rpms/grub2
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Sync with beta changes

Browse Source 
Resolves: rhbz#2006784
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
This commit is contained in:
Robbie Harwood 2021-10-26 19:48:28 +00:00
parent 4c7c1f4aaf
commit 4e8839634b
8 changed files with 353 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
0179-Add-suport-for-signing-grub-with-an-appended-signatu.patch
View File

@ -44,12 +44,12 @@ I will be proposing this for inclusion in a future Power Architecture
Platform Reference (PAPR).
---
util/grub-install-common.c | 18 ++++++++++++++++--
util/grub-mkimage.c | 16 ++++++++++++++--
util/grub-mkimage.c | 15 +++++++++++++--
util/grub-mkimagexx.c | 39 ++++++++++++++++++++++++++++++++++++++-
util/mkimage.c | 13 +++++++------
include/grub/util/install.h | 8 ++++++--
include/grub/util/mkimage.h | 4 ++--
6 files changed, 83 insertions(+), 15 deletions(-)
6 files changed, 82 insertions(+), 15 deletions(-)
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 4e212e690c5..aab2a941f85 100644
@ -106,14 +106,14 @@ index 4e212e690c5..aab2a941f85 100644
while (dc--)
grub_install_pop_module ();
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
index c0d55993702..26d1ecbf74e 100644
index c0d55993702..8a53310548b 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -84,6 +84,7 @@ static struct argp_option options[] = {
{"sbat", 's', N_("FILE"), 0, N_("SBAT metadata"), 0},
{"disable-shim-lock", GRUB_INSTALL_OPTIONS_DISABLE_SHIM_LOCK, 0, 0, N_("disable shim_lock verifier"), 0},
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
+ {"appended-signature-size", 's', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
+ {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
{ 0, 0, 0, 0, 0, 0 }
};
@ -147,14 +147,13 @@ index c0d55993702..26d1ecbf74e 100644
case 'm':
if (arguments->memdisk)
free (arguments->memdisk);
@@ -324,8 +334,10 @@ main (int argc, char *argv[])
@@ -324,8 +334,9 @@ main (int argc, char *argv[])
arguments.memdisk, arguments.pubkeys,
arguments.npubkeys, arguments.config,
arguments.image_target, arguments.note,
- arguments.comp, arguments.dtb,
- arguments.sbat, arguments.disable_shim_lock);
+
+ arguments.comp, arguments.appsig_size,
+ arguments.appsig_size, arguments.comp,
+ arguments.dtb, arguments.sbat,
+ arguments.disable_shim_lock);

6
0191-grub-install-support-embedding-x509-certificates.patch
View File

@ -94,7 +94,7 @@ index aab2a941f85..422f82362c7 100644
disable_shim_lock);
while (dc--)
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
index 26d1ecbf74e..c5cdda498eb 100644
index 8a53310548b..e1f1112784a 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
@ -138,8 +138,8 @@ index 26d1ecbf74e..c5cdda498eb 100644
+ arguments.npubkeys, arguments.x509keys,
+ arguments.nx509keys, arguments.config,
arguments.image_target, arguments.note,
arguments.comp, arguments.appsig_size,
arguments.appsig_size, arguments.comp,
arguments.dtb, arguments.sbat,
diff --git a/util/mkimage.c b/util/mkimage.c
index bab12276010..8319e8dfbde 100644
--- a/util/mkimage.c

63
0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch Normal file
View File

