diff --git a/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch b/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch new file mode 100644 index 0000000..b614ef3 --- /dev/null +++ b/SOURCES/0555-Make-debug-file-show-which-file-filters-get-run.patch @@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Fri, 29 Jul 2022 15:56:00 -0400 +Subject: [PATCH] Make debug=file show which file filters get run. + +If one of the file filters breaks things, it's hard to figure out where +it has happened. + +This makes grub log which filter is being run, which makes it easier to +figure out where you are in the sequence of events. + +Signed-off-by: Peter Jones +(cherry picked from commit d3d6518a13b5440a3be6c66b0ae47447182f2891) +(cherry picked from commit d197e70761b1383827e9008e21ee41c6c7015776) +--- + grub-core/kern/file.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c +index f062fc21e7..5e1f29d0dd 100644 +--- a/grub-core/kern/file.c ++++ b/grub-core/kern/file.c +@@ -30,6 +30,14 @@ void (*EXPORT_VAR (grub_grubnet_fini)) (void); + + grub_file_filter_t grub_file_filters[GRUB_FILE_FILTER_MAX]; + ++static char *filter_names[] = { ++ [GRUB_FILE_FILTER_VERIFY] = "GRUB_FILE_FILTER_VERIFY", ++ [GRUB_FILE_FILTER_GZIO] = "GRUB_FILE_FILTER_GZIO", ++ [GRUB_FILE_FILTER_XZIO] = "GRUB_FILE_FILTER_XZIO", ++ [GRUB_FILE_FILTER_LZOPIO] = "GRUB_FILE_FILTER_LZOPIO", ++ [GRUB_FILE_FILTER_MAX] = "GRUB_FILE_FILTER_MAX" ++}; ++ + /* Get the device part of the filename NAME. It is enclosed by parentheses. */ + char * + grub_file_get_device_name (const char *name) +@@ -121,6 +129,9 @@ grub_file_open (const char *name, enum grub_file_type type) + if (grub_file_filters[filter]) + { + last_file = file; ++ if (filter < GRUB_FILE_FILTER_MAX) ++ grub_dprintf ("file", "Running %s file filter\n", ++ filter_names[filter]); + file = grub_file_filters[filter] (file, type); + if (file && file != last_file) + { diff --git a/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch b/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch new file mode 100644 index 0000000..6f1bfc7 --- /dev/null +++ b/SOURCES/0556-efi-use-enumerated-array-positions-for-our-allocatio.patch @@ -0,0 +1,83 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 1 Aug 2022 14:06:30 -0400 +Subject: [PATCH] efi: use enumerated array positions for our allocation + choices + +In our kernel allocator on EFI systems, we currently have a growing +amount of code that references the various allocation policies by +position in the array, and of course maintenance of this code scales +very poorly. + +This patch changes them to be enumerated, so they're easier to refer to +farther along in the code without confusion. + +Signed-off-by: Peter Jones +(cherry picked from commit 6768026270cca015d7fef0ecc8a4119e9b3d3923) +(cherry picked from commit 50b2ca3274b6950393a4ffc7edde04a1a3de594e) +--- + grub-core/loader/i386/efi/linux.c | 31 ++++++++++++++++++++----------- + 1 file changed, 20 insertions(+), 11 deletions(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index d80d6ec312..23b27f6507 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -60,17 +60,26 @@ struct allocation_choice { + grub_efi_allocate_type_t alloc_type; + }; + +-static struct allocation_choice max_addresses[4] = ++enum { ++ KERNEL_PREF_ADDRESS, ++ KERNEL_4G_LIMIT, ++ KERNEL_NO_LIMIT, ++}; ++ ++static struct allocation_choice max_addresses[] = + { + /* the kernel overrides this one with pref_address and + * GRUB_EFI_ALLOCATE_ADDRESS */ +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ [KERNEL_PREF_ADDRESS] = ++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ /* If the flag in params is set, this one gets changed to be above 4GB. */ ++ [KERNEL_4G_LIMIT] = ++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, + /* this one is always below 4GB, which we still *prefer* even if the flag + * is set. */ +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, +- /* If the flag in params is set, this one gets changed to be above 4GB. */ +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, +- { 0, 0 } ++ [KERNEL_NO_LIMIT] = ++ { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ { NO_MEM, 0, 0 } + }; + static struct allocation_choice saved_addresses[4]; + +@@ -423,7 +432,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + if (lh->xloadflags & LINUX_XLF_CAN_BE_LOADED_ABOVE_4G) + { + grub_dprintf ("linux", "Loading kernel above 4GB is supported; enabling.\n"); +- max_addresses[2].addr = GRUB_EFI_MAX_USABLE_ADDRESS; ++ max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_USABLE_ADDRESS; + } + else + { +@@ -495,11 +504,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + grub_dprintf ("linux", "lh->pref_address: %p\n", (void *)(grub_addr_t)lh->pref_address); + if (lh->pref_address < (grub_uint64_t)GRUB_EFI_MAX_ALLOCATION_ADDRESS) + { +- max_addresses[0].addr = lh->pref_address; +- max_addresses[0].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS; ++ max_addresses[KERNEL_PREF_ADDRESS].addr = lh->pref_address; ++ max_addresses[KERNEL_PREF_ADDRESS].alloc_type = GRUB_EFI_ALLOCATE_ADDRESS; + } +- max_addresses[1].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; +- max_addresses[2].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; ++ max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; ++ max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; + kernel_size = lh->init_size; + kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE, + N_("can't allocate kernel")); diff --git a/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch b/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch new file mode 100644 index 0000000..08d2765 --- /dev/null +++ b/SOURCES/0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch @@ -0,0 +1,129 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 1 Aug 2022 14:24:39 -0400 +Subject: [PATCH] efi: split allocation policy for kernel vs initrd memories. + +Currently in our kernel allocator, we use the same set of choices for +all of our various kernel and initramfs allocations, though they do not +have exactly the same constraints. + +This patch adds the concept of an allocation purpose, which currently +can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls +appropriately, but does not change any current policy decision. It +also adds a few debug prints. + +Signed-off-by: Peter Jones +(cherry picked from commit 36307bed28cd838116fc4af26a30719660d62d4c) +(cherry picked from commit dc1196350b0cbe89582832f44df0fce67e0c9fb2) +--- + grub-core/loader/i386/efi/linux.c | 35 +++++++++++++++++++++++++++-------- + 1 file changed, 27 insertions(+), 8 deletions(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index 23b27f6507..09e7596064 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -55,7 +55,14 @@ struct grub_linuxefi_context { + + #define BYTES_TO_PAGES(bytes) (((bytes) + 0xfff) >> 12) + ++typedef enum { ++ NO_MEM, ++ KERNEL_MEM, ++ INITRD_MEM, ++} kernel_alloc_purpose_t; ++ + struct allocation_choice { ++ kernel_alloc_purpose_t purpose; + grub_efi_physical_address_t addr; + grub_efi_allocate_type_t alloc_type; + }; +@@ -64,6 +71,7 @@ enum { + KERNEL_PREF_ADDRESS, + KERNEL_4G_LIMIT, + KERNEL_NO_LIMIT, ++ INITRD_MAX_ADDRESS, + }; + + static struct allocation_choice max_addresses[] = +@@ -71,14 +79,17 @@ static struct allocation_choice max_addresses[] = + /* the kernel overrides this one with pref_address and + * GRUB_EFI_ALLOCATE_ADDRESS */ + [KERNEL_PREF_ADDRESS] = +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, + /* If the flag in params is set, this one gets changed to be above 4GB. */ + [KERNEL_4G_LIMIT] = +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, + /* this one is always below 4GB, which we still *prefer* even if the flag + * is set. */ + [KERNEL_NO_LIMIT] = +- { GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ { KERNEL_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, ++ /* this is for the initrd */ ++ [INITRD_MAX_ADDRESS] = ++ { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, + { NO_MEM, 0, 0 } + }; + static struct allocation_choice saved_addresses[4]; +@@ -95,7 +106,8 @@ kernel_free(void *addr, grub_efi_uintn_t size) + } + + static void * +-kernel_alloc(grub_efi_uintn_t size, ++kernel_alloc(kernel_alloc_purpose_t purpose, ++ grub_efi_uintn_t size, + grub_efi_memory_type_t