UPDATE="yes"
+
. "${pkgdatadir}/grub-mkconfig_lib"
# Usage: usage
@@ -58,6 +60,7 @@ usage () {
gettext "Generate a grub config file"; echo
echo
print_option_help "-o, --output=$(gettext FILE)" "$(gettext "output generated config to FILE [default=stdout]")"
+ print_option_help "--no-grubenv-update" "$(gettext "do not update variables in the grubenv file")"
print_option_help "-h, --help" "$(gettext "print this message and exit")"
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
echo
@@ -93,6 +96,9 @@ do
--output=*)
grub_cfg=`echo "$option" | sed 's/--output=//'`
;;
+ --no-grubenv-update)
+ GRUB_GRUBENV_UPDATE="no"
+ ;;
-*)
gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
usage
@@ -300,7 +306,8 @@ export GRUB_DEFAULT \
GRUB_DISABLE_SUBMENU \
SUSE_BTRFS_SNAPSHOT_BOOTING \
SUSE_CMDLINE_XENEFI \
- SUSE_REMOVE_LINUX_ROOT_PARAM
+ SUSE_REMOVE_LINUX_ROOT_PARAM \
+ GRUB_ENABLE_BLSCFG
if test "x${grub_cfg}" != "x"; then
rm -f "${grub_cfg}.new"
diff --git a/util/grub-mkconfig_lib.in b/util/grub-mkconfig_lib.in
index 22fb7668f..5db4337c6 100644
--- a/util/grub-mkconfig_lib.in
+++ b/util/grub-mkconfig_lib.in
@@ -30,6 +30,9 @@ fi
if test "x$grub_file" = x; then
grub_file="${bindir}/@grub_file@"
fi
+if test "x$grub_editenv" = x; then
+ grub_editenv="${bindir}/@grub_editenv@"
+fi
if test "x$grub_mkrelpath" = x; then
grub_mkrelpath="${bindir}/@grub_mkrelpath@"
fi
@@ -123,8 +126,19 @@ EOF
fi
}
+prepare_grub_to_access_device_with_variable ()
+{
+ device_variable="$1"
+ shift
+ prepare_grub_to_access_device "$@"
+ unset "device_variable"
+}
+
prepare_grub_to_access_device ()
{
+ if [ -z "$device_variable" ]; then
+ device_variable="root"
+ fi
old_ifs="$IFS"
IFS='
'
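Review bot: prepare_grub_to_access_device now assigns the global `device_variable="root"` when it is empty and never clears it, so the function mutates state it does not own and the wrapper depends on its own `unset` to keep a later plain call from writing to the wrong variable. Expanding `${device_variable:-root}` at the points of use would give the same default without touching the global.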
@@ -159,18 +173,18 @@ prepare_grub_to_access_device ()
# otherwise set root as per value in device.map.
fs_hint="`"${grub_probe}" --device $@ --target=compatibility_hint`"
if [ "x$fs_hint" != x ]; then
- echo "set root='$fs_hint'"
+ echo "set ${device_variable}='$fs_hint'"
fi
if [ "x${GRUB_DISABLE_UUID}" != "xtrue" ] && fs_uuid="`"${grub_probe}" --device $@ --target=fs_uuid 2> /dev/null`" ; then
hints="`"${grub_probe}" --device $@ --target=hints_string 2> /dev/null`" || hints=
if [ "x$hints" != x ]; then
echo "if [ x\$feature_platform_search_hint = xy ]; then"
- echo " search --no-floppy --fs-uuid --set=root ${hints} ${fs_uuid}"
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${hints} ${fs_uuid}"
echo "else"
- echo " search --no-floppy --fs-uuid --set=root ${fs_uuid}"
+ echo " search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
echo "fi"
else
- echo "search --no-floppy --fs-uuid --set=root ${fs_uuid}"
+ echo "search --no-floppy --fs-uuid --set=${device_variable} ${fs_uuid}"
fi
fi
IFS="$old_ifs"
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 5531239eb..49eccbeaf 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -91,6 +91,244 @@ if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
LINUX_ROOT_DEVICE=""
fi
+populate_header_warn()
+{
+if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
+ bls_parser="10_linux script"
+else
+ bls_parser="blscfg command"
+fi
+cat <<EOF
+
+# This section was generated by a script. Do not modify the generated file - all changes
+# will be lost the next time file is regenerated. Instead edit the BootLoaderSpec files.
+#
+# The $bls_parser parses the BootLoaderSpec files stored in /boot/loader/entries and
+# populates the boot menu. Please refer to the Boot Loader Specification documentation
+# for the files format: https://systemd.io/BOOT_LOADER_SPECIFICATION/.
+
+EOF
+}
+
+read_config()
+{
+ config_file=${1}
+ title=""
+ initrd=""
+ options=""
+ linux=""
+ grub_arg=""
+
+ while read -r line
+ do
+ record=$(echo ${line} | cut -f 1 -d ' ')
+ value=$(echo ${line} | cut -s -f2- -d ' ')
+ case "${record}" in
+ "title")
+ title=${value}
+ ;;
+ "initrd")
+ initrd=${value}
+ ;;
+ "linux")
+ linux=${value}
+ ;;
+ "options")
+ options=${value}
+ ;;
+ "grub_arg")
+ grub_arg=${value}
+ ;;
+ esac
+ done < ${config_file}
+}
+
+blsdir="/boot/loader/entries"
+
+get_sorted_bls()
+{
+ if ! [ -d "${blsdir}" ]; then
+ return
+ fi
+
+ local IFS=$'\n'
+
+ files=($(for bls in ${blsdir}/*.conf; do
+ if ! [[ -e "${bls}" ]] ; then
+ continue
+ fi
+ bls="${bls%.conf}"
+ bls="${bls##*/}"
+ echo "${bls}"
+ done | ${kernel_sort} 2>/dev/null | tac)) || :
+
+ echo "${files[@]}"
+}
+
+update_bls_cmdline()
+{
+ local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+ local -a files=($(get_sorted_bls))
+
+ for bls in "${files[@]}"; do
+ local options="${cmdline}"
+ if [ -z "${bls##*debug*}" ]; then
+ options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
+ fi
+ options="$(echo "${options}" | sed -e 's/\//\\\//g')"
+ sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
+ done
+}
+
+populate_menu()
+{
+ local -a files=($(get_sorted_bls))
+
+ gettext_printf "Generating boot entries from BLS files...\n" >&2
+
+ for bls in "${files[@]}"; do
+ read_config "${blsdir}/${bls}.conf"
+
+ menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
+ menu="${menu}\t linux ${linux} ${options}\n"
+ if [ -n "${initrd}" ] ; then
+ menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
+ fi
+ menu="${menu}}\n\n"
+ done
+ # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
+ printf "$menu"
+}
+
+# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
+ GRUB_ENABLE_BLSCFG="true"
+fi
+
+if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
+ if [ x$dirname = x/ ]; then
+ if [ -z "${prepare_root_cache}" ]; then
+ prepare_grub_to_access_device ${GRUB_DEVICE}
+ fi
+ else
+ if [ -z "${prepare_boot_cache}" ]; then
+ prepare_grub_to_access_device ${GRUB_DEVICE_BOOT}
+ fi
+ fi
+
+ if [ -d /sys/firmware/efi ]; then
+ bootefi_device="`${grub_probe} --target=device /boot/efi/`"
+ prepare_grub_to_access_device_with_variable boot ${bootefi_device}
+ else
+ boot_device="`${grub_probe} --target=device /boot/`"
+ prepare_grub_to_access_device_with_variable boot ${boot_device}
+ fi
+
+ arch="$(uname -m)"
+ if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
+
+ BLS_POPULATE_MENU="true"
+ petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
+
+ if test -e ${petitboot_path}; then
+ read -r -d '' petitboot_version < ${petitboot_path}
+ petitboot_version="$(echo ${petitboot_version//v})"
+
+ if test -n ${petitboot_version}; then
+ major_version="$(echo ${petitboot_version} | cut -d . -f1)"
+ minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
+
+ re='^[0-9]+$'
+ if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
+ ([[ ${major_version} -gt 1 ]] ||
+ [[ ${major_version} -eq 1 &&
+ ${minor_version} -ge 8 ]]); then
+ BLS_POPULATE_MENU="false"
+ fi
+ fi
+ fi
+ fi
+
+ populate_header_warn
+
+ cat << EOF
+# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
+# entries populated from BootLoaderSpec files that use this variable work correctly even
+# without a grubenv file, define a fallback kernelopts variable if this has not been set.
+#
+# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
+# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
+# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
+# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
+if [ -z "\${kernelopts}" ]; then
+ set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+fi
+EOF
+
+ update_bls_cmdline
+
+ if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
+ populate_menu
+ else
+ cat << EOF
+
+insmod blscfg
+blscfg
+EOF
+ fi
+
+ if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
+ blsdir="/boot/loader/entries"
+ [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
+ if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
+ blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
+ if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
+ ${grub_editenv} - set blsdir="${blsdir}"
+ fi
+ fi
+
+ if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
+ ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
+ fi
+
+ if [ -n "${GRUB_DEFAULT_DTB}" ]; then
+ ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
+ fi
+
+ if [ -n "${GRUB_SAVEDEFAULT}" ]; then
+ ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
+ fi
+ fi
+
+ exit 0
+fi
+
+mktitle ()
+{
+ local title_type
+ local version
+ local OS_NAME
+ local OS_VERS
+
+ title_type=$1 && shift
+ version=$1 && shift
+
+ OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
+ OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
+
+ case $title_type in
+ recovery)
+ title=$(printf '%s (%s) %s (recovery mode)' \
+ "${OS_NAME}" "${version}" "${OS_VERS}")
+ ;;
+ *)
+ title=$(printf '%s (%s) %s' \
+ "${OS_NAME}" "${version}" "${OS_VERS}")
+ ;;
+ esac
+ echo -n ${title}
+}
+
title_correction_code=
hotkey=1
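Review bot: populate_menu passes text assembled from BLS entry fields to `printf "$menu"` as the format string and interpolates `${title}` inside single quotes without escaping, so a `%`, a backslash sequence or a single quote in a title or options line changes the generated grub.cfg instead of being copied into it. Build the entry with a fixed format (`printf '%s\n' ...`) and quote the title before interpolation. The same unquoted handling shows up in read_config (`echo ${line}`, `done < ${config_file}`), in update_bls_cmdline, where the sed replacement escapes `/` but not `&` or `\`, and in `test -n ${petitboot_version}`, which is true when the variable is empty.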
@@ -124,6 +362,7 @@ linux_entry ()
if [ -z "$boot_device_id" ]; then
boot_device_id="$(grub_get_device_id "${GRUB_DEVICE}")"
fi
+
if [ x$type != xsimple ] ; then
case $type in
recovery)
@@ -298,6 +537,7 @@ fi
is_top_level=true
for linux in ${reverse_sorted_list}; do
gettext_printf "Found linux image: %s\n" "$linux" >&2
+
basename=`basename $linux`
dirname=`dirname $linux`
rel_dirname=`make_system_path_relative_to_its_root $dirname`
@@ -348,7 +588,9 @@ for linux in ${reverse_sorted_list}; do
for i in ${initrd}; do
initrd_display="${initrd_display} ${dirname}/${i}"
done
- gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
+ if [ "x${GRUB_ENABLE_BLSCFG}" != "xtrue" ]; then
+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2
+ fi
fi
config=
--
2.44.0


@ -0,0 +1,295 @@
From 0ed98269c5631c4d094b2cee81ce385687803730 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 29 Aug 2024 13:27:30 +0800
Subject: [PATCH 2/2] Requiring authentication after tpm unlock for CLI access
The GRUB may use TPM to verify the integrity of boot components and the
result can determine whether a previously sealed key can be released. If
everything checks out, showing nothing has been tampered with, the key
is released and GRUB unlocks the encrypted root partition for the next
stage of booting.
However, the liberal Command Line Interface (CLI) can be misused by
anyone in this case to access files in the encrypted partition one way
or another. Despite efforts to keep the CLI secure by preventing utility
command output from leaking file content, many techniques in the wild
could still be used to exploit the CLI, enabling attacks or learning
methods to attack. It's nearly impossible to account for all scenarios
where a hack could be applied.
Therefore, to mitigate potential misuse of the CLI after the root device
has been successfully unlocked via TPM, the user should be required to
authenticate using the LUKS password. This added layer of security
ensures that only authorized users can access the CLI reducing the risk
of exploitation or unauthorized access to the encrypted partition.
Fixes: CVE-2024-49504
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/disk/cryptodisk.c | 84 +++++++++++++++++++++++++++++++++++
grub-core/kern/main.c | 12 +++++
grub-core/normal/auth.c | 30 +++++++++++++
grub-core/normal/main.c | 4 ++
grub-core/normal/menu_entry.c | 4 ++
include/grub/auth.h | 1 +
include/grub/cryptodisk.h | 3 ++
include/grub/misc.h | 2 +
8 files changed, 140 insertions(+)
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index babc94868d..21bf22ead1 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -1188,6 +1188,7 @@ grub_cryptodisk_scan_device_real (const char *name,
goto error;
#ifndef GRUB_UTIL
is_tpmkey = 1;
+ grub_cli_set_auth_needed ();
#endif
goto cleanup;
}
@@ -1706,6 +1707,89 @@ luks_script_get (grub_size_t *sz)
return ret;
}
+#ifdef GRUB_MACHINE_EFI
+grub_err_t
+grub_cryptodisk_challenge_password (void)
+{
+ grub_cryptodisk_t cr_dev;
+
+ for (cr_dev = cryptodisk_list; cr_dev != NULL; cr_dev = cr_dev->next)
+ {
+ grub_cryptodisk_dev_t cr;
+ grub_disk_t source = NULL;
+ grub_err_t ret = GRUB_ERR_NONE;
+ grub_cryptodisk_t dev = NULL;
+ char *part = NULL;
+ struct grub_cryptomount_args cargs = {0};
+
+ cargs.check_boot = 0;
+ cargs.search_uuid = cr_dev->uuid;
+
+ source = grub_disk_open (cr_dev->source);
+
+ if (source == NULL)
+ {
+ ret = grub_errno;
+ goto error_out;
+ }
+
+ FOR_CRYPTODISK_DEVS (cr)
+ {
+ dev = cr->scan (source, &cargs);
+ if (grub_errno)
+ {
+ ret = grub_errno;
+ goto error_out;
+ }
+ if (dev == NULL)
+ continue;
+ break;
+ }
+
+ if (dev == NULL)
+ {
+ ret = grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk module can handle this device");
+ goto error_out;
+ }
+
+ part = grub_partition_get_name (source->partition);
+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
+ source->partition != NULL ? "," : "",
+ part != NULL ? part : N_("UNKNOWN"), cr_dev->uuid);
+ grub_free (part);
+
+ cargs.key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
+ if (cargs.key_data == NULL)
+ {
+ ret = grub_errno;
+ goto error_out;
+ }
+
+ if (!grub_password_get ((char *) cargs.key_data, GRUB_CRYPTODISK_MAX_PASSPHRASE))
+ {
+ ret = grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
+ goto error_out;
+ }
+ cargs.key_len = grub_strlen ((char *) cargs.key_data);
+ ret = cr->recover_key (source, dev, &cargs);
+
+ error_out:
+ grub_disk_close (source);
+ if (dev != NULL)
+ cryptodisk_close (dev);
+ if (cargs.key_data)
+ {
+ grub_memset (cargs.key_data, 0, cargs.key_len);
+ grub_free (cargs.key_data);
+ }
+
+ return ret;
+ }
+
+ return GRUB_ERR_NONE;
+}
+#endif /* GRUB_MACHINE_EFI */
+
struct grub_procfs_entry luks_script =
{
.name = "luks_script",
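Review bot: in grub_cryptodisk_challenge_password the `return ret;` after the error_out cleanup sits inside the `for` body, so the loop always exits after the first entry of cryptodisk_list and the remaining devices are never challenged. If checking one device is intended, drop the loop or say so in a comment. On the cleanup path, grub_disk_close (source) is reached with source == NULL when grub_disk_open fails, unlike dev and key_data which are guarded, and grub_memset clears only cargs.key_len bytes, which is still 0 when grub_password_get fails; wipe GRUB_CRYPTODISK_MAX_PASSPHRASE bytes instead.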
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 07b6940d2e..ef3b3756de 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -37,6 +37,7 @@
#endif
static bool cli_disabled = false;
+static bool cli_need_auth = false;
grub_addr_t
grub_modules_get_end (void)
@@ -246,6 +247,17 @@ grub_is_cli_disabled (void)
return cli_disabled;
}
+bool
+grub_is_cli_need_auth (void)
+{
+ return cli_need_auth;
+}
+
+void grub_cli_set_auth_needed (void)
+{
+ cli_need_auth = true;
+}
+
static void
check_is_cli_disabled (void)
{
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
index d940201866..2931ba604a 100644
--- a/grub-core/normal/auth.c
+++ b/grub-core/normal/auth.c
@@ -25,6 +25,10 @@
#include <grub/time.h>
#include <grub/i18n.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/cryptodisk.h>
+#endif
+
struct grub_auth_user
{
struct grub_auth_user *next;
@@ -200,6 +204,32 @@ grub_username_get (char buf[], unsigned buf_size)
return (key != GRUB_TERM_ESC);
}
+grub_err_t
+grub_auth_check_cli_access (void)
+{
+ if (grub_is_cli_need_auth () == true)
+ {
+#ifdef GRUB_MACHINE_EFI
+ static bool authenticated = false;
+
+ if (authenticated == false)
+ {
+ grub_err_t ret;
+
+ ret = grub_cryptodisk_challenge_password ();
+ if (ret == GRUB_ERR_NONE)
+ authenticated = true;
+ return ret;
+ }
+ return GRUB_ERR_NONE;
+#else
+ return GRUB_ACCESS_DENIED;
+#endif
+ }
+
+ return GRUB_ERR_NONE;
+}
+
grub_err_t
grub_auth_check_authentication (const char *userlist)
{
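Review bot: in grub_auth_check_cli_access the `#else` branch returns GRUB_ACCESS_DENIED with no way to authenticate, so on non-EFI builds every caller of this function stays closed for the rest of the session once grub_is_cli_need_auth () is true. That behaviour deserves a comment above the function and a line in the commit message. The `static bool authenticated` flag is set once and never cleared, which should also be stated as intended.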
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 8e58ced679..b08fd6977d 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -560,9 +560,13 @@ grub_cmdline_run (int nested, int force_auth)
}
while (err && force_auth);
+ if (err == GRUB_ERR_NONE)
+ err = grub_auth_check_cli_access ();
+
if (err)
{
grub_print_error ();
+ grub_wait_after_message ();
grub_errno = GRUB_ERR_NONE;
return;
}
diff --git a/grub-core/normal/menu_entry.c b/grub-core/normal/menu_entry.c
index e5ba91ea4d..06682a396d 100644
--- a/grub-core/normal/menu_entry.c
+++ b/grub-core/normal/menu_entry.c
@@ -1256,9 +1256,13 @@ grub_menu_entry_run (grub_menu_entry_t entry)
err = grub_auth_check_authentication (NULL);
+ if (err == GRUB_ERR_NONE)
+ err = grub_auth_check_cli_access ();
+
if (err)
{
grub_print_error ();
+ grub_wait_after_message ();
grub_errno = GRUB_ERR_NONE;
return;
}
diff --git a/include/grub/auth.h b/include/grub/auth.h
index 7473344517..21d5190f04 100644
--- a/include/grub/auth.h
+++ b/include/grub/auth.h
@@ -33,5 +33,6 @@ grub_err_t grub_auth_unregister_authentication (const char *user);
grub_err_t grub_auth_authenticate (const char *user);
grub_err_t grub_auth_deauthenticate (const char *user);
grub_err_t grub_auth_check_authentication (const char *userlist);
+grub_err_t grub_auth_check_cli_access (void);
#endif /* ! GRUB_AUTH_HEADER */
diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
index 0b41e249e8..b3291519b1 100644
--- a/include/grub/cryptodisk.h
+++ b/include/grub/cryptodisk.h
@@ -203,4 +203,7 @@ grub_util_get_geli_uuid (const char *dev);
grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid);
grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk);
+#ifdef GRUB_MACHINE_EFI
+grub_err_t grub_cryptodisk_challenge_password (void);
+#endif
#endif
diff --git a/include/grub/misc.h b/include/grub/misc.h
index 1578f36c3c..6e94d18f5a 100644
--- a/include/grub/misc.h
+++ b/include/grub/misc.h
@@ -392,6 +392,8 @@ grub_uint64_t EXPORT_FUNC(grub_divmod64) (grub_uint64_t n,
grub_uint64_t *r);
extern bool EXPORT_FUNC(grub_is_cli_disabled) (void);
+extern bool EXPORT_FUNC(grub_is_cli_need_auth) (void);
+extern void EXPORT_FUNC(grub_cli_set_auth_needed) (void);
/* Must match softdiv group in gentpl.py. */
#if !defined(GRUB_MACHINE_EMU) && (defined(__arm__) || defined(__ia64__) || \
--
2.47.1


@ -1,197 +0,0 @@
From 912384e63c1e3b6aa9d90effb71cd535a17da1e2 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Sat, 18 Nov 2023 19:02:31 +0800
Subject: [PATCH 2/4] Restrict file access on cryptodisk print
When the encrypted partition is automatically unlocked by TPM, granting
access to the system upon validation of its known good state, there's a
potential vulnerability. Grub gains access to file systems that were
previously inaccessible to the public, enabling certain commands from
the grub console to print content. This arises due to grub lacking
restrictions similar to those imposed by password authentication, which
typically occurs before privileged access is granted.
Although the automatic unlocking process ensures system integrity and a
secure environment for grub to operate in, it doesn't directly address
the issue of authentication for viewing encrypted partition content.
This commit addresses this security loophole by implementing a file
filter upon adding a TPM key. The newly added file filter will
specifically verify if the disk is encrypted, denying access and
returning an "Access Denied: prohibited to view encrypted data" error
message to alert the user.
Since the policy to filter out unwanted commands from leaking encrypted
content is irreversible, it is advisable to make the loaded module
persistent to prevent its removal.
This enhancement aims to bolster security measures and prevent
unauthorized access to encrypted data.
Signed-Off-by Michael Chang <mchang@suse.com>
---
grub-core/commands/crypttab.c | 35 ++++++++++++++++++++++++++++++++++-
grub-core/disk/diskfilter.c | 35 +++++++++++++++++++++++++++++++++++
include/grub/disk.h | 10 ++++++++++
include/grub/file.h | 1 +
4 files changed, 80 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
index 9397bede9..d3acc4b59 100644
--- a/grub-core/commands/crypttab.c
+++ b/grub-core/commands/crypttab.c
@@ -6,11 +6,39 @@
#include <grub/mm.h>
#include <grub/list.h>
#include <grub/crypttab.h>
+#include <grub/file.h>
GRUB_MOD_LICENSE ("GPLv3+");
grub_crypto_key_list_t *cryptokey_lst;
+static grub_file_t
+grub_nocat_open (grub_file_t io, enum grub_file_type type)
+{
+ grub_disk_t disk;
+
+ /* Network device */
+ if (!io->device->disk)
+ return io;
+
+ disk = io->device->disk;
+
+ if (grub_disk_is_crypto (disk))
+ {
+ switch (type & GRUB_FILE_TYPE_MASK)
+ {
+ case GRUB_FILE_TYPE_CAT:
+ case GRUB_FILE_TYPE_HEXCAT:
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to view encrypted data"));
+ return NULL;
+ default:
+ break;
+ }
+ }
+
+ return io;
+}
+
grub_err_t
grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key_len, const char *path, int is_tpmkey)
{
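Review bot: grub_nocat_open denies only GRUB_FILE_TYPE_CAT and GRUB_FILE_TYPE_HEXCAT, so every other file type opened on a crypto disk still passes through the `default:` branch. If the intent is to keep encrypted content off the console, write the filter as an allow-list of the types needed for boot, or state in the commit message which commands remain outside its scope.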
@@ -48,7 +76,11 @@ grub_cryptokey_add_or_update (const char *uuid, const char *key, grub_size_t key
}
if (is_tpmkey >= 0)
- cur->is_tpmkey = is_tpmkey;
+ {
+ cur->is_tpmkey = is_tpmkey;
+ if (is_tpmkey)
+ grub_file_filter_register (GRUB_FILE_FILTER_NOCAT, grub_nocat_open);
+ }
if (!cur->name)
{
@@ -121,6 +153,7 @@ GRUB_MOD_INIT(crypttab)
{
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
+ grub_dl_set_persistent (mod);
}
GRUB_MOD_FINI(crypttab)
diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
index 5c5fabe1a..b0c1c880d 100644
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -558,6 +558,39 @@ find_lv (const char *name)
return NULL;
}
+static int
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
+{
+ struct grub_diskfilter_pv *pv;
+
+ if (!lv)
+ return 0;
+
+ if (lv->vg->pvs)
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
+ {
+ if (!pv->disk)
+ {
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
+ " Some modules may be missing from core image."),
+ pv->name);
+ continue;
+ }
+
+ switch (pv->disk->dev->id)
+ {
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
+ return 1;
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
+ default:
+ break;
+ }
+ }
+
+ return 0;
+}
+
static grub_err_t
grub_diskfilter_open (const char *name, grub_disk_t disk)
{
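Review bot: in grub_diskfilter_has_cryptodisk the GRUB_DISK_DEVICE_DISKFILTER_ID case does `return grub_diskfilter_has_cryptodisk (pv->disk->data);`, which ends the walk over the physical volumes even when the nested call returns 0, so a cryptodisk PV later in the list is never seen and the LV is reported as not encrypted. Return 1 only when the nested call is non-zero and otherwise `break` to continue the loop. The grub_dprintf message is also wrapped in `_()` and has no trailing newline.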
@@ -589,6 +622,8 @@ grub_diskfilter_open (const char *name, grub_disk_t disk)
disk->total_sectors = lv->size;
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
+
return 0;
}
diff --git a/include/grub/disk.h b/include/grub/disk.h
index 3b3db6222..63982f16c 100644
--- a/include/grub/disk.h
+++ b/include/grub/disk.h
@@ -147,6 +147,8 @@ struct grub_disk
/* Device-specific data. */
void *data;
+
+ int is_crypto_diskfilter;
};
typedef struct grub_disk *grub_disk_t;
@@ -314,4 +316,12 @@ void grub_mdraid1x_fini (void);
void grub_diskfilter_fini (void);
#endif
+static inline int
+grub_disk_is_crypto (grub_disk_t disk)
+{
+ return ((disk->is_crypto_diskfilter ||
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
+ 1 : 0);
+}
+
#endif /* ! GRUB_DISK_HEADER */
diff --git a/include/grub/file.h b/include/grub/file.h
index fde58f0fa..fcfd32ce2 100644
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
/* Filters with lower ID are executed first. */
typedef enum grub_file_filter_id
{
+ GRUB_FILE_FILTER_NOCAT,
GRUB_FILE_FILTER_VERIFY,
GRUB_FILE_FILTER_GZIO,
GRUB_FILE_FILTER_XZIO,
--
2.42.1


@ -0,0 +1,34 @@
From daec67a7ea73b859e1e0b6a4e9122157c7525676 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 02:03:33 +0100
Subject: [PATCH 02/20] fs/ufs: Fix a heap OOB write
grub_strcpy() was used to copy a symlink name from the filesystem
image to a heap allocated buffer. This led to an OOB write to adjacent
heap allocations. Fix by using grub_strlcpy().
Fixes: CVE-2024-45781
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/ufs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
index a354c92d93..01235101b4 100644
--- a/grub-core/fs/ufs.c
+++ b/grub-core/fs/ufs.c
@@ -463,7 +463,7 @@ grub_ufs_lookup_symlink (struct grub_ufs_data *data, int ino)
/* Check against zero is paylindromic, no need to swap. */
if (data->inode.nblocks == 0
&& INODE_SIZE (data) <= sizeof (data->inode.symlink))
- grub_strcpy (symlink, (char *) data->inode.symlink);
+ grub_strlcpy (symlink, (char *) data->inode.symlink, sz);
else
{
if (grub_ufs_read_file (data, 0, 0, 0, sz, symlink) < 0)
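Review bot: grub_strlcpy () writes at most sz - 1 bytes plus the terminator, while the else branch reads sz bytes into the same buffer with grub_ufs_read_file, so the two branches now fill symlink differently. The allocation of symlink and the definition of sz are outside this hunk; please confirm the buffer is sz + 1 bytes and pass that size here, because if sz is the link length without the terminator an inline symlink loses its last character.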
--
2.48.1


@ -0,0 +1,52 @@
From 3a69e9126d532214d940c1386f2933a124611a6c Mon Sep 17 00:00:00 2001
From: Egor Ignatov <egori@altlinux.org>
Date: Thu, 23 Jan 2025 20:44:14 +0300
Subject: [PATCH 2/3] fs/xfs: Fix grub_xfs_iterate_dir() return value in case
of failure
Commit ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS
filesystem) introduced multiple boundary checks in grub_xfs_iterate_dir()
but handled the error incorrectly returning error code instead of 0.
Fix it. Also change the error message so that it doesn't match the
message in grub_xfs_read_inode().
Fixes: ef7850c757 (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
Signed-off-by: Egor Ignatov <egori@altlinux.org>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/xfs.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index e3a69fe498..30e3e7f6d9 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -859,7 +859,11 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
grub_uint8_t c;
if ((inopos + (smallino ? 4 : 8)) > (grub_uint8_t *) dir + grub_xfs_fshelp_size (dir->data))
- return grub_error (GRUB_ERR_BAD_FS, "not a correct XFS inode");
+ {
+ grub_error (GRUB_ERR_BAD_FS, "invalid XFS inode");
+ return 0;
+ }
+
/* inopos might be unaligned. */
if (smallino)
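Review bot: the `return 0;` after grub_error () at the inopos bounds check is easy to misread as success. A one-line comment saying that the return value of grub_xfs_iterate_dir () is the iteration result and that the failure is reported through grub_errno would keep a later change from reintroducing `return grub_error (...)`, which is what this patch removes.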
@@ -968,7 +972,10 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
filename = (char *)(direntry + 1);
if (filename + direntry->len + 1 > (char *) end)
- return grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+ {
+ grub_error (GRUB_ERR_BAD_FS, "invalid XFS directory entry");
+ return 0;
+ }
/* The byte after the filename is for the filetype, padding, or
tag, which is not used by GRUB. So it can be overwritten. */
--
2.48.1


@ -0,0 +1,671 @@
From 8ef821ea18ed35f5969b98f2df6a76fefb71b175 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 28 Dec 2022 17:49:24 +0530
Subject: [PATCH 2/8] ieee1275: Read the DB and DBX secure boot variables
If secure boot is enabled with PKS, it will read secure boot variables
such as db and dbx from PKS and extract certificates from ESL.
It would be saved in the platform keystore buffer, and
the appendedsig (module) would read it later to extract
the certificate's details.
In the following scenarios, static key mode will be activated:
1. When secure boot is enabled with static
2. When SB Version is unavailable but Secure Boot is enabled
3. When PKS support is unavailable but secure boot is enabled
Note:-
SB Version - secure boot mode
1 - PKS
0 - static key (embedded key)
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsastry@linux.ibm.com>
---
grub-core/Makefile.am | 1 +
grub-core/Makefile.core.def | 1 +
grub-core/kern/ieee1275/init.c | 12 +-
grub-core/kern/ieee1275/platform_keystore.c | 377 ++++++++++++++++++++
include/grub/platform_keystore.h | 190 ++++++++++
5 files changed, 580 insertions(+), 1 deletion(-)
create mode 100644 grub-core/kern/ieee1275/platform_keystore.c
create mode 100644 include/grub/platform_keystore.h
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 9d3d5f519..4630e2ba3 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -79,6 +79,7 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/file.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/fs.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/i18n.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/kernel.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/platform_keystore.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/list.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/lockdown.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/misc.h
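Review bot: the new platform_keystore.h entry sits between kernel.h and list.h, which breaks the alphabetical order the surrounding KERNEL_HEADER_FILES lines follow (file, fs, i18n, kernel, list, lockdown, misc). Move it below so it sorts with the other entries.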
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index dc639dd24..4ff35afb7 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -170,6 +170,7 @@ kernel = {
ieee1275 = kern/ieee1275/openfw.c;
ieee1275 = term/ieee1275/console.c;
ieee1275 = kern/ieee1275/init.c;
+ ieee1275 = kern/ieee1275/platform_keystore.c;
uboot = disk/uboot/ubootdisk.c;
uboot = kern/uboot/uboot.c;
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
index 38f1f1f6e..bb800b275 100644
--- a/grub-core/kern/ieee1275/init.c
+++ b/grub-core/kern/ieee1275/init.c
@@ -50,6 +50,7 @@
#include <grub/ieee1275/alloc.h>
#endif
#include <grub/lockdown.h>
+#include <grub/platform_keystore.h>
/* The maximum heap size we're going to claim at boot. Not used by sparc. */
#ifdef __i386__
@@ -915,7 +916,16 @@ grub_get_ieee1275_secure_boot (void)
* We only support enforce.
*/
if (rc >= 0 && is_sb >= 2)
- grub_lockdown ();
+ {
+ grub_printf ("secure boot enabled\n");
+ rc = grub_platform_keystore_init ();
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: initialization of the platform keystore failed!\n");
+
+ grub_lockdown ();
+ }
+ else
+ grub_printf ("secure boot disabled\n");
}
grub_addr_t grub_modbase;
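Review bot: `grub_platform_keystore_init ()` is called before `grub_lockdown ()` in the new block, so the `grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED` test that guards `grub_fatal ("Secure Boot locked down")` in grub_secure_boot_version cannot be true when reached from here unless lockdown was already enabled by some other path, and a bad SB_VERSION read ends in a warning only. Decide which behaviour is wanted: call grub_lockdown first if that failure must be fatal, or remove the check and document the fallback to static keys. The failure branch also leaves whatever the keystore code recorded through grub_error in place while boot continues, and the three new grub_printf calls print on every boot; grub_dprintf would be the quieter choice for the enabled/disabled messages.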
diff --git a/grub-core/kern/ieee1275/platform_keystore.c b/grub-core/kern/ieee1275/platform_keystore.c
new file mode 100644
index 000000000..976e4e9b5
--- /dev/null
+++ b/grub-core/kern/ieee1275/platform_keystore.c
@@ -0,0 +1,377 @@
+#include <grub/mm.h>
+#include <grub/ieee1275/ieee1275.h>
+#include <grub/types.h>
+#include <grub/misc.h>
+#include <grub/lockdown.h>
+#include <grub/platform_keystore.h>
+
+#define PKS_CONSUMER_FW 1
+#define SB_VERSION_KEY_NAME ((grub_uint8_t *) "SB_VERSION")
+#define SB_VERSION_KEY_LEN 10
+#define DB 1
+#define DBX 2
+
+#define PKS_OBJECT_NOT_FOUND -7
+#define PKS_UNPACK_ERROR 0x200
+#define PKS_UNPACK_VERSION_ERROR 0x201
+
+struct pks_timestamp
+{
+ grub_uint16_t year;
+ grub_uint8_t month;
+ grub_uint8_t day;
+ grub_uint8_t hour;
+ grub_uint8_t minute;
+ grub_uint8_t second;
+} GRUB_PACKED;
+
+struct pks_signed_var
+{
+ grub_uint8_t version;
+ struct pks_timestamp time;
+} GRUB_PACKED;
+
+/* Platform Keystore */
+static grub_size_t pks_max_object_size;
+grub_uint8_t grub_use_platform_keystore = 0;
+grub_pks_t grub_platform_keystore = { .use_static_keys = 0, .db = NULL, .dbx = NULL, .db_entries = 0, .dbx_entries = 0 };
+
+/* converts the esl data into the ESL */
+static grub_esl_t *
+grub_convert_to_esl (const grub_uint8_t *esl_data, const grub_size_t esl_data_size)
+{
+ grub_esl_t *esl = NULL;
+
+ if (esl_data_size < sizeof (grub_esl_t) || esl_data == NULL)
+ return esl;
+
+ esl = (grub_esl_t *) esl_data;
+
+ return esl;
+}
+
+/*
+ * imports the GUID, esd, and its size into the pks sd buffer and
+ * pks sd entries from the EFI signature list.
+ */
+static grub_err_t
+grub_esd_from_esl (const grub_uint8_t *esl_data, grub_size_t esl_size,
+ const grub_size_t signature_size, const grub_uuid_t *guid,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_esd_t *esd = NULL;
+ grub_pks_sd_t *signature = *pks_sd;
+ grub_size_t entries = *pks_sd_entries;
+ grub_size_t data_size = 0, offset = 0;
+
+ /* reads the esd from esl */
+ while (esl_size > 0)
+ {
+ esd = (grub_esd_t *) (esl_data + offset);
+ data_size = signature_size - sizeof (grub_esd_t);
+
+ if (signature != NULL)
+ signature = grub_realloc (signature, (entries + 1) * sizeof (grub_pks_sd_t));
+ else
+ signature = grub_malloc (sizeof (grub_pks_sd_t));
+
+ if (signature == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ signature[entries].data = grub_malloc (data_size * sizeof (grub_uint8_t));
+ if (signature[entries].data == NULL)
+ {
+ /*
+ * allocated memory will be freed by
+ * grub_release_platform_keystore
+ */
+ *pks_sd = signature;
+ *pks_sd_entries = entries + 1;
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+ }
+
+ grub_memcpy (signature[entries].data, esd->signaturedata, data_size);
+ signature[entries].data_size = data_size;
+ signature[entries].guid = *guid;
+ entries++;
+ esl_size -= signature_size;
+ offset += signature_size;
+ }
+
+ *pks_sd = signature;
+ *pks_sd_entries = entries;
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * extracts the esd after removing the esl header from esl.
+ */
+static grub_err_t
+grub_esl_to_esd (const grub_uint8_t *esl_data, grub_size_t *next_esl,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_uuid_t guid = { 0 };
+ grub_esl_t *esl = NULL;
+ grub_size_t offset = 0, esl_size = 0,
+ signature_size = 0, signature_header_size = 0;
+
+ esl = grub_convert_to_esl (esl_data, *next_esl);
+ if (esl == NULL)
+ return grub_error (GRUB_ERR_BUG, "invalid ESL");
+
+ esl_size = grub_le_to_cpu32 (esl->signaturelistsize);
+ signature_header_size = grub_le_to_cpu32 (esl->signatureheadersize);
+ signature_size = grub_le_to_cpu32 (esl->signaturesize);
+ guid = esl->signaturetype;
+
+ if (esl_size < sizeof (grub_esl_t) || esl_size > *next_esl)
+ return grub_error (GRUB_ERR_BUG, "invalid ESL size (%u)\n", esl_size);
+
+ *next_esl = esl_size;
+ offset = sizeof (grub_esl_t) + signature_header_size;
+ esl_size = esl_size - offset;
+
+ return grub_esd_from_esl (esl_data + offset, esl_size, signature_size, &guid,
+ pks_sd, pks_sd_entries);
+}
+
+/*
+ * imports the EFI signature data and the number of esd from the esl
+ * into the pks sd buffer and pks sd entries.
+ */
+static grub_err_t
+grub_pks_sd_from_esl (const grub_uint8_t *esl_data, grub_size_t esl_size,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t next_esl = esl_size;
+
+ do
+ {
+ rc = grub_esl_to_esd (esl_data, &next_esl, pks_sd, pks_sd_entries);
+ if (rc != GRUB_ERR_NONE)
+ break;
+
+ esl_data += next_esl;
+ esl_size -= next_esl;
+ next_esl = esl_size;
+ }
+ while (esl_size > 0);
+
+ return rc;
+}
+
+/*
+ * unpacking the signed secure boot variable
+ * return error if size too small or version mismatch
+ * discards timestamp, only needed in verifying updates
+ */
+static grub_err_t
+grub_unpack_signed_variable (grub_uint8_t *indata, grub_size_t insize,
+ grub_uint8_t **data, grub_size_t *size)
+{
+ struct pks_signed_var *psv = NULL;
+
+ /* do not permit negative or size 0 data */
+ if (insize <= sizeof (struct pks_signed_var))
+ return PKS_UNPACK_ERROR;
+
+ psv = (struct pks_signed_var *) indata;
+ if (psv->version != 0)
+ return PKS_UNPACK_VERSION_ERROR;
+
+ *data = indata + sizeof (struct pks_signed_var);
+ *size = insize - sizeof (struct pks_signed_var);
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * reads the secure boot version from PKS as an object.
+ * caller must free result
+ */
+static grub_err_t
+grub_sbversion_from_pks (grub_uint8_t **out, grub_size_t *outlen, grub_size_t *policy)
+{
+ *out = grub_malloc (pks_max_object_size);
+ if (*out == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return grub_ieee1275_pks_read_object (PKS_CONSUMER_FW, SB_VERSION_KEY_NAME,
+ SB_VERSION_KEY_LEN, *out, pks_max_object_size,
+ outlen, policy);
+}
+
+/*
+ * reads the secure boot variable from PKS.
+ * caller must free result
+ */
+static grub_err_t
+grub_sbvar_from_pks (const grub_uint8_t sbvarflags, const grub_uint8_t sbvartype,
+ grub_uint8_t **out, grub_size_t *outlen)
+{
+ *out = grub_malloc (pks_max_object_size);
+ if (*out == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ return grub_ieee1275_pks_read_sbvar (sbvarflags, sbvartype, *out,
+ pks_max_object_size, outlen);
+}
+
+/* Test the availability of PKS support. */
+static grub_err_t
+grub_is_support_pks (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_ieee1275_cell_t missing = 0;
+
+ rc = grub_ieee1275_test ("pks-max-object-size", &missing);
+ if (rc != GRUB_ERR_NONE || (int) missing == -1)
+ grub_printf ("Warning: doesn't have PKS support!\n");
+ else
+ {
+ rc = grub_ieee1275_pks_max_object_size (&pks_max_object_size);
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: PKS support is there but it has zero objects!\n");
+ }
+
+ return rc;
+}
+
+/*
+ * retrieves the secure boot variable from PKS, unpacks it, reads the esd
+ * from ESL, and stores the information in the pks sd buffer.
+ */
+static grub_err_t
+grub_secure_boot_variables (const grub_uint8_t sbvarflags, const grub_uint8_t sbvartype,
+ grub_pks_sd_t **pks_sd, grub_size_t *pks_sd_entries)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_uint8_t *data = NULL, *esl_data = NULL;
+ grub_size_t data_len = 0, esl_data_size = 0;
+
+ rc = grub_sbvar_from_pks (sbvarflags, sbvartype, &data, &data_len);
+ /*
+ * at this point we have SB_VERSION, so any error is worth
+ * at least some user-visible info
+ */
+ if (rc != GRUB_ERR_NONE)
+ rc = grub_error (rc, "secure boot variable %s reading (%d)",
+ (sbvartype == DB ? "db" : "dbx"), rc);
+ else
+ {
+ rc = grub_unpack_signed_variable (data, data_len, &esl_data, &esl_data_size);
+ if (rc != GRUB_ERR_NONE)
+ rc = grub_error (rc, "unpacking of signed variable %s structure (%d)",
+ (sbvartype == DB ? "db" : "dbx"), rc);
+ else
+ rc = grub_pks_sd_from_esl ((const grub_uint8_t *) esl_data, esl_data_size,
+ pks_sd, pks_sd_entries);
+ }
+
+ grub_free (data);
+
+ return rc;
+}
+
+/* reads secure boot version (SB_VERSION) */
+static grub_err_t
+grub_secure_boot_version (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_uint8_t *data = NULL;
+ grub_size_t len = 0, policy = 0;
+
+ rc = grub_sbversion_from_pks (&data, &len, &policy);
+ if (rc != GRUB_ERR_NONE)
+ grub_printf ("Warning: SB version read failed! (%d)\n", rc);
+ else if (len != 1 || (*data != 1 && *data != 0))
+ {
+ grub_printf ("Warning: found unexpected SB version! (%d)\n", *data);
+ rc = GRUB_ERR_INVALID_COMMAND;
+ }
+
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: switch to static key!\n");
+ if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
+ grub_fatal ("Secure Boot locked down");
+ }
+ else
+ grub_use_platform_keystore = *data;
+
+ grub_free (data);
+
+ return rc;
+}
+
+/* releasing allocated memory */
+void
+grub_release_platform_keystore (void)
+{
+ grub_size_t i = 0;
+
+ for (i = 0; i < grub_platform_keystore.db_entries; i++)
+ grub_free (grub_platform_keystore.db[i].data);
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ grub_free (grub_platform_keystore.dbx[i].data);
+
+ grub_free (grub_platform_keystore.db);
+ grub_free (grub_platform_keystore.dbx);
+ grub_memset (&grub_platform_keystore, 0x00, sizeof (grub_pks_t));
+}
+
+/* initialization of the Platform Keystore */
+grub_err_t
+grub_platform_keystore_init (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+
+ grub_printf ("trying to load Platform Keystore\n");
+
+ rc = grub_is_support_pks ();
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: switch to static key!\n");
+ return rc;
+ }
+
+ /* SB_VERSION */
+ rc = grub_secure_boot_version ();
+ if (rc != GRUB_ERR_NONE)
+ return rc;
+
+ if (grub_use_platform_keystore)
+ {
+ grub_memset (&grub_platform_keystore, 0x00, sizeof (grub_pks_t));
+ /* DB */
+ rc = grub_secure_boot_variables (0, DB, &grub_platform_keystore.db,
+ &grub_platform_keystore.db_entries);
+ if ((int)rc == PKS_OBJECT_NOT_FOUND)
+ {
+ rc = GRUB_ERR_NONE;
+ /* DB variable won't be available by default in PKS, So, it will loads the Default Keys from ELF Note */
+ grub_platform_keystore.use_static_keys = 1;
+ }
+
+ if (rc == GRUB_ERR_NONE)
+ {
+ /* DBX */
+ rc = grub_secure_boot_variables (0, DBX, &grub_platform_keystore.dbx,
+ &grub_platform_keystore.dbx_entries);
+ if ((int)rc == PKS_OBJECT_NOT_FOUND)
+ {
+ grub_printf ("Warning: dbx is not found!\n");
+ rc = GRUB_ERR_NONE;
+ }
+ }
+
+ }
+
+ if (rc != GRUB_ERR_NONE)
+ grub_release_platform_keystore ();
+
+ return rc;
+}
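Review bot: The ESL walk in grub_esl_to_esd and grub_esd_from_esl uses the length fields read from the keystore data without bounds checks, and all of the arithmetic is on unsigned grub_size_t. `esl_size = esl_size - offset;` wraps when signatureheadersize is larger than the remaining list, `data_size = signature_size - sizeof (grub_esd_t);` wraps when signaturesize is smaller than the ESD header, and `while (esl_size > 0)` with `esl_size -= signature_size;` never terminates for a signaturesize of 0 and wraps when the remaining size is not a multiple of signaturesize, after which grub_memcpy reads past the end of the buffer. Check offset <= esl_size, signature_size > sizeof (grub_esd_t) and signature_size <= esl_size before each step and return an error otherwise. Separately, grub_unpack_signed_variable returns PKS_UNPACK_ERROR and PKS_UNPACK_VERSION_ERROR through a grub_err_t and the caller passes that value to grub_error as the error code; map these to an existing GRUB_ERR_* value instead.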
diff --git a/include/grub/platform_keystore.h b/include/grub/platform_keystore.h
new file mode 100644
index 000000000..8cc4266c9
--- /dev/null
+++ b/include/grub/platform_keystore.h
@@ -0,0 +1,190 @@
+#ifndef __PLATFORM_KEYSTORE_H__
+#define __PLATFORM_KEYSTORE_H__
+
+#include <grub/symbol.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+
+#if __GNUC__ >= 9
+#pragma GCC diagnostic ignored "-Waddress-of-packed-member"
+#endif
+
+#define GRUB_UUID_SIZE 16
+#define GRUB_MAX_HASH_SIZE 64
+
+typedef struct grub_uuid grub_uuid_t;
+typedef struct grub_esd grub_esd_t;
+typedef struct grub_esl grub_esl_t;
+
+/* The structure of a UUID.*/
+struct grub_uuid
+{
+ grub_uint8_t b[GRUB_UUID_SIZE];
+};
+
+/* The structure of an EFI signature database (ESD).*/
+struct grub_esd
+{
+ /*
+ * An identifier which identifies the agent which added
+ * the signature to the list.
+ */
+ grub_uuid_t signatureowner;
+ /* The format of the signature is defined by the SignatureType.*/
+ grub_uint8_t signaturedata[];
+} GRUB_PACKED;
+
+/* The structure of an EFI signature list (ESL).*/
+struct grub_esl
+{
+ /* Type of the signature. GUID signature types are defined in below.*/
+ grub_uuid_t signaturetype;
+ /* Total size of the signature list, including this header.*/
+ grub_uint32_t signaturelistsize;
+ /*
+ * Size of the signature header which precedes
+ * the array of signatures.
+ */
+ grub_uint32_t signatureheadersize;
+ /* Size of each signature.*/
+ grub_uint32_t signaturesize;
+} GRUB_PACKED;
+
+/*
+ * The GRUB_PKS_CERT_* is derived from the following files referred from edk2-staging[1] repo
+ * of tianocore
+ *
+ * MdePkg/Include/Guid/ImageAuthentication.h
+ *
+ * [1] https://github.com/tianocore/edk2-staging
+ */
+
+#define GRUB_PKS_CERT_X509_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0xa1, 0x59, 0xc0, 0xa5, 0xe4, 0x94, \
+ 0xa7, 0x4a, 0x87, 0xb5, 0xab, 0x15, \
+ 0x5c, 0x2b, 0xf0, 0x72 \
+ } \
+ }
+
+#define GRUB_PKS_CERT_SHA1_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x12, 0xa5, 0x6c, 0x82, 0x10, 0xcf, \
+ 0xc9, 0x4a, 0xb1, 0x87, 0xbe, 0x1, \
+ 0x49, 0x66, 0x31, 0xbd \
+ } \
+ }
+
+#define GRUB_PKS_CERT_SHA224_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x33, 0x52, 0x6e, 0xb, 0x5c, 0xa6, \
+ 0xc9, 0x44, 0x94, 0x7, 0xd9, 0xab, \
+ 0x83, 0xbf, 0xc8, 0xbd \
+ } \
+ }
+
+#define GRUB_PKS_CERT_SHA256_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x26, 0x16, 0xc4, 0xc1, 0x4c, 0x50, \
+ 0x92, 0x40, 0xac, 0xa9, 0x41, 0xf9, \
+ 0x36, 0x93, 0x43, 0x28 \
+ } \
+ }
+
+#define GRUB_PKS_CERT_SHA384_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x07, 0x53, 0x3e, 0xff, 0xd0, 0x9f, \
+ 0xc9, 0x48, 0x85, 0xf1, 0x8a, 0xd5, \
+ 0x6c, 0x70, 0x1e, 0x1 \
+ } \
+ }
+
+#define GRUB_PKS_CERT_SHA512_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0xae, 0x0f, 0x3e, 0x09, 0xc4, 0xa6, \
+ 0x50, 0x4f, 0x9f, 0x1b, 0xd4, 0x1e, \
+ 0x2b, 0x89, 0xc1, 0x9a \
+ } \
+ }
+
+#define GRUB_PKS_CERT_X509_SHA256_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x92, 0xa4, 0xd2, 0x3b, 0xc0, 0x96, \
+ 0x79, 0x40, 0xb4, 0x20, 0xfc, 0xf9, \
+ 0x8e, 0xf1, 0x03, 0xed \
+ } \
+ }
+
+#define GRUB_PKS_CERT_X509_SHA384_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x6e, 0x87, 0x76, 0x70, 0xc2, 0x80, \
+ 0xe6, 0x4e, 0xaa, 0xd2, 0x28, 0xb3, \
+ 0x49, 0xa6, 0x86, 0x5b \
+ } \
+ }
+
+#define GRUB_PKS_CERT_X509_SHA512_GUID \
+ (grub_uuid_t) \
+ { \
+ { \
+ 0x63, 0xbf, 0x6d, 0x44, 0x02, 0x25, \
+ 0xda, 0x4c, 0xbc, 0xfa, 0x24, 0x65, \
+ 0xd2, 0xb0, 0xfe, 0x9d \
+ } \
+ }
+
+typedef struct grub_pks_sd grub_pks_sd_t;
+typedef struct grub_pks grub_pks_t;
+
+/* The structure of a PKS signature data.*/
+struct grub_pks_sd
+{
+ grub_uuid_t guid; /* signature type */
+ grub_uint8_t *data; /* signature data */
+ grub_size_t data_size; /* size of signature data */
+} GRUB_PACKED;
+
+/* The structure of a PKS.*/
+struct grub_pks
+{
+ grub_uint8_t use_static_keys;
+ grub_pks_sd_t *db; /* signature database */
+ grub_pks_sd_t *dbx; /* forbidden signature database */
+ grub_size_t db_entries; /* size of signature database */
+ grub_size_t dbx_entries; /* size of forbidden signature database */
+} GRUB_PACKED;
+
+#ifdef __powerpc__
+
+/* initialization of the Platform Keystore */
+grub_err_t grub_platform_keystore_init (void);
+/* releasing allocated memory */
+void EXPORT_FUNC(grub_release_platform_keystore) (void);
+extern grub_uint8_t EXPORT_VAR(grub_use_platform_keystore);
+extern grub_pks_t EXPORT_VAR(grub_platform_keystore);
+
+#else
+
+#define grub_use_platform_keystore 0
+grub_pks_t grub_platform_keystore = {0, NULL, NULL, 0, 0};
+void grub_release_platform_keystore (void);
+
+#endif
+
+#endif
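Review bot: In the `#else` branch, `grub_pks_t grub_platform_keystore = {0, NULL, NULL, 0, 0};` is a definition with external linkage inside a header, so each non-PowerPC translation unit that includes it gets its own copy and they collide at link time, and `void grub_release_platform_keystore (void);` is declared there with no matching definition on those targets. Replace the object with a macro or an extern declaration and make the release function a static inline empty stub. The `#pragma GCC diagnostic ignored "-Waddress-of-packed-member"` at the top stays in effect for every file that includes this header; scope it with push/pop, or drop GRUB_PACKED from grub_pks_sd and grub_pks, which hold pointers and grub_size_t members rather than an on-disk layout.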
--
2.47.0

File diff suppressed because it is too large


@ -1,385 +0,0 @@
From 90153f1c9631498723450d84e014e25865fecc1b Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 15 Mar 2018 14:12:40 -0400
Subject: [PATCH 3/9] Add grub2-switch-to-blscfg
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
[jhlavac: Use ${etcdefaultgrub} instead of /etc/default/grub]
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
[rharwood: skip on ostree installations, migrate man to h2m]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
Makefile.util.def | 7 +
docs/man/grub-switch-to-blscfg.h2m | 2 +
util/grub-switch-to-blscfg.in | 317 +++++++++++++++++++++++++++++
util/grub.d/10_linux.in | 2 +-
4 files changed, 327 insertions(+), 1 deletion(-)
create mode 100644 docs/man/grub-switch-to-blscfg.h2m
create mode 100644 util/grub-switch-to-blscfg.in
diff --git a/Makefile.util.def b/Makefile.util.def
index 6bb30c165..ffedea24a 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -1460,6 +1460,13 @@ program = {
ldadd = '$(LIBINTL) $(LIBDEVMAPPER) $(LIBZFS) $(LIBNVPAIR) $(LIBGEOM)';
};
+script = {
+ name = grub-switch-to-blscfg;
+ common = util/grub-switch-to-blscfg.in;
+ mansection = 8;
+ installdir = sbin;
+};
+
program = {
name = grub-glue-efi;
mansection = 1;
diff --git a/docs/man/grub-switch-to-blscfg.h2m b/docs/man/grub-switch-to-blscfg.h2m
new file mode 100644
index 000000000..fa341426a
--- /dev/null
+++ b/docs/man/grub-switch-to-blscfg.h2m
@@ -0,0 +1,2 @@
+[NAME]
+grub-switch-to-blscfg \- switch to using BLS config files
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
new file mode 100644
index 000000000..a851424be
--- /dev/null
+++ b/util/grub-switch-to-blscfg.in
@@ -0,0 +1,317 @@
+#! /bin/sh
+#
+# Set a default boot entry for GRUB.
+# Copyright (C) 2004,2009 Free Software Foundation, Inc.
+#
+# GRUB is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# GRUB is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+
+#set -eu
+
+# Initialize some variables.
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+sbindir=@sbindir@
+bindir=@bindir@
+sysconfdir="@sysconfdir@"
+PACKAGE_NAME=@PACKAGE_NAME@
+PACKAGE_VERSION=@PACKAGE_VERSION@
+datarootdir="@datarootdir@"
+datadir="@datadir@"
+if [ ! -v pkgdatadir ]; then
+ pkgdatadir="${datadir}/@PACKAGE@"
+fi
+
+self=`basename $0`
+
+grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
+grub_editenv=${bindir}/@grub_editenv@
+etcdefaultgrub=/etc/default/grub
+
+eval "$("${grub_get_kernel_settings}")" || true
+
+EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
+if [ -d /sys/firmware/efi/efivars/ ]; then
+ startlink=/etc/grub2-efi.cfg
+ grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
+else
+ startlink=/etc/grub2.cfg
+ grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+fi
+
+blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
+
+backupsuffix=.bak
+
+arch="$(uname -m)"
+
+export TEXTDOMAIN=@PACKAGE@
+export TEXTDOMAINDIR="@localedir@"
+
+. "${pkgdatadir}/grub-mkconfig_lib"
+
+# Usage: usage
+# Print the usage.
+usage () {
+ gettext_printf "Usage: %s\n" "$self"
+ gettext "Switch to BLS config files.\n"; echo
+ echo
+ print_option_help "-h, --help" "$(gettext "print this message and exit")"
+ print_option_help "-V, --version" "$(gettext "print the version information and exit")"
+ echo
+ print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
+ print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
+ print_option_help "--config-file=$(gettext "FILE")" "$startlink"
+ print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
+ print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
+ # echo
+ # gettext "Report bugs to <bug-grub@gnu.org>."; echo
+}
+
+argument () {
+ opt=$1
+ shift
+
+ if test $# -eq 0; then
+ gettext_printf "%s: option requires an argument -- \`%s'\n" "$self" "$opt" 1>&2
+ exit 1
+ fi
+ echo $1
+}
+
+# Check the arguments.
+while test $# -gt 0
+do
+ option=$1
+ shift
+
+ case "$option" in
+ -h | --help)
+ usage
+ exit 0 ;;
+ -V | --version)
+ echo "$self (${PACKAGE_NAME}) ${PACKAGE_VERSION}"
+ exit 0 ;;
+
+ --backup-suffix)
+ backupsuffix=`argument $option "$@"`
+ shift
+ ;;
+ --backup-suffix=*)
+ backupsuffix=`echo "$option" | sed 's/--backup-suffix=//'`
+ ;;
+
+ --bls-directory)
+ blsdir=`argument $option "$@"`
+ shift
+ ;;
+ --bls-directory=*)
+ blsdir=`echo "$option" | sed 's/--bls-directory=//'`
+ ;;
+
+ --config-file)
+ startlink=`argument $option "$@"`
+ shift
+ ;;
+ --config-file=*)
+ startlink=`echo "$option" | sed 's/--config-file=//'`
+ ;;
+
+ --grub-defaults)
+ etcdefaultgrub=`argument $option "$@"`
+ shift
+ ;;
+ --grub-defaults=*)
+ etcdefaultgrub=`echo "$option" | sed 's/--grub-defaults=//'`
+ ;;
+
+ --grub-directory)
+ grubdir=`argument $option "$@"`
+ shift
+ ;;
+ --grub-directory=*)
+ grubdir=`echo "$option" | sed 's/--grub-directory=//'`
+ ;;
+
+ *)
+ gettext_printf "Unrecognized option \`%s'\n" "$option" 1>&2
+ usage
+ exit 1
+ ;;
+ esac
+done
+
+find_grub_cfg() {
+ local candidate=""
+ while [ -e "${candidate}" -o $# -gt 0 ]
+ do
+ if [ ! -e "${candidate}" ] ; then
+ candidate="$1"
+ shift
+ fi
+
+ if [ -L "${candidate}" ]; then
+ candidate="$(realpath "${candidate}")"
+ fi
+
+ if [ -f "${candidate}" ]; then
+ export GRUB_CONFIG_FILE="${candidate}"
+ return 0
+ fi
+ done
+ return 1
+}
+
+if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
+ gettext_printf "Couldn't find config file\n" 1>&2
+ exit 1
+fi
+
+if [ ! -d "${blsdir}" ]; then
+ install -m 700 -d "${blsdir}"
+fi
+
+if [ -f /etc/machine-id ]; then
+ MACHINE_ID=$(cat /etc/machine-id)
+else
+ MACHINE_ID=$(dmesg | sha256sum)
+fi
+
+mkbls() {
+ local kernelver=$1 && shift
+ local datetime=$1 && shift
+ local kernelopts=$1 && shift
+
+ local debugname=""
+ local debugid=""
+ local flavor=""
+
+ if [ "$kernelver" == *\+* ] ; then
+ local flavor=-"${kernelver##*+}"
+ if [ "${flavor}" == "-debug" ]; then
+ local debugname=" with debugging"
+ local debugid="-debug"
+ fi
+ fi
+ (
+ source /etc/os-release
+
+ cat <<EOF
+title ${NAME} (${kernelver}) ${VERSION}${debugname}
+version ${kernelver}${debugid}
+linux /vmlinuz-${kernelver}
+initrd /initramfs-${kernelver}.img
+options ${kernelopts}
+grub_users \$grub_users
+grub_arg --unrestricted
+grub_class kernel${flavor}
+EOF
+ ) | cat
+}
+
+copy_bls() {
+ for kernelver in $(cd /lib/modules/ ; ls -1) "" ; do
+ bls_target="${blsdir}/${MACHINE_ID}-${kernelver}.conf"
+ linux="/vmlinuz-${kernelver}"
+ linux_path="/boot${linux}"
+ kernel_dir="/lib/modules/${kernelver}"
+
+ if [ ! -d "${kernel_dir}" ] ; then
+ continue
+ fi
+ if [ ! -f "${linux_path}" ]; then
+ continue
+ fi
+
+ linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
+ bootprefix="${linux_relpath%%"${linux}"}"
+ cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+
+ mkbls "${kernelver}" \
+ "$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
+ "${bootprefix}" "${cmdline}" >"${bls_target}"
+
+ if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
+ bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
+ cp -aT "${bls_target}" "${bls_debug}"
+ title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
+ options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
+ sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
+ sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
+ fi
+ done
+
+ if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
+ mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
+ fi
+}
+
+# The grub2 EFI binary is not copied to the ESP as a part of an ostree
+# transaction. Make sure a grub2 version with BLS support is installed
+# but only do this if the blsdir is not set, to make sure that the BLS
+# parsing module will search for the BLS snippets in the default path.
+if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
+ ! ${grub_editenv} - list | grep -q blsdir && \
+ mountpoint -q /boot; then
+ grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
+ install -m 700 ${grub_binary} ${grubdir} || exit 1
+ # Create a hidden file to indicate that grub2 now has BLS support.
+ touch /boot/grub2/.grub2-blscfg-supported
+fi
+
+GENERATE=0
+if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
+ | grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
+ if ! sed -i"${backupsuffix}" \
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=true,' \
+ "${etcdefaultgrub}" ; then
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
+ exit 1
+ fi
+ GENERATE=1
+elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then
+ if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then
+ gettext_printf "Updating %s failed\n" "${etcdefaultgrub}"
+ exit 1
+ fi
+ GENERATE=1
+fi
+
+if [ "${GENERATE}" -eq 1 ] ; then
+ copy_bls
+
+ if [ $arch = "x86_64" ] && [ ! -d /sys/firmware/efi ]; then
+ mod_dir="i386-pc"
+ elif [ $arch = "ppc64" -o $arch = "ppc64le" ] && [ ! -d /sys/firmware/opal ]; then
+ mod_dir="powerpc-ieee1275"
+ fi
+
+ if [ -n "${mod_dir}" ]; then
+ for mod in blscfg increment; do
+ install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
+ done
+ fi
+
+ cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
+ if ! grub2-mkconfig -o "${GRUB_CONFIG_FILE}" ; then
+ install -m 700 "${GRUB_CONFIG_FILE}${backupsuffix}" "${GRUB_CONFIG_FILE}"
+ sed -i"${backupsuffix}" \
+ -e 's,^GRUB_ENABLE_BLSCFG=.*,GRUB_ENABLE_BLSCFG=false,' \
+ "${etcdefaultgrub}"
+ gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
+ exit 1
+ fi
+fi
+
+# Bye.
+exit 0
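Review bot: mkbls reads three positional parameters (kernelver, datetime, kernelopts), but copy_bls calls it with four (kernel version, date string, `"${bootprefix}"`, `"${cmdline}"`), so the `options` line is written from ${bootprefix} and the kernel command line is dropped; the rescue call passes `"0" "${bootprefix}"` and has the same problem. Add a bootprefix parameter to mkbls and use it in the `linux` and `initrd` paths, or stop passing it. The script also starts with `#! /bin/sh` while relying on bash features: `[ ! -v pkgdatadir ]`, `local`, `source`, and `[ "$kernelver" == *\+* ]`, where a single-bracket test does no pattern matching, so the flavor branch does not behave as written. Use a `case` statement for the match and either change the interpreter line or remove the bashisms.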
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 49eccbeaf..45eefb332 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -147,7 +147,7 @@ blsdir="/boot/loader/entries"
get_sorted_bls()
{
- if ! [ -d "${blsdir}" ]; then
+ if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
return
fi
--
2.44.0


@ -1,117 +0,0 @@
From 6c8d390809956d355fed8bc830f64e86838e3e82 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Sat, 18 Nov 2023 21:42:00 +0800
Subject: [PATCH 3/4] Restrict 'ls' and auto file completion on cryptodisk
print
The 'ls' command allows file listing, while file completion assists in
providing matched file names by partially inputting via the TAB key.
Both functionalities should be restricted when the disk is automatically
unlocked for the same reasons as highlighted in the previous patch
addressing the limitation on file access to the cryptodisk.
Given that no file is explicitly opened for listing, employing file
filters becomes impractical. Consequently, this patch focuses on
modifying relevant routines separately to incorporate necessary checks.
The objective is to introduce measures that prevent 'ls' and auto file
completion from accessing encrypted data when the disk is automatically
unlocked.
By implementing these modifications, any attempt to utilize 'ls' or file
completion on the cryptodisk will result in an "Access Denied:
prohibited to browse encrypted data" error message, thus effectively
alerting the user about the restricted access.
While protecting content within disk files from viewing is essential,
it's equally crucial to restrict access to in-memory content. This
includes prohibiting access to the decrypted in-memory copies of disk
files.
This enhancement aims to fortify security protocols by extending
restrictions to additional functionalities beyond direct file access.
Signed-Off-by Michael Chang <mchang@suse.com>
---
grub-core/commands/ls.c | 8 ++++++++
grub-core/commands/minicmd.c | 6 ++++++
grub-core/kern/corecmd.c | 8 ++++++++
grub-core/normal/completion.c | 8 ++++++++
4 files changed, 30 insertions(+)
diff --git a/grub-core/commands/ls.c b/grub-core/commands/ls.c
index 8e98c73cc..aeb336a73 100644
--- a/grub-core/commands/ls.c
+++ b/grub-core/commands/ls.c
@@ -183,6 +183,14 @@ grub_ls_list_files (char *dirname, int longlist, int all, int human)
if (! dev)
goto fail;
+ if (dev->disk &&
+ grub_disk_is_crypto (dev->disk) &&
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
+ goto fail;
+ }
+
fs = grub_fs_probe (dev);
path = grub_strchr (dirname, ')');
if (! path)
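Review bot: The new condition keys on `grub_file_filters[GRUB_FILE_FILTER_NOCAT]` being set, not on how this particular disk was unlocked, so once that filter is registered `ls` is refused on every cryptodisk. The commit message describes the restriction as applying when the disk is automatically unlocked, so either the check or the message should be adjusted to say the same thing. The identical three-line condition and error are repeated in the corecmd.c and completion.c hunks; a small shared helper would keep the three call sites from drifting apart. The error text here reads "prohibited to browse encrypted content" while the commit message quotes "prohibited to browse encrypted data".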
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
index fa498931e..8f2ac0539 100644
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@@ -101,6 +101,12 @@ grub_mini_cmd_dump (struct grub_command *cmd __attribute__ ((unused)),
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no address specified");
+ /* NOCAT filter is applied to prevent cat alike command from revealing file
+ * content, the dump command should also be prohibited to revealing memory
+ * content as well */
+ if (grub_file_filters[GRUB_FILE_FILTER_NOCAT])
+ return grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited by security policy"));
+
#if GRUB_CPU_SIZEOF_VOID_P == GRUB_CPU_SIZEOF_LONG
#define grub_strtoaddr grub_strtoul
#else
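Review bot: The comment added above the NOCAT check needs rewording ("cat alike", "prohibited to revealing") and should use the block-comment layout with `/*` and `*/` on their own lines. The error string "prohibited by security policy" gives the user no hint which restriction applies; naming it, as the `ls` message in this patch does, would make the refusal easier to understand.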
diff --git a/grub-core/kern/corecmd.c b/grub-core/kern/corecmd.c
index 62d434ba9..b639bc3ae 100644
--- a/grub-core/kern/corecmd.c
+++ b/grub-core/kern/corecmd.c
@@ -135,6 +135,14 @@ grub_core_cmd_ls (struct grub_command *cmd __attribute__ ((unused)),
if (! dev)
goto fail;
+ if (dev->disk &&
+ grub_disk_is_crypto (dev->disk) &&
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
+ goto fail;
+ }
+
fs = grub_fs_probe (dev);
path = grub_strchr (argv[0], ')');
if (! path)
diff --git a/grub-core/normal/completion.c b/grub-core/normal/completion.c
index 18cadfa85..d003ec37d 100644
--- a/grub-core/normal/completion.c
+++ b/grub-core/normal/completion.c
@@ -259,6 +259,14 @@ complete_file (void)
goto fail;
}
+ if (dev->disk &&
+ grub_disk_is_crypto (dev->disk) &&
+ grub_file_filters[GRUB_FILE_FILTER_NOCAT])
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("prohibited to browse encrypted content"));
+ goto fail;
+ }
+
fs = grub_fs_probe (dev);
if (! fs)
{
--
2.42.1


@ -0,0 +1,831 @@
From 350e8d823db1febc2c81635115ef3c4c0f41f3e7 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Tue, 17 Jan 2023 22:38:05 +0530
Subject: [PATCH 3/8] appendedsig: The creation of trusted and distrusted lists
The trusted certificates and binary hashes, distrusted certificates and
binary/certificate hashes will be extracted from the platform keystore buffer
if Secure Boot is enabled with PKS.
In order to verify the integrity of the kernel, the extracted data
would be stored in the buffer db and dbx.
The trusted certificates will be extracted from the grub ELFNOTE if Secure Boot is
enabled with static key. In order to verify the integrity of the kernel,
the extracted data would be stored in the buffer db.
Note:-
if the trusted certificate nor binary hash exists in the distrusted list (DBX),
rejected it while extracting it from the platform keystore buffer.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsastry@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 701 +++++++++++++++++--
1 file changed, 635 insertions(+), 66 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index e63ad1ac6..5bb09e349 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -33,7 +33,7 @@
#include <grub/libtasn1.h>
#include <grub/env.h>
#include <grub/lockdown.h>
-
+#include <grub/platform_keystore.h>
#include "appendedsig.h"
GRUB_MOD_LICENSE ("GPLv3+");
@@ -66,8 +66,23 @@ struct grub_appended_signature
struct pkcs7_signedData pkcs7; /* Parsed PKCS#7 data */
};
-/* Trusted certificates for verifying appended signatures */
-struct x509_certificate *grub_trusted_key;
+/* This represents a trusted/distrusted list*/
+struct grub_database
+{
+ struct x509_certificate *keys; /* Certificates */
+ grub_size_t key_entries; /* Number of certificates */
+ grub_uint8_t **signatures; /* Certificate/binary hashes */
+ grub_size_t *signature_size; /* Size of certificate/binary hashes */
+ grub_size_t signature_entries; /* Number of certificate/binary hashes */
+};
+
+/* Trusted list */
+struct grub_database grub_db = {.keys = NULL, .key_entries = 0, .signatures = NULL,
+ .signature_size = NULL, .signature_entries = 0};
+
+/* Distrusted list */
+struct grub_database grub_dbx = {.signatures = NULL, .signature_size = NULL,
+ .signature_entries = 0};
/*
* Force gcry_rsa to be a module dependency.
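Review bot: `signatures` and `signature_size` in `struct grub_database` are two parallel arrays that have to be grown and indexed in lockstep, which makes a partial update easy to get wrong; a single array of `{ data, size }` entries would remove that class of error. `grub_db` and `grub_dbx` are also defined without `static`; if nothing outside appendedsig.c needs them, give them internal linkage. Minor: the comment `/* This represents a trusted/distrusted list*/` is missing the space before `*/`.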
@@ -90,12 +105,263 @@ struct x509_certificate *grub_trusted_key;
*/
extern gcry_pk_spec_t _gcry_pubkey_spec_rsa;
+extern gcry_md_spec_t _gcry_digest_spec_sha224;
+extern gcry_md_spec_t _gcry_digest_spec_sha384;
+
+/* releasing trusted list memory */
+static void grub_release_trusted_list (void);
+/* releasing distrusted list memory */
+static void grub_release_distrusted_list (void);
+
static enum
{ check_sigs_no = 0,
check_sigs_enforce = 1,
check_sigs_forced = 2
} check_sigs = check_sigs_no;
+/*
+ * GUID can be used to determine the hashing function and
+ * generate the hash using determined hashing function.
+ */
+static grub_err_t
+grub_get_hash (const grub_uuid_t *guid, const grub_uint8_t *data, const grub_size_t data_size,
+ grub_uint8_t *hash, grub_size_t *hash_size)
+{
+ gcry_md_spec_t *hash_func = NULL;
+
+ if (guid == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "signature data type is null");
+
+ if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA256_GUID, GRUB_UUID_SIZE) == 0)
+ hash_func = &_gcry_digest_spec_sha256;
+ else if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA384_GUID, GRUB_UUID_SIZE) == 0)
+ hash_func = &_gcry_digest_spec_sha384;
+ else if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA512_GUID, GRUB_UUID_SIZE) == 0)
+ hash_func = &_gcry_digest_spec_sha512;
+ else
+ return GRUB_ERR_UNKNOWN_COMMAND;
+
+ grub_memset (hash, 0x00, GRUB_MAX_HASH_SIZE);
+ grub_crypto_hash (hash_func, hash, data, data_size);
+ *hash_size = hash_func->mdlen;
+
+ return GRUB_ERR_NONE;
+}
+
+/* adding the certificate/binary hash into the trusted/distrusted list */
+static grub_err_t
+grub_add_hash (const grub_uint8_t **data, const grub_size_t data_size,
+ grub_uint8_t ***signature_list, grub_size_t **signature_size_list,
+ grub_size_t *signature_list_entries)
+{
+ grub_uint8_t **signatures = *signature_list;
+ grub_size_t *signature_size = *signature_size_list;
+ grub_size_t signature_entries = *signature_list_entries;
+
+ if (*data == NULL || data_size == 0)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "certificate/binary hash data/size is null");
+
+ if (signatures == NULL && signature_size == NULL)
+ {
+ signatures = grub_zalloc (sizeof (grub_uint8_t *));
+ signature_size = grub_zalloc (sizeof (grub_size_t));
+ }
+ else
+ {
+ signatures = grub_realloc (signatures, sizeof (grub_uint8_t *) * (signature_entries + 1));
+ signature_size = grub_realloc (signature_size,
+ sizeof (grub_size_t) * (signature_entries + 1));
+ }
+
+ if (signatures == NULL || signature_size == NULL)
+ {
+ /*
+ * allocated memory will be freed by
+ * grub_release_trusted_list/grub_release_distrusted_list
+ */
+ if (signatures != NULL)
+ {
+ *signature_list = signatures;
+ *signature_list_entries = signature_entries + 1;
+ }
+
+ if (signature_size != NULL)
+ *signature_size_list = signature_size;
+
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+ }
+
+ signatures[signature_entries] = (grub_uint8_t *) *data;
+ signature_size[signature_entries] = data_size;
+ signature_entries++;
+ *data = NULL;
+
+ *signature_list = signatures;
+ *signature_size_list = signature_size;
+ *signature_list_entries = signature_entries;
+
+ return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_is_x509 (const grub_uuid_t *guid)
+{
+ if (grub_memcmp (guid, &GRUB_PKS_CERT_X509_GUID, GRUB_UUID_SIZE) == 0)
+ return GRUB_ERR_NONE;
+
+ return GRUB_ERR_UNKNOWN_COMMAND;
+}
+
+static grub_err_t
+grub_is_cert_match (const struct x509_certificate *distrusted_cert,
+ const struct x509_certificate *db_cert)
+{
+
+ if (grub_memcmp (distrusted_cert->subject, db_cert->subject, db_cert->subject_len) == 0
+ && grub_memcmp (distrusted_cert->serial, db_cert->serial, db_cert->serial_len) == 0
+ && grub_memcmp (distrusted_cert->mpis[0], db_cert->mpis[0], sizeof (db_cert->mpis[0])) == 0
+ && grub_memcmp (distrusted_cert->mpis[1], db_cert->mpis[1], sizeof (db_cert->mpis[1])) == 0)
+ return GRUB_ERR_NONE;
+
+ return GRUB_ERR_UNKNOWN_COMMAND;
+}
+
+/*
+ * verify the certificate against the certificate from platform keystore buffer's
+ * distrusted list, if it is present, return a bad signature.
+ * else, no errors.
+ */
+static grub_err_t
+grub_is_distrusted_cert (const struct x509_certificate *db_cert)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t i = 0;
+ struct x509_certificate *distrusted_cert = NULL;
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ {
+ if (grub_platform_keystore.dbx[i].data == NULL &&
+ grub_platform_keystore.dbx[i].data_size == 0)
+ continue;
+
+ if (grub_is_x509 (&grub_platform_keystore.dbx[i].guid) == GRUB_ERR_NONE)
+ {
+ distrusted_cert = grub_zalloc (sizeof (struct x509_certificate));
+ if (distrusted_cert == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ rc = parse_x509_certificate (grub_platform_keystore.dbx[i].data,
+ grub_platform_keystore.dbx[i].data_size, distrusted_cert);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_free (distrusted_cert);
+ continue;
+ }
+
+ if (grub_is_cert_match (distrusted_cert, db_cert) == GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: a trusted certificate CN='%s' is ignored "
+ "because it is on the distrusted list (dbx).\n", db_cert->subject);
+ grub_free (grub_platform_keystore.dbx[i].data);
+ grub_memset (&grub_platform_keystore.dbx[i], 0x00,
+ sizeof (grub_platform_keystore.dbx[i]));
+ certificate_release (distrusted_cert);
+ grub_free (distrusted_cert);
+ return GRUB_ERR_BAD_SIGNATURE;
+ }
+
+ certificate_release (distrusted_cert);
+ grub_free (distrusted_cert);
+ }
+ }
+
+ return GRUB_ERR_NONE;
+}
+
+/* adding the certificate into the trusted/distrusted list */
+static grub_err_t
+grub_add_certificate (const grub_uint8_t *data, const grub_size_t data_size,
+ struct grub_database *database, const grub_uint8_t is_db)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t key_entries = database->key_entries;
+ struct x509_certificate *cert = NULL;
+
+ if (data == NULL || data_size == 0)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "certificate data/size is null");
+
+ cert = grub_zalloc (sizeof (struct x509_certificate));
+ if (cert == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of memory");
+
+ rc = parse_x509_certificate (data, data_size, cert);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_printf ("Warning: skipping %s certificate (%d)\n",
+ (is_db ? "trusted":"distrused"), rc);
+ grub_free (cert);
+ return rc;
+ }
+
+ if (is_db)
+ {
+ rc = grub_is_distrusted_cert (cert);
+ if (rc != GRUB_ERR_NONE)
+ {
+ certificate_release (cert);
+ grub_free (cert);
+ return rc;
+ }
+ }
+
+ grub_dprintf ("appendedsig", "add a %s certificate CN='%s'\n",
+ (is_db ? "trusted":"distrused"), cert->subject);
+
+ key_entries++;
+ cert->next = database->keys;
+ database->keys = cert;
+ database->key_entries = key_entries;
+
+ return rc;
+}
+
+static grub_err_t
+grub_read_file (const grub_file_t file, grub_uint8_t **data, grub_ssize_t *data_size)
+{
+ grub_uint8_t *buffer = NULL;
+ grub_ssize_t read_size = 0;
+ grub_off_t total_read_size = 0;
+ grub_off_t file_size = grub_file_size (file);
+
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("could not parse the unknown size of the file."));
+
+ buffer = grub_zalloc (file_size);
+ if (buffer == NULL)
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
+
+ while (total_read_size < file_size)
+ {
+ read_size = grub_file_read (file, &buffer[total_read_size], file_size - total_read_size);
+ if (read_size < 0)
+ {
+ grub_free (buffer);
+ return grub_error (GRUB_ERR_READ_ERROR, N_("unable to read the file"));
+ }
+
+ total_read_size += read_size;
+ }
+
+ *data = buffer;
+ *data_size = total_read_size;
+
+ return GRUB_ERR_NONE;
+}
+
static const char *
grub_env_read_sec (struct grub_env_var *var __attribute__((unused)),
const char *val __attribute__((unused)))
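Review bot: In `grub_is_cert_match`, `sizeof (db_cert->mpis[0])` is the size of the array element, not the length of the key material, and `mpis[0]` is passed to `grub_crypto_rsa_pad` as an MPI object elsewhere in this file, so the last two `grub_memcmp` calls do not compare the public key values. The subject and serial comparisons also use only `db_cert`'s lengths without first checking that both sides have the same length. Compare the lengths first and compare the MPIs by value. Separately, in `grub_add_hash`, when one `grub_realloc` succeeds and the other fails, `*signature_list_entries` is set to `signature_entries + 1` although the new slot was never initialised, so the release functions will later call `grub_free` on an indeterminate pointer; leave the count unchanged on that path. The skip test `data == NULL && data_size == 0` in `grub_is_distrusted_cert` should use `||`, and `grub_read_file` never terminates if `grub_file_read` returns 0 before `file_size` is reached.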
@@ -153,10 +419,7 @@ file_read_all (grub_file_t file, grub_uint8_t **buf, grub_size_t *len)
while (total_read_size < file_size)
{
- read_size =
- grub_file_read (file, *buf + total_read_size,
- file_size - total_read_size);
-
+ read_size = grub_file_read (file, *buf + total_read_size, file_size - total_read_size);
if (read_size < 0)
{
grub_free (*buf);
@@ -267,9 +530,8 @@ grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
struct pkcs7_signerInfo *si;
int i;
- if (!grub_trusted_key)
- return grub_error (GRUB_ERR_BAD_SIGNATURE,
- N_("No trusted keys to verify against"));
+ if (!grub_db.key_entries)
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("No trusted keys to verify against"));
err = extract_appended_signature (buf, bufsize, &sig);
if (err != GRUB_ERR_NONE)
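Review bot: The guard now tests `grub_db.key_entries`, but the later hunks in `grub_cmd_trust` and `grub_cmd_distrust` add to and remove from `grub_db.keys` without touching `key_entries`, so the counter and the list can disagree: a certificate added with trust_certificate to an empty list would still hit "No trusted keys to verify against". Either test `grub_db.keys` here, as the old code tested `grub_trusted_key`, or update `key_entries` in both commands.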
@@ -299,17 +561,16 @@ grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
datasize, i, hash[0], hash[1], hash[2], hash[3]);
err = GRUB_ERR_BAD_SIGNATURE;
- for (pk = grub_trusted_key; pk; pk = pk->next)
- {
- rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, pk->mpis[0]);
- if (rc)
- {
- err = grub_error (GRUB_ERR_BAD_SIGNATURE,
- N_("Error padding hash for RSA verification: %d"),
- rc);
- grub_free (context);
- goto cleanup;
- }
+ for (pk = grub_db.keys; pk; pk = pk->next)
+ {
+ rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, pk->mpis[0]);
+ if (rc)
+ {
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
+ N_("Error padding hash for RSA verification: %d"), rc);
+ grub_free (context);
+ goto cleanup;
+ }
rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &si->sig_mpi,
pk->mpis, NULL, NULL);
@@ -402,16 +663,16 @@ grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
if (cert_num == 1)
{
- cert = grub_trusted_key;
- grub_trusted_key = cert->next;
+ cert = grub_db.keys;
+ grub_db.keys = cert->next;
certificate_release (cert);
grub_free (cert);
return GRUB_ERR_NONE;
}
i = 2;
- prev = grub_trusted_key;
- cert = grub_trusted_key->next;
+ prev = grub_db.keys;
+ cert = grub_db.keys->next;
while (cert)
{
if (i == cert_num)
@@ -464,8 +725,8 @@ grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
cert->subject);
- cert->next = grub_trusted_key;
- grub_trusted_key = cert;
+ cert->next = grub_db.keys;
+ grub_db.keys = cert;
return GRUB_ERR_NONE;
}
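Review bot: `grub_cmd_trust` links the new certificate straight into `grub_db.keys` with no check against the distrusted list, unlike the keystore path, where `grub_add_certificate` calls `grub_is_distrusted_cert` first. A certificate listed in dbx can therefore still be trusted at run time. Check the parsed certificate against `grub_dbx` before linking it in, so both ways of populating `grub_db` apply the same policy.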
@@ -479,7 +740,7 @@ grub_cmd_list (grub_command_t cmd __attribute__((unused)),
int cert_num = 1;
grub_size_t i;
- for (cert = grub_trusted_key; cert; cert = cert->next)
+ for (cert = grub_db.keys; cert; cert = cert->next)
{
grub_printf (N_("Certificate %d:\n"), cert_num);
@@ -577,6 +838,305 @@ static struct grub_fs pseudo_fs = {
.fs_read = pseudo_read
};
+/*
+ * verify the trusted certificate against the certificate hashes from platform keystore buffer's
+ * distrusted list, if it is present, return a bad signature.
+ * else, no errors.
+ */
+static grub_err_t
+grub_is_distrusted_cert_hash (const grub_uint8_t *data, const grub_size_t data_size)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t i = 0, cert_hash_size = 0;
+ grub_uint8_t cert_hash[GRUB_MAX_HASH_SIZE] = { 0 };
+
+ if (data == NULL || data_size == 0)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "trusted certificate data/size is null");
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ {
+ if (grub_platform_keystore.dbx[i].data == NULL &&
+ grub_platform_keystore.dbx[i].data_size == 0)
+ continue;
+
+ rc = grub_get_hash (&grub_platform_keystore.dbx[i].guid, data, data_size,
+ cert_hash, &cert_hash_size);
+ if (rc != GRUB_ERR_NONE)
+ continue;
+
+ if (cert_hash_size == grub_platform_keystore.dbx[i].data_size &&
+ grub_memcmp (grub_platform_keystore.dbx[i].data, cert_hash, cert_hash_size) == 0)
+ {
+ grub_printf ("Warning: a trusted certificate (%02x%02x%02x%02x) is ignored "
+ "because this certificate hash is on the distrusted list (dbx).\n",
+ cert_hash[0], cert_hash[1], cert_hash[2], cert_hash[3]);
+ grub_free (grub_platform_keystore.dbx[i].data);
+ grub_memset (&grub_platform_keystore.dbx[i], 0x00,
+ sizeof (grub_platform_keystore.dbx[i]));
+ return GRUB_ERR_BAD_SIGNATURE;
+ }
+ }
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * verify the trusted binary hash against the platform keystore buffer's
+ * distrusted list, if it is present, return a bad signature.
+ * else, no errors.
+ */
+static grub_err_t
+grub_is_distrusted_binary_hash (const grub_uint8_t *binary_hash,
+ const grub_size_t binary_hash_size)
+{
+ grub_size_t i = 0;
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ {
+ if (grub_platform_keystore.dbx[i].data == NULL &&
+ grub_platform_keystore.dbx[i].data_size == 0)
+ continue;
+
+ if (binary_hash_size == grub_platform_keystore.dbx[i].data_size &&
+ grub_memcmp (grub_platform_keystore.dbx[i].data, binary_hash, binary_hash_size) == 0)
+ {
+ grub_printf ("Warning: a trusted binary hash (%02x%02x%02x%02x) is ignored"
+ " because it is on the distrusted list (dbx).\n",
+ binary_hash[0], binary_hash[1], binary_hash[2], binary_hash[3]);
+ grub_free (grub_platform_keystore.dbx[i].data);
+ grub_memset (&grub_platform_keystore.dbx[i], 0x00,
+ sizeof (grub_platform_keystore.dbx[i]));
+ return GRUB_ERR_BAD_SIGNATURE;
+ }
+ }
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * extracts the binary hashes from the platform keystore buffer,
+ * and adds it to the trusted list if not exists in distrusted list.
+ */
+static grub_err_t
+grub_add_trusted_binary_hash (const grub_uint8_t **data, const grub_size_t data_size)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+
+ if (*data == NULL || data_size == 0)
+ return grub_error (GRUB_ERR_OUT_OF_RANGE, "trusted binary hash data/size is null");
+
+ rc = grub_is_distrusted_binary_hash (*data, data_size);
+ if (rc != GRUB_ERR_NONE)
+ return rc;
+
+ rc = grub_add_hash (data, data_size, &grub_db.signatures, &grub_db.signature_size,
+ &grub_db.signature_entries);
+ return rc;
+}
+
+static grub_err_t
+grub_is_hash (const grub_uuid_t *guid)
+{
+ /* GUID type of the binary hash */
+ if (grub_memcmp (guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_UUID_SIZE) == 0)
+ return GRUB_ERR_NONE;
+
+ /* GUID type of the certificate hash */
+ if (grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA256_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA384_GUID, GRUB_UUID_SIZE) == 0 ||
+ grub_memcmp (guid, &GRUB_PKS_CERT_X509_SHA512_GUID, GRUB_UUID_SIZE) == 0)
+ return GRUB_ERR_NONE;
+
+ return GRUB_ERR_UNKNOWN_COMMAND;
+}
+
+/*
+ * extracts the x509 certificates/binary hashes from the platform keystore buffer,
+ * parses it, and adds it to the trusted list.
+ */
+static grub_err_t
+grub_create_trusted_list (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t i = 0;
+
+ for (i = 0; i < grub_platform_keystore.db_entries; i++)
+ {
+ if (grub_is_hash (&grub_platform_keystore.db[i].guid) == GRUB_ERR_NONE)
+ {
+ rc = grub_add_trusted_binary_hash ((const grub_uint8_t **)
+ &grub_platform_keystore.db[i].data,
+ grub_platform_keystore.db[i].data_size);
+ if (rc == GRUB_ERR_OUT_OF_MEMORY)
+ return rc;
+
+ continue;
+ }
+ else if (grub_is_x509 (&grub_platform_keystore.db[i].guid) == GRUB_ERR_NONE)
+ {
+
+ rc = grub_is_distrusted_cert_hash (grub_platform_keystore.db[i].data,
+ grub_platform_keystore.db[i].data_size);
+ if (rc != GRUB_ERR_NONE)
+ continue;
+
+ rc = grub_add_certificate (grub_platform_keystore.db[i].data,
+ grub_platform_keystore.db[i].data_size, &grub_db, 1);
+ if (rc == GRUB_ERR_OUT_OF_MEMORY)
+ return rc;
+ else if (rc != GRUB_ERR_NONE)
+ continue;
+ }
+ else
+ grub_printf ("Warning: unsupported signature data type and "
+ "skipping trusted data (%" PRIuGRUB_SIZE ")\n", i + 1);
+ }
+
+ return GRUB_ERR_NONE;
+}
+
+/*
+ * extracts the certificates, certificate/binary hashes out of the platform keystore buffer,
+ * and adds it to the distrusted list.
+ */
+static grub_err_t
+grub_create_distrusted_list (void)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t i = 0;
+
+ for (i = 0; i < grub_platform_keystore.dbx_entries; i++)
+ {
+ if (grub_platform_keystore.dbx[i].data != NULL &&
+ grub_platform_keystore.dbx[i].data_size > 0)
+ {
+ if (grub_is_x509 (&grub_platform_keystore.dbx[i].guid))
+ {
+ rc = grub_add_certificate (grub_platform_keystore.dbx[i].data,
+ grub_platform_keystore.dbx[i].data_size, &grub_dbx, 0);
+ if (rc == GRUB_ERR_OUT_OF_MEMORY)
+ return rc;
+ }
+ else if (grub_is_hash (&grub_platform_keystore.dbx[i].guid) == GRUB_ERR_NONE)
+ {
+ rc = grub_add_hash ((const grub_uint8_t **) &grub_platform_keystore.dbx[i].data,
+ grub_platform_keystore.dbx[i].data_size,
+ &grub_dbx.signatures, &grub_dbx.signature_size,
+ &grub_dbx.signature_entries);
+ if (rc != GRUB_ERR_NONE)
+ return rc;
+ }
+ else
+ grub_printf ("Warning: unsupported signature data type and "
+ "skipping distrusted data (%" PRIuGRUB_SIZE ")\n", i + 1);
+ }
+ }
+
+ return rc;
+}
+
+/*
+ * extracts the x509 certificates from the ELF note header,
+ * parses it, and adds it to the trusted list.
+ */
+static grub_err_t
+grub_build_static_trusted_list (const struct grub_module_header *header, bool mode)
+{
+ grub_err_t err = GRUB_ERR_NONE;
+ struct grub_file pseudo_file;
+ grub_uint8_t *cert_data = NULL;
+ grub_ssize_t cert_data_size = 0;
+
+ grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
+ pseudo_file.fs = &pseudo_fs;
+ pseudo_file.size = header->size - sizeof (struct grub_module_header);
+ pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
+
+ grub_dprintf ("appendedsig", "found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
+ pseudo_file.size);
+
+ err = grub_read_file (&pseudo_file, &cert_data, &cert_data_size);
+ if (err != GRUB_ERR_NONE)
+ return err;
+
+ if (mode)
+ {
+ err = grub_is_distrusted_cert_hash (cert_data, cert_data_size);
+ if (err != GRUB_ERR_NONE)
+ return err;
+ }
+
+ err = grub_add_certificate (cert_data, cert_data_size, &grub_db, mode);
+ if (cert_data != NULL)
+ grub_free (cert_data);
+
+ return err;
+}
+
+/* releasing memory */
+static void
+grub_release_trusted_list (void)
+{
+ struct x509_certificate *cert;
+ grub_size_t i = 0;
+
+ while (grub_db.keys != NULL)
+ {
+ cert = grub_db.keys;
+ grub_db.keys = grub_db.keys->next;
+ certificate_release (cert);
+ grub_free (cert);
+ }
+
+ for (i = 0; i < grub_db.signature_entries; i++)
+ grub_free (grub_db.signatures[i]);
+
+ grub_free (grub_db.signatures);
+ grub_free (grub_db.signature_size);
+ grub_memset (&grub_db, 0x00, sizeof (grub_db));
+}
+
+/* releasing memory */
+static void
+grub_release_distrusted_list (void)
+{
+ struct x509_certificate *cert;
+ grub_size_t i = 0;
+
+ while (grub_dbx.keys != NULL)
+ {
+ cert = grub_dbx.keys;
+ grub_dbx.keys = grub_dbx.keys->next;
+ certificate_release (cert);
+ grub_free (cert);
+ }
+
+ for (i = 0; i < grub_dbx.signature_entries; i++)
+ grub_free (grub_dbx.signatures[i]);
+
+ grub_free (grub_dbx.signatures);
+ grub_free (grub_dbx.signature_size);
+ grub_memset (&grub_dbx, 0x00, sizeof (grub_dbx));
+}
+
+static grub_err_t
+grub_load_static_keys (struct grub_module_header *header, bool mode)
+{
+ int rc = GRUB_ERR_NONE;
+
+ FOR_MODULES (header)
+ {
+ /* Not an ELF module, skip. */
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
+ continue;
+ rc = grub_build_static_trusted_list (header, mode);
+ }
+
+ return rc;
+}
+
static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
GRUB_MOD_INIT (appendedsig)
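Review bot: In `grub_create_distrusted_list`, `if (grub_is_x509 (&grub_platform_keystore.dbx[i].guid))` is inverted: `grub_is_x509` returns `GRUB_ERR_NONE` (zero) on a match, and every other call site compares the result against `GRUB_ERR_NONE`. As written, hash entries are handed to `grub_add_certificate` and never reach `grub_add_hash`, while X.509 entries fall through to the "unsupported signature data type" warning, so the distrusted list is not populated as the comment describes. Add `== GRUB_ERR_NONE`. Also in this hunk: `grub_build_static_trusted_list` returns without freeing `cert_data` when `grub_is_distrusted_cert_hash` fails, `grub_load_static_keys` overwrites `rc` on every iteration so an earlier failure is hidden by a later success, and the skip tests `data == NULL && data_size == 0` should use `||`.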
@@ -588,10 +1148,7 @@ GRUB_MOD_INIT (appendedsig)
if (grub_is_lockdown () == GRUB_LOCKDOWN_ENABLED)
check_sigs = check_sigs_forced;
- grub_trusted_key = NULL;
-
- grub_register_variable_hook ("check_appended_signatures",
- grub_env_read_sec, grub_env_write_sec);
+ grub_register_variable_hook ("check_appended_signatures", grub_env_read_sec, grub_env_write_sec);
grub_env_export ("check_appended_signatures");
rc = asn1_init ();
@@ -599,40 +1156,52 @@ GRUB_MOD_INIT (appendedsig)
grub_fatal ("Error initing ASN.1 data structures: %d: %s\n", rc,
asn1_strerror (rc));
- FOR_MODULES (header)
- {
- struct grub_file pseudo_file;
- struct x509_certificate *pk = NULL;
- grub_err_t err;
-
- /* Not an ELF module, skip. */
- if (header->type != OBJ_TYPE_X509_PUBKEY)
- continue;
-
- grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
- pseudo_file.fs = &pseudo_fs;
- pseudo_file.size = header->size - sizeof (struct grub_module_header);
- pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
-
- grub_dprintf ("appendedsig",
- "Found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
- pseudo_file.size);
-
- pk = grub_zalloc (sizeof (struct x509_certificate));
- if (!pk)
- {
- grub_fatal ("Out of memory loading initial certificates");
- }
-
- err = read_cert_from_file (&pseudo_file, pk);
- if (err != GRUB_ERR_NONE)
- grub_fatal ("Error loading initial key: %s", grub_errmsg);
-
- grub_dprintf ("appendedsig", "loaded certificate CN='%s'\n", pk->subject);
-
- pk->next = grub_trusted_key;
- grub_trusted_key = pk;
- }
+ if (!grub_use_platform_keystore && check_sigs == check_sigs_forced)
+ {
+ rc = grub_load_static_keys (header, 0);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_release_trusted_list ();
+ grub_error (rc, "static trusted list creation failed");
+ }
+ else
+ grub_printf ("appendedsig: the trusted list now has %" PRIuGRUB_SIZE " static keys\n",
+ grub_db.key_entries);
+ }
+ else if (grub_use_platform_keystore && check_sigs == check_sigs_forced)
+ {
+ if (grub_platform_keystore.use_static_keys == 1)
+ {
+ grub_printf ("Warning: db variable not available and using a static key"
+ "as a default key in trusted list");
+ rc = grub_load_static_keys (header, 1);
+ }
+ else
+ rc = grub_create_trusted_list ();
+
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_release_trusted_list ();
+ grub_error (rc, "trusted list creation failed");
+ }
+ else
+ {
+ rc = grub_create_distrusted_list ();
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_release_trusted_list ();
+ grub_release_distrusted_list ();
+ grub_error (rc, "distrusted list creation failed");
+ }
+ else
+ grub_printf ("appendedsig: the trusted list now has %" PRIuGRUB_SIZE " keys.\n"
+ "appendedsig: the distrusted list now has %" PRIuGRUB_SIZE " keys.\n",
+ grub_db.signature_entries + grub_db.key_entries,
+ grub_dbx.signature_entries);
+ }
+
+ grub_release_platform_keystore ();
+ }
cmd_trust =
grub_register_command ("trust_certificate", grub_cmd_trust,
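Review bot: Both branches are gated on `check_sigs == check_sigs_forced`, whereas the removed `FOR_MODULES` loop loaded the embedded certificates unconditionally, so when lockdown is not enabled the trusted list starts empty and setting check_appended_signatures later leaves no built-in key to verify against. If that is intended, say so in the commit message; otherwise load the static keys regardless of `check_sigs`. Load failures also change from `grub_fatal` to `grub_error`, which deserves a comment explaining why continuing is safe. Smaller points: the warning string concatenates to "static keyas a default key" and has no trailing newline, the distrusted count that is printed omits `grub_dbx.key_entries`, and `grub_load_static_keys (header, 0)` makes `grub_add_certificate` log these trusted certificates as "distrused" (itself a typo for "distrusted").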
--
2.47.0

@ -0,0 +1,34 @@
From 96f51e8fb8daf43da636f6475827d697829fdb8b Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 02:48:33 +0100
Subject: [PATCH 03/20] fs/hfs: Fix stack OOB write with grub_strcpy()
Replaced with grub_strlcpy().
Fixes: CVE-2024-45782
Fixes: CVE-2024-56737
Fixes: https://savannah.gnu.org/bugs/?66599
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/hfs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
index 91dc0e69c3..920112b03e 100644
--- a/grub-core/fs/hfs.c
+++ b/grub-core/fs/hfs.c
@@ -379,7 +379,7 @@ grub_hfs_mount (grub_disk_t disk)
volume name. */
key.parent_dir = grub_cpu_to_be32_compile_time (1);
key.strlen = data->sblock.volname[0];
- grub_strcpy ((char *) key.str, (char *) (data->sblock.volname + 1));
+ grub_strlcpy ((char *) key.str, (char *) (data->sblock.volname + 1), sizeof (key.str));
if (grub_hfs_find_node (data, (char *) &key, data->cat_root,
0, (char *) &dir, sizeof (dir)) == 0)
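Review bot: `key.strlen` is still taken from `data->sblock.volname[0]` on the line above with no bound, so after this change the stored length can exceed what `grub_strlcpy` actually copied into `key.str`. Clamp or reject a length byte larger than `sizeof (key.str) - 1` before the copy so the length field and the buffer contents agree. The commit message would also benefit from one sentence on how the overflow is reached, since "Replaced with grub_strlcpy()" does not say that the volume name comes from the on-disk superblock.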
--
2.48.1

@ -0,0 +1,49 @@
From 846b1d8bebd316a18fae9fb90efb3e8451ec70cc Mon Sep 17 00:00:00 2001
From: Eric Sandeen <sandeen@redhat.com>
Date: Wed, 4 Dec 2024 07:50:28 -0600
Subject: [PATCH 3/3] fs/xfs: fix large extent counters incompat feature
support
When large extent counter / NREXT64 support was added to grub, it missed
a couple of direct reads of nextents which need to be changed to the new
NREXT64-aware helper as well. Without this, we'll have mis-reads of some
directories with this feature enabled.
(The large extent counter fix likely raced on merge with
07318ee7e ("fs/xfs: Fix XFS directory extent parsing") which added the new
direct nextents reads just prior, causing this issue.)
Fixes: aa7c1322671e ("fs/xfs: Add large extent counters incompat feature support")
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Reviewed-by: Anthony Iliopoulos <ailiop@suse.com>
Reviewed-by: Jon DeVree <nuxi@vault24.org>
Link: https://lore.kernel.org/r/985816b8-35e6-4083-994f-ec9138bd35d2@redhat.com
---
grub-core/fs/xfs.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 30e3e7f6d9..3ba232436e 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -937,7 +937,7 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
* Leaf and tail information are only in the data block if the number
* of extents is 1.
*/
- if (dir->inode.nextents == grub_cpu_to_be32_compile_time (1))
+ if (grub_xfs_get_inode_nextents(&dir->inode) == 1)
{
end = (char *) tail;
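Review bot: `grub_xfs_get_inode_nextents(&dir->inode)` is missing the space before the opening parenthesis that the rest of the file uses (compare `grub_cpu_to_be32_compile_time (1)` on the removed line); the same applies to the second call site in the next hunk. The comparison also changes from a big-endian constant to a plain `1`, which is only correct if the helper returns a CPU-endian value; a short comment saying so would help the next reader.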
@@ -992,7 +992,7 @@ grub_xfs_iterate_dir (grub_fshelp_node_t dir,
* The expected number of directory entries is only tracked for the
* single extent case.
*/
- if (dir->inode.nextents == grub_cpu_to_be32_compile_time (1))
+ if (grub_xfs_get_inode_nextents(&dir->inode) == 1)
{
/* Check if last direntry in this block is reached. */
entries--;
--
2.48.1

@ -20,11 +20,17 @@ Signed-Off-by Michael Chang <mchang@suse.com>
include/grub/file.h | 1 +
2 files changed, 37 insertions(+)
diff --git a/grub-core/commands/crypttab.c b/grub-core/commands/crypttab.c
index d3acc4b59..e09296c57 100644
--- a/grub-core/commands/crypttab.c
+++ b/grub-core/commands/crypttab.c
@@ -121,6 +121,41 @@ grub_cryptokey_tpmkey_discard (void)
@@ -6,6 +6,7 @@
#include <grub/mm.h>
#include <grub/list.h>
#include <grub/crypttab.h>
+#include <grub/file.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -89,6 +90,41 @@
grub_cryptokey_discard();
}
@ -66,26 +72,97 @@ index d3acc4b59..e09296c57 100644
static grub_err_t
grub_cmd_crypttab_entry (grub_command_t cmd __attribute__ ((unused)),
int argc, char **argv)
@@ -153,6 +188,7 @@ GRUB_MOD_INIT(crypttab)
@@ -121,6 +157,8 @@
{
cmd = grub_register_command ("crypttab_entry", grub_cmd_crypttab_entry,
N_("VOLUME-NAME ENCRYPTED-DEVICE KEY-FILE") , N_("No description"));
+ grub_file_filter_register (GRUB_FILE_FILTER_DISTRUST, grub_distrust_open);
grub_dl_set_persistent (mod);
+ grub_dl_set_persistent (mod);
}
diff --git a/include/grub/file.h b/include/grub/file.h
index fcfd32ce2..daf23a9c9 100644
GRUB_MOD_FINI(crypttab)
--- a/include/grub/file.h
+++ b/include/grub/file.h
@@ -185,6 +185,7 @@ extern grub_disk_read_hook_t EXPORT_VAR(grub_file_progress_hook);
@@ -185,6 +185,7 @@
/* Filters with lower ID are executed first. */
typedef enum grub_file_filter_id
{
+ GRUB_FILE_FILTER_DISTRUST,
GRUB_FILE_FILTER_NOCAT,
GRUB_FILE_FILTER_VERIFY,
GRUB_FILE_FILTER_GZIO,
--
2.42.1
GRUB_FILE_FILTER_XZIO,
--- a/grub-core/disk/diskfilter.c
+++ b/grub-core/disk/diskfilter.c
@@ -558,6 +558,39 @@
return NULL;
}
+static int
+grub_diskfilter_has_cryptodisk (const struct grub_diskfilter_lv *lv)
+{
+ struct grub_diskfilter_pv *pv;
+
+ if (!lv)
+ return 0;
+
+ if (lv->vg->pvs)
+ for (pv = lv->vg->pvs; pv; pv = pv->next)
+ {
+ if (!pv->disk)
+ {
+ grub_dprintf ("diskfilter", _("Couldn't find physical volume `%s'."
+ " Some modules may be missing from core image."),
+ pv->name);
+ continue;
+ }
+
+ switch (pv->disk->dev->id)
+ {
+ case GRUB_DISK_DEVICE_CRYPTODISK_ID:
+ return 1;
+ case GRUB_DISK_DEVICE_DISKFILTER_ID:
+ return grub_diskfilter_has_cryptodisk (pv->disk->data);
+ default:
+ break;
+ }
+ }
+
+ return 0;
+}
+
static grub_err_t
grub_diskfilter_open (const char *name, grub_disk_t disk)
{
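Review bot: In `grub_diskfilter_has_cryptodisk`, the `GRUB_DISK_DEVICE_DISKFILTER_ID` case returns the result of the recursive call directly, so the loop stops at the first nested diskfilter PV even when that call returns 0 and a later PV in the same VG sits on a cryptodisk. Return 1 only when the recursive call is non-zero and otherwise continue with the next PV. `lv->vg` is also dereferenced without a NULL check although `lv` itself is checked, and the message passed to `grub_dprintf` is a debug string that does not need `_()`.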
@@ -589,6 +622,8 @@
disk->total_sectors = lv->size;
disk->max_agglomerate = GRUB_DISK_MAX_MAX_AGGLOMERATE;
+ disk->is_crypto_diskfilter = grub_diskfilter_has_cryptodisk (lv);
+
return 0;
}
--- a/include/grub/disk.h
+++ b/include/grub/disk.h
@@ -147,6 +147,8 @@
/* Device-specific data. */
void *data;
+
+ int is_crypto_diskfilter;
};
typedef struct grub_disk *grub_disk_t;
@@ -317,4 +319,12 @@
void grub_diskfilter_fini (void);
#endif
+static inline int
+grub_disk_is_crypto (grub_disk_t disk)
+{
+ return ((disk->is_crypto_diskfilter ||
+ disk->dev->id == GRUB_DISK_DEVICE_CRYPTODISK_ID) ?
+ 1 : 0);
+}
+
#endif /* ! GRUB_DISK_HEADER */

@ -0,0 +1,253 @@
From 5bff27911bb6575b80b5decf5364b7e6bde801d3 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 18 Jan 2023 23:04:38 +0530
Subject: [PATCH 4/8] appendedsig: While verifying the kernel, use trusted and
distrusted lists
To verify the kernel's, the trusted key will be used from
the trusted key list. If it fails, verify it against the list of hashes
that are distrusted and trusted.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsastry@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 187 +++++++++++++------
1 file changed, 131 insertions(+), 56 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index 5bb09e349..f9638220e 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -36,6 +36,10 @@
#include <grub/platform_keystore.h>
#include "appendedsig.h"
+#define SHA256_LEN 32
+#define SHA384_LEN 48
+#define SHA512_LEN 64
+
GRUB_MOD_LICENSE ("GPLv3+");
const char magic[] = "~Module signature appended~\n";
@@ -516,6 +520,80 @@ extract_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize,
return GRUB_ERR_NONE;
}
+static grub_err_t
+grub_get_binary_hash (const grub_size_t binary_hash_size, const grub_uint8_t *data,
+ const grub_size_t data_size, grub_uint8_t *hash, grub_size_t *hash_size)
+{
+ grub_uuid_t guid = { 0 };
+
+ /* support SHA256, SHA384 and SHA512 for binary hash */
+ if (binary_hash_size == SHA256_LEN)
+ grub_memcpy (&guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_UUID_SIZE);
+ else if (binary_hash_size == SHA384_LEN)
+ grub_memcpy (&guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_UUID_SIZE);
+ else if (binary_hash_size == SHA512_LEN)
+ grub_memcpy (&guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_UUID_SIZE);
+ else
+ {
+ grub_dprintf ("appendedsig", "unsupported hash type (%" PRIuGRUB_SIZE ") and skipping binary hash\n",
+ binary_hash_size);
+ return GRUB_ERR_UNKNOWN_COMMAND;
+ }
+
+ return grub_get_hash (&guid, data, data_size, hash, hash_size);
+}
+
+/*
+ * verify binary hash against the list of binary hashes that are distrusted
+ * and trusted.
+ */
+static grub_err_t
+grub_verify_binary_hash (const grub_uint8_t *data, const grub_size_t data_size)
+{
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_size_t i = 0, hash_size = 0;
+ grub_uint8_t hash[GRUB_MAX_HASH_SIZE] = { 0 };
+
+ for (i = 0; i < grub_dbx.signature_entries; i++)
+ {
+ rc = grub_get_binary_hash (grub_dbx.signature_size[i], data, data_size,
+ hash, &hash_size);
+ if (rc != GRUB_ERR_NONE)
+ continue;
+
+ if (hash_size == grub_dbx.signature_size[i] &&
+ grub_memcmp (grub_dbx.signatures[i], hash, hash_size) == 0)
+ {
+ grub_dprintf ("appendedsig", "the binary hash (%02x%02x%02x%02x) was listed "
+ "as distrusted\n", hash[0], hash[1], hash[2], hash[3]);
+ return GRUB_ERR_BAD_SIGNATURE;
+ }
+ }
+
+ for (i = 0; i < grub_db.signature_entries; i++)
+ {
+ rc = grub_get_binary_hash (grub_db.signature_size[i], data, data_size,
+ hash, &hash_size);
+ if (rc != GRUB_ERR_NONE)
+ continue;
+
+ if (hash_size == grub_db.signature_size[i] &&
+ grub_memcmp (grub_db.signatures[i], hash, hash_size) == 0)
+ {
+ grub_dprintf ("appendedsig", "verified with a trusted binary hash "
+ "(%02x%02x%02x%02x)\n", hash[0], hash[1], hash[2], hash[3]);
+ return GRUB_ERR_NONE;
+ }
+ }
+
+ return GRUB_ERR_EOF;
+}
+
+/*
+ * verify the kernel's integrity, the trusted key will be used from
+ * the trusted key list. If it fails, verify it against the list of binary hashes
+ * that are distrusted and trusted.
+ */
static grub_err_t
grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
{
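Review bot: in grub_verify_binary_hash() the dbx loop treats every failure of grub_get_binary_hash() as "skip this entry" (`if (rc != GRUB_ERR_NONE) continue;`), so a hashing error on a distrusted entry silently drops that entry from the deny check and the function can still return GRUB_ERR_NONE from the db loop. For the distrusted list only the unsupported-length case should be skipped; any other error should fail verification. Two smaller points: the image is re-hashed once per db/dbx entry, where computing each of the three digest types at most once and then comparing would avoid repeated passes over the kernel, and GRUB_ERR_UNKNOWN_COMMAND is a surprising code for an unsupported hash length (GRUB_ERR_BAD_ARGUMENT would read better).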
@@ -525,12 +603,12 @@ grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
unsigned char *hash;
gcry_mpi_t hashmpi;
gcry_err_code_t rc;
- struct x509_certificate *pk;
+ struct x509_certificate *cert;
struct grub_appended_signature sig;
struct pkcs7_signerInfo *si;
int i;
- if (!grub_db.key_entries)
+ if (!grub_db.key_entries && !grub_db.signature_entries)
return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("No trusted keys to verify against"));
err = extract_appended_signature (buf, bufsize, &sig);
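Review bot: the relaxed guard lets verification start when db holds only binary hashes, but the very next statement still calls extract_appended_signature() and its error is returned before any hash lookup, so an image that is allow-listed purely by hash must still carry a well-formed appended signature. If that is intended, document it next to the guard; if not, the hash check needs to run on the whole buffer when no signature is present. The message "No trusted keys to verify against" should also mention hashes now that the condition covers both.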
@@ -538,70 +616,67 @@ grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
return err;
datasize = bufsize - sig.signature_len;
-
- for (i = 0; i < sig.pkcs7.signerInfo_count; i++)
+ /* checking kernel binary hash is presents in trusted list (db)/distrusted list (dbx) */
+ err = grub_verify_binary_hash (buf, datasize);
+ if (err == GRUB_ERR_EOF)
{
- /* This could be optimised in a couple of ways:
- - we could only compute hashes once per hash type
- - we could track signer information and only verify where IDs match
- For now we do the naive O(trusted keys * pkcs7 signers) approach.
- */
- si = &sig.pkcs7.signerInfos[i];
- context = grub_zalloc (si->hash->contextsize);
- if (!context)
- return grub_errno;
-
- si->hash->init (context);
- si->hash->write (context, buf, datasize);
- si->hash->final (context);
- hash = si->hash->read (context);
-
- grub_dprintf ("appendedsig",
- "data size %" PRIxGRUB_SIZE ", signer %d hash %02x%02x%02x%02x...\n",
- datasize, i, hash[0], hash[1], hash[2], hash[3]);
-
- err = GRUB_ERR_BAD_SIGNATURE;
- for (pk = grub_db.keys; pk; pk = pk->next)
+ /* verifying kernel binary signature using trusted keys from trusted list (db) */
+ for (i = 0; i < sig.pkcs7.signerInfo_count; i++)
{
- rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, pk->mpis[0]);
- if (rc)
+ si = &sig.pkcs7.signerInfos[i];
+ context = grub_zalloc (si->hash->contextsize);
+ if (!context)
+ return grub_errno;
+
+ si->hash->init (context);
+ si->hash->write (context, buf, datasize);
+ si->hash->final (context);
+ hash = si->hash->read (context);
+
+ grub_dprintf ("appendedsig",
+ "data size %" PRIxGRUB_SIZE ", signer %d hash %02x%02x%02x%02x...\n",
+ datasize, i, hash[0], hash[1], hash[2], hash[3]);
+
+ err = GRUB_ERR_BAD_SIGNATURE;
+ for (cert = grub_db.keys; cert; cert = cert->next)
{
- err = grub_error (GRUB_ERR_BAD_SIGNATURE,
- N_("Error padding hash for RSA verification: %d"), rc);
- grub_free (context);
- goto cleanup;
+ rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, cert->mpis[0]);
+ if (rc)
+ {
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
+ N_("Error padding hash for RSA verification: %d"), rc);
+ grub_free (context);
+ pkcs7_signedData_release (&sig.pkcs7);
+ return err;
+ }
+
+ rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &si->sig_mpi, cert->mpis, NULL, NULL);
+ gcry_mpi_release (hashmpi);
+
+ if (rc == 0)
+ {
+ grub_dprintf ("appendedsig", "verify signer %d with key '%s' succeeded\n",
+ i, cert->subject);
+ err = GRUB_ERR_NONE;
+ break;
+ }
+
+ grub_dprintf ("appendedsig", "verify signer %d with key '%s' failed with %d\n",
+ i, cert->subject, rc);
}
- rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &si->sig_mpi,
- pk->mpis, NULL, NULL);
- gcry_mpi_release (hashmpi);
-
- if (rc == 0)
- {
- grub_dprintf ("appendedsig",
- "verify signer %d with key '%s' succeeded\n", i,
- pk->subject);
- err = GRUB_ERR_NONE;
- break;
- }
-
- grub_dprintf ("appendedsig",
- "verify signer %d with key '%s' failed with %d\n", i,
- pk->subject, rc);
- }
-
- grub_free (context);
+ grub_free (context);
- if (err == GRUB_ERR_NONE)
- break;
+ if (err == GRUB_ERR_NONE)
+ break;
+ }
}
- /* If we didn't verify, provide a neat message */
if (err != GRUB_ERR_NONE)
- err = grub_error (GRUB_ERR_BAD_SIGNATURE,
- N_("Failed to verify signature against a trusted key"));
+ grub_printf ("appendedsig: failed to verify signature with any trusted key\n");
+ else
+ grub_printf ("appendedsig: successfully verified the signature with a trusted key\n");
-cleanup:
pkcs7_signedData_release (&sig.pkcs7);
return err;
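Review bot: the final status handling loses information. The two grub_printf() messages at the end talk about a "trusted key" even when the outcome was decided by grub_verify_binary_hash() (a dbx hit returns GRUB_ERR_BAD_SIGNATURE, a db hash match returns GRUB_ERR_NONE), and the failure path no longer goes through grub_error(), so err is returned without grub_errno or an error message being set. If sig.pkcs7.signerInfo_count is 0 the function also returns the internal GRUB_ERR_EOF sentinel to its caller. Suggest mapping every non-success result to grub_error (GRUB_ERR_BAD_SIGNATURE, ...) with a message that distinguishes "hash is distrusted" from "no trusted key or hash matched". Separately, the `return grub_errno;` after the failed grub_zalloc() skips pkcs7_signedData_release (&sig.pkcs7), unlike the padding-error path a few lines below it.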
--
2.47.0


@ -0,0 +1,92 @@
From 8f99c43384b9122eedeab1411ab5076ca5878ef9 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 22 Nov 2024 06:27:58 +0000
Subject: [PATCH 04/20] fs/tar: Integer overflow leads to heap OOB write
Both namesize and linksize are derived from hd.size, a 12-digit octal
number parsed by read_number(). Later direct arithmetic calculation like
"namesize + 1" and "linksize + 1" may exceed the maximum value of
grub_size_t leading to heap OOB write. This patch fixes the issue by
using grub_add() and checking for an overflow.
Fixes: CVE-2024-45780
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
---
grub-core/fs/tar.c | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
index c551ed6b52..a9e39b0eb6 100644
--- a/grub-core/fs/tar.c
+++ b/grub-core/fs/tar.c
@@ -25,6 +25,7 @@
#include <grub/mm.h>
#include <grub/dl.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -76,6 +77,7 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
{
struct head hd;
int reread = 0, have_longname = 0, have_longlink = 0;
+ grub_size_t sz;
data->hofs = data->next_hofs;
@@ -97,7 +99,11 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
{
grub_err_t err;
grub_size_t namesize = read_number (hd.size, sizeof (hd.size));
- *name = grub_malloc (namesize + 1);
+
+ if (grub_add (namesize, 1, &sz))
+ return grub_error (GRUB_ERR_BAD_FS, N_("name size overflow"));
+
+ *name = grub_malloc (sz);
if (*name == NULL)
return grub_errno;
err = grub_disk_read (data->disk, 0,
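Review bot: grub_add (namesize, 1, &sz) only rejects the single case where namesize is already the maximum grub_size_t; every other archive-supplied size from hd.size still reaches grub_malloc() unbounded. That closes the wrap-around allocation the commit message describes, but a sanity cap on namesize before allocating would make the intent clearer and would not depend on the allocator refusing huge requests. It is also worth confirming that read_number() cannot return a value wider than grub_size_t that is truncated on assignment before this check runs.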
@@ -117,15 +123,19 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
{
grub_err_t err;
grub_size_t linksize = read_number (hd.size, sizeof (hd.size));
- if (data->linkname_alloc < linksize + 1)
+
+ if (grub_add (linksize, 1, &sz))
+ return grub_error (GRUB_ERR_BAD_FS, N_("link size overflow"));
+
+ if (data->linkname_alloc < sz)
{
char *n;
- n = grub_calloc (2, linksize + 1);
+ n = grub_calloc (2, sz);
if (!n)
return grub_errno;
grub_free (data->linkname);
data->linkname = n;
- data->linkname_alloc = 2 * (linksize + 1);
+ data->linkname_alloc = 2 * (sz);
}
err = grub_disk_read (data->disk, 0,
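Review bot: `data->linkname_alloc = 2 * (sz);` is still an unchecked multiplication. It is only safe because grub_calloc (2, sz) has already succeeded on the same operands, which relies on grub_calloc() rejecting an overflowing product. Either compute the doubled size once with a checked multiply and use it for both the allocation and linkname_alloc, or add a comment stating that dependency. The parentheses around sz are redundant.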
@@ -148,7 +158,10 @@ grub_cpio_find_file (struct grub_archelp_data *data, char **name,
while (extra_size < sizeof (hd.prefix)
&& hd.prefix[extra_size])
extra_size++;
- *name = grub_malloc (sizeof (hd.name) + extra_size + 2);
+
+ if (grub_add (sizeof (hd.name) + 2, extra_size, &sz))
+ return grub_error (GRUB_ERR_BAD_FS, N_("long name size overflow"));
+ *name = grub_malloc (sz);
if (*name == NULL)
return grub_errno;
if (hd.prefix[0])
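Review bot: this grub_add() cannot fail as written, because the while loop just above bounds extra_size by sizeof (hd.prefix), so the "long name size overflow" branch is dead code. Keeping it as defence in depth is fine, but say so in a comment. Also add the blank line before `*name = grub_malloc (sz);` to match the other two call sites in this patch.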
--
2.48.1


@ -0,0 +1,684 @@
From f05acf089fb80fc44112a7feec3529af494a41f7 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 1 Feb 2023 21:42:36 +0530
Subject: [PATCH 5/8] appendedsig: The grub command's trusted and distrusted
support
To support the following trusted and distrusted commands
1. trusted_list:
It will show the list of trusted certificates and binary hashes
2. distrusted_list:
It will show the list of distrusted certificates and binary/certificate hashes
3. trusted_certificate:
It will add the trusted certificate to the trusted list
4. trusted_signature:
It will add the certificate/binary hash to the trusted list
5. distrusted_certificate:
It will remove the trusted certificate from trusted list
6. distrusted_signature:
It will add the certificate/binary hash to the distrusted list
Note:-
The addition/deletion of trusted certificates and binary hashes
are not allowed in grub command prompt while secure boot is enabled.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsastry@linux.ibm.com>
---
grub-core/commands/appendedsig/appendedsig.c | 547 ++++++++++++-------
1 file changed, 361 insertions(+), 186 deletions(-)
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
index f9638220e..7d2bba079 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -123,6 +123,38 @@ static enum
check_sigs_forced = 2
} check_sigs = check_sigs_no;
+enum
+{
+ OPTION_BINARY_HASH = 0,
+ OPTION_CERT_HASH = 1
+};
+
+static const struct grub_arg_option options[] =
+{
+ {"binary-hash", 'b', 0, N_("hash file of the binary."), 0, ARG_TYPE_NONE},
+ {"cert-hash", 'c', 1, N_("hash file of the certificate."), 0, ARG_TYPE_NONE},
+ {0, 0, 0, 0, 0, 0}
+};
+
+static void
+grub_printhex (const grub_uint8_t *data, const grub_size_t length)
+{
+ grub_size_t i, count = 0;
+
+ for (i = 0; i < length-1; i++)
+ {
+ grub_printf ("%02x:", data[i]);
+ count++;
+ if (count == 16)
+ {
+ grub_printf ("\n\t ");
+ count = 0;
+ }
+ }
+
+ grub_printf ("%02x\n", data[i]);
+}
+
/*
* GUID can be used to determine the hashing function and
* generate the hash using determined hashing function.
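Review bot: grub_printhex() underflows when length is 0: `i < length-1` is evaluated on grub_size_t, so the bound becomes the maximum value and data[] is read far past the buffer. The callers pass signature_size[i] straight from the db/dbx arrays, so add an early return for length == 0 (or loop to length and print the separator conditionally). In the options table the third field is 0 for binary-hash and 1 for cert-hash although both are ARG_TYPE_NONE; if the difference is intentional it needs a comment, otherwise make them match.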
@@ -396,75 +428,6 @@ grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
return grub_strdup (grub_env_read_sec (NULL, NULL));
}
-static grub_err_t
-file_read_all (grub_file_t file, grub_uint8_t **buf, grub_size_t *len)
-{
- grub_off_t full_file_size;
- grub_size_t file_size, total_read_size = 0;
- grub_ssize_t read_size;
-
- full_file_size = grub_file_size (file);
- if (full_file_size == GRUB_FILE_SIZE_UNKNOWN)
- return grub_error (GRUB_ERR_BAD_ARGUMENT,
- N_("Cannot read a file of unknown size into a buffer"));
-
- if (full_file_size > GRUB_SIZE_MAX)
- return grub_error (GRUB_ERR_OUT_OF_RANGE,
- N_("File is too large to read: %" PRIuGRUB_UINT64_T
- " bytes"), full_file_size);
-
- file_size = (grub_size_t) full_file_size;
-
- *buf = grub_malloc (file_size);
- if (!*buf)
- return grub_error (GRUB_ERR_OUT_OF_MEMORY,
- N_("Could not allocate file data buffer size %"
- PRIuGRUB_SIZE), file_size);
-
- while (total_read_size < file_size)
- {
- read_size = grub_file_read (file, *buf + total_read_size, file_size - total_read_size);
- if (read_size < 0)
- {
- grub_free (*buf);
- return grub_errno;
- }
- else if (read_size == 0)
- {
- grub_free (*buf);
- return grub_error (GRUB_ERR_IO,
- N_("Could not read full file size (%"
- PRIuGRUB_SIZE "), only %" PRIuGRUB_SIZE
- " bytes read"), file_size, total_read_size);
- }
-
- total_read_size += read_size;
- }
- *len = file_size;
- return GRUB_ERR_NONE;
-}
-
-static grub_err_t
-read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
-{
- grub_err_t err;
- grub_uint8_t *buf;
- grub_size_t file_size;
-
- err = file_read_all (f, &buf, &file_size);
- if (err != GRUB_ERR_NONE)
- return err;
-
- err = parse_x509_certificate (buf, file_size, certificate);
- if (err != GRUB_ERR_NONE)
- {
- grub_free (buf);
- return err;
- }
-
- return GRUB_ERR_NONE;
-}
-
static grub_err_t
extract_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize,
struct grub_appended_signature *sig)
@@ -686,159 +649,357 @@ static grub_err_t
grub_cmd_verify_signature (grub_command_t cmd __attribute__((unused)),
int argc, char **args)
{
- grub_file_t f;
grub_err_t err = GRUB_ERR_NONE;
- grub_uint8_t *data;
- grub_size_t file_size;
+ grub_file_t signed_file = NULL;
+ grub_uint8_t *signed_data = NULL;
+ grub_ssize_t signed_data_size = 0;
+
+ if (argc != 1)
+ {
+ grub_printf (N_("a signed file is expected\n"
+ "Example:\n\tverify_appended <SIGNED FILE>\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
- if (argc < 1)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ if (grub_strlen (args[0]) == 0)
+ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing signed file"));
grub_dprintf ("appendedsig", "verifying %s\n", args[0]);
- f = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
- if (!f)
+ signed_file = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
+ if (signed_file == NULL)
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND, N_("unable to open a signed file"));
+
+ err = grub_read_file (signed_file, &signed_data, &signed_data_size);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_file_close (signed_file);
+ return err;
+ }
+
+ grub_file_close (signed_file);
+ err = grub_verify_appended_signature (signed_data, signed_data_size);
+ grub_free (signed_data);
+
+ return err;
+}
+
+static grub_err_t
+grub_cmd_trusted_list (grub_command_t cmd __attribute__((unused)),
+ int argc __attribute__((unused)), char **args __attribute__((unused)))
+{
+ struct x509_certificate *cert = NULL;
+ grub_size_t i = 0, cert_num = 1;
+
+ for (cert = grub_db.keys; cert; cert = cert->next)
+ {
+ grub_printf (N_("trusted certificate %" PRIuGRUB_SIZE ":\n"), cert_num);
+ grub_printf (N_("\tserial: "));
+
+ for (i = 0; i < cert->serial_len - 1; i++)
+ grub_printf ("%02x:", cert->serial[i]);
+
+ grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
+ grub_printf ("\tCN: %s\n\n", cert->subject);
+ cert_num++;
+
+ }
+
+ for (i = 0; i < grub_db.signature_entries; i++)
{
- err = grub_errno;
- goto cleanup;
+ grub_printf (N_("trusted binary hash %" PRIuGRUB_SIZE ":\n"), i+1);
+ grub_printf (N_("\thash: "));
+ grub_printhex (grub_db.signatures[i], grub_db.signature_size[i]);
}
- err = file_read_all (f, &data, &file_size);
+ return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_distrusted_list (grub_command_t cmd __attribute__((unused)),
+ int argc __attribute__((unused)),
+ char **args __attribute__((unused)))
+{
+ struct x509_certificate *cert = NULL;
+ grub_size_t i = 0, cert_num = 1;
+
+ for (cert = grub_dbx.keys; cert; cert = cert->next)
+ {
+ grub_printf (N_("distrusted certificate %" PRIuGRUB_SIZE ":\n"), cert_num);
+ grub_printf (N_("\tserial: "));
+
+ for (i = 0; i < cert->serial_len - 1; i++)
+ grub_printf ("%02x:", cert->serial[i]);
+
+ grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
+ grub_printf ("\tCN: %s\n\n", cert->subject);
+ cert_num++;
+ }
+
+ for (i = 0; i < grub_dbx.signature_entries; i++)
+ {
+ grub_printf (N_("distrusted certificate/binary hash %" PRIuGRUB_SIZE ":\n"), i+1);
+ grub_printf (N_("\thash: "));
+ grub_printhex (grub_dbx.signatures[i], grub_dbx.signature_size[i]);
+ }
+
+ return GRUB_ERR_NONE;
+}
+
+static grub_err_t
+grub_cmd_trusted_cert (grub_command_t cmd __attribute__((unused)),
+ int argc, char **args)
+{
+ grub_err_t err = GRUB_ERR_NONE;
+ grub_file_t cert_file = NULL;
+ grub_uint8_t *cert_data = NULL;
+ grub_ssize_t cert_data_size = 0;
+
+ if (argc != 1)
+ {
+ grub_printf (N_("a trusted X.509 certificate file is expected\n"
+ "Example:\n\ttrusted_certificate <CERT FILE>\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
+
+ if (check_sigs == check_sigs_forced)
+ {
+ grub_printf ("Warning: since secure boot is enabled, "
+ "adding of trusted X.509 certificate is not permitted!\n");
+ return grub_errno;
+ }
+
+ if (grub_strlen (args[0]) == 0)
+ return grub_error (GRUB_ERR_BAD_FILENAME,
+ N_("missing trusted X.509 certificate file"));
+
+ cert_file = grub_file_open (args[0], GRUB_FILE_TYPE_CERTIFICATE_TRUST |
+ GRUB_FILE_TYPE_NO_DECOMPRESS);
+ if (cert_file == NULL)
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND,
+ N_("unable to open the trusted X.509 certificate file"));
+
+ err = grub_read_file (cert_file, &cert_data, &cert_data_size);
if (err != GRUB_ERR_NONE)
- goto cleanup;
+ {
+ grub_file_close (cert_file);
+ return err;
+ }
- err = grub_verify_appended_signature (data, file_size);
+ grub_file_close (cert_file);
+ err = grub_add_certificate (cert_data, cert_data_size, &grub_db, 1);
+ if (err != GRUB_ERR_NONE)
+ {
+ grub_release_trusted_list ();
+ grub_release_distrusted_list ();
+ grub_error (err, "adding of trusted certificate failed");
+ }
- grub_free (data);
+ grub_free (cert_data);
-cleanup:
- if (f)
- grub_file_close (f);
return err;
}
static grub_err_t
-grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
- int argc, char **args)
+grub_cmd_trusted_hash (grub_command_t cmd __attribute__((unused)), int argc, char**args)
{
- unsigned long cert_num, i;
- struct x509_certificate *cert, *prev;
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_file_t hash_file = NULL;
+ grub_uint8_t *hash_data = NULL;
+ grub_ssize_t hash_data_size = 0;
if (argc != 1)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("One argument expected"));
+ {
+ grub_printf (N_("a trusted binary hash file is expected\n"
+ "Example:\n\ttrusted_signature <BINARY HASH FILE>\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
- grub_errno = GRUB_ERR_NONE;
- cert_num = grub_strtoul (args[0], NULL, 10);
- if (grub_errno != GRUB_ERR_NONE)
- return grub_errno;
+ if (check_sigs == check_sigs_forced)
+ {
+ grub_printf ("Warning: since secure boot is enabled, "
+ "adding of trusted binary hash is not permitted!\n");
+ return grub_errno;
+ }
- if (cert_num < 1)
- return grub_error (GRUB_ERR_BAD_ARGUMENT,
- N_("Certificate number too small - numbers start at 1"));
+ if (grub_strlen (args[0]) == 0)
+ return grub_error (GRUB_ERR_BAD_FILENAME, N_("missing trusted binary hash file"));
- if (cert_num == 1)
- {
- cert = grub_db.keys;
- grub_db.keys = cert->next;
+ hash_file = grub_file_open (args[0], GRUB_FILE_TYPE_TO_HASH | GRUB_FILE_TYPE_NO_DECOMPRESS);
+ if (hash_file == NULL)
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND,
+ N_("unable to open the trusted binary hash file"));
- certificate_release (cert);
- grub_free (cert);
- return GRUB_ERR_NONE;
+ rc = grub_read_file (hash_file, &hash_data, &hash_data_size);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_file_close (hash_file);
+ return rc;
}
- i = 2;
- prev = grub_db.keys;
- cert = grub_db.keys->next;
- while (cert)
+
+ grub_file_close (hash_file);
+
+ grub_dprintf ("appendedsig", "adding a trusted binary hash %s\n with size of %" PRIdGRUB_SSIZE "\n",
+ hash_data, hash_data_size);
+
+ /* only accept SHA256, SHA384 and SHA512 binary hash */
+ if (hash_data_size != SHA256_LEN && hash_data_size != SHA384_LEN &&
+ hash_data_size != SHA512_LEN)
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("unacceptable trusted binary hash type"));
+
+ rc = grub_add_hash ((const grub_uint8_t **) &hash_data, hash_data_size, &grub_db.signatures,
+ &grub_db.signature_size, &grub_db.signature_entries);
+ if (rc != GRUB_ERR_NONE)
{
- if (i == cert_num)
- {
- prev->next = cert->next;
- certificate_release (cert);
- grub_free (cert);
- return GRUB_ERR_NONE;
- }
- i++;
- prev = cert;
- cert = cert->next;
+ grub_release_trusted_list ();
+ grub_release_distrusted_list ();
+ grub_error (rc, "adding of trusted binary hash failed");
}
- return grub_error (GRUB_ERR_BAD_ARGUMENT,
- N_("No certificate number %lu found - only %lu certificates in the store"),
- cert_num, i - 1);
+ grub_free (hash_data);
+
+ return rc;
}
static grub_err_t
-grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
- int argc, char **args)
+grub_cmd_distrusted_cert (grub_command_t cmd __attribute__((unused)), int argc, char **args)
{
- grub_file_t certf;
- struct x509_certificate *cert = NULL;
- grub_err_t err;
+ grub_size_t cert_num = 0, i = 1;
+ struct x509_certificate *current_cert = grub_db.keys;
+ struct x509_certificate *previous_cert = grub_db.keys;
if (argc != 1)
- return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
+ {
+ grub_printf (N_("trusted certificate number is expected\n"
+ "Example:\n\tdistrusted_certificate <CERT_NUMER>\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
- certf = grub_file_open (args[0],
- GRUB_FILE_TYPE_CERTIFICATE_TRUST
- | GRUB_FILE_TYPE_NO_DECOMPRESS);
- if (!certf)
- return grub_errno;
+ if (check_sigs == check_sigs_forced)
+ {
+ grub_printf ("Warning: since secure boot is enabled, "
+ "removing of trusted certificate is not permitted!\n");
+ return grub_errno;
+ }
+ cert_num = grub_strtoul (args[0], NULL, 10);
+ if (cert_num < 1)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("trusted certificate number should to begin with 1"));
- cert = grub_zalloc (sizeof (struct x509_certificate));
- if (!cert)
- return grub_error (GRUB_ERR_OUT_OF_MEMORY,
- N_("Could not allocate memory for certificate"));
+ if (cert_num > grub_db.key_entries)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("trusted certificate number should not exceed %" PRIuGRUB_SIZE),
+ grub_db.key_entries);
+ else if (cert_num < grub_db.key_entries)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ N_("there is no certificate on the trusted list. so, not permitted"));
- err = read_cert_from_file (certf, cert);
- grub_file_close (certf);
- if (err != GRUB_ERR_NONE)
+ for (i = 1; i < grub_db.key_entries; i++)
{
- grub_free (cert);
- return err;
+ if (cert_num == 1)
+ {
+ previous_cert = current_cert->next;
+ break;
+ }
+ else if (cert_num == i)
+ {
+ previous_cert->next = current_cert->next;
+ break;
+ }
+
+ previous_cert = current_cert;
+ current_cert = current_cert->next;
}
- grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
- cert->subject);
- cert->next = grub_db.keys;
- grub_db.keys = cert;
+ certificate_release (current_cert);
+ grub_free (current_cert);
return GRUB_ERR_NONE;
}
static grub_err_t
-grub_cmd_list (grub_command_t cmd __attribute__((unused)),
- int argc __attribute__((unused)),
- char **args __attribute__((unused)))
+grub_cmd_distrusted_hash (grub_extcmd_context_t ctxt, int argc, char **args)
{
- struct x509_certificate *cert;
- int cert_num = 1;
- grub_size_t i;
+ grub_err_t rc = GRUB_ERR_NONE;
+ grub_file_t hash_file = NULL;
+ grub_uint8_t *hash_data = NULL;
+ grub_ssize_t hash_data_size = 0;
- for (cert = grub_db.keys; cert; cert = cert->next)
+ if (argc != 2)
{
- grub_printf (N_("Certificate %d:\n"), cert_num);
+ grub_printf (N_("a distrusted certificate/binary hash file is expected\n"
+ "Example:\n\tdistrusted_signature [option] <FILE>\n"
+ "option:\n[-b|--binary-hash] FILE [BINARY HASH FILE]\n"
+ "[-c|--cert-hash] FILE [CERTFICATE HASH FILE]\n"));
+ return GRUB_ERR_BAD_ARGUMENT;
+ }
- grub_printf (N_("\tSerial: "));
- for (i = 0; i < cert->serial_len - 1; i++)
- {
- grub_printf ("%02x:", cert->serial[i]);
- }
- grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
+ if (check_sigs == check_sigs_forced)
+ {
+ grub_printf ("Warning: since secure boot is enabled, "
+ "adding of distrusted certificate/binary hash is not permitted!\n");
+ return grub_errno;
+ }
- grub_printf ("\tCN: %s\n\n", cert->subject);
- cert_num++;
+ if (!ctxt->state[OPTION_BINARY_HASH].set && !ctxt->state[OPTION_CERT_HASH].set)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("missing options and use --help to konw"));
+
+ if (grub_strlen (args[1]) == 0)
+ return grub_error (GRUB_ERR_BAD_FILENAME,
+ N_("missing distrusted certificate/binary hash file"));
+
+ hash_file = grub_file_open (args[1], GRUB_FILE_TYPE_TO_HASH | GRUB_FILE_TYPE_NO_DECOMPRESS);
+ if (hash_file == NULL)
+ return grub_error (GRUB_ERR_FILE_NOT_FOUND,
+ N_("unable to open the distrusted certificate/binary hash file"));
+ rc = grub_read_file (hash_file, &hash_data, &hash_data_size);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_file_close (hash_file);
+ return rc;
}
- return GRUB_ERR_NONE;
+ grub_file_close (hash_file);
+
+ grub_dprintf ("appendedsig", "adding a distrusted certificate/binary hash %s\n"
+ " with size of %" PRIdGRUB_SSIZE "\n", hash_data, hash_data_size);
+
+ if (ctxt->state[OPTION_BINARY_HASH].set)
+ {
+ /* only accept SHA256, SHA384 and SHA512 binary hash */
+ if (hash_data_size != SHA256_LEN && hash_data_size != SHA384_LEN &&
+ hash_data_size != SHA512_LEN)
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
+ N_("unacceptable distrusted binary hash type"));
+ }
+ else if (ctxt->state[OPTION_CERT_HASH].set)
+ {
+ /* only accept SHA256, SHA384 and SHA512 certificate hash */
+ if (hash_data_size != SHA256_LEN && hash_data_size != SHA384_LEN &&
+ hash_data_size != SHA512_LEN)
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
+ N_("unacceptable distrusted certificate hash type"));
+ }
+
+ rc = grub_add_hash ((const grub_uint8_t **) &hash_data, hash_data_size, &grub_dbx.signatures,
+ &grub_dbx.signature_size, &grub_dbx.signature_entries);
+ if (rc != GRUB_ERR_NONE)
+ {
+ grub_release_trusted_list ();
+ grub_release_distrusted_list ();
+ grub_error (rc, "adding of distrusted binary/certificate hash failed");
+ }
+
+ grub_free (hash_data);
+
+ return rc;
}
static grub_err_t
-appendedsig_init (grub_file_t io __attribute__((unused)),
- enum grub_file_type type,
- void **context __attribute__((unused)),
- enum grub_verify_flags *flags)
+appendedsig_init (grub_file_t io __attribute__ ((unused)), enum grub_file_type type,
+ void **context __attribute__ ((unused)), enum grub_verify_flags *flags)
{
if (check_sigs == check_sigs_no)
{
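Review bot: grub_cmd_distrusted_cert() does not unlink the certificate it frees. After the range checks, `else if (cert_num < grub_db.key_entries)` rejects every index below the last one (with a message about an empty list), so only cert_num == grub_db.key_entries gets through; the loop then never reaches either break, the last node is released and freed, and the predecessor's next pointer (or grub_db.keys itself when there is a single entry) still points at it. The `cert_num == 1` branch has the same flaw, since it assigns to the local previous_cert rather than grub_db.keys, and key_entries is never decremented. That leaves a dangling pointer in the trusted list that the verifier walks later. Please restore the head/next relinking that the removed grub_cmd_distrust() did, and keep the grub_errno reset around grub_strtoul(). Other points in this hunk: the secure-boot refusals do `return grub_errno;` after a grub_printf(), which returns whatever grub_errno happens to hold (normally GRUB_ERR_NONE), so return an explicit error such as GRUB_ERR_ACCESS_DENIED; the hash-length rejections in grub_cmd_trusted_hash() and grub_cmd_distrusted_hash() return without grub_free (hash_data); and the grub_dprintf() calls format the binary digest with %s.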
@@ -1212,7 +1373,9 @@ grub_load_static_keys (struct grub_module_header *header, bool mode)
return rc;
}
-static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
+static grub_extcmd_t cmd_distrusted_hash;
+static grub_command_t cmd_verify, cmd_trusted_list, cmd_trusted_cert, cmd_trusted_hash,
+ cmd_distrusted_list, cmd_distrusted_cert;
GRUB_MOD_INIT (appendedsig)
{
@@ -1278,21 +1441,31 @@ GRUB_MOD_INIT (appendedsig)
grub_release_platform_keystore ();
}
- cmd_trust =
- grub_register_command ("trust_certificate", grub_cmd_trust,
- N_("X509_CERTIFICATE"),
- N_("Add X509_CERTIFICATE to trusted certificates."));
- cmd_list =
- grub_register_command ("list_certificates", grub_cmd_list, 0,
- N_("Show the list of trusted x509 certificates."));
- cmd_verify =
- grub_register_command ("verify_appended", grub_cmd_verify_signature,
- N_("FILE"),
- N_("Verify FILE against the trusted x509 certificates."));
- cmd_distrust =
- grub_register_command ("distrust_certificate", grub_cmd_distrust,
- N_("CERT_NUMBER"),
- N_("Remove CERT_NUMBER (as listed by list_certificates) from trusted certificates."));
+ cmd_trusted_cert = grub_register_command ("trusted_certificate", grub_cmd_trusted_cert,
+ N_("X509_CERTIFICATE"),
+ N_("Add X509_CERTIFICATE to trusted list."));
+ cmd_trusted_hash = grub_register_command ("trusted_signature", grub_cmd_trusted_hash,
+ N_("BINARY HASH FILE"),
+ N_("Add trusted BINARY HASH to trusted list."));
+ cmd_distrusted_cert = grub_register_command ("distrusted_certificate", grub_cmd_distrusted_cert,
+ N_("CERT_NUMBER"),
+ N_("Remove CERT_NUMBER (as listed by list_trusted)"
+ " from trusted list."));
+ cmd_distrusted_hash = grub_register_extcmd ("distrusted_signature", grub_cmd_distrusted_hash, 0,
+ N_("[-b|--binary-hash] FILE [BINARY HASH FILE]\n"
+ "[-c|--cert-hash] FILE [CERTFICATE HASH FILE]"),
+ N_("Add distrusted CERTFICATE/BINARY HASH "
+ "to distrusted list."),
+ options);
+ cmd_trusted_list = grub_register_command ("trusted_list", grub_cmd_trusted_list, 0,
+ N_("Show the list of trusted x509 certificates and"
+ " trusted binary hashes."));
+ cmd_distrusted_list = grub_register_command ("distrusted_list", grub_cmd_distrusted_list, 0,
+ N_("Show the list of distrusted certificates and"
+ " certificate/binary hashes"));
+ cmd_verify = grub_register_command ("verify_appended", grub_cmd_verify_signature, N_("FILE"),
+ N_("Verify FILE against the trusted x509 certificates/"
+ "trusted binary hashes."));
grub_verifier_register (&grub_appendedsig_verifier);
grub_dl_set_persistent (mod);
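Review bot: the help string for distrusted_certificate still says "as listed by list_trusted", but the listing command registered in this same block is trusted_list, and list_trusted is a different command in the documentation menu (trusted public keys). Also fix the "CERTFICATE" typos in the distrusted_signature synopsis and summary, and tidy the synopsis itself: it shows FILE followed by a bracketed file name, which does not make clear how many positional arguments the command takes.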
@@ -1304,10 +1477,12 @@ GRUB_MOD_FINI (appendedsig)
* grub_dl_set_persistent should prevent this from actually running, but
* it does still run under emu.
*/
-
grub_verifier_unregister (&grub_appendedsig_verifier);
grub_unregister_command (cmd_verify);
- grub_unregister_command (cmd_list);
- grub_unregister_command (cmd_trust);
- grub_unregister_command (cmd_distrust);
+ grub_unregister_command (cmd_trusted_list);
+ grub_unregister_command (cmd_distrusted_list);
+ grub_unregister_command (cmd_trusted_cert);
+ grub_unregister_command (cmd_distrusted_cert);
+ grub_unregister_command (cmd_trusted_hash);
+ grub_unregister_extcmd (cmd_distrusted_hash);
}
--
2.47.0


@ -0,0 +1,38 @@
From 3f1980191c693670380aa9aa5a949c5574a3bd04 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 06:22:51 +0100
Subject: [PATCH 05/20] fs/hfsplus: Set a grub_errno if mount fails
It was possible for mount to fail but not set grub_errno. This led to
a possible double decrement of the module reference count if the NULL
page was mapped.
Fixing in general as a similar bug was fixed in commit 61b13c187
(fs/hfsplus: Set grub_errno to prevent NULL pointer access) and there
are likely more variants around.
Fixes: CVE-2024-45783
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/hfsplus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index 295822f694..de71fd486b 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -405,7 +405,7 @@ grub_hfsplus_mount (grub_disk_t disk)
fail:
- if (grub_errno == GRUB_ERR_OUT_OF_RANGE)
+ if (grub_errno == GRUB_ERR_OUT_OF_RANGE || grub_errno == GRUB_ERR_NONE)
grub_error (GRUB_ERR_BAD_FS, "not a HFS+ filesystem");
grub_free (data);
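Review bot: missing comment on the new `grub_errno == GRUB_ERR_NONE` clause at the fail label. The mapping to GRUB_ERR_BAD_FS is the right fail-safe, but the reason is not obvious from the code: add a one-line comment saying the fail path must never return NULL with grub_errno unset, since the commit message identifies exactly that state as the cause of the double decrement and notes that more variants are likely.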
--
2.48.1


@ -0,0 +1,223 @@
From 87831c6ce3536e5e2eeb3e2cd8a6184b9509ee04 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 17 Apr 2024 23:04:43 +0530
Subject: [PATCH 6/8] appendedsig: documentation
This explains appended signatures static key and dynamic key,
and documents the commands and variables introduced.
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
---
docs/grub.texi | 115 ++++++++++++++++++++++++++++++++++---------------
1 file changed, 80 insertions(+), 35 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index 00c5fdc44..68d7cbb90 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4373,7 +4373,9 @@ you forget a command, you can run the command @command{help}
* date:: Display or set current date and time
* devicetree:: Load a device tree blob
* distrust:: Remove a pubkey from trusted keys
-* distrust_certificate:: Remove a certificate from the list of trusted certificates
+* distrusted_certificate:: Remove a certificate from the trusted list
+* distrusted_list:: List distrusted certificates and binary/certificate hashes
+* distrusted_signature:: Add a binary hash to the distrusted list
* drivemap:: Map a drive to another
* echo:: Display a line of text
* efitextmode:: Set/Get text output mode resolution
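Review bot: the menu text for distrusted_signature says "Add a binary hash to the distrusted list", but the distrusted_list entry on the line above describes binary/certificate hashes and the command is registered with a --cert-hash option as well. Suggest "Add a binary or certificate hash to the distrusted list" so the menu matches the command.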
@@ -4390,7 +4392,6 @@ you forget a command, you can run the command @command{help}
* hexdump:: Show raw contents of a file or memory
* insmod:: Insert a module
* keystatus:: Check key modifier status
-* list_certificates:: List trusted certificates
* list_env:: List variables in environment block
* list_trusted:: List trusted public keys
* load_env:: Load variables from environment block
@@ -4429,7 +4430,9 @@ you forget a command, you can run the command @command{help}
* test:: Check file types and compare values
* true:: Do nothing, successfully
* trust:: Add public key to list of trusted keys
-* trust_certificate:: Add an x509 certificate to the list of trusted certificates
+* trusted_certificate:: Add an x509 certificate to the trusted list
+* trusted_list:: List trusted certificates and binary hashes
+* trusted_signature:: Add a binary hash to the trusted list.
* unset:: Unset an environment variable
@comment * vbeinfo:: List available video modes
* verify_appended:: Verify appended digital signature
@@ -4776,15 +4779,15 @@ GPG-style digital signatures}, for more information.
@end deffn
-@node distrust_certificate
-@subsection distrust_certificate
+@node distrusted_certificate
+@subsection distrusted_certificate
-@deffn Command distrust_certificate cert_number
+@deffn Command distrusted_certificate cert_number
Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
trusted x509 certificates for verifying appended signatures.
@var{cert_number} is the certificate number as listed by
-@command{list_certificates} (@pxref{list_certificates}).
+@command{trusted_list} (@pxref{trusted_list}).
These certificates are used to validate appended signatures when environment
variable @code{check_appended_signatures} is set to @code{enforce}
@@ -4793,6 +4796,27 @@ variable @code{check_appended_signatures} is set to @code{enforce}
information.
@end deffn
+@node distrusted_list
+@subsection distrusted_list
+
+@deffn Command distrusted_list
+List all the distrusted x509 certificates and binary/certificate hashes.
+The output is a numbered list of certificates and binary/certificate hashes,
+showing the certificate's serial number and Common Name.
+@end deffn
+
+@node distrusted_signature
+@subsection distrusted_signature
+
+@deffn Command distrusted_signature
+Read a binary hash from the file @var{binary hash file}
+and add it to GRUB's internal distrusted list. These hash are used to
+restrict validation of linux image integrity using trusted list if appended
+signatures validation failed when the environment variable
+@code{check_appended_signatures} is set to @code{enforce}.
+
+See @xref{Using appended signatures} for more information.
+@end deffn
@node drivemap
@subsection drivemap
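Review bot: In the new distrusted_signature entry the @deffn line declares no argument, yet the description reads the hash from @var{binary hash file}; add the argument to the @deffn line under a single-token name so the synopsis matches the text. In the same entry "These hash are" should be "These hashes are", and the sentence about restricting validation "using trusted list if appended signatures validation failed" does not make clear whether a distrusted hash blocks a file that the trusted list would otherwise accept; state that order explicitly, since it decides what an operator can rely on when check_appended_signatures is enforce. The distrusted_list entry says the output shows the certificate's serial number and Common Name but not what is printed for a hash entry.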
@@ -5069,22 +5093,6 @@ without any options, the @command{keystatus} command returns true if and
only if checking key modifier status is supported.
@end deffn
-
-@node list_certificates
-@subsection list_certificates
-
-@deffn Command list_certificates
-List all x509 certificates trusted by GRUB for validating appended signatures.
-The output is a numbered list of certificates, showing the certificate's serial
-number and Common Name.
-
-The certificate number can be used as an argument to
-@command{distrust_certificate} (@pxref{distrust_certificate}).
-
-See @xref{Using appended signatures} for more information.
-@end deffn
-
-
@node list_env
@subsection list_env
@@ -5935,9 +5943,8 @@ and manual booting. @xref{Using GPG-style digital signatures}, for more
information.
@end deffn
-
-@node trust_certificate
-@subsection trust_certificate
+@node trusted_certificate
+@subsection trusted_certificate
@deffn Command trust_certificate x509_certificate
Read a DER-formatted x509 certificate from the file @var{x509_certificate}
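Review bot: The node and subsection are renamed to trusted_certificate, but the unchanged context line "@deffn Command trust_certificate x509_certificate" still documents the old command name, so the manual would show one name in the heading and another in the synopsis. Update the @deffn line in this hunk as well.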
@@ -5946,7 +5953,7 @@ certificates are used to validate appended signatures when the environment
variable @code{check_appended_signatures} is set to @code{enforce}.
Note that if @code{check_appended_signatures} is set to @code{enforce}
-when @command{trust_certificate} is executed, then @var{x509_certificate}
+when @command{trusted_certificate} is executed, then @var{x509_certificate}
must itself bear an appended signature. (It is not sufficient that
@var{x509_certificate} be signed by a trusted certificate according to the
x509 rules: grub does not include support for validating signatures within x509
@@ -5955,6 +5962,32 @@ certificates themselves.)
See @xref{Using appended signatures} for more information.
@end deffn
+@node trusted_list
+@subsection trusted_list
+
+@deffn Command trusted_list
+List all x509 certificates and binary hases trusted by GRUB for validating
+appended signatures. The output is a numbered list of certificates and binary
+hashes, showing the certificate's serial number and Common Name.
+
+The certificate number can be used as an argument to
+@command{distrusted_certificate} (@pxref{distrusted_certificate}).
+
+See @xref{Using appended signatures} for more information.
+@end deffn
+
+@node trusted_signature
+@subsection trusted_signature
+
+@deffn Command trust_signature
+Read a binary hash from the file @var{binary hash file}
+and add it to GRUB's internal trusted list. These binary hash are used to
+validate linux image integrity if appended signatures validation failed
+when the environment variable @code{check_appended_signatures} is set
+to @code{enforce}.
+
+See @xref{Using appended signatures} for more information.
+@end deffn
@node unset
@subsection unset
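Review bot: The trusted_signature node is documented with "@deffn Command trust_signature", which matches neither the node name nor the menu entry nor the @pxref{trusted_signature} used later in the patch; it also declares no argument while the text refers to @var{binary hash file}. Make the @deffn name trusted_signature and give it the file argument. "binary hases" in trusted_list should be "binary hashes" and "These binary hash are" should be plural. trusted_list also says the certificate number can be passed to distrusted_certificate without saying how hash entries are numbered or removed.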
@@ -5979,8 +6012,8 @@ only on PC BIOS platforms.
@deffn Command verify_appended file
Verifies an appended signature on @var{file} against the trusted certificates
-known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
-@pxref{distrust_certificate}).
+known to GRUB (See @pxref{trusted_list}, @pxref{trusted_certificate}, and
+@pxref{distrusted_certificate}).
Exit code @code{$?} is set to 0 if the signature validates
successfully. If validation fails, it is set to a non-zero value.
@@ -6664,17 +6697,29 @@ with an appended signature ends with the magic string:
where @code{\n} represents the carriage-return character, @code{0x0a}.
To enable appended signature verification, load the appendedsig module and an
-x509 certificate for verification. Building the appendedsig module into the
+trusted keys for verification. Building the appendedsig module into the
core grub image is recommended.
-Certificates can be managed at boot time using the @pxref{trust_certificate},
-@pxref{distrust_certificate} and @pxref{list_certificates} commands.
-Certificates can also be built in to the core image using the @code{--x509}
-parameter to @command{grub-install} or @command{grub-mkimage}.
+For static key, Certificates will be built in to the core image using
+the @code{--x509} parameter to @command{grub-install} or @command{grub-mkimage}.
+it can allow to list the trusted certificates and binary hashes at boot time using
+@pxref{trusted_list} and list distrusted certificates and binary/certificate hashes
+at boot time using @pxref{distrusted_list} commands.
+
+For dynamic key, loads the signature database (DB) and forbidden
+signature database (DBX) from platform keystore (PKS) and it can allow to list
+the trusted certificates and binary hashes at boot time using @pxref{trusted_list}
+and list distrusted certificates and binary/certificate hashes at boot time using
+@pxref{distrusted_list} commands.
+
+Also, it will not allow to manage add/delete of certificates/signature at boot time using
+@pxref{trusted_certificate} and @pxref{trusted_signature}, @pxref{distrusted_certificate}
+and @pxref{distrusted_signature} commands when the environment variable
+@code{check_appended_signatures} is set to @code{enforce}.
A file can be explictly verified using the @pxref{verify_appended} command.
-Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
+Only signatures made with the SHA-256, SH-384 and SHA-512 hash algorithm are supported,
and only RSA signatures are supported.
A file can be signed with the @command{sign-file} utility supplied with the
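Review bot: The paragraph beginning "Also, it will not allow to manage add/delete" does not say whether the restriction applies to static keys, dynamic keys or both, and it is the security-relevant statement of this section: spell out which of trusted_certificate, trusted_signature, distrusted_certificate and distrusted_signature are refused in each mode when check_appended_signatures is enforce. "SH-384" should be "SHA-384", "an trusted keys" should be "trusted keys", and the static and dynamic paragraphs repeat the same listing sentence and could share it. The removed text said certificates "can also be built in" while the new text says they "will be built in" for static keys; say whether --x509 is now required for that mode.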
--
2.47.0


@ -0,0 +1,35 @@
From 07482c2ab034df5069761319e4969551c3dcc6e1 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 03:01:40 +0100
Subject: [PATCH 06/20] kern/file: Ensure file->data is set
This is to avoid a generic issue where some filesystems would not set
data and also not set a grub_errno. This meant it was possible for many
filesystems to grub_dl_unref() themselves multiple times resulting in
it being possible to unload the filesystems while there were still
references to them, e.g., via a loopback.
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/kern/file.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
index 750177248f..e990507fca 100644
--- a/grub-core/kern/file.c
+++ b/grub-core/kern/file.c
@@ -114,6 +114,9 @@ grub_file_open (const char *name, enum grub_file_type type)
if ((file->fs->fs_open) (file, file_name) != GRUB_ERR_NONE)
goto fail;
+ if (file->data == NULL)
+ goto fail;
+
file->name = grub_strdup (name);
grub_errno = GRUB_ERR_NONE;
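Review bot: The new "if (file->data == NULL) goto fail;" branch is taken after fs_open returned GRUB_ERR_NONE, and the commit message says the filesystems in question also leave grub_errno unset, so this path can reach fail with no error recorded. Set an error with grub_error () before the goto, or add a comment stating that the fail path copes with grub_errno == GRUB_ERR_NONE, so callers do not receive a NULL file together with a success errno.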
--
2.48.1


@ -0,0 +1,216 @@
From 6701b4a9e1994c8a05c87a7167694bc3dd71e7d6 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 23 Oct 2024 17:54:32 +0530
Subject: [PATCH 7/8] grub-mkimage: Create new ELF note for SBAT
In order to store the SBAT data we create a new ELF note. The string
".sbat", zero-padded to 4 byte alignment, shall be entered in the name
field. The string "SBAT"'s ASCII values, 0x53424154, should be entered
in the type field.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
include/grub/util/mkimage.h | 4 +-
util/grub-mkimagexx.c | 92 +++++++++++++++++++++++++++----------
util/mkimage.c | 5 +-
3 files changed, 74 insertions(+), 27 deletions(-)
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
index 6f1da89b9..881e3031f 100644
--- a/include/grub/util/mkimage.h
+++ b/include/grub/util/mkimage.h
@@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
const struct grub_install_image_target_desc *image_target);
void
grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target,
- int note, size_t appsig_size, char **core_img, size_t *core_size,
+ int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
Elf32_Addr target_addr,
struct grub_mkimage_layout *layout);
void
grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target,
- int note, size_t appsig_size, char **core_img, size_t *core_size,
+ int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
Elf64_Addr target_addr,
struct grub_mkimage_layout *layout);
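Review bot: The new sbat parameter is only read in grub-mkimagexx.c (it is the source of a memcpy), so declare it const char *sbat in both prototypes. Its length is taken from layout->sbat_size rather than passed beside the pointer; a comment on the prototypes stating that sbat must point to at least layout->sbat_size bytes would keep the pointer and the length from drifting apart.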
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 9488f0525..b507d4ade 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -116,6 +116,14 @@ struct section_metadata
const char *strtab;
};
+#define GRUB_SBAT_NOTE_NAME ".sbat"
+#define GRUB_SBAT_NOTE_TYPE 0x53424154 /* "SBAT" */
+
+struct grub_sbat_note {
+ Elf32_Nhdr header;
+ char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
+};
+
static int
is_relocatable (const struct grub_install_image_target_desc *image_target)
{
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
void
SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target,
- int note, size_t appsig_size, char **core_img, size_t *core_size,
+ int note, size_t appsig_size, char *sbat, char **core_img, size_t *core_size,
Elf_Addr target_addr,
struct grub_mkimage_layout *layout)
{
@@ -226,10 +234,17 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
Elf_Ehdr *ehdr;
Elf_Phdr *phdr;
Elf_Shdr *shdr;
- int header_size, footer_size = 0;
+ int header_size, footer_size = 0, footer_offset = 0;
int phnum = 1;
int shnum = 4;
int string_size = sizeof (".text") + sizeof ("mods") + 1;
+ char *footer;
+
+ if (sbat)
+ {
+ phnum++;
+ footer_size += ALIGN_UP (sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+ }
if (appsig_size)
{
@@ -263,6 +278,7 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
ehdr = (void *) elf_img;
phdr = (void *) (elf_img + sizeof (*ehdr));
shdr = (void *) (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr));
+ footer = elf_img + program_size + header_size;
memcpy (ehdr->e_ident, ELFMAG, SELFMAG);
ehdr->e_ident[EI_CLASS] = ELFCLASSXX;
if (!image_target->bigendian)
@@ -435,6 +451,8 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
phdr->p_filesz = grub_host_to_target32 (XEN_NOTE_SIZE);
phdr->p_memsz = 0;
phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+ footer = ptr;
+ footer_offset = XEN_NOTE_SIZE;
}
if (image_target->id == IMAGE_XEN_PVH)
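Review bot: "footer = ptr;" depends on where ptr was left by the Xen note code above, which is outside this hunk, while footer_offset is set to XEN_NOTE_SIZE. The SBAT and appended-signature notes are later written at footer but described by p_offset = header_size + program_size + footer_offset, so the two must agree. Derive footer from the same expression (elf_img + header_size + program_size + XEN_NOTE_SIZE) or document that ptr equals it at this point; the same applies to the XEN_PVH hunk that follows.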
@@ -468,6 +486,8 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
phdr->p_filesz = grub_host_to_target32 (XEN_PVH_NOTE_SIZE);
phdr->p_memsz = 0;
phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+ footer = ptr;
+ footer_offset = XEN_PVH_NOTE_SIZE;
}
if (note)
@@ -498,29 +518,55 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
phdr->p_filesz = grub_host_to_target32 (note_size);
phdr->p_memsz = 0;
phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+ footer = (elf_img + program_size + header_size + note_size);
+ footer_offset += note_size;
}
- if (appsig_size) {
- int note_size = ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4);
- struct grub_appended_signature_note *note_ptr = (struct grub_appended_signature_note *)
- (elf_img + program_size + header_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
-
- note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME));
- /* needs to sit at the end, so we round this up and sign some zero padding */
- note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(appsig_size, 4));
- note_ptr->header.n_type = grub_host_to_target32 (GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
- strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
-
- phdr++;
- phdr->p_type = grub_host_to_target32 (PT_NOTE);
- phdr->p_flags = grub_host_to_target32 (PF_R);
- phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
- phdr->p_vaddr = 0;
- phdr->p_paddr = 0;
- phdr->p_filesz = grub_host_to_target32 (note_size);
- phdr->p_memsz = 0;
- phdr->p_offset = grub_host_to_target32 (header_size + program_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
- }
+ if (sbat)
+ {
+ int note_size = ALIGN_UP (sizeof (struct grub_sbat_note) + layout->sbat_size, 4);
+ struct grub_sbat_note *note_ptr = (struct grub_sbat_note *) footer;
+
+ note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_SBAT_NOTE_NAME));
+ note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(layout->sbat_size, 4));
+ note_ptr->header.n_type = grub_host_to_target32 (GRUB_SBAT_NOTE_TYPE);
+ memcpy (note_ptr->name, GRUB_SBAT_NOTE_NAME, sizeof (GRUB_SBAT_NOTE_NAME));
+ memcpy ((char *)(note_ptr + 1), sbat, layout->sbat_size);
+
+ phdr++;
+ phdr->p_type = grub_host_to_target32 (PT_NOTE);
+ phdr->p_flags = grub_host_to_target32 (PF_R);
+ phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
+ phdr->p_vaddr = 0;
+ phdr->p_paddr = 0;
+ phdr->p_filesz = grub_host_to_target32 (note_size);
+ phdr->p_memsz = 0;
+ phdr->p_offset = grub_host_to_target32 (header_size + program_size + footer_offset);
+
+ footer += note_size;
+ footer_offset += note_size;
+ }
+
+ if (appsig_size)
+ {
+ int note_size = ALIGN_UP (sizeof (struct grub_appended_signature_note) + appsig_size, 4);
+ struct grub_appended_signature_note *note_ptr = (struct grub_appended_signature_note *)footer;
+ note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME));
+ /* needs to sit at the end, so we round this up and sign some zero padding */
+ note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP (appsig_size, 4));
+ note_ptr->header.n_type = grub_host_to_target32 (GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
+ strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
+
+ phdr++;
+ phdr->p_type = grub_host_to_target32 (PT_NOTE);
+ phdr->p_flags = grub_host_to_target32 (PF_R);
+ phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
+ phdr->p_vaddr = 0;
+ phdr->p_paddr = 0;
+ phdr->p_filesz = grub_host_to_target32 (note_size);
+ phdr->p_memsz = 0;
+ phdr->p_offset = grub_host_to_target32 (header_size + program_size + footer_offset);
+ }
{
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
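Review bot: In the new SBAT block, n_descsz is ALIGN_UP (layout->sbat_size, 4) but the memcpy copies only layout->sbat_size bytes, so up to three padding bytes keep whatever elf_img already held; the appended-signature note follows and its comment says zero padding is signed, so state or ensure that the buffer is zero-filled here. In the "if (note)" branch, footer is assigned an absolute address while footer_offset is updated with +=, so the two diverge if a Xen branch has already set footer_offset; use one form for both. The block also assumes that a non-NULL sbat comes with a non-zero layout->sbat_size, which deserves an explicit check.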
diff --git a/util/mkimage.c b/util/mkimage.c
index 0737935fd..be7f02c5c 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -1835,6 +1835,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
case IMAGE_I386_IEEE1275:
{
grub_uint64_t target_addr;
+ char *sbat = NULL;
if (image_target->id == IMAGE_LOONGSON_ELF)
{
if (comp == GRUB_COMPRESSION_NONE)
@@ -1846,10 +1847,10 @@ grub_install_generate_image (const char *dir, const char *prefix,
else
target_addr = image_target->link_addr;
if (image_target->voidp_sizeof == 4)
- grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, &core_img,
&core_size, target_addr, &layout);
else
- grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, &core_img,
&core_size, target_addr, &layout);
}
break;
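Review bot: sbat is declared as NULL in the previous hunk and passed unchanged to grub_mkimage_generate_elf32/64 here, and nothing in this patch assigns it, so the "if (sbat)" code added in grub-mkimagexx.c cannot run yet. Either wire up the SBAT buffer in this patch or say in the commit message that a later patch in the series supplies it.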
--
2.47.1


@ -1,279 +0,0 @@
From 96e5a28d120856057fe7fc9b281f11f8933063b7 Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 30 Jun 2023 14:37:41 +0800
Subject: [PATCH 7/9] grub-switch-to-blscfg: adapt to openSUSE
A few tweaks to make it 'just works' for openSUSE:
- remove RHEL specific $grub_get_kernel_settings and all reference to it.
- make $grubdir and $startlink to the path in openSUSE
- change the bls template to openSUSE
- make $cmdline account for btrfs subvolumes, among others
- remove RHEL specific $GRUB_LINUX_MAKE_DEBUG and all related code
- remove ostree specific hack
- ignore increment.mod
- fix error in dash shell script
- fix kernel flavor parsing in openSUSE
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub-switch-to-blscfg.in | 156 ++++++++++++++++++++--------------
1 file changed, 94 insertions(+), 62 deletions(-)
diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in
index a851424be..145c22add 100644
--- a/util/grub-switch-to-blscfg.in
+++ b/util/grub-switch-to-blscfg.in
@@ -28,27 +28,24 @@ PACKAGE_NAME=@PACKAGE_NAME@
PACKAGE_VERSION=@PACKAGE_VERSION@
datarootdir="@datarootdir@"
datadir="@datadir@"
-if [ ! -v pkgdatadir ]; then
+if [ -z "${pkgdatadir+x}" ]; then
pkgdatadir="${datadir}/@PACKAGE@"
fi
self=`basename $0`
-grub_get_kernel_settings="${sbindir}/@grub_get_kernel_settings@"
grub_editenv=${bindir}/@grub_editenv@
-etcdefaultgrub=/etc/default/grub
+grub_probe="${sbindir}/@grub_probe@"
+etcdefaultgrub=${sysconfdir}/default/grub
-eval "$("${grub_get_kernel_settings}")" || true
-
-EFIDIR=$(grep ^ID= /etc/os-release | sed -e 's/^ID=//' -e 's/rhel/redhat/' -e 's/\"//g')
-if [ -d /sys/firmware/efi/efivars/ ]; then
- startlink=/etc/grub2-efi.cfg
- grubdir=`echo "/@bootdirname@/efi/EFI/${EFIDIR}/" | sed 's,//*,/,g'`
-else
- startlink=/etc/grub2.cfg
- grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+if test -f "$etcdefaultgrub" ; then
+ # shellcheck source=/etc/default/grub
+ . "$etcdefaultgrub"
fi
+grubdir=`echo "/@bootdirname@/@grubdirname@" | sed 's,//*,/,g'`
+startlink="${grubdir}/grub.cfg"
+
blsdir=`echo "/@bootdirname@/loader/entries" | sed 's,//*,/,g'`
backupsuffix=.bak
@@ -58,19 +55,80 @@ arch="$(uname -m)"
export TEXTDOMAIN=@PACKAGE@
export TEXTDOMAINDIR="@localedir@"
+# shellcheck source=/usr/share/grub2/grub-mkconfig_lib
. "${pkgdatadir}/grub-mkconfig_lib"
+# FIXME: Abort if grub_probe fails
+
+GRUB_DEVICE="`${grub_probe} --target=device /`"
+GRUB_DEVICE_UUID="`${grub_probe} --device ${GRUB_DEVICE} --target=fs_uuid 2> /dev/null`" || true
+GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2> /dev/null`" || true
+GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"
+
+# loop-AES arranges things so that /dev/loop/X can be our root device, but
+# the initrds that Linux uses don't like that.
+case ${GRUB_DEVICE} in
+ /dev/loop/*|/dev/loop[0-9])
+ GRUB_DEVICE=$(losetup "${GRUB_DEVICE}" | sed -e "s/^[^(]*(\([^)]\+\)).*/\1/")
+ ;;
+esac
+
+# Default to disabling partition uuid support to maintian compatibility with
+# older kernels.
+GRUB_DISABLE_LINUX_PARTUUID=${GRUB_DISABLE_LINUX_PARTUUID-true}
+
+# btrfs may reside on multiple devices. We cannot pass them as value of root= parameter
+# and mounting btrfs requires user space scanning, so force UUID in this case.
+if ( [ "x${GRUB_DEVICE_UUID}" = "x" ] && [ "x${GRUB_DEVICE_PARTUUID}" = "x" ] ) \
+ || ( [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ] \
+ && [ "x${GRUB_DISABLE_LINUX_PARTUUID}" = "xtrue" ] ) \
+ || ( ! test -e "/dev/disk/by-uuid/${GRUB_DEVICE_UUID}" \
+ && ! test -e "/dev/disk/by-partuuid/${GRUB_DEVICE_PARTUUID}" ) \
+ || ( test -e "${GRUB_DEVICE}" && uses_abstraction "${GRUB_DEVICE}" lvm ); then
+ LINUX_ROOT_DEVICE=${GRUB_DEVICE}
+elif [ "x${GRUB_DEVICE_UUID}" = "x" ] \
+ || [ "x${GRUB_DISABLE_LINUX_UUID}" = "xtrue" ]; then
+ LINUX_ROOT_DEVICE=PARTUUID=${GRUB_DEVICE_PARTUUID}
+else
+ LINUX_ROOT_DEVICE=UUID=${GRUB_DEVICE_UUID}
+fi
+
+if [ "x$GRUB_CONMODE" != "x" ]; then
+ GRUB_CMDLINE_LINUX="conmode=${GRUB_CONMODE} ${GRUB_CMDLINE_LINUX}"
+fi
+
+case x"$GRUB_FS" in
+ xbtrfs)
+ if [ "x${SUSE_BTRFS_SNAPSHOT_BOOTING}" != "xtrue" ]; then
+ rootsubvol="`make_system_path_relative_to_its_root /`"
+ rootsubvol="${rootsubvol#/}"
+ if [ "x${rootsubvol}" != x ] && [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" != "xtrue" ]; then
+ GRUB_CMDLINE_LINUX="rootflags=subvol=${rootsubvol} ${GRUB_CMDLINE_LINUX}"
+ fi
+ fi
+ ;;
+ xzfs)
+ rpool=`${grub_probe} --device ${GRUB_DEVICE} --target=fs_label 2>/dev/null || true`
+ bootfs="`make_system_path_relative_to_its_root / | sed -e "s,@$,,"`"
+ LINUX_ROOT_DEVICE="ZFS=${rpool}${bootfs%/}"
+ ;;
+esac
+
+if [ "x$SUSE_REMOVE_LINUX_ROOT_PARAM" = "xtrue" ]; then
+ LINUX_ROOT_DEVICE=""
+fi
+
# Usage: usage
# Print the usage.
usage () {
gettext_printf "Usage: %s\n" "$self"
- gettext "Switch to BLS config files.\n"; echo
+ gettext "Switch to BLS config files. Only for testing purpose !!!\n"; echo
echo
print_option_help "-h, --help" "$(gettext "print this message and exit")"
print_option_help "-V, --version" "$(gettext "print the version information and exit")"
echo
print_option_help "--backup-suffix=$(gettext "SUFFIX")" "$backupsuffix"
- print_option_help "--bls-directory=$(gettext "DIR")" "$blsdir"
+ print_option_help "--bls-directory=$(gettext "DIR")" "Noop, always $blsdir"
print_option_help "--config-file=$(gettext "FILE")" "$startlink"
print_option_help "--grub-defaults=$(gettext "FILE")" "$etcdefaultgrub"
print_option_help "--grub-directory=$(gettext "DIR")" "$grubdir"
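Review bot: The added "# FIXME: Abort if grub_probe fails" is left unresolved: GRUB_DEVICE is taken from ${grub_probe} --target=device / with no check, and the later probes pass ${GRUB_DEVICE} unquoted, so an empty result falls through to LINUX_ROOT_DEVICE=${GRUB_DEVICE} and the cmdline built in copy_bls starts with an empty "root=". Exit with an error when GRUB_DEVICE is empty and quote "${GRUB_DEVICE}" in the --device calls. "maintian" in the PARTUUID comment should be "maintain".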
@@ -112,11 +170,15 @@ do
;;
--bls-directory)
- blsdir=`argument $option "$@"`
+ # blsdir=`argument $option "$@"`
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
shift
;;
--bls-directory=*)
- blsdir=`echo "$option" | sed 's/--bls-directory=//'`
+ # blsdir=`echo "$option" | sed 's/--bls-directory=//'`
+ gettext_printf "WARN: --bls-directory is currently disabled, it's always $blsdir !!!\n"
+ gettext_printf "WARN: use kernel-install instead if you want to test bls directory on ESP !!!\n"
;;
--config-file)
@@ -172,7 +234,7 @@ find_grub_cfg() {
return 1
}
-if ! find_grub_cfg ${startlink} ${grubdir}/grub.cfg ; then
+if ! find_grub_cfg "${startlink}" ; then
gettext_printf "Couldn't find config file\n" 1>&2
exit 1
fi
@@ -190,27 +252,24 @@ fi
mkbls() {
local kernelver=$1 && shift
local datetime=$1 && shift
+ local prefix=$1 && shift
local kernelopts=$1 && shift
- local debugname=""
- local debugid=""
local flavor=""
- if [ "$kernelver" == *\+* ] ; then
- local flavor=-"${kernelver##*+}"
- if [ "${flavor}" == "-debug" ]; then
- local debugname=" with debugging"
- local debugid="-debug"
- fi
- fi
+ case "$kernelver" in
+ *-*-*)
+ flavor=-"${kernelver##*-}"
+ ;;
+ esac
(
- source /etc/os-release
+ . /etc/os-release
cat <<EOF
-title ${NAME} (${kernelver}) ${VERSION}${debugname}
-version ${kernelver}${debugid}
-linux /vmlinuz-${kernelver}
-initrd /initramfs-${kernelver}.img
+title ${NAME} (${kernelver}) ${VERSION}
+version ${kernelver}
+linux ${prefix}/vmlinuz-${kernelver}
+initrd ${prefix}/initrd-${kernelver}
options ${kernelopts}
grub_users \$grub_users
grub_arg --unrestricted
@@ -233,42 +292,15 @@ copy_bls() {
continue
fi
- linux_relpath="$("${grub_mkrelpath}" "${linux_path}")"
- bootprefix="${linux_relpath%%"${linux}"}"
+ bootprefix="$(make_system_path_relative_to_its_root /boot)"
cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
mkbls "${kernelver}" \
"$(date -u +%Y%m%d%H%M%S -d "$(stat -c '%y' "${kernel_dir}")")" \
"${bootprefix}" "${cmdline}" >"${bls_target}"
-
- if [ "x$GRUB_LINUX_MAKE_DEBUG" = "xtrue" ]; then
- bls_debug="$(echo ${bls_target} | sed -e "s/${kernelver}/${kernelver}~debug/")"
- cp -aT "${bls_target}" "${bls_debug}"
- title="$(grep '^title[ \t]' "${bls_debug}" | sed -e 's/^title[ \t]*//')"
- options="$(echo "${cmdline} ${GRUB_CMDLINE_LINUX_DEBUG}" | sed -e 's/\//\\\//g')"
- sed -i -e "s/^title.*/title ${title}${GRUB_LINUX_DEBUG_TITLE_POSTFIX}/" "${bls_debug}"
- sed -i -e "s/^options.*/options ${options}/" "${bls_debug}"
- fi
done
-
- if [ -f "/boot/vmlinuz-0-rescue-${MACHINE_ID}" ]; then
- mkbls "0-rescue-${MACHINE_ID}" "0" "${bootprefix}" >"${blsdir}/${MACHINE_ID}-0-rescue.conf"
- fi
}
-# The grub2 EFI binary is not copied to the ESP as a part of an ostree
-# transaction. Make sure a grub2 version with BLS support is installed
-# but only do this if the blsdir is not set, to make sure that the BLS
-# parsing module will search for the BLS snippets in the default path.
-if test -f /run/ostree-booted && test -d /sys/firmware/efi/efivars && \
- ! ${grub_editenv} - list | grep -q blsdir && \
- mountpoint -q /boot; then
- grub_binary="$(find /usr/lib/ostree-boot/efi/EFI/${EFIDIR}/ -name grub*.efi)"
- install -m 700 ${grub_binary} ${grubdir} || exit 1
- # Create a hidden file to indicate that grub2 now has BLS support.
- touch /boot/grub2/.grub2-blscfg-supported
-fi
-
GENERATE=0
if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \
| grep -vq '^GRUB_ENABLE_BLSCFG="*true"*\s*$' ; then
@@ -297,9 +329,7 @@ if [ "${GENERATE}" -eq 1 ] ; then
fi
if [ -n "${mod_dir}" ]; then
- for mod in blscfg increment; do
- install -m 700 ${prefix}/lib/grub/${mod_dir}/${mod}.mod ${grubdir}/$mod_dir/ || exit 1
- done
+ install -m 700 "${pkgdatadir}/${mod_dir}/blscfg.mod" "${grubdir}/$mod_dir/" || exit 1
fi
cp -af "${GRUB_CONFIG_FILE}" "${GRUB_CONFIG_FILE}${backupsuffix}"
@@ -311,6 +341,8 @@ if [ "${GENERATE}" -eq 1 ] ; then
gettext_printf "Updating %s failed\n" "${GRUB_CONFIG_FILE}"
exit 1
fi
+else
+ gettext_printf "Do nothing because \$GRUB_ENABLE_BLSCFG is already true in %s\n" "${GRUB_CONFIG_FILE}"
fi
# Bye.
--
2.45.2


@ -0,0 +1,443 @@
From 8e9240826c7d230cab6d52724d2cf3759e6f0d3f Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Sun, 12 May 2024 10:15:03 +0100
Subject: [PATCH 07/20] kern/file: Implement filesystem reference counting
The grub_file_open() and grub_file_close() should be the only places
that allow a reference to a filesystem to stay open. So, add grub_dl_t
to grub_fs_t and set this in the GRUB_MOD_INIT() for each filesystem to
avoid issues when filesystems forget to do it themselves or do not track
their own references, e.g. squash4.
The fs_label(), fs_uuid(), fs_mtime() and fs_read() should all ref and
unref in the same function but it is essentially redundant in GRUB's
single-threaded model.
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/affs.c | 1 +
grub-core/fs/bfs.c | 1 +
grub-core/fs/btrfs.c | 1 +
grub-core/fs/cbfs.c | 1 +
grub-core/fs/cpio.c | 1 +
grub-core/fs/cpio_be.c | 1 +
grub-core/fs/ext2.c | 1 +
grub-core/fs/f2fs.c | 1 +
grub-core/fs/fat.c | 1 +
grub-core/fs/hfs.c | 1 +
grub-core/fs/hfsplus.c | 1 +
grub-core/fs/iso9660.c | 1 +
grub-core/fs/jfs.c | 1 +
grub-core/fs/minix.c | 1 +
grub-core/fs/newc.c | 1 +
grub-core/fs/nilfs2.c | 1 +
grub-core/fs/ntfs.c | 1 +
grub-core/fs/odc.c | 1 +
grub-core/fs/proc.c | 1 +
grub-core/fs/reiserfs.c | 1 +
grub-core/fs/romfs.c | 1 +
grub-core/fs/sfs.c | 1 +
grub-core/fs/squash4.c | 1 +
grub-core/fs/tar.c | 1 +
grub-core/fs/udf.c | 1 +
grub-core/fs/ufs.c | 1 +
grub-core/fs/xfs.c | 1 +
grub-core/fs/zfs/zfs.c | 1 +
grub-core/kern/file.c | 7 +++++++
include/grub/fs.h | 4 ++++
30 files changed, 39 insertions(+)
diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
index ed606b3f15..9b0afb9541 100644
--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
@@ -703,6 +703,7 @@ static struct grub_fs grub_affs_fs =
GRUB_MOD_INIT(affs)
{
+ grub_affs_fs.mod = mod;
grub_fs_register (&grub_affs_fs);
my_mod = mod;
}
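Review bot: "my_mod = mod;" stays next to the new "grub_affs_fs.mod = mod;", so the module handle is now stored twice. The commit message says grub_file_open() and grub_file_close() should be the only places that keep a filesystem reference; say in the message whether the per-filesystem my_mod references are dropped by a later patch. The same question applies to the other filesystems in this patch that keep my_mod.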
diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
index 07cb3e3acf..f37b168958 100644
--- a/grub-core/fs/bfs.c
+++ b/grub-core/fs/bfs.c
@@ -1106,6 +1106,7 @@ GRUB_MOD_INIT (bfs)
{
COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
sizeof (struct grub_bfs_extent));
+ grub_bfs_fs.mod = mod;
grub_fs_register (&grub_bfs_fs);
}
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 7e12dce9c2..0dd9a817ee 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -3565,6 +3565,7 @@ relpath_set_env (struct grub_env_var *var,
GRUB_MOD_INIT (btrfs)
{
+ grub_btrfs_fs.mod = mod;
grub_fs_register (&grub_btrfs_fs);
cmd_info = grub_register_command("btrfs-info", grub_cmd_btrfs_info,
"DEVICE",
diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
index 8ab7106afb..2332745fe8 100644
--- a/grub-core/fs/cbfs.c
+++ b/grub-core/fs/cbfs.c
@@ -390,6 +390,7 @@ GRUB_MOD_INIT (cbfs)
#if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
init_cbfsdisk ();
#endif
+ grub_cbfs_fs.mod = mod;
grub_fs_register (&grub_cbfs_fs);
}
diff --git a/grub-core/fs/cpio.c b/grub-core/fs/cpio.c
index dab5f98988..1799f7ff5a 100644
--- a/grub-core/fs/cpio.c
+++ b/grub-core/fs/cpio.c
@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)
GRUB_MOD_INIT (cpio)
{
+ grub_cpio_fs.mod = mod;
grub_fs_register (&grub_cpio_fs);
}
diff --git a/grub-core/fs/cpio_be.c b/grub-core/fs/cpio_be.c
index 8465488921..7bed1b848c 100644
--- a/grub-core/fs/cpio_be.c
+++ b/grub-core/fs/cpio_be.c
@@ -52,6 +52,7 @@ read_number (const grub_uint16_t *arr, grub_size_t size)
GRUB_MOD_INIT (cpio_be)
{
+ grub_cpio_fs.mod = mod;
grub_fs_register (&grub_cpio_fs);
}
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
index e1cc5e62aa..04f5d04e14 100644
--- a/grub-core/fs/ext2.c
+++ b/grub-core/fs/ext2.c
@@ -1123,6 +1123,7 @@ static struct grub_fs grub_ext2_fs =
GRUB_MOD_INIT(ext2)
{
+ grub_ext2_fs.mod = mod;
grub_fs_register (&grub_ext2_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/f2fs.c b/grub-core/fs/f2fs.c
index 855e24618c..7e48796036 100644
--- a/grub-core/fs/f2fs.c
+++ b/grub-core/fs/f2fs.c
@@ -1350,6 +1350,7 @@ static struct grub_fs grub_f2fs_fs = {
GRUB_MOD_INIT (f2fs)
{
+ grub_f2fs_fs.mod = mod;
grub_fs_register (&grub_f2fs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/fat.c b/grub-core/fs/fat.c
index c5efed7241..6e62b915dd 100644
--- a/grub-core/fs/fat.c
+++ b/grub-core/fs/fat.c
@@ -1312,6 +1312,7 @@ GRUB_MOD_INIT(fat)
#endif
{
COMPILE_TIME_ASSERT (sizeof (struct grub_fat_dir_entry) == 32);
+ grub_fat_fs.mod = mod;
grub_fs_register (&grub_fat_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/hfs.c b/grub-core/fs/hfs.c
index 920112b03e..ce7581dd5f 100644
--- a/grub-core/fs/hfs.c
+++ b/grub-core/fs/hfs.c
@@ -1434,6 +1434,7 @@ static struct grub_fs grub_hfs_fs =
GRUB_MOD_INIT(hfs)
{
+ grub_hfs_fs.mod = mod;
if (!grub_is_lockdown ())
grub_fs_register (&grub_hfs_fs);
my_mod = mod;
diff --git a/grub-core/fs/hfsplus.c b/grub-core/fs/hfsplus.c
index de71fd486b..3f203abccd 100644
--- a/grub-core/fs/hfsplus.c
+++ b/grub-core/fs/hfsplus.c
@@ -1176,6 +1176,7 @@ static struct grub_fs grub_hfsplus_fs =
GRUB_MOD_INIT(hfsplus)
{
+ grub_hfsplus_fs.mod = mod;
grub_fs_register (&grub_hfsplus_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/iso9660.c b/grub-core/fs/iso9660.c
index 8c348b59a5..5aabca284b 100644
--- a/grub-core/fs/iso9660.c
+++ b/grub-core/fs/iso9660.c
@@ -1247,6 +1247,7 @@ static struct grub_fs grub_iso9660_fs =
GRUB_MOD_INIT(iso9660)
{
+ grub_iso9660_fs.mod = mod;
grub_fs_register (&grub_iso9660_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 6f7c439049..3139e53329 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -963,6 +963,7 @@ static struct grub_fs grub_jfs_fs =
GRUB_MOD_INIT(jfs)
{
+ grub_jfs_fs.mod = mod;
grub_fs_register (&grub_jfs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
index 5354951d10..b7679c3e25 100644
--- a/grub-core/fs/minix.c
+++ b/grub-core/fs/minix.c
@@ -734,6 +734,7 @@ GRUB_MOD_INIT(minix)
#endif
#endif
{
+ grub_minix_fs.mod = mod;
grub_fs_register (&grub_minix_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/newc.c b/grub-core/fs/newc.c
index 4fb8b2e3d2..43b7f8b642 100644
--- a/grub-core/fs/newc.c
+++ b/grub-core/fs/newc.c
@@ -64,6 +64,7 @@ read_number (const char *str, grub_size_t size)
GRUB_MOD_INIT (newc)
{
+ grub_cpio_fs.mod = mod;
grub_fs_register (&grub_cpio_fs);
}
diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
index fc7374ead4..4e1e717386 100644
--- a/grub-core/fs/nilfs2.c
+++ b/grub-core/fs/nilfs2.c
@@ -1231,6 +1231,7 @@ GRUB_MOD_INIT (nilfs2)
grub_nilfs2_dat_entry));
COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
== sizeof (struct grub_nilfs2_inode));
+ grub_nilfs2_fs.mod = mod;
grub_fs_register (&grub_nilfs2_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index de435aa14d..560917dc2c 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -1320,6 +1320,7 @@ static struct grub_fs grub_ntfs_fs =
GRUB_MOD_INIT (ntfs)
{
+ grub_ntfs_fs.mod = mod;
grub_fs_register (&grub_ntfs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/odc.c b/grub-core/fs/odc.c
index 790000622d..8e4e8aeac8 100644
--- a/grub-core/fs/odc.c
+++ b/grub-core/fs/odc.c
@@ -52,6 +52,7 @@ read_number (const char *str, grub_size_t size)
GRUB_MOD_INIT (odc)
{
+ grub_cpio_fs.mod = mod;
grub_fs_register (&grub_cpio_fs);
}
diff --git a/grub-core/fs/proc.c b/grub-core/fs/proc.c
index 5f516502d4..bcde433495 100644
--- a/grub-core/fs/proc.c
+++ b/grub-core/fs/proc.c
@@ -192,6 +192,7 @@ static struct grub_fs grub_procfs_fs =
GRUB_MOD_INIT (procfs)
{
+ grub_procfs_fs.mod = mod;
grub_disk_dev_register (&grub_procfs_dev);
grub_fs_register (&grub_procfs_fs);
}
diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
index 36b26ac98a..c3850e0138 100644
--- a/grub-core/fs/reiserfs.c
+++ b/grub-core/fs/reiserfs.c
@@ -1417,6 +1417,7 @@ static struct grub_fs grub_reiserfs_fs =
GRUB_MOD_INIT(reiserfs)
{
+ grub_reiserfs_fs.mod = mod;
grub_fs_register (&grub_reiserfs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
index 1f7dcfca1d..56b0b2b2f3 100644
--- a/grub-core/fs/romfs.c
+++ b/grub-core/fs/romfs.c
@@ -475,6 +475,7 @@ static struct grub_fs grub_romfs_fs =
GRUB_MOD_INIT(romfs)
{
+ grub_romfs_fs.mod = mod;
grub_fs_register (&grub_romfs_fs);
}
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index 983e880088..f0d7cac435 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -779,6 +779,7 @@ static struct grub_fs grub_sfs_fs =
GRUB_MOD_INIT(sfs)
{
+ grub_sfs_fs.mod = mod;
grub_fs_register (&grub_sfs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index a30e6ebe14..6e9d63874c 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -1044,6 +1044,7 @@ static struct grub_fs grub_squash_fs =
GRUB_MOD_INIT(squash4)
{
+ grub_squash_fs.mod = mod;
grub_fs_register (&grub_squash_fs);
}
diff --git a/grub-core/fs/tar.c b/grub-core/fs/tar.c
index a9e39b0eb6..a608ac9c9f 100644
--- a/grub-core/fs/tar.c
+++ b/grub-core/fs/tar.c
@@ -349,6 +349,7 @@ static struct grub_fs grub_cpio_fs = {
GRUB_MOD_INIT (tar)
{
+ grub_cpio_fs.mod = mod;
grub_fs_register (&grub_cpio_fs);
}
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index b836e61075..8765c633c6 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -1455,6 +1455,7 @@ static struct grub_fs grub_udf_fs = {
GRUB_MOD_INIT (udf)
{
+ grub_udf_fs.mod = mod;
grub_fs_register (&grub_udf_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
index 01235101b4..e82d9356d7 100644
--- a/grub-core/fs/ufs.c
+++ b/grub-core/fs/ufs.c
@@ -899,6 +899,7 @@ GRUB_MOD_INIT(ufs1)
#endif
#endif
{
+ grub_ufs_fs.mod = mod;
grub_fs_register (&grub_ufs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 1ce5fa4fc4..c17e54e447 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -1281,6 +1281,7 @@ static struct grub_fs grub_xfs_fs =
GRUB_MOD_INIT(xfs)
{
+ grub_xfs_fs.mod = mod;
grub_fs_register (&grub_xfs_fs);
my_mod = mod;
}
diff --git a/grub-core/fs/zfs/zfs.c b/grub-core/fs/zfs/zfs.c
index b5453e0062..a497b18695 100644
--- a/grub-core/fs/zfs/zfs.c
+++ b/grub-core/fs/zfs/zfs.c
@@ -4424,6 +4424,7 @@ static struct grub_fs grub_zfs_fs = {
GRUB_MOD_INIT (zfs)
{
COMPILE_TIME_ASSERT (sizeof (zap_leaf_chunk_t) == ZAP_LEAF_CHUNKSIZE);
+ grub_zfs_fs.mod = mod;
grub_fs_register (&grub_zfs_fs);
#ifndef GRUB_UTIL
my_mod = mod;
diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
index e990507fca..6e7efe89ab 100644
--- a/grub-core/kern/file.c
+++ b/grub-core/kern/file.c
@@ -25,6 +25,7 @@
#include <grub/fs.h>
#include <grub/device.h>
#include <grub/i18n.h>
+#include <grub/dl.h>
void (*EXPORT_VAR (grub_grubnet_fini)) (void);
@@ -117,6 +118,9 @@ grub_file_open (const char *name, enum grub_file_type type)
if (file->data == NULL)
goto fail;
+ if (file->fs->mod)
+ grub_dl_ref (file->fs->mod);
+
file->name = grub_strdup (name);
grub_errno = GRUB_ERR_NONE;
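Review bot: the reference from `grub_dl_ref (file->fs->mod)` is taken before `file->name = grub_strdup (name);`, and the visible lines clear `grub_errno` right after without checking the strdup result. If any later exit from grub_file_open() releases the file without going through grub_file_close(), the module's count stays raised. Please confirm every failure path after this point drops the reference.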
@@ -197,6 +201,9 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
grub_err_t
grub_file_close (grub_file_t file)
{
+ if (file->fs->mod)
+ grub_dl_unref (file->fs->mod);
+
if (file->fs->fs_close)
(file->fs->fs_close) (file);
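Review bot: in grub_file_close() the `grub_dl_unref (file->fs->mod)` runs before `(file->fs->fs_close) (file)`, so the module's reference is released while its close callback still has to run. Calling fs_close first and dropping the reference afterwards keeps the module pinned for the whole lifetime of the open file.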
diff --git a/include/grub/fs.h b/include/grub/fs.h
index 4c380e3341..9c8206133d 100644
--- a/include/grub/fs.h
+++ b/include/grub/fs.h
@@ -23,6 +23,7 @@
#include <grub/device.h>
#include <grub/symbol.h>
#include <grub/types.h>
+#include <grub/dl.h>
#include <grub/list.h>
/* For embedding types. */
@@ -57,6 +58,9 @@ struct grub_fs
/* My name. */
const char *name;
+ /* My module */
+ grub_dl_t mod;
+
/* Call HOOK with each file under DIR. */
grub_err_t (*fs_dir) (grub_device_t device, const char *path,
grub_fs_dir_hook_t hook, void *hook_data);
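Review bot: the new `grub_dl_t mod;` member is documented only as "My module", which does not say who sets it or what a NULL value means. grub_file_open() and grub_file_close() in this patch skip the reference counting when it is NULL, so a filesystem that omits the assignment in its GRUB_MOD_INIT loses the protection silently. The comment should state that each module sets it before grub_fs_register() and that NULL disables the counting. It also lacks the trailing period used by "My name." above it.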
--
2.48.1

@ -1,75 +0,0 @@
From 2b0e6effc31ec166bbbe35a3cd2b4c73051f38bb Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Fri, 16 Jun 2023 15:54:50 +0800
Subject: [PATCH 8/9] blscfg: reading bls fragments if boot present
The Boot Loader Specification (BLS) designates the EFI System Partition
(ESP) as a primary location for $BOOT, where boot menu entries can be
stored. The specification encourages boot loaders to retrieve menu
entries from the ESP, even when XBOOTLDR is present.
This commit aligns with the BLS specification by introducing the
capability to search for the ESP in addition to the default root
partition or any specified location via blscfg's command line. The $boot
environment variable is utilized as a reference to the ESP device for
the blscfg command. Initialization of $boot in grub.cfg is demonstrated
as follows:
insmod part_gpt
insmod fat
search --no-floppy --fs-uuid --set=boot F414-5A9F
If $boot is unset, no additional search for the BLS location will be
performed.
Signed-off-by: Michael Chang <mchang@suse.com>
---
grub-core/commands/blscfg.c | 10 ++++++++++
util/grub.d/10_linux.in | 3 ++-
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
index c872bcef0..cbe2a289e 100644
--- a/grub-core/commands/blscfg.c
+++ b/grub-core/commands/blscfg.c
@@ -1186,6 +1186,7 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
char *entry_id = NULL;
bool show_default = true;
bool show_non_default = true;
+ const char *boot = NULL;
if (argc == 1) {
if (grub_strcmp (args[0], "default") == 0) {
@@ -1205,6 +1206,15 @@ grub_cmd_blscfg (grub_extcmd_context_t ctxt UNUSED,
if (r)
return r;
+ boot = grub_env_get("boot");
+ path = (boot) ? grub_xasprintf("(%s)" GRUB_BLS_CONFIG_PATH, boot) : NULL;
+ if (path)
+ {
+ bls_load_entries(path);
+ grub_print_error();
+ }
+ grub_free(path);
+
return bls_create_entries(show_default, show_non_default, entry_id);
}
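Review bot: the result of `bls_load_entries(path)` for the $boot location is discarded and only grub_print_error() is called, while the earlier load in this function is checked with `if (r) return r;`. If ignoring a failure on the ESP is intended, say so in a comment. A failed grub_xasprintf() is also indistinguishable here from $boot being unset, and the new calls omit the space before the opening parenthesis that the surrounding code uses.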
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index 45eefb332..edf0fca55 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -201,7 +201,8 @@ populate_menu()
}
# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null; then
+# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
+if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
GRUB_ENABLE_BLSCFG="true"
fi
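Review bot: appending `&& false` to the condition makes the whole `if` unreachable, so `GRUB_ENABLE_BLSCFG="true"` can never be set here and the `new-kernel-pkg` probe becomes dead code. Since the FIXME already says the test does not fit openSUSE, either drop the block or replace the probe with the intended check rather than keeping a permanently false branch.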
--
2.44.0

@ -0,0 +1,48 @@
From 312edf1f0ebaebba72e348ae88d95b29fa24c09c Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Date: Wed, 23 Oct 2024 17:54:33 +0530
Subject: [PATCH 8/8] grub-mkimage: Add SBAT metadata into ELF note for PowerPC
targets
The SBAT metadata is read from CSV file and transformed into an ELF note
with the -s option.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
util/mkimage.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/util/mkimage.c b/util/mkimage.c
index be7f02c5c..d3948937b 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -958,8 +958,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
total_module_size += dtb_size + sizeof (struct grub_module_header);
}
- if (sbat_path != NULL && image_target->id != IMAGE_EFI)
- grub_util_error (_(".sbat section can be embedded into EFI images only"));
+ if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC))
+ grub_util_error (_("SBAT data can be added only to EFI or powerpc-ieee1275 images"));
if (disable_shim_lock)
total_module_size += sizeof (struct grub_module_header);
@@ -1836,6 +1836,13 @@ grub_install_generate_image (const char *dir, const char *prefix,
{
grub_uint64_t target_addr;
char *sbat = NULL;
+ if (sbat_path != NULL)
+ {
+ sbat_size = grub_util_get_image_size (sbat_path);
+ sbat = xmalloc (sbat_size);
+ grub_util_load_image (sbat_path, sbat);
+ layout.sbat_size = sbat_size;
+ }
if (image_target->id == IMAGE_LOONGSON_ELF)
{
if (comp == GRUB_COMPRESSION_NONE)
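Review bot: the SBAT file is loaded here for every target that reaches this branch, with nothing in the hunk tying it to IMAGE_PPC; it depends on the earlier `image_target->id != IMAGE_EFI && image_target->id != IMAGE_PPC` check having rejected the other targets. A short comment or an explicit target test would make that dependency visible. The buffer from `xmalloc (sbat_size)` has no matching free in the visible lines, and a zero-length file is not rejected before its size is stored in `layout.sbat_size`.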
--
2.47.1

@ -0,0 +1,83 @@
From de9400db3f181e059f9ab1bb6a667ae2c29baf03 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 15 Nov 2024 13:12:09 +0000
Subject: [PATCH 08/20] net: Fix OOB write in grub_net_search_config_file()
The function included a call to grub_strcpy() which copied data from an
environment variable to a buffer allocated in grub_cmd_normal(). The
grub_cmd_normal() didn't consider the length of the environment variable.
So, the copy operation could exceed the allocation and lead to an OOB
write. Fix the issue by replacing grub_strcpy() with grub_strlcpy() and
pass the underlying buffer's size to the grub_net_search_config_file().
Fixes: CVE-2025-0624
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/net/net.c | 7 ++++---
grub-core/normal/main.c | 2 +-
include/grub/net.h | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
index 22221dc6a0..df13c3aaaa 100644
--- a/grub-core/net/net.c
+++ b/grub-core/net/net.c
@@ -1912,14 +1912,15 @@ grub_config_search_through (char *config, char *suffix,
}
grub_err_t
-grub_net_search_config_file (char *config)
+grub_net_search_config_file (char *config, grub_size_t config_buf_len)
{
- grub_size_t config_len;
+ grub_size_t config_len, suffix_len;
char *suffix;
config_len = grub_strlen (config);
config[config_len] = '-';
suffix = config + config_len + 1;
+ suffix_len = config_buf_len - (config_len + 1);
struct grub_net_network_level_interface *inf;
FOR_NET_NETWORK_LEVEL_INTERFACES (inf)
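Review bot: `suffix_len = config_buf_len - (config_len + 1);` is unsigned arithmetic with no check that `config_buf_len` is larger than `config_len + 1`. If a caller passes a size that is not, the subtraction wraps to a very large value and the bound later given to grub_strlcpy() is meaningless. The `config[config_len] = '-'` store just above also happens before any comparison against the buffer size. Please validate `config_buf_len` first and return an error when there is no room for the separator plus at least one suffix byte.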
@@ -1945,7 +1946,7 @@ grub_net_search_config_file (char *config)
if (client_uuid)
{
- grub_strcpy (suffix, client_uuid);
+ grub_strlcpy (suffix, client_uuid, suffix_len);
if (grub_config_search_through (config, suffix, 1, 0) == 0)
return GRUB_ERR_NONE;
}
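Review bot: grub_strlcpy() truncates silently, so a `client_uuid` that does not fit in `suffix_len` now yields a shortened suffix that is still passed to grub_config_search_through(). Compare the return value with `suffix_len` and skip the lookup when the UUID did not fit, so a truncated file name is never searched.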
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index b08fd6977d..f2679c4378 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -451,7 +451,7 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
if (grub_strncmp (prefix + 1, "tftp", sizeof ("tftp") - 1) == 0 &&
!disable_net_search)
- grub_net_search_config_file (config);
+ grub_net_search_config_file (config, config_len);
grub_enter_normal_mode (config);
grub_free (config);
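Review bot: the prototype names the new parameter `config_buf_len`, but the caller passes a variable called `config_len`. The hunk does not show how `config_len` is computed, so please confirm it is the allocated size of `config`, including the room reserved for the suffix and the terminator, and not the length of the string currently stored in it. Renaming the local would remove the doubt.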
diff --git a/include/grub/net.h b/include/grub/net.h
index dfb089a35c..abb637eaa2 100644
--- a/include/grub/net.h
+++ b/include/grub/net.h
@@ -652,7 +652,7 @@ void
grub_net_remove_dns_server (const struct grub_net_network_level_address *s);
grub_err_t
-grub_net_search_config_file (char *config);
+grub_net_search_config_file (char *config, grub_size_t config_buf_len);
extern char *grub_net_default_server;
--
2.48.1

@ -1,252 +0,0 @@
From abd8b83cdc6398c52c7d2b71b378938cf51872fd Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Wed, 13 Mar 2024 15:26:42 +0800
Subject: [PATCH 9/9] 10_linux: Some refinement for BLS
Remove BLS_POPULATE_MENU as it is not being used currently and removing
kernelopts assignment in the grub boot config itself to fully delegate
the responsibility of generating kernel options to a functioning BLS
generator.
Additionally, removing unused dead code, which is often blamed for
causing errors in the dash shell script.
Signed-off-by: Michael Chang <mchang@suse.com>
---
util/grub.d/10_linux.in | 194 ----------------------------------------
1 file changed, 194 deletions(-)
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
index edf0fca55..666eae995 100644
--- a/util/grub.d/10_linux.in
+++ b/util/grub.d/10_linux.in
@@ -93,11 +93,7 @@ fi
populate_header_warn()
{
-if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
- bls_parser="10_linux script"
-else
bls_parser="blscfg command"
-fi
cat <<EOF
# This section was generated by a script. Do not modify the generated file - all changes
@@ -110,102 +106,6 @@ cat <<EOF
EOF
}
-read_config()
-{
- config_file=${1}
- title=""
- initrd=""
- options=""
- linux=""
- grub_arg=""
-
- while read -r line
- do
- record=$(echo ${line} | cut -f 1 -d ' ')
- value=$(echo ${line} | cut -s -f2- -d ' ')
- case "${record}" in
- "title")
- title=${value}
- ;;
- "initrd")
- initrd=${value}
- ;;
- "linux")
- linux=${value}
- ;;
- "options")
- options=${value}
- ;;
- "grub_arg")
- grub_arg=${value}
- ;;
- esac
- done < ${config_file}
-}
-
-blsdir="/boot/loader/entries"
-
-get_sorted_bls()
-{
- if ! [ -d "${blsdir}" ] || [ -f /run/ostree-booted ] || [ -d /ostree/repo ]; then
- return
- fi
-
- local IFS=$'\n'
-
- files=($(for bls in ${blsdir}/*.conf; do
- if ! [[ -e "${bls}" ]] ; then
- continue
- fi
- bls="${bls%.conf}"
- bls="${bls##*/}"
- echo "${bls}"
- done | ${kernel_sort} 2>/dev/null | tac)) || :
-
- echo "${files[@]}"
-}
-
-update_bls_cmdline()
-{
- local cmdline="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
- local -a files=($(get_sorted_bls))
-
- for bls in "${files[@]}"; do
- local options="${cmdline}"
- if [ -z "${bls##*debug*}" ]; then
- options="${options} ${GRUB_CMDLINE_LINUX_DEBUG}"
- fi
- options="$(echo "${options}" | sed -e 's/\//\\\//g')"
- sed -i -e "s/^options.*/options ${options}/" "${blsdir}/${bls}.conf"
- done
-}
-
-populate_menu()
-{
- local -a files=($(get_sorted_bls))
-
- gettext_printf "Generating boot entries from BLS files...\n" >&2
-
- for bls in "${files[@]}"; do
- read_config "${blsdir}/${bls}.conf"
-
- menu="${menu}menuentry '${title}' ${grub_arg} --id=${bls} {\n"
- menu="${menu}\t linux ${linux} ${options}\n"
- if [ -n "${initrd}" ] ; then
- menu="${menu}\t initrd ${boot_prefix}${initrd}\n"
- fi
- menu="${menu}}\n\n"
- done
- # The printf command seems to be more reliable across shells for special character (\n, \t) evaluation
- printf "$menu"
-}
-
-# Make BLS the default if GRUB_ENABLE_BLSCFG was not set and grubby is not installed.
-# FIXME: The test should be aligned to openSUSE, grubby is not our default tool
-if [ -z "${GRUB_ENABLE_BLSCFG}" ] && ! command -v new-kernel-pkg >/dev/null && false; then
- GRUB_ENABLE_BLSCFG="true"
-fi
-
if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
if [ x$dirname = x/ ]; then
if [ -z "${prepare_root_cache}" ]; then
@@ -225,111 +125,17 @@ if [ "x${GRUB_ENABLE_BLSCFG}" = "xtrue" ]; then
prepare_grub_to_access_device_with_variable boot ${boot_device}
fi
- arch="$(uname -m)"
- if [ "x${arch}" = "xppc64le" ] && [ -d /sys/firmware/opal ]; then
-
- BLS_POPULATE_MENU="true"
- petitboot_path="/sys/firmware/devicetree/base/ibm,firmware-versions/petitboot"
-
- if test -e ${petitboot_path}; then
- read -r -d '' petitboot_version < ${petitboot_path}
- petitboot_version="$(echo ${petitboot_version//v})"
-
- if test -n ${petitboot_version}; then
- major_version="$(echo ${petitboot_version} | cut -d . -f1)"
- minor_version="$(echo ${petitboot_version} | cut -d . -f2)"
-
- re='^[0-9]+$'
- if [[ $major_version =~ $re ]] && [[ $minor_version =~ $re ]] &&
- ([[ ${major_version} -gt 1 ]] ||
- [[ ${major_version} -eq 1 &&
- ${minor_version} -ge 8 ]]); then
- BLS_POPULATE_MENU="false"
- fi
- fi
- fi
- fi
-
populate_header_warn
- cat << EOF
-# The kernelopts variable should be defined in the grubenv file. But to ensure that menu
-# entries populated from BootLoaderSpec files that use this variable work correctly even
-# without a grubenv file, define a fallback kernelopts variable if this has not been set.
-#
-# The kernelopts variable in the grubenv file can be modified using the grubby tool or by
-# executing the grub2-mkconfig tool. For the latter, the values of the GRUB_CMDLINE_LINUX
-# and GRUB_CMDLINE_LINUX_DEFAULT options from /etc/default/grub file are used to set both
-# the kernelopts variable in the grubenv file and the fallback kernelopts variable.
-if [ -z "\${kernelopts}" ]; then
- set kernelopts="root=${LINUX_ROOT_DEVICE} ro ${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
-fi
-EOF
-
- update_bls_cmdline
-
- if [ "x${BLS_POPULATE_MENU}" = "xtrue" ]; then
- populate_menu
- else
cat << EOF
insmod blscfg
blscfg
EOF
- fi
-
- if [ "x${GRUB_GRUBENV_UPDATE}" = "xyes" ]; then
- blsdir="/boot/loader/entries"
- [ -d "${blsdir}" ] && GRUB_BLS_FS="$(${grub_probe} --target=fs ${blsdir})"
- if [ "x${GRUB_BLS_FS}" = "xbtrfs" ] || [ "x${GRUB_BLS_FS}" = "xzfs" ]; then
- blsdir=$(make_system_path_relative_to_its_root "${blsdir}")
- if [ "x${blsdir}" != "x/loader/entries" ] && [ "x${blsdir}" != "x/boot/loader/entries" ]; then
- ${grub_editenv} - set blsdir="${blsdir}"
- fi
- fi
-
- if [ -n "${GRUB_EARLY_INITRD_LINUX_CUSTOM}" ]; then
- ${grub_editenv} - set early_initrd="${GRUB_EARLY_INITRD_LINUX_CUSTOM}"
- fi
-
- if [ -n "${GRUB_DEFAULT_DTB}" ]; then
- ${grub_editenv} - set devicetree="${GRUB_DEFAULT_DTB}"
- fi
-
- if [ -n "${GRUB_SAVEDEFAULT}" ]; then
- ${grub_editenv} - set save_default="${GRUB_SAVEDEFAULT}"
- fi
- fi
exit 0
fi
-mktitle ()
-{
- local title_type
- local version
- local OS_NAME
- local OS_VERS
-
- title_type=$1 && shift
- version=$1 && shift
-
- OS_NAME="$(eval $(grep ^NAME= /etc/os-release) ; echo ${NAME})"
- OS_VERS="$(eval $(grep ^VERSION= /etc/os-release) ; echo ${VERSION})"
-
- case $title_type in
- recovery)
- title=$(printf '%s (%s) %s (recovery mode)' \
- "${OS_NAME}" "${version}" "${OS_VERS}")
- ;;
- *)
- title=$(printf '%s (%s) %s' \
- "${OS_NAME}" "${version}" "${OS_VERS}")
- ;;
- esac
- echo -n ${title}
-}
-
title_correction_code=
hotkey=1
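Review bot: besides the kernelopts fallback and the populate_menu path, this hunk deletes the `GRUB_GRUBENV_UPDATE` block that wrote `blsdir`, `early_initrd`, `devicetree` and `save_default` to grubenv, which the commit message does not mention. If a BLS generator is now expected to handle GRUB_EARLY_INITRD_LINUX_CUSTOM, GRUB_DEFAULT_DTB and GRUB_SAVEDEFAULT, the message should say so; otherwise those settings no longer have any effect in this code path when GRUB_ENABLE_BLSCFG is true.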
--
2.45.2

@ -0,0 +1,36 @@
From c3093b6240302e52438469857fec616aa4b294a3 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 8 Mar 2024 22:47:20 +1100
Subject: [PATCH 09/20] video/readers/jpeg: Do not permit duplicate SOF0
markers in JPEG
Otherwise a subsequent header could change the height and width
allowing future OOB writes.
Fixes: CVE-2024-45774
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/video/readers/jpeg.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/grub-core/video/readers/jpeg.c b/grub-core/video/readers/jpeg.c
index ae634fd419..631a893564 100644
--- a/grub-core/video/readers/jpeg.c
+++ b/grub-core/video/readers/jpeg.c
@@ -339,6 +339,10 @@ grub_jpeg_decode_sof (struct grub_jpeg_data *data)
if (grub_errno != GRUB_ERR_NONE)
return grub_errno;
+ if (data->image_height != 0 || data->image_width != 0)
+ return grub_error (GRUB_ERR_BAD_FILE_TYPE,
+ "jpeg: cannot have duplicate SOF0 markers");
+
if (grub_jpeg_get_byte (data) != 8)
return grub_error (GRUB_ERR_BAD_FILE_TYPE,
"jpeg: only 8-bit precision is supported");
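Review bot: the duplicate check treats `data->image_height != 0 || data->image_width != 0` as "SOF0 already seen", which only holds if a first SOF0 always leaves at least one of them non-zero. The visible lines do not reject a frame header that declares both as zero, and after such a header a second SOF0 would pass this test. A dedicated seen flag in struct grub_jpeg_data, or rejecting zero dimensions where they are parsed, would close that gap.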
--
2.48.1

@ -0,0 +1,37 @@
From 5d6f17ba4e94fe00b80498e9ce1aac57e22adba7 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 22 Nov 2024 06:27:55 +0000
Subject: [PATCH 10/20] commands/extcmd: Missing check for failed allocation
The grub_extcmd_dispatcher() calls grub_arg_list_alloc() to allocate
a grub_arg_list struct but it does not verify the allocation was successful.
In case of failed allocation the NULL state pointer can be accessed in
parse_option() through grub_arg_parse() which may lead to a security issue.
Fixes: CVE-2024-45775
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
---
grub-core/commands/extcmd.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/grub-core/commands/extcmd.c b/grub-core/commands/extcmd.c
index 4ac111a991..95bd71235a 100644
--- a/grub-core/commands/extcmd.c
+++ b/grub-core/commands/extcmd.c
@@ -49,6 +49,9 @@ grub_extcmd_dispatcher (struct grub_command *cmd, int argc, char **args,
}
state = grub_arg_list_alloc (ext, argc, args);
+ if (state == NULL)
+ return grub_errno;
+
if (grub_arg_parse (ext, argc, args, state, &new_args, &new_argc))
{
context.state = state;
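Review bot: `return grub_errno;` on a NULL `state` assumes grub_arg_list_alloc() always sets grub_errno when it fails. If any of its failure paths returns NULL with no error set, the dispatcher reports GRUB_ERR_NONE for a command that never ran. Please confirm that, or return an explicit error when grub_errno is still clear.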
--
2.48.1

@ -0,0 +1,34 @@
From a496d7fbb80826b341ec1a578704dd574b716d68 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 1 Nov 2024 19:24:29 +0000
Subject: [PATCH 11/20] commands/pgp: Unregister the "check_signatures" hooks
on module unload
If the hooks are not removed they can be called after the module has
been unloaded leading to a use-after-free.
Fixes: CVE-2025-0622
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/pgp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 847a5046a5..fa3ef5c754 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -982,6 +982,8 @@ GRUB_MOD_INIT(pgp)
GRUB_MOD_FINI(pgp)
{
+ grub_register_variable_hook ("check_signatures", NULL, NULL);
+ grub_env_unset ("check_signatures");
grub_verifier_unregister (&grub_pubkey_verifier);
grub_unregister_extcmd (cmd);
grub_unregister_extcmd (cmd_trust);
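Review bot: `grub_env_unset ("check_signatures")` in GRUB_MOD_FINI removes the user's setting as a side effect of unloading the module, and the commit message only talks about unregistering the hooks. Please add a comment on why the variable has to be removed along with the hook, and say what an unload is meant to do to a configuration that had signature checking switched on.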
--
2.48.1

@ -0,0 +1,40 @@
From cf9108c54b25bd485832bf8930c18abf2935b35e Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 1 Nov 2024 23:46:55 +0000
Subject: [PATCH 12/20] normal: Remove variables hooks on module unload
The normal module does not entirely clean up after itself in
its GRUB_MOD_FINI() leaving a few variables hooks in place.
It is not possible to unload normal module now but fix the
issues for completeness.
On the occasion replace 0s with NULLs for "pager" variable
hooks unregister.
Fixes: CVE-2025-0622
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/normal/main.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index f2679c4378..c9eda889ca 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -694,7 +694,9 @@ GRUB_MOD_FINI(normal)
grub_xputs = grub_xputs_saved;
grub_set_history (0);
- grub_register_variable_hook ("pager", 0, 0);
+ grub_register_variable_hook ("pager", NULL, NULL);
+ grub_register_variable_hook ("color_normal", NULL, NULL);
+ grub_register_variable_hook ("color_highlight", NULL, NULL);
grub_fs_autoload_hook = 0;
grub_unregister_command (cmd_clear);
}
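Review bot: the hunk converts the "pager" call from 0 to NULL, but `grub_fs_autoload_hook = 0;` two lines further down in the same function still clears a hook with 0. Since the commit message calls out the 0 to NULL cleanup, that assignment should be switched in the same change for consistency.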
--
2.48.1

@ -0,0 +1,37 @@
From dff23721425f363f2d1b6ee41be44af69cdd4aab Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Fri, 1 Nov 2024 23:52:06 +0000
Subject: [PATCH 13/20] gettext: Remove variables hooks on module unload
The gettext module does not entirely clean up after itself in
its GRUB_MOD_FINI() leaving a few variables hooks in place.
It is not possible to unload gettext module because normal
module depends on it. Though fix the issues for completeness.
Fixes: CVE-2025-0622
Reported-by: B Horn <b@horn.uk>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/gettext/gettext.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index 7a1c14e4f3..e4f4f8ee66 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -535,6 +535,10 @@ GRUB_MOD_INIT (gettext)
GRUB_MOD_FINI (gettext)
{
+ grub_register_variable_hook ("locale_dir", NULL, NULL);
+ grub_register_variable_hook ("secondary_locale_dir", NULL, NULL);
+ grub_register_variable_hook ("lang", NULL, NULL);
+
grub_gettext_delete_list (&main_context);
grub_gettext_delete_list (&secondary_context);
--
2.48.1

@ -0,0 +1,39 @@
From 9126fb474968a1f4ea8e233c5746fa735a07b3d4 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 22 Nov 2024 06:27:56 +0000
Subject: [PATCH 14/20] gettext: Integer overflow leads to heap OOB write or
read
Calculation of ctx->grub_gettext_msg_list size in grub_mofile_open() may
overflow leading to subsequent OOB write or read. This patch fixes the
issue by replacing grub_zalloc() and explicit multiplication with
grub_calloc() which does the same thing in safe manner.
Fixes: CVE-2024-45776
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
---
grub-core/gettext/gettext.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index e4f4f8ee66..63bb1ab73f 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -323,8 +323,8 @@ grub_mofile_open (struct grub_gettext_context *ctx,
for (ctx->grub_gettext_max_log = 0; ctx->grub_gettext_max >> ctx->grub_gettext_max_log;
ctx->grub_gettext_max_log++);
- ctx->grub_gettext_msg_list = grub_zalloc (ctx->grub_gettext_max
- * sizeof (ctx->grub_gettext_msg_list[0]));
+ ctx->grub_gettext_msg_list = grub_calloc (ctx->grub_gettext_max,
+ sizeof (ctx->grub_gettext_msg_list[0]));
if (!ctx->grub_gettext_msg_list)
{
grub_file_close (fd);
--
2.48.1

@ -0,0 +1,56 @@
From 1f8d74717d2bebd1206143c1acbf720be9097011 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Fri, 22 Nov 2024 06:27:57 +0000
Subject: [PATCH 15/20] gettext: Integer overflow leads to heap OOB write
The size calculation of the translation buffer in
grub_gettext_getstr_from_position() may overflow
to 0 leading to heap OOB write. This patch fixes
the issue by using grub_add() and checking for
an overflow.
Fixes: CVE-2024-45777
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Alec Brown <alec.r.brown@oracle.com>
---
grub-core/gettext/gettext.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/grub-core/gettext/gettext.c b/grub-core/gettext/gettext.c
index 63bb1ab73f..9ffc734284 100644
--- a/grub-core/gettext/gettext.c
+++ b/grub-core/gettext/gettext.c
@@ -26,6 +26,7 @@
#include <grub/file.h>
#include <grub/kernel.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -99,6 +100,7 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
char *translation;
struct string_descriptor desc;
grub_err_t err;
+ grub_size_t alloc_sz;
internal_position = (off + position * sizeof (desc));
@@ -109,7 +111,10 @@ grub_gettext_getstr_from_position (struct grub_gettext_context *ctx,
length = grub_cpu_to_le32 (desc.length);
offset = grub_cpu_to_le32 (desc.offset);
- translation = grub_malloc (length + 1);
+ if (grub_add (length, 1, &alloc_sz))
+ return NULL;
+
+ translation = grub_malloc (alloc_sz);
if (!translation)
return NULL;
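Review bot: the new overflow branch after `grub_add (length, 1, &alloc_sz)` returns NULL without setting an error, so the caller cannot tell an overflowing `length` from a failed allocation. The equivalent check in the commands/read patch of this series reports `grub_error (GRUB_ERR_OUT_OF_RANGE, ...)`; doing the same here would keep the two consistent.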
--
2.48.1

@ -0,0 +1,72 @@
From fd945966dc04c01765dcf129d8884f0b22991e74 Mon Sep 17 00:00:00 2001
From: Jonathan Bar Or <jonathanbaror@gmail.com>
Date: Thu, 23 Jan 2025 19:17:05 +0100
Subject: [PATCH 16/20] commands/read: Fix an integer overflow when supplying
more than 2^31 characters
The grub_getline() function currently has a signed integer variable "i"
that can be overflowed when the user supplies more than 2^31 characters.
It results in a memory corruption of the allocated line buffer as well
as supplying large negative values to grub_realloc().
Fixes: CVE-2025-0690
Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Signed-off-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/read.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/grub-core/commands/read.c b/grub-core/commands/read.c
index 9bbc523f6b..b8597692e2 100644
--- a/grub-core/commands/read.c
+++ b/grub-core/commands/read.c
@@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/extcmd.h>
#include <grub/i18n.h>
+#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -38,13 +39,14 @@ static const struct grub_arg_option options[] =
static char *
grub_getline (int silent)
{
- int i;
+ grub_size_t i;
char *line;
char *tmp;
int c;
+ grub_size_t alloc_size;
i = 0;
- line = grub_malloc (1 + i + sizeof('\0'));
+ line = grub_malloc (1 + sizeof('\0'));
if (! line)
return NULL;
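Review bot: `grub_malloc (1 + sizeof('\0'))` still relies on `sizeof('\0')`, which in C is the size of an int because a character constant has type int, so the initial allocation is larger than the two bytes the expression suggests. It is harmless, but since the line is being rewritten anyway, `sizeof (char)` or a plain 2 would say what is meant. The same applies to `1 + sizeof('\0')` in the grub_add() call in the next hunk.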
@@ -60,8 +62,17 @@ grub_getline (int silent)
line[i] = (char) c;
if (!silent)
grub_printf ("%c", c);
- i++;
- tmp = grub_realloc (line, 1 + i + sizeof('\0'));
+ if (grub_add (i, 1, &i))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+ if (grub_add (i, 1 + sizeof('\0'), &alloc_size))
+ {
+ grub_error (GRUB_ERR_OUT_OF_RANGE, N_("overflow is detected"));
+ return NULL;
+ }
+ tmp = grub_realloc (line, alloc_size);
if (! tmp)
{
grub_free (line);
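Review bot: both new overflow branches `return NULL;` without releasing `line`, whereas the grub_realloc() failure path right below them calls `grub_free (line)`. Free the buffer before returning in the two grub_add() error paths. In addition, `grub_add (i, 1, &i)` writes its result into its own input; a separate temporary would avoid depending on what is stored there when the overflow is detected.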
--
2.48.1

@ -0,0 +1,37 @@
From 0f62a673fe00e83984810b7ec61b2d9a0bb8b9d4 Mon Sep 17 00:00:00 2001
From: B Horn <b@horn.uk>
Date: Thu, 18 Apr 2024 20:29:39 +0100
Subject: [PATCH 17/20] commands/minicmd: Block the dump command in lockdown
mode
The dump enables a user to read memory which should not be possible
in lockdown mode.
Fixes: CVE-2025-1118
Reported-by: B Horn <b@horn.uk>
Reported-by: Jonathan Bar Or <jonathanbaror@gmail.com>
Signed-off-by: B Horn <b@horn.uk>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/commands/minicmd.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
index fa498931ed..903af33131 100644
--- a/grub-core/commands/minicmd.c
+++ b/grub-core/commands/minicmd.c
@@ -203,8 +203,8 @@ GRUB_MOD_INIT(minicmd)
grub_register_command ("help", grub_mini_cmd_help,
0, N_("Show this message."));
cmd_dump =
- grub_register_command ("dump", grub_mini_cmd_dump,
- N_("ADDR [SIZE]"), N_("Show memory contents."));
+ grub_register_command_lockdown ("dump", grub_mini_cmd_dump,
+ N_("ADDR [SIZE]"), N_("Show memory contents."));
cmd_rmmod =
grub_register_command ("rmmod", grub_mini_cmd_rmmod,
N_("MODULE"), N_("Remove a module."));
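Review bot: the diffstat shows only minicmd.c changing, so nothing tells users that dump is refused under lockdown. A sentence in the command's documentation stating the restriction would belong in the same patch.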
--
2.48.1


@ -0,0 +1,55 @@
From 2cb6585529e7d1e522d71a13f382d8cc3d326555 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 23 Mar 2024 15:59:43 +1100
Subject: [PATCH 18/20] fs/bfs: Disable under lockdown
The BFS is not fuzz-clean. Don't allow it to be loaded under lockdown.
This will also disable the AFS.
Fixes: CVE-2024-45778
Fixes: CVE-2024-45779
Reported-by: Nils Langius <nils@langius.de>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/bfs.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/grub-core/fs/bfs.c b/grub-core/fs/bfs.c
index f37b168958..c92fd79168 100644
--- a/grub-core/fs/bfs.c
+++ b/grub-core/fs/bfs.c
@@ -30,6 +30,7 @@
#include <grub/types.h>
#include <grub/i18n.h>
#include <grub/fshelp.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1106,8 +1107,11 @@ GRUB_MOD_INIT (bfs)
{
COMPILE_TIME_ASSERT (1 << LOG_EXTENT_SIZE ==
sizeof (struct grub_bfs_extent));
- grub_bfs_fs.mod = mod;
- grub_fs_register (&grub_bfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_bfs_fs.mod = mod;
+ grub_fs_register (&grub_bfs_fs);
+ }
}
#ifdef MODE_AFS
@@ -1116,5 +1120,6 @@ GRUB_MOD_FINI (afs)
GRUB_MOD_FINI (bfs)
#endif
{
- grub_fs_unregister (&grub_bfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_bfs_fs);
}
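Review bot: GRUB_MOD_FINI re-evaluates grub_is_lockdown () instead of recording whether GRUB_MOD_INIT actually registered grub_bfs_fs. If the lockdown state can change between module load and unload, the filesystem is registered but never unregistered, and the filesystem list keeps a pointer into an unloaded module. Keying the unregister on state set at init time (for example, grub_bfs_fs.mod being non-NULL) removes the need for the two calls to agree.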
--
2.48.1


@ -0,0 +1,394 @@
From 8aba3dd18838329ae93c0ab43029d2236441b0ed Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Sat, 23 Mar 2024 16:20:45 +1100
Subject: [PATCH 19/20] fs: Disable many filesystems under lockdown
The idea is to permit the following: btrfs, cpio, exfat, ext, f2fs, fat,
hfsplus, iso9660, squash4, tar, xfs and zfs.
The JFS, ReiserFS, romfs, UDF and UFS security vulnerabilities were
reported by Jonathan Bar Or <jonathanbaror@gmail.com>.
Fixes: CVE-2025-0677
Fixes: CVE-2025-0684
Fixes: CVE-2025-0685
Fixes: CVE-2025-0686
Fixes: CVE-2025-0689
Suggested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/affs.c | 11 ++++++++---
grub-core/fs/cbfs.c | 11 ++++++++---
grub-core/fs/jfs.c | 11 ++++++++---
grub-core/fs/minix.c | 11 ++++++++---
grub-core/fs/nilfs2.c | 11 ++++++++---
grub-core/fs/ntfs.c | 11 ++++++++---
grub-core/fs/reiserfs.c | 11 ++++++++---
grub-core/fs/romfs.c | 11 ++++++++---
grub-core/fs/sfs.c | 11 ++++++++---
grub-core/fs/udf.c | 11 ++++++++---
grub-core/fs/ufs.c | 11 ++++++++---
11 files changed, 88 insertions(+), 33 deletions(-)
diff --git a/grub-core/fs/affs.c b/grub-core/fs/affs.c
index 9b0afb9541..520a001c75 100644
--- a/grub-core/fs/affs.c
+++ b/grub-core/fs/affs.c
@@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/charset.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -703,12 +704,16 @@ static struct grub_fs grub_affs_fs =
GRUB_MOD_INIT(affs)
{
- grub_affs_fs.mod = mod;
- grub_fs_register (&grub_affs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_affs_fs.mod = mod;
+ grub_fs_register (&grub_affs_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI(affs)
{
- grub_fs_unregister (&grub_affs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_affs_fs);
}
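Review bot: the commit message describes an allow-list of permitted filesystems, but the check in GRUB_MOD_INIT(affs), repeated in the ten other files of this patch, is a per-module opt-out, so a filesystem module that lacks the check is registered under lockdown by default. Enforcing the permitted list in one place at registration time would match the stated intent and remove the eleven copies of the same five lines.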
diff --git a/grub-core/fs/cbfs.c b/grub-core/fs/cbfs.c
index 2332745fe8..b62c8777cf 100644
--- a/grub-core/fs/cbfs.c
+++ b/grub-core/fs/cbfs.c
@@ -26,6 +26,7 @@
#include <grub/dl.h>
#include <grub/i18n.h>
#include <grub/cbfs_core.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -390,13 +391,17 @@ GRUB_MOD_INIT (cbfs)
#if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
init_cbfsdisk ();
#endif
- grub_cbfs_fs.mod = mod;
- grub_fs_register (&grub_cbfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_cbfs_fs.mod = mod;
+ grub_fs_register (&grub_cbfs_fs);
+ }
}
GRUB_MOD_FINI (cbfs)
{
- grub_fs_unregister (&grub_cbfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_cbfs_fs);
#if (defined (__i386__) || defined (__x86_64__)) && !defined (GRUB_UTIL) && !defined (GRUB_MACHINE_EMU) && !defined (GRUB_MACHINE_XEN)
fini_cbfsdisk ();
#endif
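Review bot: init_cbfsdisk () and fini_cbfsdisk () still run unconditionally, so under lockdown the cbfsdisk device is set up even though grub_cbfs_fs is never registered. If the disk has no use without the filesystem, move both calls inside the grub_is_lockdown () check; if it is meant to stay available, a comment saying so would prevent a later cleanup from changing it.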
diff --git a/grub-core/fs/jfs.c b/grub-core/fs/jfs.c
index 3139e53329..d72e19088c 100644
--- a/grub-core/fs/jfs.c
+++ b/grub-core/fs/jfs.c
@@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/charset.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -963,12 +964,16 @@ static struct grub_fs grub_jfs_fs =
GRUB_MOD_INIT(jfs)
{
- grub_jfs_fs.mod = mod;
- grub_fs_register (&grub_jfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_jfs_fs.mod = mod;
+ grub_fs_register (&grub_jfs_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI(jfs)
{
- grub_fs_unregister (&grub_jfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_jfs_fs);
}
diff --git a/grub-core/fs/minix.c b/grub-core/fs/minix.c
index b7679c3e25..4440fcca83 100644
--- a/grub-core/fs/minix.c
+++ b/grub-core/fs/minix.c
@@ -25,6 +25,7 @@
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -734,8 +735,11 @@ GRUB_MOD_INIT(minix)
#endif
#endif
{
- grub_minix_fs.mod = mod;
- grub_fs_register (&grub_minix_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_minix_fs.mod = mod;
+ grub_fs_register (&grub_minix_fs);
+ }
my_mod = mod;
}
@@ -757,5 +761,6 @@ GRUB_MOD_FINI(minix)
#endif
#endif
{
- grub_fs_unregister (&grub_minix_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_minix_fs);
}
diff --git a/grub-core/fs/nilfs2.c b/grub-core/fs/nilfs2.c
index 4e1e717386..26e6077ff2 100644
--- a/grub-core/fs/nilfs2.c
+++ b/grub-core/fs/nilfs2.c
@@ -34,6 +34,7 @@
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/fshelp.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1231,12 +1232,16 @@ GRUB_MOD_INIT (nilfs2)
grub_nilfs2_dat_entry));
COMPILE_TIME_ASSERT (1 << LOG_INODE_SIZE
== sizeof (struct grub_nilfs2_inode));
- grub_nilfs2_fs.mod = mod;
- grub_fs_register (&grub_nilfs2_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_nilfs2_fs.mod = mod;
+ grub_fs_register (&grub_nilfs2_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI (nilfs2)
{
- grub_fs_unregister (&grub_nilfs2_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_nilfs2_fs);
}
diff --git a/grub-core/fs/ntfs.c b/grub-core/fs/ntfs.c
index 560917dc2c..bce81947cf 100644
--- a/grub-core/fs/ntfs.c
+++ b/grub-core/fs/ntfs.c
@@ -27,6 +27,7 @@
#include <grub/fshelp.h>
#include <grub/ntfs.h>
#include <grub/charset.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1320,12 +1321,16 @@ static struct grub_fs grub_ntfs_fs =
GRUB_MOD_INIT (ntfs)
{
- grub_ntfs_fs.mod = mod;
- grub_fs_register (&grub_ntfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_ntfs_fs.mod = mod;
+ grub_fs_register (&grub_ntfs_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI (ntfs)
{
- grub_fs_unregister (&grub_ntfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_ntfs_fs);
}
diff --git a/grub-core/fs/reiserfs.c b/grub-core/fs/reiserfs.c
index c3850e0138..5d3c859502 100644
--- a/grub-core/fs/reiserfs.c
+++ b/grub-core/fs/reiserfs.c
@@ -39,6 +39,7 @@
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1417,12 +1418,16 @@ static struct grub_fs grub_reiserfs_fs =
GRUB_MOD_INIT(reiserfs)
{
- grub_reiserfs_fs.mod = mod;
- grub_fs_register (&grub_reiserfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_reiserfs_fs.mod = mod;
+ grub_fs_register (&grub_reiserfs_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI(reiserfs)
{
- grub_fs_unregister (&grub_reiserfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_reiserfs_fs);
}
diff --git a/grub-core/fs/romfs.c b/grub-core/fs/romfs.c
index 56b0b2b2f3..eafab03b25 100644
--- a/grub-core/fs/romfs.c
+++ b/grub-core/fs/romfs.c
@@ -23,6 +23,7 @@
#include <grub/disk.h>
#include <grub/fs.h>
#include <grub/fshelp.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -475,11 +476,15 @@ static struct grub_fs grub_romfs_fs =
GRUB_MOD_INIT(romfs)
{
- grub_romfs_fs.mod = mod;
- grub_fs_register (&grub_romfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_romfs_fs.mod = mod;
+ grub_fs_register (&grub_romfs_fs);
+ }
}
GRUB_MOD_FINI(romfs)
{
- grub_fs_unregister (&grub_romfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_romfs_fs);
}
diff --git a/grub-core/fs/sfs.c b/grub-core/fs/sfs.c
index f0d7cac435..88705b3a29 100644
--- a/grub-core/fs/sfs.c
+++ b/grub-core/fs/sfs.c
@@ -26,6 +26,7 @@
#include <grub/types.h>
#include <grub/fshelp.h>
#include <grub/charset.h>
+#include <grub/lockdown.h>
#include <grub/safemath.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -779,12 +780,16 @@ static struct grub_fs grub_sfs_fs =
GRUB_MOD_INIT(sfs)
{
- grub_sfs_fs.mod = mod;
- grub_fs_register (&grub_sfs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_sfs_fs.mod = mod;
+ grub_fs_register (&grub_sfs_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI(sfs)
{
- grub_fs_unregister (&grub_sfs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_sfs_fs);
}
diff --git a/grub-core/fs/udf.c b/grub-core/fs/udf.c
index 8765c633c6..3d5ee5af50 100644
--- a/grub-core/fs/udf.c
+++ b/grub-core/fs/udf.c
@@ -27,6 +27,7 @@
#include <grub/fshelp.h>
#include <grub/charset.h>
#include <grub/datetime.h>
+#include <grub/lockdown.h>
#include <grub/udf.h>
#include <grub/safemath.h>
@@ -1455,12 +1456,16 @@ static struct grub_fs grub_udf_fs = {
GRUB_MOD_INIT (udf)
{
- grub_udf_fs.mod = mod;
- grub_fs_register (&grub_udf_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_udf_fs.mod = mod;
+ grub_fs_register (&grub_udf_fs);
+ }
my_mod = mod;
}
GRUB_MOD_FINI (udf)
{
- grub_fs_unregister (&grub_udf_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_udf_fs);
}
diff --git a/grub-core/fs/ufs.c b/grub-core/fs/ufs.c
index e82d9356d7..8b5adbd48d 100644
--- a/grub-core/fs/ufs.c
+++ b/grub-core/fs/ufs.c
@@ -25,6 +25,7 @@
#include <grub/dl.h>
#include <grub/types.h>
#include <grub/i18n.h>
+#include <grub/lockdown.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -899,8 +900,11 @@ GRUB_MOD_INIT(ufs1)
#endif
#endif
{
- grub_ufs_fs.mod = mod;
- grub_fs_register (&grub_ufs_fs);
+ if (!grub_is_lockdown ())
+ {
+ grub_ufs_fs.mod = mod;
+ grub_fs_register (&grub_ufs_fs);
+ }
my_mod = mod;
}
@@ -914,6 +918,7 @@ GRUB_MOD_FINI(ufs1)
#endif
#endif
{
- grub_fs_unregister (&grub_ufs_fs);
+ if (!grub_is_lockdown ())
+ grub_fs_unregister (&grub_ufs_fs);
}
--
2.48.1


@ -0,0 +1,85 @@
From 53a0f0ebe569a846de22085c654ea4fbdfb6a154 Mon Sep 17 00:00:00 2001
From: Lidong Chen <lidong.chen@oracle.com>
Date: Tue, 21 Jan 2025 19:02:37 +0000
Subject: [PATCH 20/20] fs: Prevent overflows when allocating memory for arrays
Use grub_calloc() when allocating memory for arrays to ensure proper
overflow checks are in place.
The HFS+ and squash4 security vulnerabilities were reported by
Jonathan Bar Or <jonathanbaror@gmail.com>.
Fixes: CVE-2025-0678
Fixes: CVE-2025-1125
Signed-off-by: Lidong Chen <lidong.chen@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
grub-core/fs/btrfs.c | 4 ++--
grub-core/fs/hfspluscomp.c | 9 +++++++--
grub-core/fs/squash4.c | 8 ++++----
3 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c
index 0dd9a817ee..8d0147dac1 100644
--- a/grub-core/fs/btrfs.c
+++ b/grub-core/fs/btrfs.c
@@ -1409,8 +1409,8 @@ grub_btrfs_mount (grub_device_t dev)
}
data->n_devices_allocated = 16;
- data->devices_attached = grub_malloc (sizeof (data->devices_attached[0])
- * data->n_devices_allocated);
+ data->devices_attached = grub_calloc (data->n_devices_allocated,
+ sizeof (data->devices_attached[0]));
if (!data->devices_attached)
{
grub_free (data);
diff --git a/grub-core/fs/hfspluscomp.c b/grub-core/fs/hfspluscomp.c
index 48ae438d85..a80954ee61 100644
--- a/grub-core/fs/hfspluscomp.c
+++ b/grub-core/fs/hfspluscomp.c
@@ -244,14 +244,19 @@ hfsplus_open_compressed_real (struct grub_hfsplus_file *node)
return 0;
}
node->compress_index_size = grub_le_to_cpu32 (index_size);
- node->compress_index = grub_malloc (node->compress_index_size
- * sizeof (node->compress_index[0]));
+ node->compress_index = grub_calloc (node->compress_index_size,
+ sizeof (node->compress_index[0]));
if (!node->compress_index)
{
node->compressed = 0;
grub_free (attr_node);
return grub_errno;
}
+
+ /*
+ * The node->compress_index_size * sizeof (node->compress_index[0]) is safe here
+ * due to relevant checks done in grub_calloc() above.
+ */
if (grub_hfsplus_read_file (node, 0, 0,
0x104 + sizeof (index_size),
node->compress_index_size
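Review bot: the new comment before grub_hfsplus_read_file () asserts that node->compress_index_size * sizeof (node->compress_index[0]) is safe because grub_calloc () already checked it, which leaves the same product computed twice and its safety resting on a comment. Computing the byte count once with grub_mul () into a local, then passing that value to both the allocation and the read, would make the check and its use the same expression.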
diff --git a/grub-core/fs/squash4.c b/grub-core/fs/squash4.c
index 6e9d63874c..77aa4fbf3a 100644
--- a/grub-core/fs/squash4.c
+++ b/grub-core/fs/squash4.c
@@ -816,10 +816,10 @@ direct_read (struct grub_squash_data *data,
break;
}
total_blocks = ((total_size + data->blksz - 1) >> data->log2_blksz);
- ino->block_sizes = grub_malloc (total_blocks
- * sizeof (ino->block_sizes[0]));
- ino->cumulated_block_sizes = grub_malloc (total_blocks
- * sizeof (ino->cumulated_block_sizes[0]));
+ ino->block_sizes = grub_calloc (total_blocks,
+ sizeof (ino->block_sizes[0]));
+ ino->cumulated_block_sizes = grub_calloc (total_blocks,
+ sizeof (ino->cumulated_block_sizes[0]));
if (!ino->block_sizes || !ino->cumulated_block_sizes)
{
grub_free (ino->block_sizes);
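Review bot: grub_calloc () only guards the multiplication; the addition in total_size + data->blksz - 1 on the context line above is still unchecked. If total_size comes from the image and is close to the maximum of its type, total_blocks wraps to a small value before either allocation sees it. Guarding that addition with grub_add () would cover the remaining step of the size computation.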
--
2.48.1


@ -1,5 +1,7 @@
--- a/include/grub/tpm.h
+++ b/include/grub/tpm.h
Index: grub-2.12/include/grub/tpm.h
===================================================================
--- grub-2.12.orig/include/grub/tpm.h
+++ grub-2.12/include/grub/tpm.h
@@ -36,6 +36,12 @@
#define EV_IPL 0x0d
@ -13,7 +15,7 @@
grub_err_t grub_tpm_measure (unsigned char *buf, grub_size_t size,
grub_uint8_t pcr, const char *description);
int grub_tpm_present (void);
@@ -45,5 +51,7 @@
@@ -45,5 +51,7 @@ grub_is_tpm_fail_fatal (void)
{
return grub_env_get_bool ("tpm_fail_fatal", false);
}
@ -21,29 +23,32 @@
+void grub_tpm_digest_free (struct grub_tpm_digest *d);
#endif
--- a/grub-core/commands/efi/tpm.c
+++ b/grub-core/commands/efi/tpm.c
@@ -24,6 +24,7 @@
#include <grub/efi/efi.h>
#include <grub/efi/cc.h>
#include <grub/efi/tpm.h>
+#include <grub/tpm2/tpm2.h>
#include <grub/mm.h>
Index: grub-2.12/grub-core/commands/efi/tpm.c
===================================================================
--- grub-2.12.orig/grub-core/commands/efi/tpm.c
+++ grub-2.12/grub-core/commands/efi/tpm.c
@@ -28,6 +28,8 @@
#include <grub/tpm.h>
#include <grub/term.h>
@@ -186,6 +187,91 @@
+#include <tpm2_cmd.h>
+
typedef TCG_PCR_EVENT grub_tpm_event_t;
static grub_guid_t tpm_guid = EFI_TPM_GUID;
@@ -186,6 +188,91 @@ grub_tpm1_log_event (grub_efi_handle_t t
return grub_efi_log_event_status (status);
}
+static void
+grub_tpm2_select_pcr(TPML_PCR_SELECTION *o, unsigned int pcrIndex, unsigned int algo)
+grub_tpm2_select_pcr (TPML_PCR_SELECTION_t *o, unsigned int pcrIndex, unsigned int algo)
+{
+ TPMS_PCR_SELECTION *pcr;
+ TPMS_PCR_SELECTION_t *pcr;
+
+ pcr = &o->pcrSelections[o->count++];
+ pcr->hash = algo;
+ pcr->sizeOfSelect = 3;
+ pcr->pcrSelect[TPM2_PCR_TO_SELECT(pcrIndex)] |= TPM2_PCR_TO_BIT(pcrIndex);
+ TPMS_PCR_SELECTION_SelectPCR (pcr, pcrIndex);
+}
+
+struct grub_tpm_hash_info {
@ -77,10 +82,10 @@
+grub_tpm2_read_pcr (grub_int8_t pcrIndex, const char *algo, struct grub_tpm_digest **ret)
+{
+ const struct grub_tpm_hash_info *info;
+ TPML_PCR_SELECTION inSelection, outSelection;
+ TPML_PCR_SELECTION_t inSelection, outSelection;
+ grub_uint32_t pcrUpdateCounter;
+ TPML_DIGEST digests = { 0 };
+ TPM2B_DIGEST *d;
+ TPML_DIGEST_t digests = { 0 };
+ TPM2B_DIGEST_t *d;
+ struct grub_tpm_digest *result;
+ int rc;
+
@ -92,7 +97,7 @@
+ grub_memset(&outSelection, 0, sizeof(outSelection));
+ grub_tpm2_select_pcr(&inSelection, pcrIndex, info->id);
+
+ rc = TPM2_PCR_Read(
+ rc = grub_tpm2_pcr_read(
+ NULL,
+ &inSelection,
+ &pcrUpdateCounter,
@ -123,7 +128,7 @@
static grub_err_t
grub_tpm2_log_event (grub_efi_handle_t tpm_handle, unsigned char *buf,
grub_size_t size, grub_uint8_t pcr,
@@ -323,3 +409,26 @@
@@ -323,3 +410,26 @@ grub_tpm_present (void)
return grub_tpm2_present (tpm);
}
}
@ -150,16 +155,15 @@
+
+ return result;
+}
--- a/include/grub/tpm2/tpm2.h
+++ b/include/grub/tpm2/tpm2.h
@@ -23,6 +23,10 @@
#include <grub/tpm2/internal/structs.h>
#include <grub/tpm2/internal/functions.h>
+/* Defined in: TCG TPM Specification, v1.59, Part 2, Section 10.6.1. */
+#define TPM2_PCR_TO_SELECT(x) ((x) / 8)
+#define TPM2_PCR_TO_BIT(x) (1 << ((x) % 8))
+
/* Well-Known Windows SRK handle */
#define TPM2_SRK_HANDLE 0x81000001
Index: grub-2.12/grub-core/Makefile.core.def
===================================================================
--- grub-2.12.orig/grub-core/Makefile.core.def
+++ grub-2.12/grub-core/Makefile.core.def
@@ -2606,6 +2606,7 @@ module = {
common = commands/tpm.c;
efi = commands/efi/tpm.c;
enable = efi;
+ cppflags = '-I$(srcdir)/lib/tss2';
};
module = {


@ -21,6 +21,11 @@ v2 -> v3 (by fvogt@suse.de)
- make it a runtime decision (bsc#1164385)
v3 -> v4
- display the message only when necessary
- clear the screen to enhance visual comfort (bsc#1224465)
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -552,6 +552,12 @@
@ -38,17 +43,25 @@ v2 -> v3 (by fvogt@suse.de)
name = grub-mkrescue;
--- a/util/grub.d/00_header.in
+++ b/util/grub.d/00_header.in
@@ -247,6 +247,10 @@
@@ -246,6 +246,18 @@
fi
fi
cat << EOF
+if echo "$GRUB_TERMINAL_OUTPUT" | grep -qwv console &&
+ ([ x"$GRUB_TIMEOUT_STYLE" = xmenu ] ||
+ ([ x"$GRUB_TIMEOUT_STYLE" = x ] &&
+ [ x"$GRUB_HIDDEN_TIMEOUT" = x -o x"$GRUB_HIDDEN_TIMEOUT" = x0 ])); then
+ cat <<EOF
+ if [ "\${grub_platform}" = "efi" ]; then
+ clear
+ echo "Please press 't' to show the boot menu on this console"
+ fi
+EOF
+fi
+
cat << EOF
set gfxmode=${GRUB_GFXMODE}
load_video
insmod gfxterm
--- /dev/null
+++ b/util/grub.d/95_textmode.in
@@ -0,0 +1,12 @@

grub2-add-tss2-support.patch Normal file

File diff suppressed because it is too large


@ -1,4 +1,4 @@
From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
From 32e07f7b99a1dbae933f4d916b0342a82e7ccf35 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Mon, 18 Mar 2024 14:53:11 +0800
Subject: [PATCH] key_protector: implement the blocklist
@ -15,11 +15,11 @@ Signed-off-by: Gary Lin <glin@suse.com>
include/grub/efi/api.h | 5 +++++
2 files changed, 36 insertions(+)
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
index b84afe1c7..3d630ca4f 100644
--- a/grub-core/disk/key_protector.c
+++ b/grub-core/disk/key_protector.c
@@ -24,6 +24,10 @@
Index: grub-2.12/grub-core/disk/key_protector.c
===================================================================
--- grub-2.12.orig/grub-core/disk/key_protector.c
+++ grub-2.12/grub-core/disk/key_protector.c
@@ -25,6 +25,10 @@
GRUB_MOD_LICENSE ("GPLv3+");
@ -30,7 +30,7 @@ index b84afe1c7..3d630ca4f 100644
struct grub_key_protector *grub_key_protectors = NULL;
grub_err_t
@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector *protector)
@@ -53,11 +57,34 @@ grub_key_protector_unregister (struct gr
return GRUB_ERR_NONE;
}
@ -64,10 +64,10 @@ index b84afe1c7..3d630ca4f 100644
+ grub_err_t err;
if (grub_key_protectors == NULL)
return GRUB_ERR_OUT_OF_RANGE;
@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
"Is the name spelled correctly and is the "
"corresponding module loaded?"), protector);
return grub_error (GRUB_ERR_OUT_OF_RANGE, "No key protector registered");
@@ -69,5 +96,9 @@ grub_key_protector_recover_key (const ch
if (kp == NULL)
return grub_error (GRUB_ERR_OUT_OF_RANGE, "Key protector '%s' not found", protector);
+ err = grub_key_protector_check_blocklist ();
+ if (err != GRUB_ERR_NONE)
@ -75,10 +75,10 @@ index b84afe1c7..3d630ca4f 100644
+
return kp->recover_key (key, key_size);
}
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
index 7947cf592..975b90b09 100644
--- a/include/grub/efi/api.h
+++ b/include/grub/efi/api.h
Index: grub-2.12/include/grub/efi/api.h
===================================================================
--- grub-2.12.orig/include/grub/efi/api.h
+++ grub-2.12/include/grub/efi/api.h
@@ -389,6 +389,11 @@
{ 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
}
@ -91,6 +91,3 @@ index 7947cf592..975b90b09 100644
struct grub_efi_sal_system_table
{
grub_uint32_t signature;
--
2.35.3


@ -22,17 +22,23 @@ minix.
[1] https://savannah.gnu.org/bugs/index.php?57652
[2] https://bugzilla.opensuse.org/attachment.cgi?id=828118
v2:
We are still encountering the error. Instead of ensuring ext[234] is tried
before minix, make sure everything is tried before minix unless its detection
issue can be properly addressed.
--- a/Makefile.am
+++ b/Makefile.am
@@ -51,8 +51,11 @@
@@ -51,8 +51,12 @@
-D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
CLEANFILES += libgrub.pp
+# the grep/sed ensures that ext2 gets initialized before minix*
+# the grep/sed ensures that every other file system gets tested before minix*"
+# see https://savannah.gnu.org/bugs/?57652
+# see https://bugzilla.suse.com/show_bug.cgi?id=1231604
libgrub_a_init.lst: libgrub.pp
cat $< | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ || (rm -f $@; exit 1)
+ if grep ^ext2 $@ >/dev/null; then sed '/ext2/d;/newc/iext2' < $@ > $@.tmp && mv $@.tmp $@; fi
+ if grep ^minix $@ >/dev/null; then sed -n '/^minix/p;/^minix/!H;$${x;s/^\n//;p}' < $@ > $@.tmp && mv $@.tmp $@; fi
CLEANFILES += libgrub_a_init.lst
libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
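Review bot: the rewritten comment ends with a stray double quote after minix*, and it says every other file system is tested before minix while the sed expression prints the minix entries first and the held remainder after them. A sentence explaining how position in libgrub_a_init.lst relates to probe order would stop the comment and the command from reading as contradictory.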


@ -0,0 +1,361 @@
From 023b569648eece7a7fe2ae38d731185a1f2abeb5 Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Fri, 23 Aug 2024 09:57:03 +0800
Subject: [PATCH] s390x: add Secure Execution support
To support Secure Execution, 2 extra files and 5 environment variables
are introduced.
- se-parm.conf.in
The template file for the kernel parameter to be used by 'genprotimg'
- se-zipl2grub.conf.in
The template file of zipl.conf for secure execution
- SUSE_S390_SE_ENABLE
The variable to enable s390x Secure Execution
- SUSE_S390_SE_HOST_KEY
The variable to set the file list to the host key documents
- SUSE_S390_SE_HOST_KEY_SIGNING_KEY
The variable to set the file list to the signing key certificates
- SUSE_S390_SE_CA_CERT
The variable to set the file path to the CA certificate
- SUSE_S390_SE_REVOCATION_LIST
The variable to set the file list of the host key revocation lists
When enabling Secure Execution, the zipl initrd is generated in
"/dev/shm/zipl-se" instead of "/boot/zipl" because the zipl initrd
may contain the LUKS key for the encrypted root partition. Then,
'genprotimg' stores the encrypted image, a combination of the zipl
kernel, zipl initrd, and the kernel parameters, as
"/boot/secure-linux-$version". To make the image ready for zipl,
it is copied to "/boot/zipl/secure-linux-$version" and linked to
"/boot/zipl/secure-linux" which is expected by the zipl config.
---
Makefile.util.def | 17 +++
util/s390x/se-parm.conf.in | 1 +
util/s390x/se-zipl2grub.conf.in | 17 +++
util/s390x/zipl2grub.pl.in | 202 ++++++++++++++++++++++++++------
4 files changed, 198 insertions(+), 39 deletions(-)
create mode 100644 util/s390x/se-parm.conf.in
create mode 100644 util/s390x/se-zipl2grub.conf.in
diff --git a/Makefile.util.def b/Makefile.util.def
index ffedea24a..722542933 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -796,6 +796,23 @@ data = {
emu_condition = COND_s390x;
};
+data = {
+ name = se-parm.conf.in;
+ common = util/s390x/se-parm.conf.in;
+ installdir = grubconf;
+ enable = emu;
+ emu_condition = COND_s390x;
+};
+
+data = {
+ name = se-zipl2grub.conf.in;
+ common = util/s390x/se-zipl2grub.conf.in;
+ installdir = grubconf;
+ enable = emu;
+ emu_condition = COND_s390x;
+};
+
+
script = {
name = dracut-module-setup.sh;
common = util/s390x/dracut-module-setup.sh.in;
diff --git a/util/s390x/se-parm.conf.in b/util/s390x/se-parm.conf.in
new file mode 100644
index 000000000..63959b753
--- /dev/null
+++ b/util/s390x/se-parm.conf.in
@@ -0,0 +1 @@
+root=@GRUB_DEVICE@ @GRUB_EMU_CONMODE@ @GRUB_CMDLINE_LINUX@ @GRUB_CMDLINE_LINUX_DEFAULT@ initgrub quiet splash=silent plymouth.enable=0
diff --git a/util/s390x/se-zipl2grub.conf.in b/util/s390x/se-zipl2grub.conf.in
new file mode 100644
index 000000000..e9feeb9b6
--- /dev/null
+++ b/util/s390x/se-zipl2grub.conf.in
@@ -0,0 +1,17 @@
+## This is the template for '@zipldir@/config' and is subject to
+## rpm's %config file handling in case of grub2-s390x-emu package update.
+
+[defaultboot]
+defaultmenu = menu
+
+[grub2-secure]
+ target = @zipldir@
+ image = @zipldir@/secure-linux
+
+:menu
+ target = @zipldir@
+ timeout = 60
+ default = 1
+ prompt = 0
+ secure = @SUSE_SECURE_BOOT@
+ 1 = grub2-secure
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
index 46b902209..930ecc4cd 100644
--- a/util/s390x/zipl2grub.pl.in
+++ b/util/s390x/zipl2grub.pl.in
@@ -12,10 +12,19 @@ my $definitrd = "/boot/initrd";
my $Image = "$defimage";
my $previous = ".prev";
my $zipldir = "";
+my $imgdir = "";
my $running = "";
my $refresh = 1; # needs to default to "on" until most bugs are shaken out!
my $force = 0;
my $hostonly = 1;
+my $secure_exec = 0;
+my $sehostkey = "";
+my $sesignkey = "";
+my $secacert = "";
+my $serevoke = "";
+my $separm= "";
+my $se_zipconf = '@sysconfdir@/default/se-zipl2grub.conf.in';
+my $se_kernparm = '@sysconfdir@/default/se-parm.conf.in';
my $verbose = 0;
my $debug = 0;
my $miss = 0;
@@ -183,6 +192,55 @@ sub ChkInitrd($$) {
return $found;
}
+sub GenSEImage($$$$) {
+ my( $kernel, $initrd, $parm, $out_image) = @_;
+
+ # genprotimg -i <kernel-image-file> \
+ # -r <initrd-file>> \
+ # -p <parm-file> \
+ # --host-key-document <host-key-doc> \
+ # --cert ibm-z-host-key-signing.crt \
+ # --cert DigiCertCA.crt \
+ # --crl revocation.crl \
+ # -o /boot/zipl/secure-linux
+
+ my @C = ( "genprotimg", "-i", $kernel, "-r", $initrd, "-p", $parm,
+ "--cert", $secacert);
+
+ # Handle the host key document list
+ if ($sehostkey) {
+ my @sehostkey_list = split('[,\s]+', $sehostkey);
+ my $hkd;
+ foreach $hkd (@sehostkey_list) {
+ Panic( 1, "$C: host key document '$hkd' not readable!?\n") unless (-r $hkd);
+ push @C, "--host-key-document", $hkd;
+ }
+ }
+
+ # Handle the signing key list
+ if ($sesignkey) {
+ my @sesignkey_list = split('[,\s]+', $sesignkey);
+ my $signkey;
+ foreach $signkey (@sesignkey_list) {
+ Panic( 1, "$C: signing key '$signkey' not readable!?\n") unless (-r $signkey);
+ push @C, "--cert", $signkey;
+ }
+ }
+
+ # Handle the revocation list files
+ if ($serevoke) {
+ my @serevoke_list = split('[,\s]+', $serevoke);
+ my $crl;
+ foreach $crl (@serevoke_list) {
+ Panic( 1, "$C: revocation list '$crl' not readable!?\n") unless (-r $crl);
+ push @C, "--crl", $crl;
+ }
+ }
+
+ push @C, "-o", "$out_image";
+ System( @C);
+}
+
sub Usage($) {
my @cat = ("",
"Parameter error.",
@@ -401,49 +459,91 @@ if ( $debug && $verbose > 2 ) {
}
}
-open( IN, "< $in") ||
- Panic( 1, "$C: Failed to open 'zipl.conf' template: $!.\n");
-while ( <IN> ) {
- Info( 4, "$.. <$_$.. >");
- if ( $. == 1 && m{^## This} ) {
- $_ = "## This file was written by 'grub2-install/$C'\n" .
- "## filling '$in' as template\n";
- } elsif ( $. == 2 && m{^## rpm's} ) {
- $_ = "## with values from '$default'.\n" .
- "## In-place modifications will eventually go missing!\n";
+#
+# s390x Secure Execution variables
+#
+# SUSE_S390_SE_ENABLE: enabling s390x Secure Execution
+# SUSE_S390_SE_HOST_KEY: the host key
+# SUSE_S390_SE_HOST_KEY_SIGNING_KEY: the signing key of the host key
+# SUSE_S390_SE_CA_CERT: the CA certificate
+# SUSE_S390_SE_REVOCATION_LIST: the revocation list
+#
+if ( -r $C{SUSE_S390_SE_HOST_KEY} && -r $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY} &&
+ -r $C{SUSE_S390_SE_CA_CERT}) {
+
+ $sehostkey = $C{SUSE_S390_SE_HOST_KEY};
+ $sesignkey = $C{SUSE_S390_SE_HOST_KEY_SIGNING_KEY};
+ $secacert = $C{SUSE_S390_SE_CA_CERT};
+
+ $serevoke = $C{SUSE_S390_SE_REVOCATION_LIST} if $C{SUSE_S390_SE_REVOCATION_LIST};
+
+ if ( $C{SUSE_S390_SE_ENABLE} =~ m{^(yes|true|1)$} ) {
+ $secure_exec = 1;
}
- while ( m{\@([^\@\s]+)\@} ) {
- my $k = $1;
- my $v;
- if ( exists( $C{$k}) ) {
- $v = $C{$k};
- } elsif ( exists( $Mandatory{$k}) ) {
- $v = "$k";
- $miss++;
- } else {
- $v = "";
+}
+
+sub MkConfig($$) {
+ my( $template, $name) = @_;
+ open( IN, "< $template") ||
+ Panic( 1, "$C: Failed to open '$name' template: $!.\n");
+ while ( <IN> ) {
+ Info( 4, "$.. <$_$.. >");
+ if ( $. == 1 && m{^## This} ) {
+ $_ = "## This file was written by 'grub2-install/$C'\n" .
+ "## filling '$template' as template\n";
+ } elsif ( $. == 2 && m{^## rpm's} ) {
+ $_ = "## with values from '$default'.\n" .
+ "## In-place modifications will eventually go missing!\n";
}
- if ($k eq "GRUB_DEVICE") {
- if (($v !~ /^UUID/ && ! -e $v) ||
- (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
- $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
- s{root=\@$k\@}{}g;
- next;
+ while ( m{\@([^\@\s]+)\@} ) {
+ my $k = $1;
+ my $v;
+ if ( exists( $C{$k}) ) {
+ $v = $C{$k};
+ } elsif ( exists( $Mandatory{$k}) ) {
+ $v = "$k";
+ $miss++;
+ } else {
+ $v = "";
+ }
+ if ($k eq "GRUB_DEVICE") {
+ if (($v !~ /^UUID/ && ! -e $v) ||
+ (exists( $C{SUSE_REMOVE_LINUX_ROOT_PARAM}) &&
+ $C{SUSE_REMOVE_LINUX_ROOT_PARAM} eq "true")) {
+ s{root=\@$k\@}{}g;
+ next;
+ }
}
+ s{\@$k\@}{$v}g;
}
- s{\@$k\@}{$v}g;
+ Info( 3, $_);
+ $cfg .= $_;
+ }
+ if ( $miss ) {
+ Info( 1, "Partially filled config:\n===\n$cfg===\n");
+ Panic( 1, "$C: '$name' template could not be filled. \n");
}
- Info( 3, $_);
- $cfg .= $_;
}
-if ( $miss ) {
- Info( 1, "Partially filled config:\n===\n$cfg===\n");
- Panic( 1, "$C: 'zipl.conf' template could not be filled. \n");
+
+if ( $secure_exec ) {
+ # create the kernel parameter file
+ MkConfig($se_kernparm, "parm.conf");
+ $separm = $cfg;
+
+ # clean up $cfg to reuse the variable for zipl.conf
+ $cfg = "";
+ MkConfig($se_zipconf, "zipl.conf");
+ $imgdir = "/dev/shm/zipl-se";
+
+ mkdir ($imgdir, 0700) unless (-d $imgdir);
+} else {
+ MkConfig($in, "zipl.conf");
+ $imgdir = $zipldir;
}
# copy out kernel and initrd
-my $ziplimage = "$zipldir/image";
-my $ziplinitrd = "$zipldir/initrd";
+my $ziplimage = "$imgdir/image";
+my $ziplinitrd = "$imgdir/initrd";
if ( ! $running && ! $force ) {
chomp( $running = qx{uname -r});
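Review bot: /dev/shm/zipl-se is a fixed name in a world-writable directory, and mkdir ($imgdir, 0700) unless (-d $imgdir) accepts a directory that already exists without checking its owner or mode. The commit message says the initrd placed there may contain the LUKS key, so a directory pre-created by another local user would expose it. Create a fresh private directory (File::Temp's tempdir, or refuse to continue unless the existing one is root-owned with mode 0700) and remove it once the image is built. Separately, the enabling test at the top of this hunk applies -r to the whole SUSE_S390_SE_HOST_KEY and SUSE_S390_SE_HOST_KEY_SIGNING_KEY strings, while GenSEImage() splits the same values on commas and whitespace; with more than one file in either variable the test fails and Secure Execution is silently left off, so the check should be done per entry and should report an error when SUSE_S390_SE_ENABLE is set.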
@@ -478,18 +578,42 @@ my $initrd = "initrd-$version";
$image = "image-$version";
if ( ! -r $ziplimage || ! -r $ziplinitrd || $refresh ) {
- BootCopy( $Image, $image, $zipldir, "image");
- BootCopy( $initrd, $initrd, $zipldir, "initrd")
+ BootCopy( $Image, $image, $imgdir, "image");
+ BootCopy( $initrd, $initrd, $imgdir, "initrd")
if (-r "/boot/$initrd" && ! exists( $fsdev{"/boot"}));
}
-if ( $refresh || ChkInitrd( $zipldir, "initrd") <= 0 ) {
- MkInitrd( $initrd, $zipldir, $version);
+if ( $refresh || ChkInitrd( $imgdir, "initrd") <= 0 ) {
+ MkInitrd( $initrd, $imgdir, $version);
}
-if ( ChkInitrd( $zipldir, "initrd") == 0 ) {
+if ( ChkInitrd( $imgdir, "initrd") == 0 ) {
Info( 0, "$C: dracut does not work as expected! Help needed!\n");
$miss++;
}
+if ( $secure_exec ) {
+ my $seimage = "secure-linux-$version";
+ my $parmconf = "$imgdir/parm.conf";
+ my $bootseimg = "/boot/$seimage";
+
+ # write parm.conf
+ if ( ! $debug ) {
+ open( OUT, "> $parmconf") || die;
+ print( OUT $separm) || die;
+ close( OUT);
+ } else {
+ print( STDERR $separm);
+ }
+
+ # Create the secure-execution image in /boot first
+ GenSEImage( $ziplimage, $ziplinitrd, $parmconf, $bootseimg );
+
+ # check /boot/$seimage
+ Panic( 1, "$C: Secure Image '$bootseimg' not readable!?\n") unless (-r "$bootseimg");
+
+ # copy /boot/$seimage to $zipldir
+ BootCopy($seimage, $seimage, $zipldir, "secure-linux");
+}
+
# write zipl config file
my $ziplconf = "$zipldir/config";
$cfg =~ s{#@}{}g if ( -r "$ziplimage$previous" && -r "$ziplinitrd$previous" );
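Review bot: in the parm.conf block, 'open( OUT, "> $parmconf") || die;' uses the two-argument form with a bareword handle and dies without saying which file failed, and 'close( OUT);' is unchecked, so a short write on the tmpfs goes unnoticed before GenSEImage reads the file. Prefer a lexical handle with three-argument open, include "$parmconf: $!" in the error (or use Panic as the rest of the script does), and check close. Also, with $debug set parm.conf is only printed to STDERR, yet GenSEImage is still called with $parmconf and the result is checked with '-r "$bootseimg"'; unless GenSEImage handles $debug itself, the debug path should skip or guard those steps. Nothing in this hunk removes the staged image, initrd and parm.conf from $imgdir once the secure image has been built; if that is intended, a comment saying so would help.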
--
2.43.0

View File

@ -1,3 +1,24 @@
From 2a86e5f9e3abb622d2e16ee5f05b1ba2df1f756d Mon Sep 17 00:00:00 2001
From: Gary Lin <glin@suse.com>
Date: Tue, 6 Aug 2024 14:46:17 +0800
Subject: [PATCH] zipl2grub.pl.in: add the switch for hostonly/no-hostonly
Since the kiwi build environment could be very different from the real
system environment, it may cause some problem to build the zipl initrd
with '--hostonly' since some critical files could be omitted
accidentally. To avoid the potential issues, this commit introduces a
variable, SUSE_S390_DRACUT_HOSTONLY, as the switch to use hostonly or
no-hostonly for the zipl initrd. By default, it's detected automatically
by tracing the root partition to the root block device. If the root
block device is a loop device, then it's likely to be a build
environment, and then '--no-hostonly' will be used to create the zipl
initrd.
Signed-off-by: Gary Lin <glin@suse.com>
---
util/s390x/zipl2grub.pl.in | 26 +++++++++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/util/s390x/zipl2grub.pl.in b/util/s390x/zipl2grub.pl.in
index f4f997100..46b902209 100644
--- a/util/s390x/zipl2grub.pl.in
@ -50,3 +71,6 @@ index f4f997100..46b902209 100644
if ( $debug && $verbose > 2 ) {
foreach ( sort( keys( %C)) ) {
printf( "%s=\"%s\"\n", $_, $C{$_});
--
2.35.3

View File

@ -1,3 +1,269 @@
-------------------------------------------------------------------
Mon Mar 3 04:30:51 UTC 2025 - Michael Chang <mchang@suse.com>
- Cherry-pick upstream XFS fixes
* 0001-fs-xfs-Add-new-superblock-features-added-in-Linux-6..patch
* 0002-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
- Fix "attempt to read of write outside of partition" error message (bsc#1237844)
* 0003-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch
-------------------------------------------------------------------
Tue Feb 25 02:46:36 UTC 2025 - Michael Chang <mchang@suse.com>
- Make SLFO/SLE-16 and openSUSE have identical package structures
- Provide grub2-<CPUARCH>-efi-bls for SLFO/SLE-16
-------------------------------------------------------------------
Wed Feb 19 07:12:23 UTC 2025 - Michael Chang <mchang@suse.com>
- Fix grub-bls does not rollback via setting new default (bsc#1237198)
* 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch
-------------------------------------------------------------------
Fri Feb 14 03:49:09 UTC 2025 - Michael Chang <mchang@suse.com>
- Security fixes for 2024
* 0001-misc-Implement-grub_strlcpy.patch
- Fix CVE-2024-45781 (bsc#1233617)
* 0002-fs-ufs-Fix-a-heap-OOB-write.patch
- Fix CVE-2024-56737 (bsc#1234958)
- Fix CVE-2024-45782 (bsc#1233615)
* 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
- Fix CVE-2024-45780 (bsc#1233614)
* 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2024-45783 (bsc#1233616)
* 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
* 0006-kern-file-Ensure-file-data-is-set.patch
* 0007-kern-file-Implement-filesystem-reference-counting.patch
- Fix CVE-2025-0624 (bsc#1236316)
* 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
- Fix CVE-2024-45774 (bsc#1233609)
* 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
- Fix CVE-2024-45775 (bsc#1233610)
* 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0012-normal-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2025-0622 (bsc#1236317)
* 0013-gettext-Remove-variables-hooks-on-module-unload.patch
- Fix CVE-2024-45776 (bsc#1233612)
* 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
- Fix CVE-2024-45777 (bsc#1233613)
* 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
- Fix CVE-2025-0690 (bsc#1237012)
* 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
- Fix CVE-2025-1118 (bsc#1237013)
* 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
- Fix CVE-2024-45778 (bsc#1233606)
- Fix CVE-2024-45779 (bsc#1233608)
* 0018-fs-bfs-Disable-under-lockdown.patch
- Fix CVE-2025-0677 (bsc#1237002)
- Fix CVE-2025-0684 (bsc#1237008)
- Fix CVE-2025-0685 (bsc#1237009)
- Fix CVE-2025-0686 (bsc#1237010)
- Fix CVE-2025-0689 (bsc#1237011)
* 0019-fs-Disable-many-filesystems-under-lockdown.patch
- Fix CVE-2025-1125 (bsc#1237014)
- Fix CVE-2025-0678 (bsc#1237006)
* 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
- Updated to upstream version
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Bump upstream SBAT generation to 5
-------------------------------------------------------------------
Thu Feb 13 15:28:50 UTC 2025 - Michael Chang <mchang@suse.com>
- Fix out of memory issue on PowerPC by increasing RMA size (bsc#1236744)
* 0001-powerpc-increase-MIN-RMA-size-for-CAS-negotiation.patch
-------------------------------------------------------------------
Sun Dec 8 10:22:43 UTC 2024 - Michael Chang <mchang@suse.com>
- Update PowerPC SBAT patches to upstream (bsc#1233730)
* 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
* 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
- Replaced patches
* 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
* 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
-------------------------------------------------------------------
Fri Dec 6 16:40:54 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix missing requires in SLE package (bsc#1234264) (bsc#1234272)
-------------------------------------------------------------------
Tue Dec 3 07:18:32 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Update the TPM2 patches to the upstream final version
* Update 0001-key_protector-Add-key-protectors-framework.patch
* Replace 0002-tpm2-Add-TPM-Software-Stack-TSS.patch with
grub2-add-tss2-support.patch
* Replace 0003-key_protector-Add-TPM2-Key-Protector.patch with
0001-key_protector-Add-TPM2-Key-Protector.patch
* Replace 0005-util-grub-protect-Add-new-tool.patch with
0001-util-grub-protect-Add-new-tool.patch
* Replace 0001-tpm2-Implement-NV-index.patch with
0001-tpm2_key_protector-Implement-NV-index.patch
* Replace 0001-tpm2-Support-authorized-policy.patch with
0001-tpm2_key_protector-Support-authorized-policy.patch
- Refresh the TPM2 related patches
* grub-read-pcr.patch
* 0001-tpm2-Add-extra-RSA-SRK-types.patch
* grub2-bsc1220338-key_protector-implement-the-blocklist.patch
* safe_tpm_pcr_snapshot.patch
* tpm-record-pcrs.patch
-------------------------------------------------------------------
Fri Nov 29 05:56:22 UTC 2024 - Gary Ching-Pang Lin <glin@suse.com>
- Support s390x Secure Execution (jsc#PED-9531)
* grub2-s390x-secure-execution-support.patch
- Update grub2-s390x-set-hostonly.patch to add the patch header
and the description
-------------------------------------------------------------------
Wed Nov 13 01:09:47 UTC 2024 - Michael Chang <mchang@suse.com>
- Revert the patches related to BLS support in grub2-mkconfig, as they are not
relevant to the current BLS integration and cause issues in older KIWI
versions, which actively force it to be enabled by default (bsc#1233196)
* 0002-Add-BLS-support-to-grub-mkconfig.patch
* 0003-Add-grub2-switch-to-blscfg.patch
* 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
* 0008-blscfg-reading-bls-fragments-if-boot-present.patch
* 0009-10_linux-Some-refinement-for-BLS.patch
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
-------------------------------------------------------------------
Fri Nov 8 14:42:12 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix previous change as the variable has to be set earlier
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
-------------------------------------------------------------------
Fri Nov 8 05:21:47 UTC 2024 - Michael Chang <mchang@suse.com>
- Do not enable blscfg on s390-emu
* 0001-10_linux-Do-not-enable-BLSCFG-on-s390-emu.patch
-------------------------------------------------------------------
Wed Nov 6 07:45:21 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix xen package contains debug_info files with the .module suffix by moving
them to a separate xen-debug subpackage (bsc#1232573)
-------------------------------------------------------------------
Fri Nov 1 08:46:36 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix grub.cfg is loaded from an unexpected fallback directory instead of the
root directory during PXE boot when grub is loaded from the tftp root
directory (bsc#1232391)
* 0001-kern-main-Fix-cmdpath-in-root-directory.patch
* grub2.spec: Refine PPC grub.elf early config to derive root from cmdpath
directly, avoiding the unneeded search
-------------------------------------------------------------------
Wed Oct 30 08:24:15 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix CVE-2024-49504 (bsc#1229163) (bsc#1229164)
- Restrict CLI access if the encrypted root device is automatically unlocked by
the TPM. LUKS password authentication is required for access to be granted
* 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
* 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
- Obsolete, as CLI access is now locked and granted access no longer requires
the previous restrictions
* 0002-Restrict-file-access-on-cryptodisk-print.patch
* 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
- Rediff
* 0004-Key-revocation-on-out-of-bound-file-access.patch
-------------------------------------------------------------------
Wed Oct 30 00:44:41 UTC 2024 - Michael Chang <mchang@suse.com>
- Enable support of Radix, Xive and Radix_gtse on Power (jsc#PED-9881)
* 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
-------------------------------------------------------------------
Wed Oct 23 06:17:54 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591)
-------------------------------------------------------------------
Tue Oct 22 07:34:04 UTC 2024 - Michael Chang <mchang@suse.com>
- Keep grub packaging and dependencies in the SLE-12 and SLE-15 builds
-------------------------------------------------------------------
Fri Oct 18 07:42:27 UTC 2024 - Michael Chang <mchang@suse.com>
- Power guest secure boot with key management (jsc#PED-3520) (jsc#PED-9892)
* 0001-ieee1275-Platform-Keystore-PKS-Support.patch
* 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
* 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
* 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
* 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
* 0006-appendedsig-documentation.patch
* 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
* 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
* grub2.spec : Building signed grub.elf with SBAT metadata
- Support for NVMe multipath splitter (jsc#PED-10538)
* 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
- Deleted path (jsc#PED-10538)
* 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
* 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
-------------------------------------------------------------------
Wed Oct 16 13:50:00 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix not a directory error from the minix filesystem, as leftover data on disk
may contain its magic header so it gets misdetected (bsc#1231604)
* grub2-install-fix-not-a-directory-error.patch
-------------------------------------------------------------------
Fri Oct 4 06:58:06 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix missng menu entry "Start bootloader from a read-only snapshot" by
ensuring grub2-snapper-plugin is installed when both snapper and grub2-common
are installed (bsc#1231271)
-------------------------------------------------------------------
Fri Oct 4 06:49:12 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix OOM error in loading loopback file (bsc#1230840)
* 0001-tpm-Skip-loopback-image-measurement.patch
-------------------------------------------------------------------
Fri Oct 4 06:41:11 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix UEFI PXE boot failure on tagged VLAN network (bsc#1230263)
* 0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch
-------------------------------------------------------------------
Thu Oct 3 08:25:57 UTC 2024 - Michael Chang <mchang@suse.com>
- Fix grub screen is filled with artifects from earlier post menu (bsc#1224465)
* grub2-SUSE-Add-the-t-hotkey.patch
* 0001-fix-grub-screen-filled-with-post-screen-artifects.patch
-------------------------------------------------------------------
Tue Aug 13 07:12:58 UTC 2024 - Michael Chang <mchang@suse.com>
- Introduces a new package, grub2-x86_64-efi-bls, which includes a
straightforward grubbls.efi file. This file can be copied to the EFI System
Partition (ESP) along with boot fragments in the Boot Loader Specification
(BLS) format
* 0001-Streamline-BLS-and-improve-PCR-stability.patch
- Fix crash in bli module (bsc#1226497)
* 0001-bli-Fix-crash-in-get_part_uuid.patch
-------------------------------------------------------------------
Tue Aug 13 02:42:42 UTC 2024 - Michael Chang <mchang@suse.com>
- Rework package dependencies: grub2-common now includes common userland
utilities and is required by grub2 platform packages. grub2 is now a meta
package that pulls in the default platform package.
-------------------------------------------------------------------
Fri Aug 2 08:44:40 UTC 2024 - Michael Chang <mchang@suse.com>
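Review bot: a few changelog entries carry typos that will end up in the published package history: 'missng menu entry' (Oct 4 2024), 'artifects' (Oct 3 2024), 'read of write outside of partition' (Mar 3 2025), and 'Deleted path' above a list of removed patch files (Oct 18 2024), where 'Deleted patches' seems to be meant. In the Feb 14 2025 entry CVE-2025-0622 is listed three times, once per patch; grouping 0011, 0012 and 0013 under a single CVE line would match how CVE-2024-45783 is presented with its three patches.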

View File

@ -1,7 +1,7 @@
#
# spec file for package grub2
#
# Copyright (c) 2024 SUSE LLC
# Copyright (c) 2025 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -22,7 +22,7 @@
%if %{defined sbat_distro}
# SBAT metadata
%define sbat_generation 1
%define sbat_generation_grub 4
%define sbat_generation_grub 5
%else
%{error please define sbat_distro, sbat_distro_summary and sbat_distro_url}
%endif
@ -339,10 +339,10 @@ Patch147: 0001-grub-probe-Deduplicate-probed-partmap-output.patch
Patch148: 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
Patch149: 0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
Patch150: 0001-key_protector-Add-key-protectors-framework.patch
Patch151: 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
Patch152: 0003-key_protector-Add-TPM2-Key-Protector.patch
Patch151: grub2-add-tss2-support.patch
Patch152: 0001-key_protector-Add-TPM2-Key-Protector.patch
Patch153: 0004-cryptodisk-Support-key-protectors.patch
Patch154: 0005-util-grub-protect-Add-new-tool.patch
Patch154: 0001-util-grub-protect-Add-new-tool.patch
Patch155: 0008-linuxefi-Use-common-grub_initrd_load.patch
Patch156: 0009-Add-crypttab_entry-to-obviate-the-need-to-input-pass.patch
Patch157: 0010-templates-import-etc-crypttab-to-grub.cfg.patch
@ -356,9 +356,7 @@ Patch164: 0003-ieee1275-change-the-logic-of-ieee1275_get_devargs.patch
Patch165: 0004-ofpath-controller-name-update.patch
Patch166: 0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
Patch167: grub2-increase-crypttab-path-buffer.patch
Patch168: 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
Patch169: 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
Patch170: 0001-tpm2-Support-authorized-policy.patch
Patch170: 0001-tpm2_key_protector-Support-authorized-policy.patch
Patch171: 0001-tpm2-Add-extra-RSA-SRK-types.patch
Patch174: 0001-clean-up-crypttab-and-linux-modules-dependency.patch
Patch175: 0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
@ -370,7 +368,7 @@ Patch180: 0001-xen_boot-add-missing-grub_arch_efi_linux_load_image_.patch
Patch181: 0001-font-Try-memdisk-fonts-with-the-same-name.patch
Patch182: 0001-Make-grub.cfg-compatible-to-old-binaries.patch
Patch183: grub2-change-bash-completion-dir.patch
Patch184: 0001-tpm2-Implement-NV-index.patch
Patch184: 0001-tpm2_key_protector-Implement-NV-index.patch
Patch185: 0002-cryptodisk-Fallback-to-passphrase.patch
Patch186: 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
Patch187: 0004-diskfilter-look-up-cryptodisk-devices-first.patch
@ -379,8 +377,6 @@ Patch189: arm64-Use-proper-memory-type-for-kernel-allocation.patch
Patch190: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
Patch191: Fix-the-size-calculation-for-the-synthesized-initrd.patch
Patch192: 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
Patch193: 0002-Restrict-file-access-on-cryptodisk-print.patch
Patch194: 0003-Restrict-ls-and-auto-file-completion-on-cryptodisk-p.patch
Patch195: 0004-Key-revocation-on-out-of-bound-file-access.patch
# Workaround for 2.12 tarball
Patch196: fix_no_extra_deps_in_release_tarball.patch
@ -396,17 +392,57 @@ Patch205: 0001-10_linux-Ensure-persistence-of-root-file-system-moun.patch
Patch206: 0001-util-bash-completion-Fix-for-bash-completion-2.12.patch
Patch207: 0001-util-enable-grub-protect-only-for-EFI-systems.patch
Patch208: 0001-blscfg-add-blscfg-module-to-parse-Boot-Loader-Specif.patch
Patch209: 0002-Add-BLS-support-to-grub-mkconfig.patch
Patch210: 0003-Add-grub2-switch-to-blscfg.patch
Patch211: 0004-blscfg-Don-t-root-device-in-emu-builds.patch
Patch212: 0005-blscfg-check-for-mounted-boot-in-emu.patch
Patch213: 0006-Follow-the-device-where-blscfg-is-discovered.patch
Patch214: 0007-grub-switch-to-blscfg-adapt-to-openSUSE.patch
Patch215: 0008-blscfg-reading-bls-fragments-if-boot-present.patch
Patch216: 0009-10_linux-Some-refinement-for-BLS.patch
Patch217: 0001-net-drivers-ieee1275-ofnet-Remove-200-ms-timeout-in-.patch
Patch218: grub2-s390x-set-hostonly.patch
Patch219: 0001-bli-Fix-crash-in-get_part_uuid.patch
Patch220: 0001-Streamline-BLS-and-improve-PCR-stability.patch
Patch221: 0001-fix-grub-screen-filled-with-post-screen-artifects.patch
Patch222: 0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch
Patch223: 0001-tpm-Skip-loopback-image-measurement.patch
Patch224: 0001-ieee1275-Platform-Keystore-PKS-Support.patch
Patch225: 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
Patch226: 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
Patch227: 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
Patch228: 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
Patch229: 0006-appendedsig-documentation.patch
Patch230: 0007-grub-mkimage-Create-new-ELF-note-for-SBAT.patch
Patch231: 0008-grub-mkimage-Add-SBAT-metadata-into-ELF-note-for-Pow.patch
Patch232: 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
Patch233: 0001-kern-ieee1275-init-Add-IEEE-1275-Radix-support-for-K.patch
Patch234: 0001-cli_lock-Add-build-option-to-block-command-line-inte.patch
Patch235: 0002-Requiring-authentication-after-tpm-unlock-for-CLI-ac.patch
Patch236: 0001-kern-main-Fix-cmdpath-in-root-directory.patch
Patch237: grub2-s390x-secure-execution-support.patch
Patch238: 0001-powerpc-increase-MIN-RMA-size-for-CAS-negotiation.patch
Patch239: 0001-misc-Implement-grub_strlcpy.patch
Patch240: 0002-fs-ufs-Fix-a-heap-OOB-write.patch
Patch241: 0003-fs-hfs-Fix-stack-OOB-write-with-grub_strcpy.patch
Patch242: 0004-fs-tar-Integer-overflow-leads-to-heap-OOB-write.patch
Patch243: 0005-fs-hfsplus-Set-a-grub_errno-if-mount-fails.patch
Patch244: 0006-kern-file-Ensure-file-data-is-set.patch
Patch245: 0007-kern-file-Implement-filesystem-reference-counting.patch
Patch246: 0008-net-Fix-OOB-write-in-grub_net_search_config_file.patch
Patch247: 0009-video-readers-jpeg-Do-not-permit-duplicate-SOF0-mark.patch
Patch248: 0010-commands-extcmd-Missing-check-for-failed-allocation.patch
Patch249: 0011-commands-pgp-Unregister-the-check_signatures-hooks-o.patch
Patch250: 0012-normal-Remove-variables-hooks-on-module-unload.patch
Patch251: 0013-gettext-Remove-variables-hooks-on-module-unload.patch
Patch252: 0014-gettext-Integer-overflow-leads-to-heap-OOB-write-or-.patch
Patch253: 0015-gettext-Integer-overflow-leads-to-heap-OOB-write.patch
Patch254: 0016-commands-read-Fix-an-integer-overflow-when-supplying.patch
Patch255: 0017-commands-minicmd-Block-the-dump-command-in-lockdown-.patch
Patch256: 0018-fs-bfs-Disable-under-lockdown.patch
Patch257: 0019-fs-Disable-many-filesystems-under-lockdown.patch
Patch258: 0020-fs-Prevent-overflows-when-allocating-memory-for-arra.patch
Patch259: 0001-bls-Accept-.conf-suffix-in-setting-default-entry.patch
Patch260: 0001-fs-xfs-Add-new-superblock-features-added-in-Linux-6..patch
Patch261: 0002-fs-xfs-Fix-grub_xfs_iterate_dir-return-value-in-case.patch
Patch262: 0003-fs-xfs-fix-large-extent-counters-incompat-feature-su.patch
%if 0%{?suse_version} < 1600
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
%ifnarch s390x
@ -417,9 +453,6 @@ Recommends: os-prober
Suggests: libburnia-tools
Suggests: mtools
%endif
%if ! 0%{?only_efi:1}
Requires: grub2-%{grubarch} = %{version}-%{release}
%endif
%ifarch s390x
# required utilities by grub2-s390x-04-grub2-install.patch
# use 'showconsole' to determine console device. (bnc#876743)
@ -435,6 +468,16 @@ Requires: powerpc-utils
# meanwhile, memtest is available as EFI executable
Recommends: memtest86+
%endif
%endif
%if 0%{?suse_version} >= 1600
# Always requires a default cpu-platform package
Requires: grub2-%{grubarch} = %{version}-%{release}
%else
%if ! 0%{?only_efi:1}
Requires: grub2-%{grubarch} = %{version}-%{release}
%endif
%endif
%if 0%{?only_x86_64:1}
ExclusiveArch: x86_64
@ -448,13 +491,48 @@ highly configurable and customizable bootloader with modular
architecture. It support rich scale of kernel formats, file systems,
computer architectures and hardware devices.
%if 0%{?suse_version} >= 1600
%package common
Summary: Utilies to manage grub
Group: System/Boot
Requires: gettext-runtime
%ifnarch s390x
Recommends: os-prober
%endif
# xorriso not available using grub2-mkrescue (bnc#812681)
# downgrade to suggest as minimal system can't afford pulling in tcl/tk and half of the x11 stack (bsc#1102515)
Suggests: libburnia-tools
Suggests: mtools
%ifarch s390x
# required utilities by grub2-s390x-04-grub2-install.patch
# use 'showconsole' to determine console device. (bnc#876743)
Requires: kexec-tools
Requires: (/sbin/showconsole or /usr/sbin/showconsole)
# for /sbin/zipl used by grub2-zipl-setup
Requires: s390-tools
%endif
%ifarch ppc64 ppc64le
Requires: powerpc-utils
%endif
%ifarch %{ix86}
# meanwhile, memtest is available as EFI executable
Recommends: memtest86+
%endif
%description common
This package includes user space utlities to manage GRUB on your system.
%endif
%package branding-upstream
Summary: Upstream branding for GRUB2's graphical console
Group: System/Fhs
BuildArch: noarch
%if 0%{?suse_version} >= 1600
Requires: %{name}-common = %{version}
%else
Requires: %{name} = %{version}
%endif
%description branding-upstream
Upstream branding for GRUB2's graphical console
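Review bot: the new common subpackage has typos in user-visible metadata: 'Summary: Utilies to manage grub' and 'user space utlities' in the %description should read 'Utilities' and 'utilities'. The dependency block under '%package common' is also a copy of the one kept under '%if 0%{?suse_version} < 1600' for the main package, so the two lists can drift apart; a shared macro or a comment pointing from one to the other would make that harder.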
@ -467,8 +545,13 @@ Group: System/Boot
%if "%{platform}" != "emu"
BuildArch: noarch
%endif
%if 0%{?suse_version} >= 1600
Requires: %{name}-common = %{version}
Requires(post): %{name}-common = %{version}
%else
Requires: %{name} = %{version}
Requires(post): %{name} = %{version}
%endif
%{?update_bootloader_requires}
%description %{grubarch}
@ -516,8 +599,13 @@ BuildArch: noarch
# Without it grub-install is broken so break the package as well if unavailable
Requires: efibootmgr
Requires(post): efibootmgr
%if 0%{?suse_version} >= 1600
Requires: %{name}-common = %{version}
Requires(post): %{name}-common = %{version}
%else
Requires: %{name} = %{version}
Requires(post): %{name} = %{version}
%endif
%{?update_bootloader_requires}
%{?fde_tpm_update_requires}
Provides: %{name}-efi = %{version}-%{release}
@ -529,6 +617,16 @@ bootloader with modular architecture. It supports rich variety of kernel format
file systems, computer architectures and hardware devices. This subpackage
provides support for EFI systems.
%if 0%{?suse_version} >= 1600
%package %{grubefiarch}-bls
Summary: Image for Boot Loader Specification (BLS) support on %{grubefiarch}
Group: System/Boot
BuildArch: noarch
%description %{grubefiarch}-bls
Custom EFI build tailored for Boot Loader Specification (BLS) support.
%endif
%package %{grubefiarch}-extras
Summary: Unsupported modules for %{grubefiarch}
@ -586,15 +684,32 @@ Provides: %{name}-%{grubxenarch}:%{_datadir}/%{name}/%{grubxenarch}/zfsinf
%description %{grubxenarch}-extras
Unsupported modules for %{name}-%{grubxenarch}
%package %{grubxenarch}-debug
Summary: Debug symbols for %{grubxenarch}
Group: System/Boot
BuildArch: noarch
Requires: %{name}-%{grubxenarch} = %{version}
%description %{grubxenarch}-debug
Debug symbols for %{name}-%{grubxenarch}
Information on how to debug grub can be found online:
https://www.cnblogs.com/coryxie/archive/2013/03/12/2956807.html
%endif
%package snapper-plugin
Summary: Grub2's snapper plugin
Group: System/Fhs
Requires: %{name} = %{version}
Requires: libxml2-tools
%if 0%{?suse_version} >= 1600
Requires: (grub2 or grub2-common)
Supplements: ((grub2 or grub2-common) and snapper)
%else
Requires: %{name} = %{version}
Supplements: packageand(snapper:grub2)
%endif
BuildArch: noarch
%description snapper-plugin
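Review bot: for suse_version >= 1600 the snapper-plugin dependency becomes 'Requires: (grub2 or grub2-common)' with no version, while the %else branch keeps 'Requires: %{name} = %{version}'. That drops the version coupling between the plugin and the tools it calls on the newer codestream. If this is not deliberate, keep the constraint inside the rich dependency, for example '(grub2 = %{version} or grub2-common = %{version})'. Separately, the xen-debug %description points to a third-party blog URL for debugging instructions; a link to project documentation would be less likely to go stale.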
@ -605,9 +720,14 @@ Grub2's snapper plugin for advanced btrfs snapshot boot menu management
Summary: Grub2's systemd-sleep plugin
Group: System/Fhs
Requires: grub2
Requires: util-linux
%if 0%{?suse_version} >= 1600
Requires: (grub2 or grub2-common)
Supplements: ((grub2 or grub2-common) and systemd)
%else
Requires: grub2
Supplements: packageand(systemd:grub2)
%endif
BuildArch: noarch
%description systemd-sleep-plugin
@ -708,7 +828,7 @@ CD_MODULES="all_video boot cat configfile echo true \
PXE_MODULES="tftp http"
CRYPTO_MODULES="luks luks2 gcry_rijndael gcry_sha1 gcry_sha256 gcry_sha512 crypttab"
%ifarch %{efi}
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tpm2 memdisk tar squash4 xzio blscfg"
CD_MODULES="${CD_MODULES} chain efifwsetup efinet read tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg"
PXE_MODULES="${PXE_MODULES} efinet"
%else
CD_MODULES="${CD_MODULES} net ofnet"
@ -756,6 +876,59 @@ mksquashfs ./fonts memdisk.sqsh -keep-as-directory -comp xz -quiet -no-progress
./grub-mkimage -O %{grubefiarch} -o grub.efi --memdisk=./memdisk.sqsh --prefix= %{?sbat_generation:--sbat sbat.csv} \
-d grub-core ${GRUB_MODULES}
%if 0%{?suse_version} >= 1600
rm memdisk.sqsh
# Building grubbls.efi
# FIXME: error out if theme_vendor missing
theme_vendor=$(find %{_datadir}/%{name}/themes -type f -name activate-theme -exec dirname {} \; -quit)
theme_vendor=${theme_vendor##*/}
# [ -n "$theme_vendor" ] || { echo "ERROR: no grub2 theme vendor found, missing branding package ??"; exit 1 }
mkdir -p ./boot/grub
cp -rf "%{_datadir}/%{name}/themes/$theme_vendor" ./boot/grub/themes
rm -f "./boot/grub/themes/activate-theme"
cat > ./grubbls.cfg <<'EOF'
regexp --set 1:root '\((.*)\)' "$cmdpath"
set timeout=8
set gfxmode=auto
set gfxpayload=keep
set enable_blscfg=1
terminal_input console
terminal_output console
terminal_output --append gfxterm
loadfont (memdisk)/boot/grub/themes/DejaVuSans-Bold14.pf2
loadfont (memdisk)/boot/grub/themes/DejaVuSans10.pf2
loadfont (memdisk)/boot/grub/themes/DejaVuSans12.pf2
loadfont (memdisk)/boot/grub/themes/ascii.pf2
set theme=(memdisk)/boot/grub/themes/theme.txt
export theme
EOF
%if 0%{?suse_version} > 1500
tar --sort=name -cf - ./boot | mksquashfs - memdisk.sqsh -tar -comp xz -quiet -no-progress
%else
mksquashfs ./boot memdisk.sqsh -keep-as-directory -comp xz -quiet -no-progress
%endif
./grub-mkimage -O %{grubefiarch} \
-o grubbls.efi \
--memdisk=./memdisk.sqsh \
-c ./grubbls.cfg \
%{?sbat_generation:--sbat sbat.csv} \
-d grub-core \
all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt png reboot video \
fat tpm tss2 tpm2_key_protector memdisk tar squash4 xzio blscfg linux bli regexp loadenv test echo true sleep
%endif
%ifarch x86_64 aarch64
if test -e %{_sourcedir}/_projectcert.crt ; then
prjsubject=$(openssl x509 -in %{_sourcedir}/_projectcert.crt -noout -subject_hash)
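Review bot: in the grubbls.efi block the empty-theme check is left commented out under a FIXME, so when 'find ... -name activate-theme' matches nothing, $theme_vendor is empty and 'cp -rf "%{_datadir}/%{name}/themes/$theme_vendor" ./boot/grub/themes' copies the whole themes directory instead of one vendor theme. The loadfont and 'set theme=' paths in grubbls.cfg then point at files that are not where the config expects them, and the build still succeeds. Please enable the check; note that the commented line as written is missing a ';' before the closing '}' ('exit 1 }'), so it would be a shell syntax error if simply uncommented.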
@ -786,6 +959,14 @@ cd ..
%if ! 0%{?only_efi:1}
cd build
%ifarch ppc ppc64 ppc64le
%if 0%{?sbat_generation}
echo "sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md" > sbat.csv
echo "grub,%{sbat_generation_grub},Free Software Foundation,grub,%{version},https://www.gnu.org/software/grub/" >> sbat.csv
echo "grub.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}" >> sbat.csv
%endif
%endif
%if "%{platform}" != "emu"
%define arch_specific --enable-device-mapper
TLFLAGS="-static"
@ -825,8 +1006,6 @@ echo "bpath=$bpath"
if regexp '^(tftp|http)$' "$bdev"; then
if [ -z "$bpath" ]; then
echo "network booting via $bdev but firmware didn't provide loaded path from sever root"
bpath="/boot/grub2/powerpc-ieee1275"
echo "using bpath=$bpath as fallback path"
fi
elif [ -z "$ENV_FS_UUID" ]; then
echo "Reading vars from ($bdev)"
@ -871,6 +1050,17 @@ set prefix=""
set root=""
set cfg="grub.cfg"
if regexp '^(tftp|http)$' "$bdev"; then
cfg_dir=""
root="$bdev$bpart"
if [ -z "$bpath" ]; then
bpath="/boot/grub2/powerpc-ieee1275"
echo "using bpath=$bpath as fallback path"
fi
prefix="($root)$bpath"
cfg="grub.cfg"
fi
for uuid in $ENV_CRYPTO_UUID; do
cryptomount -u $uuid
done
@ -915,7 +1105,7 @@ fi
EOF
%{__tar} cvf memdisk.tar ./grub.cfg
./grub-mkimage -O %{grubarch} -o grub.elf -d grub-core -x grub.der -m memdisk.tar \
-c %{platform}-config --appended-signature-size %brp_pesign_reservation ${GRUB_MODULES}
-c %{platform}-config -s sbat.csv --appended-signature-size %brp_pesign_reservation ${GRUB_MODULES}
ls -l "grub.elf"
truncate -s -%brp_pesign_reservation "grub.elf"
fi
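Review bot: the PowerPC grub-mkimage call now passes '-s sbat.csv' unconditionally, but sbat.csv is only written inside '%if 0%{?sbat_generation}' earlier in the same build section, and the EFI images use the guarded form '%{?sbat_generation:--sbat sbat.csv}'. Using the same guarded form here would keep the three grub-mkimage invocations consistent and avoid referencing a file that was never created when the macro is unset.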
@ -947,6 +1137,9 @@ install -m 644 grub.efi %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/.
%ifarch x86_64
ln -srf %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub-tpm.efi
%endif
%if 0%{?suse_version} >= 1600
install -m 644 grubbls.efi %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/.
%endif
# Create grub.efi link to system efi directory
# This is for tools like kiwi not fiddling with the path
@ -968,7 +1161,11 @@ EoM
%endif
%ifarch x86_64 aarch64
%if 0%{?suse_version} >= 1600
export BRP_PESIGN_FILES="%{_datadir}/%{name}/%{grubefiarch}/grub.efi %{_datadir}/%{name}/%{grubefiarch}/grubbls.efi"
%else
export BRP_PESIGN_FILES="%{_datadir}/%{name}/%{grubefiarch}/grub.efi"
%endif
install -m 444 grub.der %{buildroot}/%{sysefidir}/
%endif
@ -1046,7 +1243,11 @@ rm -f $R%{_sysconfdir}/grub.d/20_ppc_terminfo
%ifarch s390x
mv $R%{_sysconfdir}/{grub.d,default}/zipl2grub.conf.in
mv $R%{_sysconfdir}/{grub.d,default}/se-zipl2grub.conf.in
mv $R%{_sysconfdir}/{grub.d,default}/se-parm.conf.in
chmod 600 $R%{_sysconfdir}/default/zipl2grub.conf.in
chmod 600 $R%{_sysconfdir}/default/se-zipl2grub.conf.in
chmod 600 $R%{_sysconfdir}/default/se-parm.conf.in
%define dracutlibdir %{_prefix}/lib/dracut
%define dracutgrubmoddir %{dracutlibdir}/modules.d/99grub2
@ -1081,9 +1282,9 @@ perl -ni -e '
# EXTRA_PATTERN='pattern1|pattern2|pattern3|...'
EXTRA_PATTERN="zfs"
%ifarch %{ix86} x86_64
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -type f | sed 's,%{buildroot},,' > %{grubxenarch}-all.lst
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}.lst
grep -E ${EXTRA_PATTERN} %{grubxenarch}-all.lst > %{grubxenarch}-extras.lst
find %{buildroot}/%{_datadir}/%{name}/%{grubxenarch}/ -name '*.mod' | sed 's,%{buildroot},,' > %{grubxenarch}-mod-all.lst
grep -v -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod.lst
grep -E ${EXTRA_PATTERN} %{grubxenarch}-mod-all.lst > %{grubxenarch}-mod-extras.lst
%endif
%ifarch %{efi}
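Review bot: `${EXTRA_PATTERN}` is passed to `grep -E` unquoted in all the xen list lines, while the comment above advertises values of the form `pattern1|pattern2|pattern3|...`. Quote it as `"${EXTRA_PATTERN}"` so a future pattern containing whitespace or glob characters is not split or expanded by the shell. Also, `grep` returns a non-zero status when no path matches, so if the build shell stops on errors, the `-mod-extras.lst` line needs `|| :` for the case where no zfs module is built.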
@ -1101,10 +1302,20 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%fdupes %buildroot%{_libdir}
%fdupes %buildroot%{_datadir}
%if 0%{?suse_version} >= 1600
%pre common
%else
%pre
%endif
%service_add_pre grub2-once.service
%if 0%{?suse_version} >= 1600
%post common
%else
%post
%endif
%service_add_post grub2-once.service
%if ! 0%{?only_efi:1}
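Review bot: the `%if 0%{?suse_version} >= 1600` / `%else` / `%endif` wrapper is repeated verbatim around `%pre` and `%post` here and again around `%preun` and `%postun` in the next hunk, which makes it easy to update three and miss the fourth. Define the subpackage name once in a macro that is empty below 1600 and write each scriptlet header a single time, or at least add a comment saying the four blocks must stay in step.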
@ -1132,19 +1343,29 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%endif
%if 0%{?suse_version} >= 1600
%preun common
%else
%preun
%endif
%service_del_preun grub2-once.service
%if 0%{?suse_version} >= 1600
%postun common
%else
%postun
%endif
%service_del_postun grub2-once.service
%files -f %{name}.lang
%defattr(-,root,root,-)
%if 0%{?suse_version} < 1500
%doc COPYING
%if 0%{?suse_version} >= 1600
%files
%else
%license COPYING
%files -f %{name}.lang
%endif
%defattr(-,root,root,-)
%doc AUTHORS
%doc NEWS README
%doc THANKS TODO ChangeLog
@ -1152,6 +1373,16 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%ifarch s390x
%doc README.ibm3215
%endif
%if 0%{?suse_version} >= 1600
%files common -f %{name}.lang
%defattr(-,root,root,-)
%endif
%if 0%{?suse_version} < 1500
%doc COPYING
%else
%license COPYING
%endif
%dir /boot/%{name}
%ghost %attr(600, root, root) /boot/%{name}/grub.cfg
%{_datadir}/bash-completion/completions/grub*
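Review bot: once the new `%files common -f %{name}.lang` block closes with `%endif`, the `COPYING`, `%dir /boot/%{name}`, `%ghost ... grub.cfg` and following entries are unconditional, so they land in `common` on suse_version >= 1600 and in the main package otherwise. Nothing in the spec says this is intended, and it is hard to see from the conditionals alone. Add a short comment above the block stating which package owns the following entries in each case, so that a later edit does not move the license or the `grub.cfg` ghost entry into the wrong package.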
@ -1162,7 +1393,14 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%config(noreplace) %{_sysconfdir}/grub.d/05_crypttab
%config(noreplace) %{_sysconfdir}/grub.d/10_linux
%config(noreplace) %{_sysconfdir}/grub.d/20_linux_xen
%config(noreplace) %{_sysconfdir}/grub.d/25_bli
# The bli.mod is enabled in grubbls.efi, which will mostly adhere to systemd
# standards. But it is not the case for grub.efi, as it serves no purpose
# there, among other considerations. Therefore, the 25_bli script that loads
# bli.mod as an external module should be disabled (by stripping off its
# executable bit) to prevent showing 'file not found' error. This is because
# grub.efi may intentionally lack access to external modules, as it is designed
# to be a drop-in file, requires no external dependency (boo#1231591)
%attr(0644, root, root) %config(noreplace) %{_sysconfdir}/grub.d/25_bli
%config(noreplace) %{_sysconfdir}/grub.d/30_uefi-firmware
%config(noreplace) %{_sysconfdir}/grub.d/40_custom
%config(noreplace) %{_sysconfdir}/grub.d/41_custom
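Review bot: the `%attr(0644, root, root)` on `25_bli` is unconditional, and the comment explains that `grub.efi` has no use for the script and that `grubbls.efi` already has `bli.mod` enabled, which leaves open who is expected to run the script at all. Either state in the comment when an administrator should restore the executable bit, or stop packaging the file. The comment would also read better shortened to the decision and the bug reference (boo#1231591).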
@ -1175,6 +1413,8 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%endif
%ifarch s390x
%config(noreplace) %{_sysconfdir}/default/zipl2grub.conf.in
%config(noreplace) %{_sysconfdir}/default/se-zipl2grub.conf.in
%config(noreplace) %{_sysconfdir}/default/se-parm.conf.in
%{dracutlibdir}
%{_sbindir}/%{name}-zipl-setup
%{_datadir}/%{name}/zipl-refresh
@ -1185,7 +1425,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%{_sbindir}/%{name}-probe
%{_sbindir}/%{name}-reboot
%{_sbindir}/%{name}-set-default
%{_sbindir}/%{name}-switch-to-blscfg
%{_sbindir}/%{name}-check-default
%{_bindir}/%{name}-editenv
%{_bindir}/%{name}-file
@ -1238,7 +1477,6 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%{_mandir}/man8/%{name}-probe.8.*
%{_mandir}/man8/%{name}-reboot.8.*
%{_mandir}/man8/%{name}-set-default.8.*
%{_mandir}/man8/%{name}-switch-to-blscfg.8.*
%if %{emu}
%{_bindir}/%{name}-emu
%{_mandir}/man1/%{name}-emu.1.*
@ -1333,6 +1571,12 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%{sysefidir}/grub.der
%endif
%if 0%{?suse_version} >= 1600
%files %{grubefiarch}-bls
%defattr(-,root,root,-)
%{_datadir}/%{name}/%{grubefiarch}/grubbls.efi
%endif
%files %{grubefiarch}-extras -f %{grubefiarch}-mod-extras.lst
%defattr(-,root,root,-)
%dir %{_datadir}/%{name}/%{grubefiarch}
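Review bot: the new `%files %{grubefiarch}-bls` section lists `grubbls.efi` but no `%dir %{_datadir}/%{name}/%{grubefiarch}`, while the `%{grubefiarch}-extras` section directly below owns that directory explicitly. Add the `%dir` line to the `-bls` section as well, or confirm that the subpackage requires a package that owns the directory, so the directory is not left unowned when only `-bls` is installed.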
@ -1353,16 +1597,27 @@ grep -E ${EXTRA_PATTERN} %{grubarch}-mod-all.lst > %{grubarch}-mod-extras.lst
%{_libdir}/snapper/plugins/grub
%ifarch %{ix86} x86_64
%files %{grubxenarch} -f %{grubxenarch}.lst
%files %{grubxenarch} -f %{grubxenarch}-mod.lst
%defattr(-,root,root,-)
%dir %{_datadir}/%{name}/%{grubxenarch}
# provide compatibility sym-link for VM definitions pointing to old location
%dir %{_libdir}/%{name}
%{_libdir}/%{name}/%{grubxenarch}
%{_datadir}/%{name}/%{grubxenarch}/grub.xen
%{_datadir}/%{name}/%{grubxenarch}/*.img
%{_datadir}/%{name}/%{grubxenarch}/*.lst
%{_datadir}/%{name}/%{grubxenarch}/kernel.exec
%{_datadir}/%{name}/%{grubxenarch}/modinfo.sh
%files %{grubxenarch}-extras -f %{grubxenarch}-extras.lst
%files %{grubxenarch}-extras -f %{grubxenarch}-mod-extras.lst
%defattr(-,root,root,-)
%dir %{_datadir}/%{name}/%{grubxenarch}
%files %{grubxenarch}-debug
%defattr(-,root,root,-)
%{_datadir}/%{name}/%{grubxenarch}/gdb_grub
%{_datadir}/%{name}/%{grubxenarch}/gdb_helper.py
%{_datadir}/%{name}/%{grubxenarch}/*.module
%endif
%if 0%{?has_systemd:1}


@ -3,20 +3,21 @@
util/grub-install.c | 6 ++++--
2 files changed, 40 insertions(+), 12 deletions(-)
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -27,8 +27,10 @@
Index: grub-2.12/grub-core/commands/tpm.c
===================================================================
--- grub-2.12.orig/grub-core/commands/tpm.c
+++ grub-2.12/grub-core/commands/tpm.c
@@ -27,7 +27,9 @@
#include <grub/verify.h>
#include <grub/dl.h>
#include <grub/extcmd.h>
+#ifdef GRUB_MACHINE_EFI
#include <grub/tpm2/tpm2.h>
#include <grub/efi/efi.h>
+#endif
GRUB_MOD_LICENSE ("GPLv3+");
@@ -97,12 +99,6 @@
@@ -96,12 +98,6 @@ struct grub_file_verifier grub_tpm_verif
.verify_string = grub_tpm_verify_string,
};
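Review bot: this refresh switches the patch header from `--- a/grub-core/commands/tpm.c` to the `Index: grub-2.12/...` form and shifts the first hunk from `-27,8 +27,10` to `-27,7 +27,9` in the same edit, so the diff does not show whether anything other than context moved. Say in the changelog entry that the patch was only rebased onto grub-2.12, or convert the header style in a separate commit so the offset changes can be reviewed on their own.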
@ -29,7 +30,7 @@
static const struct grub_arg_option grub_tpm_record_pcrs_options[] =
{
{
@@ -118,6 +114,14 @@
@@ -117,6 +113,14 @@ static const struct grub_arg_option grub
{0, 0, 0, 0, 0, 0}
};
@ -44,7 +45,7 @@
static grub_err_t
grub_tpm_parse_pcr_index (const char *word, const char **end_ret, unsigned int *index)
{
@@ -269,6 +273,10 @@
@@ -268,6 +272,10 @@ grub_tpm_record_pcrs (grub_extcmd_contex
grub_size_t size = 0;
int n, rv = 1;
@ -55,7 +56,7 @@
if (argc == 0)
pcr_bitmask = GRUB2_PCR_BITMASK_DEFAULT;
else
@@ -297,6 +305,18 @@
@@ -296,6 +304,18 @@ out:
return rv;
}
@ -74,9 +75,11 @@
static grub_extcmd_t cmd;
GRUB_MOD_INIT (tpm)
--- a/util/grub-install.c
+++ b/util/grub-install.c
@@ -1560,8 +1560,9 @@
Index: grub-2.12/util/grub-install.c
===================================================================
--- grub-2.12.orig/util/grub-install.c
+++ grub-2.12/util/grub-install.c
@@ -1574,8 +1574,9 @@ main (int argc, char *argv[])
grub_util_unlink (load_cfg);
@ -87,7 +90,7 @@
load_cfg_f = grub_util_fopen (load_cfg, "wb");
have_load_cfg = 1;
fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");
@@ -1569,7 +1570,8 @@
@@ -1583,7 +1584,8 @@ main (int argc, char *argv[])
if (debug_image && debug_image[0])
{
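Review bot: `fprintf (load_cfg_f, "tpm_record_pcrs 0-9\n");` hard-codes the PCR range in `grub-install.c`, while `grub_tpm_record_pcrs` in `tpm.c` already falls back to `GRUB2_PCR_BITMASK_DEFAULT` when called with no arguments. If the two are meant to select the same PCRs, emit the command without an argument so the set is defined in one place. If `0-9` is deliberately different, add a comment at the `fprintf` saying why.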


@ -1,16 +1,17 @@
--- a/grub-core/commands/tpm.c
+++ b/grub-core/commands/tpm.c
@@ -26,6 +26,9 @@
Index: grub-2.12/grub-core/commands/tpm.c
===================================================================
--- grub-2.12.orig/grub-core/commands/tpm.c
+++ grub-2.12/grub-core/commands/tpm.c
@@ -26,6 +26,8 @@
#include <grub/term.h>
#include <grub/verify.h>
#include <grub/dl.h>
+#include <grub/extcmd.h>
+#include <grub/tpm2/tpm2.h>
+#include <grub/efi/efi.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -94,8 +97,214 @@
@@ -94,8 +96,214 @@ struct grub_file_verifier grub_tpm_verif
.verify_string = grub_tpm_verify_string,
};
@ -225,7 +226,7 @@
/*
* Even though this now calls ibmvtpm's grub_tpm_present() from GRUB_MOD_INIT(),
* it does seem to call it late enough in the initialization sequence so
@@ -109,6 +318,7 @@
@@ -109,6 +317,7 @@ GRUB_MOD_INIT (tpm)
GRUB_MOD_FINI (tpm)
{