@ -0,0 +1,63 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Thu, 9 Sep 2021 10:59:28 -0400
Subject: [PATCH] Arm: check for the PE magic for the compiled arch
In "arm64: Fix EFI loader kernel image allocation", Ben fixed the kernel
alignment to match the alignment given in the PE header. In doing so, a
check for valid PE magic was added, which was hard-coded to the value
seen on Aarch64 (GRUB_PE32_PE64_MAGIC).
Unfortunately, this code is shared between 64-bit and 32-bit, and so
that value broke 32-bit Arm systems.
This patch adds a constant definition for GRUB_PE32_PEXX_MAGIC, which is
either GRUB_PE32_PE64_MAGIC or GRUB_PE32_PE32_MAGIC, depending on which
platform is being built, and uses it in the header magic check.
Resolves: rhbz#2000756
Signed-off-by: Peter Jones <pjones@redhat.com>
---
grub-core/loader/arm64/linux.c | 2 +-
include/grub/arm/linux.h | 1 +
include/grub/arm64/linux.h | 1 +
3 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index 4a252d5e7e9..f18d90bd749 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -322,7 +322,7 @@ parse_pe_header (void *kernel, grub_uint64_t *total_size,
pe = (void *)((unsigned long)kernel + lh->hdr_offset);
- if (pe->opt.magic != GRUB_PE32_PE64_MAGIC)
+ if (pe->opt.magic != GRUB_PE32_PEXX_MAGIC)
return grub_error(GRUB_ERR_BAD_OS, "Invalid PE optional header magic");
*total_size = pe->opt.image_size;
diff --git a/include/grub/arm/linux.h b/include/grub/arm/linux.h
index b582f67f661..966a5074f53 100644
--- a/include/grub/arm/linux.h
+++ b/include/grub/arm/linux.h
@@ -44,6 +44,7 @@ struct grub_arm_linux_pe_header
#if defined(__arm__)
# define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM_MAGIC_SIGNATURE
+# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE32_MAGIC
# define linux_arch_kernel_header linux_arm_kernel_header
# define grub_armxx_linux_pe_header grub_arm_linux_pe_header
#endif
diff --git a/include/grub/arm64/linux.h b/include/grub/arm64/linux.h
index ea030312df3..422bf2bf24b 100644
--- a/include/grub/arm64/linux.h
+++ b/include/grub/arm64/linux.h
@@ -48,6 +48,7 @@ struct grub_arm64_linux_pe_header
#if defined(__aarch64__)
# define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM64_MAGIC_SIGNATURE
+# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE64_MAGIC
# define linux_arch_kernel_header linux_arm64_kernel_header
# define grub_armxx_linux_pe_header grub_arm64_linux_pe_header
#endif

118
0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch Normal file
View File

@ -0,0 +1,118 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Erwan Velu <erwanaliasr1@gmail.com>
Date: Wed, 25 Aug 2021 15:31:52 +0200
Subject: [PATCH] fs/xfs: Fix unreadable filesystem with v4 superblock
The commit 8b1e5d193 (fs/xfs: Add bigtime incompat feature support)
introduced the bigtime support by adding some features in v3 inodes.
This change extended grub_xfs_inode struct by 76 bytes but also changed
the computation of XFS_V2_INODE_SIZE and XFS_V3_INODE_SIZE. Prior this
commit, XFS_V2_INODE_SIZE was 100 bytes. After the commit it's 84 bytes
XFS_V2_INODE_SIZE becomes 16 bytes too small.
As a result, the data structures aren't properly aligned and the GRUB
generates "attempt to read or write outside of partition" errors when
trying to read the XFS filesystem:
GNU GRUB version 2.11
....
grub> set debug=efi,gpt,xfs
grub> insmod part_gpt
grub> ls (hd0,gpt1)/
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (739521961424144223) - 344365866970255880, 3840
error: attempt to read or write outside of partition.
This commit change the XFS_V2_INODE_SIZE computation by subtracting 76
bytes instead of 92 bytes from the actual size of grub_xfs_inode struct.
This 76 bytes value comes from added members:
20 grub_uint8_t unused5
1 grub_uint64_t flags2
48 grub_uint8_t unused6
This patch explicitly splits the v2 and v3 parts of the structure.
The unused4 is still ending of the v2 structures and the v3 starts
at unused5. Thanks to this we will avoid future corruptions of v2
or v3 inodes.
The XFS_V2_INODE_SIZE is returning to its expected size and the
filesystem is back to a readable state:
GNU GRUB version 2.11
....
grub> set debug=efi,gpt,xfs
grub> insmod part_gpt
grub> ls (hd0,gpt1)/
partmap/gpt.c:93: Read a valid GPT header
partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:931: Reading sb
fs/xfs.c:270: Validating superblock
fs/xfs.c:295: XFS v4 superblock detected
fs/xfs.c:962: Reading root ino 128
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (128) - 64, 0
fs/xfs.c:515: Reading inode (131) - 64, 768
efi/ fs/xfs.c:515: Reading inode (3145856) - 1464904, 0
grub2/ fs/xfs.c:515: Reading inode (132) - 64, 1024
grub/ fs/xfs.c:515: Reading inode (139) - 64, 2816
grub>
Fixes: 8b1e5d193 (fs/xfs: Add bigtime incompat feature support)
Signed-off-by: Erwan Velu <e.velu@criteo.com>
Tested-by: Carlos Maiolino <cmaiolino@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
(cherry picked from commit a4b495520e4dc41a896a8b916a64eda9970c50ea)
---
grub-core/fs/xfs.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c
index 0f524c3a8a6..e3816d1ec4a 100644
--- a/grub-core/fs/xfs.c
+++ b/grub-core/fs/xfs.c
@@ -192,6 +192,11 @@ struct grub_xfs_time_legacy
grub_uint32_t nanosec;
} GRUB_PACKED;
+/*
+ * The struct grub_xfs_inode layout was taken from the
+ * struct xfs_dinode_core which is described here:
+ * https://mirrors.edge.kernel.org/pub/linux/utils/fs/xfs/docs/xfs_filesystem_structure.pdf
+ */
struct grub_xfs_inode
{
grub_uint8_t magic[2];
@@ -208,14 +213,15 @@ struct grub_xfs_inode
grub_uint32_t nextents;
grub_uint16_t unused3;
grub_uint8_t fork_offset;
- grub_uint8_t unused4[37];
+ grub_uint8_t unused4[17]; /* Last member of inode v2. */
+ grub_uint8_t unused5[20]; /* First member of inode v3. */
grub_uint64_t flags2;
- grub_uint8_t unused5[48];
+ grub_uint8_t unused6[48]; /* Last member of inode v3. */
} GRUB_PACKED;
#define XFS_V3_INODE_SIZE sizeof(struct grub_xfs_inode)
-/* Size of struct grub_xfs_inode until fork_offset (included). */
-#define XFS_V2_INODE_SIZE (XFS_V3_INODE_SIZE - 92)
+/* Size of struct grub_xfs_inode v2, up to unused4 member included. */
+#define XFS_V2_INODE_SIZE (XFS_V3_INODE_SIZE - 76)
struct grub_xfs_dirblock_tail
{