memtype, + const char * const errmsg) + { +@@ -108,6 +120,9 @@ kernel_alloc(grub_efi_uintn_t size, + grub_uint64_t max = max_addresses[i].addr; + grub_efi_uintn_t pages; + ++ if (purpose != max_addresses[i].purpose) ++ continue; ++ + /* + * When we're *not* loading the kernel, or >4GB allocations aren't + * supported, these entries are basically all the same, so don't re-try +@@ -262,7 +277,8 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[]) + } + } + +- initrd_mem = kernel_alloc(size, GRUB_EFI_RUNTIME_SERVICES_DATA, ++ grub_dprintf ("linux", "Trying to allocate initrd mem\n"); ++ initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA, + N_("can't allocate initrd")); + if (initrd_mem == NULL) + goto fail; +@@ -440,7 +456,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + } + #endif + +- params = kernel_alloc (sizeof(*params), GRUB_EFI_RUNTIME_SERVICES_DATA, ++ params = kernel_alloc (KERNEL_MEM, sizeof(*params), ++ GRUB_EFI_RUNTIME_SERVICES_DATA, + "cannot allocate kernel parameters"); + if (!params) + goto fail; +@@ -462,7 +479,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + grub_dprintf ("linux", "new lh is at %p\n", lh); + + grub_dprintf ("linux", "setting up cmdline\n"); +- cmdline = kernel_alloc (lh->cmdline_size + 1, ++ cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1, + GRUB_EFI_RUNTIME_SERVICES_DATA, + N_("can't allocate cmdline")); + if (!cmdline) +@@ -510,7 +527,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + max_addresses[KERNEL_4G_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; + max_addresses[KERNEL_NO_LIMIT].addr = GRUB_EFI_MAX_ALLOCATION_ADDRESS; + kernel_size = lh->init_size; +- kernel_mem = kernel_alloc (kernel_size, GRUB_EFI_RUNTIME_SERVICES_CODE, ++ grub_dprintf ("linux", "Trying to allocate kernel mem\n"); ++ kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size, ++ GRUB_EFI_RUNTIME_SERVICES_CODE, + N_("can't allocate kernel")); + restore_addresses(); + if (!kernel_mem) diff --git a/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch b/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch new file mode 100644 index 0000000..28f603e --- /dev/null +++ b/SOURCES/0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch @@ -0,0 +1,63 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Mon, 1 Aug 2022 13:04:43 -0400 +Subject: [PATCH] efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd + allocations + +At some point due to an erroneous kernel warning, we switched kernel and +initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and +EFI_RUNTIME_SERVICES_DATA memory pools. This doesn't appear to be +correct according to the spec, and that kernel warning has gone away. + +This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA +allocations, respectively. + +Resolves: rhbz#2108456 + +Signed-off-by: Peter Jones +(cherry picked from commit 35b5d5fa47bc394c76022e6595b173e68f53225e) +(cherry picked from commit 66e1c922b40957fca488435e06a2f875a219844b) +--- + grub-core/loader/i386/efi/linux.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index 09e7596064..4d39023792 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -278,7 +278,7 @@ grub_cmd_initrd (grub_command_t cmd, int argc, char *argv[]) + } + + grub_dprintf ("linux", "Trying to allocate initrd mem\n"); +- initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_RUNTIME_SERVICES_DATA, ++ initrd_mem = kernel_alloc(INITRD_MEM, size, GRUB_EFI_LOADER_DATA, + N_("can't allocate initrd")); + if (initrd_mem == NULL) + goto fail; +@@ -457,7 +457,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + #endif + + params = kernel_alloc (KERNEL_MEM, sizeof(*params), +- GRUB_EFI_RUNTIME_SERVICES_DATA, ++ GRUB_EFI_LOADER_DATA, + "cannot allocate kernel parameters"); + if (!params) + goto fail; +@@ -480,7 +480,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + + grub_dprintf ("linux", "setting up cmdline\n"); + cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1, +- GRUB_EFI_RUNTIME_SERVICES_DATA, ++ GRUB_EFI_LOADER_DATA, + N_("can't allocate cmdline")); + if (!cmdline) + goto fail; +@@ -529,7 +529,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + kernel_size = lh->init_size; + grub_dprintf ("linux", "Trying to allocate kernel mem\n"); + kernel_mem = kernel_alloc (KERNEL_MEM, kernel_size, +- GRUB_EFI_RUNTIME_SERVICES_CODE, ++ GRUB_EFI_LOADER_CODE, + N_("can't allocate kernel")); + restore_addresses(); + if (!kernel_mem) diff --git a/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch b/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch new file mode 100644 index 0000000..ff614f8 --- /dev/null +++ b/SOURCES/0559-ieee1275-implement-vec5-for-cas-negotiation.patch @@ -0,0 +1,72 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Diego Domingos +Date: Thu, 25 Aug 2022 11:37:56 -0400 +Subject: [PATCH] ieee1275: implement vec5 for cas negotiation + +As a legacy support, if the vector 5 is not implemented, Power +Hypervisor will consider the max CPUs as 64 instead 256 currently +supported during client-architecture-support negotiation. + +This patch implements the vector 5 and set the MAX CPUs to 256 while +setting the others values to 0 (default). + +Signed-off-by: Diego Domingos +Signed-off-by: Robbie Harwood +(cherry picked from commit f735c65b6da8a9d4251242b37774e1a517511253) +(cherry picked from commit 1639f43b2db4ac405ac2a92e50ed4cff351c3baa) +--- + grub-core/kern/ieee1275/init.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c +index 1414695cc6..37f3098c39 100644 +--- a/grub-core/kern/ieee1275/init.c ++++ b/grub-core/kern/ieee1275/init.c +@@ -307,6 +307,18 @@ struct option_vector2 { + grub_uint8_t max_pft_size; + } __attribute__((packed)); + ++struct option_vector5 { ++ grub_uint8_t byte1; ++ grub_uint8_t byte2; ++ grub_uint8_t byte3; ++ grub_uint8_t cmo; ++ grub_uint8_t associativity; ++ grub_uint8_t bin_opts; ++ grub_uint8_t micro_checkpoint; ++ grub_uint8_t reserved0; ++ grub_uint32_t max_cpus; ++} __attribute__((packed)); ++ + struct pvr_entry { + grub_uint32_t mask; + grub_uint32_t entry; +@@ -325,6 +337,8 @@ struct cas_vector { + grub_uint16_t vec3; + grub_uint8_t vec4_size; + grub_uint16_t vec4; ++ grub_uint8_t vec5_size; ++ struct option_vector5 vec5; + } __attribute__((packed)); + + /* Call ibm,client-architecture-support to try to get more RMA. +@@ -345,7 +359,7 @@ grub_ieee1275_ibm_cas (void) + } args; + struct cas_vector vector = { + .pvr_list = { { 0x00000000, 0xffffffff } }, /* any processor */ +- .num_vecs = 4 - 1, ++ .num_vecs = 5 - 1, + .vec1_size = 0, + .vec1 = 0x80, /* ignore */ + .vec2_size = 1 + sizeof(struct option_vector2) - 2, +@@ -356,6 +370,10 @@ grub_ieee1275_ibm_cas (void) + .vec3 = 0x00e0, // ask for FP + VMX + DFP but don't halt if unsatisfied + .vec4_size = 2 - 1, + .vec4 = 0x0001, // set required minimum capacity % to the lowest value ++ .vec5_size = 1 + sizeof(struct option_vector5) - 2, ++ .vec5 = { ++ 0, 0, 0, 0, 0, 0, 0, 0, 256 ++ } + }; + + INIT_IEEE1275_COMMON (&args.common, "call-method", 3, 2); diff --git a/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch b/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch new file mode 100644 index 0000000..a422b99 --- /dev/null +++ b/SOURCES/0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch @@ -0,0 +1,38 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Tue, 11 Oct 2022 17:00:50 -0400 +Subject: [PATCH] x86-efi: Fix an incorrect array size in kernel allocation + +In 81a6ebf62bbe166ddc968463df2e8bd481bf697c ("efi: split allocation +policy for kernel vs initrd memories."), I introduced a split in the +kernel allocator to allow for different dynamic policies for the kernel +and the initrd allocations. + +Unfortunately, that change increased the size of the policy data used to +make decisions, but did not change the size of the temporary storage we +use to back it up and restore. This results in some of .data getting +clobbered at runtime, and hilarity ensues. + +This patch makes the size of the backup storage be based on the size of +the initial policy data. + +Signed-off-by: Peter Jones +(cherry picked from commit 37747b22342499a798ca3a8895770cd93b6e1258) +(cherry picked from commit 72713ce761720235c86bbda412480c97b2892e00) +--- + grub-core/loader/i386/efi/linux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c +index 4d39023792..3d55f8b8d2 