48
0222-Print-module-name-on-license-check-failure.patch Normal file
View File

@ -0,0 +1,48 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Tue, 12 Oct 2021 12:34:23 -0400
Subject: [PATCH] Print module name on license check failure
At the very least, this will make it easier to track down the problem
module - or, if something else has gone wrong, provide more information
for debugging.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
grub-core/kern/dl.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index 9557254035e..f3044945742 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -528,14 +528,16 @@ grub_dl_find_section_index (Elf_Ehdr *e, const char *name)
Be sure to understand your license obligations.
*/
static grub_err_t
-grub_dl_check_license (Elf_Ehdr *e)
+grub_dl_check_license (grub_dl_t mod, Elf_Ehdr *e)
{
Elf_Shdr *s = grub_dl_find_section (e, ".module_license");
if (s && (grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3") == 0
|| grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv3+") == 0
|| grub_strcmp ((char *) e + s->sh_offset, "LICENSE=GPLv2+") == 0))
return GRUB_ERR_NONE;
- return grub_error (GRUB_ERR_BAD_MODULE, "incompatible license");
+ return grub_error (GRUB_ERR_BAD_MODULE,
+ "incompatible license in module %s: %s", mod->name,
+ (char *) e + s->sh_offset);
}
static grub_err_t
@@ -743,8 +745,8 @@ grub_dl_load_core_noinit (void *addr, grub_size_t size)
constitutes linking) and GRUB core being licensed under GPLv3+.
Be sure to understand your license obligations.
*/
- if (grub_dl_check_license (e)
- || grub_dl_resolve_name (mod, e)
+ if (grub_dl_resolve_name (mod, e)
+ || grub_dl_check_license (mod, e)
|| grub_dl_resolve_dependencies (mod, e)
|| grub_dl_load_segments (mod, e)
|| grub_dl_resolve_symbols (mod, e)

106
0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch Normal file
View File