100644 +--- a/grub-core/loader/i386/efi/linux.c ++++ b/grub-core/loader/i386/efi/linux.c +@@ -92,7 +92,7 @@ static struct allocation_choice max_addresses[] = + { INITRD_MEM, GRUB_EFI_MAX_ALLOCATION_ADDRESS, GRUB_EFI_ALLOCATE_MAX_ADDRESS }, + { NO_MEM, 0, 0 } + }; +-static struct allocation_choice saved_addresses[4]; ++static struct allocation_choice saved_addresses[sizeof(max_addresses) / sizeof(max_addresses[0])]; + + #define save_addresses() grub_memcpy(saved_addresses, max_addresses, sizeof(max_addresses)) + #define restore_addresses() grub_memcpy(max_addresses, saved_addresses, sizeof(max_addresses)) diff --git a/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch b/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch new file mode 100644 index 0000000..fee71eb --- /dev/null +++ b/SOURCES/0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch @@ -0,0 +1,25 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Robbie Harwood +Date: Tue, 18 Oct 2022 14:15:28 -0400 +Subject: [PATCH] switch-to-blscfg: don't assume newline at end of cfg + +Signed-off-by: Robbie Harwood +--- + util/grub-switch-to-blscfg.in | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/util/grub-switch-to-blscfg.in b/util/grub-switch-to-blscfg.in +index eeea130770..5a97954c39 100644 +--- a/util/grub-switch-to-blscfg.in ++++ b/util/grub-switch-to-blscfg.in +@@ -277,7 +277,9 @@ if grep '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" \ + fi + GENERATE=1 + elif ! grep -q '^GRUB_ENABLE_BLSCFG=.*' "${etcdefaultgrub}" ; then +- if ! echo 'GRUB_ENABLE_BLSCFG=true' >> "${etcdefaultgrub}" ; then ++ # prepend in case admins have been bad at newlines ++ sed -i '1iGRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}" ++ if ! grep -q '^GRUB_ENABLE_BLSCFG=true' "${etcdefaultgrub}" ; then + gettext_printf "Updating %s failed\n" "${etcdefaultgrub}" + exit 1 + fi diff --git a/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch b/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch new file mode 100644 index 0000000..e7f7a0c --- /dev/null +++ b/SOURCES/0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch @@ -0,0 +1,33 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Wed, 3 Aug 2022 19:45:33 +0800 +Subject: [PATCH] font: Reject glyphs exceeds font->max_glyph_width or + font->max_glyph_height + +Check glyph's width and height against limits specified in font's +metadata. Reject the glyph (and font) if such limits are exceeded. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16) +(cherry picked from commit 3b410ef4bb95e607cadeba2193fa90ae9bddb98d) +(cherry picked from commit 8ebe587def61af7893ebcae87d45c883f3cfb713) +--- + grub-core/font/font.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index b67507fcc8..8d1a990401 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -760,7 +760,9 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + || read_be_uint16 (font->file, &height) != 0 + || read_be_int16 (font->file, &xoff) != 0 + || read_be_int16 (font->file, &yoff) != 0 +- || read_be_int16 (font->file, &dwidth) != 0) ++ || read_be_int16 (font->file, &dwidth) != 0 ++ || width > font->max_char_width ++ || height > font->max_char_height) + { + remove_font (font); + return 0; diff --git a/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch b/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch new file mode 100644 index 0000000..df3a705 --- /dev/null +++ b/SOURCES/0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch @@ -0,0 +1,112 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 5 Aug 2022 00:51:20 +0800 +Subject: [PATCH] font: Fix size overflow in grub_font_get_glyph_internal() + +The length of memory allocation and file read may overflow. This patch +fixes the problem by using safemath macros. + +There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe +if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). +It is safe replacement for such code. It has safemath-like prototype. + +This patch also introduces grub_cast(value, pointer), it casts value to +typeof(*pointer) then store the value to *pointer. It returns true when +overflow occurs or false if there is no overflow. The semantics of arguments +and return value are designed to be consistent with other safemath macros. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985) +(cherry picked from commit 6bca9693878bdf61dd62b8c784862a48e75f569a) +(cherry picked from commit edbbda5486cf8c3dc2b68fbd3dead822ab448022) +--- + grub-core/font/font.c | 17 +++++++++++++---- + include/grub/bitmap.h | 18 ++++++++++++++++++ + include/grub/safemath.h | 2 ++ + 3 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 8d1a990401..d6df79602d 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -739,7 +739,8 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + grub_int16_t xoff; + grub_int16_t yoff; + grub_int16_t dwidth; +- int len; ++ grub_ssize_t len; ++ grub_size_t sz; + + if (index_entry->glyph) + /* Return cached glyph. */ +@@ -768,9 +769,17 @@ grub_font_get_glyph_internal (grub_font_t font, grub_uint32_t code) + return 0; + } + +- len = (width * height + 7) / 8; +- glyph = grub_malloc (sizeof (struct grub_font_glyph) + len); +- if (!glyph) ++ /* Calculate real struct size of current glyph. */ ++ if (grub_video_bitmap_calc_1bpp_bufsz (width, height, &len) || ++ grub_add (sizeof (struct grub_font_glyph), len, &sz)) ++ { ++ remove_font (font); ++ return 0; ++ } ++ ++ /* Allocate and initialize the glyph struct. */ ++ glyph = grub_malloc (sz); ++ if (glyph == NULL) + { + remove_font (font); + return 0; +diff --git a/include/grub/bitmap.h b/include/grub/bitmap.h +index 5728f8ca3a..0d9603f619 100644 +--- a/include/grub/bitmap.h ++++ b/include/grub/bitmap.h +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + struct grub_video_bitmap + { +@@ -79,6 +80,23 @@ grub_video_bitmap_get_height (struct grub_video_bitmap *bitmap) + return bitmap->mode_info.height; + } + ++/* ++ * Calculate and store the size of data buffer of 1bit bitmap in result. ++ * Equivalent to "*result = (width * height + 7) / 8" if no overflow occurs. ++ * Return true when overflow occurs or false if there is no overflow. ++ * This function is intentionally implemented as a macro instead of ++ * an inline function. Although a bit awkward, it preserves data types for ++ * safemath macros and reduces macro side effects as much as possible. ++ * ++ * XXX: Will report false overflow if width * height > UINT64_MAX. ++ */ ++#define grub_video_bitmap_calc_1bpp_bufsz(width, height, result) \ ++({ \ ++ grub_uint64_t _bitmap_pixels; \ ++ grub_mul ((width), (height), &_bitmap_pixels) ? 1 : \ ++ grub_cast (_bitmap_pixels / GRUB_CHAR_BIT + !!(_bitmap_pixels % GRUB_CHAR_BIT), (result)); \ ++}) ++ + void EXPORT_FUNC (grub_video_bitmap_get_mode_info) (struct grub_video_bitmap *bitmap, + struct grub_video_mode_info *mode_info); + +diff --git a/include/grub/safemath.h b/include/grub/safemath.h +index 1ccac276b5..30800ad6a1 100644 +--- a/include/grub/safemath.h ++++ b/include/grub/safemath.h +@@ -30,6 +30,8 @@ + #define grub_sub(a, b, res) __builtin_sub_overflow(a, b, res) + #define grub_mul(a, b, res) __builtin_mul_overflow(a, b, res) + ++#define grub_cast(a, res) grub_add ((a), 0, (res)) ++ + #else + /* + * Copyright 2020 Rasmus Villemoes diff --git a/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch b/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch new file mode 100644 index 0000000..0afdf93 --- /dev/null +++ b/SOURCES/0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch @@ -0,0 +1,81 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 5 Aug 2022 01:58:27 +0800 +Subject: [PATCH] font: Fix several integer overflows in + grub_font_construct_glyph() + +This patch fixes several integer overflows in grub_font_construct_glyph(). +Glyphs of invalid size, zero or leading to an overflow, are rejected. +The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() +returns NULL is fixed too. + +Fixes: CVE-2022-2601 + +Reported-by: Zhang Boyang +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf) +(cherry picked from commit b91eb9bd6c724339b7d7bb4765b9d36f1ee88b84) +(cherry picked from commit 1ebafd82dd19e522f0d753fd9828553fe8bcac78) +--- + grub-core/font/font.c | 29 +++++++++++++++++------------ + 1 file changed, 17 insertions(+), 12 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index