@ -0,0 +1,106 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Daniel Axtens <dja@axtens.net>
Date: Fri, 22 Oct 2021 09:53:15 +1100
Subject: [PATCH] powerpc-ieee1275: load grub at 4MB, not 2MB
This was first reported under PFW but reproduces under SLOF.
- The core.elf was 2126152 = 0x207148 bytes in size with the following
program headers (per readelf):
Entry point 0x200000
There are 4 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000160 0x00200000 0x00200000 0x21f98 0x2971c RWE 0x8
GNU_STACK 0x0220f8 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
LOAD 0x0220f8 0x00232000 0x00232000 0x1e4e50 0x1e4e50 RWE 0x4
NOTE 0x206f48 0x00000000 0x00000000 0x00200 0x00000 R 0x4
- SLOF places the ELF file at 0x4000 (after the reserved space for
interrupt handlers etc.) upwards. The image was 2126152 = 0x207148
bytes in size, so it runs from 0x4000 - 0x20b148. We'll call 0x4000 the
load address.
0x0 0x4000 0x20b148
|----------|--------------|
| reserved | ELF contents |
- SLOF then copies the first LOAD program header (for .text). That runs
for 0x21f98 bytes. It runs from
(load addr + 0x160) to (load addr + 0x160 + 0x21f98)
= 0x4160 to 0x260f8
and we copy it to 0x200000 to 0x221f98. This overwrites the end of the
image:
0x0 0x4000 0x200000 0x221f98
|----------|------------|---------------|
| reserved | ELF cont.. | .text section |
- SLOF zeros the bss up to PhysAddr + MemSize = 0x22971c
0x0 0x4000 0x200000 0x221f98 0x22971c
|----------|------------|---------------|--------|
| reserved | ELF cont.. | .text section | bss 0s |
- SLOF then goes to fulfil the next LOAD header (for mods), which is
for 0x1e4e50 bytes. We copy from
(load addr + 0x220f8) to (load addr + 0x220f8 + 0x1e4e50)
= 0x260f8 to 0x20af48
and we copy it to 0x232000 to 0x416e50:
0x0 0x4000 0x200000 0x221f98 0x22971c
|----------|------------|---------------|--------|
| reserved | ELF cont.. | .text section | bss 0s |
|-------------|
| copied area |
0x260f8 0x20af48
This goes poorly:
0x0 0x4000 0x200000 0x221f98 0x22971c 0x232000 0x40bf08 0x416e50
|----------|------------|---------------|--------|-----|-----------|-------------|
| reserved | ELF cont.. | .text section | bss 0s | pad | some mods | .text start |
This matches the observations on the running system - 0x40bf08 was where
the contents of memory no longer matched the contents of the ELF file.
This was reported as a license verification failure on SLOF as the
last module's .module_license section fell past where the corruption
began.
Signed-off-by: Daniel Axtens <dja@axtens.net>
[rharwood@redhat.com: trim very detailed commit message]
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
grub-core/Makefile.core.def | 2 +-
include/grub/offsets.h | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 3f3459b2c70..6b00eb55575 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -89,7 +89,7 @@ kernel = {
i386_xen_pvh_ldflags = '$(TARGET_IMG_BASE_LDOPT),0x100000';
mips_loongson_ldflags = '-Wl,-Ttext,0x80200000';
- powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x200000';
+ powerpc_ieee1275_ldflags = '-Wl,-Ttext,0x400000';
sparc64_ieee1275_ldflags = '-Wl,-Ttext,0x4400';
mips_arc_ldflags = '-Wl,-Ttext,$(TARGET_LINK_ADDR)';
mips_qemu_mips_ldflags = '-Wl,-Ttext,0x80200000';
diff --git a/include/grub/offsets.h b/include/grub/offsets.h
index 871e1cd4c38..69211aa798b 100644
--- a/include/grub/offsets.h
+++ b/include/grub/offsets.h
@@ -63,7 +63,7 @@
#define GRUB_KERNEL_SPARC64_IEEE1275_LINK_ADDR 0x4400
#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ALIGN 4
-#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x200000
+#define GRUB_KERNEL_POWERPC_IEEE1275_LINK_ADDR 0x400000
#define GRUB_KERNEL_MIPS_LOONGSON_LINK_ADDR 0x80200000

4
grub.patches
View File

@ -217,3 +217,7 @@ Patch0216: 0216-arm64-Fix-EFI-loader-kernel-image-allocation.patch
Patch0217: 0217-normal-main-Discover-the-device-to-read-the-config-f.patch
Patch0218: 0218-powerpc-adjust-setting-of-prefix-for-signed-binary-c.patch
Patch0219: 0219-powerpc-fix-prefix-signed-grub-special-case-for-Powe.patch
Patch0220: 0220-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch
Patch0221: 0221-fs-xfs-Fix-unreadable-filesystem-with-v4-superblock.patch
Patch0222: 0222-Print-module-name-on-license-check-failure.patch
Patch0223: 0223-powerpc-ieee1275-load-grub-at-4MB-not-2MB.patch

6
grub2.spec
View File

@ -14,7 +14,7 @@
Name: grub2
Epoch: 1
Version: 2.06
Release: 3%{?dist}
Release: 11%{?dist}
Summary: Bootloader with support for Linux, Multiboot and more
License: GPLv3+
URL: http://www.gnu.org/software/grub/
@ -523,6 +523,10 @@ mv ${EFI_HOME}/grub.cfg.stb ${EFI_HOME}/grub.cfg
%endif
%changelog
* Tue Oct 26 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-11
- Sync with beta changes
Resolves: rhbz#2006784
* Mon Sep 27 2021 Robbie Harwood <rharwood@redhat.com> - 2.06-3
- Rebuild for gating + rpminspect
Resolves: rhbz#2006784