d6df79602d..129aaa3838 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1517,6 +1517,7 @@ grub_font_construct_glyph (grub_font_t hinted_font, + struct grub_video_signed_rect bounds; + static struct grub_font_glyph *glyph = 0; + static grub_size_t max_glyph_size = 0; ++ grub_size_t cur_glyph_size; + + ensure_comb_space (glyph_id); + +@@ -1533,29 +1534,33 @@ grub_font_construct_glyph (grub_font_t hinted_font, + if (!glyph_id->ncomb && !glyph_id->attributes) + return main_glyph; + +- if (max_glyph_size < sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) ++ if (grub_video_bitmap_calc_1bpp_bufsz (bounds.width, bounds.height, &cur_glyph_size) || ++ grub_add (sizeof (*glyph), cur_glyph_size, &cur_glyph_size)) ++ return main_glyph; ++ ++ if (max_glyph_size < cur_glyph_size) + { + grub_free (glyph); +- max_glyph_size = (sizeof (*glyph) + (bounds.width * bounds.height + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT) * 2; +- if (max_glyph_size < 8) +- max_glyph_size = 8; +- glyph = grub_malloc (max_glyph_size); ++ if (grub_mul (cur_glyph_size, 2, &max_glyph_size)) ++ max_glyph_size = 0; ++ glyph = max_glyph_size > 0 ? grub_malloc (max_glyph_size) : NULL; + } + if (!glyph) + { ++ max_glyph_size = 0; + grub_errno = GRUB_ERR_NONE; + return main_glyph; + } + +- grub_memset (glyph, 0, sizeof (*glyph) +- + (bounds.width * bounds.height +- + GRUB_CHAR_BIT - 1) / GRUB_CHAR_BIT); ++ grub_memset (glyph, 0, cur_glyph_size); + + glyph->font = main_glyph->font; +- glyph->width = bounds.width; +- glyph->height = bounds.height; +- glyph->offset_x = bounds.x; +- glyph->offset_y = bounds.y; ++ if (bounds.width == 0 || bounds.height == 0 || ++ grub_cast (bounds.width, &glyph->width) || ++ grub_cast (bounds.height, &glyph->height) || ++ grub_cast (bounds.x, &glyph->offset_x) || ++ grub_cast (bounds.y, &glyph->offset_y)) ++ return main_glyph; + + if (glyph_id->attributes & GRUB_UNICODE_GLYPH_ATTRIBUTE_MIRROR) + grub_font_blit_glyph_mirror (glyph, main_glyph, diff --git a/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch b/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch new file mode 100644 index 0000000..2f9a33e --- /dev/null +++ b/SOURCES/0565-font-Remove-grub_font_dup_glyph.patch @@ -0,0 +1,42 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 5 Aug 2022 02:13:29 +0800 +Subject: [PATCH] font: Remove grub_font_dup_glyph() + +Remove grub_font_dup_glyph() since nobody is using it since 2013, and +I'm too lazy to fix the integer overflow problem in it. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d) +(cherry picked from commit ad950e1e033318bb50222ed268a6dcfb97389035) +(cherry picked from commit 71644fccc1d43309f0a379dcfe9341ec3bd9657d) +--- + grub-core/font/font.c | 14 -------------- + 1 file changed, 14 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 129aaa3838..347e9dfa29 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1055,20 +1055,6 @@ grub_font_get_glyph_with_fallback (grub_font_t font, grub_uint32_t code) + return best_glyph; + } + +-#if 0 +-static struct grub_font_glyph * +-grub_font_dup_glyph (struct grub_font_glyph *glyph) +-{ +- static struct grub_font_glyph *ret; +- ret = grub_malloc (sizeof (*ret) + (glyph->width * glyph->height + 7) / 8); +- if (!ret) +- return NULL; +- grub_memcpy (ret, glyph, sizeof (*ret) +- + (glyph->width * glyph->height + 7) / 8); +- return ret; +-} +-#endif +- + /* FIXME: suboptimal. */ + static void + grub_font_blit_glyph (struct grub_font_glyph *target, diff --git a/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch b/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch new file mode 100644 index 0000000..baa2d74 --- /dev/null +++ b/SOURCES/0566-font-Fix-integer-overflow-in-ensure_comb_space.patch @@ -0,0 +1,48 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 5 Aug 2022 02:27:05 +0800 +Subject: [PATCH] font: Fix integer overflow in ensure_comb_space() + +In fact it can't overflow at all because glyph_id->ncomb is only 8-bit +wide. But let's keep safe if somebody changes the width of glyph_id->ncomb +in the future. This patch also fixes the inconsistency between +render_max_comb_glyphs and render_combining_glyphs when grub_malloc() +returns NULL. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f) +(cherry picked from commit f66ea1e60c347408e92b6695d5105c7e0f24d568) +(cherry picked from commit 0e07159c24cdbb62a9d19fba8199065b049e03c7) +--- + grub-core/font/font.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 347e9dfa29..1367e44743 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1468,14 +1468,18 @@ ensure_comb_space (const struct grub_unicode_glyph *glyph_id) + if (glyph_id->ncomb <= render_max_comb_glyphs) + return; + +- render_max_comb_glyphs = 2 * glyph_id->ncomb; +- if (render_max_comb_glyphs < 8) ++ if (grub_mul (glyph_id->ncomb, 2, &render_max_comb_glyphs)) ++ render_max_comb_glyphs = 0; ++ if (render_max_comb_glyphs > 0 && render_max_comb_glyphs < 8) + render_max_comb_glyphs = 8; + grub_free (render_combining_glyphs); +- render_combining_glyphs = grub_malloc (render_max_comb_glyphs +- * sizeof (render_combining_glyphs[0])); ++ render_combining_glyphs = (render_max_comb_glyphs > 0) ? ++ grub_calloc (render_max_comb_glyphs, sizeof (render_combining_glyphs[0])) : NULL; + if (!render_combining_glyphs) +- grub_errno = 0; ++ { ++ render_max_comb_glyphs = 0; ++ grub_errno = GRUB_ERR_NONE; ++ } + } + + int diff --git a/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch b/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch new file mode 100644 index 0000000..c28337d --- /dev/null +++ b/SOURCES/0567-font-Fix-integer-overflow-in-BMP-index.patch @@ -0,0 +1,65 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 15 Aug 2022 02:04:58 +0800 +Subject: [PATCH] font: Fix integer overflow in BMP index + +The BMP index (font->bmp_idx) is designed as a reverse lookup table of +char entries (font->char_index), in order to speed up lookups for BMP +chars (i.e. code < 0x10000). The values in BMP index are the subscripts +of the corresponding char entries, stored in grub_uint16_t, while 0xffff +means not found. + +This patch fixes the problem of large subscript truncated to grub_uint16_t, +leading BMP index to return wrong char entry or report false miss. The +code now checks for bounds and uses BMP index as a hint, and fallbacks +to binary-search if necessary. + +On the occasion add a comment about BMP index is initialized to 0xffff. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492) +(cherry picked from commit 6d90568929e11739b56f09ebbce9185ca9c23519) +(cherry picked from commit b8c47c3dd6894b3135db861e3e563f661efad5c3) +--- + grub-core/font/font.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 1367e44743..059c23dff7 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -300,6 +300,8 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct + font->bmp_idx = grub_malloc (0x10000 * sizeof (grub_uint16_t)); + if (!font->bmp_idx) + return 1; ++ ++ /* Init the BMP index array to 0xffff. */ + grub_memset (font->bmp_idx, 0xff, 0x10000 * sizeof (grub_uint16_t)); + + +@@ -328,7 +330,7 @@ load_font_index (grub_file_t file, grub_uint32_t sect_length, struct + return 1; + } + +- if (entry->code < 0x10000) ++ if (entry->code < 0x10000 && i < 0xffff) + font->bmp_idx[entry->code] = i; + + last_code = entry->code; +@@ -696,9 +698,12 @@ find_glyph (const grub_font_t font, grub_uint32_t code) + /* Use BMP index if possible. */ + if (code < 0x10000 && font->bmp_idx) + { +- if (font->bmp_idx[code] == 0xffff) +- return 0; +- return &table[font->bmp_idx[code]]; ++ if (font->bmp_idx[code] < 0xffff) ++ return &table[font->bmp_idx[code]]; ++ /* ++ * When we are here then lookup in BMP index result in miss, ++ * fallthough to binary-search. ++ */ + } + + /* Do a binary search in `char_index', which is ordered by code point. */ diff --git a/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch b/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch new file mode 100644 index 0000000..31b66af --- /dev/null +++ b/SOURCES/0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch @@ -0,0 +1,85 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Sun, 14 Aug 2022 18:09:38 +0800 +Subject: [PATCH] font: Fix integer underflow in binary search of char index + +If search target is less than all entries in font->index then "hi" +variable is set to -1, which translates to SIZE_MAX and leads to errors. + +This patch fixes the problem by replacing the entire binary search code +with the libstdc++'s std::lower_bound() implementation. + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc) +(cherry picked from commit e110997335b1744464ea232d57a7d86e16ca8dee) +(cherry picked from commit 403053a5116ae945f9515a82c37ff8cfb927362c) +--- + grub-core/font/font.c | 40 ++++++++++++++++++++++------------------ + 1 file changed, 22 insertions(+), 18 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 059c23dff7..31786ab339 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -688,12 +688,12 @@ read_be_int16 (grub_file_t file, grub_int16_t * value) + static inline struct char_index_entry * + find_glyph (const grub_font_t font, grub_uint32_t code) + { +- struct char_index_entry *table; +- grub_size_t lo; +- grub_size_t hi; +- grub_size_t mid; ++ struct char_index_entry *table, *first, *end; ++ grub_size_t len; + + table = font->char_index; ++ if (table == NULL) ++ return NULL; + + /* Use BMP index if possible. */ + if (code < 0x10000 && font->bmp_idx) +@@ -706,25 +706,29 @@ find_glyph (const grub_font_t font, grub_uint32_t code) + */ + } + +- /* Do a binary search in `char_index', which is ordered by code point. */ +- lo = 0; +- hi = font->num_chars - 1; ++ /* ++ * Do a binary search in char_index which is ordered by code point. ++ * The code below is the same as libstdc++'s std::lower_bound(). ++ */ ++ first = table; ++ len = font->num_chars; ++ end = first + len; + +- if (!table) +- return 0; +- +- while (lo <= hi) ++ while (len > 0) + { +- mid = lo + (hi - lo) / 2; +- if (code < table[mid].code) +- hi = mid - 1; +- else if (code > table[mid].code) +- lo = mid + 1; ++ grub_size_t half = len >> 1; ++ struct char_index_entry *middle = first + half; ++ ++ if (middle->code < code) ++ { ++ first = middle + 1; ++ len = len - half - 1; ++ } + else +- return &table[mid]; ++ len = half; + } + +- return 0; ++ return (first < end && first->code == code) ? first : NULL; + } + + /* Get a glyph for the Unicode character CODE in FONT. The glyph is loaded diff --git a/SOURCES/0569-fbutil-Fix-integer-overflow.patch b/SOURCES/0569-fbutil-Fix-integer-overflow.patch new file mode 100644 index 0000000..8854410 --- /dev/null +++ b/SOURCES/0569-fbutil-Fix-integer-overflow.patch @@ -0,0 +1,85 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Tue, 6 Sep 2022 03:03:21 +0800 +Subject: [PATCH] fbutil: Fix integer overflow + +Expressions like u64 = u32 * u32 are unsafe because their products are +truncated to u32 even if left hand side is u64. This patch fixes all +problems like that one in fbutil. + +To get right result not only left hand side have to be u64 but it's also +necessary to cast at least one of the operands of all leaf operators of +right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be +u64 = (u64)u32 * u32 + (u64)u32 * u32. + +For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any +combination of values in (grub_uint64_t)u32 * u32 + u32 expression will +not overflow grub_uint64_t. + +Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable. +They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32. + +This patch also adds a comment to grub_video_fb_get_video_ptr() which +says it's arguments must be valid and no sanity check is performed +(like its siblings in grub-core/video/fb/fbutil.c). + +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12) +(cherry picked from commit 8fa75d647362c938c4cc302cf5945b31fb92c078) +(cherry picked from commit 91005e39b3c8b6ca8dcc84ecb19ac9328966aaea) +--- + grub-core/video/fb/fbutil.c | 4 ++-- + include/grub/fbutil.h | 13 +++++++++---- + 2 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/grub-core/video/fb/fbutil.c b/grub-core/video/fb/fbutil.c +index b98bb51fe8..25ef39f47d 100644 +--- a/grub-core/video/fb/fbutil.c ++++ b/grub-core/video/fb/fbutil.c +@@ -67,7 +67,7 @@ get_pixel (struct grub_video_fbblit_info *source, + case 1: + if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED) + { +- int bit_index = y * source->mode_info->width + x; ++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x; + grub_uint8_t *ptr = source->data + bit_index / 8; + int bit_pos = 7 - bit_index % 8; + color = (*ptr >> bit_pos) & 0x01; +@@ -138,7 +138,7 @@ set_pixel (struct grub_video_fbblit_info *source, + case 1: + if (source->mode_info->blit_format == GRUB_VIDEO_BLIT_FORMAT_1BIT_PACKED) + { +- int bit_index = y * source->mode_info->width + x; ++ grub_uint64_t bit_index = (grub_uint64_t) y * source->mode_info->width + x; + grub_uint8_t *ptr = source->data + bit_index / 8; + int bit_pos = 7 - bit_index % 8; + *ptr = (*ptr & ~(1 << bit_pos)) | ((color & 0x01) << bit_pos); +diff --git a/include/grub/fbutil.h b/include/grub/fbutil.h +index 4205eb917f..78a1ab3b45 100644 +--- a/include/grub/fbutil.h ++++ b/include/grub/fbutil.h +@@ -31,14 +31,19 @@ struct grub_video_fbblit_info + grub_uint8_t *data; + }; + +-/* Don't use for 1-bit bitmaps, addressing needs to be done at the bit level +- and it doesn't make sense, in general, to ask for a pointer +- to a particular pixel's data. */ ++/* ++ * Don't use for 1-bit bitmaps, addressing needs to be done at the bit level ++ * and it doesn't make sense, in general, to ask for a pointer ++ * to a particular pixel's data. ++ * ++ * This function assumes that bounds checking has been done in previous phase ++ * and they are opted out in here. ++ */ + static inline void * + grub_video_fb_get_video_ptr (struct grub_video_fbblit_info *source, + unsigned int x, unsigned int y) + { +- return source->data + y * source->mode_info->pitch + x * source->mode_info->bytes_per_pixel; ++ return source->data + (grub_addr_t) y * source->mode_info->pitch + (grub_addr_t) x * source->mode_info->bytes_per_pixel; + } + + /* Advance pointer by VAL bytes. If there is no unaligned access available, diff --git a/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch b/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch new file mode 100644 index 0000000..8da101f --- /dev/null +++ b/SOURCES/0570-font-Fix-an-integer-underflow-in-blit_comb.patch @@ -0,0 +1,91 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 24 Oct 2022 08:05:35 +0800 +Subject: [PATCH] font: Fix an integer underflow in blit_comb() + +The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may +evaluate to a very big invalid value even if both ctx.bounds.height and +combining_glyphs[i]->height are small integers. For example, if +ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this +expression evaluates to 2147483647 (expected -1). This is because +coordinates are allowed to be negative but ctx.bounds.height is an +unsigned int. So, the subtraction operates on unsigned ints and +underflows to a very big value. The division makes things even worse. +The quotient is still an invalid value even if converted back to int. + +This patch fixes the problem by casting ctx.bounds.height to int. As +a result the subtraction will operate on int and grub_uint16_t which +will be promoted to an int. So, the underflow will no longer happen. Other +uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, +to ensure coordinates are always calculated on signed integers. + +Fixes: CVE-2022-3775 + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4) +(cherry picked from commit 05e532fb707bbf79aa4e1efbde4d208d7da89d6b) +(cherry picked from commit 0b2592fbb245d53c5c42885d695ece03ddb0eb12) +--- + grub-core/font/font.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index 31786ab339..fc9d92fce4 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1203,12 +1203,12 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + ctx.bounds.height = main_glyph->height; + + above_rightx = main_glyph->offset_x + main_glyph->width; +- above_righty = ctx.bounds.y + ctx.bounds.height; ++ above_righty = ctx.bounds.y + (int) ctx.bounds.height; + + above_leftx = main_glyph->offset_x; +- above_lefty = ctx.bounds.y + ctx.bounds.height; ++ above_lefty = ctx.bounds.y + (int) ctx.bounds.height; + +- below_rightx = ctx.bounds.x + ctx.bounds.width; ++ below_rightx = ctx.bounds.x + (int) ctx.bounds.width; + below_righty = ctx.bounds.y; + + comb = grub_unicode_get_comb (glyph_id); +@@ -1221,7 +1221,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + if (!combining_glyphs[i]) + continue; +- targetx = (ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; ++ targetx = ((int) ctx.bounds.width - combining_glyphs[i]->width) / 2 + ctx.bounds.x; + /* CGJ is to avoid diacritics reordering. */ + if (comb[i].code + == GRUB_UNICODE_COMBINING_GRAPHEME_JOINER) +@@ -1231,8 +1231,8 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + case GRUB_UNICODE_COMB_OVERLAY: + do_blit (combining_glyphs[i], + targetx, +- (ctx.bounds.height - combining_glyphs[i]->height) / 2 +- - (ctx.bounds.height + ctx.bounds.y), &ctx); ++ ((int) ctx.bounds.height - combining_glyphs[i]->height) / 2 ++ - ((int) ctx.bounds.height + ctx.bounds.y), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; + break; +@@ -1305,7 +1305,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + /* Fallthrough. */ + case GRUB_UNICODE_STACK_ATTACHED_ABOVE: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height + ctx.bounds.y + space ++ -((int) ctx.bounds.height + ctx.bounds.y + space + + combining_glyphs[i]->height), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; +@@ -1313,7 +1313,7 @@ blit_comb (const struct grub_unicode_glyph *glyph_id, + + case GRUB_UNICODE_COMB_HEBREW_DAGESH: + do_blit (combining_glyphs[i], targetx, +- -(ctx.bounds.height / 2 + ctx.bounds.y ++ -((int) ctx.bounds.height / 2 + ctx.bounds.y + + combining_glyphs[i]->height / 2), &ctx); + if (min_devwidth < combining_glyphs[i]->width) + min_devwidth = combining_glyphs[i]->width; diff --git a/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch b/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch new file mode 100644 index 0000000..87b8e33 --- /dev/null +++ b/SOURCES/0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch @@ -0,0 +1,75 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Mon, 24 Oct 2022 07:15:41 +0800 +Subject: [PATCH] font: Harden grub_font_blit_glyph() and + grub_font_blit_glyph_mirror() + +As a mitigation and hardening measure add sanity checks to +grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch +makes these two functions do nothing if target blitting area isn't fully +contained in target bitmap. Therefore, if complex calculations in caller +overflows and malicious coordinates are given, we are still safe because +any coordinates which result in out-of-bound-write are rejected. However, +this patch only checks for invalid coordinates, and doesn't provide any +protection against invalid source glyph or destination glyph, e.g. +mismatch between glyph size and buffer size. + +This hardening measure is designed to mitigate possible overflows in +blit_comb(). If overflow occurs, it may return invalid bounding box +during dry run and call grub_font_blit_glyph() with malicious +coordinates during actual blitting. However, we are still safe because +the scratch glyph itself is valid, although its size makes no sense, and +any invalid coordinates are rejected. + +It would be better to call grub_fatal() if illegal parameter is detected. +However, doing this may end up in a dangerous recursion because grub_fatal() +would print messages to the screen and we are in the progress of drawing +characters on the screen. + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6) +(cherry picked from commit 1d37ec63a1c76a14fdf70f548eada92667b42ddb) +(cherry picked from commit 686c72ea0a841343b7d8ab64e815751aa36e24b5) +--- + grub-core/font/font.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index fc9d92fce4..cfa4bd5096 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -1069,8 +1069,15 @@ static void + grub_font_blit_glyph (struct grub_font_glyph *target, + struct grub_font_glyph *src, unsigned dx, unsigned dy) + { ++ grub_uint16_t max_x, max_y; + unsigned src_bit, tgt_bit, src_byte, tgt_byte; + unsigned i, j; ++ ++ /* Harden against out-of-bound writes. */ ++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) || ++ (grub_add (dy, src->height, &max_y) || max_y > target->height)) ++ return; ++ + for (i = 0; i < src->height; i++) + { + src_bit = (src->width * i) % 8; +@@ -1102,9 +1109,16 @@ grub_font_blit_glyph_mirror (struct grub_font_glyph *target, + struct grub_font_glyph *src, + unsigned dx, unsigned dy) + { ++ grub_uint16_t max_x, max_y; + unsigned tgt_bit, src_byte, tgt_byte; + signed src_bit; + unsigned i, j; ++ ++ /* Harden against out-of-bound writes. */ ++ if ((grub_add (dx, src->width, &max_x) || max_x > target->width) || ++ (grub_add (dy, src->height, &max_y) || max_y > target->height)) ++ return; ++ + for (i = 0; i < src->height; i++) + { + src_bit = (src->width * i + src->width - 1) % 8; diff --git a/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch b/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch new file mode 100644 index 0000000..981d5df --- /dev/null +++ b/SOURCES/0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch @@ -0,0 +1,36 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 28 Oct 2022 17:29:16 +0800 +Subject: [PATCH] font: Assign null_font to glyphs in ascii_font_glyph[] + +The calculations in blit_comb() need information from glyph's font, e.g. +grub_font_get_xheight(main_glyph->font). However, main_glyph->font is +NULL if main_glyph comes from ascii_font_glyph[]. Therefore +grub_font_get_*() crashes because of NULL pointer. + +There is already a solution, the null_font. So, assign it to those glyphs +in ascii_font_glyph[]. + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6) +(cherry picked from commit 87526376857eaceae474c9797e3cee5b50597332) +(cherry picked from commit b4807bbb09d9adf82fe9ae12a3af1c852dc4e32d) +--- + grub-core/font/font.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/font/font.c b/grub-core/font/font.c +index cfa4bd5096..30cd1fe07f 100644 +--- a/grub-core/font/font.c ++++ b/grub-core/font/font.c +@@ -137,7 +137,7 @@ ascii_glyph_lookup (grub_uint32_t code) + ascii_font_glyph[current]->offset_x = 0; + ascii_font_glyph[current]->offset_y = -2; + ascii_font_glyph[current]->device_width = 8; +- ascii_font_glyph[current]->font = NULL; ++ ascii_font_glyph[current]->font = &null_font; + + grub_memcpy (ascii_font_glyph[current]->bitmap, + &ascii_bitmaps[current * ASCII_BITMAP_SIZE], diff --git a/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch b/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch new file mode 100644 index 0000000..283d560 --- /dev/null +++ b/SOURCES/0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch @@ -0,0 +1,55 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Zhang Boyang +Date: Fri, 28 Oct 2022 21:31:39 +0800 +Subject: [PATCH] normal/charset: Fix an integer overflow in + grub_unicode_aglomerate_comb() + +The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255. +However, code in grub_unicode_aglomerate_comb() doesn't check for an +overflow when incrementing out->ncomb. If out->ncomb is already 255, +after incrementing it will get 0 instead of 256, and cause illegal +memory access in subsequent processing. + +This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max +acceptable value of ncomb. The code now checks for this limit and +ignores additional combining characters when limit is reached. + +Reported-by: Daniel Axtens +Signed-off-by: Zhang Boyang +Reviewed-by: Daniel Kiper +(cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6) +(cherry picked from commit 26fafec86000b5322837722a115279ef03922ca6) +(cherry picked from commit 872fba1c44dee2ab5cb36b2c7a883847f91ed907) +--- + grub-core/normal/charset.c | 3 +++ + include/grub/unicode.h | 2 ++ + 2 files changed, 5 insertions(+) + +diff --git a/grub-core/normal/charset.c b/grub-core/normal/charset.c +index 7b2de12001..4849cf06f7 100644 +--- a/grub-core/normal/charset.c ++++ b/grub-core/normal/charset.c +@@ -472,6 +472,9 @@ grub_unicode_aglomerate_comb (const grub_uint32_t *in, grub_size_t inlen, + if (!haveout) + continue; + ++ if (out->ncomb == GRUB_UNICODE_NCOMB_MAX) ++ continue; ++ + if (comb_type == GRUB_UNICODE_COMB_MC + || comb_type == GRUB_UNICODE_COMB_ME + || comb_type == GRUB_UNICODE_COMB_MN) +diff --git a/include/grub/unicode.h b/include/grub/unicode.h +index 4de986a857..c4f6fca043 100644 +--- a/include/grub/unicode.h ++++ b/include/grub/unicode.h +@@ -147,7 +147,9 @@ struct grub_unicode_glyph + grub_uint8_t bidi_level:6; /* minimum: 6 */ + enum grub_bidi_type bidi_type:5; /* minimum: :5 */ + ++#define GRUB_UNICODE_NCOMB_MAX ((1 << 8) - 1) + unsigned ncomb:8; ++ + /* Hint by unicode subsystem how wide this character usually is. + Real width is determined by font. Set only in UTF-8 stream. */ + int estimated_width:8; diff --git a/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch b/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch new file mode 100644 index 0000000..3fd5d5a --- /dev/null +++ b/SOURCES/0574-Enable-TDX-measurement-to-RTMR-register.patch @@ -0,0 +1,227 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Lu Ken +Date: Sat, 3 Jul 2021 10:50:37 -0400 +Subject: [PATCH] Enable TDX measurement to RTMR register + +Intel Trust Domain Extensions(Intel TDX) refers to an Intel technology +that extends Virtual Machine Extensions(VMX) and Multi-Key Total Memory +Encryption(MK-TME) with a new kind of virtual machine guest called a +Trust Domain(TD)[1]. A TD runs in a CPU mode that protects the confidentiality +of its memory contents and its CPU state from any other software, including +the hosting Virtual Machine Monitor (VMM). + +Trust Domain Virtual Firmware (TDVF) is required to provide TD services to +the TD guest OS.[2] Its reference code is available at https://github.com/tianocore/edk2-staging/tree/TDVF. + +To support TD measurement/attestation, TDs provide 4 RTMR registers like +TPM/TPM2 PCR as below: +- RTMR[0] is for TDVF configuration +- RTMR[1] is for the TD OS loader and kernel +- RTMR[2] is for the OS application +- RTMR[3] is reserved for special usage only + +This patch adds TD Measurement protocol support along with TPM/TPM2 protocol. + +References: +[1] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-whitepaper-v4.pdf +[2] https://software.intel.com/content/dam/develop/external/us/en/documents/tdx-virtual-firmware-design-guide-rev-1.pdf + +Signed-off-by: Lu Ken +(cherry picked from commit 841a0977397cf12a5498d439b8aaf8bf28ff8544) +--- + grub-core/Makefile.core.def | 1 + + grub-core/kern/efi/tdx.c | 70 +++++++++++++++++++++++++++++++++++++++++++++ + grub-core/kern/tpm.c | 4 +++ + include/grub/efi/tdx.h | 26 +++++++++++++++++ + include/grub/tdx.h | 36 +++++++++++++++++++++++ + 5 files changed, 137 insertions(+) + create mode 100644 grub-core/kern/efi/tdx.c + create mode 100644 include/grub/efi/tdx.h + create mode 100644 include/grub/tdx.h + +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def +index 637d7203e3..2787d59c52 100644 +--- a/grub-core/Makefile.core.def ++++ b/grub-core/Makefile.core.def +@@ -200,6 +200,7 @@ kernel = { + efi = kern/efi/acpi.c; + efi = kern/lockdown.c; + efi = lib/envblk.c; ++ efi = kern/efi/tdx.c; + efi = kern/efi/tpm.c; + i386_coreboot = kern/i386/pc/acpi.c; + i386_multiboot = kern/i386/pc/acpi.c; +diff --git a/grub-core/kern/efi/tdx.c b/grub-core/kern/efi/tdx.c +new file mode 100644 +index 0000000000..3a49f8d117 +--- /dev/null ++++ b/grub-core/kern/efi/tdx.c +@@ -0,0 +1,70 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static grub_efi_guid_t tdx_guid = EFI_TDX_GUID; ++ ++static inline grub_err_t grub_tdx_dprintf(grub_efi_status_t status) ++{ ++ switch (status) { ++ case GRUB_EFI_SUCCESS: ++ return 0; ++ case GRUB_EFI_DEVICE_ERROR: ++ grub_dprintf ("tdx", "Command failed: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_IO; ++ case GRUB_EFI_INVALID_PARAMETER: ++ grub_dprintf ("tdx", "Invalid parameter: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_BAD_ARGUMENT; ++ case GRUB_EFI_VOLUME_FULL: ++ grub_dprintf ("tdx", "Volume is full: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_BAD_ARGUMENT; ++ case GRUB_EFI_UNSUPPORTED: ++ grub_dprintf ("tdx", "TDX unavailable: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_UNKNOWN_DEVICE; ++ default: ++ grub_dprintf ("tdx", "Unknown TDX error: 0x%"PRIxGRUB_EFI_STATUS"\n", ++ status); ++ return GRUB_ERR_UNKNOWN_DEVICE; ++ } ++} ++ ++grub_err_t ++grub_tdx_log_event(unsigned char *buf, grub_size_t size, grub_uint8_t pcr, ++ const char *description) ++{ ++ EFI_TCG2_EVENT *event; ++ grub_efi_status_t status; ++ grub_efi_tdx_protocol_t *tdx; ++ ++ tdx = grub_efi_locate_protocol (&tdx_guid, NULL); ++ ++ if (!tdx) ++ return 0; ++ ++ event = grub_zalloc(sizeof (EFI_TCG2_EVENT) + grub_strlen(description) + 1); ++ if (!event) ++ return grub_error (GRUB_ERR_OUT_OF_MEMORY, ++ N_("cannot allocate TCG2 event buffer")); ++ ++ event->Header.HeaderSize = sizeof(EFI_TCG2_EVENT_HEADER); ++ event->Header.HeaderVersion = 1; ++ event->Header.PCRIndex = pcr; ++ event->Header.EventType = EV_IPL; ++ event->Size = sizeof(*event) - sizeof(event->Event) + grub_strlen(description) + 1; ++ grub_memcpy(event->Event, description, grub_strlen(description) + 1); ++ ++ status = efi_call_5 (tdx->hash_log_extend_event, tdx, 0, (unsigned long) buf, ++ (grub_uint64_t) size, event); ++ ++ return grub_tdx_dprintf(status); ++} +\ No newline at end of file +diff --git a/grub-core/kern/tpm.c b/grub-core/kern/tpm.c +index e5e8fced62..71cc4252c1 100644 +--- a/grub-core/kern/tpm.c ++++ b/grub-core/kern/tpm.c +@@ -4,6 +4,7 @@ + #include + #include + #include ++#include + + grub_err_t + grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr, +@@ -13,6 +14,9 @@ grub_tpm_measure (unsigned char *buf, grub_size_t size, grub_uint8_t pcr, + char *desc = grub_xasprintf("%s %s", kind, description); + if (!desc) + return GRUB_ERR_OUT_OF_MEMORY; ++ ++ grub_tdx_log_event(buf, size, pcr, desc); ++ + ret = grub_tpm_log_event(buf, size, pcr, desc); + grub_free(desc); + return ret; +diff --git a/include/grub/efi/tdx.h b/include/grub/efi/tdx.h +new file mode 100644 +index 0000000000..9bdac2a275 +--- /dev/null ++++ b/include/grub/efi/tdx.h +@@ -0,0 +1,26 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2015 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#ifndef GRUB_EFI_TDX_HEADER ++#define GRUB_EFI_TDX_HEADER 1 ++ ++#define EFI_TDX_GUID {0x96751a3d, 0x72f4, 0x41a6, {0xa7, 0x94, 0xed, 0x5d, 0x0e, 0x67, 0xae, 0x6b}}; ++ ++typedef grub_efi_tpm2_protocol_t grub_efi_tdx_protocol_t; ++ ++#endif +\ No newline at end of file +diff --git a/include/grub/tdx.h b/include/grub/tdx.h +new file mode 100644 +index 0000000000..4a98008e39 +--- /dev/null ++++ b/include/grub/tdx.h +@@ -0,0 +1,36 @@ ++/* ++ * GRUB -- GRand Unified Bootloader ++ * Copyright (C) 2015 Free Software Foundation, Inc. ++ * ++ * GRUB is free software: you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation, either version 3 of the License, or ++ * (at your option) any later version. ++ * ++ * GRUB is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with GRUB. If not, see . ++ */ ++ ++#ifndef GRUB_TDX_HEADER ++#define GRUB_TDX_HEADER 1 ++ ++#if defined (GRUB_MACHINE_EFI) ++grub_err_t grub_tdx_log_event(unsigned char *buf, grub_size_t size, ++ grub_uint8_t pcr, const char *description); ++#else ++static inline grub_err_t grub_tdx_log_event( ++ unsigned char *buf __attribute__ ((unused)), ++ grub_size_t size __attribute__ ((unused)), ++ grub_uint8_t pcr __attribute__ ((unused)), ++ const char *description __attribute__ ((unused))) ++{ ++ return 0; ++}; ++#endif ++ ++#endif diff --git a/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch b/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch new file mode 100644 index 0000000..b7563d7 --- /dev/null +++ b/SOURCES/0575-Enable-shared-processor-mode-in-vector-5.patch @@ -0,0 +1,28 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Avnish Chouhan +Date: Tue, 24 Jan 2023 08:01:47 -0500 +Subject: [PATCH] Enable shared processor mode in vector 5 + +This patch is to update the vector 5 which is troubling some +machines to bootup properly in shared processor mode. + +Signed-off-by: Avnish Chouhan +(cherry picked from commit 30d2ee836649386a336f9437c8a149c8e642a46b) +(cherry picked from commit 7e309d139c5eca1f03659e612a14499213e79c95) +--- + grub-core/kern/ieee1275/init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c +index 37f3098c39..3ea9b73b2a 100644 +--- a/grub-core/kern/ieee1275/init.c ++++ b/grub-core/kern/ieee1275/init.c +@@ -372,7 +372,7 @@ grub_ieee1275_ibm_cas (void) + .vec4 = 0x0001, // set required minimum capacity % to the lowest value + .vec5_size = 1 + sizeof(struct option_vector5) - 2, + .vec5 = { +- 0, 0, 0, 0, 0, 0, 0, 0, 256 ++ 0, 192, 0, 128, 0, 0, 0, 0, 256 + } + }; + diff --git a/SOURCES/clsecureboot001.cer b/SOURCES/clsecureboot001.cer deleted file mode 100644 index ca9ce5d..0000000 Binary files a/SOURCES/clsecureboot001.cer and /dev/null differ diff --git a/SOURCES/grub.macros b/SOURCES/grub.macros index c9ed442..8baf627 100644 --- a/SOURCES/grub.macros +++ b/SOURCES/grub.macros @@ -285,7 +285,13 @@ Requires: %{name}-common = %{evr} \ Requires: %{name}-tools-minimal >= %{evr} \ Requires: %{name}-tools-extra = %{evr} \ Requires: %{name}-tools = %{evr} \ +Requires: %{efi_esp_dir}/shim%%(echo %{1} | cut -d- -f2).efi \ Provides: %{name}-efi = %{evr} \ +Provides: almalinux(grub2-sig-key) = 202303 \ +%{expand:%%ifarch x86_64 \ +Conflicts: shim-x64 <= 15.6-1.el8.alma \ +Conflicts: shim-ia32 <= 15.6-1.el8.alma \ +%%endif} \ %{?legacy_provides:Provides: %{name} = %{evr}} \ %{-o:Obsoletes: %{name}-efi < %{evr}} \ \ @@ -540,7 +546,7 @@ install -D -m 700 unicode.pf2 \\\ $RPM_BUILD_ROOT%{efi_esp_dir}/fonts/unicode.pf2 \ ${RPM_BUILD_ROOT}/%{_bindir}/%{name}-editenv \\\ ${RPM_BUILD_ROOT}%{efi_esp_dir}/grubenv create \ -ln -sf ../efi/EFI/%{efi_vendor}/grubenv \\\ +ln -sf ../efi/EFI/%{efidir}/grubenv \\\ $RPM_BUILD_ROOT/boot/grub2/grubenv \ cd .. \ %{nil} diff --git a/SOURCES/grub.patches b/SOURCES/grub.patches index 9ea738a..3eacbac 100644 --- a/SOURCES/grub.patches +++ b/SOURCES/grub.patches @@ -552,3 +552,24 @@ Patch0551: 0551-nx-set-page-permissions-for-loaded-modules.patch Patch0552: 0552-nx-set-attrs-in-our-kernel-loaders.patch Patch0553: 0553-nx-set-the-nx-compatible-flag-in-EFI-grub-images.patch Patch0554: 0554-Fixup-grub_efi_get_variable-type-in-our-loaders.patch +Patch0555: 0555-Make-debug-file-show-which-file-filters-get-run.patch +Patch0556: 0556-efi-use-enumerated-array-positions-for-our-allocatio.patch +Patch0557: 0557-efi-split-allocation-policy-for-kernel-vs-initrd-mem.patch +Patch0558: 0558-efi-use-EFI_LOADER_-CODE-DATA-for-kernel-and-initrd-.patch +Patch0559: 0559-ieee1275-implement-vec5-for-cas-negotiation.patch +Patch0560: 0560-x86-efi-Fix-an-incorrect-array-size-in-kernel-alloca.patch +Patch0561: 0561-switch-to-blscfg-don-t-assume-newline-at-end-of-cfg.patch +Patch0562: 0562-font-Reject-glyphs-exceeds-font-max_glyph_width-or-f.patch +Patch0563: 0563-font-Fix-size-overflow-in-grub_font_get_glyph_intern.patch +Patch0564: 0564-font-Fix-several-integer-overflows-in-grub_font_cons.patch +Patch0565: 0565-font-Remove-grub_font_dup_glyph.patch +Patch0566: 0566-font-Fix-integer-overflow-in-ensure_comb_space.patch +Patch0567: 0567-font-Fix-integer-overflow-in-BMP-index.patch +Patch0568: 0568-font-Fix-integer-underflow-in-binary-search-of-char-.patch +Patch0569: 0569-fbutil-Fix-integer-overflow.patch +Patch0570: 0570-font-Fix-an-integer-underflow-in-blit_comb.patch +Patch0571: 0571-font-Harden-grub_font_blit_glyph-and-grub_font_blit_.patch +Patch0572: 0572-font-Assign-null_font-to-glyphs-in-ascii_font_glyph.patch +Patch0573: 0573-normal-charset-Fix-an-integer-overflow-in-grub_unico.patch +Patch0574: 0574-Enable-TDX-measurement-to-RTMR-register.patch +Patch0575: 0575-Enable-shared-processor-mode-in-vector-5.patch diff --git a/SOURCES/sbat.csv.in b/SOURCES/sbat.csv.in index f7ab055..e43e302 100755 --- a/SOURCES/sbat.csv.in +++ b/SOURCES/sbat.csv.in @@ -1,4 +1,4 @@ sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md -grub,2,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ +grub,3,Free Software Foundation,grub,@@VERSION@@,https//www.gnu.org/software/grub/ grub.rh,2,Red Hat,grub2,@@RHEL_VERSION_RELEASE@@,mailto:secalert@redhat.com -grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mail:security@almalinux.org \ No newline at end of file +grub.almalinux,2,AlmaLinux,grub2,@@VERSION_RELEASE@@,mail:security@almalinux.org diff --git a/SPECS/grub2.spec b/SPECS/grub2.spec index 419039d..41dbfd4 100644 --- a/SPECS/grub2.spec +++ b/SPECS/grub2.spec @@ -1,3 +1,7 @@ +%global efi_vendor almalinux +%global efidir almalinux +%global efi_esp_dir /boot/efi/EFI/%{efidir} + %undefine _hardened_build %global tarversion 2.02 @@ -7,7 +11,7 @@ Name: grub2 Epoch: 1 Version: 2.02 -Release: 138%{?dist}.alma +Release: 148%{?dist}.alma Summary: Bootloader with support for Linux, Multiboot and more Group: System Environment/Base License: GPLv3+ @@ -24,7 +28,7 @@ Source6: gitignore Source8: strtoull_test.c Source9: 20-grub.install Source12: 99-grub-mkconfig.install -Source13: clsecureboot001.cer +Source13: almalinuxsecurebootca0.cer Source19: sbat.csv.in %include %{SOURCE1} @@ -32,16 +36,16 @@ Source19: sbat.csv.in %if 0%{with_efi_arch} %define old_sb_ca %{SOURCE13} %define old_sb_cer %{SOURCE13} -%define old_sb_key clsecureboot001 +%define old_sb_key almalinuxsecurebootca0 %define sb_ca %{SOURCE13} %define sb_cer %{SOURCE13} -%define sb_key clsecureboot001 +%define sb_key almalinuxsecurebootca0 %endif %ifarch ppc64le %define old_sb_cer %{SOURCE13} %define sb_cer %{SOURCE13} -%define sb_key clsecureboot001 +%define sb_key almalinuxsecurebootca0 %endif # AlmaLinux: keep upstream EVR for RHEL SBAT entry @@ -339,6 +343,20 @@ if [ "$1" = 0 ]; then /sbin/install-info --delete --info-dir=%{_infodir} %{_infodir}/%{name}-dev.info.gz || : fi +%if 0%{with_efi_arch} +%posttrans %{package_arch} +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + +%if 0%{with_alt_efi_arch} +%posttrans %{alt_package_arch} +if [ -d /sys/firmware/efi ] && [ ! -f %{efi_esp_dir}/grub.cfg ]; then + grub2-mkconfig -o %{efi_esp_dir}/grub.cfg || : +fi +%endif + %files common -f grub.lang %dir %{_libdir}/grub/ %dir %{_datarootdir}/grub/ @@ -508,51 +526,88 @@ fi %endif %changelog -* Fri Oct 07 2022 Andrew Lukoshko - 2.06-138.alma -- AlmaLinux changes +* Mon Feb 27 2023 Eduard Abdullin - 2.02-148.alma +- Use AlmaLinux cert -* Wed Jul 20 2022 Robbie Harwood - 2.06-138 +* Mon Feb 06 2023 Robbie Harwood - 2.02-148 +- ppc64le: cas5, take 3 +- Resolves: #2139508 + +* Tue Jan 10 2023 Robbie Harwood - 2.02-147 +- Enable TDX measurement to RTMR register +- Resolves: #1981485 + +* Wed Dec 14 2022 Robbie Harwood - 2.02-146 +- ppc64le: fix lpar cas5 +- Resolves: #2139508 + +* Tue Nov 08 2022 Robbie Harwood - 1:2.02-145 +- Font CVE fixes +- Resolves: CVE-2022-2601 + +* Tue Oct 18 2022 Robbie Harwood - 2.02-144 +- blscfg: don't assume newline at end of cfg +- Resolves: #2121132 + +* Wed Oct 12 2022 Robbie Harwood - 2.02-143 +- x86-efi: Fix an incorrect array size in kernel allocation +- Also merge with 8.7 +- Resolves: #2031288 + +* Thu Aug 25 2022 Robbie Harwood - 2.02-141 +- Implement vec5 for cas negotiation +- Resolves: #2117914 + +* Wed Aug 24 2022 Robbie Harwood - 2.02-140 +- Or two, because I forgot the debug patch +- Resolves: #2118896 + +* Thu Aug 18 2022 Robbie Harwood - 2.02-139 +- Kernel allocator fixups (in one pass) +- Resolves: #2118896 + +* Wed Jul 20 2022 Robbie Harwood - 2.02-138 - Rotate signing keys on ppc64le - Resolves: #2074762 -* Fri Jun 03 2022 Robbie Harwood - 2.06-137 +* Fri Jun 03 2022 Robbie Harwood - 2.02-137 - CVE fixes for 2022-06-07 - CVE-2022-28736 CVE-2022-28735 CVE-2022-28734 CVE-2022-28733 - CVE-2021-3697 CVE-2021-3696 CVE-2021-3695 - Resolves: #2070687 -* Mon May 16 2022 Robbie Harwood - 2.06-129 +* Mon May 16 2022 Robbie Harwood - 2.02-129 - ppc64le: Slow boot after LPM - Resolves: #2070347 -* Wed May 04 2022 Robbie Harwood - 2.06-127 +* Wed May 04 2022 Robbie Harwood - 2.02-127 - ppc64le: CAS improvements, prefix detection, and vTPM support - Resolves: #2076795 - Resolves: #2026568 - Resolves: #2051331 -* Wed May 04 2022 Robbie Harwood - 2.06-126 +* Wed May 04 2022 Robbie Harwood - 2.02-126 - Fix rpm verification error on grub.cfg permissions - Resolves: #2071643 -* Wed Apr 20 2022 Robbie Harwood - 2.06-125 +* Wed Apr 20 2022 Robbie Harwood - 2.02-125 - RHEL 8.6.0 import; no code changes - Resolves: #2062892 -* Mon Mar 28 2022 Robbie Harwood - 2.06-123 +* Mon Mar 28 2022 Robbie Harwood - 2.02-123 - Bump for signing -* Wed Mar 09 2022 Robbie Harwood - 2.06-122 +* Wed Mar 09 2022 Robbie Harwood - 2.02-122 - Fix initialization on efidisk patch -* Tue Mar 08 2022 Robbie Harwood - 2.06-121 +* Tue Mar 08 2022 Robbie Harwood - 2.02-121 - Backport support for loading initrd above 4GB -* Mon Feb 28 2022 Robbie Harwood - 2.06-120 +* Mon Feb 28 2022 Robbie Harwood - 2.02-120 - Bump signing - Resolves: #2032294 -* Mon Feb 28 2022 Robbie Harwood - 2.06-119 +* Mon Feb 28 2022 Robbie Harwood - 2.02-119 - Enable connectefi module - Resolves: #2032294