import grub2-2.02-99.el8
parent
fa384bc6b3
commit
c6f0640526
@ -0,0 +1,121 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Thu, 3 Dec 2020 09:13:24 +0100
|
||||||
|
Subject: [PATCH] at_keyboard: use set 1 when keyboard is in Translate mode
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
When keyboard controller acts in Translate mode (0x40 mask), then use
|
||||||
|
set 1 since translation is done.
|
||||||
|
Otherwise use the mode queried from the controller (usually set 2).
|
||||||
|
|
||||||
|
Added "atkeyb" debugging messages in at_keyboard module as well.
|
||||||
|
|
||||||
|
Resolves: rhbz#1897587
|
||||||
|
|
||||||
|
Tested on:
|
||||||
|
- Asus N53SN (set 1 used)
|
||||||
|
- Dell Precision (set 1 used)
|
||||||
|
- HP Elitebook (set 2 used)
|
||||||
|
- HP G5430 (set 1 used, keyboard in XT mode!)
|
||||||
|
- Lenovo P71 & Lenovo T460s (set 2 used)
|
||||||
|
- QEMU/KVM (set 1 used)
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/term/at_keyboard.c | 29 ++++++++++++++++++++++++-----
|
||||||
|
include/grub/at_keyboard.h | 4 ++++
|
||||||
|
2 files changed, 28 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c
|
||||||
|
index f0a986eb176..69d99b61df5 100644
|
||||||
|
--- a/grub-core/term/at_keyboard.c
|
||||||
|
+++ b/grub-core/term/at_keyboard.c
|
||||||
|
@@ -135,20 +135,28 @@ query_mode (void)
|
||||||
|
int e;
|
||||||
|
|
||||||
|
e = write_mode (0);
|
||||||
|
- if (!e)
|
||||||
|
+ if (!e) {
|
||||||
|
+ grub_dprintf("atkeyb", "query_mode: write_mode(0) failed\n");
|
||||||
|
return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
do {
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
} while (ret == GRUB_AT_ACK);
|
||||||
|
/* QEMU translates the set even in no-translate mode. */
|
||||||
|
- if (ret == 0x43 || ret == 1)
|
||||||
|
+ if (ret == 0x43 || ret == 1) {
|
||||||
|
+ grub_dprintf("atkeyb", "query_mode: returning 1 (ret=0x%x)\n", ret);
|
||||||
|
return 1;
|
||||||
|
- if (ret == 0x41 || ret == 2)
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x41 || ret == 2) {
|
||||||
|
+ grub_dprintf("atkeyb", "query_mode: returning 2 (ret=0x%x)\n", ret);
|
||||||
|
return 2;
|
||||||
|
- if (ret == 0x3f || ret == 3)
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x3f || ret == 3) {
|
||||||
|
+ grub_dprintf("atkeyb", "query_mode: returning 3 (ret=0x%x)\n", ret);
|
||||||
|
return 3;
|
||||||
|
+ }
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -165,7 +173,13 @@ set_scancodes (void)
|
||||||
|
}
|
||||||
|
|
||||||
|
#if !USE_SCANCODE_SET
|
||||||
|
- ps2_state.current_set = 1;
|
||||||
|
+ if ((grub_keyboard_controller_orig & KEYBOARD_AT_TRANSLATE) == KEYBOARD_AT_TRANSLATE) {
|
||||||
|
+ grub_dprintf ("atkeyb", "queried set is %d but keyboard in Translate mode, so actually in set 1\n", grub_keyboard_orig_set);
|
||||||
|
+ ps2_state.current_set = 1;
|
||||||
|
+ } else {
|
||||||
|
+ grub_dprintf ("atkeyb", "using queried set %d\n", grub_keyboard_orig_set);
|
||||||
|
+ ps2_state.current_set = grub_keyboard_orig_set;
|
||||||
|
+ }
|
||||||
|
return;
|
||||||
|
#else
|
||||||
|
|
||||||
|
@@ -266,6 +280,7 @@ grub_keyboard_controller_init (void)
|
||||||
|
grub_keyboard_orig_set = 2;
|
||||||
|
#else
|
||||||
|
grub_keyboard_controller_orig = grub_keyboard_controller_read ();
|
||||||
|
+ grub_dprintf ("atkeyb", "grub_keyboard_controller_orig = 0x%x\n", grub_keyboard_controller_orig);
|
||||||
|
grub_keyboard_orig_set = query_mode ();
|
||||||
|
#endif
|
||||||
|
set_scancodes ();
|
||||||
|
@@ -275,11 +290,15 @@ grub_keyboard_controller_init (void)
|
||||||
|
static grub_err_t
|
||||||
|
grub_keyboard_controller_fini (struct grub_term_input *term __attribute__ ((unused)))
|
||||||
|
{
|
||||||
|
+/* In !USE_SCANCODE_SET mode, we didn't change anything, so nothing to restore */
|
||||||
|
+#if USE_SCANCODE_SET
|
||||||
|
if (ps2_state.current_set == 0)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
+ grub_dprintf ("atkeyb", "restoring set %d, controller 0x%x\n", grub_keyboard_orig_set, grub_keyboard_controller_orig);
|
||||||
|
if (grub_keyboard_orig_set)
|
||||||
|
write_mode (grub_keyboard_orig_set);
|
||||||
|
grub_keyboard_controller_write (grub_keyboard_controller_orig);
|
||||||
|
+#endif
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/include/grub/at_keyboard.h b/include/grub/at_keyboard.h
|
||||||
|
index bcb4d9ba78f..9414dc1b996 100644
|
||||||
|
--- a/include/grub/at_keyboard.h
|
||||||
|
+++ b/include/grub/at_keyboard.h
|
||||||
|
@@ -19,6 +19,10 @@
|
||||||
|
#ifndef GRUB_AT_KEYBOARD_HEADER
|
||||||
|
#define GRUB_AT_KEYBOARD_HEADER 1
|
||||||
|
|
||||||
|
+/*
|
||||||
|
+ * Refer to https://wiki.osdev.org/%228042%22_PS/2_Controller for details.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
/* Used for sending commands to the controller. */
|
||||||
|
#define KEYBOARD_COMMAND_ISREADY(x) !((x) & 0x02)
|
||||||
|
#define KEYBOARD_COMMAND_READ 0x20
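Review bot: In the `!USE_SCANCODE_SET` branch of set_scancodes, `ps2_state.current_set = grub_keyboard_orig_set;` copies whatever query_mode returned, and query_mode returns 0 both when `write_mode (0)` fails and when the controller replies with an unrecognised byte, so a keyboard that previously worked with the hard-coded set 1 now ends up with current_set 0 and, as far as this hunk shows, no usable decode set. I would keep the old default as the fallback: `ps2_state.current_set = grub_keyboard_orig_set ? grub_keyboard_orig_set : 1;` with a comment such as `/* query_mode () returns 0 on failure; fall back to set 1 as before. */`. Logging that fallback through the new `atkeyb` tag would make the failure visible in the same trace as the other messages. The translate-mode branch above it is unaffected; set_scancodes starts and ends outside the hunk.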
|
@ -0,0 +1,118 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Hlavac <jhlavac@redhat.com>
|
||||||
|
Date: Fri, 20 Nov 2020 23:51:47 +0100
|
||||||
|
Subject: [PATCH] grub-install: disable support for EFI platforms
|
||||||
|
|
||||||
|
For each platform, GRUB is shipped as a kernel image and a set of
|
||||||
|
modules. These files are then used by the grub-install utility to
|
||||||
|
install GRUB on a specific device. However, in order to support UEFI
|
||||||
|
Secure Boot, the resulting EFI binary must be signed by a recognized
|
||||||
|
private key. For this reason, for EFI platforms, most distributions also
|
||||||
|
ship prebuilt EFI binaries signed by a distribution-specific private
|
||||||
|
key. In this case, however, the grub-install utility should not be used
|
||||||
|
because it would overwrite the signed EFI binary.
|
||||||
|
|
||||||
|
The current fix is suboptimal because it preserves all EFI-related code.
|
||||||
|
A better solution could be to modularize the code and provide a
|
||||||
|
build-time option.
|
||||||
|
|
||||||
|
Resolves: rhbz#1737444
|
||||||
|
|
||||||
|
Signed-off-by: Jan Hlavac <jhlavac@redhat.com>
|
||||||
|
---
|
||||||
|
util/grub-install.c | 35 ++++++++++++++++-------------------
|
||||||
|
docs/grub.texi | 7 +++++++
|
||||||
|
util/grub-install.8 | 4 +++-
|
||||||
|
3 files changed, 26 insertions(+), 20 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-install.c b/util/grub-install.c
|
||||||
|
index 3bf0e063a86..65bb2f99ef1 100644
|
||||||
|
--- a/util/grub-install.c
|
||||||
|
+++ b/util/grub-install.c
|
||||||
|
@@ -888,6 +888,22 @@ main (int argc, char *argv[])
|
||||||
|
|
||||||
|
platform = grub_install_get_target (grub_install_source_directory);
|
||||||
|
|
||||||
|
+ switch (platform)
|
||||||
|
+ {
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_I386_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
||||||
|
+ case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
||||||
|
+ is_efi = 1;
|
||||||
|
+ grub_util_error (_("this utility cannot be used for EFI platforms"
|
||||||
|
+ " because it does not support UEFI Secure Boot"));
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ is_efi = 0;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
{
|
||||||
|
char *platname = grub_install_get_platform_name (platform);
|
||||||
|
fprintf (stderr, _("Installing for %s platform.\n"), platname);
|
||||||
|
@@ -994,26 +1010,7 @@ main (int argc, char *argv[])
|
||||||
|
grub_hostfs_init ();
|
||||||
|
grub_host_init ();
|
||||||
|
|
||||||
|
- switch (platform)
|
||||||
|
- {
|
||||||
|
- case GRUB_INSTALL_PLATFORM_I386_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_X86_64_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_ARM_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_ARM64_EFI:
|
||||||
|
- case GRUB_INSTALL_PLATFORM_IA64_EFI:
|
||||||
|
- is_efi = 1;
|
||||||
|
- break;
|
||||||
|
- default:
|
||||||
|
- is_efi = 0;
|
||||||
|
- break;
|
||||||
|
-
|
||||||
|
- /* pacify warning. */
|
||||||
|
- case GRUB_INSTALL_PLATFORM_MAX:
|
||||||
|
- break;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
/* Find the EFI System Partition. */
|
||||||
|
-
|
||||||
|
if (is_efi)
|
||||||
|
{
|
||||||
|
grub_fs_t fs;
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index c54bee31679..fa11cc0aff7 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -6185,6 +6185,13 @@ grub2-install @var{install_device}
|
||||||
|
The device name @var{install_device} is an OS device name or a GRUB
|
||||||
|
device name.
|
||||||
|
|
||||||
|
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must
|
||||||
|
+be signed by a recognized private key. For this reason, for EFI
|
||||||
|
+platforms, most distributions also ship prebuilt GRUB EFI binaries
|
||||||
|
+signed by a distribution-specific private key. In this case, however,
|
||||||
|
+@command{grub2-install} should not be used because it would overwrite
|
||||||
|
+the signed EFI binary.
|
||||||
|
+
|
||||||
|
@command{grub2-install} accepts the following options:
|
||||||
|
|
||||||
|
@table @option
|
||||||
|
diff --git a/util/grub-install.8 b/util/grub-install.8
|
||||||
|
index 76272a39d2e..02371930fa1 100644
|
||||||
|
--- a/util/grub-install.8
|
||||||
|
+++ b/util/grub-install.8
|
||||||
|
@@ -1,4 +1,4 @@
|
||||||
|
-.TH GRUB-INSTALL 1 "Wed Feb 26 2014"
|
||||||
|
+.TH GRUB-INSTALL 1 "Fri Nov 20 2020"
|
||||||
|
.SH NAME
|
||||||
|
\fBgrub-install\fR \(em Install GRUB on a device.
|
||||||
|
|
||||||
|
@@ -31,6 +31,8 @@
|
||||||
|
.SH DESCRIPTION
|
||||||
|
\fBgrub-install\fR installs GRUB onto a device. This includes copying GRUB images into the target directory (generally \fI/boot/grub\fR), and on some platforms may also include installing GRUB onto a boot sector.
|
||||||
|
|
||||||
|
+In order to support UEFI Secure Boot, the resulting GRUB EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt GRUB EFI binaries signed by a distribution-specific private key. In this case, however, the \fBgrub-install\fR utility should not be used because it would overwrite the signed EFI binary.
|
||||||
|
+
|
||||||
|
.SH OPTIONS
|
||||||
|
.TP
|
||||||
|
\fB--modules\fR=\fIMODULES\fR\!
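Review bot: In the new switch in main, `is_efi = 1;` and the `break;` after `grub_util_error (...)` are dead, since grub_util_error does not return (it appears to be declared noreturn elsewhere in the tree), so `is_efi` can now never be 1 and the `if (is_efi)` ESP-search block further down becomes unreachable, which matches the commit message but leaves misleading code behind. I would drop the assignment and the break, and make the refusal actionable for the user, e.g. `grub_util_error (_("this utility cannot be used for EFI platforms because it does not support UEFI Secure Boot; use the signed GRUB image shipped by the distribution instead"));`. A comment above the switch along the lines of `/* EFI targets are refused outright: grub-install would replace the distribution-signed image on the ESP (rhbz#1737444). */` tells the next reader why the platform is rejected before any install work starts. main starts and ends outside the hunk.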
|
@ -0,0 +1,112 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Sat, 23 Nov 2019 14:57:41 +0100
|
||||||
|
Subject: [PATCH] New --with-debug-timestamps configure flag to prepend debug
|
||||||
|
traces with absolute and relative timestamp
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
configure.ac | 18 ++++++++++++++++++
|
||||||
|
grub-core/kern/misc.c | 20 ++++++++++++++++++++
|
||||||
|
config.h.in | 1 +
|
||||||
|
3 files changed, 39 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index 9323c125469..0059b938a3a 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -1514,6 +1514,17 @@ else
|
||||||
|
fi
|
||||||
|
AC_SUBST([BOOT_TIME_STATS])
|
||||||
|
|
||||||
|
+AC_ARG_WITH([debug-timestamps],
|
||||||
|
+ AS_HELP_STRING([--with-debug-timestamps],
|
||||||
|
+ [prepend debug traces with absolute and relative timestamps]))
|
||||||
|
+
|
||||||
|
+if test x$with_debug_timestamps = xyes; then
|
||||||
|
+ DEBUG_WITH_TIMESTAMPS=1
|
||||||
|
+else
|
||||||
|
+ DEBUG_WITH_TIMESTAMPS=0
|
||||||
|
+fi
|
||||||
|
+AC_SUBST([DEBUG_WITH_TIMESTAMPS])
|
||||||
|
+
|
||||||
|
AC_ARG_ENABLE([grub-emu-sdl],
|
||||||
|
[AS_HELP_STRING([--enable-grub-emu-sdl],
|
||||||
|
[build and install the `grub-emu' debugging utility with SDL support (default=guessed)])])
|
||||||
|
@@ -2092,6 +2103,7 @@ AM_CONDITIONAL([COND_APPLE_LINKER], [test x$TARGET_APPLE_LINKER = x1])
|
||||||
|
AM_CONDITIONAL([COND_ENABLE_EFIEMU], [test x$enable_efiemu = xyes])
|
||||||
|
AM_CONDITIONAL([COND_ENABLE_CACHE_STATS], [test x$DISK_CACHE_STATS = x1])
|
||||||
|
AM_CONDITIONAL([COND_ENABLE_BOOT_TIME_STATS], [test x$BOOT_TIME_STATS = x1])
|
||||||
|
+AM_CONDITIONAL([COND_DEBUG_WITH_TIMESTAMPS], [test x$DEBUG_WITH_TIMESTAMPS = x1])
|
||||||
|
|
||||||
|
AM_CONDITIONAL([COND_HAVE_CXX], [test x$HAVE_CXX = xyes])
|
||||||
|
|
||||||
|
@@ -2187,6 +2199,12 @@ else
|
||||||
|
echo With boot time statistics: No
|
||||||
|
fi
|
||||||
|
|
||||||
|
+if [ x"$with_debug_timestamps" = xyes ]; then
|
||||||
|
+echo Debug traces with timestamps: Yes
|
||||||
|
+else
|
||||||
|
+echo Debug traces with timestamps: No
|
||||||
|
+fi
|
||||||
|
+
|
||||||
|
if [ x"$efiemu_excuse" = x ]; then
|
||||||
|
echo efiemu runtime: Yes
|
||||||
|
else
|
||||||
|
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
||||||
|
index c034f49f97c..11f2974fce5 100644
|
||||||
|
--- a/grub-core/kern/misc.c
|
||||||
|
+++ b/grub-core/kern/misc.c
|
||||||
|
@@ -25,6 +25,9 @@
|
||||||
|
#include <grub/env.h>
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/backtrace.h>
|
||||||
|
+#if DEBUG_WITH_TIMESTAMPS
|
||||||
|
+#include <grub/time.h>
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
union printf_arg
|
||||||
|
{
|
||||||
|
@@ -179,9 +182,26 @@ grub_real_dprintf (const char *file, const int line, const char *condition,
|
||||||
|
const char *fmt, ...)
|
||||||
|
{
|
||||||
|
va_list args;
|
||||||
|
+#if DEBUG_WITH_TIMESTAMPS
|
||||||
|
+ static long unsigned int last_time = 0;
|
||||||
|
+ static int last_had_cr = 1;
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
if (grub_debug_enabled (condition))
|
||||||
|
{
|
||||||
|
+#if DEBUG_WITH_TIMESTAMPS
|
||||||
|
+ /* Don't print timestamp if last printed message isn't terminated yet */
|
||||||
|
+ if (last_had_cr) {
|
||||||
|
+ long unsigned int tmabs = (long unsigned int) grub_get_time_ms();
|
||||||
|
+ long unsigned int tmrel = tmabs - last_time;
|
||||||
|
+ last_time = tmabs;
|
||||||
|
+ grub_printf ("%3lu.%03lus +%2lu.%03lus ", tmabs / 1000, tmabs % 1000, tmrel / 1000, tmrel % 1000);
|
||||||
|
+ }
|
||||||
|
+ if (fmt[grub_strlen(fmt)-1] == '\n')
|
||||||
|
+ last_had_cr = 1;
|
||||||
|
+ else
|
||||||
|
+ last_had_cr = 0;
|
||||||
|
+#endif
|
||||||
|
grub_printf ("%s:%d: ", file, line);
|
||||||
|
va_start (args, fmt);
|
||||||
|
grub_vprintf (fmt, args);
|
||||||
|
diff --git a/config.h.in b/config.h.in
|
||||||
|
index 9e8f9911b18..d15480b4163 100644
|
||||||
|
--- a/config.h.in
|
||||||
|
+++ b/config.h.in
|
||||||
|
@@ -12,6 +12,7 @@
|
||||||
|
/* Define to 1 to enable disk cache statistics. */
|
||||||
|
#define DISK_CACHE_STATS @DISK_CACHE_STATS@
|
||||||
|
#define BOOT_TIME_STATS @BOOT_TIME_STATS@
|
||||||
|
+#define DEBUG_WITH_TIMESTAMPS @DEBUG_WITH_TIMESTAMPS@
|
||||||
|
|
||||||
|
/* We don't need those. */
|
||||||
|
#define MINILZO_CFG_SKIP_LZO_PTR 1
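Review bot: `fmt[grub_strlen(fmt)-1]` in grub_real_dprintf reads one byte before the string when fmt is the empty string, because grub_strlen returns 0 and the index wraps; nothing in the function rules that out. I would compute the length once and guard it: `grub_size_t len = grub_strlen (fmt);` followed by `last_had_cr = (len > 0 && fmt[len - 1] == '\n');`, which also replaces the four-line if/else. A short comment next to the static, `/* Timestamp only at the start of a line; a trailing '\n' in fmt ends the line. */`, would explain the `last_had_cr` state. It is worth noting there that this tracks only the format string, not the expanded output (a trailing `%s` argument containing a newline is not seen), so a following message may still get its timestamp mid-line.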
|
@ -0,0 +1,47 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Sat, 23 Nov 2019 15:22:16 +0100
|
||||||
|
Subject: [PATCH] Added debug statements to grub_disk_open() and
|
||||||
|
grub_disk_close() on success
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/kern/disk.c | 6 +++++-
|
||||||
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/kern/disk.c b/grub-core/kern/disk.c
|
||||||
|
index 789f8c05233..7f58c561472 100644
|
||||||
|
--- a/grub-core/kern/disk.c
|
||||||
|
+++ b/grub-core/kern/disk.c
|
||||||
|
@@ -285,6 +285,8 @@ grub_disk_open (const char *name)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ grub_dprintf ("disk", "Opening `%s' succeeded.\n", name);
|
||||||
|
+
|
||||||
|
return disk;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -292,7 +294,7 @@ void
|
||||||
|
grub_disk_close (grub_disk_t disk)
|
||||||
|
{
|
||||||
|
grub_partition_t part;
|
||||||
|
- grub_dprintf ("disk", "Closing `%s'.\n", disk->name);
|
||||||
|
+ grub_dprintf ("disk", "Closing `%s'...\n", disk->name);
|
||||||
|
|
||||||
|
if (disk->dev && disk->dev->close)
|
||||||
|
(disk->dev->close) (disk);
|
||||||
|
@@ -306,8 +308,10 @@ grub_disk_close (grub_disk_t disk)
|
||||||
|
grub_free (disk->partition);
|
||||||
|
disk->partition = part;
|
||||||
|
}
|
||||||
|
+ grub_dprintf ("disk", "Closing `%s' succeeded.\n", disk->name);
|
||||||
|
grub_free ((void *) disk->name);
|
||||||
|
grub_free (disk);
|
||||||
|
+
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Small read (less than cache size and not pass across cache unit boundaries).
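Review bot: The new `Closing `%s' succeeded.` message in grub_disk_close is printed unconditionally even though nothing in the function checks an outcome — `disk->dev->close` is called without inspecting a result and the function returns void — so "succeeded" claims a check that does not exist. I would word it as what actually happened, e.g. `grub_dprintf ("disk", "Closed `%s'.\n", disk->name);`, and drop the stray blank line added before the closing brace. The matching `Opening ... succeeded` message in grub_disk_open is fine, since it sits after the failure return.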
|
@ -0,0 +1,51 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Mon, 25 Nov 2019 09:29:53 +0100
|
||||||
|
Subject: [PATCH] Introduce function grub_debug_is_enabled(void) returning 1 if
|
||||||
|
'debug' is in the environment and not empty
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/kern/misc.c | 13 +++++++++++++
|
||||||
|
include/grub/misc.h | 1 +
|
||||||
|
2 files changed, 14 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
||||||
|
index 11f2974fce5..97378c48b22 100644
|
||||||
|
--- a/grub-core/kern/misc.c
|
||||||
|
+++ b/grub-core/kern/misc.c
|
||||||
|
@@ -162,6 +162,19 @@ int grub_err_printf (const char *fmt, ...)
|
||||||
|
__attribute__ ((alias("grub_printf")));
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+/* Return 1 if 'debug' is set and not empty */
|
||||||
|
+int
|
||||||
|
+grub_debug_is_enabled (void)
|
||||||
|
+{
|
||||||
|
+ const char *debug;
|
||||||
|
+
|
||||||
|
+ debug = grub_env_get ("debug");
|
||||||
|
+ if (!debug || debug[0] == '\0')
|
||||||
|
+ return 0;
|
||||||
|
+
|
||||||
|
+ return 1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int
|
||||||
|
grub_debug_enabled (const char * condition)
|
||||||
|
{
|
||||||
|
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
||||||
|
index 1258ec6bbf3..6ca03c4d692 100644
|
||||||
|
--- a/include/grub/misc.h
|
||||||
|
+++ b/include/grub/misc.h
|
||||||
|
@@ -367,6 +367,7 @@ grub_puts (const char *s)
|
||||||
|
}
|
||||||
|
|
||||||
|
int EXPORT_FUNC(grub_puts_) (const char *s);
|
||||||
|
+int EXPORT_FUNC(grub_debug_is_enabled) (void);
|
||||||
|
int EXPORT_FUNC(grub_debug_enabled) (const char *condition);
|
||||||
|
void EXPORT_FUNC(grub_real_dprintf) (const char *file,
|
||||||
|
const int line,
|
@ -0,0 +1,27 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Sat, 23 Nov 2019 16:23:54 +0100
|
||||||
|
Subject: [PATCH] Don't clear screen when debugging is enabled
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/normal/main.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||||
|
index 04ae9ed02f6..59fd54eb0f1 100644
|
||||||
|
--- a/grub-core/normal/main.c
|
||||||
|
+++ b/grub-core/normal/main.c
|
||||||
|
@@ -204,7 +204,8 @@ void
|
||||||
|
grub_normal_init_page (struct grub_term_output *term,
|
||||||
|
int y __attribute__((__unused__)))
|
||||||
|
{
|
||||||
|
- grub_term_cls (term);
|
||||||
|
+ if (! grub_debug_is_enabled ())
|
||||||
|
+ grub_term_cls (term);
|
||||||
|
|
||||||
|
#if 0
|
||||||
|
grub_ssize_t msg_len;
|
@ -0,0 +1,71 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Fri, 29 Nov 2019 11:02:00 +0100
|
||||||
|
Subject: [PATCH] grub_file_* instrumentation (new 'file' debug tag)
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Signed-off-by: Renaud Métrich <rmetrich@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/kern/file.c | 14 ++++++++++++++
|
||||||
|
1 file changed, 14 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/kern/file.c b/grub-core/kern/file.c
|
||||||
|
index 668f8930b19..c2d9a550007 100644
|
||||||
|
--- a/grub-core/kern/file.c
|
||||||
|
+++ b/grub-core/kern/file.c
|
||||||
|
@@ -67,6 +67,8 @@ grub_file_open (const char *name)
|
||||||
|
const char *file_name;
|
||||||
|
grub_file_filter_id_t filter;
|
||||||
|
|
||||||
|
+ grub_dprintf ("file", "Opening `%s' ...\n", name);
|
||||||
|
+
|
||||||
|
device_name = grub_file_get_device_name (name);
|
||||||
|
if (grub_errno)
|
||||||
|
goto fail;
|
||||||
|
@@ -127,6 +129,8 @@ grub_file_open (const char *name)
|
||||||
|
grub_memcpy (grub_file_filters_enabled, grub_file_filters_all,
|
||||||
|
sizeof (grub_file_filters_enabled));
|
||||||
|
|
||||||
|
+ grub_dprintf ("file", "Opening `%s' succeeded.\n", name);
|
||||||
|
+
|
||||||
|
return file;
|
||||||
|
|
||||||
|
fail:
|
||||||
|
@@ -140,6 +144,8 @@ grub_file_open (const char *name)
|
||||||
|
grub_memcpy (grub_file_filters_enabled, grub_file_filters_all,
|
||||||
|
sizeof (grub_file_filters_enabled));
|
||||||
|
|
||||||
|
+ grub_dprintf ("file", "Opening `%s' failed.\n", name);
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -171,6 +177,7 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
|
||||||
|
|
||||||
|
if (len == 0)
|
||||||
|
return 0;
|
||||||
|
+
|
||||||
|
read_hook = file->read_hook;
|
||||||
|
read_hook_data = file->read_hook_data;
|
||||||
|
if (!file->read_hook)
|
||||||
|
@@ -191,11 +198,18 @@ grub_file_read (grub_file_t file, void *buf, grub_size_t len)
|
||||||
|
grub_err_t
|
||||||
|
grub_file_close (grub_file_t file)
|
||||||
|
{
|
||||||
|
+ grub_dprintf ("file", "Closing `%s' ...\n", file->name);
|
||||||
|
if (file->fs->close)
|
||||||
|
(file->fs->close) (file);
|
||||||
|
|
||||||
|
if (file->device)
|
||||||
|
grub_device_close (file->device);
|
||||||
|
+
|
||||||
|
+ if (grub_errno == GRUB_ERR_NONE)
|
||||||
|
+ grub_dprintf ("file", "Closing `%s' succeeded.\n", file->name);
|
||||||
|
+ else
|
||||||
|
+ grub_dprintf ("file", "Closing `%s' failed with %d.\n", file->name, grub_errno);
|
||||||
|
+
|
||||||
|
grub_free (file->name);
|
||||||
|
grub_free (file);
|
||||||
|
return grub_errno;
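Review bot: The `Closing ... failed with %d` branch in grub_file_close keys off `grub_errno`, which is not cleared on entry, so an error left over from an earlier, unrelated call is reported as a failure of this close (the existing `return grub_errno;` has the same property, but the new message now presents it as a diagnosis). I would at least say so next to the check, e.g. `/* grub_errno may already be set by the caller; this reports the state after close, not only close's own failure. */`, or snapshot grub_errno before `file->fs->close` and compare against it. Separately, the hunk in grub_file_read only adds a blank line after `return 0;`, which is stray whitespace in an instrumentation patch.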
|
SOURCES/0325-ieee1275-Avoiding-many-unecessary-open-close.patch
@ -0,0 +1,136 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
Date: Mon, 14 Dec 2020 17:42:45 +0100
|
||||||
|
Subject: [PATCH] ieee1275: Avoiding many unecessary open/close
|
||||||
|
|
||||||
|
Signed-off-by: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
---
|
||||||
|
grub-core/disk/ieee1275/ofdisk.c | 64 ++++++++++++++++++++++------------------
|
||||||
|
1 file changed, 35 insertions(+), 29 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/disk/ieee1275/ofdisk.c b/grub-core/disk/ieee1275/ofdisk.c
|
||||||
|
index d887d4b6eee..f3a6ecd797f 100644
|
||||||
|
--- a/grub-core/disk/ieee1275/ofdisk.c
|
||||||
|
+++ b/grub-core/disk/ieee1275/ofdisk.c
|
||||||
|
@@ -44,7 +44,7 @@ struct ofdisk_hash_ent
|
||||||
|
};
|
||||||
|
|
||||||
|
static grub_err_t
|
||||||
|
-grub_ofdisk_get_block_size (const char *device, grub_uint32_t *block_size,
|
||||||
|
+grub_ofdisk_get_block_size (grub_uint32_t *block_size,
|
||||||
|
struct ofdisk_hash_ent *op);
|
||||||
|
|
||||||
|
#define OFDISK_HASH_SZ 8
|
||||||
|
@@ -461,6 +461,7 @@ grub_ofdisk_open (const char *name, grub_disk_t disk)
|
||||||
|
grub_ssize_t actual;
|
||||||
|
grub_uint32_t block_size = 0;
|
||||||
|
grub_err_t err;
|
||||||
|
+ struct ofdisk_hash_ent *op;
|
||||||
|
|
||||||
|
if (grub_strncmp (name, "ieee1275/", sizeof ("ieee1275/") - 1) != 0)
|
||||||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE,
|
||||||
|
@@ -471,6 +472,35 @@ grub_ofdisk_open (const char *name, grub_disk_t disk)
|
||||||
|
|
||||||
|
grub_dprintf ("disk", "Opening `%s'.\n", devpath);
|
||||||
|
|
||||||
|
+ op = ofdisk_hash_find (devpath);
|
||||||
|
+ if (!op)
|
||||||
|
+ op = ofdisk_hash_add (devpath, NULL);
|
||||||
|
+ if (!op)
|
||||||
|
+ {
|
||||||
|
+ grub_free (devpath);
|
||||||
|
+ return grub_errno;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* Check if the call to open is the same to the last disk already opened */
|
||||||
|
+ if (last_devpath && !grub_strcmp(op->open_path,last_devpath))
|
||||||
|
+ {
|
||||||
|
+ goto finish;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If not, we need to close the previous disk and open the new one */
|
||||||
|
+ else {
|
||||||
|
+ if (last_ihandle){
|
||||||
|
+ grub_ieee1275_close (last_ihandle);
|
||||||
|
+ }
|
||||||
|
+ last_ihandle = 0;
|
||||||
|
+ last_devpath = NULL;
|
||||||
|
+
|
||||||
|
+ grub_ieee1275_open (op->open_path, &last_ihandle);
|
||||||
|
+ if (! last_ihandle)
|
||||||
|
+ return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "can't open device");
|
||||||
|
+ last_devpath = op->open_path;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (grub_ieee1275_finddevice (devpath, &dev))
|
||||||
|
{
|
||||||
|
grub_free (devpath);
|
||||||
|
@@ -491,25 +521,18 @@ grub_ofdisk_open (const char *name, grub_disk_t disk)
|
||||||
|
return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "not a block device");
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+ finish:
|
||||||
|
/* XXX: There is no property to read the number of blocks. There
|
||||||
|
should be a property `#blocks', but it is not there. Perhaps it
|
||||||
|
is possible to use seek for this. */
|
||||||
|
disk->total_sectors = GRUB_DISK_SIZE_UNKNOWN;
|
||||||
|
|
||||||
|
{
|
||||||
|
- struct ofdisk_hash_ent *op;
|
||||||
|
- op = ofdisk_hash_find (devpath);
|
||||||
|
- if (!op)
|
||||||
|
- op = ofdisk_hash_add (devpath, NULL);
|
||||||
|
- if (!op)
|
||||||
|
- {
|
||||||
|
- grub_free (devpath);
|
||||||
|
- return grub_errno;
|
||||||
|
- }
|
||||||
|
disk->id = (unsigned long) op;
|
||||||
|
disk->data = op->open_path;
|
||||||
|
|
||||||
|
- err = grub_ofdisk_get_block_size (devpath, &block_size, op);
|
||||||
|
+ err = grub_ofdisk_get_block_size (&block_size, op);
|
||||||
|
if (err)
|
||||||
|
{
|
||||||
|
grub_free (devpath);
|
||||||
|
@@ -532,13 +555,6 @@ grub_ofdisk_open (const char *name, grub_disk_t disk)
|
||||||
|
static void
|
||||||
|
grub_ofdisk_close (grub_disk_t disk)
|
||||||
|
{
|
||||||
|
- if (disk->data == last_devpath)
|
||||||
|
- {
|
||||||
|
- if (last_ihandle)
|
||||||
|
- grub_ieee1275_close (last_ihandle);
|
||||||
|
- last_ihandle = 0;
|
||||||
|
- last_devpath = NULL;
|
||||||
|
- }
|
||||||
|
disk->data = 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -685,7 +701,7 @@ grub_ofdisk_init (void)
|
||||||
|
}
|
||||||
|
|
||||||
|
static grub_err_t
|
||||||
|
-grub_ofdisk_get_block_size (const char *device, grub_uint32_t *block_size,
|
||||||
|
+grub_ofdisk_get_block_size (grub_uint32_t *block_size,
|
||||||
|
struct ofdisk_hash_ent *op)
|
||||||
|
{
|
||||||
|
struct size_args_ieee1275
|
||||||
|
@@ -698,16 +714,6 @@ grub_ofdisk_get_block_size (const char *device, grub_uint32_t *block_size,
|
||||||
|
grub_ieee1275_cell_t size2;
|
||||||
|
} args_ieee1275;
|
||||||
|
|
||||||
|
- if (last_ihandle)
|
||||||
|
- grub_ieee1275_close (last_ihandle);
|
||||||
|
-
|
||||||
|
- last_ihandle = 0;
|
||||||
|
- last_devpath = NULL;
|
||||||
|
-
|
||||||
|
- grub_ieee1275_open (device, &last_ihandle);
|
||||||
|
- if (! last_ihandle)
|
||||||
|
- return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "can't open device");
|
||||||
|
-
|
||||||
|
*block_size = 0;
|
||||||
|
|
||||||
|
if (op->block_size_fails >= 2)
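Review bot: The new early return in grub_ofdisk_open after `grub_ieee1275_open (op->open_path, &last_ihandle)` fails leaks `devpath`: every other failure path in this function frees it (the `ofdisk_hash_add` failure just above, the `grub_ieee1275_finddevice` failure below, and the `grub_ofdisk_get_block_size` error path), but this one returns straight from grub_error. Change it to `{ grub_free (devpath); return grub_error (GRUB_ERR_UNKNOWN_DEVICE, "can't open device"); }`. A comment at the `finish:` label should state that the fast path deliberately skips finddevice and the "not a block device" check because the cached handle was validated on its first open, and that grub_ofdisk_close now intentionally leaves `last_ihandle` open so the next open of the same path can reuse it. grub_ofdisk_open starts and ends outside the hunk.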
|
@ -0,0 +1,90 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
Date: Mon, 14 Dec 2020 17:45:28 +0100
|
||||||
|
Subject: [PATCH] ieee1275/powerpc: implements fibre channel discovery for
|
||||||
|
ofpathname
|
||||||
|
|
||||||
|
grub-ofpathname doesn't work with fibre channel because there is no
|
||||||
|
function currently implemented for it.
|
||||||
|
This patch enables it by prividing a function that looks for the port
|
||||||
|
name, building the entire path for OF devices.
|
||||||
|
|
||||||
|
Signed-off-by: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
---
|
||||||
|
grub-core/osdep/linux/ofpath.c | 49 ++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 49 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
|
||||||
|
index a6153d35954..0f5d54e9f2d 100644
|
||||||
|
--- a/grub-core/osdep/linux/ofpath.c
|
||||||
|
+++ b/grub-core/osdep/linux/ofpath.c
|
||||||
|
@@ -350,6 +350,38 @@ of_path_of_ide(const char *sys_devname __attribute__((unused)), const char *devi
|
||||||
|
return ret;
|
||||||
|
}
|
||||||
|
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+of_fc_port_name(const char *path, const char *subpath, char *port_name)
|
||||||
|
+{
|
||||||
|
+ char *bname, *basepath, *p;
|
||||||
|
+ int fd;
|
||||||
|
+
|
||||||
|
+ bname = xmalloc(sizeof(char)*150);
|
||||||
|
+ basepath = xmalloc(strlen(path));
|
||||||
|
+
|
||||||
|
+ /* Generate the path to get port name information from the drive */
|
||||||
|
+ strncpy(basepath,path,subpath-path);
|
||||||
|
+ basepath[subpath-path-1] = '\0';
|
||||||
|
+ p = get_basename(basepath);
|
||||||
|
+ snprintf(bname,sizeof(char)*150,"%s/fc_transport/%s/port_name",basepath,p);
|
||||||
|
+
|
||||||
|
+ /* Read the information from the port name */
|
||||||
|
+ fd = open (bname, O_RDONLY);
|
||||||
|
+ if (fd < 0)
|
||||||
|
+ grub_util_error (_("cannot open `%s': %s"), bname, strerror (errno));
|
||||||
|
+
|
||||||
|
+ if (read(fd,port_name,sizeof(char)*19) < 0)
|
||||||
|
+ grub_util_error (_("cannot read `%s': %s"), bname, strerror (errno));
|
||||||
|
+
|
||||||
|
+ sscanf(port_name,"0x%s",port_name);
|
||||||
|
+
|
||||||
|
+ close(fd);
|
||||||
|
+
|
||||||
|
+ free(bname);
|
||||||
|
+ free(basepath);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
#ifdef __sparc__
|
||||||
|
static char *
|
||||||
|
of_path_of_nvme(const char *sys_devname __attribute__((unused)),
|
||||||
|
@@ -577,6 +609,16 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev
|
||||||
|
digit_string = trailing_digits (device);
|
||||||
|
if (strncmp (of_path, "/vdevice/", sizeof ("/vdevice/") - 1) == 0)
|
||||||
|
{
|
||||||
|
+ if(strstr(of_path,"vfc-client"))
|
||||||
|
+ {
|
||||||
|
+ char * port_name = xmalloc(sizeof(char)*17);
|
||||||
|
+ of_fc_port_name(sysfs_path, p, port_name);
|
||||||
|
+
|
||||||
|
+ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
|
||||||
|
+ free(port_name);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
unsigned long id = 0x8000 | (tgt << 8) | (bus << 5) | lun;
|
||||||
|
if (*digit_string == '\0')
|
||||||
|
{
|
||||||
|
@@ -590,6 +632,13 @@ of_path_of_scsi(const char *sys_devname __attribute__((unused)), const char *dev
|
||||||
|
snprintf(disk, sizeof (disk),
|
||||||
|
"/%s@%04lx000000000000:%c", disk_name, id, 'a' + (part - 1));
|
||||||
|
}
|
||||||
|
+ }
|
||||||
|
+ } else if (strstr(of_path,"fibre-channel")||(strstr(of_path,"vfc-client"))){
|
||||||
|
+ char * port_name = xmalloc(sizeof(char)*17);
|
||||||
|
+ of_fc_port_name(sysfs_path, p, port_name);
|
||||||
|
+
|
||||||
|
+ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
|
||||||
|
+ free(port_name);
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
@ -0,0 +1,106 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
Date: Mon, 14 Dec 2020 17:47:16 +0100
|
||||||
|
Subject: [PATCH] ieee1275/powerpc: enables device mapper discovery
|
||||||
|
|
||||||
|
this patch enables the device mapper discovery on ofpath.c. Currently,
|
||||||
|
when we are dealing with a device like /dev/dm-* the ofpath returns null
|
||||||
|
since there is no function implemented to handle this case.
|
||||||
|
|
||||||
|
This patch implements a function that will look into /sys/block/dm-*
|
||||||
|
devices and search recursively inside slaves directory to find the root
|
||||||
|
disk.
|
||||||
|
|
||||||
|
Signed-off-by: Diego Domingos <diegodo@br.ibm.com>
|
||||||
|
---
|
||||||
|
grub-core/osdep/linux/ofpath.c | 64 +++++++++++++++++++++++++++++++++++++++++-
|
||||||
|
1 file changed, 63 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
|
||||||
|
index 0f5d54e9f2d..cc849d9c94c 100644
|
||||||
|
--- a/grub-core/osdep/linux/ofpath.c
|
||||||
|
+++ b/grub-core/osdep/linux/ofpath.c
|
||||||
|
@@ -37,6 +37,7 @@
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <errno.h>
|
||||||
|
#include <ctype.h>
|
||||||
|
+#include <dirent.h>
|
||||||
|
|
||||||
|
#ifdef __sparc__
|
||||||
|
typedef enum
|
||||||
|
@@ -755,13 +756,74 @@ strip_trailing_digits (const char *p)
|
||||||
|
return new;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static char *
|
||||||
|
+get_slave_from_dm(const char * device){
|
||||||
|
+ char *curr_device, *tmp;
|
||||||
|
+ char *directory;
|
||||||
|
+ char *ret = NULL;
|
||||||
|
+
|
||||||
|
+ directory = grub_strdup (device);
|
||||||
|
+ tmp = get_basename(directory);
|
||||||
|
+ curr_device = grub_strdup (tmp);
|
||||||
|
+ *tmp = '\0';
|
||||||
|
+
|
||||||
|
+ /* Recursively check for slaves devices so we can find the root device */
|
||||||
|
+ while ((curr_device[0] == 'd') && (curr_device[1] == 'm') && (curr_device[2] == '-')){
|
||||||
|
+ DIR *dp;
|
||||||
|
+ struct dirent *ep;
|
||||||
|
+ char* device_path;
|
||||||
|
+
|
||||||
|
+ device_path = grub_xasprintf ("/sys/block/%s/slaves", curr_device);
|
||||||
|
+ dp = opendir(device_path);
|
||||||
|
+ free(device_path);
|
||||||
|
+
|
||||||
|
+ if (dp != NULL)
|
||||||
|
+ {
|
||||||
|
+ ep = readdir (dp);
|
||||||
|
+ while (ep != NULL){
|
||||||
|
+
|
||||||
|
+ /* avoid some system directories */
|
||||||
|
+ if (!strcmp(ep->d_name,"."))
|
||||||
|
+ goto next_dir;
|
||||||
|
+ if (!strcmp(ep->d_name,".."))
|
||||||
|
+ goto next_dir;
|
||||||
|
+
|
||||||
|
+ free (curr_device);
|
||||||
|
+ free (ret);
|
||||||
|
+ curr_device = grub_strdup (ep->d_name);
|
||||||
|
+ ret = grub_xasprintf ("%s%s", directory, curr_device);
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
+ next_dir:
|
||||||
|
+ ep = readdir (dp);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+ closedir (dp);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ grub_util_warn (_("cannot open directory `%s'"), device_path);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ free (directory);
|
||||||
|
+ free (curr_device);
|
||||||
|
+
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
char *
|
||||||
|
grub_util_devname_to_ofpath (const char *sys_devname)
|
||||||
|
{
|
||||||
|
- char *name_buf, *device, *devnode, *devicenode, *ofpath;
|
||||||
|
+ char *name_buf, *device, *devnode, *devicenode, *ofpath, *realname;
|
||||||
|
|
||||||
|
name_buf = xrealpath (sys_devname);
|
||||||
|
|
||||||
|
+ realname = get_slave_from_dm (name_buf);
|
||||||
|
+ if (realname)
|
||||||
|
+ {
|
||||||
|
+ free (name_buf);
|
||||||
|
+ name_buf = realname;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
device = get_basename (name_buf);
|
||||||
|
devnode = strip_trailing_digits (name_buf);
|
||||||
|
devicenode = strip_trailing_digits (device);
|
@ -0,0 +1,239 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Renaud=20M=C3=A9trich?= <rmetrich@redhat.com>
|
||||||
|
Date: Fri, 18 Dec 2020 15:39:26 +0100
|
||||||
|
Subject: [PATCH] Add 'at_keyboard_fallback_set' var to force the set manually
|
||||||
|
|
||||||
|
This seems required with HP DL380p Gen 8 systems.
|
||||||
|
Indeed, with this system, we can see the following sequence:
|
||||||
|
|
||||||
|
1. controller is queried to get current configuration (returns 0x30 which is quite standard)
|
||||||
|
2. controller is queried to get the current keyboard set in used, using code 0xf0 (first part)
|
||||||
|
3. controller answers with 0xfa which means "ACK" (== ok)
|
||||||
|
4. then we send "0" to tell "we want to know which set your are supporting"
|
||||||
|
5. controller answers with 0xfa ("ACK")
|
||||||
|
6. controller should then give us 1, 2, 3 or 0x43, 0x41, 0x3f, but here it gives us 0xfe which means "NACK"
|
||||||
|
|
||||||
|
Since there seems no way to determine the current set, and in fact the
|
||||||
|
controller expects set2 to be used, we need to rely on an environment
|
||||||
|
variable.
|
||||||
|
Everything has been tested on this system: using 0xFE (resend command),
|
||||||
|
making sure we wait for ACK in the 2 steps "write_mode", etc.
|
||||||
|
|
||||||
|
Below is litterature I used to come up with "there is no other
|
||||||
|
solution":
|
||||||
|
- https://wiki.osdev.org/%228042%22_PS/2_Controller
|
||||||
|
- http://www-ug.eecg.toronto.edu/msl/nios_devices/datasheets/PS2%20Keyboard%20Protocol.htm
|
||||||
|
- http://www.s100computers.com/My%20System%20Pages/MSDOS%20Board/PC%20Keyboard.pdf
|
||||||
|
---
|
||||||
|
grub-core/term/at_keyboard.c | 121 ++++++++++++++++++++++++++++++++++---------
|
||||||
|
1 file changed, 96 insertions(+), 25 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/term/at_keyboard.c b/grub-core/term/at_keyboard.c
|
||||||
|
index 69d99b61df5..c805cccbdde 100644
|
||||||
|
--- a/grub-core/term/at_keyboard.c
|
||||||
|
+++ b/grub-core/term/at_keyboard.c
|
||||||
|
@@ -31,6 +31,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
static grub_uint8_t grub_keyboard_controller_orig;
|
||||||
|
static grub_uint8_t grub_keyboard_orig_set;
|
||||||
|
struct grub_ps2_state ps2_state;
|
||||||
|
+static int fallback_set;
|
||||||
|
|
||||||
|
static int ping_sent;
|
||||||
|
|
||||||
|
@@ -76,6 +77,8 @@ at_command (grub_uint8_t data)
|
||||||
|
break;
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
+ if (i == GRUB_AT_TRIES)
|
||||||
|
+ grub_dprintf ("atkeyb", "at_command() timed out! (stopped after %d tries)\n", i);
|
||||||
|
return (i != GRUB_AT_TRIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -105,6 +108,21 @@ grub_keyboard_controller_read (void)
|
||||||
|
|
||||||
|
#endif
|
||||||
|
|
||||||
|
+static int
|
||||||
|
+resend_last_result (void)
|
||||||
|
+{
|
||||||
|
+ grub_uint8_t ret;
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: sending 0xfe\n");
|
||||||
|
+ grub_outb (0xfe, KEYBOARD_REG_DATA);
|
||||||
|
+ ret = wait_ack ();
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: wait_ack() returned 0x%x\n", ret);
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
+ grub_dprintf ("atkeyb", "resend_last_result: read 0x%x from controller\n", ret);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static int
|
||||||
|
write_mode (int mode)
|
||||||
|
{
|
||||||
|
@@ -113,11 +131,14 @@ write_mode (int mode)
|
||||||
|
{
|
||||||
|
grub_uint8_t ack;
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: sending 0xf0\n");
|
||||||
|
grub_outb (0xf0, KEYBOARD_REG_DATA);
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: sending mode %d\n", mode);
|
||||||
|
grub_outb (mode, KEYBOARD_REG_DATA);
|
||||||
|
keyboard_controller_wait_until_ready ();
|
||||||
|
ack = wait_ack ();
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode: wait_ack() returned 0x%x\n", ack);
|
||||||
|
if (ack == GRUB_AT_NACK)
|
||||||
|
continue;
|
||||||
|
if (ack == GRUB_AT_ACK)
|
||||||
|
@@ -125,6 +146,9 @@ write_mode (int mode)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (i == GRUB_AT_TRIES)
|
||||||
|
+ grub_dprintf ("atkeyb", "write_mode() timed out! (stopped after %d tries)\n", i);
|
||||||
|
+
|
||||||
|
return (i != GRUB_AT_TRIES);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -132,31 +156,66 @@ static int
|
||||||
|
query_mode (void)
|
||||||
|
{
|
||||||
|
grub_uint8_t ret;
|
||||||
|
+ grub_uint64_t endtime;
|
||||||
|
+ unsigned i;
|
||||||
|
int e;
|
||||||
|
+ char *envvar;
|
||||||
|
|
||||||
|
- e = write_mode (0);
|
||||||
|
- if (!e) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: write_mode(0) failed\n");
|
||||||
|
- return 0;
|
||||||
|
- }
|
||||||
|
+ for (i = 0; i < GRUB_AT_TRIES; i++) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: sending command to controller\n");
|
||||||
|
+ e = write_mode (0);
|
||||||
|
+ if (!e) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: write_mode(0) failed\n");
|
||||||
|
+ return 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
- do {
|
||||||
|
- keyboard_controller_wait_until_ready ();
|
||||||
|
- ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
- } while (ret == GRUB_AT_ACK);
|
||||||
|
- /* QEMU translates the set even in no-translate mode. */
|
||||||
|
- if (ret == 0x43 || ret == 1) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 1 (ret=0x%x)\n", ret);
|
||||||
|
- return 1;
|
||||||
|
- }
|
||||||
|
- if (ret == 0x41 || ret == 2) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 2 (ret=0x%x)\n", ret);
|
||||||
|
- return 2;
|
||||||
|
+ endtime = grub_get_time_ms () + 20;
|
||||||
|
+ do {
|
||||||
|
+ keyboard_controller_wait_until_ready ();
|
||||||
|
+ ret = grub_inb (KEYBOARD_REG_DATA);
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode/loop: read 0x%x from controller\n", ret);
|
||||||
|
+ } while ((ret == GRUB_AT_ACK || ret == GRUB_AT_NACK) && grub_get_time_ms () < endtime);
|
||||||
|
+ if (ret == 0xfe) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: asking controller to resend last result\n");
|
||||||
|
+ ret = resend_last_result();
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: read 0x%x from controller\n", ret);
|
||||||
|
+ }
|
||||||
|
+ /* QEMU translates the set even in no-translate mode. */
|
||||||
|
+ if (ret == 0x43 || ret == 1) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 1\n", ret);
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x41 || ret == 2) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 2\n", ret);
|
||||||
|
+ return 2;
|
||||||
|
+ }
|
||||||
|
+ if (ret == 0x3f || ret == 3) {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned 0x%x, returning 3\n", ret);
|
||||||
|
+ return 3;
|
||||||
|
+ }
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: controller returned unexpected value 0x%x, retrying\n", ret);
|
||||||
|
}
|
||||||
|
- if (ret == 0x3f || ret == 3) {
|
||||||
|
- grub_dprintf("atkeyb", "query_mode: returning 3 (ret=0x%x)\n", ret);
|
||||||
|
- return 3;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Falling here means we tried querying and the controller returned something
|
||||||
|
+ * we don't understand, try to use 'at_keyboard_fallback_set' if it exists,
|
||||||
|
+ * otherwise return 0.
|
||||||
|
+ */
|
||||||
|
+ envvar = grub_env_get ("at_keyboard_fallback_set");
|
||||||
|
+ if (envvar) {
|
||||||
|
+ fallback_set = grub_strtoul (envvar, 0, 10);
|
||||||
|
+ if ((grub_errno) || (fallback_set < 1) || (fallback_set > 3)) {
|
||||||
|
+ grub_dprintf ("atkeyb", "WARNING: ignoring unexpected value '%s' for '%s' variable\n",
|
||||||
|
+ envvar, "at_keyboard_fallback_set");
|
||||||
|
+ fallback_set = 0;
|
||||||
|
+ } else {
|
||||||
|
+ grub_dprintf ("atkeyb", "query_mode: '%s' specified in environment, returning %d\n",
|
||||||
|
+ "at_keyboard_fallback_set", fallback_set);
|
||||||
|
+ }
|
||||||
|
+ return fallback_set;
|
||||||
|
}
|
||||||
|
+ grub_dprintf ("atkeyb", "WARNING: no '%s' specified in environment, returning 0\n",
|
||||||
|
+ "at_keyboard_fallback_set");
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -165,14 +224,25 @@ set_scancodes (void)
|
||||||
|
{
|
||||||
|
/* You must have visited computer museum. Keyboard without scancode set
|
||||||
|
knowledge. Assume XT. */
|
||||||
|
- if (!grub_keyboard_orig_set)
|
||||||
|
- {
|
||||||
|
- grub_dprintf ("atkeyb", "No sets support assumed\n");
|
||||||
|
- ps2_state.current_set = 1;
|
||||||
|
+ if (!grub_keyboard_orig_set) {
|
||||||
|
+ if (fallback_set) {
|
||||||
|
+ grub_dprintf ("atkeyb", "No sets support assumed but set forced to %d\n", fallback_set);
|
||||||
|
+ ps2_state.current_set = fallback_set;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
+ grub_dprintf ("atkeyb", "No sets support assumed, forcing to set 1\n");
|
||||||
|
+ ps2_state.current_set = 1;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
#if !USE_SCANCODE_SET
|
||||||
|
+ if (fallback_set) {
|
||||||
|
+ grub_dprintf ("atkeyb", "queried set is %d but set forced to %d\n",
|
||||||
|
+ grub_keyboard_orig_set, fallback_set);
|
||||||
|
+ ps2_state.current_set = fallback_set;
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((grub_keyboard_controller_orig & KEYBOARD_AT_TRANSLATE) == KEYBOARD_AT_TRANSLATE) {
|
||||||
|
grub_dprintf ("atkeyb", "queried set is %d but keyboard in Translate mode, so actually in set 1\n", grub_keyboard_orig_set);
|
||||||
|
ps2_state.current_set = 1;
|
||||||
|
@@ -261,6 +331,7 @@ grub_at_keyboard_getkey (struct grub_term_input *term __attribute__ ((unused)))
|
||||||
|
static void
|
||||||
|
grub_keyboard_controller_init (void)
|
||||||
|
{
|
||||||
|
+ grub_dprintf ("atkeyb", "initializing the controller\n");
|
||||||
|
ps2_state.at_keyboard_status = 0;
|
||||||
|
/* Drain input buffer. */
|
||||||
|
while (1)
|
||||||
|
@@ -282,6 +353,7 @@ grub_keyboard_controller_init (void)
|
||||||
|
grub_keyboard_controller_orig = grub_keyboard_controller_read ();
|
||||||
|
grub_dprintf ("atkeyb", "grub_keyboard_controller_orig = 0x%x\n", grub_keyboard_controller_orig);
|
||||||
|
grub_keyboard_orig_set = query_mode ();
|
||||||
|
+ grub_dprintf ("atkeyb", "grub_keyboard_orig_set = %d\n", grub_keyboard_orig_set);
|
||||||
|
#endif
|
||||||
|
set_scancodes ();
|
||||||
|
keyboard_controller_led (ps2_state.led_status);
|
||||||
|
@@ -329,7 +401,6 @@ grub_at_restore_hw (void)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
-
|
||||||
|
static struct grub_term_input grub_at_keyboard_term =
|
||||||
|
{
|
||||||
|
.name = "at_keyboard",
|
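Review bot: In the fallback branch of query_mode the `grub_errno` raised by a failed `grub_strtoul` is tested but never cleared, so after the WARNING is logged and `fallback_set = 0` is chosen the error stays pending for whatever calls grub_print_error next, and conversely a grub_errno left over from earlier code would make a valid `at_keyboard_fallback_set` value look invalid. Reset it around the parse: `grub_errno = GRUB_ERR_NONE;` immediately before `fallback_set = grub_strtoul (envvar, 0, 10);`, and the same assignment inside the rejection branch next to `fallback_set = 0;`. Note also that `fallback_set` is a file-scope `int` receiving an `unsigned long`; the range check keeps it in 1..3, but a short comment on the declaration saying it is only non-zero when the controller query failed would help, since set_scancodes reads it in two places. The remaining hunks in this file only add debug output and the forced-set override and read fine.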
@ -0,0 +1,60 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Date: Mon, 29 Oct 2018 13:25:25 +0100
|
||||||
|
Subject: [PATCH] bufio: Use grub_size_t instead of plain int for size
|
||||||
|
|
||||||
|
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
|
||||||
|
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
|
||||||
|
(cherry picked from commit f3f8347569383e7f483f37ca70d41eb1af9f990f)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/io/bufio.c | 6 +++---
|
||||||
|
include/grub/bufio.h | 4 ++--
|
||||||
|
2 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/io/bufio.c b/grub-core/io/bufio.c
|
||||||
|
index 6118bade50d..2781afe0515 100644
|
||||||
|
--- a/grub-core/io/bufio.c
|
||||||
|
+++ b/grub-core/io/bufio.c
|
||||||
|
@@ -43,7 +43,7 @@ typedef struct grub_bufio *grub_bufio_t;
|
||||||
|
static struct grub_fs grub_bufio_fs;
|
||||||
|
|
||||||
|
grub_file_t
|
||||||
|
-grub_bufio_open (grub_file_t io, int size)
|
||||||
|
+grub_bufio_open (grub_file_t io, grub_size_t size)
|
||||||
|
{
|
||||||
|
grub_file_t file;
|
||||||
|
grub_bufio_t bufio = 0;
|
||||||
|
@@ -57,7 +57,7 @@ grub_bufio_open (grub_file_t io, int size)
|
||||||
|
else if (size > GRUB_BUFIO_MAX_SIZE)
|
||||||
|
size = GRUB_BUFIO_MAX_SIZE;
|
||||||
|
|
||||||
|
- if ((size < 0) || ((unsigned) size > io->size))
|
||||||
|
+ if (size > io->size)
|
||||||
|
size = ((io->size > GRUB_BUFIO_MAX_SIZE) ? GRUB_BUFIO_MAX_SIZE :
|
||||||
|
io->size);
|
||||||
|
|
||||||
|
@@ -88,7 +88,7 @@ grub_bufio_open (grub_file_t io, int size)
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_file_t
|
||||||
|
-grub_buffile_open (const char *name, int size)
|
||||||
|
+grub_buffile_open (const char *name, grub_size_t size)
|
||||||
|
{
|
||||||
|
grub_file_t io, file;
|
||||||
|
|
||||||
|
diff --git a/include/grub/bufio.h b/include/grub/bufio.h
|
||||||
|
index acdd0c882c6..77eb8ee5672 100644
|
||||||
|
--- a/include/grub/bufio.h
|
||||||
|
+++ b/include/grub/bufio.h
|
||||||
|
@@ -22,7 +22,7 @@
|
||||||
|
|
||||||
|
#include <grub/file.h>
|
||||||
|
|
||||||
|
-grub_file_t EXPORT_FUNC (grub_bufio_open) (grub_file_t io, int size);
|
||||||
|
-grub_file_t EXPORT_FUNC (grub_buffile_open) (const char *name, int size);
|
||||||
|
+grub_file_t EXPORT_FUNC (grub_bufio_open) (grub_file_t io, grub_size_t size);
|
||||||
|
+grub_file_t EXPORT_FUNC (grub_buffile_open) (const char *name, grub_size_t size);
|
||||||
|
|
||||||
|
#endif /* ! GRUB_BUFIO_H */
|
SOURCES/0331-verifiers-Framework-core.patch
@ -0,0 +1,520 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vladimir Serbinenko <phcoder@gmail.com>
|
||||||
|
Date: Tue, 7 Feb 2017 02:10:14 +0100
|
||||||
|
Subject: [PATCH] verifiers: Add possibility to verify kernel and modules
|
||||||
|
command lines
|
||||||
|
|
||||||
|
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
|
||||||
|
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
|
||||||
|
(backported from 4d4a8c96e3593d76fe7b025665ccdecc70a53c1f)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 14 ++++++++++++++
|
||||||
|
grub-core/lib/cmdline.c | 7 ++++---
|
||||||
|
grub-core/loader/arm/linux.c | 8 ++++++--
|
||||||
|
grub-core/loader/arm64/linux.c | 10 +++++++---
|
||||||
|
grub-core/loader/i386/bsd.c | 6 ++++++
|
||||||
|
grub-core/loader/i386/linux.c | 16 +++++++++++-----
|
||||||
|
grub-core/loader/i386/multiboot_mbi.c | 16 ++++++++++------
|
||||||
|
grub-core/loader/i386/pc/linux.c | 13 ++++++++-----
|
||||||
|
grub-core/loader/i386/pc/plan9.c | 11 +++++++++++
|
||||||
|
grub-core/loader/i386/xen.c | 7 +++++++
|
||||||
|
grub-core/loader/ia64/efi/linux.c | 7 +++++++
|
||||||
|
grub-core/loader/mips/linux.c | 8 ++++++++
|
||||||
|
grub-core/loader/multiboot_mbi2.c | 8 +++-----
|
||||||
|
grub-core/loader/powerpc/ieee1275/linux.c | 5 +++--
|
||||||
|
grub-core/loader/sparc64/ieee1275/linux.c | 5 +++--
|
||||||
|
grub-core/loader/xnu.c | 9 +++++++++
|
||||||
|
include/grub/lib/cmdline.h | 5 +++--
|
||||||
|
include/grub/verify.h | 11 +++++++++++
|
||||||
|
18 files changed, 131 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index fde88318d4c..59ea418a2d9 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -186,6 +186,20 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
+grub_err_t
|
||||||
|
+grub_verify_string (char *str, enum grub_verify_string_type type)
|
||||||
|
+{
|
||||||
|
+ struct grub_file_verifier *ver;
|
||||||
|
+ FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
|
||||||
|
+ {
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ err = ver->verify_string ? ver->verify_string (str, type) : GRUB_ERR_NONE;
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
+ }
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
GRUB_MOD_INIT(verifiers)
|
||||||
|
{
|
||||||
|
grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
|
||||||
|
diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
|
||||||
|
index d5c12957cad..463c3c65c79 100644
|
||||||
|
--- a/grub-core/lib/cmdline.c
|
||||||
|
+++ b/grub-core/lib/cmdline.c
|
||||||
|
@@ -75,8 +75,9 @@ unsigned int grub_loader_cmdline_size (int argc, char *argv[])
|
||||||
|
return size;
|
||||||
|
}
|
||||||
|
|
||||||
|
-int grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
- grub_size_t size)
|
||||||
|
+grub_err_t
|
||||||
|
+grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
+ grub_size_t size, enum grub_verify_string_type type)
|
||||||
|
{
|
||||||
|
int i, space;
|
||||||
|
unsigned int arg_size;
|
||||||
|
@@ -130,5 +131,5 @@ int grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
"grub_kernel_cmdline", orig);
|
||||||
|
grub_print_error();
|
||||||
|
|
||||||
|
- return i;
|
||||||
|
+ return grub_verify_string (orig, type);
|
||||||
|
}
|
||||||
|
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
||||||
|
index ea29d7a724a..beceda52030 100644
|
||||||
|
--- a/grub-core/loader/arm/linux.c
|
||||||
|
+++ b/grub-core/loader/arm/linux.c
|
||||||
|
@@ -28,6 +28,7 @@
|
||||||
|
#include <grub/cpu/linux.h>
|
||||||
|
#include <grub/lib/cmdline.h>
|
||||||
|
#include <grub/linux.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -383,8 +384,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
|
||||||
|
/* Create kernel command line. */
|
||||||
|
grub_memcpy (linux_args, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv,
|
||||||
|
- linux_args + sizeof (LINUX_IMAGE) - 1, size);
|
||||||
|
+ err = grub_create_loader_cmdline (argc, argv,
|
||||||
|
+ linux_args + sizeof (LINUX_IMAGE) - 1, size,
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
|
||||||
|
index 7a076c13171..48ea66596ad 100644
|
||||||
|
--- a/grub-core/loader/arm64/linux.c
|
||||||
|
+++ b/grub-core/loader/arm64/linux.c
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
#include <grub/efi/pe32.h>
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/lib/cmdline.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -403,9 +404,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
grub_memcpy (linux_args, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv,
|
||||||
|
- linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- cmdline_size);
|
||||||
|
+ err = grub_create_loader_cmdline (argc, argv,
|
||||||
|
+ linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
+ cmdline_size,
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
|
||||||
|
if (grub_errno == GRUB_ERR_NONE)
|
||||||
|
{
|
||||||
|
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
|
||||||
|
index 8306b415abd..45a71509956 100644
|
||||||
|
--- a/grub-core/loader/i386/bsd.c
|
||||||
|
+++ b/grub-core/loader/i386/bsd.c
|
||||||
|
@@ -36,6 +36,7 @@
|
||||||
|
#include <grub/bsdlabel.h>
|
||||||
|
#include <grub/crypto.h>
|
||||||
|
#include <grub/safemath.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
#ifdef GRUB_MACHINE_PCBIOS
|
||||||
|
#include <grub/machine/int.h>
|
||||||
|
#endif
|
||||||
|
@@ -418,6 +419,8 @@ grub_freebsd_add_meta_module (const char *filename, const char *type,
|
||||||
|
grub_addr_t addr, grub_uint32_t size)
|
||||||
|
{
|
||||||
|
const char *name;
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
name = grub_strrchr (filename, '/');
|
||||||
|
if (name)
|
||||||
|
name++;
|
||||||
|
@@ -471,6 +474,9 @@ grub_freebsd_add_meta_module (const char *filename, const char *type,
|
||||||
|
*(p++) = ' ';
|
||||||
|
}
|
||||||
|
*p = 0;
|
||||||
|
+ err = grub_verify_string (cmdline, GRUB_VERIFY_MODULE_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
||||||
|
index aa2cbc4e7eb..ef8fcb9e1b6 100644
|
||||||
|
--- a/grub-core/loader/i386/linux.c
|
||||||
|
+++ b/grub-core/loader/i386/linux.c
|
||||||
|
@@ -1039,11 +1039,17 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (!linux_cmdline)
|
||||||
|
goto fail;
|
||||||
|
grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv,
|
||||||
|
- linux_cmdline
|
||||||
|
- + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- maximal_cmdline_size
|
||||||
|
- - (sizeof (LINUX_IMAGE) - 1));
|
||||||
|
+ {
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ err = grub_create_loader_cmdline (argc, argv,
|
||||||
|
+ linux_cmdline
|
||||||
|
+ + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
+ maximal_cmdline_size
|
||||||
|
+ - (sizeof (LINUX_IMAGE) - 1),
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
len = prot_file_size;
|
||||||
|
grub_memcpy (prot_mode_mem, kernel + kernel_offset, len);
|
||||||
|
diff --git a/grub-core/loader/i386/multiboot_mbi.c b/grub-core/loader/i386/multiboot_mbi.c
|
||||||
|
index 9d3466d6ace..525446b5687 100644
|
||||||
|
--- a/grub-core/loader/i386/multiboot_mbi.c
|
||||||
|
+++ b/grub-core/loader/i386/multiboot_mbi.c
|
||||||
|
@@ -676,10 +676,8 @@ grub_multiboot_init_mbi (int argc, char *argv[])
|
||||||
|
return grub_errno;
|
||||||
|
cmdline_size = len;
|
||||||
|
|
||||||
|
- grub_create_loader_cmdline (argc, argv, cmdline,
|
||||||
|
- cmdline_size);
|
||||||
|
-
|
||||||
|
- return GRUB_ERR_NONE;
|
||||||
|
+ return grub_create_loader_cmdline (argc, argv, cmdline,
|
||||||
|
+ cmdline_size, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_err_t
|
||||||
|
@@ -688,6 +686,7 @@ grub_multiboot_add_module (grub_addr_t start, grub_size_t size,
|
||||||
|
{
|
||||||
|
struct module *newmod;
|
||||||
|
grub_size_t len = 0;
|
||||||
|
+ grub_err_t err;
|
||||||
|
|
||||||
|
newmod = grub_malloc (sizeof (*newmod));
|
||||||
|
if (!newmod)
|
||||||
|
@@ -707,8 +706,13 @@ grub_multiboot_add_module (grub_addr_t start, grub_size_t size,
|
||||||
|
newmod->cmdline_size = len;
|
||||||
|
total_modcmd += ALIGN_UP (len, 4);
|
||||||
|
|
||||||
|
- grub_create_loader_cmdline (argc, argv, newmod->cmdline,
|
||||||
|
- newmod->cmdline_size);
|
||||||
|
+ err = grub_create_loader_cmdline (argc, argv, newmod->cmdline,
|
||||||
|
+ newmod->cmdline_size, GRUB_VERIFY_MODULE_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ {
|
||||||
|
+ grub_free (newmod);
|
||||||
|
+ return grub_errno;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
if (modules_last)
|
||||||
|
modules_last->next = newmod;
|
||||||
|
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
|
||||||
|
index b5c28c6580e..f631225f59b 100644
|
||||||
|
--- a/grub-core/loader/i386/pc/linux.c
|
||||||
|
+++ b/grub-core/loader/i386/pc/linux.c
|
||||||
|
@@ -348,11 +348,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
/* Create kernel command line. */
|
||||||
|
grub_memcpy ((char *)grub_linux_real_chunk + GRUB_LINUX_CL_OFFSET,
|
||||||
|
LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv,
|
||||||
|
- (char *)grub_linux_real_chunk
|
||||||
|
- + GRUB_LINUX_CL_OFFSET + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- maximal_cmdline_size
|
||||||
|
- - (sizeof (LINUX_IMAGE) - 1));
|
||||||
|
+ err = grub_create_loader_cmdline (argc, argv,
|
||||||
|
+ (char *)grub_linux_real_chunk
|
||||||
|
+ + GRUB_LINUX_CL_OFFSET + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
+ maximal_cmdline_size
|
||||||
|
+ - (sizeof (LINUX_IMAGE) - 1),
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
|
||||||
|
if (grub_linux_is_bzimage)
|
||||||
|
grub_linux_prot_target = GRUB_LINUX_BZIMAGE_ADDR;
|
||||||
|
diff --git a/grub-core/loader/i386/pc/plan9.c b/grub-core/loader/i386/pc/plan9.c
|
||||||
|
index 0351090daf8..37550155df7 100644
|
||||||
|
--- a/grub-core/loader/i386/pc/plan9.c
|
||||||
|
+++ b/grub-core/loader/i386/pc/plan9.c
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
#include <grub/mm.h>
|
||||||
|
#include <grub/cpu/relocator.h>
|
||||||
|
#include <grub/extcmd.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -505,6 +506,7 @@ grub_cmd_plan9 (grub_extcmd_context_t ctxt, int argc, char *argv[])
|
||||||
|
configptr = grub_stpcpy (configptr, "bootfile=");
|
||||||
|
configptr = grub_stpcpy (configptr, bootpath);
|
||||||
|
*configptr++ = '\n';
|
||||||
|
+ char *cmdline = configptr;
|
||||||
|
{
|
||||||
|
int i;
|
||||||
|
for (i = 1; i < argc; i++)
|
||||||
|
@@ -513,6 +515,15 @@ grub_cmd_plan9 (grub_extcmd_context_t ctxt, int argc, char *argv[])
|
||||||
|
*configptr++ = '\n';
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ {
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ *configptr = '\0';
|
||||||
|
+ err = grub_verify_string (cmdline, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
configptr = grub_stpcpy (configptr, fill_ctx.pmap);
|
||||||
|
|
||||||
|
{
|
||||||
|
diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
|
||||||
|
index 82350d3a178..07a4837c532 100644
|
||||||
|
--- a/grub-core/loader/i386/xen.c
|
||||||
|
+++ b/grub-core/loader/i386/xen.c
|
||||||
|
@@ -41,6 +41,7 @@
|
||||||
|
#include <grub/linux.h>
|
||||||
|
#include <grub/i386/memory.h>
|
||||||
|
#include <grub/safemath.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -649,6 +650,9 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
grub_create_loader_cmdline (argc - 1, argv + 1,
|
||||||
|
(char *) xen_state.next_start.cmd_line,
|
||||||
|
sizeof (xen_state.next_start.cmd_line) - 1);
|
||||||
|
+ err = grub_verify_string (xen_state.next_start.cmd_line, GRUB_VERIFY_MODULE_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
|
||||||
|
file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (!file)
|
||||||
|
@@ -916,6 +920,9 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
|
||||||
|
grub_create_loader_cmdline (argc - 1, argv + 1,
|
||||||
|
get_virtual_current_address (ch), cmdline_len);
|
||||||
|
+ err = grub_verify_string (get_virtual_current_address (ch), GRUB_VERIFY_MODULE_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
|
||||||
|
xen_state.module_info_page[xen_state.n_modules].cmdline =
|
||||||
|
xen_state.max_addr - xen_state.modules_target_start;
|
||||||
|
diff --git a/grub-core/loader/ia64/efi/linux.c b/grub-core/loader/ia64/efi/linux.c
|
||||||
|
index 750330d4572..e325fe0ee83 100644
|
||||||
|
--- a/grub-core/loader/ia64/efi/linux.c
|
||||||
|
+++ b/grub-core/loader/ia64/efi/linux.c
|
||||||
|
@@ -33,6 +33,7 @@
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/env.h>
|
||||||
|
#include <grub/linux.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -543,6 +544,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
p = grub_stpcpy (p, argv[i]);
|
||||||
|
}
|
||||||
|
cmdline[10] = '=';
|
||||||
|
+
|
||||||
|
+ *p = '\0';
|
||||||
|
+
|
||||||
|
+ err = grub_verify_string (cmdline, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ goto fail;
|
||||||
|
|
||||||
|
boot_param->command_line = (grub_uint64_t) cmdline;
|
||||||
|
boot_param->efi_systab = (grub_uint64_t) grub_efi_system_table;
|
||||||
|
diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c
|
||||||
|
index 10358854458..20135ce253d 100644
|
||||||
|
--- a/grub-core/loader/mips/linux.c
|
||||||
|
+++ b/grub-core/loader/mips/linux.c
|
||||||
|
@@ -327,6 +327,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
linux_argv++;
|
||||||
|
linux_args += ALIGN_UP (sizeof ("a0"), 4);
|
||||||
|
|
||||||
|
+ char *params = linux_args;
|
||||||
|
+
|
||||||
|
#ifdef GRUB_MACHINE_MIPS_LOONGSON
|
||||||
|
{
|
||||||
|
unsigned mtype = grub_arch_machine;
|
||||||
|
@@ -352,6 +354,12 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
linux_args += ALIGN_UP (grub_strlen (argv[i]) + 1, 4);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ *linux_args = '\0';
|
||||||
|
+
|
||||||
|
+ err = grub_verify_string (params, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
/* Reserve space for rd arguments. */
|
||||||
|
rd_addr_arg_off = (grub_uint8_t *) linux_args - (grub_uint8_t *) playground;
|
||||||
|
linux_args += ALIGN_UP (sizeof ("rd_start=0xXXXXXXXXXXXXXXXX"), 4);
|
||||||
|
diff --git a/grub-core/loader/multiboot_mbi2.c b/grub-core/loader/multiboot_mbi2.c
|
||||||
|
index 3cfb47650a0..f64a857e394 100644
|
||||||
|
--- a/grub-core/loader/multiboot_mbi2.c
|
||||||
|
+++ b/grub-core/loader/multiboot_mbi2.c
|
||||||
|
@@ -1077,10 +1077,8 @@ grub_multiboot2_init_mbi (int argc, char *argv[])
|
||||||
|
return grub_errno;
|
||||||
|
cmdline_size = len;
|
||||||
|
|
||||||
|
- grub_create_loader_cmdline (argc, argv, cmdline,
|
||||||
|
- cmdline_size);
|
||||||
|
-
|
||||||
|
- return GRUB_ERR_NONE;
|
||||||
|
+ return grub_create_loader_cmdline (argc, argv, cmdline, cmdline_size,
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_err_t
|
||||||
|
@@ -1109,7 +1107,7 @@ grub_multiboot2_add_module (grub_addr_t start, grub_size_t size,
|
||||||
|
total_modcmd += ALIGN_UP (len, MULTIBOOT_TAG_ALIGN);
|
||||||
|
|
||||||
|
err = grub_create_loader_cmdline (argc, argv, newmod->cmdline,
|
||||||
|
- newmod->cmdline_size);
|
||||||
|
+ newmod->cmdline_size, GRUB_VERIFY_MODULE_CMDLINE);
|
||||||
|
if (err)
|
||||||
|
{
|
||||||
|
grub_free (newmod->cmdline);
|
||||||
|
diff --git a/grub-core/loader/powerpc/ieee1275/linux.c b/grub-core/loader/powerpc/ieee1275/linux.c
|
||||||
|
index 6e814649f31..c114e7df4fb 100644
|
||||||
|
--- a/grub-core/loader/powerpc/ieee1275/linux.c
|
||||||
|
+++ b/grub-core/loader/powerpc/ieee1275/linux.c
|
||||||
|
@@ -302,8 +302,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
|
||||||
|
/* Create kernel command line. */
|
||||||
|
grub_memcpy (linux_args, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- size);
|
||||||
|
+ if (grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
+ size))
|
||||||
|
+ goto out;
|
||||||
|
|
||||||
|
out:
|
||||||
|
|
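Review bot: The powerpc call `if (grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1, size))` still passes four arguments, while this same patch changes the prototype in include/grub/lib/cmdline.h to take a fifth `enum grub_verify_string_type type` parameter and the parallel sparc64 hunk passes `GRUB_VERIFY_KERNEL_CMDLINE`. Assuming powerpc linux.c includes that header as the other loaders do, this is a build break, and it would leave the powerpc kernel command line as the one loader path whose arguments never reach grub_verify_string. Change the call to `if (grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1, size, GRUB_VERIFY_KERNEL_CMDLINE)) goto out;`. The enclosing grub_cmd_linux starts before this hunk.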
||||||
|
diff --git a/grub-core/loader/sparc64/ieee1275/linux.c b/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
index 67ef0488324..abe46faa012 100644
|
||||||
|
--- a/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
+++ b/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
@@ -340,8 +340,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
|
||||||
|
/* Create kernel command line. */
|
||||||
|
grub_memcpy (linux_args, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
- grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- size);
|
||||||
|
+ if (grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
+ size, GRUB_VERIFY_KERNEL_CMDLINE))
|
||||||
|
+ goto out;
|
||||||
|
|
||||||
|
out:
|
||||||
|
if (elf)
|
||||||
|
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||||
|
index 9f78abb05f9..5944dc5eafc 100644
|
||||||
|
--- a/grub-core/loader/xnu.c
|
||||||
|
+++ b/grub-core/loader/xnu.c
|
||||||
|
@@ -35,6 +35,7 @@
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/efi/sb.h>
|
||||||
|
#include <grub/safemath.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
|
||||||
|
@@ -429,6 +430,10 @@ grub_cmd_xnu_kernel (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (ptr != grub_xnu_cmdline)
|
||||||
|
*(ptr - 1) = 0;
|
||||||
|
|
||||||
|
+ err = grub_verify_string (grub_xnu_cmdline, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
#if defined (__i386) && !defined (GRUB_MACHINE_EFI)
|
||||||
|
err = grub_efiemu_autocore ();
|
||||||
|
if (err)
|
||||||
|
@@ -538,6 +543,10 @@ grub_cmd_xnu_kernel64 (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (ptr != grub_xnu_cmdline)
|
||||||
|
*(ptr - 1) = 0;
|
||||||
|
|
||||||
|
+ err = grub_verify_string (grub_xnu_cmdline, GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
+ if (err)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
#if defined (__i386) && !defined (GRUB_MACHINE_EFI)
|
||||||
|
err = grub_efiemu_autocore ();
|
||||||
|
if (err)
|
||||||
|
diff --git a/include/grub/lib/cmdline.h b/include/grub/lib/cmdline.h
|
||||||
|
index 1fe8d017971..cdca09b7a16 100644
|
||||||
|
--- a/include/grub/lib/cmdline.h
|
||||||
|
+++ b/include/grub/lib/cmdline.h
|
||||||
|
@@ -21,11 +21,12 @@
|
||||||
|
#define GRUB_CMDLINE_HEADER 1
|
||||||
|
|
||||||
|
#include <grub/types.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
|
||||||
|
#define LINUX_IMAGE "BOOT_IMAGE="
|
||||||
|
|
||||||
|
unsigned int grub_loader_cmdline_size (int argc, char *argv[]);
|
||||||
|
-int grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
- grub_size_t size);
|
||||||
|
+grub_err_t grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
+ grub_size_t size, enum grub_verify_string_type type);
|
||||||
|
|
||||||
|
#endif /* ! GRUB_CMDLINE_HEADER */
|
||||||
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||||
|
index 298120f5776..9f892d8fedb 100644
|
||||||
|
--- a/include/grub/verify.h
|
||||||
|
+++ b/include/grub/verify.h
|
||||||
|
@@ -25,6 +25,12 @@ enum grub_verify_flags
|
||||||
|
GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2
|
||||||
|
};
|
||||||
|
|
||||||
|
+enum grub_verify_string_type
|
||||||
|
+ {
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE,
|
||||||
|
+ GRUB_VERIFY_MODULE_CMDLINE,
|
||||||
|
+ };
|
||||||
|
+
|
||||||
|
struct grub_file_verifier
|
||||||
|
{
|
||||||
|
struct grub_file_verifier *next;
|
||||||
|
@@ -48,6 +54,8 @@ struct grub_file_verifier
|
||||||
|
|
||||||
|
grub_err_t (*fini) (void *context);
|
||||||
|
void (*close) (void *context);
|
||||||
|
+
|
||||||
|
+ grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
|
||||||
|
};
|
||||||
|
|
||||||
|
extern struct grub_file_verifier *grub_file_verifiers;
|
||||||
|
@@ -63,3 +71,6 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
|
||||||
|
{
|
||||||
|
grub_list_remove (GRUB_AS_LIST (ver));
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+grub_err_t
|
||||||
|
+grub_verify_string (char *str, enum grub_verify_string_type type);
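Review bot: `grub_verify_string` and the new `verify_string` hook are added to the public header without a word on their contract, and every loader touched by this patch now depends on it. Each caller builds the complete command line, terminates it (`*configptr = '\0'`, `*p = '\0'`, `*linux_args = '\0'`) and only then calls grub_verify_string, treating a non-zero return as fatal, so the prototype should say so: `/* Offer STR, a complete NUL-terminated kernel or module command line (TYPE says which), to the registered verifiers before the loader hands it to the OS; returns GRUB_ERR_NONE when accepted, otherwise an error the caller must propagate. */`. The `verify_string` member of struct grub_file_verifier deserves the same note plus whether a verifier may leave it NULL, since the dispatching implementation is not in this hunk. Taking `const char *str` would additionally document that verifiers are not expected to modify the buffer, if no verifier needs to.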
|
@ -0,0 +1,91 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Date: Wed, 26 Sep 2018 13:17:52 +0200
|
||||||
|
Subject: [PATCH] verifiers: Add possibility to defer verification to other
|
||||||
|
verifiers
|
||||||
|
|
||||||
|
This way if a verifier requires verification of a given file it can defer task
|
||||||
|
to another verifier (another authority) if it is not able to do it itself. E.g.
|
||||||
|
shim_lock verifier, posted as a subsequent patch, is able to verify only PE
|
||||||
|
files. This means that it is not able to verify any of GRUB2 modules which have
|
||||||
|
to be trusted on UEFI systems with secure boot enabled. So, it can defer
|
||||||
|
verification to other verifier, e.g. PGP one.
|
||||||
|
|
||||||
|
I silently assume that other verifiers are trusted and will do good job for us.
|
||||||
|
Or at least they will not do any harm.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 23 ++++++++++++++++++++---
|
||||||
|
include/grub/verify.h | 4 +++-
|
||||||
|
2 files changed, 23 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index 59ea418a2d9..c638d5f43e0 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -83,6 +83,7 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
void *context;
|
||||||
|
grub_file_t ret = 0;
|
||||||
|
grub_err_t err;
|
||||||
|
+ int defer = 0;
|
||||||
|
|
||||||
|
grub_dprintf ("verify", "file: %s type: %d\n", io->name, type);
|
||||||
|
|
||||||
|
@@ -102,13 +103,27 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
err = ver->init (io, type, &context, &flags);
|
||||||
|
if (err)
|
||||||
|
goto fail_noclose;
|
||||||
|
+ if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
|
||||||
|
+ {
|
||||||
|
+ defer = 1;
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
if (!(flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION))
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!ver)
|
||||||
|
- /* No verifiers wanted to verify. Just return underlying file. */
|
||||||
|
- return io;
|
||||||
|
+ {
|
||||||
|
+ if (defer)
|
||||||
|
+ {
|
||||||
|
+ grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ N_("verification requested but nobody cares: %s"), io->name);
|
||||||
|
+ goto fail_noclose;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* No verifiers wanted to verify. Just return underlying file. */
|
||||||
|
+ return io;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
ret = grub_malloc (sizeof (*ret));
|
||||||
|
if (!ret)
|
||||||
|
@@ -160,7 +175,9 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
err = ver->init (io, type, &context, &flags);
|
||||||
|
if (err)
|
||||||
|
goto fail_noclose;
|
||||||
|
- if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION)
|
||||||
|
+ if (flags & GRUB_VERIFY_FLAGS_SKIP_VERIFICATION ||
|
||||||
|
+ /* Verification done earlier. So, we are happy here. */
|
||||||
|
+ flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
|
||||||
|
continue;
|
||||||
|
err = ver->write (context, verified->buf, ret->size);
|
||||||
|
if (err)
|
||||||
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||||
|
index 9f892d8fedb..79022b42258 100644
|
||||||
|
--- a/include/grub/verify.h
|
||||||
|
+++ b/include/grub/verify.h
|
||||||
|
@@ -22,7 +22,9 @@
|
||||||
|
enum grub_verify_flags
|
||||||
|
{
|
||||||
|
GRUB_VERIFY_FLAGS_SKIP_VERIFICATION = 1,
|
||||||
|
- GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2
|
||||||
|
+ GRUB_VERIFY_FLAGS_SINGLE_CHUNK = 2,
|
||||||
|
+ /* Defer verification to another authority. */
|
||||||
|
+ GRUB_VERIFY_FLAGS_DEFER_AUTH = 4
|
||||||
|
};
|
||||||
|
|
||||||
|
enum grub_verify_string_type
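Review bot: The one-line comment on `GRUB_VERIFY_FLAGS_DEFER_AUTH` leaves out the security-relevant half of the flag, which the verifiers.c hunks in this patch establish: when a verifier defers and no other verifier ends up verifying the file, grub_verifiers_open() fails with GRUB_ERR_ACCESS_DENIED rather than returning the raw file. Suggest expanding it to `/* Defer verification to another authority. The open succeeds only if some other registered verifier verifies the file; otherwise grub_verifiers_open() fails with GRUB_ERR_ACCESS_DENIED (fail closed). */`. It is also worth noting that a deferring verifier's init() is called again in the second pass and that nothing in the visible code closes a context it may have allocated, so such a verifier should not allocate one — presumably the same rule the existing SKIP_VERIFICATION path already relies on.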
|
@ -0,0 +1,36 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Date: Tue, 2 Oct 2018 22:36:43 +0200
|
||||||
|
Subject: [PATCH] verifiers: Rename verify module to pgp module
|
||||||
|
|
||||||
|
Just for clarity. No functional change.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
|
||||||
|
(cherry picked from commit b07feb8746c3bb845e3f0d33d37c0bded704d14d)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 4 ++--
|
||||||
|
grub-core/commands/{verify.c => pgp.c} | 0
|
||||||
|
2 files changed, 2 insertions(+), 2 deletions(-)
|
||||||
|
rename grub-core/commands/{verify.c => pgp.c} (100%)
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 29c3bf6cd66..809f11feaef 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -915,8 +915,8 @@ module = {
|
||||||
|
};
|
||||||
|
|
||||||
|
module = {
|
||||||
|
- name = verify;
|
||||||
|
- common = commands/verify.c;
|
||||||
|
+ name = pgp;
|
||||||
|
+ common = commands/pgp.c;
|
||||||
|
cflags = '$(CFLAGS_POSIX)';
|
||||||
|
cppflags = '-I$(srcdir)/lib/posix_wrap';
|
||||||
|
};
|
||||||
|
diff --git a/grub-core/commands/verify.c b/grub-core/commands/pgp.c
|
||||||
|
similarity index 100%
|
||||||
|
rename from grub-core/commands/verify.c
|
||||||
|
rename to grub-core/commands/pgp.c
|
@ -0,0 +1,55 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Colin Watson <cjwatson@ubuntu.com>
|
||||||
|
Date: Wed, 9 Jan 2019 14:54:39 +0000
|
||||||
|
Subject: [PATCH] pgp: Fix emu build and tests after pgp module renaming
|
||||||
|
|
||||||
|
Commit b07feb8746c3bb845e3f0d33d37c0bded704d14d (verifiers: Rename
|
||||||
|
verify module to pgp module) renamed the "verify" module to "pgp", but
|
||||||
|
the GRUB_MOD_INIT and GRUB_MOD_FINI macros were left as "verify", which
|
||||||
|
broke the emu target build; and file_filter_test still referred to the
|
||||||
|
now non-existent "verify" module. Fix both of these.
|
||||||
|
|
||||||
|
Signed-off-by: Colin Watson <cjwatson@ubuntu.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
(cherry picked from commit ed087f0460516737e174222f01e2bf6ccbd45674)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/pgp.c | 4 ++--
|
||||||
|
tests/file_filter_test.in | 2 +-
|
||||||
|
2 files changed, 3 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index 29e74a64004..5c913c2e2fe 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -950,7 +950,7 @@ struct grub_file_verifier grub_pubkey_verifier =
|
||||||
|
static grub_extcmd_t cmd, cmd_trust;
|
||||||
|
static grub_command_t cmd_distrust, cmd_list;
|
||||||
|
|
||||||
|
-GRUB_MOD_INIT(verify)
|
||||||
|
+GRUB_MOD_INIT(pgp)
|
||||||
|
{
|
||||||
|
const char *val;
|
||||||
|
struct grub_module_header *header;
|
||||||
|
@@ -1009,7 +1009,7 @@ GRUB_MOD_INIT(verify)
|
||||||
|
grub_verifier_register (&grub_pubkey_verifier);
|
||||||
|
}
|
||||||
|
|
||||||
|
-GRUB_MOD_FINI(verify)
|
||||||
|
+GRUB_MOD_FINI(pgp)
|
||||||
|
{
|
||||||
|
grub_verifier_unregister (&grub_pubkey_verifier);
|
||||||
|
grub_unregister_extcmd (cmd);
|
||||||
|
diff --git a/tests/file_filter_test.in b/tests/file_filter_test.in
|
||||||
|
index bfb6382274e..ed6abcb5af4 100644
|
||||||
|
--- a/tests/file_filter_test.in
|
||||||
|
+++ b/tests/file_filter_test.in
|
||||||
|
@@ -19,7 +19,7 @@ grubshell=@builddir@/grub-shell
|
||||||
|
|
||||||
|
. "@builddir@/grub-core/modinfo.sh"
|
||||||
|
|
||||||
|
-filters="gzio xzio lzopio verify"
|
||||||
|
+filters="gzio xzio lzopio pgp"
|
||||||
|
modules="cat mpi"
|
||||||
|
|
||||||
|
for mod in $(cut -d ' ' -f 2 "@builddir@/grub-core/crypto.lst" | sort -u); do
|
@ -0,0 +1,30 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Date: Wed, 14 Nov 2018 19:29:16 +0000
|
||||||
|
Subject: [PATCH] include/grub/file.h: Add device tree file type
|
||||||
|
|
||||||
|
The API change of grub_file_open() for adding verifiers did not include
|
||||||
|
a type for device tree blobs. Add GRUB_FILE_TYPE_DEVICE_TREE_IMAGE to
|
||||||
|
the grub_file_type enum.
|
||||||
|
|
||||||
|
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
(cherry picked from commit 7453c2cc32525a5eebe3b268433d0dfc73622917)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
include/grub/file.h | 2 ++
|
||||||
|
1 file changed, 2 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/include/grub/file.h b/include/grub/file.h
|
||||||
|
index 19dda67f68b..9aae463557a 100644
|
||||||
|
--- a/include/grub/file.h
|
||||||
|
+++ b/include/grub/file.h
|
||||||
|
@@ -69,6 +69,8 @@ enum grub_file_type
|
||||||
|
|
||||||
|
GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE,
|
||||||
|
|
||||||
|
+ GRUB_FILE_TYPE_DEVICE_TREE_IMAGE,
|
||||||
|
+
|
||||||
|
/* File holding signature. */
|
||||||
|
GRUB_FILE_TYPE_SIGNATURE,
|
||||||
|
/* File holding public key to verify signature once. */
|
@ -0,0 +1,28 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Date: Wed, 14 Nov 2018 19:29:17 +0000
|
||||||
|
Subject: [PATCH] grub-core/loader/efi/fdt.c: Fixup grub_file_open() call
|
||||||
|
|
||||||
|
The verifiers framework changed the API of grub_file_open(), but did not
|
||||||
|
fix up all users. Add the file type GRUB_FILE_TYPE_DEVICE_TREE_IMAGE
|
||||||
|
to the "devicetree" command handler call.
|
||||||
|
|
||||||
|
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/efi/fdt.c | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
||||||
|
index a9dbcfdfeaf..e3ee3ad79d6 100644
|
||||||
|
--- a/grub-core/loader/efi/fdt.c
|
||||||
|
+++ b/grub-core/loader/efi/fdt.c
|
||||||
|
@@ -125,7 +125,7 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
- dtb = grub_file_open (argv[0]);
|
||||||
|
+ dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
|
||||||
|
if (!dtb)
|
||||||
|
goto out;
|
||||||
|
|
@ -0,0 +1,38 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Date: Wed, 14 Nov 2018 19:29:18 +0000
|
||||||
|
Subject: [PATCH] arm64/efi: Fix breakage caused by verifiers
|
||||||
|
|
||||||
|
- add variable "err" (used but not defined),
|
||||||
|
- add GRUB_FILE_TYPE_LINUX_KERNEL to grub_file_open() call.
|
||||||
|
|
||||||
|
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
|
||||||
|
Conflicts:
|
||||||
|
grub-core/loader/arm64/linux.c
|
||||||
|
---
|
||||||
|
grub-core/loader/arm64/linux.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
|
||||||
|
index 48ea66596ad..864724dd4fa 100644
|
||||||
|
--- a/grub-core/loader/arm64/linux.c
|
||||||
|
+++ b/grub-core/loader/arm64/linux.c
|
||||||
|
@@ -338,6 +338,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
struct linux_armxx_kernel_header lh;
|
||||||
|
struct grub_armxx_linux_pe_header *pe;
|
||||||
|
int rc;
|
||||||
|
+ grub_err_t err;
|
||||||
|
|
||||||
|
grub_dl_ref (my_mod);
|
||||||
|
|
||||||
|
@@ -347,7 +348,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (!file)
|
||||||
|
goto fail;
|
||||||
|
|
@ -0,0 +1,74 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Date: Wed, 14 Nov 2018 19:29:19 +0000
|
||||||
|
Subject: [PATCH] arm-uboot, ia64, sparc64: Fix up grub_file_open() calls
|
||||||
|
|
||||||
|
The verifiers framework changed the grub_file_open() interface, breaking all
|
||||||
|
non-x86 linux loaders. Add file types to the grub_file_open() calls to make
|
||||||
|
them build again.
|
||||||
|
|
||||||
|
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/arm/linux.c | 6 +++---
|
||||||
|
grub-core/loader/ia64/efi/linux.c | 2 +-
|
||||||
|
grub-core/loader/sparc64/ieee1275/linux.c | 2 +-
|
||||||
|
3 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
||||||
|
index beceda52030..1e944a2b671 100644
|
||||||
|
--- a/grub-core/loader/arm/linux.c
|
||||||
|
+++ b/grub-core/loader/arm/linux.c
|
||||||
|
@@ -363,7 +363,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (argc == 0)
|
||||||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (!file)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
|
@@ -408,7 +408,7 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (argc == 0)
|
||||||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_INITRD);
|
||||||
|
if (!file)
|
||||||
|
return grub_errno;
|
||||||
|
|
||||||
|
@@ -471,7 +471,7 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
if (argc != 1)
|
||||||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||||
|
|
||||||
|
- dtb = grub_file_open (argv[0]);
|
||||||
|
+ dtb = grub_file_open (argv[0], GRUB_FILE_TYPE_DEVICE_TREE_IMAGE);
|
||||||
|
if (!dtb)
|
||||||
|
return grub_errno;
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/ia64/efi/linux.c b/grub-core/loader/ia64/efi/linux.c
|
||||||
|
index e325fe0ee83..2ad0b0c0407 100644
|
||||||
|
--- a/grub-core/loader/ia64/efi/linux.c
|
||||||
|
+++ b/grub-core/loader/ia64/efi/linux.c
|
||||||
|
@@ -502,7 +502,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (! file)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/sparc64/ieee1275/linux.c b/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
index abe46faa012..bb47ee0cc64 100644
|
||||||
|
--- a/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
+++ b/grub-core/loader/sparc64/ieee1275/linux.c
|
||||||
|
@@ -306,7 +306,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
goto out;
|
||||||
|
}
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (!file)
|
||||||
|
goto out;
|
||||||
|
|
@ -0,0 +1,146 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Chang <mchang@suse.com>
|
||||||
|
Date: Tue, 20 Nov 2018 19:15:37 +0800
|
||||||
|
Subject: [PATCH] verifiers: fix double close on pgp's sig file descriptor
|
||||||
|
|
||||||
|
An error emerged as when I was testing the verifiers branch, so instead
|
||||||
|
of putting it in pgp prefix, the verifiers is used to reflect what the
|
||||||
|
patch is based on.
|
||||||
|
|
||||||
|
While running verify_detached, grub aborts with error.
|
||||||
|
|
||||||
|
verify_detached /@/.snapshots/1/snapshot/boot/grub/grub.cfg
|
||||||
|
/@/.snapshots/1/snapshot/boot/grub/grub.cfg.sig
|
||||||
|
|
||||||
|
alloc magic is broken at 0x7beea660: 0
|
||||||
|
Aborted. Press any key to exit.
|
||||||
|
|
||||||
|
The error is caused by sig file descriptor been closed twice, first time
|
||||||
|
in grub_verify_signature() to which it is passed as parameter. Second in
|
||||||
|
grub_cmd_verify_signature() or in whichever opens the sig file
|
||||||
|
descriptor. The second close is not consider as bug to me either, as in
|
||||||
|
common rule of what opens a file has to close it to avoid file
|
||||||
|
descriptor leakage.
|
||||||
|
|
||||||
|
After all the design of grub_verify_signature() makes it difficult to keep
|
||||||
|
a good trace on opened file descriptor from it's caller. Let's refine
|
||||||
|
the application interface to accept file path rather than descriptor, in
|
||||||
|
this way the caller doesn't have to care about closing the descriptor by
|
||||||
|
delegating it to grub_verify_signature() with full tracing to opened
|
||||||
|
file descriptor by itself.
|
||||||
|
|
||||||
|
Also making it clear that sig descriptor is not referenced in error
|
||||||
|
returning path of grub_verify_signature_init(), so it can be closed
|
||||||
|
directly by it's caller. This also makes delegating it to
|
||||||
|
grub_pubkey_close() infeasible to help in relieving file descriptor
|
||||||
|
leakage as it has to depend on uncertainty of ctxt fields in error
|
||||||
|
returning path.
|
||||||
|
|
||||||
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/pgp.c | 35 +++++++++++++++++------------------
|
||||||
|
include/grub/pubkey.h | 2 +-
|
||||||
|
2 files changed, 18 insertions(+), 19 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index 5c913c2e2fe..d39846d8cfe 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -495,13 +495,12 @@ grub_verify_signature_init (struct grub_pubkey_context *ctxt, grub_file_t sig)
|
||||||
|
|
||||||
|
grub_dprintf ("crypt", "alive\n");
|
||||||
|
|
||||||
|
- ctxt->sig = sig;
|
||||||
|
-
|
||||||
|
ctxt->hash_context = grub_zalloc (ctxt->hash->contextsize);
|
||||||
|
if (!ctxt->hash_context)
|
||||||
|
return grub_errno;
|
||||||
|
|
||||||
|
ctxt->hash->init (ctxt->hash_context);
|
||||||
|
+ ctxt->sig = sig;
|
||||||
|
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
@@ -684,16 +683,26 @@ grub_pubkey_close (void *ctxt)
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_err_t
|
||||||
|
-grub_verify_signature (grub_file_t f, grub_file_t sig,
|
||||||
|
+grub_verify_signature (grub_file_t f, const char *fsig,
|
||||||
|
struct grub_public_key *pkey)
|
||||||
|
{
|
||||||
|
+ grub_file_t sig;
|
||||||
|
grub_err_t err;
|
||||||
|
struct grub_pubkey_context ctxt;
|
||||||
|
grub_uint8_t *readbuf = NULL;
|
||||||
|
|
||||||
|
+ sig = grub_file_open (fsig,
|
||||||
|
+ GRUB_FILE_TYPE_SIGNATURE
|
||||||
|
+ | GRUB_FILE_TYPE_NO_DECOMPRESS);
|
||||||
|
+ if (!sig)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
err = grub_verify_signature_init (&ctxt, sig);
|
||||||
|
if (err)
|
||||||
|
- return err;
|
||||||
|
+ {
|
||||||
|
+ grub_file_close (sig);
|
||||||
|
+ return err;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
readbuf = grub_zalloc (READBUF_SIZE);
|
||||||
|
if (!readbuf)
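Review bot: With `sig` now opened inside grub_verify_signature, every exit after `grub_verify_signature_init` succeeds must close it exactly once, and this hunk only shows the init-failure path doing so; the `if (!readbuf)` branch on the last visible line and the rest of the function lie outside the hunk, so please confirm they release it through the context cleanup (`ctxt.sig` is set by init on success, per the first hunk) and never also call grub_file_close (sig) directly, or the double close this patch removes comes back in a different place. A short ownership comment above the open would make the rule explicit: `/* sig is owned by this function: closed directly until init succeeds, afterwards via ctxt.sig. */`. grub_verify_signature's body continues past the hunk.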
|
||||||
|
@@ -807,7 +816,7 @@ static grub_err_t
|
||||||
|
grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
|
||||||
|
int argc, char **args)
|
||||||
|
{
|
||||||
|
- grub_file_t f = NULL, sig = NULL;
|
||||||
|
+ grub_file_t f = NULL;
|
||||||
|
grub_err_t err = GRUB_ERR_NONE;
|
||||||
|
struct grub_public_key *pk = NULL;
|
||||||
|
|
||||||
|
@@ -845,19 +854,8 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- sig = grub_file_open (args[1],
|
||||||
|
- GRUB_FILE_TYPE_SIGNATURE
|
||||||
|
- | GRUB_FILE_TYPE_NO_DECOMPRESS);
|
||||||
|
- if (!sig)
|
||||||
|
- {
|
||||||
|
- err = grub_errno;
|
||||||
|
- goto fail;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- err = grub_verify_signature (f, sig, pk);
|
||||||
|
+ err = grub_verify_signature (f, args[1], pk);
|
||||||
|
fail:
|
||||||
|
- if (sig)
|
||||||
|
- grub_file_close (sig);
|
||||||
|
if (f)
|
||||||
|
grub_file_close (f);
|
||||||
|
if (pk)
|
||||||
|
@@ -902,7 +900,8 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
|
||||||
|
err = grub_verify_signature_init (ctxt, sig);
|
||||||
|
if (err)
|
||||||
|
{
|
||||||
|
- grub_pubkey_close (ctxt);
|
||||||
|
+ grub_free (ctxt);
|
||||||
|
+ grub_file_close (sig);
|
||||||
|
return err;
|
||||||
|
}
|
||||||
|
*context = ctxt;
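Review bot: Replacing `grub_pubkey_close (ctxt)` with `grub_free (ctxt); grub_file_close (sig);` is correct only because grub_verify_signature_init's visible failure returns happen at or before the hash_context allocation and `ctxt->sig` is now assigned only on success (first hunk), so there is nothing else to free; that assumption is not written down anywhere and a future allocation earlier in init would silently leak here. Add `/* init failed before it took ownership of sig or allocated hash state, so tear down by hand. */` above the two calls, and consider having init free whatever it allocated before returning an error so this path stays correct without relying on its internals. The start of grub_verify_signature_init is outside the hunks, so the "nothing else allocated" claim is inferred from the visible part of it.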
|
||||||
|
diff --git a/include/grub/pubkey.h b/include/grub/pubkey.h
|
||||||
|
index 4a9d04b4305..fb8be9cbb73 100644
|
||||||
|
--- a/include/grub/pubkey.h
|
||||||
|
+++ b/include/grub/pubkey.h
|
||||||
|
@@ -25,7 +25,7 @@ struct grub_public_key *
|
||||||
|
grub_load_public_key (grub_file_t f);
|
||||||
|
|
||||||
|
grub_err_t
|
||||||
|
-grub_verify_signature (grub_file_t f, grub_file_t sig,
|
||||||
|
+grub_verify_signature (grub_file_t f, const char *fsig,
|
||||||
|
struct grub_public_key *pk);
|
||||||
|
|
||||||
|
|
46
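--- a/SOURCES/0341-verifiers-Xen-fallout-cleanup.patch
+++ b/SOURCES/0341-verifiers-Xen-fallout-cleanup.patch
@@ -0,0 +1,46 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 6 Dec 2018 13:38:15 +0100
+Subject: [PATCH] verifiers: Xen fallout cleanup
+
+Xen fallout cleanup after commit ca0a4f689 (verifiers: File type for
+fine-grained signature-verification controlling).
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+---
+grub-core/loader/i386/xen.c | 14 +++++++-------
+1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/grub-core/loader/i386/xen.c b/grub-core/loader/i386/xen.c
+index 07a4837c532..071b530d744 100644
+--- a/grub-core/loader/i386/xen.c
++++ b/grub-core/loader/i386/xen.c
+@@ -647,10 +647,10 @@ grub_cmd_xen (grub_command_t cmd __attribute__ ((unused)),
+
+grub_xen_reset ();
+
+- grub_create_loader_cmdline (argc - 1, argv + 1,
+- (char *) xen_state.next_start.cmd_line,
+- sizeof (xen_state.next_start.cmd_line) - 1);
+- err = grub_verify_string (xen_state.next_start.cmd_line, GRUB_VERIFY_MODULE_CMDLINE);
++ err = grub_create_loader_cmdline (argc - 1, argv + 1,
++ (char *) xen_state.next_start.cmd_line,
++ sizeof (xen_state.next_start.cmd_line) - 1,
++ GRUB_VERIFY_KERNEL_CMDLINE);
+if (err)
+return err;
+
+@@ -918,9 +918,9 @@ grub_cmd_module (grub_command_t cmd __attribute__ ((unused)),
+if (err)
+goto fail;
+
+- grub_create_loader_cmdline (argc - 1, argv + 1,
+- get_virtual_current_address (ch), cmdline_len);
+- err = grub_verify_string (get_virtual_current_address (ch), GRUB_VERIFY_MODULE_CMDLINE);
++ err = grub_create_loader_cmdline (argc - 1, argv + 1,
++ get_virtual_current_address (ch), cmdline_len,
++ GRUB_VERIFY_MODULE_CMDLINE);
+if (err)
+goto fail;
+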
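Review bot: The hypervisor command line in grub_cmd_xen is now verified as GRUB_VERIFY_KERNEL_CMDLINE, whereas the removed grub_verify_string call used GRUB_VERIFY_MODULE_CMDLINE, while grub_cmd_module keeps GRUB_VERIFY_MODULE_CMDLINE; the message calls this a fallout cleanup and does not mention the type change. If a verifier applies different policy to kernel and module command lines this is a behaviour change, so either state it in the commit message or keep `GRUB_VERIFY_MODULE_CMDLINE` for the Xen line. Both grub_cmd_xen and grub_cmd_module start and end outside their hunks.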
63
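--- a/SOURCES/0342-verifiers-ARM-Xen-fallout-cleanup.patch
+++ b/SOURCES/0342-verifiers-ARM-Xen-fallout-cleanup.patch
@@ -0,0 +1,63 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 6 Dec 2018 13:43:05 +0100
+Subject: [PATCH] verifiers: ARM Xen fallout cleanup
+
+ARM Xen fallout cleanup after commit ca0a4f689 (verifiers: File type for
+fine-grained signature-verification controlling).
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+[javierm: remove grub_file_filter_disable_compression() call leftovers]
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Conflicts:
+grub-core/loader/arm64/xen_boot.c
+---
+grub-core/loader/arm64/xen_boot.c | 9 +++++----
+include/grub/file.h | 5 +++++
+2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/grub-core/loader/arm64/xen_boot.c b/grub-core/loader/arm64/xen_boot.c
+index f35b16caa92..318c833de57 100644
+--- a/grub-core/loader/arm64/xen_boot.c
++++ b/grub-core/loader/arm64/xen_boot.c
+@@ -427,9 +427,10 @@ grub_cmd_xen_module (grub_command_t cmd __attribute__((unused)),
+
+grub_dprintf ("xen_loader", "Init module and node info\n");
+
+- if (nounzip)
+- grub_file_filter_disable_compression ();
+- file = grub_file_open (argv[0]);
++ file = grub_file_open (argv[0], GRUB_FILE_TYPE_XEN_MODULE
++ | (nounzip ? GRUB_FILE_TYPE_NO_DECOMPRESS
++ : GRUB_FILE_TYPE_NONE));
++
+if (!file)
+goto fail;
+
+@@ -461,7 +462,7 @@ grub_cmd_xen_hypervisor (grub_command_t cmd __attribute__ ((unused)),
+goto fail;
+}
+
+- file = grub_file_open (argv[0]);
++ file = grub_file_open (argv[0], GRUB_FILE_TYPE_XEN_HYPERVISOR);
+if (!file)
+goto fail;
+
+diff --git a/include/grub/file.h b/include/grub/file.h
+index 9aae463557a..cbbd294655b 100644
+--- a/include/grub/file.h
++++ b/include/grub/file.h
+@@ -42,6 +42,11 @@ enum grub_file_type
+/* Multiboot module. */
+GRUB_FILE_TYPE_MULTIBOOT_MODULE,
+
++ /* Xen hypervisor - used on ARM only. */
++ GRUB_FILE_TYPE_XEN_HYPERVISOR,
++ /* Xen module - used on ARM only. */
++ GRUB_FILE_TYPE_XEN_MODULE,
++
+GRUB_FILE_TYPE_BSD_KERNEL,
+GRUB_FILE_TYPE_FREEBSD_ENV,
+GRUB_FILE_TYPE_FREEBSD_MODULE,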
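Review bot: GRUB_FILE_TYPE_XEN_HYPERVISOR and GRUB_FILE_TYPE_XEN_MODULE are added to enum grub_file_type, but nothing in this patch teaches the verifiers (shim lock, pgp) about them, so whether an unsigned Xen hypervisor or module opened in xen_boot.c is rejected under Secure Boot depends on how each verifier treats a type it does not list — that should be confirmed rather than assumed, and a comment on the enum entries saying which verifiers cover them would help. The two values are also inserted before GRUB_FILE_TYPE_BSD_KERNEL, which renumbers every later enumerator; harmless when all modules are built together, but not something to rely on across separately built modules. grub_cmd_xen_module and grub_cmd_xen_hypervisor both start outside their hunks.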
28
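--- a/SOURCES/0343-verifiers-IA-64-fallout-cleanup.patch
+++ b/SOURCES/0343-verifiers-IA-64-fallout-cleanup.patch
@@ -0,0 +1,28 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 14 Mar 2019 16:18:31 +0100
+Subject: [PATCH] verifiers: IA-64 fallout cleanup
+
+IA-64 fallout cleanup after commit 4d4a8c96e (verifiers: Add possibility
+to verify kernel and modules command lines).
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+---
+grub-core/loader/ia64/efi/linux.c | 3 +--
+1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/ia64/efi/linux.c b/grub-core/loader/ia64/efi/linux.c
+index 2ad0b0c0407..cfeb2c145bb 100644
+--- a/grub-core/loader/ia64/efi/linux.c
++++ b/grub-core/loader/ia64/efi/linux.c
+@@ -547,8 +547,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+
+*p = '\0';
+
+- err = grub_verify_string (cmdline, GRUB_VERIFY_KERNEL_CMDLINE);
+- if (err)
++ if (grub_verify_string (cmdline, GRUB_VERIFY_KERNEL_CMDLINE))
+goto fail;
+
+boot_param->command_line = (grub_uint64_t) cmdline;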
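Review bot: Dropping the `err =` assignment means a rejected command line leaves its error only in grub_errno; if the `fail:` label in grub_cmd_linux returns a local status rather than grub_errno, the verification failure would be reported as success after cleanup and the verdict lost. The function's fail path is outside the hunk, so please confirm it returns grub_errno, or keep the result explicit with `grub_err_t err = grub_verify_string (cmdline, GRUB_VERIFY_KERNEL_CMDLINE); if (err) goto fail;`. A short comment on the `if`, e.g. `/* error is left in grub_errno for the fail path */`, would make the intent clear either way.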
37
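--- a/SOURCES/0344-verifiers-PowerPC-fallout-cleanup.patch
+++ b/SOURCES/0344-verifiers-PowerPC-fallout-cleanup.patch
@@ -0,0 +1,37 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Thu, 14 Mar 2019 19:45:17 +0100
+Subject: [PATCH] verifiers: PowerPC fallout cleanup
+
+PowerPC fallout cleanup after commit 4d4a8c96e (verifiers: Add possibility
+to verify kernel and modules command lines) and ca0a4f689 (verifiers: File
+type for fine-grained signature-verification controlling).
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+---
+grub-core/loader/powerpc/ieee1275/linux.c | 4 ++--
+1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/loader/powerpc/ieee1275/linux.c b/grub-core/loader/powerpc/ieee1275/linux.c
+index c114e7df4fb..818b2a86d1a 100644
+--- a/grub-core/loader/powerpc/ieee1275/linux.c
++++ b/grub-core/loader/powerpc/ieee1275/linux.c
+@@ -270,7 +270,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+goto out;
+}
+
+- elf = grub_elf_open (argv[0]);
++ elf = grub_elf_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+if (! elf)
+goto out;
+
+@@ -303,7 +303,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+/* Create kernel command line. */
+grub_memcpy (linux_args, LINUX_IMAGE, sizeof (LINUX_IMAGE));
+if (grub_create_loader_cmdline (argc, argv, linux_args + sizeof (LINUX_IMAGE) - 1,
+- size))
++ size, GRUB_VERIFY_KERNEL_CMDLINE))
+goto out;
+
+out: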
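Review bot: The bound handed to grub_create_loader_cmdline is `size` while the destination is `linux_args + sizeof (LINUX_IMAGE) - 1`, so the limit is the whole allocation rather than the space left after the prefix; the i386 EFI loader in this same series subtracts the prefix length. Whether this can overrun depends on how `size` is computed, which is outside the hunk — if it already includes sizeof (LINUX_IMAGE) the write stays in bounds, but passing `size - (sizeof (LINUX_IMAGE) - 1)` makes that independent of the caller. Checking the result and jumping to `out` is the right pattern for the verifier return.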
27
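--- a/SOURCES/0345-verifiers-MIPS-fallout-cleanup.patch
+++ b/SOURCES/0345-verifiers-MIPS-fallout-cleanup.patch
@@ -0,0 +1,27 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Mon, 18 Mar 2019 13:09:22 +0100
+Subject: [PATCH] verifiers: MIPS fallout cleanup
+
+MIPS fallout cleanup after commit 4d4a8c96e (verifiers: Add possibility
+to verify kernel and modules command lines).
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+---
+grub-core/loader/mips/linux.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/mips/linux.c b/grub-core/loader/mips/linux.c
+index 20135ce253d..e4ed95921df 100644
+--- a/grub-core/loader/mips/linux.c
++++ b/grub-core/loader/mips/linux.c
+@@ -314,7 +314,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
+
+grub_memcpy (params, LINUX_IMAGE, sizeof (LINUX_IMAGE));
+grub_create_loader_cmdline (argc, argv, params + sizeof (LINUX_IMAGE) - 1,
+- size);
++ size, GRUB_VERIFY_KERNEL_CMDLINE);
+#else
+linux_argv = extra;
+argv_off = (grub_uint8_t *) linux_argv - (grub_uint8_t *) playground;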
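Review bot: The return value of grub_create_loader_cmdline is discarded, so now that GRUB_VERIFY_KERNEL_CMDLINE is passed, a verifier rejecting the command line does not stop the boot on MIPS — the error is left in grub_errno and the loader carries on. The PowerPC counterpart in this series checks the result and jumps to its cleanup label; this call should do the same, e.g. `if (grub_create_loader_cmdline (argc, argv, params + sizeof (LINUX_IMAGE) - 1, size, GRUB_VERIFY_KERNEL_CMDLINE)) goto fail;` using whatever cleanup label grub_cmd_linux has, which is outside the hunk.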
@ -0,0 +1,41 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Chang <mchang@suse.com>
|
||||||
|
Date: Tue, 18 Feb 2020 18:08:18 +0800
|
||||||
|
Subject: [PATCH] verifiers: Fix calling uninitialized function pointer
|
||||||
|
|
||||||
|
The necessary check for NULL before use of function ver->close is not
|
||||||
|
taking place in the failure path. This patch simply adds the missing
|
||||||
|
check and fixes the problem that GRUB hangs indefinitely after booting
|
||||||
|
rogue image without valid signature if secure boot is turned on.
|
||||||
|
|
||||||
|
Now it displays like this for booting rogue UEFI image:
|
||||||
|
|
||||||
|
error: bad shim signature
|
||||||
|
error: you need to load the kernel first
|
||||||
|
|
||||||
|
Press any key to continue...
|
||||||
|
|
||||||
|
and then you can go back to boot menu by pressing any key or after a few
|
||||||
|
seconds expired.
|
||||||
|
|
||||||
|
Signed-off-by: Michael Chang <mchang@suse.com>
|
||||||
|
Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index c638d5f43e0..599d79b757e 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -196,7 +196,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
|
||||||
|
return ret;
|
||||||
|
|
||||||
|
fail:
|
||||||
|
- ver->close (context);
|
||||||
|
+ if (ver->close)
|
||||||
|
+ ver->close (context);
|
||||||
|
fail_noclose:
|
||||||
|
verified_free (verified);
|
||||||
|
grub_free (ret);
|
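Review bot: The NULL check on `ver->close` is added only on the `fail:` path; the normal path that closes the verifier after a successful verification, and any other place that calls `ver->close`, is outside the hunk and needs the same guard if it does not already have it, otherwise a verifier that supplies `init` but not `close` still dereferences NULL on success. A one-line comment above the guard, e.g. `/* close is optional; a verifier may leave it NULL */`, would also record why the check exists, since today only the commit message explains it. grub_verifiers_open starts outside the hunk.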
124
SOURCES/0347-rhel-extra-file-type-fixes.patch
Normal file
124
SOURCES/0347-rhel-extra-file-type-fixes.patch
Normal file
@ -0,0 +1,124 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Tue, 12 May 2020 17:26:26 +1000
|
||||||
|
Subject: [PATCH] rhel: extra file type fixes
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
[javierm: fix a couple of build errors caused by mismerges]
|
||||||
|
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
|
||||||
|
---
|
||||||
|
grub-core/commands/blscfg.c | 2 +-
|
||||||
|
grub-core/loader/arm64/linux.c | 1 +
|
||||||
|
grub-core/loader/i386/efi/linux.c | 9 +++++----
|
||||||
|
grub-core/net/net.c | 2 +-
|
||||||
|
grub-core/normal/main.c | 2 +-
|
||||||
|
grub-core/osdep/generic/blocklist.c | 4 ++--
|
||||||
|
6 files changed, 11 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/blscfg.c b/grub-core/commands/blscfg.c
|
||||||
|
index 70ce5c7bf6f..795a9f9f178 100644
|
||||||
|
--- a/grub-core/commands/blscfg.c
|
||||||
|
+++ b/grub-core/commands/blscfg.c
|
||||||
|
@@ -463,7 +463,7 @@ static int read_entry (
|
||||||
|
|
||||||
|
p = grub_xasprintf ("(%s)%s/%s", info->devid, info->dirname, filename);
|
||||||
|
|
||||||
|
- f = grub_file_open (p);
|
||||||
|
+ f = grub_file_open (p, GRUB_FILE_TYPE_CONFIG);
|
||||||
|
if (!f)
|
||||||
|
goto finish;
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
|
||||||
|
index 864724dd4fa..e1923cf7257 100644
|
||||||
|
--- a/grub-core/loader/arm64/linux.c
|
||||||
|
+++ b/grub-core/loader/arm64/linux.c
|
||||||
|
@@ -31,6 +31,7 @@
|
||||||
|
#include <grub/efi/memory.h>
|
||||||
|
#include <grub/efi/linux.h>
|
||||||
|
#include <grub/efi/pe32.h>
|
||||||
|
+#include <grub/efi/sb.h>
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/lib/cmdline.h>
|
||||||
|
#include <grub/verify.h>
|
||||||
|
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
|
||||||
|
index 361e503cb52..576f8c07eaf 100644
|
||||||
|
--- a/grub-core/loader/i386/efi/linux.c
|
||||||
|
+++ b/grub-core/loader/i386/efi/linux.c
|
||||||
|
@@ -101,8 +101,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
|
||||||
|
for (i = 0; i < argc; i++)
|
||||||
|
{
|
||||||
|
- grub_file_filter_disable_compression ();
|
||||||
|
- files[i] = grub_file_open (argv[i]);
|
||||||
|
+ files[i] = grub_file_open (argv[i], GRUB_FILE_TYPE_LINUX_INITRD |
|
||||||
|
+ GRUB_FILE_TYPE_NO_DECOMPRESS);
|
||||||
|
if (! files[i])
|
||||||
|
goto fail;
|
||||||
|
nfiles++;
|
||||||
|
@@ -182,7 +182,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
|
||||||
|
- file = grub_file_open (argv[0]);
|
||||||
|
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
|
||||||
|
if (! file)
|
||||||
|
goto fail;
|
||||||
|
|
||||||
|
@@ -302,7 +302,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||||
|
grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));
|
||||||
|
grub_create_loader_cmdline (argc, argv,
|
||||||
|
linux_cmdline + sizeof (LINUX_IMAGE) - 1,
|
||||||
|
- lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1));
|
||||||
|
+ lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1),
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
|
||||||
|
grub_dprintf ("linux", "cmdline:%s\n", linux_cmdline);
|
||||||
|
grub_dprintf ("linux", "setting lh->cmd_line_ptr\n");
|
||||||
|
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
||||||
|
index 0e72bbb9b39..1fd104aeaf2 100644
|
||||||
|
--- a/grub-core/net/net.c
|
||||||
|
+++ b/grub-core/net/net.c
|
||||||
|
@@ -1907,7 +1907,7 @@ grub_net_search_configfile (char *config)
|
||||||
|
grub_dprintf ("net", "probe %s\n", config);
|
||||||
|
|
||||||
|
grub_file_t file;
|
||||||
|
- file = grub_file_open (config);
|
||||||
|
+ file = grub_file_open (config, GRUB_FILE_TYPE_CONFIG);
|
||||||
|
|
||||||
|
if (file)
|
||||||
|
{
|
||||||
|
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||||
|
index cee71a4c2ab..49141039f8f 100644
|
||||||
|
--- a/grub-core/normal/main.c
|
||||||
|
+++ b/grub-core/normal/main.c
|
||||||
|
@@ -363,7 +363,7 @@ grub_try_normal (const char *variable)
|
||||||
|
if (config)
|
||||||
|
{
|
||||||
|
grub_file_t file;
|
||||||
|
- file = grub_file_open (config);
|
||||||
|
+ file = grub_file_open (config, GRUB_FILE_TYPE_CONFIG);
|
||||||
|
if (file)
|
||||||
|
{
|
||||||
|
grub_file_close (file);
|
||||||
|
diff --git a/grub-core/osdep/generic/blocklist.c b/grub-core/osdep/generic/blocklist.c
|
||||||
|
index 74024fd06f3..ab1f96da62d 100644
|
||||||
|
--- a/grub-core/osdep/generic/blocklist.c
|
||||||
|
+++ b/grub-core/osdep/generic/blocklist.c
|
||||||
|
@@ -60,7 +60,7 @@ grub_install_get_blocklist (grub_device_t root_dev,
|
||||||
|
grub_disk_cache_invalidate_all ();
|
||||||
|
|
||||||
|
grub_file_filter_disable_compression ();
|
||||||
|
- file = grub_file_open (core_path_dev);
|
||||||
|
+ file = grub_file_open (core_path_dev, GRUB_FILE_TYPE_NONE);
|
||||||
|
if (file)
|
||||||
|
{
|
||||||
|
if (grub_file_size (file) != core_size)
|
||||||
|
@@ -118,7 +118,7 @@ grub_install_get_blocklist (grub_device_t root_dev,
|
||||||
|
grub_file_t file;
|
||||||
|
/* Now read the core image to determine where the sectors are. */
|
||||||
|
grub_file_filter_disable_compression ();
|
||||||
|
- file = grub_file_open (core_path_dev);
|
||||||
|
+ file = grub_file_open (core_path_dev, GRUB_FILE_TYPE_NONE);
|
||||||
|
if (! file)
|
||||||
|
grub_util_error ("%s", grub_errmsg);
|
||||||
|
|
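Review bot: In grub-core/loader/i386/efi/linux.c the result of grub_create_loader_cmdline is still ignored after GRUB_VERIFY_KERNEL_CMDLINE is added, so on x86 EFI — the Secure Boot path — a verifier rejecting the kernel command line does not abort grub_cmd_linux; the error stays in grub_errno and the loader goes on to set lh->cmd_line_ptr. Check it like the other loaders in this series, which already use `goto fail` here: `if (grub_create_loader_cmdline (argc, argv, linux_cmdline + sizeof (LINUX_IMAGE) - 1, lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1), GRUB_VERIFY_KERNEL_CMDLINE)) goto fail;`. The arm64 hunk adds `#include <grub/efi/sb.h>` with no visible user, which may be a leftover of the mismerge fixes the message mentions. grub_cmd_initrd and grub_cmd_linux both extend beyond their hunks.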
65
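--- a/SOURCES/0348-dl-Add-support-for-persistent-modules.patch
+++ b/SOURCES/0348-dl-Add-support-for-persistent-modules.patch
@@ -0,0 +1,65 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Kiper <daniel.kiper@oracle.com>
+Date: Tue, 2 Oct 2018 18:49:26 +0200
+Subject: [PATCH] dl: Add support for persistent modules
+
+This type of modules cannot be unloaded. This is useful if a given
+functionality, e.g. UEFI secure boot shim signature verification, should
+not be disabled if it was enabled at some point in time. Somebody may
+say that we can use standalone GRUB2 here. That is true. However, the
+code is not so big nor complicated hence it make sense to support
+modularized configs too.
+
+Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
+(cherry picked from commit ee7808e2197cbf5e8515d90ecbd81c9d0dd6fc15)
+---
+grub-core/commands/minicmd.c | 3 +++
+include/grub/dl.h | 13 +++++++++++++
+2 files changed, 16 insertions(+)
+
+diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
+index 46bf135e8f0..6d66b7c453a 100644
+--- a/grub-core/commands/minicmd.c
++++ b/grub-core/commands/minicmd.c
+@@ -137,6 +137,9 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
+if (! mod)
+return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module");
+
++ if (grub_dl_is_persistent (mod))
++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
++
+if (grub_dl_unref (mod) <= 0)
+grub_dl_unload (mod);
+
+diff --git a/include/grub/dl.h b/include/grub/dl.h
+index 7b5bfb07ce6..f7cfe64823c 100644
+--- a/include/grub/dl.h
++++ b/include/grub/dl.h
+@@ -177,6 +177,7 @@ struct grub_dl
+{
+char *name;
+int ref_count;
++ int persistent;
+grub_dl_dep_t dep;
+grub_dl_segment_t segment;
+Elf_Sym *symtab;
+@@ -242,6 +243,18 @@ grub_dl_get (const char *name)
+return 0;
+}
+
++static inline void
++grub_dl_set_persistent (grub_dl_t mod)
++{
++ mod->persistent = 1;
++}
++
++static inline int
++grub_dl_is_persistent (grub_dl_t mod)
++{
++ return mod->persistent;
++}
++
+#endif
+
+void * EXPORT_FUNC(grub_resolve_symbol) (const char *name);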
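Review bot: The persistence check is enforced only in grub_mini_cmd_rmmod; grub_dl_unload itself is not changed, so any other path that reaches it (a dependency unref when another module is removed, or an unload-all) can still drop a module marked persistent, which undercuts the stated goal of keeping shim signature verification loaded. Put the check at the top of grub_dl_unload so every caller is covered, e.g. `if (grub_dl_is_persistent (mod)) return 0;`, or document on grub_dl_set_persistent that rmmod is the only guarded entry point. The new `persistent` field also relies on the module struct being zero-initialised at load; that allocation is outside this patch, so confirm it is zeroed. grub_mini_cmd_rmmod starts outside the hunk.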
@ -0,0 +1,309 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rashmica Gupta <rashmica.g@gmail.com>
|
||||||
|
Date: Thu, 11 Jun 2020 11:26:23 +1000
|
||||||
|
Subject: [PATCH] Add suport for signing grub with an appended signature
|
||||||
|
|
||||||
|
Add infrastructure to allow firmware to verify the integrity of grub
|
||||||
|
by use of a Linux-kernel-module-style appended signature. We initially
|
||||||
|
target powerpc-ieee1275, but the code should be extensible to other
|
||||||
|
platforms.
|
||||||
|
|
||||||
|
Usually these signatures are appended to a file without modifying the
|
||||||
|
ELF file itself. (This is what the 'sign-file' tool does, for example.)
|
||||||
|
The verifier loads the signed file from the file system and looks at the
|
||||||
|
end of the file for the appended signature. However, on powerpc-ieee1275
|
||||||
|
platforms, the bootloader is often stored directly in the PReP partition
|
||||||
|
as raw bytes without a file-system. This makes determining the location
|
||||||
|
of an appended signature more difficult.
|
||||||
|
|
||||||
|
To address this, we add a new ELF note.
|
||||||
|
|
||||||
|
The name field of shall be the string "Appended-Signature", zero-padded
|
||||||
|
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
|
||||||
|
for the string "ASig"). It must be the final section in the ELF binary.
|
||||||
|
|
||||||
|
The description shall contain the appended signature structure as defined
|
||||||
|
by the Linux kernel. The description will also be padded to be a multiple
|
||||||
|
of 4 bytes. The padding shall be added before the appended signature
|
||||||
|
structure (not at the end) so that the final bytes of a signed ELF file
|
||||||
|
are the appended signature magic.
|
||||||
|
|
||||||
|
A subsequent patch documents how to create a grub core.img validly signed
|
||||||
|
under this scheme.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
Signed-off-by: Rashmica Gupta <rashmica.g@gmail.com>
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
You can experiment with this code with a patched version of SLOF
|
||||||
|
that verifies these signatures. You can find one at:
|
||||||
|
https://github.com/daxtens/SLOF
|
||||||
|
|
||||||
|
I will be proposing this for inclusion in a future Power Architecture
|
||||||
|
Platform Reference (PAPR).
|
||||||
|
---
|
||||||
|
util/grub-install-common.c | 16 +++++++++++++---
|
||||||
|
util/grub-mkimage.c | 11 +++++++++++
|
||||||
|
util/grub-mkimagexx.c | 39 ++++++++++++++++++++++++++++++++++++++-
|
||||||
|
util/mkimage.c | 10 +++++-----
|
||||||
|
include/grub/util/install.h | 8 ++++++--
|
||||||
|
include/grub/util/mkimage.h | 4 ++--
|
||||||
|
6 files changed, 75 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
|
||||||
|
index cf993c059ad..561e671ff34 100644
|
||||||
|
--- a/util/grub-install-common.c
|
||||||
|
+++ b/util/grub-install-common.c
|
||||||
|
@@ -303,10 +303,12 @@ handle_install_list (struct install_list *il, const char *val,
|
||||||
|
static char **pubkeys;
|
||||||
|
static size_t npubkeys;
|
||||||
|
static grub_compression_t compression;
|
||||||
|
+static size_t appsig_size;
|
||||||
|
|
||||||
|
int
|
||||||
|
grub_install_parse (int key, char *arg)
|
||||||
|
{
|
||||||
|
+ const char *end;
|
||||||
|
switch (key)
|
||||||
|
{
|
||||||
|
case 'C':
|
||||||
|
@@ -395,6 +397,12 @@ grub_install_parse (int key, char *arg)
|
||||||
|
grub_util_error (_("Unrecognized compression `%s'"), arg);
|
||||||
|
case GRUB_INSTALL_OPTIONS_GRUB_MKIMAGE:
|
||||||
|
return 1;
|
||||||
|
+ case GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE:
|
||||||
|
+ grub_errno = 0;
|
||||||
|
+ appsig_size = grub_strtol(arg, &end, 10);
|
||||||
|
+ if (grub_errno)
|
||||||
|
+ return 0;
|
||||||
|
+ return 1;
|
||||||
|
default:
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -493,10 +501,12 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
grub_util_info ("grub-mkimage --directory '%s' --prefix '%s'"
|
||||||
|
" --output '%s' "
|
||||||
|
" --dtb '%s' "
|
||||||
|
- "--format '%s' --compression '%s' %s %s\n",
|
||||||
|
+ "--format '%s' --compression '%s' "
|
||||||
|
+ "--appended-signature-size %zu %s %s\n",
|
||||||
|
dir, prefix,
|
||||||
|
outname, dtb ? : "", mkimage_target,
|
||||||
|
- compnames[compression], note ? "--note" : "", s);
|
||||||
|
+ compnames[compression], appsig_size,
|
||||||
|
+ note ? "--note" : "", s);
|
||||||
|
free (s);
|
||||||
|
|
||||||
|
tgt = grub_install_get_image_target (mkimage_target);
|
||||||
|
@@ -506,7 +516,7 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
|
||||||
|
grub_install_generate_image (dir, prefix, fp, outname,
|
||||||
|
modules.entries, memdisk_path,
|
||||||
|
pubkeys, npubkeys, config_path, tgt,
|
||||||
|
- note, compression, dtb);
|
||||||
|
+ note, appsig_size, compression, dtb);
|
||||||
|
while (dc--)
|
||||||
|
grub_install_pop_module ();
|
||||||
|
}
|
||||||
|
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
|
||||||
|
index 98d24cc06ea..65a015d8a04 100644
|
||||||
|
--- a/util/grub-mkimage.c
|
||||||
|
+++ b/util/grub-mkimage.c
|
||||||
|
@@ -82,6 +82,7 @@ static struct argp_option options[] = {
|
||||||
|
{"format", 'O', N_("FORMAT"), 0, 0, 0},
|
||||||
|
{"compression", 'C', "(xz|none|auto)", 0, N_("choose the compression to use for core image"), 0},
|
||||||
|
{"verbose", 'v', 0, 0, N_("print verbose messages."), 0},
|
||||||
|
+ {"appended-signature-size", 'S', N_("SIZE"), 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), 0},
|
||||||
|
{ 0, 0, 0, 0, 0, 0 }
|
||||||
|
};
|
||||||
|
|
||||||
|
@@ -124,6 +125,7 @@ struct arguments
|
||||||
|
char *font;
|
||||||
|
char *config;
|
||||||
|
int note;
|
||||||
|
+ size_t appsig_size;
|
||||||
|
const struct grub_install_image_target_desc *image_target;
|
||||||
|
grub_compression_t comp;
|
||||||
|
};
|
||||||
|
@@ -134,6 +136,7 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||||
|
/* Get the input argument from argp_parse, which we
|
||||||
|
know is a pointer to our arguments structure. */
|
||||||
|
struct arguments *arguments = state->input;
|
||||||
|
+ const char* end;
|
||||||
|
|
||||||
|
switch (key)
|
||||||
|
{
|
||||||
|
@@ -166,6 +169,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
|
||||||
|
arguments->note = 1;
|
||||||
|
break;
|
||||||
|
|
||||||
|
+ case 'S':
|
||||||
|
+ grub_errno = 0;
|
||||||
|
+ arguments->appsig_size = grub_strtol(arg, &end, 10);
|
||||||
|
+ if (grub_errno)
|
||||||
|
+ return 0;
|
||||||
|
+ break;
|
||||||
|
+
|
||||||
|
case 'm':
|
||||||
|
if (arguments->memdisk)
|
||||||
|
free (arguments->memdisk);
|
||||||
|
@@ -309,6 +319,7 @@ main (int argc, char *argv[])
|
||||||
|
arguments.memdisk, arguments.pubkeys,
|
||||||
|
arguments.npubkeys, arguments.config,
|
||||||
|
arguments.image_target, arguments.note,
|
||||||
|
+ arguments.appsig_size,
|
||||||
|
arguments.comp, arguments.dtb);
|
||||||
|
|
||||||
|
grub_util_file_sync (fp);
|
||||||
|
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
|
||||||
|
index f9aa1a033b5..1bb5eb84c14 100644
|
||||||
|
--- a/util/grub-mkimagexx.c
|
||||||
|
+++ b/util/grub-mkimagexx.c
|
||||||
|
@@ -82,6 +82,15 @@ struct grub_ieee1275_note
|
||||||
|
struct grub_ieee1275_note_desc descriptor;
|
||||||
|
};
|
||||||
|
|
||||||
|
+#define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
|
||||||
|
+#define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
|
||||||
|
+
|
||||||
|
+struct grub_appended_signature_note
|
||||||
|
+{
|
||||||
|
+ Elf32_Nhdr header;
|
||||||
|
+ char name[ALIGN_UP(sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME), 4)];
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
#define GRUB_XEN_NOTE_NAME "Xen"
|
||||||
|
|
||||||
|
struct fixup_block_list
|
||||||
|
@@ -205,7 +214,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr sym_addr)
|
||||||
|
|
||||||
|
void
|
||||||
|
SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout)
|
||||||
|
{
|
||||||
|
@@ -219,6 +228,12 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
|
||||||
|
int shnum = 4;
|
||||||
|
int string_size = sizeof (".text") + sizeof ("mods") + 1;
|
||||||
|
|
||||||
|
+ if (appsig_size)
|
||||||
|
+ {
|
||||||
|
+ phnum++;
|
||||||
|
+ footer_size += ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (image_target->id != IMAGE_LOONGSON_ELF)
|
||||||
|
phnum += 2;
|
||||||
|
|
||||||
|
@@ -449,6 +464,28 @@ SUFFIX (grub_mkimage_generate_elf) (const struct grub_install_image_target_desc
|
||||||
|
phdr->p_offset = grub_host_to_target32 (header_size + program_size);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (appsig_size) {
|
||||||
|
+ int note_size = ALIGN_UP(sizeof (struct grub_appended_signature_note) + appsig_size, 4);
|
||||||
|
+ struct grub_appended_signature_note *note_ptr = (struct grub_appended_signature_note *)
|
||||||
|
+ (elf_img + program_size + header_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
|
||||||
|
+
|
||||||
|
+ note_ptr->header.n_namesz = grub_host_to_target32 (sizeof (GRUB_APPENDED_SIGNATURE_NOTE_NAME));
|
||||||
|
+ /* needs to sit at the end, so we round this up and sign some zero padding */
|
||||||
|
+ note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(appsig_size, 4));
|
||||||
|
+ note_ptr->header.n_type = grub_host_to_target32 (GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
|
||||||
|
+ strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
|
||||||
|
+
|
||||||
|
+ phdr++;
|
||||||
|
+ phdr->p_type = grub_host_to_target32 (PT_NOTE);
|
||||||
|
+ phdr->p_flags = grub_host_to_target32 (PF_R);
|
||||||
|
+ phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
|
||||||
|
+ phdr->p_vaddr = 0;
|
||||||
|
+ phdr->p_paddr = 0;
|
||||||
|
+ phdr->p_filesz = grub_host_to_target32 (note_size);
|
||||||
|
+ phdr->p_memsz = 0;
|
||||||
|
+ phdr->p_offset = grub_host_to_target32 (header_size + program_size + (note ? sizeof (struct grub_ieee1275_note) : 0));
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
{
|
||||||
|
char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
|
||||||
|
+ shnum * sizeof (*shdr));
|
||||||
|
diff --git a/util/mkimage.c b/util/mkimage.c
|
||||||
|
index e22d82afa61..a81120f26be 100644
|
||||||
|
--- a/util/mkimage.c
|
||||||
|
+++ b/util/mkimage.c
|
||||||
|
@@ -777,7 +777,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
char *memdisk_path, char **pubkey_paths,
|
||||||
|
size_t npubkeys, char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, grub_compression_t comp, const char *dtb_path)
|
||||||
|
+ int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
|
||||||
|
{
|
||||||
|
char *kernel_img, *core_img;
|
||||||
|
size_t total_module_size, core_size;
|
||||||
|
@@ -1694,11 +1694,11 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
else
|
||||||
|
target_addr = image_target->link_addr;
|
||||||
|
if (image_target->voidp_sizeof == 4)
|
||||||
|
- grub_mkimage_generate_elf32 (image_target, note, &core_img, &core_size,
|
||||||
|
- target_addr, &layout);
|
||||||
|
+ grub_mkimage_generate_elf32 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ &core_size, target_addr, &layout);
|
||||||
|
else
|
||||||
|
- grub_mkimage_generate_elf64 (image_target, note, &core_img, &core_size,
|
||||||
|
- target_addr, &layout);
|
||||||
|
+ grub_mkimage_generate_elf64 (image_target, note, appsig_size, &core_img,
|
||||||
|
+ &core_size, target_addr, &layout);
|
||||||
|
}
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||||||
|
index 0dba8b67f93..ba5e6a2ea8f 100644
|
||||||
|
--- a/include/grub/util/install.h
|
||||||
|
+++ b/include/grub/util/install.h
|
||||||
|
@@ -63,6 +63,9 @@
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/ \
|
||||||
|
{ "pubkey", 'k', N_("FILE"), 0, \
|
||||||
|
N_("embed FILE as public key for signature checking"), 0}, \
|
||||||
|
+ { "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||||||
|
+ "SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||||||
|
+ 1}, \
|
||||||
|
{ "verbose", 'v', 0, 0, \
|
||||||
|
N_("print verbose messages."), 1 }
|
||||||
|
|
||||||
|
@@ -119,7 +122,8 @@ enum grub_install_options {
|
||||||
|
GRUB_INSTALL_OPTIONS_THEMES_DIRECTORY,
|
||||||
|
GRUB_INSTALL_OPTIONS_GRUB_MKIMAGE,
|
||||||
|
GRUB_INSTALL_OPTIONS_INSTALL_CORE_COMPRESS,
|
||||||
|
- GRUB_INSTALL_OPTIONS_DTB
|
||||||
|
+ GRUB_INSTALL_OPTIONS_DTB,
|
||||||
|
+ GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE
|
||||||
|
};
|
||||||
|
|
||||||
|
extern char *grub_install_source_directory;
|
||||||
|
@@ -179,7 +183,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
size_t npubkeys,
|
||||||
|
char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note,
|
||||||
|
+ int note, size_t appsig_size,
|
||||||
|
grub_compression_t comp, const char *dtb_file);
|
||||||
|
|
||||||
|
const struct grub_install_image_target_desc *
|
||||||
|
diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
|
||||||
|
index b3a5ca132bc..cef7fffa7ae 100644
|
||||||
|
--- a/include/grub/util/mkimage.h
|
||||||
|
+++ b/include/grub/util/mkimage.h
|
||||||
|
@@ -50,12 +50,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target);
|
||||||
|
void
|
||||||
|
grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf32_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout);
|
||||||
|
void
|
||||||
|
grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc *image_target,
|
||||||
|
- int note, char **core_img, size_t *core_size,
|
||||||
|
+ int note, size_t appsig_size, char **core_img, size_t *core_size,
|
||||||
|
Elf64_Addr target_addr,
|
||||||
|
struct grub_mkimage_layout *layout);
|
||||||
|
|
@ -0,0 +1,59 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 02:00:57 +1000
|
||||||
|
Subject: [PATCH] docs/grub: Document signing grub under UEFI
|
||||||
|
|
||||||
|
Before adding information about how grub is signed with an appended
|
||||||
|
signature scheme, it's worth adding some information about how it
|
||||||
|
can currently be signed for UEFI.
|
||||||
|
|
||||||
|
(adjusted from upstream - s/grub/grub2/ in the docs)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 19 ++++++++++++++++++-
|
||||||
|
1 file changed, 18 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index fa11cc0aff7..acace6c0737 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5610,6 +5610,7 @@ environment variables and commands are listed in the same order.
|
||||||
|
@menu
|
||||||
|
* Authentication and authorisation:: Users and access control
|
||||||
|
* Using digital signatures:: Booting digitally signed code
|
||||||
|
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
@end menu
|
||||||
|
|
||||||
|
@node Authentication and authorisation
|
||||||
|
@@ -5687,7 +5688,7 @@ commands.
|
||||||
|
|
||||||
|
GRUB's @file{core.img} can optionally provide enforcement that all files
|
||||||
|
subsequently read from disk are covered by a valid digital signature.
|
||||||
|
-This document does @strong{not} cover how to ensure that your
|
||||||
|
+This section does @strong{not} cover how to ensure that your
|
||||||
|
platform's firmware (e.g., Coreboot) validates @file{core.img}.
|
||||||
|
|
||||||
|
If environment variable @code{check_signatures}
|
||||||
|
@@ -5772,6 +5773,22 @@ or BIOS) configuration to cause the machine to boot from a different
|
||||||
|
(attacker-controlled) device. GRUB is at best only one link in a
|
||||||
|
secure boot chain.
|
||||||
|
|
||||||
|
+@node Signing GRUB itself
|
||||||
|
+@section Signing GRUB itself
|
||||||
|
+
|
||||||
|
+To ensure a complete secure-boot chain, there must be a way for the code that
|
||||||
|
+loads GRUB to verify the integrity of the core image.
|
||||||
|
+
|
||||||
|
+This is ultimately platform-specific and individual platforms can define their
|
||||||
|
+own mechanisms. However, there are general-purpose mechanisms that can be used
|
||||||
|
+with GRUB.
|
||||||
|
+
|
||||||
|
+@section Signing GRUB for UEFI secure boot
|
||||||
|
+
|
||||||
|
+On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
|
||||||
|
+with a tool such as @command{pesign} or @command{sbsign}. It will also be
|
||||||
|
+necessary to enrol the public key used into a relevant firmware key database.
|
||||||
|
+
|
||||||
|
@node Platform limitations
|
||||||
|
@chapter Platform limitations
|
||||||
|
|
@ -0,0 +1,67 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 02:19:36 +1000
|
||||||
|
Subject: [PATCH] docs/grub: Document signing grub with an appended signature
|
||||||
|
|
||||||
|
Signing grub for firmware that verifies an appended signature is a
|
||||||
|
bit fiddly. I don't want people to have to figure it out from scratch
|
||||||
|
so document it here.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
1 file changed, 42 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index acace6c0737..61c92a1e03d 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5789,6 +5789,48 @@ On UEFI platforms, @file{core.img} is a PE binary. Therefore, it can be signed
|
||||||
|
with a tool such as @command{pesign} or @command{sbsign}. It will also be
|
||||||
|
necessary to enrol the public key used into a relevant firmware key database.
|
||||||
|
|
||||||
|
+@section Signing GRUB with an appended signature
|
||||||
|
+
|
||||||
|
+The @file{core.img} itself can be signed with a Linux kernel module-style
|
||||||
|
+appended signature.
|
||||||
|
+
|
||||||
|
+To support IEEE1275 platforms where the boot image is often loaded directly
|
||||||
|
+from a disk partition rather than from a file system, the @file{core.img}
|
||||||
|
+can specify the size and location of the appended signature with an ELF
|
||||||
|
+note added by @command{grub-install}.
|
||||||
|
+
|
||||||
|
+An image can be signed this way using the @command{sign-file} command from
|
||||||
|
+the Linux kernel:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+@group
|
||||||
|
+# grub.key is your private key and certificate.der is your public key
|
||||||
|
+
|
||||||
|
+# Determine the size of the appended signature. It depends on the signing
|
||||||
|
+# certificate and the hash algorithm
|
||||||
|
+touch empty
|
||||||
|
+sign-file SHA256 grub.key certificate.der empty empty.sig
|
||||||
|
+SIG_SIZE=`stat -c '%s' empty.sig`
|
||||||
|
+rm empty empty.sig
|
||||||
|
+
|
||||||
|
+# Build a grub image with $SIG_SIZE reserved for the signature
|
||||||
|
+grub-install --appended-signature-size $SIG_SIZE --modules="..." ...
|
||||||
|
+
|
||||||
|
+# Replace the reserved size with a signature:
|
||||||
|
+# cut off the last $SIG_SIZE bytes with truncate's minus modifier
|
||||||
|
+truncate -s -$SIG_SIZE /boot/grub/powerpc-ieee1275/core.elf core.elf.unsigned
|
||||||
|
+# sign the trimmed file with an appended signature, restoring the correct size
|
||||||
|
+sign-file SHA256 grub.key certificate.der core.elf.unsigned core.elf.signed
|
||||||
|
+
|
||||||
|
+# Don't forget to install the signed image as required
|
||||||
|
+# (e.g. on powerpc-ieee1275, to the PReP partition)
|
||||||
|
+@end group
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+As with UEFI secure boot, it is necessary to build in the required modules,
|
||||||
|
+or sign them separately.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node Platform limitations
|
||||||
|
@chapter Platform limitations
|
||||||
|
|
@ -0,0 +1,33 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 01:00:11 +1000
|
||||||
|
Subject: [PATCH] docs/grub: grub-install is no longer a shell script
|
||||||
|
|
||||||
|
Since commit cd46aa6cefab in 2013, grub-install hasn't been a shell
|
||||||
|
script. The para doesn't really add that much, especially since it's
|
||||||
|
the user manual, so just drop it.
|
||||||
|
|
||||||
|
(adjust docs: s/grub/grub2)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 7 -------
|
||||||
|
1 file changed, 7 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index 61c92a1e03d..34517e67439 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -695,13 +695,6 @@ floppy instead of exposing the USB drive as a hard disk (they call it
|
||||||
|
This install doesn't conflict with standard install as long as they are in
|
||||||
|
separate directories.
|
||||||
|
|
||||||
|
-Note that @command{grub2-install} is actually just a shell script and the
|
||||||
|
-real task is done by other tools such as @command{grub2-mkimage}. Therefore,
|
||||||
|
-you may run those commands directly to install GRUB, without using
|
||||||
|
-@command{grub2-install}. Don't do that, however, unless you are very familiar
|
||||||
|
-with the internals of GRUB. Installing a boot loader on a running OS may be
|
||||||
|
-extremely dangerous.
|
||||||
|
-
|
||||||
|
On EFI systems for fixed disk install you have to mount EFI System Partition.
|
||||||
|
If you mount it at @file{/boot/efi} then you don't need any special arguments:
|
||||||
|
|
@ -0,0 +1,36 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 15 Aug 2020 02:04:01 +1000
|
||||||
|
Subject: [PATCH] docs/grub: --pubkey has been supported for some time
|
||||||
|
|
||||||
|
--pubkey is supported, so we can now document it.
|
||||||
|
|
||||||
|
(adjust docs: s/grub/grub2)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 12 +++---------
|
||||||
|
1 file changed, 3 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index 34517e67439..a833364d5ff 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -5695,15 +5695,9 @@ verified with a public key currently trusted by GRUB
|
||||||
|
validation fails, then file @file{foo} cannot be opened. This failure
|
||||||
|
may halt or otherwise impact the boot process.
|
||||||
|
|
||||||
|
-@comment Unfortunately --pubkey is not yet supported by grub2-install,
|
||||||
|
-@comment but we should not bring up internal detail grub2-mkimage here
|
||||||
|
-@comment in the user guide (as opposed to developer's manual).
|
||||||
|
-
|
||||||
|
-@comment An initial trusted public key can be embedded within the GRUB
|
||||||
|
-@comment @file{core.img} using the @code{--pubkey} option to
|
||||||
|
-@comment @command{grub2-mkimage} (@pxref{Invoking grub2-install}). Presently it
|
||||||
|
-@comment is necessary to write a custom wrapper around @command{grub2-mkimage}
|
||||||
|
-@comment using the @code{--grub-mkimage} flag to @command{grub2-install}.
|
||||||
|
+An initial trusted public key can be embedded within the GRUB
|
||||||
|
+@file{core.img} using the @code{--pubkey} option to
|
||||||
|
+@command{grub2-install} (@pxref{Invoking grub2-install}).
|
||||||
|
|
||||||
|
GRUB uses GPG-style detached signatures (meaning that a file
|
||||||
|
@file{foo.sig} will be produced when file @file{foo} is signed), and
|
@ -0,0 +1,44 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 00:13:21 +1000
|
||||||
|
Subject: [PATCH] dl: provide a fake grub_dl_set_persistent for the emu target
|
||||||
|
|
||||||
|
Trying to start grub-emu with a module that calls grub_dl_set_persistent
|
||||||
|
will crash because grub-emu fakes modules and passes NULL to the module
|
||||||
|
init function.
|
||||||
|
|
||||||
|
Provide an empty function for the emu case.
|
||||||
|
|
||||||
|
Fixes: ee7808e2197c (dl: Add support for persistent modules)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
include/grub/dl.h | 11 +++++++++++
|
||||||
|
1 file changed, 11 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/include/grub/dl.h b/include/grub/dl.h
|
||||||
|
index f7cfe64823c..877821dcb04 100644
|
||||||
|
--- a/include/grub/dl.h
|
||||||
|
+++ b/include/grub/dl.h
|
||||||
|
@@ -243,11 +243,22 @@ grub_dl_get (const char *name)
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#ifdef GRUB_MACHINE_EMU
|
||||||
|
+/*
|
||||||
|
+ * Under grub-emu, modules are faked and NULL is passed to GRUB_MOD_INIT.
|
||||||
|
+ * So we fake this out to avoid a NULL deref.
|
||||||
|
+ */
|
||||||
|
+static inline void
|
||||||
|
+grub_dl_set_persistent (grub_dl_t mod __attribute__((unused)))
|
||||||
|
+{
|
||||||
|
+}
|
||||||
|
+#else
|
||||||
|
static inline void
|
||||||
|
grub_dl_set_persistent (grub_dl_t mod)
|
||||||
|
{
|
||||||
|
mod->persistent = 1;
|
||||||
|
}
|
||||||
|
+#endif
|
||||||
|
|
||||||
|
static inline int
|
||||||
|
grub_dl_is_persistent (grub_dl_t mod)
|
SOURCES/0355-verifiers-provide-unsafe-module-list.patch
@ -0,0 +1,96 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Wed, 29 Jul 2020 17:46:16 +1000
|
||||||
|
Subject: [PATCH] verifiers: provide unsafe module list
|
||||||
|
|
||||||
|
Other verifiers that implement secure boot may want to be able to
|
||||||
|
use this list and behaviour.
|
||||||
|
|
||||||
|
Upstream, this factors the list out of the shim_lock verifier.
|
||||||
|
However, that hasn't hit the RHEL8.4 tree yet, so instead
|
||||||
|
of factoring it out of that we just create it.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/verifiers.c | 46 ++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
include/grub/verify.h | 13 ++++++++++++
|
||||||
|
2 files changed, 59 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/verifiers.c b/grub-core/commands/verifiers.c
|
||||||
|
index 599d79b757e..f64343ac90b 100644
|
||||||
|
--- a/grub-core/commands/verifiers.c
|
||||||
|
+++ b/grub-core/commands/verifiers.c
|
||||||
|
@@ -218,6 +218,52 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
|
||||||
|
return GRUB_ERR_NONE;
|
||||||
|
}
|
||||||
|
|
||||||
|
+/* List of modules which may allow for verifcation to be bypassed. */
|
||||||
|
+static const char *const disabled_mods[] = { "iorw", "memrw", "wrmsr", NULL };
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Does the module in file `io' allow for the a verifier to be bypassed?
|
||||||
|
+ *
|
||||||
|
+ * Returns 1 if so, otherwise 0.
|
||||||
|
+ */
|
||||||
|
+char
|
||||||
|
+grub_is_dangerous_module (grub_file_t io)
|
||||||
|
+{
|
||||||
|
+ char *b, *e;
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ /* Establish GRUB module name. */
|
||||||
|
+ b = grub_strrchr (io->name, '/');
|
||||||
|
+ e = grub_strrchr (io->name, '.');
|
||||||
|
+
|
||||||
|
+ b = b ? (b + 1) : io->name;
|
||||||
|
+ e = e ? e : io->name + grub_strlen (io->name);
|
||||||
|
+ e = (e > b) ? e : io->name + grub_strlen (io->name);
|
||||||
|
+
|
||||||
|
+ for (i = 0; disabled_mods[i]; i++)
|
||||||
|
+ if (!grub_strncmp (b, disabled_mods[i],
|
||||||
|
+ grub_strlen (b) - grub_strlen (e)))
|
||||||
|
+ return 1;
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Is there already an unsafe module in memory?
|
||||||
|
+ * Returns the name if one is loaded, otherwise NULL.
|
||||||
|
+ */
|
||||||
|
+const char *
|
||||||
|
+grub_dangerous_module_loaded (void)
|
||||||
|
+{
|
||||||
|
+ int i;
|
||||||
|
+
|
||||||
|
+ for (i = 0; disabled_mods[i]; i++)
|
||||||
|
+ if (grub_dl_get (disabled_mods[i]))
|
||||||
|
+ {
|
||||||
|
+ return disabled_mods[i];
|
||||||
|
+ }
|
||||||
|
+ return NULL;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
GRUB_MOD_INIT(verifiers)
|
||||||
|
{
|
||||||
|
grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
|
||||||
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||||
|
index 79022b42258..60c13e7ea8e 100644
|
||||||
|
--- a/include/grub/verify.h
|
||||||
|
+++ b/include/grub/verify.h
|
||||||
|
@@ -76,3 +76,16 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
|
||||||
|
|
||||||
|
grub_err_t
|
||||||
|
grub_verify_string (char *str, enum grub_verify_string_type type);
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Does the module in file `io' allow for the a verifier to be bypassed?
|
||||||
|
+ *
|
||||||
|
+ * Returns 1 if so, otherwise 0.
|
||||||
|
+ */
|
||||||
|
+char grub_is_dangerous_module (grub_file_t io);
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Is there already an unsafe module in memory?
|
||||||
|
+ * Returns the name if one is loaded, otherwise NULL.
|
||||||
|
+ */
|
||||||
|
+const char *grub_dangerous_module_loaded (void);
|
SOURCES/0356-pgp-factor-out-rsa_pad.patch
@ -0,0 +1,191 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 1 Oct 2020 20:23:48 +1000
|
||||||
|
Subject: [PATCH] pgp: factor out rsa_pad
|
||||||
|
|
||||||
|
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
|
||||||
|
We want to use it in other RSA signature verification applications.
|
||||||
|
|
||||||
|
I considered and rejected putting it in lib/crypto.c. That file doesn't
|
||||||
|
currently require any MPI functions, but rsa_pad does. That's not so
|
||||||
|
much of a problem for the grub kernel and modules, but crypto.c also
|
||||||
|
gets built into all the grub utilities. So - despite the utils not
|
||||||
|
using any asymmetric ciphers - we would need to built the entire MPI
|
||||||
|
infrastructure in to them.
|
||||||
|
|
||||||
|
A better and simpler solution is just to spin rsa_pad out into its own
|
||||||
|
PKCS#1 v1.5 module.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 8 ++++++
|
||||||
|
grub-core/commands/pgp.c | 28 ++-------------------
|
||||||
|
grub-core/lib/pkcs1_v15.c | 59 +++++++++++++++++++++++++++++++++++++++++++++
|
||||||
|
include/grub/pkcs1_v15.h | 27 +++++++++++++++++++++
|
||||||
|
4 files changed, 96 insertions(+), 26 deletions(-)
|
||||||
|
create mode 100644 grub-core/lib/pkcs1_v15.c
|
||||||
|
create mode 100644 include/grub/pkcs1_v15.h
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 809f11feaef..99615c07b94 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -2387,6 +2387,14 @@ module = {
|
||||||
|
cppflags = '$(CPPFLAGS_GCRY)';
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = pkcs1_v15;
|
||||||
|
+ common = lib/pkcs1_v15.c;
|
||||||
|
+
|
||||||
|
+ cflags = '$(CFLAGS_GCRY) -Wno-redundant-decls -Wno-sign-compare';
|
||||||
|
+ cppflags = '$(CPPFLAGS_GCRY)';
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = all_video;
|
||||||
|
common = lib/fake_module.c;
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index d39846d8cfe..bb6543819f0 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -24,6 +24,7 @@
|
||||||
|
#include <grub/file.h>
|
||||||
|
#include <grub/command.h>
|
||||||
|
#include <grub/crypto.h>
|
||||||
|
+#include <grub/pkcs1_v15.h>
|
||||||
|
#include <grub/i18n.h>
|
||||||
|
#include <grub/gcrypt/gcrypt.h>
|
||||||
|
#include <grub/pubkey.h>
|
||||||
|
@@ -411,32 +412,7 @@ static int
|
||||||
|
rsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
|
||||||
|
const gcry_md_spec_t *hash, struct grub_public_subkey *sk)
|
||||||
|
{
|
||||||
|
- grub_size_t tlen, emlen, fflen;
|
||||||
|
- grub_uint8_t *em, *emptr;
|
||||||
|
- unsigned nbits = gcry_mpi_get_nbits (sk->mpis[0]);
|
||||||
|
- int ret;
|
||||||
|
- tlen = hash->mdlen + hash->asnlen;
|
||||||
|
- emlen = (nbits + 7) / 8;
|
||||||
|
- if (emlen < tlen + 11)
|
||||||
|
- return 1;
|
||||||
|
-
|
||||||
|
- em = grub_malloc (emlen);
|
||||||
|
- if (!em)
|
||||||
|
- return 1;
|
||||||
|
-
|
||||||
|
- em[0] = 0x00;
|
||||||
|
- em[1] = 0x01;
|
||||||
|
- fflen = emlen - tlen - 3;
|
||||||
|
- for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
|
||||||
|
- *emptr = 0xff;
|
||||||
|
- *emptr++ = 0x00;
|
||||||
|
- grub_memcpy (emptr, hash->asnoid, hash->asnlen);
|
||||||
|
- emptr += hash->asnlen;
|
||||||
|
- grub_memcpy (emptr, hval, hash->mdlen);
|
||||||
|
-
|
||||||
|
- ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
|
||||||
|
- grub_free (em);
|
||||||
|
- return ret;
|
||||||
|
+ return grub_crypto_rsa_pad(hmpi, hval, hash, sk->mpis[0]);
|
||||||
|
}
|
||||||
|
|
||||||
|
struct grub_pubkey_context
|
||||||
|
diff --git a/grub-core/lib/pkcs1_v15.c b/grub-core/lib/pkcs1_v15.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..dbacd563d01
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/lib/pkcs1_v15.c
|
||||||
|
@@ -0,0 +1,59 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2013 Free Software Foundation, Inc.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/gcrypt/gcrypt.h>
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Given a hash value 'hval', of hash specification 'hash', perform
|
||||||
|
+ * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
|
||||||
|
+ * (see RFC 8017 s 9.2) and place the result in 'hmpi'.
|
||||||
|
+ */
|
||||||
|
+gcry_err_code_t
|
||||||
|
+grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
|
||||||
|
+ const gcry_md_spec_t * hash, gcry_mpi_t mod)
|
||||||
|
+{
|
||||||
|
+ grub_size_t tlen, emlen, fflen;
|
||||||
|
+ grub_uint8_t *em, *emptr;
|
||||||
|
+ unsigned nbits = gcry_mpi_get_nbits (mod);
|
||||||
|
+ int ret;
|
||||||
|
+ tlen = hash->mdlen + hash->asnlen;
|
||||||
|
+ emlen = (nbits + 7) / 8;
|
||||||
|
+ if (emlen < tlen + 11)
|
||||||
|
+ return GPG_ERR_TOO_SHORT;
|
||||||
|
+
|
||||||
|
+ em = grub_malloc (emlen);
|
||||||
|
+ if (!em)
|
||||||
|
+ return 1;
|
||||||
|
+
|
||||||
|
+ em[0] = 0x00;
|
||||||
|
+ em[1] = 0x01;
|
||||||
|
+ fflen = emlen - tlen - 3;
|
||||||
|
+ for (emptr = em + 2; emptr < em + 2 + fflen; emptr++)
|
||||||
|
+ *emptr = 0xff;
|
||||||
|
+ *emptr++ = 0x00;
|
||||||
|
+ grub_memcpy (emptr, hash->asnoid, hash->asnlen);
|
||||||
|
+ emptr += hash->asnlen;
|
||||||
|
+ grub_memcpy (emptr, hval, hash->mdlen);
|
||||||
|
+
|
||||||
|
+ ret = gcry_mpi_scan (hmpi, GCRYMPI_FMT_USG, em, emlen, 0);
|
||||||
|
+ grub_free (em);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
diff --git a/include/grub/pkcs1_v15.h b/include/grub/pkcs1_v15.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..5c338c84a15
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/include/grub/pkcs1_v15.h
|
||||||
|
@@ -0,0 +1,27 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2013 Free Software Foundation, Inc.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Given a hash value 'hval', of hash specification 'hash', perform
|
||||||
|
+ * the EMSA-PKCS1-v1_5 padding suitable for a key with modulus 'mod'
|
||||||
|
+ * (See RFC 8017 s 9.2)
|
||||||
|
+ */
|
||||||
|
+gcry_err_code_t
|
||||||
|
+grub_crypto_rsa_pad (gcry_mpi_t * hmpi, grub_uint8_t * hval,
|
||||||
|
+ const gcry_md_spec_t * hash, gcry_mpi_t mod);
|
||||||
|
+
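Review bot: In grub_crypto_rsa_pad the allocation-failure path still returns the bare literal `1` although the function's return type is now `gcry_err_code_t` and the too-short path two lines above returns `GPG_ERR_TOO_SHORT`; `1` maps to whichever enumerator happens to hold that value in GRUB's gpg-error.h, so a caller inspecting the code gets a misleading reason. Return a named code instead, e.g. `return GPG_ERR_GENERAL;` or the out-of-memory code if the bundled header defines one. The new include/grub/pkcs1_v15.h also has no include guard (e.g. `#ifndef GRUB_PKCS1_V15_HEADER`) and does not include anything that declares gcry_mpi_t or gcry_md_spec_t, so it only compiles because the includer pulled those in first — in the pgp.c hunk that is <grub/crypto.h>, which precedes it.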
|
@ -0,0 +1,71 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Fri, 2 Oct 2020 10:49:26 +1000
|
||||||
|
Subject: [PATCH] crypto: move storage for grub_crypto_pk_* to crypto.c
|
||||||
|
|
||||||
|
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the
|
||||||
|
pgp module is a bit quirky.
|
||||||
|
|
||||||
|
include/grub/crypto.h contains:
|
||||||
|
extern struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
|
||||||
|
commands/pgp.c contains the actual storage:
|
||||||
|
struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
|
||||||
|
And the module itself saves to the storage in pgp.c:
|
||||||
|
GRUB_MOD_INIT(gcry_rsa)
|
||||||
|
{
|
||||||
|
grub_crypto_pk_rsa = &_gcry_pubkey_spec_rsa;
|
||||||
|
}
|
||||||
|
|
||||||
|
This is annoying: gcry_rsa now has a dependency on pgp!
|
||||||
|
|
||||||
|
We want to be able to bring in gcry_rsa without bringing in PGP,
|
||||||
|
so move the storage to crypto.c.
|
||||||
|
|
||||||
|
Previously, gcry_rsa depended on pgp and mpi. Now it depends on
|
||||||
|
crypto and mpi. As pgp depends on crypto, this doesn't add any new
|
||||||
|
module dependencies using the PGP verfier.
|
||||||
|
|
||||||
|
[FWIW, the story is different for the symmetric ciphers. cryptodisk
|
||||||
|
and friends (zfs encryption etc) use grub_crypto_lookup_cipher_by_name()
|
||||||
|
to get a cipher handle. That depends on grub_ciphers being populated
|
||||||
|
by people calling grub_cipher_register. import_gcry.py ensures that the
|
||||||
|
symmetric ciphers call it.]
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/pgp.c | 4 ----
|
||||||
|
grub-core/lib/crypto.c | 4 ++++
|
||||||
|
2 files changed, 4 insertions(+), 4 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||||
|
index bb6543819f0..75de32c2a00 100644
|
||||||
|
--- a/grub-core/commands/pgp.c
|
||||||
|
+++ b/grub-core/commands/pgp.c
|
||||||
|
@@ -147,10 +147,6 @@ const char *hashes[] = {
|
||||||
|
[0x0b] = "sha224"
|
||||||
|
};
|
||||||
|
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_dsa;
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_ecdsa;
|
||||||
|
-struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
-
|
||||||
|
static int
|
||||||
|
dsa_pad (gcry_mpi_t *hmpi, grub_uint8_t *hval,
|
||||||
|
const gcry_md_spec_t *hash, struct grub_public_subkey *sk);
|
||||||
|
diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
|
||||||
|
index e6c78d16d39..ff62fa30e1a 100644
|
||||||
|
--- a/grub-core/lib/crypto.c
|
||||||
|
+++ b/grub-core/lib/crypto.c
|
||||||
|
@@ -121,6 +121,10 @@ grub_md_unregister (gcry_md_spec_t *cipher)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_dsa;
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_ecdsa;
|
||||||
|
+struct gcry_pk_spec *grub_crypto_pk_rsa;
|
||||||
|
+
|
||||||
|
void
|
||||||
|
grub_crypto_hash (const gcry_md_spec_t *hash, void *out, const void *in,
|
||||||
|
grub_size_t inlen)
|
@ -0,0 +1,64 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Sat, 2 May 2020 00:27:57 +1000
|
||||||
|
Subject: [PATCH] posix_wrap: tweaks in preparation for libtasn1
|
||||||
|
|
||||||
|
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
|
||||||
|
SIZEOF_UNSIGNED_LONG.
|
||||||
|
|
||||||
|
- Define WORD_BIT, the size in bits of an int. This is a defined
|
||||||
|
in the Single Unix Specification and in gnulib's limits.h. gnulib
|
||||||
|
assumes it's 32 bits on all our platforms, including 64 bit
|
||||||
|
platforms, so we also use that value.
|
||||||
|
|
||||||
|
- Provide strto[u]l[l] preprocessor macros that resolve to
|
||||||
|
grub_strto[u]l[l]. To avoid gcrypt redefining strtoul, we
|
||||||
|
also define HAVE_STRTOUL here.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/lib/posix_wrap/limits.h | 1 +
|
||||||
|
grub-core/lib/posix_wrap/stdlib.h | 8 ++++++++
|
||||||
|
grub-core/lib/posix_wrap/sys/types.h | 1 +
|
||||||
|
3 files changed, 10 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/grub-core/lib/posix_wrap/limits.h b/grub-core/lib/posix_wrap/limits.h
|
||||||
|
index 95529540398..474a923b074 100644
|
||||||
|
--- a/grub-core/lib/posix_wrap/limits.h
|
||||||
|
+++ b/grub-core/lib/posix_wrap/limits.h
|
||||||
|
@@ -31,5 +31,6 @@
|
||||||
|
#define INT_MAX GRUB_INT_MAX
|
||||||
|
|
||||||
|
#define CHAR_BIT 8
|
||||||
|
+#define WORD_BIT 32
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff --git a/grub-core/lib/posix_wrap/stdlib.h b/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
index 7a8d385e973..4634db09f29 100644
|
||||||
|
--- a/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
+++ b/grub-core/lib/posix_wrap/stdlib.h
|
||||||
|
@@ -58,4 +58,12 @@ abs (int c)
|
||||||
|
return (c >= 0) ? c : -c;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define strtol grub_strtol
|
||||||
|
+
|
||||||
|
+/* for libgcrypt */
|
||||||
|
+#define HAVE_STRTOUL
|
||||||
|
+#define strtoul grub_strtoul
|
||||||
|
+
|
||||||
|
+#define strtoull grub_strtoull
|
||||||
|
+
|
||||||
|
#endif
diff --git a/grub-core/lib/posix_wrap/sys/types.h b/grub-core/lib/posix_wrap/sys/types.h
index 854eb0122ef..f63412c8da0 100644
--- a/grub-core/lib/posix_wrap/sys/types.h
+++ b/grub-core/lib/posix_wrap/sys/types.h
@@ -51,6 +51,7 @@ typedef grub_uint8_t byte;
typedef grub_addr_t uintptr_t;
#define SIZEOF_UNSIGNED_LONG GRUB_CPU_SIZEOF_LONG
+#define SIZEOF_UNSIGNED_LONG_INT GRUB_CPU_SIZEOF_LONG
#define SIZEOF_UNSIGNED_INT 4
#define SIZEOF_UNSIGNED_LONG_LONG 8
#define SIZEOF_UNSIGNED_SHORT 2
8934
SOURCES/0359-libtasn1-import-libtasn1-4.16.0.patch
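--- a/SOURCES/0360-libtasn1-disable-code-not-needed-in-grub.patch
+++ b/SOURCES/0360-libtasn1-disable-code-not-needed-in-grub.patch
@@ -0,0 +1,307 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 1 May 2020 17:12:23 +1000
+Subject: [PATCH] libtasn1: disable code not needed in grub
+
+We don't expect to be able to write ASN.1, only read it,
+so we can disable some code.
+
+Do that with #if 0/#endif, rather than deletion. This means
+that the difference between upstream and grub is smaller,
+which should make updating libtasn1 easier in the future.
+
+With these exclusions we also avoid the need for minmax.h,
+which is convenient because it means we don't have to
+import it from gnulib.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+grub-core/lib/libtasn1/lib/coding.c | 12 ++++++++++--
+grub-core/lib/libtasn1/lib/decoding.c | 2 ++
+grub-core/lib/libtasn1/lib/element.c | 4 ++--
+grub-core/lib/libtasn1/lib/errors.c | 3 +++
+grub-core/lib/libtasn1/lib/structure.c | 10 ++++++----
+include/grub/libtasn1.h | 15 +++++++++++++++
+6 files changed, 38 insertions(+), 8 deletions(-)
+
+diff --git a/grub-core/lib/libtasn1/lib/coding.c b/grub-core/lib/libtasn1/lib/coding.c
+index 245ea64cf0a..52def598368 100644
+--- a/grub-core/lib/libtasn1/lib/coding.c
++++ b/grub-core/lib/libtasn1/lib/coding.c
+@@ -30,11 +30,11 @@
+#include "parser_aux.h"
+#include <gstr.h>
+#include "element.h"
+-#include "minmax.h"
+#include <structure.h>
+
+#define MAX_TAG_LEN 16
+
++#if 0
+/******************************************************/
+/* Function : _asn1_error_description_value_not_found */
+/* Description: creates the ErrorDescription string */
+@@ -58,6 +58,7 @@ _asn1_error_description_value_not_found (asn1_node node,
+Estrcat (ErrorDescription, "' not found");
+
+}
++#endif
+
+/**
+* asn1_length_der:
+@@ -244,6 +245,7 @@ asn1_encode_simple_der (unsigned int etype, const unsigned char *str,
+return ASN1_SUCCESS;
+}
+
++#if 0
+/******************************************************/
+/* Function : _asn1_time_der */
+/* Description: creates the DER coding for a TIME */
+@@ -281,7 +283,7 @@ _asn1_time_der (unsigned char *str, int str_len, unsigned char *der,
+
+return ASN1_SUCCESS;
+}
+-
++#endif
+
+/*
+void
+@@ -520,6 +522,7 @@ asn1_bit_der (const unsigned char *str, int bit_len,
+}
+
+
++#if 0
+/******************************************************/
+/* Function : _asn1_complete_explicit_tag */
+/* Description: add the length coding to the EXPLICIT */
+@@ -596,6 +599,7 @@ _asn1_complete_explicit_tag (asn1_node node, unsigned char *der,
+
+return ASN1_SUCCESS;
+}
++#endif
+
+const tag_and_class_st _asn1_tags[] = {
+[ASN1_ETYPE_GENERALSTRING] =
+@@ -648,6 +652,8 @@ const tag_and_class_st _asn1_tags[] = {
+
+unsigned int _asn1_tags_size = sizeof (_asn1_tags) / sizeof (_asn1_tags[0]);
+
++
++#if 0
+/******************************************************/
+/* Function : _asn1_insert_tag_der */
+/* Description: creates the DER coding of tags of one */
+@@ -1413,3 +1419,5 @@ error:
+asn1_delete_structure (&node);
+return err;
+}
++
++#endif
+\ No newline at end of file
+diff --git a/grub-core/lib/libtasn1/lib/decoding.c b/grub-core/lib/libtasn1/lib/decoding.c
+index ff04eb778cb..42f9a92b5d4 100644
+--- a/grub-core/lib/libtasn1/lib/decoding.c
++++ b/grub-core/lib/libtasn1/lib/decoding.c
+@@ -1613,6 +1613,7 @@ asn1_der_decoding (asn1_node * element, const void *ider, int ider_len,
+return asn1_der_decoding2 (element, ider, &ider_len, 0, errorDescription);
+}
+
++#if 0
+/**
+* asn1_der_decoding_element:
+* @structure: pointer to an ASN1 structure
+@@ -1643,6 +1644,7 @@ asn1_der_decoding_element (asn1_node * structure, const char *elementName,
+{
+return asn1_der_decoding(structure, ider, len, errorDescription);
+}
++#endif
+
+/**
+* asn1_der_decoding_startEnd:
+diff --git a/grub-core/lib/libtasn1/lib/element.c b/grub-core/lib/libtasn1/lib/element.c
+index 997eb2725dc..539008d8e94 100644
+--- a/grub-core/lib/libtasn1/lib/element.c
++++ b/grub-core/lib/libtasn1/lib/element.c
+@@ -191,7 +191,7 @@ _asn1_append_sequence_set (asn1_node node, struct node_tail_cache_st *pcache)
+return ASN1_SUCCESS;
+}
+
+-
++#if 0
+/**
+* asn1_write_value:
+* @node_root: pointer to a structure
+@@ -645,7 +645,7 @@ asn1_write_value (asn1_node node_root, const char *name,
+
+return ASN1_SUCCESS;
+}
+-
++#endif
+
+#define PUT_VALUE( ptr, ptr_size, data, data_size) \
+*len = data_size; \
+diff --git a/grub-core/lib/libtasn1/lib/errors.c b/grub-core/lib/libtasn1/lib/errors.c
+index cee74daf795..42785e8622b 100644
+--- a/grub-core/lib/libtasn1/lib/errors.c
++++ b/grub-core/lib/libtasn1/lib/errors.c
+@@ -57,6 +57,8 @@ static const libtasn1_error_entry error_algorithms[] = {
+{0, 0}
+};
+
++
++#if 0
+/**
+* asn1_perror:
+* @error: is an error returned by a libtasn1 function.
+@@ -73,6 +75,7 @@ asn1_perror (int error)
+const char *str = asn1_strerror (error);
+fprintf (stderr, "LIBTASN1 ERROR: %s\n", str ? str : "(null)");
+}
++#endif
+
+/**
+* asn1_strerror:
+diff --git a/grub-core/lib/libtasn1/lib/structure.c b/grub-core/lib/libtasn1/lib/structure.c
+index 8189c56a4c9..fcfde01a393 100644
+--- a/grub-core/lib/libtasn1/lib/structure.c
++++ b/grub-core/lib/libtasn1/lib/structure.c
+@@ -76,7 +76,7 @@ _asn1_find_left (asn1_node_const node)
+return node->left;
+}
+
+-
++#if 0
+int
+_asn1_create_static_structure (asn1_node_const pointer, char *output_file_name,
+char *vector_name)
+@@ -155,7 +155,7 @@ _asn1_create_static_structure (asn1_node_const pointer, char *output_file_name,
+
+return ASN1_SUCCESS;
+}
+-
++#endif
+
+/**
+* asn1_array2tree:
+@@ -718,7 +718,7 @@ asn1_create_element (asn1_node_const definitions, const char *source_name,
+return res;
+}
+
+-
++#if 0
+/**
+* asn1_print_structure:
+* @out: pointer to the output file (e.g. stdout).
+@@ -1058,7 +1058,7 @@ asn1_print_structure (FILE * out, asn1_node_const structure, const char *name,
+}
+}
+}
+-
++#endif
+
+
+/**
+@@ -1153,6 +1153,7 @@ asn1_find_structure_from_oid (asn1_node_const definitions, const char *oidValue)
+return NULL; /* ASN1_ELEMENT_NOT_FOUND; */
+}
+
++#if 0
+/**
+* asn1_copy_node:
+* @dst: Destination asn1 node.
+@@ -1202,6 +1203,7 @@ asn1_copy_node (asn1_node dst, const char *dst_name,
+
+return result;
+}
++#endif
+
+/**
+* asn1_dup_node:
+diff --git a/include/grub/libtasn1.h b/include/grub/libtasn1.h
+index 6fd7a30dc35..785eda2ae3f 100644
+--- a/include/grub/libtasn1.h
++++ b/include/grub/libtasn1.h
+@@ -319,6 +319,8 @@ typedef struct asn1_data_node_st asn1_data_node_st;
+/* Functions definitions */
+/***********************************/
+
++/* These functions are not used in grub and should not be referenced. */
++#if 0
+extern ASN1_API int
+asn1_parser2tree (const char *file,
+asn1_node * definitions, char *error_desc);
+@@ -327,14 +329,17 @@ extern ASN1_API int
+asn1_parser2array (const char *inputFileName,
+const char *outputFileName,
+const char *vectorName, char *error_desc);
++#endif
+
+extern ASN1_API int
+asn1_array2tree (const asn1_static_node * array,
+asn1_node * definitions, char *errorDescription);
+
++#if 0
+extern ASN1_API void
+asn1_print_structure (FILE * out, asn1_node_const structure,
+const char *name, int mode);
++#endif
+
+extern ASN1_API int
+asn1_create_element (asn1_node_const definitions,
+@@ -347,9 +352,11 @@ extern ASN1_API int asn1_delete_structure2 (asn1_node * structure, unsigned int
+extern ASN1_API int
+asn1_delete_element (asn1_node structure, const char *element_name);
+
++#if 0
+extern ASN1_API int
+asn1_write_value (asn1_node node_root, const char *name,
+const void *ivalue, int len);
++#endif
+
+extern ASN1_API int
+asn1_read_value (asn1_node_const root, const char *name,
+@@ -365,9 +372,11 @@ extern ASN1_API int
+extern ASN1_API int
+asn1_number_of_elements (asn1_node_const element, const char *name, int *num);
+
++#if 0
+extern ASN1_API int
+asn1_der_coding (asn1_node_const element, const char *name,
+void *ider, int *len, char *ErrorDescription);
++#endif
+
+extern ASN1_API int
+asn1_der_decoding2 (asn1_node *element, const void *ider,
+@@ -378,12 +387,14 @@ extern ASN1_API int
+asn1_der_decoding (asn1_node * element, const void *ider,
+int ider_len, char *errorDescription);
+
++#if 0
+/* Do not use. Use asn1_der_decoding() instead. */
+extern ASN1_API int
+asn1_der_decoding_element (asn1_node * structure,
+const char *elementName,
+const void *ider, int len,
+char *errorDescription) _ASN1_GCC_ATTR_DEPRECATED;
++#endif
+
+extern ASN1_API int
+asn1_der_decoding_startEnd (asn1_node element,
+@@ -408,13 +419,17 @@ extern ASN1_API const char *asn1_find_structure_from_oid (asn1_node_const
+const char
+*oidValue);
+
++#if 0
+__LIBTASN1_PURE__
+extern ASN1_API const char *asn1_check_version (const char *req_version);
++#endif
+
+__LIBTASN1_PURE__
+extern ASN1_API const char *asn1_strerror (int error);
+
++#if 0
+extern ASN1_API void asn1_perror (int error);
++#endif
+
+#define ASN1_MAX_TAG_SIZE 4
+#define ASN1_MAX_LENGTH_SIZE 9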
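Review bot: The `#if 0` blocks added to coding.c, decoding.c, element.c, errors.c and structure.c carry no explanation, whereas the matching header hunk in include/grub/libtasn1.h gets `/* These functions are not used in grub and should not be referenced. */`; a reader of the .c files has to dig up the commit message to learn why the encoding, printing and copy paths are switched off. A one-line comment above each `#if 0`, e.g. `/* grub: only ASN.1 decoding is needed, see include/grub/libtasn1.h */`, would keep that intent next to the code and make the blocks easy to locate when libtasn1 is next updated. The coding.c hunk at @@ -1413 also leaves the file ending in `#endif` with no trailing newline, which is worth fixing while here. Every function being disabled starts outside the visible hunks.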
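--- a/SOURCES/0361-libtasn1-changes-for-grub-compatibility.patch
+++ b/SOURCES/0361-libtasn1-changes-for-grub-compatibility.patch
@@ -0,0 +1,202 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 1 May 2020 20:44:29 +1000
+Subject: [PATCH] libtasn1: changes for grub compatibility
+
+Do a few things to make libtasn1 compile as part of grub:
+
+- replace strcat. grub removed strcat so replace it with the appropriate
+calls to memcpy and strlen.
+
+- replace c_isdigit with grub_isdigit (and don't import c-ctype from
+gnulib) grub_isdigit provides the same functionality as c_isdigit: it
+determines if the input is an ASCII digit without regard for locale.
+
+- replace GL_ATTRIBUTE_PURE with __attribute__((pure)) which been
+supported since gcc-2.96. This avoids messing around with gnulib.
+
+- adjust libtasn1.h: drop the ASN1_API logic, it's not needed for our
+modules. Unconditionally support const and pure attributes and adjust
+header paths.
+
+- adjust header paths to "grub/libtasn1.h".
+
+- replace a 64 bit division with a call to grub_divmod64, preventing
+creation of __udivdi3 calls on 32 bit platforms.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+grub-core/lib/libtasn1/lib/decoding.c | 11 ++++++-----
+grub-core/lib/libtasn1/lib/element.c | 3 ++-
+grub-core/lib/libtasn1/lib/gstr.c | 4 ++--
+grub-core/lib/libtasn1/lib/parser_aux.c | 7 ++++---
+grub-core/lib/libtasn1/lib/int.h | 4 ++--
+include/grub/libtasn1.h | 26 ++++++--------------------
+6 files changed, 22 insertions(+), 33 deletions(-)
+
+diff --git a/grub-core/lib/libtasn1/lib/decoding.c b/grub-core/lib/libtasn1/lib/decoding.c
+index 42f9a92b5d4..7856858b272 100644
+--- a/grub-core/lib/libtasn1/lib/decoding.c
++++ b/grub-core/lib/libtasn1/lib/decoding.c
+@@ -32,7 +32,8 @@
+#include <element.h>
+#include <limits.h>
+#include <intprops.h>
+-#include <c-ctype.h>
++
++#define c_isdigit grub_isdigit
+
+#ifdef DEBUG
+# define warn() fprintf(stderr, "%s: %d\n", __func__, __LINE__)
+@@ -2008,8 +2009,8 @@ asn1_expand_octet_string (asn1_node_const definitions, asn1_node * element,
+(p2->type & CONST_ASSIGN))
+{
+strcpy (name, definitions->name);
+- strcat (name, ".");
+- strcat (name, p2->name);
++ memcpy (name + strlen(name), ".", sizeof(" . "));
++ memcpy (name + strlen(name), p2->name, strlen(p2->name) + 1);
+
+len = sizeof (value);
+result = asn1_read_value (definitions, name, value, &len);
+@@ -2026,8 +2027,8 @@ asn1_expand_octet_string (asn1_node_const definitions, asn1_node * element,
+if (p2)
+{
+strcpy (name, definitions->name);
+- strcat (name, ".");
+- strcat (name, p2->name);
++ memcpy (name + strlen(name), ".", sizeof(" . "));
++ memcpy (name + strlen(name), p2->name, strlen(p2->name) + 1);
+
+result = asn1_create_element (definitions, name, &aux);
+if (result == ASN1_SUCCESS)
+diff --git a/grub-core/lib/libtasn1/lib/element.c b/grub-core/lib/libtasn1/lib/element.c
+index 539008d8e94..ed761ff56bd 100644
+--- a/grub-core/lib/libtasn1/lib/element.c
++++ b/grub-core/lib/libtasn1/lib/element.c
+@@ -30,9 +30,10 @@
+#include "parser_aux.h"
+#include <gstr.h>
+#include "structure.h"
+-#include "c-ctype.h"
+#include "element.h"
+
++#define c_isdigit grub_isdigit
++
+void
+_asn1_hierarchical_name (asn1_node_const node, char *name, int name_size)
+{
+diff --git a/grub-core/lib/libtasn1/lib/gstr.c b/grub-core/lib/libtasn1/lib/gstr.c
+index e91a3a151c0..e33875c2c7c 100644
+--- a/grub-core/lib/libtasn1/lib/gstr.c
++++ b/grub-core/lib/libtasn1/lib/gstr.c
+@@ -36,13 +36,13 @@ _asn1_str_cat (char *dest, size_t dest_tot_size, const char *src)
+
+if (dest_tot_size - dest_size > str_size)
+{
+- strcat (dest, src);
++ memcpy (dest + dest_size, src, str_size + 1);
+}
+else
+{
+if (dest_tot_size - dest_size > 0)
+{
+- strncat (dest, src, (dest_tot_size - dest_size) - 1);
++ memcpy (dest + dest_size, src, (dest_tot_size - dest_size) - 1);
+dest[dest_tot_size - 1] = 0;
+}
+}
+diff --git a/grub-core/lib/libtasn1/lib/parser_aux.c b/grub-core/lib/libtasn1/lib/parser_aux.c
+index d5dbbf8765d..89c9be69dc2 100644
+--- a/grub-core/lib/libtasn1/lib/parser_aux.c
++++ b/grub-core/lib/libtasn1/lib/parser_aux.c
+@@ -26,7 +26,8 @@
+#include "gstr.h"
+#include "structure.h"
+#include "element.h"
+-#include "c-ctype.h"
++
++#define c_isdigit grub_isdigit
+
+char _asn1_identifierMissing[ASN1_MAX_NAME_SIZE + 1]; /* identifier name not found */
+
+@@ -40,7 +41,7 @@ char _asn1_identifierMissing[ASN1_MAX_NAME_SIZE + 1]; /* identifier name not fou
+#ifdef __clang__
+__attribute__((no_sanitize("integer")))
+#endif
+-_GL_ATTRIBUTE_PURE
++__attribute__((__pure__))
+static unsigned int
+_asn1_hash_name (const char *x)
+{
+@@ -634,7 +635,7 @@ _asn1_ltostr (int64_t v, char str[LTOSTR_MAX_SIZE])
+count = 0;
+do
+{
+- d = val / 10;
++ d = grub_divmod64(val, 10, NULL);
+r = val - d * 10;
+temp[start + count] = '0' + (char) r;
+count++;
+diff --git a/grub-core/lib/libtasn1/lib/int.h b/grub-core/lib/libtasn1/lib/int.h
+index ea1625786c1..4a568efee9c 100644
+--- a/grub-core/lib/libtasn1/lib/int.h
++++ b/grub-core/lib/libtasn1/lib/int.h
+@@ -35,7 +35,7 @@
+#include <sys/types.h>
+#endif
+
+-#include <libtasn1.h>
++#include "grub/libtasn1.h"
+
+#define ASN1_SMALL_VALUE_SIZE 16
+
+@@ -115,7 +115,7 @@ extern const tag_and_class_st _asn1_tags[];
+#define _asn1_strtoul(n,e,b) strtoul((const char *) n, e, b)
+#define _asn1_strcmp(a,b) strcmp((const char *)a, (const char *)b)
+#define _asn1_strcpy(a,b) strcpy((char *)a, (const char *)b)
+-#define _asn1_strcat(a,b) strcat((char *)a, (const char *)b)
++#define _asn1_strcat(a,b) memcpy((char *)a + strlen((const char *)a), (const char *)b, strlen((const char *)b) + 1)
+
+#if SIZEOF_UNSIGNED_LONG_INT == 8
+# define _asn1_strtou64(n,e,b) strtoul((const char *) n, e, b)
+diff --git a/include/grub/libtasn1.h b/include/grub/libtasn1.h
+index 785eda2ae3f..28dbf16c4e0 100644
+--- a/include/grub/libtasn1.h
++++ b/include/grub/libtasn1.h
+@@ -38,29 +38,15 @@
+#ifndef LIBTASN1_H
+#define LIBTASN1_H
+
+-#ifndef ASN1_API
+-#if defined ASN1_BUILDING && defined HAVE_VISIBILITY && HAVE_VISIBILITY
+-#define ASN1_API __attribute__((__visibility__("default")))
+-#elif defined ASN1_BUILDING && defined _MSC_VER && ! defined ASN1_STATIC
+-#define ASN1_API __declspec(dllexport)
+-#elif defined _MSC_VER && ! defined ASN1_STATIC
+-#define ASN1_API __declspec(dllimport)
+-#else
++/* grub: ASN1_API is not used */
+#define ASN1_API
+-#endif
+-#endif
+
+-#ifdef __GNUC__
+-# define __LIBTASN1_CONST__ __attribute__((const))
+-# define __LIBTASN1_PURE__ __attribute__((pure))
+-#else
+-# define __LIBTASN1_CONST__
+-# define __LIBTASN1_PURE__
+-#endif
++/* grub: all our supported compilers support these attributes */
++#define __LIBTASN1_CONST__ __attribute__((const))
++#define __LIBTASN1_PURE__ __attribute__((pure))
+
+-#include <sys/types.h>
+-#include <time.h>
+-#include <stdio.h> /* for FILE* */
++#include <grub/types.h>
++#include <grub/time.h>
+
+#ifdef __cplusplus
+extern "C"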
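--- a/SOURCES/0362-libtasn1-compile-into-asn1-module.patch
+++ b/SOURCES/0362-libtasn1-compile-into-asn1-module.patch
@@ -0,0 +1,70 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Daniel Axtens <dja@axtens.net>
+Date: Fri, 5 Jun 2020 17:47:25 +1000
+Subject: [PATCH] libtasn1: compile into asn1 module
+
+Create a wrapper file that specifies the module license.
+Set up the makefile so it is built.
+
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+---
+grub-core/Makefile.core.def | 15 +++++++++++++++
+grub-core/lib/libtasn1_wrap/wrap.c | 26 ++++++++++++++++++++++++++
+2 files changed, 41 insertions(+)
+create mode 100644 grub-core/lib/libtasn1_wrap/wrap.c
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 99615c07b94..c2d922e6d48 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -2436,3 +2436,18 @@ module = {
+common = loader/i386/xen_file64.c;
+extra_dist = loader/i386/xen_fileXX.c;
+};
++
++module = {
++ name = asn1;
++ common = lib/libtasn1/lib/decoding.c;
++ common = lib/libtasn1/lib/coding.c;
++ common = lib/libtasn1/lib/element.c;
++ common = lib/libtasn1/lib/structure.c;
++ common = lib/libtasn1/lib/parser_aux.c;
++ common = lib/libtasn1/lib/gstr.c;
++ common = lib/libtasn1/lib/errors.c;
++ common = lib/libtasn1_wrap/wrap.c;
++ cflags = '$(CFLAGS_POSIX) $(CFLAGS_GNULIB)';
++ // -Wno-type-limits comes from libtasn1's configure.ac
++ cppflags = '$(CPPFLAGS_POSIX) $(CPPFLAGS_GNULIB) -I$(srcdir)/lib/libtasn1/lib -Wno-type-limits';
++};
+diff --git a/grub-core/lib/libtasn1_wrap/wrap.c b/grub-core/lib/libtasn1_wrap/wrap.c
+new file mode 100644
+index 00000000000..622ba942e33
+--- /dev/null
++++ b/grub-core/lib/libtasn1_wrap/wrap.c
+@@ -0,0 +1,26 @@
++/*
++ * GRUB -- GRand Unified Bootloader
++ * Copyright (C) 2020 IBM Corporation
++ *
++ * GRUB is free software: you can redistribute it and/or modify
++ * it under the terms of the GNU General Public License as published by
++ * the Free Software Foundation, either version 3 of the License, or
++ * (at your option) any later version.
++ *
++ * GRUB is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/dl.h>
++
++/*
++ * libtasn1 is provided under LGPL2.1+, which is compatible
++ * with GPL3+. As Grub as a whole is under GPL3+, this module
++ * is therefore under GPL3+ also.
++ */
++GRUB_MOD_LICENSE ("GPLv3+");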
1455
SOURCES/0363-test_asn1-test-module-for-libtasn1.patch
@ -0,0 +1,255 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Alastair D'Silva <alastair@d-silva.org>
Date: Mon, 6 Jul 2020 13:33:04 +1000
Subject: [PATCH] grub-install: support embedding x509 certificates
To support verification of appended signatures, we need a way to
embed the necessary public keys. Existing appended signature schemes
in the Linux kernel use X.509 certificates, so allow certificates to
be embedded in the grub core image in the same way as PGP keys.
Signed-off-by: Alastair D'Silva <alastair@d-silva.org>
Signed-off-by: Daniel Axtens <dja@axtens.net>
---
grub-core/commands/pgp.c | 2 +-
util/grub-install-common.c | 23 ++++++++++++++++++++++-
util/grub-mkimage.c | 15 +++++++++++++--
util/mkimage.c | 41 ++++++++++++++++++++++++++++++++++++++---
include/grub/kernel.h | 3 ++-
include/grub/util/install.h | 7 +++++--
6 files changed, 81 insertions(+), 10 deletions(-)
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 75de32c2a00..55d354be0ae 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -944,7 +944,7 @@ GRUB_MOD_INIT(pgp)
grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
/* Not an ELF module, skip. */
- if (header->type != OBJ_TYPE_PUBKEY)
+ if (header->type != OBJ_TYPE_GPG_PUBKEY)
continue;
pseudo_file.fs = &pseudo_fs;
diff --git a/util/grub-install-common.c b/util/grub-install-common.c
index 561e671ff34..fa6b65347ea 100644
--- a/util/grub-install-common.c
+++ b/util/grub-install-common.c
@@ -302,6 +302,8 @@ handle_install_list (struct install_list *il, const char *val,
static char **pubkeys;
static size_t npubkeys;
+static char **x509keys;
+static size_t nx509keys;
static grub_compression_t compression;
static size_t appsig_size;
@@ -334,6 +336,12 @@ grub_install_parse (int key, char *arg)
* (npubkeys + 1));
pubkeys[npubkeys++] = xstrdup (arg);
return 1;
+ case 'x':
+ x509keys = xrealloc (x509keys,
+ sizeof (x509keys[0])
+ * (nx509keys + 1));
+ x509keys[nx509keys++] = xstrdup (arg);
+ return 1;
case GRUB_INSTALL_OPTIONS_VERBOSITY:
verbosity++;
@@ -460,6 +468,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
for (pk = pubkeys; pk < pubkeys + npubkeys; pk++)
slen += 20 + grub_strlen (*pk);
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
+ slen += 10 + grub_strlen (*pk);
+
for (md = modules.entries; *md; md++)
{
slen += 10 + grub_strlen (*md);
@@ -488,6 +499,14 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
*p++ = ' ';
}
+ for (pk = x509keys; pk < x509keys + nx509keys; pk++)
+ {
+ p = grub_stpcpy (p, "--x509 '");
+ p = grub_stpcpy (p, *pk);
+ *p++ = '\'';
+ *p++ = ' ';
+ }
+
for (md = modules.entries; *md; md++)
{
*p++ = '\'';
@@ -515,7 +534,9 @@ grub_install_make_image_wrap_file (const char *dir, const char *prefix,
grub_install_generate_image (dir, prefix, fp, outname,
modules.entries, memdisk_path,
- pubkeys, npubkeys, config_path, tgt,
+ pubkeys, npubkeys,
+ x509keys, nx509keys,
+ config_path, tgt,
note, appsig_size, compression, dtb);
while (dc--)
grub_install_pop_module ();
diff --git a/util/grub-mkimage.c b/util/grub-mkimage.c
index 65a015d8a04..394d2dc5fc9 100644
--- a/util/grub-mkimage.c
+++ b/util/grub-mkimage.c
@@ -75,7 +75,8 @@ static struct argp_option options[] = {
/* TRANSLATORS: "embed" is a verb (command description). "*/
{"config", 'c', N_("FILE"), 0, N_("embed FILE as an early config"), 0},
/* TRANSLATORS: "embed" is a verb (command description). "*/
- {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for signature checking"), 0},
+ {"pubkey", 'k', N_("FILE"), 0, N_("embed FILE as public key for PGP signature checking"), 0},
+ {"x509", 'x', N_("FILE"), 0, N_("embed FILE as an x509 certificate for appended signature checking"), 0},
/* TRANSLATORS: NOTE is a name of segment. */
{"note", 'n', 0, 0, N_("add NOTE segment for CHRP IEEE1275"), 0},
{"output", 'o', N_("FILE"), 0, N_("output a generated image to FILE [default=stdout]"), 0},
@@ -122,6 +123,8 @@ struct arguments
char *dtb;
char **pubkeys;
size_t npubkeys;
+ char **x509keys;
+ size_t nx509keys;
char *font;
char *config;
int note;
@@ -202,6 +205,13 @@ argp_parser (int key, char *arg, struct argp_state *state)
arguments->pubkeys[arguments->npubkeys++] = xstrdup (arg);
break;
+ case 'x':
+ arguments->x509keys = xrealloc (arguments->x509keys,
+ sizeof (arguments->x509keys[0])
+ * (arguments->nx509keys + 1));
+ arguments->x509keys[arguments->nx509keys++] = xstrdup (arg);
+ break;
+
case 'c':
if (arguments->config)
free (arguments->config);
@@ -317,7 +327,8 @@ main (int argc, char *argv[])
grub_install_generate_image (arguments.dir, arguments.prefix, fp,
arguments.output, arguments.modules,
arguments.memdisk, arguments.pubkeys,
- arguments.npubkeys, arguments.config,
+ arguments.npubkeys, arguments.x509keys,
+ arguments.nx509keys, arguments.config,
arguments.image_target, arguments.note,
arguments.appsig_size,
arguments.comp, arguments.dtb);
diff --git a/util/mkimage.c b/util/mkimage.c
index a81120f26be..2529de4bb78 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -774,8 +774,10 @@ grub_install_get_image_targets_string (void)
|
||||||
|
void
|
||||||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
FILE *out, const char *outname, char *mods[],
|
||||||
|
- char *memdisk_path, char **pubkey_paths,
|
||||||
|
- size_t npubkeys, char *config_path,
|
||||||
|
+ char *memdisk_path,
|
||||||
|
+ char **pubkey_paths, size_t npubkeys,
|
||||||
|
+ char **x509key_paths, size_t nx509keys,
|
||||||
|
+ char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
int note, size_t appsig_size, grub_compression_t comp, const char *dtb_path)
|
||||||
|
{
|
||||||
|
@@ -819,6 +821,19 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ size_t i;
|
||||||
|
+ for (i = 0; i < nx509keys; i++)
|
||||||
|
+ {
|
||||||
|
+ size_t curs;
|
||||||
|
+ curs = ALIGN_ADDR (grub_util_get_image_size (x509key_paths[i]));
|
||||||
|
+ grub_util_info ("the size of x509 public key %u is 0x%"
|
||||||
|
+ GRUB_HOST_PRIxLONG_LONG,
|
||||||
|
+ (unsigned) i, (unsigned long long) curs);
|
||||||
|
+ total_module_size += curs + sizeof (struct grub_module_header);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (memdisk_path)
|
||||||
|
{
|
||||||
|
memdisk_size = ALIGN_UP(grub_util_get_image_size (memdisk_path), 512);
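Review bot: The info message in this hunk, `"the size of x509 public key %u is 0x%"`, calls the embedded object a public key, while the new option help and the commit message call it an x509 certificate (the header type is named OBJ_TYPE_X509_PUBKEY, so the naming is already mixed); logging `"the size of x509 certificate %u is 0x%"` would keep the build output consistent with the option a user actually passed. The accounting itself mirrors the pubkey loop: an ALIGN_ADDR'd payload plus one module header per certificate, which matches what the later embedding loop advances offset by. grub_install_generate_image starts and ends outside this hunk.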
|
||||||
|
@@ -933,7 +948,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
curs = grub_util_get_image_size (pubkey_paths[i]);
|
||||||
|
|
||||||
|
header = (struct grub_module_header *) (kernel_img + offset);
|
||||||
|
- header->type = grub_host_to_target32 (OBJ_TYPE_PUBKEY);
|
||||||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_GPG_PUBKEY);
|
||||||
|
header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||||||
|
offset += sizeof (*header);
|
||||||
|
|
||||||
|
@@ -942,6 +957,26 @@ grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ {
|
||||||
|
+ size_t i;
|
||||||
|
+ for (i = 0; i < nx509keys; i++)
|
||||||
|
+ {
|
||||||
|
+ size_t curs;
|
||||||
|
+ struct grub_module_header *header;
|
||||||
|
+
|
||||||
|
+ curs = grub_util_get_image_size (x509key_paths[i]);
|
||||||
|
+
|
||||||
|
+ header = (struct grub_module_header *) (kernel_img + offset);
|
||||||
|
+ header->type = grub_host_to_target32 (OBJ_TYPE_X509_PUBKEY);
|
||||||
|
+ header->size = grub_host_to_target32 (curs + sizeof (*header));
|
||||||
|
+ offset += sizeof (*header);
|
||||||
|
+
|
||||||
|
+ grub_util_load_image (x509key_paths[i], kernel_img + offset);
|
||||||
|
+ offset += ALIGN_ADDR (curs);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+
|
||||||
|
if (memdisk_path)
|
||||||
|
{
|
||||||
|
struct grub_module_header *header;
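Review bot: The certificate is copied into the image verbatim at `grub_util_load_image (x509key_paths[i], kernel_img + offset);` with no check that the file is a DER-encoded certificate, so a PEM file, a wrong path that resolves to an empty file, or any other non-DER input is only rejected at boot time by the verifier, after the image has been installed and, if verification is being enforced, possibly at the cost of an unbootable machine. A cheap build-time guard right after the load would catch the common mistakes: `if (curs == 0 || *(unsigned char *) (kernel_img + offset) != 0x30)` followed by `grub_util_error (_("x509 certificate %s is not DER-encoded"), x509key_paths[i]);` (or whichever fatal-error helper mkimage.c uses), since a DER certificate always starts with a SEQUENCE tag (0x30) whereas PEM starts with '-'. The existing pubkey loop above has the same gap, so the check could be applied to both. grub_install_generate_image starts and ends outside this hunk.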
|
||||||
|
diff --git a/include/grub/kernel.h b/include/grub/kernel.h
|
||||||
|
index 9548d552aad..75a057d4666 100644
|
||||||
|
--- a/include/grub/kernel.h
|
||||||
|
+++ b/include/grub/kernel.h
|
||||||
|
@@ -28,7 +28,8 @@ enum
|
||||||
|
OBJ_TYPE_MEMDISK,
|
||||||
|
OBJ_TYPE_CONFIG,
|
||||||
|
OBJ_TYPE_PREFIX,
|
||||||
|
- OBJ_TYPE_PUBKEY,
|
||||||
|
+ OBJ_TYPE_GPG_PUBKEY,
|
||||||
|
+ OBJ_TYPE_X509_PUBKEY,
|
||||||
|
OBJ_TYPE_DTB
|
||||||
|
};
|
||||||
|
|
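Review bot: Inserting `OBJ_TYPE_X509_PUBKEY` before `OBJ_TYPE_DTB` shifts the numeric value of `OBJ_TYPE_DTB` by one, and because these values are written into module headers by grub-mkimage and read back by the running kernel, a core image and a kernel from different builds (one with this patch, one without) would disagree on what a DTB module is; the kernel-side reader is not in this view, so this is inferred from the enum alone. Appending the new constant after `OBJ_TYPE_DTB` instead keeps every pre-existing value stable: `OBJ_TYPE_DTB,` then `OBJ_TYPE_X509_PUBKEY`. The rename of OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY is source-level only and does not change its value.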
||||||
|
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
|
||||||
|
index ba5e6a2ea8f..95059285bd4 100644
|
||||||
|
--- a/include/grub/util/install.h
|
||||||
|
+++ b/include/grub/util/install.h
|
||||||
|
@@ -63,6 +63,8 @@
|
||||||
|
/* TRANSLATORS: "embed" is a verb (command description). "*/ \
|
||||||
|
{ "pubkey", 'k', N_("FILE"), 0, \
|
||||||
|
N_("embed FILE as public key for signature checking"), 0}, \
|
||||||
|
+ { "x509key", 'x', N_("FILE"), 0, \
|
||||||
|
+ N_("embed FILE as an x509 certificate for signature checking"), 0}, \
|
||||||
|
{ "appended-signature-size", GRUB_INSTALL_OPTIONS_APPENDED_SIGNATURE_SIZE,\
|
||||||
|
"SIZE", 0, N_("Add a note segment reserving SIZE bytes for an appended signature"), \
|
||||||
|
1}, \
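Review bot: The long option is spelled `x509key` here but `x509` in the grub-mkimage option table earlier in this patch (`{"x509", 'x', N_("FILE"), 0, ...}`), so the same embedded-certificate option has two names across grub-install and grub-mkimage, unlike `pubkey`, which is identical in both. Pick one spelling, e.g. `{ "x509", 'x', N_("FILE"), 0, \` if the mkimage name is kept, and align the help text as well: this one says "for signature checking" while mkimage's says "for appended signature checking", and the latter is the more precise description since the PGP path is also "signature checking".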
|
||||||
|
@@ -179,8 +181,9 @@ void
|
||||||
|
grub_install_generate_image (const char *dir, const char *prefix,
|
||||||
|
FILE *out,
|
||||||
|
const char *outname, char *mods[],
|
||||||
|
- char *memdisk_path, char **pubkey_paths,
|
||||||
|
- size_t npubkeys,
|
||||||
|
+ char *memdisk_path,
|
||||||
|
+ char **pubkey_paths, size_t npubkeys,
|
||||||
|
+ char **x509key_paths, size_t nx509keys,
|
||||||
|
char *config_path,
|
||||||
|
const struct grub_install_image_target_desc *image_target,
|
||||||
|
int note, size_t appsig_size,
|
@ -0,0 +1,639 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:35:10 +1000
|
||||||
|
Subject: [PATCH] appended signatures: import GNUTLS's ASN.1 description files
|
||||||
|
|
||||||
|
In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
|
||||||
|
we need some information about how they are encoded.
|
||||||
|
|
||||||
|
We get these from GNUTLS, which has the benefit that they support the
|
||||||
|
features we need and are well tested.
|
||||||
|
|
||||||
|
The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
|
||||||
|
us to import it without issue.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/appendedsig/gnutls_asn1_tab.c | 121 ++++++
|
||||||
|
grub-core/commands/appendedsig/pkix_asn1_tab.c | 484 +++++++++++++++++++++++
|
||||||
|
2 files changed, 605 insertions(+)
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/appendedsig/gnutls_asn1_tab.c b/grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..ddd1314e63b
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/gnutls_asn1_tab.c
|
||||||
|
@@ -0,0 +1,121 @@
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+
|
||||||
|
+const asn1_static_node gnutls_asn1_tab[] = {
|
||||||
|
+ { "GNUTLS", 536872976, NULL },
|
||||||
|
+ { NULL, 1073741836, NULL },
|
||||||
|
+ { "RSAPublicKey", 1610612741, NULL },
|
||||||
|
+ { "modulus", 1073741827, NULL },
|
||||||
|
+ { "publicExponent", 3, NULL },
|
||||||
|
+ { "RSAPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "modulus", 1073741827, NULL },
|
||||||
|
+ { "publicExponent", 1073741827, NULL },
|
||||||
|
+ { "privateExponent", 1073741827, NULL },
|
||||||
|
+ { "prime1", 1073741827, NULL },
|
||||||
|
+ { "prime2", 1073741827, NULL },
|
||||||
|
+ { "exponent1", 1073741827, NULL },
|
||||||
|
+ { "exponent2", 1073741827, NULL },
|
||||||
|
+ { "coefficient", 1073741827, NULL },
|
||||||
|
+ { "otherPrimeInfos", 16386, "OtherPrimeInfos"},
|
||||||
|
+ { "ProvableSeed", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "seed", 7, NULL },
|
||||||
|
+ { "OtherPrimeInfos", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "OtherPrimeInfo"},
|
||||||
|
+ { "OtherPrimeInfo", 1610612741, NULL },
|
||||||
|
+ { "prime", 1073741827, NULL },
|
||||||
|
+ { "exponent", 1073741827, NULL },
|
||||||
|
+ { "coefficient", 3, NULL },
|
||||||
|
+ { "AlgorithmIdentifier", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "parameters", 541081613, NULL },
|
||||||
|
+ { "algorithm", 1, NULL },
|
||||||
|
+ { "DigestInfo", 1610612741, NULL },
|
||||||
|
+ { "digestAlgorithm", 1073741826, "DigestAlgorithmIdentifier"},
|
||||||
|
+ { "digest", 7, NULL },
|
||||||
|
+ { "DigestAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "DSAPublicKey", 1073741827, NULL },
|
||||||
|
+ { "DSAParameters", 1610612741, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 3, NULL },
|
||||||
|
+ { "DSASignatureValue", 1610612741, NULL },
|
||||||
|
+ { "r", 1073741827, NULL },
|
||||||
|
+ { "s", 3, NULL },
|
||||||
|
+ { "DSAPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 1073741827, NULL },
|
||||||
|
+ { "Y", 1073741827, NULL },
|
||||||
|
+ { "priv", 3, NULL },
|
||||||
|
+ { "DHParameter", 1610612741, NULL },
|
||||||
|
+ { "prime", 1073741827, NULL },
|
||||||
|
+ { "base", 1073741827, NULL },
|
||||||
|
+ { "privateValueLength", 16387, NULL },
|
||||||
|
+ { "ECParameters", 1610612754, NULL },
|
||||||
|
+ { "namedCurve", 12, NULL },
|
||||||
|
+ { "ECPrivateKey", 1610612741, NULL },
|
||||||
|
+ { "Version", 1073741827, NULL },
|
||||||
|
+ { "privateKey", 1073741831, NULL },
|
||||||
|
+ { "parameters", 1610637314, "ECParameters"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "publicKey", 536895494, NULL },
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "PrincipalName", 1610612741, NULL },
|
||||||
|
+ { "name-type", 1610620931, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "name-string", 536879115, NULL },
|
||||||
|
+ { NULL, 1073743880, "1"},
|
||||||
|
+ { NULL, 27, NULL },
|
||||||
|
+ { "KRB5PrincipalName", 1610612741, NULL },
|
||||||
|
+ { "realm", 1610620955, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "principalName", 536879106, "PrincipalName"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "RSAPSSParameters", 1610612741, NULL },
|
||||||
|
+ { "hashAlgorithm", 1610637314, "AlgorithmIdentifier"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "maskGenAlgorithm", 1610637314, "AlgorithmIdentifier"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "saltLength", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "20"},
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "trailerField", 536911875, NULL },
|
||||||
|
+ { NULL, 1073741833, "1"},
|
||||||
|
+ { NULL, 2056, "3"},
|
||||||
|
+ { "GOSTParameters", 1610612741, NULL },
|
||||||
|
+ { "publicKeyParamSet", 1073741836, NULL },
|
||||||
|
+ { "digestParamSet", 16396, NULL },
|
||||||
|
+ { "GOSTParametersOld", 1610612741, NULL },
|
||||||
|
+ { "publicKeyParamSet", 1073741836, NULL },
|
||||||
|
+ { "digestParamSet", 1073741836, NULL },
|
||||||
|
+ { "encryptionParamSet", 16396, NULL },
|
||||||
|
+ { "GOSTPrivateKey", 1073741831, NULL },
|
||||||
|
+ { "GOSTPrivateKeyOld", 1073741827, NULL },
|
||||||
|
+ { "IssuerSignTool", 1610612741, NULL },
|
||||||
|
+ { "signTool", 1073741858, NULL },
|
||||||
|
+ { "cATool", 1073741858, NULL },
|
||||||
|
+ { "signToolCert", 1073741858, NULL },
|
||||||
|
+ { "cAToolCert", 34, NULL },
|
||||||
|
+ { "Gost28147-89-EncryptedKey", 1610612741, NULL },
|
||||||
|
+ { "encryptedKey", 1073741831, NULL },
|
||||||
|
+ { "maskKey", 1610637319, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "macKey", 7, NULL },
|
||||||
|
+ { "SubjectPublicKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "subjectPublicKey", 6, NULL },
|
||||||
|
+ { "GostR3410-TransportParameters", 1610612741, NULL },
|
||||||
|
+ { "encryptionParamSet", 1073741836, NULL },
|
||||||
|
+ { "ephemeralPublicKey", 1610637314, "SubjectPublicKeyInfo"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "ukm", 7, NULL },
|
||||||
|
+ { "GostR3410-KeyTransport", 536870917, NULL },
|
||||||
|
+ { "sessionEncryptedKey", 1073741826, "Gost28147-89-EncryptedKey"},
|
||||||
|
+ { "transportParameters", 536895490, "GostR3410-TransportParameters"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { NULL, 0, NULL }
|
||||||
|
+};
|
||||||
|
diff --git a/grub-core/commands/appendedsig/pkix_asn1_tab.c b/grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..adef69d95ce
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/pkix_asn1_tab.c
|
||||||
|
@@ -0,0 +1,484 @@
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+
|
||||||
|
+const asn1_static_node pkix_asn1_tab[] = {
|
||||||
|
+ { "PKIX1", 536875024, NULL },
|
||||||
|
+ { NULL, 1073741836, NULL },
|
||||||
|
+ { "PrivateKeyUsagePeriod", 1610612741, NULL },
|
||||||
|
+ { "notBefore", 1610637349, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "notAfter", 536895525, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "AuthorityKeyIdentifier", 1610612741, NULL },
|
||||||
|
+ { "keyIdentifier", 1610637319, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "authorityCertIssuer", 1610637314, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "authorityCertSerialNumber", 536895490, "CertificateSerialNumber"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "SubjectKeyIdentifier", 1073741831, NULL },
|
||||||
|
+ { "KeyUsage", 1073741830, NULL },
|
||||||
|
+ { "DirectoryString", 1610612754, NULL },
|
||||||
|
+ { "teletexString", 1612709918, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "printableString", 1612709919, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "universalString", 1612709920, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "utf8String", 1612709922, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "bmpString", 1612709921, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "ia5String", 538968093, NULL },
|
||||||
|
+ { "MAX", 524298, "1"},
|
||||||
|
+ { "SubjectAltName", 1073741826, "GeneralNames"},
|
||||||
|
+ { "GeneralNames", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "GeneralName"},
|
||||||
|
+ { "GeneralName", 1610612754, NULL },
|
||||||
|
+ { "otherName", 1610620930, "AnotherName"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "rfc822Name", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "dNSName", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "x400Address", 1610620941, NULL },
|
||||||
|
+ { NULL, 4104, "3"},
|
||||||
|
+ { "directoryName", 1610620939, NULL },
|
||||||
|
+ { NULL, 1073743880, "4"},
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "ediPartyName", 1610620941, NULL },
|
||||||
|
+ { NULL, 4104, "5"},
|
||||||
|
+ { "uniformResourceIdentifier", 1610620957, NULL },
|
||||||
|
+ { NULL, 4104, "6"},
|
||||||
|
+ { "iPAddress", 1610620935, NULL },
|
||||||
|
+ { NULL, 4104, "7"},
|
||||||
|
+ { "registeredID", 536879116, NULL },
|
||||||
|
+ { NULL, 4104, "8"},
|
||||||
|
+ { "AnotherName", 1610612741, NULL },
|
||||||
|
+ { "type-id", 1073741836, NULL },
|
||||||
|
+ { "value", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "type-id", 1, NULL },
|
||||||
|
+ { "IssuerAltName", 1073741826, "GeneralNames"},
|
||||||
|
+ { "BasicConstraints", 1610612741, NULL },
|
||||||
|
+ { "cA", 1610645508, NULL },
|
||||||
|
+ { NULL, 131081, NULL },
|
||||||
|
+ { "pathLenConstraint", 537411587, NULL },
|
||||||
|
+ { "0", 10, "MAX"},
|
||||||
|
+ { "CRLDistributionPoints", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "DistributionPoint"},
|
||||||
|
+ { "DistributionPoint", 1610612741, NULL },
|
||||||
|
+ { "distributionPoint", 1610637314, "DistributionPointName"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "reasons", 1610637314, "ReasonFlags"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "cRLIssuer", 536895490, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "DistributionPointName", 1610612754, NULL },
|
||||||
|
+ { "fullName", 1610620930, "GeneralNames"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "nameRelativeToCRLIssuer", 536879106, "RelativeDistinguishedName"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "ReasonFlags", 1073741830, NULL },
|
||||||
|
+ { "ExtKeyUsageSyntax", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 12, NULL },
|
||||||
|
+ { "AuthorityInfoAccessSyntax", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "AccessDescription"},
|
||||||
|
+ { "AccessDescription", 1610612741, NULL },
|
||||||
|
+ { "accessMethod", 1073741836, NULL },
|
||||||
|
+ { "accessLocation", 2, "GeneralName"},
|
||||||
|
+ { "Attribute", 1610612741, NULL },
|
||||||
|
+ { "type", 1073741836, NULL },
|
||||||
|
+ { "values", 536870927, NULL },
|
||||||
|
+ { NULL, 13, NULL },
|
||||||
|
+ { "AttributeTypeAndValue", 1610612741, NULL },
|
||||||
|
+ { "type", 1073741836, NULL },
|
||||||
|
+ { "value", 13, NULL },
|
||||||
|
+ { "Name", 1610612754, NULL },
|
||||||
|
+ { "rdnSequence", 536870923, NULL },
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "DistinguishedName", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "RelativeDistinguishedName", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "AttributeTypeAndValue"},
|
||||||
|
+ { "Certificate", 1610612741, NULL },
|
||||||
|
+ { "tbsCertificate", 1073741826, "TBSCertificate"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "TBSCertificate", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "serialNumber", 1073741826, "CertificateSerialNumber"},
|
||||||
|
+ { "signature", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "validity", 1073741826, "Validity"},
|
||||||
|
+ { "subject", 1073741826, "Name"},
|
||||||
|
+ { "subjectPublicKeyInfo", 1073741826, "SubjectPublicKeyInfo"},
|
||||||
|
+ { "issuerUniqueID", 1610637314, "UniqueIdentifier"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "subjectUniqueID", 1610637314, "UniqueIdentifier"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "extensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "3"},
|
||||||
|
+ { "CertificateSerialNumber", 1073741827, NULL },
|
||||||
|
+ { "Validity", 1610612741, NULL },
|
||||||
|
+ { "notBefore", 1073741826, "Time"},
|
||||||
|
+ { "notAfter", 2, "Time"},
|
||||||
|
+ { "Time", 1610612754, NULL },
|
||||||
|
+ { "utcTime", 1073741860, NULL },
|
||||||
|
+ { "generalTime", 37, NULL },
|
||||||
|
+ { "UniqueIdentifier", 1073741830, NULL },
|
||||||
|
+ { "SubjectPublicKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "subjectPublicKey", 6, NULL },
|
||||||
|
+ { "Extensions", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Extension"},
|
||||||
|
+ { "Extension", 1610612741, NULL },
|
||||||
|
+ { "extnID", 1073741836, NULL },
|
||||||
|
+ { "critical", 1610645508, NULL },
|
||||||
|
+ { NULL, 131081, NULL },
|
||||||
|
+ { "extnValue", 7, NULL },
|
||||||
|
+ { "CertificateList", 1610612741, NULL },
|
||||||
|
+ { "tbsCertList", 1073741826, "TBSCertList"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "TBSCertList", 1610612741, NULL },
|
||||||
|
+ { "version", 1073758211, NULL },
|
||||||
|
+ { "signature", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "thisUpdate", 1073741826, "Time"},
|
||||||
|
+ { "nextUpdate", 1073758210, "Time"},
|
||||||
|
+ { "revokedCertificates", 1610629131, NULL },
|
||||||
|
+ { NULL, 536870917, NULL },
|
||||||
|
+ { "userCertificate", 1073741826, "CertificateSerialNumber"},
|
||||||
|
+ { "revocationDate", 1073741826, "Time"},
|
||||||
|
+ { "crlEntryExtensions", 16386, "Extensions"},
|
||||||
|
+ { "crlExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "AlgorithmIdentifier", 1610612741, NULL },
|
||||||
|
+ { "algorithm", 1073741836, NULL },
|
||||||
|
+ { "parameters", 541081613, NULL },
|
||||||
|
+ { "algorithm", 1, NULL },
|
||||||
|
+ { "Dss-Sig-Value", 1610612741, NULL },
|
||||||
|
+ { "r", 1073741827, NULL },
|
||||||
|
+ { "s", 3, NULL },
|
||||||
|
+ { "Dss-Parms", 1610612741, NULL },
|
||||||
|
+ { "p", 1073741827, NULL },
|
||||||
|
+ { "q", 1073741827, NULL },
|
||||||
|
+ { "g", 3, NULL },
|
||||||
|
+ { "pkcs-7-ContentInfo", 1610612741, NULL },
|
||||||
|
+ { "contentType", 1073741836, NULL },
|
||||||
|
+ { "content", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "contentType", 1, NULL },
|
||||||
|
+ { "pkcs-7-DigestInfo", 1610612741, NULL },
|
||||||
|
+ { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "digest", 7, NULL },
|
||||||
|
+ { "pkcs-7-SignedData", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "digestAlgorithms", 1073741826, "pkcs-7-DigestAlgorithmIdentifiers"},
|
||||||
|
+ { "encapContentInfo", 1073741826, "pkcs-7-EncapsulatedContentInfo"},
|
||||||
|
+ { "certificates", 1610637314, "pkcs-7-CertificateSet"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "crls", 1610637314, "pkcs-7-CertificateRevocationLists"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "signerInfos", 2, "pkcs-7-SignerInfos"},
|
||||||
|
+ { "pkcs-7-DigestAlgorithmIdentifiers", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-7-EncapsulatedContentInfo", 1610612741, NULL },
|
||||||
|
+ { "eContentType", 1073741836, NULL },
|
||||||
|
+ { "eContent", 536895501, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "pkcs-7-CertificateRevocationLists", 1610612751, NULL },
|
||||||
|
+ { NULL, 13, NULL },
|
||||||
|
+ { "pkcs-7-CertificateChoices", 1610612754, NULL },
|
||||||
|
+ { "certificate", 13, NULL },
|
||||||
|
+ { "pkcs-7-CertificateSet", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-CertificateChoices"},
|
||||||
|
+ { "IssuerAndSerialNumber", 1610612741, NULL },
|
||||||
|
+ { "issuer", 1073741826, "Name"},
|
||||||
|
+ { "serialNumber", 2, "CertificateSerialNumber"},
|
||||||
|
+ { "pkcs-7-SignerInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "sid", 1073741826, "SignerIdentifier"},
|
||||||
|
+ { "digestAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signedAttrs", 1610637314, "SignedAttributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741831, NULL },
|
||||||
|
+ { "unsignedAttrs", 536895490, "SignedAttributes"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "SignedAttributes", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "SignerIdentifier", 1610612754, NULL },
|
||||||
|
+ { "issuerAndSerialNumber", 1073741826, "IssuerAndSerialNumber"},
|
||||||
|
+ { "subjectKeyIdentifier", 536879111, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-7-SignerInfos", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-SignerInfo"},
|
||||||
|
+ { "pkcs-10-CertificationRequestInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "subject", 1073741826, "Name"},
|
||||||
|
+ { "subjectPKInfo", 1073741826, "SubjectPublicKeyInfo"},
|
||||||
|
+ { "attributes", 536879106, "Attributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "Attributes", 1610612751, NULL },
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "pkcs-10-CertificationRequest", 1610612741, NULL },
|
||||||
|
+ { "certificationRequestInfo", 1073741826, "pkcs-10-CertificationRequestInfo"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 6, NULL },
|
||||||
|
+ { "pkcs-9-at-challengePassword", 1879048204, NULL },
|
||||||
|
+ { "iso", 1073741825, "1"},
|
||||||
|
+ { "member-body", 1073741825, "2"},
|
||||||
|
+ { "us", 1073741825, "840"},
|
||||||
|
+ { "rsadsi", 1073741825, "113549"},
|
||||||
|
+ { "pkcs", 1073741825, "1"},
|
||||||
|
+ { NULL, 1073741825, "9"},
|
||||||
|
+ { NULL, 1, "7"},
|
||||||
|
+ { "pkcs-9-challengePassword", 1610612754, NULL },
|
||||||
|
+ { "printableString", 1073741855, NULL },
|
||||||
|
+ { "utf8String", 34, NULL },
|
||||||
|
+ { "pkcs-9-localKeyId", 1073741831, NULL },
|
||||||
|
+ { "pkcs-8-PrivateKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "privateKeyAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "privateKey", 1073741831, NULL },
|
||||||
|
+ { "attributes", 536895490, "Attributes"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-8-EncryptedPrivateKeyInfo", 1610612741, NULL },
|
||||||
|
+ { "encryptionAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "encryptedData", 2, "pkcs-8-EncryptedData"},
|
||||||
|
+ { "pkcs-8-EncryptedData", 1073741831, NULL },
|
||||||
|
+ { "pkcs-5-des-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "8"},
|
||||||
|
+ { "pkcs-5-des-EDE3-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "8"},
|
||||||
|
+ { "pkcs-5-aes128-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "pkcs-5-aes192-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "pkcs-5-aes256-CBC-params", 1612709895, NULL },
|
||||||
|
+ { NULL, 1048586, "16"},
|
||||||
|
+ { "Gost28147-89-Parameters", 1610612741, NULL },
|
||||||
|
+ { "iv", 1073741831, NULL },
|
||||||
|
+ { "encryptionParamSet", 12, NULL },
|
||||||
|
+ { "pkcs-5-PBE-params", 1610612741, NULL },
|
||||||
|
+ { "salt", 1073741831, NULL },
|
||||||
|
+ { "iterationCount", 3, NULL },
|
||||||
|
+ { "pkcs-5-PBES2-params", 1610612741, NULL },
|
||||||
|
+ { "keyDerivationFunc", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "encryptionScheme", 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-5-PBKDF2-params", 1610612741, NULL },
|
||||||
|
+ { "salt", 1610612754, NULL },
|
||||||
|
+ { "specified", 1073741831, NULL },
|
||||||
|
+ { "otherSource", 2, "AlgorithmIdentifier"},
|
||||||
|
+ { "iterationCount", 1611137027, NULL },
|
||||||
|
+ { "1", 10, "MAX"},
|
||||||
|
+ { "keyLength", 1611153411, NULL },
|
||||||
|
+ { "1", 10, "MAX"},
|
||||||
|
+ { "prf", 16386, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-12-PFX", 1610612741, NULL },
|
||||||
|
+ { "version", 1610874883, NULL },
|
||||||
|
+ { "v3", 1, "3"},
|
||||||
|
+ { "authSafe", 1073741826, "pkcs-7-ContentInfo"},
|
||||||
|
+ { "macData", 16386, "pkcs-12-MacData"},
|
||||||
|
+ { "pkcs-12-PbeParams", 1610612741, NULL },
|
||||||
|
+ { "salt", 1073741831, NULL },
|
||||||
|
+ { "iterations", 3, NULL },
|
||||||
|
+ { "pkcs-12-MacData", 1610612741, NULL },
|
||||||
|
+ { "mac", 1073741826, "pkcs-7-DigestInfo"},
|
||||||
|
+ { "macSalt", 1073741831, NULL },
|
||||||
|
+ { "iterations", 536903683, NULL },
|
||||||
|
+ { NULL, 9, "1"},
|
||||||
|
+ { "pkcs-12-AuthenticatedSafe", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-7-ContentInfo"},
|
||||||
|
+ { "pkcs-12-SafeContents", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "pkcs-12-SafeBag"},
|
||||||
|
+ { "pkcs-12-SafeBag", 1610612741, NULL },
|
||||||
|
+ { "bagId", 1073741836, NULL },
|
||||||
|
+ { "bagValue", 1614815245, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "badId", 1, NULL },
|
||||||
|
+ { "bagAttributes", 536887311, NULL },
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "pkcs-12-CertBag", 1610612741, NULL },
|
||||||
|
+ { "certId", 1073741836, NULL },
|
||||||
|
+ { "certValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "certId", 1, NULL },
|
||||||
|
+ { "pkcs-12-CRLBag", 1610612741, NULL },
|
||||||
|
+ { "crlId", 1073741836, NULL },
|
||||||
|
+ { "crlValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "crlId", 1, NULL },
|
||||||
|
+ { "pkcs-12-SecretBag", 1610612741, NULL },
|
||||||
|
+ { "secretTypeId", 1073741836, NULL },
|
||||||
|
+ { "secretValue", 541073421, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "secretTypeId", 1, NULL },
|
||||||
|
+ { "pkcs-7-Data", 1073741831, NULL },
|
||||||
|
+ { "pkcs-7-EncryptedData", 1610612741, NULL },
|
||||||
|
+ { "version", 1073741827, NULL },
|
||||||
|
+ { "encryptedContentInfo", 1073741826, "pkcs-7-EncryptedContentInfo"},
|
||||||
|
+ { "unprotectedAttrs", 536895490, "pkcs-7-UnprotectedAttributes"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "pkcs-7-EncryptedContentInfo", 1610612741, NULL },
|
||||||
|
+ { "contentType", 1073741836, NULL },
|
||||||
|
+ { "contentEncryptionAlgorithm", 1073741826, "pkcs-7-ContentEncryptionAlgorithmIdentifier"},
|
||||||
|
+ { "encryptedContent", 536895495, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "pkcs-7-ContentEncryptionAlgorithmIdentifier", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "pkcs-7-UnprotectedAttributes", 1612709903, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "Attribute"},
|
||||||
|
+ { "ProxyCertInfo", 1610612741, NULL },
|
||||||
|
+ { "pCPathLenConstraint", 1611153411, NULL },
|
||||||
|
+ { "0", 10, "MAX"},
|
||||||
|
+ { "proxyPolicy", 2, "ProxyPolicy"},
|
||||||
|
+ { "ProxyPolicy", 1610612741, NULL },
|
||||||
|
+ { "policyLanguage", 1073741836, NULL },
|
||||||
|
+ { "policy", 16391, NULL },
|
||||||
|
+ { "certificatePolicies", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "PolicyInformation"},
|
||||||
|
+ { "PolicyInformation", 1610612741, NULL },
|
||||||
|
+ { "policyIdentifier", 1073741836, NULL },
|
||||||
|
+ { "policyQualifiers", 538984459, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "PolicyQualifierInfo"},
|
||||||
|
+ { "PolicyQualifierInfo", 1610612741, NULL },
|
||||||
|
+ { "policyQualifierId", 1073741836, NULL },
|
||||||
|
+ { "qualifier", 541065229, NULL },
|
||||||
|
+ { "policyQualifierId", 1, NULL },
|
||||||
|
+ { "CPSuri", 1073741853, NULL },
|
||||||
|
+ { "UserNotice", 1610612741, NULL },
|
||||||
|
+ { "noticeRef", 1073758210, "NoticeReference"},
|
||||||
|
+ { "explicitText", 16386, "DisplayText"},
|
||||||
|
+ { "NoticeReference", 1610612741, NULL },
|
||||||
|
+ { "organization", 1073741826, "DisplayText"},
|
||||||
|
+ { "noticeNumbers", 536870923, NULL },
|
||||||
|
+ { NULL, 3, NULL },
|
||||||
|
+ { "DisplayText", 1610612754, NULL },
|
||||||
|
+ { "ia5String", 1612709917, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "visibleString", 1612709923, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "bmpString", 1612709921, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "utf8String", 538968098, NULL },
|
||||||
|
+ { "200", 524298, "1"},
|
||||||
|
+ { "OCSPRequest", 1610612741, NULL },
|
||||||
|
+ { "tbsRequest", 1073741826, "TBSRequest"},
|
||||||
|
+ { "optionalSignature", 536895490, "Signature"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "TBSRequest", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "requestorName", 1610637314, "GeneralName"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "requestList", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "Request"},
|
||||||
|
+ { "requestExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "Signature", 1610612741, NULL },
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741830, NULL },
|
||||||
|
+ { "certs", 536895499, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { NULL, 2, "Certificate"},
|
||||||
|
+ { "Request", 1610612741, NULL },
|
||||||
|
+ { "reqCert", 1073741826, "CertID"},
|
||||||
|
+ { "singleRequestExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "CertID", 1610612741, NULL },
|
||||||
|
+ { "hashAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "issuerNameHash", 1073741831, NULL },
|
||||||
|
+ { "issuerKeyHash", 1073741831, NULL },
|
||||||
|
+ { "serialNumber", 2, "CertificateSerialNumber"},
|
||||||
|
+ { "OCSPResponse", 1610612741, NULL },
|
||||||
|
+ { "responseStatus", 1073741826, "OCSPResponseStatus"},
|
||||||
|
+ { "responseBytes", 536895490, "ResponseBytes"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "OCSPResponseStatus", 1610874901, NULL },
|
||||||
|
+ { "successful", 1073741825, "0"},
|
||||||
|
+ { "malformedRequest", 1073741825, "1"},
|
||||||
|
+ { "internalError", 1073741825, "2"},
|
||||||
|
+ { "tryLater", 1073741825, "3"},
|
||||||
|
+ { "sigRequired", 1073741825, "5"},
|
||||||
|
+ { "unauthorized", 1, "6"},
|
||||||
|
+ { "ResponseBytes", 1610612741, NULL },
|
||||||
|
+ { "responseType", 1073741836, NULL },
|
||||||
|
+ { "response", 7, NULL },
|
||||||
|
+ { "BasicOCSPResponse", 1610612741, NULL },
|
||||||
|
+ { "tbsResponseData", 1073741826, "ResponseData"},
|
||||||
|
+ { "signatureAlgorithm", 1073741826, "AlgorithmIdentifier"},
|
||||||
|
+ { "signature", 1073741830, NULL },
|
||||||
|
+ { "certs", 536895499, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { NULL, 2, "Certificate"},
|
||||||
|
+ { "ResponseData", 1610612741, NULL },
|
||||||
|
+ { "version", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "responderID", 1073741826, "ResponderID"},
|
||||||
|
+ { "producedAt", 1073741861, NULL },
|
||||||
|
+ { "responses", 1610612747, NULL },
|
||||||
|
+ { NULL, 2, "SingleResponse"},
|
||||||
|
+ { "responseExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "ResponderID", 1610612754, NULL },
|
||||||
|
+ { "byName", 1610620939, NULL },
|
||||||
|
+ { NULL, 1073743880, "1"},
|
||||||
|
+ { NULL, 2, "RelativeDistinguishedName"},
|
||||||
|
+ { "byKey", 536879111, NULL },
|
||||||
|
+ { NULL, 2056, "2"},
|
||||||
|
+ { "SingleResponse", 1610612741, NULL },
|
||||||
|
+ { "certID", 1073741826, "CertID"},
|
||||||
|
+ { "certStatus", 1073741826, "CertStatus"},
|
||||||
|
+ { "thisUpdate", 1073741861, NULL },
|
||||||
|
+ { "nextUpdate", 1610637349, NULL },
|
||||||
|
+ { NULL, 2056, "0"},
|
||||||
|
+ { "singleExtensions", 536895490, "Extensions"},
|
||||||
|
+ { NULL, 2056, "1"},
|
||||||
|
+ { "CertStatus", 1610612754, NULL },
|
||||||
|
+ { "good", 1610620948, NULL },
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "revoked", 1610620930, "RevokedInfo"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "unknown", 536879106, "UnknownInfo"},
|
||||||
|
+ { NULL, 4104, "2"},
|
||||||
|
+ { "RevokedInfo", 1610612741, NULL },
|
||||||
|
+ { "revocationTime", 1073741861, NULL },
|
||||||
|
+ { "revocationReason", 537157653, NULL },
|
||||||
|
+ { NULL, 1073743880, "0"},
|
||||||
|
+ { "unspecified", 1, "0"},
|
||||||
|
+ { "UnknownInfo", 1073741844, NULL },
|
||||||
|
+ { "NameConstraints", 1610612741, NULL },
|
||||||
|
+ { "permittedSubtrees", 1610637314, "GeneralSubtrees"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "excludedSubtrees", 536895490, "GeneralSubtrees"},
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "GeneralSubtrees", 1612709899, NULL },
|
||||||
|
+ { "MAX", 1074266122, "1"},
|
||||||
|
+ { NULL, 2, "GeneralSubtree"},
|
||||||
|
+ { "GeneralSubtree", 1610612741, NULL },
|
||||||
|
+ { "base", 1073741826, "GeneralName"},
|
||||||
|
+ { "minimum", 1610653699, NULL },
|
||||||
|
+ { NULL, 1073741833, "0"},
|
||||||
|
+ { NULL, 4104, "0"},
|
||||||
|
+ { "maximum", 536895491, NULL },
|
||||||
|
+ { NULL, 4104, "1"},
|
||||||
|
+ { "TlsFeatures", 536870923, NULL },
|
||||||
|
+ { NULL, 3, NULL },
|
||||||
|
+ { NULL, 0, NULL }
|
||||||
|
+};
|
@ -0,0 +1,719 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:35:43 +1000
|
||||||
|
Subject: [PATCH] appended signatures: support verifying appended signatures
|
||||||
|
|
||||||
|
Building on the parsers and the ability to embed x509 certificates, as
|
||||||
|
well as the existing gcrypt functionality, add a module for verifying
|
||||||
|
appended signatures.
|
||||||
|
|
||||||
|
This includes:
|
||||||
|
|
||||||
|
- a verifier that requires that kernels and grub modules have appended
|
||||||
|
signatures. It shares lots of logic with shim-lock verifier about what
|
||||||
|
files need to be verified and what modules are unsafe to have loaded.
|
||||||
|
|
||||||
|
- commands to manage the list of trusted certificates for verification.
|
||||||
|
|
||||||
|
Similar to the PGP verifier, if a certificate is embedded in the core
|
||||||
|
image, verification will be enforced unless disabled on the grub
|
||||||
|
command line or by load_env.
|
||||||
|
|
||||||
|
Thus, as with the PGP verifier, it is not a complete secure-boot solution:
|
||||||
|
other mechanisms must be used to ensure that a user cannot drop to the
|
||||||
|
grub shell and disable verification.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 12 +
|
||||||
|
grub-core/commands/appendedsig/appendedsig.c | 644 +++++++++++++++++++++++++++
|
||||||
|
include/grub/file.h | 2 +
|
||||||
|
3 files changed, 658 insertions(+)
|
||||||
|
create mode 100644 grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index fd1229c6328..1cf6b60f82e 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -921,6 +921,18 @@ module = {
|
||||||
|
cppflags = '-I$(srcdir)/lib/posix_wrap';
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = appendedsig;
|
||||||
|
+ common = commands/appendedsig/appendedsig.c;
|
||||||
|
+ common = commands/appendedsig/x509.c;
|
||||||
|
+ common = commands/appendedsig/pkcs7.c;
|
||||||
|
+ common = commands/appendedsig/asn1util.c;
|
||||||
|
+ common = commands/appendedsig/gnutls_asn1_tab.c;
|
||||||
|
+ common = commands/appendedsig/pkix_asn1_tab.c;
|
||||||
|
+ cflags = '$(CFLAGS_POSIX)';
|
||||||
|
+ cppflags = '-I$(srcdir)/lib/posix_wrap';
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = verifiers;
|
||||||
|
common = commands/verifiers.c;
|
||||||
|
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..5d8897be5c8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
@@ -0,0 +1,644 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2020 IBM Corporation.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/types.h>
|
||||||
|
+#include <grub/misc.h>
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/err.h>
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/file.h>
|
||||||
|
+#include <grub/command.h>
|
||||||
|
+#include <grub/crypto.h>
|
||||||
|
+#include <grub/pkcs1_v15.h>
|
||||||
|
+#include <grub/i18n.h>
|
||||||
|
+#include <grub/gcrypt/gcrypt.h>
|
||||||
|
+#include <grub/kernel.h>
|
||||||
|
+#include <grub/extcmd.h>
|
||||||
|
+#include <grub/verify.h>
|
||||||
|
+#include <grub/libtasn1.h>
|
||||||
|
+#include <grub/env.h>
|
||||||
|
+
|
||||||
|
+#include "appendedsig.h"
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+const char magic[] = "~Module signature appended~\n";
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * This structure is extracted from scripts/sign-file.c in the linux kernel
|
||||||
|
+ * source. It was licensed as LGPLv2.1+, which is GPLv3+ compatible.
|
||||||
|
+ */
|
||||||
|
+struct module_signature
|
||||||
|
+{
|
||||||
|
+ grub_uint8_t algo; /* Public-key crypto algorithm [0] */
|
||||||
|
+ grub_uint8_t hash; /* Digest algorithm [0] */
|
||||||
|
+ grub_uint8_t id_type; /* Key identifier type [PKEY_ID_PKCS7] */
|
||||||
|
+ grub_uint8_t signer_len; /* Length of signer's name [0] */
|
||||||
|
+ grub_uint8_t key_id_len; /* Length of key identifier [0] */
|
||||||
|
+ grub_uint8_t __pad[3];
|
||||||
|
+ grub_uint32_t sig_len; /* Length of signature data */
|
||||||
|
+} GRUB_PACKED;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+/* This represents an entire, parsed, appended signature */
|
||||||
|
+struct grub_appended_signature
|
||||||
|
+{
|
||||||
|
+ grub_size_t signature_len; /* Length of PKCS#7 data +
|
||||||
|
+ * metadata + magic */
|
||||||
|
+
|
||||||
|
+ struct module_signature sig_metadata; /* Module signature metadata */
|
||||||
|
+ struct pkcs7_signedData pkcs7; /* Parsed PKCS#7 data */
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+/* Trusted certificates for verifying appended signatures */
|
||||||
|
+struct x509_certificate *grub_trusted_key;
|
||||||
|
+
|
||||||
|
+/*
|
||||||
|
+ * Force gcry_rsa to be a module dependency.
|
||||||
|
+ *
|
||||||
|
+ * If we use grub_crypto_pk_rsa, then then the gcry_rsa module won't be built
|
||||||
|
+ * in if you add 'appendedsig' to grub-install --modules. You would need to
|
||||||
|
+ * add 'gcry_rsa' too. That's confusing and seems suboptimal, especially when
|
||||||
|
+ * we only support RSA.
|
||||||
|
+ *
|
||||||
|
+ * Dynamic loading also causes some concerns. We can't load gcry_rsa from the
|
||||||
|
+ * the filesystem after we install the verifier - we won't be able to verify
|
||||||
|
+ * it without having it already present. We also shouldn't load it before we
|
||||||
|
+ * install the verifier, because that would mean it wouldn't be verified - an
|
||||||
|
+ * attacker could insert any code they wanted into the module.
|
||||||
|
+ *
|
||||||
|
+ * So instead, reference the internal symbol from gcry_rsa. That creates a
|
||||||
|
+ * direct dependency on gcry_rsa, so it will be built in when this module
|
||||||
|
+ * is built in. Being built in (assuming the core image is itself signed!)
|
||||||
|
+ * also resolves our concerns about loading from the filesystem.
|
||||||
|
+ */
|
||||||
|
+extern gcry_pk_spec_t _gcry_pubkey_spec_rsa;
|
||||||
|
+
|
||||||
|
+static int check_sigs = 0;
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
||||||
|
+ const char *val)
|
||||||
|
+{
|
||||||
|
+ check_sigs = (*val == '1') || (*val == 'e');
|
||||||
|
+ return grub_strdup (check_sigs ? "enforce" : "no");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ grub_uint8_t *buf = NULL;
|
||||||
|
+ grub_ssize_t read_size;
|
||||||
|
+ grub_off_t total_read_size = 0;
|
||||||
|
+ grub_off_t file_size = grub_file_size (f);
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Cannot parse a certificate file of unknown size"));
|
||||||
|
+
|
||||||
|
+ buf = grub_zalloc (file_size);
|
||||||
|
+ if (!buf)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate buffer for certificate file contents"));
|
||||||
|
+
|
||||||
|
+ while (total_read_size < file_size)
|
||||||
|
+ {
|
||||||
|
+ read_size =
|
||||||
|
+ grub_file_read (f, &buf[total_read_size],
|
||||||
|
+ file_size - total_read_size);
|
||||||
|
+ if (read_size < 0)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Error reading certificate file"));
|
||||||
|
+ goto cleanup_buf;
|
||||||
|
+ }
|
||||||
|
+ total_read_size += read_size;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = certificate_import (buf, total_read_size, certificate);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ goto cleanup_buf;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+cleanup_buf:
|
||||||
|
+ grub_free (buf);
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+extract_appended_signature (grub_uint8_t * buf, grub_size_t bufsize,
|
||||||
|
+ struct grub_appended_signature *sig)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err;
|
||||||
|
+ grub_size_t pkcs7_size;
|
||||||
|
+ grub_size_t remaining_len;
|
||||||
|
+ grub_uint8_t *appsigdata = buf + bufsize - grub_strlen (magic);
|
||||||
|
+
|
||||||
|
+ if (bufsize < grub_strlen (magic))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for signature magic"));
|
||||||
|
+
|
||||||
|
+ if (grub_memcmp (appsigdata, (grub_uint8_t *) magic, grub_strlen (magic)))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Missing or invalid signature magic"));
|
||||||
|
+
|
||||||
|
+ remaining_len = bufsize - grub_strlen (magic);
|
||||||
|
+
|
||||||
|
+ if (remaining_len < sizeof (struct module_signature))
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for signature metadata"));
|
||||||
|
+
|
||||||
|
+ appsigdata -= sizeof (struct module_signature);
|
||||||
|
+
|
||||||
|
+ /* extract the metadata */
|
||||||
|
+ grub_memcpy (&(sig->sig_metadata), appsigdata,
|
||||||
|
+ sizeof (struct module_signature));
|
||||||
|
+
|
||||||
|
+ remaining_len -= sizeof (struct module_signature);
|
||||||
|
+
|
||||||
|
+ if (sig->sig_metadata.id_type != 2)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("Wrong signature type"));
|
||||||
|
+
|
||||||
|
+#ifdef GRUB_TARGET_WORDS_BIGENDIAN
|
||||||
|
+ pkcs7_size = sig->sig_metadata.sig_len;
|
||||||
|
+#else
|
||||||
|
+ pkcs7_size = __builtin_bswap32 (sig->sig_metadata.sig_len);
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
|
+ if (pkcs7_size > remaining_len)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("File too short for PKCS#7 message"));
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "sig len %" PRIuGRUB_SIZE "\n", pkcs7_size);
|
||||||
|
+
|
||||||
|
+ sig->signature_len =
|
||||||
|
+ grub_strlen (magic) + sizeof (struct module_signature) + pkcs7_size;
|
||||||
|
+
|
||||||
|
+ /* rewind pointer and parse pkcs7 data */
|
||||||
|
+ appsigdata -= pkcs7_size;
|
||||||
|
+
|
||||||
|
+ err = parse_pkcs7_signedData (appsigdata, pkcs7_size, &sig->pkcs7);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_verify_appended_signature (grub_uint8_t * buf, grub_size_t bufsize)
|
||||||
|
+{
|
||||||
|
+ grub_err_t err = GRUB_ERR_NONE;
|
||||||
|
+ grub_size_t datasize;
|
||||||
|
+ void *context;
|
||||||
|
+ unsigned char *hash;
|
||||||
|
+ gcry_mpi_t hashmpi;
|
||||||
|
+ gcry_err_code_t rc;
|
||||||
|
+ struct x509_certificate *pk;
|
||||||
|
+ struct grub_appended_signature sig;
|
||||||
|
+
|
||||||
|
+ if (!grub_trusted_key)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("No trusted keys to verify against"));
|
||||||
|
+
|
||||||
|
+ err = extract_appended_signature (buf, bufsize, &sig);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return err;
|
||||||
|
+
|
||||||
|
+ datasize = bufsize - sig.signature_len;
|
||||||
|
+
|
||||||
|
+ context = grub_zalloc (sig.pkcs7.hash->contextsize);
|
||||||
|
+ if (!context)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+ sig.pkcs7.hash->init (context);
|
||||||
|
+ sig.pkcs7.hash->write (context, buf, datasize);
|
||||||
|
+ sig.pkcs7.hash->final (context);
|
||||||
|
+ hash = sig.pkcs7.hash->read (context);
|
||||||
|
+ grub_dprintf ("appendedsig",
|
||||||
|
+ "data size %" PRIxGRUB_SIZE ", hash %02x%02x%02x%02x...\n",
|
||||||
|
+ datasize, hash[0], hash[1], hash[2], hash[3]);
|
||||||
|
+
|
||||||
|
+ err = GRUB_ERR_BAD_SIGNATURE;
|
||||||
|
+ for (pk = grub_trusted_key; pk; pk = pk->next)
|
||||||
|
+ {
|
||||||
|
+ rc = grub_crypto_rsa_pad (&hashmpi, hash, sig.pkcs7.hash, pk->mpis[0]);
|
||||||
|
+ if (rc)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Error padding hash for RSA verification: %d"),
|
||||||
|
+ rc);
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &sig.pkcs7.sig_mpi,
|
||||||
|
+ pk->mpis, NULL, NULL);
|
||||||
|
+ gcry_mpi_release (hashmpi);
|
||||||
|
+
|
||||||
|
+ if (rc == 0)
|
||||||
|
+ {
|
||||||
|
+ grub_dprintf ("appendedsig", "verify with key '%s' succeeded\n",
|
||||||
|
+ pk->subject);
|
||||||
|
+ err = GRUB_ERR_NONE;
|
||||||
|
+ break;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "verify with key '%s' failed with %d\n",
|
||||||
|
+ pk->subject, rc);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ /* If we didn't verify, provide a neat message */
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ err = grub_error (GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ N_("Failed to verify signature against a trusted key"));
|
||||||
|
+
|
||||||
|
+cleanup:
|
||||||
|
+ grub_free (context);
|
||||||
|
+ pkcs7_signedData_release (&sig.pkcs7);
|
||||||
|
+
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_verify_signature (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ grub_file_t f;
|
||||||
|
+ grub_err_t err = GRUB_ERR_NONE;
|
||||||
|
+ grub_uint8_t *data;
|
||||||
|
+ grub_ssize_t read_size;
|
||||||
|
+ grub_off_t file_size, total_read_size = 0;
|
||||||
|
+
|
||||||
|
+ if (argc < 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "verifying %s\n", args[0]);
|
||||||
|
+
|
||||||
|
+ f = grub_file_open (args[0], GRUB_FILE_TYPE_VERIFY_SIGNATURE);
|
||||||
|
+ if (!f)
|
||||||
|
+ {
|
||||||
|
+ err = grub_errno;
|
||||||
|
+ goto cleanup;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ file_size = grub_file_size (f);
|
||||||
|
+ if (file_size == GRUB_FILE_SIZE_UNKNOWN)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Cannot verify the signature of a file of unknown size"));
|
||||||
|
+
|
||||||
|
+ data = grub_malloc (file_size);
|
||||||
|
+ if (!data)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate data buffer size "
|
||||||
|
+ PRIuGRUB_UINT64_T " for verification"), file_size);
|
||||||
|
+
|
||||||
|
+ while (total_read_size < file_size)
|
||||||
|
+ {
|
||||||
|
+ read_size =
|
||||||
|
+ grub_file_read (f, &data[total_read_size],
|
||||||
|
+ file_size - total_read_size);
|
||||||
|
+ if (read_size < 0)
|
||||||
|
+ {
|
||||||
|
+ err = grub_error (GRUB_ERR_READ_ERROR,
|
||||||
|
+ N_("Error reading file to verify"));
|
||||||
|
+ goto cleanup_data;
|
||||||
|
+ }
|
||||||
|
+ total_read_size += read_size;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = grub_verify_appended_signature (data, file_size);
|
||||||
|
+
|
||||||
|
+cleanup_data:
|
||||||
|
+ grub_free (data);
|
||||||
|
+cleanup:
|
||||||
|
+ if (f)
|
||||||
|
+ grub_file_close (f);
|
||||||
|
+ return err;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_distrust (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ unsigned long cert_num, i;
|
||||||
|
+ struct x509_certificate *cert, *prev;
|
||||||
|
+
|
||||||
|
+ if (argc != 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("One argument expected"));
|
||||||
|
+
|
||||||
|
+ grub_errno = GRUB_ERR_NONE;
|
||||||
|
+ cert_num = grub_strtoul (args[0], NULL, 10);
|
||||||
|
+ if (grub_errno != GRUB_ERR_NONE)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+ if (cert_num < 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("Certificate number too small - numbers start at 1"));
|
||||||
|
+
|
||||||
|
+ if (cert_num == 1)
|
||||||
|
+ {
|
||||||
|
+ cert = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = cert->next;
|
||||||
|
+
|
||||||
|
+ certificate_release (cert);
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+ i = 2;
|
||||||
|
+ prev = grub_trusted_key;
|
||||||
|
+ cert = grub_trusted_key->next;
|
||||||
|
+ while (cert)
|
||||||
|
+ {
|
||||||
|
+ if (i == cert_num)
|
||||||
|
+ {
|
||||||
|
+ prev->next = cert->next;
|
||||||
|
+ certificate_release (cert);
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+ i++;
|
||||||
|
+ prev = cert;
|
||||||
|
+ cert = cert->next;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||||
|
+ N_("No certificate number %d found - only %d certificates in the store"),
|
||||||
|
+ cert_num, i - 1);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_trust (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc, char **args)
|
||||||
|
+{
|
||||||
|
+ grub_file_t certf;
|
||||||
|
+ struct x509_certificate *cert = NULL;
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ if (argc != 1)
|
||||||
|
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||||
|
+
|
||||||
|
+ certf = grub_file_open (args[0],
|
||||||
|
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST
|
||||||
|
+ | GRUB_FILE_TYPE_NO_DECOMPRESS);
|
||||||
|
+ if (!certf)
|
||||||
|
+ return grub_errno;
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+ cert = grub_zalloc (sizeof (struct x509_certificate));
|
||||||
|
+ if (!cert)
|
||||||
|
+ return grub_error (GRUB_ERR_OUT_OF_MEMORY,
|
||||||
|
+ N_("Could not allocate memory for certificate"));
|
||||||
|
+
|
||||||
|
+ err = read_cert_from_file (certf, cert);
|
||||||
|
+ grub_file_close (certf);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ {
|
||||||
|
+ grub_free (cert);
|
||||||
|
+ return err;
|
||||||
|
+ }
|
||||||
|
+ grub_dprintf ("appendedsig", "Loaded certificate with CN: %s\n",
|
||||||
|
+ cert->subject);
|
||||||
|
+
|
||||||
|
+ cert->next = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = cert;
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+grub_cmd_list (grub_command_t cmd __attribute__((unused)),
|
||||||
|
+ int argc __attribute__((unused)),
|
||||||
|
+ char **args __attribute__((unused)))
|
||||||
|
+{
|
||||||
|
+ struct x509_certificate *cert;
|
||||||
|
+ int cert_num = 1;
|
||||||
|
+ grub_size_t i;
|
||||||
|
+
|
||||||
|
+ for (cert = grub_trusted_key; cert; cert = cert->next)
|
||||||
|
+ {
|
||||||
|
+ grub_printf (N_("Certificate %d:\n"), cert_num);
|
||||||
|
+
|
||||||
|
+ grub_printf (N_("\tSerial: "));
|
||||||
|
+ for (i = 0; i < cert->serial_len - 1; i++)
|
||||||
|
+ {
|
||||||
|
+ grub_printf ("%02x:", cert->serial[i]);
|
||||||
|
+ }
|
||||||
|
+ grub_printf ("%02x\n", cert->serial[cert->serial_len - 1]);
|
||||||
|
+
|
||||||
|
+ grub_printf ("\tCN: %s\n\n", cert->subject);
|
||||||
|
+ cert_num++;
|
||||||
|
+
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+appendedsig_init (grub_file_t io, enum grub_file_type type,
|
||||||
|
+ void **context __attribute__((unused)),
|
||||||
|
+ enum grub_verify_flags *flags)
|
||||||
|
+{
|
||||||
|
+ const char *dangerous_mod;
|
||||||
|
+
|
||||||
|
+ if (!check_sigs)
|
||||||
|
+ {
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ switch (type & GRUB_FILE_TYPE_MASK)
|
||||||
|
+ {
|
||||||
|
+ case GRUB_FILE_TYPE_GRUB_MODULE:
|
||||||
|
+ if (grub_is_dangerous_module (io))
|
||||||
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ N_("module cannot be loaded in appended signature mode: %s"),
|
||||||
|
+ io->name);
|
||||||
|
+
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_ACPI_TABLE:
|
||||||
|
+ case GRUB_FILE_TYPE_DEVICE_TREE_IMAGE:
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_DEFER_AUTH;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_CERTIFICATE_TRUST:
|
||||||
|
+ /*
|
||||||
|
+ * This is a certificate to add to trusted keychain.
|
||||||
|
+ *
|
||||||
|
+ * This needs to be verified or blocked. Ideally we'd write an x509
|
||||||
|
+ * verifier, but we lack the hubris required to take this on. Instead,
|
||||||
|
+ * require that it have an appended signature.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ /* Fall through */
|
||||||
|
+
|
||||||
|
+ case GRUB_FILE_TYPE_LINUX_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_MULTIBOOT_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_BSD_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_XNU_KERNEL:
|
||||||
|
+ case GRUB_FILE_TYPE_PLAN9_KERNEL:
|
||||||
|
+
|
||||||
|
+ dangerous_mod = grub_dangerous_module_loaded ();
|
||||||
|
+ if (dangerous_mod)
|
||||||
|
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
|
||||||
|
+ N_("cannot proceed due to dangerous module in memory: %s"),
|
||||||
|
+ dangerous_mod);
|
||||||
|
+
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SINGLE_CHUNK;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+ default:
|
||||||
|
+ /*
|
||||||
|
+ * powerpc only supports the linux loader. If you support more,
|
||||||
|
+ * (especially chain loaded binaries) make sure they're checked!
|
||||||
|
+ */
|
||||||
|
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||||
|
+ return GRUB_ERR_NONE;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static grub_err_t
|
||||||
|
+appendedsig_write (void *ctxt __attribute__((unused)),
|
||||||
|
+ void *buf, grub_size_t size)
|
||||||
|
+{
|
||||||
|
+ return grub_verify_appended_signature (buf, size);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+struct grub_file_verifier grub_appendedsig_verifier = {
|
||||||
|
+ .name = "appendedsig",
|
||||||
|
+ .init = appendedsig_init,
|
||||||
|
+ .write = appendedsig_write,
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static grub_ssize_t
|
||||||
|
+pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
|
||||||
|
+{
|
||||||
|
+ grub_memcpy (buf, (grub_uint8_t *) file->data + file->offset, len);
|
||||||
|
+ return len;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/* Filesystem descriptor. */
|
||||||
|
+static struct grub_fs pseudo_fs = {
|
||||||
|
+ .name = "pseudo",
|
||||||
|
+ .read = pseudo_read
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static grub_command_t cmd_verify, cmd_list, cmd_distrust, cmd_trust;
|
||||||
|
+
|
||||||
|
+GRUB_MOD_INIT (appendedsig)
|
||||||
|
+{
|
||||||
|
+ int rc;
|
||||||
|
+ struct grub_module_header *header;
|
||||||
|
+ const char *val;
|
||||||
|
+
|
||||||
|
+ val = grub_env_get ("check_appended_signatures");
|
||||||
|
+ grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
|
||||||
|
+
|
||||||
|
+ if (val && (val[0] == '1' || val[0] == 'e'))
|
||||||
|
+ check_sigs = 1;
|
||||||
|
+ else
|
||||||
|
+ check_sigs = 0;
|
||||||
|
+
|
||||||
|
+ grub_trusted_key = NULL;
|
||||||
|
+
|
||||||
|
+ grub_register_variable_hook ("check_appended_signatures", 0,
|
||||||
|
+ grub_env_write_sec);
|
||||||
|
+ grub_env_export ("check_appended_signatures");
|
||||||
|
+
|
||||||
|
+ rc = asn1_init ();
|
||||||
|
+ if (rc)
|
||||||
|
+ grub_fatal ("Error initing ASN.1 data structures: %d: %s\n", rc,
|
||||||
|
+ asn1_strerror (rc));
|
||||||
|
+
|
||||||
|
+ FOR_MODULES (header)
|
||||||
|
+ {
|
||||||
|
+ struct grub_file pseudo_file;
|
||||||
|
+ struct x509_certificate *pk = NULL;
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ /* Not an ELF module, skip. */
|
||||||
|
+ if (header->type != OBJ_TYPE_X509_PUBKEY)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ grub_memset (&pseudo_file, 0, sizeof (pseudo_file));
|
||||||
|
+ pseudo_file.fs = &pseudo_fs;
|
||||||
|
+ pseudo_file.size = header->size - sizeof (struct grub_module_header);
|
||||||
|
+ pseudo_file.data = (char *) header + sizeof (struct grub_module_header);
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig",
|
||||||
|
+ "Found an x509 key, size=%" PRIuGRUB_UINT64_T "\n",
|
||||||
|
+ pseudo_file.size);
|
||||||
|
+
|
||||||
|
+ pk = grub_zalloc (sizeof (struct x509_certificate));
|
||||||
|
+ if (!pk)
|
||||||
|
+ {
|
||||||
|
+ grub_fatal ("Out of memory loading initial certificates");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = read_cert_from_file (&pseudo_file, pk);
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ grub_fatal ("Error loading initial key: %s", grub_errmsg);
|
||||||
|
+
|
||||||
|
+ grub_dprintf ("appendedsig", "loaded certificate CN='%s'\n", pk->subject);
|
||||||
|
+
|
||||||
|
+ pk->next = grub_trusted_key;
|
||||||
|
+ grub_trusted_key = pk;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!val || val[0] == '\0')
|
||||||
|
+ {
|
||||||
|
+ grub_env_set ("check_appended_signatures",
|
||||||
|
+ grub_trusted_key ? "enforce" : "no");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ cmd_trust =
|
||||||
|
+ grub_register_command ("trust_certificate", grub_cmd_trust,
|
||||||
|
+ N_("X509_CERTIFICATE"),
|
||||||
|
+ N_("Add X509_CERTIFICATE to trusted certificates."));
|
||||||
|
+ cmd_list =
|
||||||
|
+ grub_register_command ("list_certificates", grub_cmd_list, 0,
|
||||||
|
+ N_("Show the list of trusted x509 certificates."));
|
||||||
|
+ cmd_verify =
|
||||||
|
+ grub_register_command ("verify_appended", grub_cmd_verify_signature,
|
||||||
|
+ N_("FILE"),
|
||||||
|
+ N_("Verify FILE against the trusted x509 certificates."));
|
||||||
|
+ cmd_distrust =
|
||||||
|
+ grub_register_command ("distrust_certificate", grub_cmd_distrust,
|
||||||
|
+ N_("CERT_NUMBER"),
|
||||||
|
+ N_("Remove CERT_NUMBER (as listed by list_certificates) from trusted certificates."));
|
||||||
|
+
|
||||||
|
+ grub_verifier_register (&grub_appendedsig_verifier);
|
||||||
|
+ grub_dl_set_persistent (mod);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+GRUB_MOD_FINI (appendedsig)
|
||||||
|
+{
|
||||||
|
+ /*
|
||||||
|
+ * grub_dl_set_persistent should prevent this from actually running, but
|
||||||
|
+ * it does still run under emu.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ grub_verifier_unregister (&grub_appendedsig_verifier);
|
||||||
|
+ grub_unregister_command (cmd_verify);
|
||||||
|
+ grub_unregister_command (cmd_list);
|
||||||
|
+ grub_unregister_command (cmd_trust);
|
||||||
|
+ grub_unregister_command (cmd_distrust);
|
||||||
|
+}
|
||||||
|
diff --git a/include/grub/file.h b/include/grub/file.h
|
||||||
|
index cbbd294655b..2e337dbd68d 100644
|
||||||
|
--- a/include/grub/file.h
|
||||||
|
+++ b/include/grub/file.h
|
||||||
|
@@ -82,6 +82,8 @@ enum grub_file_type
|
||||||
|
GRUB_FILE_TYPE_PUBLIC_KEY,
|
||||||
|
/* File holding public key to add to trused keys. */
|
||||||
|
GRUB_FILE_TYPE_PUBLIC_KEY_TRUST,
|
||||||
|
+ /* File holding x509 certificiate to add to trusted keys. */
|
||||||
|
+ GRUB_FILE_TYPE_CERTIFICATE_TRUST,
|
||||||
|
/* File of which we intend to print a blocklist to the user. */
|
||||||
|
GRUB_FILE_TYPE_PRINT_BLOCKLIST,
|
||||||
|
/* File we intend to use for test loading or testing speed. */
|
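Review bot: `grub_cmd_distrust` dereferences a NULL pointer when the trusted store is empty — `distrust_certificate 1` reads `cert->next` with `cert == grub_trusted_key == NULL`, and any larger number reads `grub_trusted_key->next` before the loop; a guard such as `if (!grub_trusted_key) return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("No certificates in the store"));` placed before the `cert_num == 1` branch closes both paths. The closing error message in the same function also passes the `unsigned long` values `cert_num` and `i - 1` through `%d`; `%lu` matches the declared type. Separately, `grub_cmd_verify_signature` returns directly on the `GRUB_FILE_SIZE_UNKNOWN` and `grub_malloc` failure paths after `grub_file_open` succeeded, so the file handle is leaked; routing both through `err = grub_error (...); goto cleanup;` reuses the existing cleanup label. `grub_cmd_trust` has the same shape: when the `grub_zalloc` of `cert` fails it returns without `grub_file_close (certf)`.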
SOURCES/0368-appended-signatures-verification-tests.patch
@ -0,0 +1,897 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 30 Jul 2020 01:31:02 +1000
|
||||||
|
Subject: [PATCH] appended signatures: verification tests
|
||||||
|
|
||||||
|
These tests are run through all_functional_test and test a range
|
||||||
|
of commands and behaviours.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/Makefile.core.def | 6 +
|
||||||
|
grub-core/tests/appended_signature_test.c | 281 +++++++++++++++
|
||||||
|
grub-core/tests/lib/functional_test.c | 1 +
|
||||||
|
grub-core/tests/appended_signatures.h | 557 ++++++++++++++++++++++++++++++
|
||||||
|
4 files changed, 845 insertions(+)
|
||||||
|
create mode 100644 grub-core/tests/appended_signature_test.c
|
||||||
|
create mode 100644 grub-core/tests/appended_signatures.h
|
||||||
|
|
||||||
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
|
index 1cf6b60f82e..8914083d13f 100644
|
||||||
|
--- a/grub-core/Makefile.core.def
|
||||||
|
+++ b/grub-core/Makefile.core.def
|
||||||
|
@@ -2040,6 +2040,12 @@ module = {
|
||||||
|
common = tests/setjmp_test.c;
|
||||||
|
};
|
||||||
|
|
||||||
|
+module = {
|
||||||
|
+ name = appended_signature_test;
|
||||||
|
+ common = tests/appended_signature_test.c;
|
||||||
|
+ common = tests/appended_signatures.h;
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
module = {
|
||||||
|
name = signature_test;
|
||||||
|
common = tests/signature_test.c;
|
||||||
|
diff --git a/grub-core/tests/appended_signature_test.c b/grub-core/tests/appended_signature_test.c
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..88a485200d8
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/tests/appended_signature_test.c
|
||||||
|
@@ -0,0 +1,281 @@
|
||||||
|
+/*
|
||||||
|
+ * GRUB -- GRand Unified Bootloader
|
||||||
|
+ * Copyright (C) 2020 IBM Corporation.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is free software: you can redistribute it and/or modify
|
||||||
|
+ * it under the terms of the GNU General Public License as published by
|
||||||
|
+ * the Free Software Foundation, either version 3 of the License, or
|
||||||
|
+ * (at your option) any later version.
|
||||||
|
+ *
|
||||||
|
+ * GRUB is distributed in the hope that it will be useful,
|
||||||
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+ * GNU General Public License for more details.
|
||||||
|
+ *
|
||||||
|
+ * You should have received a copy of the GNU General Public License
|
||||||
|
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+#include <grub/time.h>
|
||||||
|
+#include <grub/misc.h>
|
||||||
|
+#include <grub/dl.h>
|
||||||
|
+#include <grub/command.h>
|
||||||
|
+#include <grub/env.h>
|
||||||
|
+#include <grub/test.h>
|
||||||
|
+#include <grub/mm.h>
|
||||||
|
+#include <grub/procfs.h>
|
||||||
|
+#include <grub/file.h>
|
||||||
|
+
|
||||||
|
+#include "appended_signatures.h"
|
||||||
|
+
|
||||||
|
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||||
|
+
|
||||||
|
+#define DEFINE_TEST_CASE(case_name) \
|
||||||
|
+static char * \
|
||||||
|
+get_ ## case_name (grub_size_t *sz) \
|
||||||
|
+{ \
|
||||||
|
+ char *ret; \
|
||||||
|
+ *sz = case_name ## _len; \
|
||||||
|
+ ret = grub_malloc (*sz); \
|
||||||
|
+ if (ret) \
|
||||||
|
+ grub_memcpy (ret, case_name, *sz); \
|
||||||
|
+ return ret; \
|
||||||
|
+} \
|
||||||
|
+\
|
||||||
|
+static struct grub_procfs_entry case_name ## _entry = \
|
||||||
|
+{ \
|
||||||
|
+ .name = #case_name, \
|
||||||
|
+ .get_contents = get_ ## case_name \
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+#define DO_TEST(case_name, is_valid) \
|
||||||
|
+{ \
|
||||||
|
+ grub_procfs_register (#case_name, &case_name ## _entry); \
|
||||||
|
+ do_verify ("(proc)/" #case_name, is_valid); \
|
||||||
|
+ grub_procfs_unregister (&case_name ## _entry); \
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+DEFINE_TEST_CASE (hi_signed);
|
||||||
|
+DEFINE_TEST_CASE (hi_signed_sha256);
|
||||||
|
+DEFINE_TEST_CASE (hj_signed);
|
||||||
|
+DEFINE_TEST_CASE (short_msg);
|
||||||
|
+DEFINE_TEST_CASE (unsigned_msg);
|
||||||
|
+DEFINE_TEST_CASE (hi_signed_2nd);
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate_der_entry = {
|
||||||
|
+ .name = "certificate.der",
|
||||||
|
+ .get_contents = get_certificate_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate2_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate2_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate2_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate2_der_entry = {
|
||||||
|
+ .name = "certificate2.der",
|
||||||
|
+ .get_contents = get_certificate2_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+static char *
|
||||||
|
+get_certificate_printable_der (grub_size_t * sz)
|
||||||
|
+{
|
||||||
|
+ char *ret;
|
||||||
|
+ *sz = certificate_printable_der_len;
|
||||||
|
+ ret = grub_malloc (*sz);
|
||||||
|
+ if (ret)
|
||||||
|
+ grub_memcpy (ret, certificate_printable_der, *sz);
|
||||||
|
+ return ret;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static struct grub_procfs_entry certificate_printable_der_entry = {
|
||||||
|
+ .name = "certificate_printable.der",
|
||||||
|
+ .get_contents = get_certificate_printable_der
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+do_verify (const char *f, int is_valid)
|
||||||
|
+{
|
||||||
|
+ grub_command_t cmd;
|
||||||
|
+ char *args[] = { (char *) f, NULL };
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ cmd = grub_command_find ("verify_appended");
|
||||||
|
+ if (!cmd)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "verify_appended");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ err = (cmd->func) (cmd, 1, args);
|
||||||
|
+ if (is_valid)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "verification of %s failed: %d: %s", f, grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ }
|
||||||
|
+ else
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_BAD_SIGNATURE,
|
||||||
|
+ "verification of %s unexpectedly succeeded", f);
|
||||||
|
+ }
|
||||||
|
+ grub_errno = GRUB_ERR_NONE;
|
||||||
|
+
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static void
|
||||||
|
+appended_signature_test (void)
|
||||||
|
+{
|
||||||
|
+ grub_command_t cmd_trust, cmd_distrust;
|
||||||
|
+ char *trust_args[] = { (char *) "(proc)/certificate.der", NULL };
|
||||||
|
+ char *trust_args2[] = { (char *) "(proc)/certificate2.der", NULL };
|
||||||
|
+ char *trust_args_printable[] = { (char *) "(proc)/certificate_printable.der",
|
||||||
|
+ NULL };
|
||||||
|
+ char *distrust_args[] = { (char *) "1", NULL };
|
||||||
|
+ char *distrust2_args[] = { (char *) "2", NULL };
|
||||||
|
+ grub_err_t err;
|
||||||
|
+
|
||||||
|
+ grub_procfs_register ("certificate.der", &certificate_der_entry);
|
||||||
|
+ grub_procfs_register ("certificate2.der", &certificate2_der_entry);
|
||||||
|
+ grub_procfs_register ("certificate_printable.der",
|
||||||
|
+ &certificate_printable_der_entry);
|
||||||
|
+
|
||||||
|
+ cmd_trust = grub_command_find ("trust_certificate");
|
||||||
|
+ if (!cmd_trust)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "trust_certificate");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "loading certificate failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+
|
||||||
|
+ /* If we have no certificate the remainder of the tests are meaningless */
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Reload the command: this works around some 'interesting' behaviour in the
|
||||||
|
+ * dynamic command dispatcher. The first time you call cmd->func you get a
|
||||||
|
+ * dispatcher that loads the module, finds the real cmd, calls it, and then
|
||||||
|
+ * releases some internal storage. This means it's not safe to call a second
|
||||||
|
+ * time and we need to reload it.
|
||||||
|
+ */
|
||||||
|
+ cmd_trust = grub_command_find ("trust_certificate");
|
||||||
|
+
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+ DO_TEST (hi_signed_sha256, 1);
|
||||||
|
+ DO_TEST (hj_signed, 0);
|
||||||
|
+ DO_TEST (short_msg, 0);
|
||||||
|
+ DO_TEST (unsigned_msg, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * in enforcing mode, we shouldn't be able to load a certificate that isn't
|
||||||
|
+ * signed by an existing trusted key.
|
||||||
|
+ *
|
||||||
|
+ * However, procfs files automatically skip the verification test, so we can't
|
||||||
|
+ * easily test this.
|
||||||
|
+ */
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * verify that testing with 2 trusted certs works
|
||||||
|
+ */
|
||||||
|
+ DO_TEST (hi_signed_2nd, 0);
|
||||||
|
+
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args2);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "loading certificate 2 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+
|
||||||
|
+ if (err != GRUB_ERR_NONE)
|
||||||
|
+ return;
|
||||||
|
+
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Check certificate removal. They're added to the _top_ of the list and
|
||||||
|
+ * removed by position in the list. Current the list looks like [#2, #1].
|
||||||
|
+ *
|
||||||
|
+ * First test removing the second certificate in the list, which is
|
||||||
|
+ * certificate #1, giving us just [#2].
|
||||||
|
+ */
|
||||||
|
+ cmd_distrust = grub_command_find ("distrust_certificate");
|
||||||
|
+ if (!cmd_distrust)
|
||||||
|
+ {
|
||||||
|
+ grub_test_assert (0, "can't find command `%s'", "distrust_certificate");
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust2_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Now reload certificate #1. This will make the list look like [#1, #2]
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args);
|
||||||
|
+
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "reloading certificate 1 failed: %d: %s", grub_errno,
|
||||||
|
+ grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed, 1);
|
||||||
|
+
|
||||||
|
+ /* Remove the first certificate in the list, giving us just [#2] */
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 (first time) failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 1);
|
||||||
|
+ DO_TEST (hi_signed, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Remove the first certificate again, giving an empty list.
|
||||||
|
+ *
|
||||||
|
+ * verify_appended should fail if there are no certificates to verify against.
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_distrust->func) (cmd_distrust, 1, distrust_args);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting certificate 1 (second time) failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+ DO_TEST (hi_signed_2nd, 0);
|
||||||
|
+
|
||||||
|
+ /*
|
||||||
|
+ * Lastly, check a certificate that uses printableString rather than
|
||||||
|
+ * utf8String loads properly.
|
||||||
|
+ */
|
||||||
|
+ err = (cmd_trust->func) (cmd_trust, 1, trust_args_printable);
|
||||||
|
+ grub_test_assert (err == GRUB_ERR_NONE,
|
||||||
|
+ "distrusting printable certificate failed: %d: %s",
|
||||||
|
+ grub_errno, grub_errmsg);
|
||||||
|
+
|
||||||
|
+ grub_procfs_unregister (&certificate_der_entry);
|
||||||
|
+ grub_procfs_unregister (&certificate2_der_entry);
|
||||||
|
+ grub_procfs_unregister (&certificate_printable_der_entry);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+GRUB_FUNCTIONAL_TEST (appended_signature_test, appended_signature_test);
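Review bot: The early `return`s in appended_signature_test (after the two missing-command checks and after each failed certificate load) skip the three grub_procfs_unregister calls at the end of the function, so a failing run leaves certificate.der, certificate2.der and certificate_printable.der registered under (proc) and a repeated run of the test calls grub_procfs_register on the same entries a second time; routing every failure path through one `out:` label that does the unregistering fixes this. The assertion after loading the printable certificate reads `"distrusting printable certificate failed: %d: %s"` although the call is cmd_trust, so a failure there would be reported as the wrong operation. In do_verify the negative branch reports "unexpectedly succeeded" for any err other than GRUB_ERR_BAD_SIGNATURE, which hides a file-open or allocation failure behind a misleading message; `grub_test_assert (err == GRUB_ERR_BAD_SIGNATURE, "verification of %s: expected bad signature, got %d: %s", f, grub_errno, grub_errmsg);` would show the real cause in the test log. The comment above the distrust sequence also has a typo, `Current the list looks like` should read `Currently the list looks like`.
```c
static void
appended_signature_test (void)
{
  /* … unchanged: argument arrays and the three grub_procfs_register calls … */

  cmd_trust = grub_command_find ("trust_certificate");
  if (!cmd_trust)
    {
      grub_test_assert (0, "can't find command `%s'", "trust_certificate");
      goto out;
    }
  /* … unchanged: remaining test sequence, with each early `return` replaced by `goto out` … */

out:
  grub_procfs_unregister (&certificate_der_entry);
  grub_procfs_unregister (&certificate2_der_entry);
  grub_procfs_unregister (&certificate_printable_der_entry);
}
```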
|
||||||
|
diff --git a/grub-core/tests/lib/functional_test.c b/grub-core/tests/lib/functional_test.c
|
||||||
|
index 96781fb39b5..403fa5c789a 100644
|
||||||
|
--- a/grub-core/tests/lib/functional_test.c
|
||||||
|
+++ b/grub-core/tests/lib/functional_test.c
|
||||||
|
@@ -73,6 +73,7 @@ grub_functional_all_tests (grub_extcmd_context_t ctxt __attribute__ ((unused)),
|
||||||
|
grub_dl_load ("xnu_uuid_test");
|
||||||
|
grub_dl_load ("pbkdf2_test");
|
||||||
|
grub_dl_load ("signature_test");
|
||||||
|
+ grub_dl_load ("appended_signature_test");
|
||||||
|
grub_dl_load ("sleep_test");
|
||||||
|
grub_dl_load ("bswap_test");
|
||||||
|
grub_dl_load ("ctz_test");
|
||||||
|
diff --git a/grub-core/tests/appended_signatures.h b/grub-core/tests/appended_signatures.h
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000000..aa3dc6278e3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/grub-core/tests/appended_signatures.h
|
||||||
|
@@ -0,0 +1,557 @@
|
||||||
|
+unsigned char certificate_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x03, 0x88, 0x30, 0x82, 0x02, 0x70, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
|
||||||
|
+ 0x05, 0x00, 0x30, 0x49, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04,
|
||||||
|
+ 0x03, 0x0c, 0x1f, 0x47, 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65,
|
||||||
|
+ 0x6e, 0x64, 0x65, 0x64, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75,
|
||||||
|
+ 0x72, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d,
|
||||||
|
+ 0x30, 0x1b, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09,
|
||||||
|
+ 0x01, 0x16, 0x0e, 0x64, 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e,
|
||||||
|
+ 0x73, 0x2e, 0x6e, 0x65, 0x74, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x30, 0x30,
|
||||||
|
+ 0x37, 0x30, 0x39, 0x30, 0x36, 0x32, 0x32, 0x30, 0x37, 0x5a, 0x18, 0x0f,
|
||||||
|
+ 0x32, 0x31, 0x32, 0x30, 0x30, 0x36, 0x31, 0x35, 0x30, 0x36, 0x32, 0x32,
|
||||||
|
+ 0x30, 0x37, 0x5a, 0x30, 0x52, 0x31, 0x31, 0x30, 0x2f, 0x06, 0x03, 0x55,
|
||||||
|
+ 0x04, 0x03, 0x0c, 0x28, 0x47, 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70,
|
||||||
|
+ 0x65, 0x6e, 0x64, 0x65, 0x64, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74,
|
||||||
|
+ 0x75, 0x72, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74, 0x20, 0x53, 0x69, 0x67,
|
||||||
|
+ 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x31, 0x1d, 0x30, 0x1b,
|
||||||
|
+ 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16,
|
||||||
|
+ 0x0e, 0x64, 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e,
|
||||||
|
+ 0x6e, 0x65, 0x74, 0x30, 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a,
|
||||||
|
+ 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82,
|
||||||
|
+ 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00,
|
||||||
|
+ 0xcd, 0xe8, 0x1c, 0x08, 0x68, 0x2e, 0xcb, 0xfe, 0x8c, 0x4b, 0x3b, 0x61,
|
||||||
|
+ 0xe7, 0x8e, 0x80, 0x58, 0x85, 0x85, 0xea, 0xc8, 0x3b, 0x42, 0xba, 0x72,
|
||||||
|
+ 0x84, 0x65, 0x20, 0xbc, 0x48, 0xa2, 0x25, 0x49, 0x6e, 0x1c, 0xb9, 0x7d,
|
||||||
|
+ 0xeb, 0xc1, 0x0c, 0xa8, 0xb7, 0xcc, 0x13, 0x78, 0xba, 0x11, 0xa4, 0x98,
|
||||||
|
+ 0xd7, 0xd0, 0x7c, 0xdd, 0xf5, 0x5a, 0xb7, 0xcd, 0x31, 0x0e, 0xcd, 0x9e,
|
||||||
|
+ 0xa7, 0x19, 0xf0, 0xbd, 0x0f, 0xa6, 0xfe, 0x8a, 0x11, 0x97, 0xed, 0x8b,
|
||||||
|
+ 0xe5, 0x16, 0xa6, 0x21, 0x13, 0x36, 0xad, 0x05, 0x49, 0xec, 0x29, 0x12,
|
||||||
|
+ 0x38, 0xa7, 0x4b, 0x0f, 0xa1, 0xfb, 0x72, 0xc0, 0xc0, 0x09, 0x67, 0x78,
|
||||||
|
+ 0xa8, 0xb6, 0xd6, 0x1a, 0x39, 0xc0, 0xa8, 0xbf, 0x5f, 0x14, 0x89, 0x5c,
|
||||||
|
+ 0xbc, 0x41, 0x0c, 0x0c, 0x5d, 0x42, 0x2e, 0x1c, 0xdf, 0x1f, 0x1d, 0xc9,
|
||||||
|
+ 0x43, 0x94, 0x5b, 0x6e, 0x8f, 0x15, 0x8c, 0x8f, 0x94, 0x73, 0x4f, 0x97,
|
||||||
|
+ 0x54, 0xf1, 0x86, 0x8a, 0xbc, 0xe4, 0xe4, 0x93, 0xc1, 0x5e, 0xc2, 0x3e,
|
||||||
|
+ 0x31, 0x5e, 0xd4, 0x85, 0x57, 0x14, 0xd0, 0x11, 0x07, 0x65, 0xf4, 0x7c,
|
||||||
|
+ 0x8f, 0x07, 0x57, 0xe1, 0x22, 0xd4, 0x78, 0x47, 0x65, 0x4e, 0xa9, 0xb3,
|
||||||
|
+ 0xaa, 0xce, 0xc7, 0x36, 0xfe, 0xda, 0x66, 0x02, 0xb6, 0x8d, 0x18, 0x2f,
|
||||||
|
+ 0x3b, 0x41, 0x8d, 0x02, 0x08, 0x72, 0x4b, 0x69, 0xbd, 0x1e, 0x58, 0xfc,
|
||||||
|
+ 0x1b, 0x64, 0x04, 0x52, 0x35, 0x35, 0xe2, 0x3d, 0x3e, 0xde, 0xd6, 0x64,
|
||||||
|
+ 0xf4, 0xec, 0x57, 0x7e, 0x65, 0x59, 0x00, 0xa6, 0xd3, 0x4b, 0x09, 0x93,
|
||||||
|
+ 0x2a, 0x95, 0x0f, 0x30, 0xb6, 0xa1, 0x8c, 0xe7, 0x8b, 0x49, 0xa4, 0x1d,
|
||||||
|
+ 0x25, 0x2d, 0x65, 0x48, 0x8a, 0x0f, 0xcf, 0x2a, 0xa2, 0xe1, 0xef, 0x72,
|
||||||
|
+ 0x92, 0xc3, 0xf5, 0x21, 0x37, 0x83, 0x9b, 0x6d, 0x0b, 0x1b, 0xb3, 0xa2,
|
||||||
|
+ 0x32, 0x38, 0x11, 0xb1, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x5d, 0x30,
|
||||||
|
+ 0x5b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04,
|
||||||
|
+ 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04,
|
||||||
|
+ 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04,
|
||||||
|
+ 0x16, 0x04, 0x14, 0xe5, 0x2a, 0x4f, 0xf2, 0x84, 0x91, 0x57, 0x91, 0xaf,
|
||||||
|
+ 0x12, 0xd2, 0xf1, 0xa1, 0x87, 0x73, 0x0f, 0x90, 0x25, 0xa0, 0x7a, 0x30,
|
||||||
|
+ 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14,
|
||||||
|
+ 0x56, 0xd1, 0xfd, 0xe2, 0x1e, 0x7e, 0x1c, 0x63, 0x4f, 0x47, 0xdb, 0xe4,
|
||||||
|
+ 0xc4, 0x51, 0x04, 0x03, 0x9a, 0x48, 0x35, 0x6e, 0x30, 0x0d, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
|
||||||
|
+ 0x82, 0x01, 0x01, 0x00, 0x65, 0x82, 0xd5, 0x88, 0x30, 0xe2, 0x2c, 0x47,
|
||||||
|
+ 0xf3, 0x31, 0x39, 0xa1, 0x75, 0x9a, 0xb0, 0x8a, 0x6c, 0x4b, 0xac, 0xdf,
|
||||||
|
+ 0x09, 0x7b, 0x90, 0xb6, 0x9e, 0x76, 0x62, 0x94, 0xc1, 0x3a, 0x99, 0x49,
|
||||||
|
+ 0x68, 0x29, 0x47, 0x42, 0xc3, 0x06, 0xcb, 0x88, 0x75, 0xe6, 0x79, 0x13,
|
||||||
|
+ 0x8c, 0x4b, 0x49, 0x6a, 0xb5, 0x56, 0x95, 0xc0, 0x42, 0x21, 0x9b, 0xd4,
|
||||||
|
+ 0x61, 0xd0, 0x02, 0x41, 0xdd, 0x20, 0x61, 0xe5, 0x91, 0xdf, 0x75, 0x00,
|
||||||
|
+ 0x25, 0x0e, 0x99, 0x65, 0x5c, 0x54, 0x49, 0x32, 0xa3, 0xe2, 0xcd, 0xa1,
|
||||||
|
+ 0x5f, 0x40, 0xf3, 0xc5, 0x81, 0xd9, 0x3c, 0xa3, 0x63, 0x5a, 0x38, 0x79,
|
||||||
|
+ 0xab, 0x77, 0x98, 0xde, 0x8f, 0x4e, 0x9e, 0x26, 0xbc, 0x4e, 0x80, 0x9e,
|
||||||
|
+ 0x8f, 0xbe, 0xf1, 0x00, 0xb3, 0x78, 0xb9, 0x4b, 0x1d, 0xc7, 0xa4, 0x83,
|
||||||
|
+ 0x59, 0x56, 0x11, 0xd1, 0x11, 0x1e, 0x50, 0x39, 0xd5, 0x78, 0x14, 0xf3,
|
||||||
|
+ 0xb9, 0x1d, 0xda, 0xe4, 0xc4, 0x63, 0x74, 0x26, 0xab, 0xa3, 0xfd, 0x9d,
|
||||||
|
+ 0x58, 0xa2, 0xee, 0x7b, 0x28, 0x34, 0xa3, 0xbe, 0x85, 0x7e, 0xaa, 0x97,
|
||||||
|
+ 0xb7, 0x5b, 0x9d, 0xa9, 0x4d, 0x96, 0xdb, 0x6b, 0x21, 0xe1, 0x96, 0x5d,
|
||||||
|
+ 0xc7, 0xad, 0x23, 0x03, 0x9a, 0x16, 0xdb, 0xa4, 0x1f, 0x63, 0xef, 0xaf,
|
||||||
|
+ 0x1e, 0x4f, 0xf8, 0x27, 0xdc, 0x4b, 0xfc, 0x2b, 0x68, 0x2e, 0xa0, 0xd3,
|
||||||
|
+ 0xae, 0xf2, 0xce, 0xf5, 0xfc, 0x97, 0x92, 0xd2, 0x29, 0x0f, 0x4f, 0x4b,
|
||||||
|
+ 0x29, 0xeb, 0x06, 0xcb, 0xf8, 0x21, 0x6e, 0xbc, 0x8b, 0x5c, 0xc5, 0xc9,
|
||||||
|
+ 0xf7, 0xe2, 0x7c, 0x47, 0xcd, 0x43, 0x98, 0xc4, 0xa3, 0x9a, 0xd7, 0x3e,
|
||||||
|
+ 0xdc, 0x01, 0x13, 0x28, 0x96, 0xc4, 0x60, 0x83, 0xe2, 0x79, 0xa1, 0x46,
|
||||||
|
+ 0xef, 0xf5, 0xa4, 0x7b, 0x00, 0xe3, 0x3d, 0x7d, 0xbc, 0xa8, 0x98, 0x49,
|
||||||
|
+ 0xa8, 0xcf, 0x3b, 0x41, 0xb6, 0x09, 0x97, 0x07
|
||||||
|
+};
|
||||||
|
+unsigned int certificate_der_len = 908;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc7, 0x69, 0x35, 0x21, 0x66,
|
||||||
|
+ 0x4d, 0x50, 0xd4, 0x73, 0xde, 0xbd, 0x3a, 0xf6, 0x45, 0xe3, 0xe4, 0xd0,
|
||||||
|
+ 0xb6, 0xa1, 0xe7, 0xc0, 0xa2, 0xc9, 0xf4, 0xf0, 0x05, 0x8c, 0xa4, 0x16,
|
||||||
|
+ 0x9e, 0x81, 0x0d, 0x21, 0x68, 0xf3, 0xfe, 0x03, 0x96, 0x77, 0x31, 0x69,
|
||||||
|
+ 0x01, 0xd8, 0x26, 0xd9, 0x48, 0x95, 0xcf, 0xd1, 0x17, 0xb1, 0x0b, 0x6b,
|
||||||
|
+ 0x2c, 0xf1, 0xb0, 0xab, 0x65, 0x65, 0x56, 0xf8, 0x0c, 0xa7, 0xf7, 0xbb,
|
||||||
|
+ 0xf6, 0x5a, 0x55, 0x98, 0x14, 0x07, 0x8d, 0x2a, 0xbc, 0x16, 0x48, 0x94,
|
||||||
|
+ 0xab, 0x2f, 0x85, 0x97, 0x90, 0x51, 0x78, 0xa0, 0xda, 0x60, 0xb5, 0x41,
|
||||||
|
+ 0x4b, 0xe8, 0x78, 0xc5, 0xa6, 0x04, 0x9d, 0x54, 0x2a, 0x85, 0xfd, 0x86,
|
||||||
|
+ 0x0b, 0x6d, 0xc2, 0xd2, 0xad, 0x07, 0xff, 0x16, 0x42, 0x82, 0xe3, 0x5c,
|
||||||
|
+ 0xaa, 0x22, 0x59, 0x78, 0x92, 0xea, 0x94, 0xc3, 0x41, 0xb7, 0xa1, 0x86,
|
||||||
|
+ 0x44, 0xea, 0xd1, 0xdb, 0xe5, 0xac, 0x30, 0x32, 0xfb, 0x7d, 0x3f, 0xf7,
|
||||||
|
+ 0x8b, 0x11, 0x7f, 0x80, 0x3b, 0xe5, 0xc7, 0x82, 0x0f, 0x92, 0x07, 0x14,
|
||||||
|
+ 0x66, 0x01, 0x6e, 0x85, 0xab, 0x3a, 0x14, 0xcf, 0x76, 0xd1, 0x7e, 0x14,
|
||||||
|
+ 0x85, 0xca, 0x01, 0x73, 0x72, 0x38, 0xdc, 0xde, 0x30, 0x5c, 0xfb, 0xc0,
|
||||||
|
+ 0x3d, 0x93, 0xef, 0x9c, 0xbc, 0xf8, 0xcc, 0xd2, 0xbf, 0x47, 0xec, 0xf8,
|
||||||
|
+ 0x88, 0x9b, 0xe1, 0x43, 0xbe, 0xa7, 0x47, 0x96, 0xb6, 0x5d, 0x46, 0x0e,
|
||||||
|
+ 0x7a, 0x78, 0x38, 0x19, 0xbc, 0xb5, 0xbc, 0x9b, 0x3c, 0x39, 0x92, 0x70,
|
||||||
|
+ 0x0d, 0x9d, 0x8a, 0x35, 0xaf, 0xb4, 0x9e, 0xf4, 0xef, 0xc1, 0xb8, 0x25,
|
||||||
|
+ 0xd0, 0x14, 0x91, 0xd6, 0xc2, 0xb6, 0xc7, 0x3c, 0x72, 0x91, 0x0f, 0xad,
|
||||||
|
+ 0xde, 0xb2, 0x36, 0xf8, 0x4e, 0x59, 0xd4, 0xa4, 0x21, 0x9f, 0x03, 0x95,
|
||||||
|
+ 0x48, 0x01, 0xb4, 0x05, 0xc3, 0x39, 0x60, 0x51, 0x08, 0xd0, 0xbe, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char hj_signed[] = {
|
||||||
|
+ 0x68, 0x6a, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0xc7, 0x69, 0x35, 0x21, 0x66,
|
||||||
|
+ 0x4d, 0x50, 0xd4, 0x73, 0xde, 0xbd, 0x3a, 0xf6, 0x45, 0xe3, 0xe4, 0xd0,
|
||||||
|
+ 0xb6, 0xa1, 0xe7, 0xc0, 0xa2, 0xc9, 0xf4, 0xf0, 0x05, 0x8c, 0xa4, 0x16,
|
||||||
|
+ 0x9e, 0x81, 0x0d, 0x21, 0x68, 0xf3, 0xfe, 0x03, 0x96, 0x77, 0x31, 0x69,
|
||||||
|
+ 0x01, 0xd8, 0x26, 0xd9, 0x48, 0x95, 0xcf, 0xd1, 0x17, 0xb1, 0x0b, 0x6b,
|
||||||
|
+ 0x2c, 0xf1, 0xb0, 0xab, 0x65, 0x65, 0x56, 0xf8, 0x0c, 0xa7, 0xf7, 0xbb,
|
||||||
|
+ 0xf6, 0x5a, 0x55, 0x98, 0x14, 0x07, 0x8d, 0x2a, 0xbc, 0x16, 0x48, 0x94,
|
||||||
|
+ 0xab, 0x2f, 0x85, 0x97, 0x90, 0x51, 0x78, 0xa0, 0xda, 0x60, 0xb5, 0x41,
|
||||||
|
+ 0x4b, 0xe8, 0x78, 0xc5, 0xa6, 0x04, 0x9d, 0x54, 0x2a, 0x85, 0xfd, 0x86,
|
||||||
|
+ 0x0b, 0x6d, 0xc2, 0xd2, 0xad, 0x07, 0xff, 0x16, 0x42, 0x82, 0xe3, 0x5c,
|
||||||
|
+ 0xaa, 0x22, 0x59, 0x78, 0x92, 0xea, 0x94, 0xc3, 0x41, 0xb7, 0xa1, 0x86,
|
||||||
|
+ 0x44, 0xea, 0xd1, 0xdb, 0xe5, 0xac, 0x30, 0x32, 0xfb, 0x7d, 0x3f, 0xf7,
|
||||||
|
+ 0x8b, 0x11, 0x7f, 0x80, 0x3b, 0xe5, 0xc7, 0x82, 0x0f, 0x92, 0x07, 0x14,
|
||||||
|
+ 0x66, 0x01, 0x6e, 0x85, 0xab, 0x3a, 0x14, 0xcf, 0x76, 0xd1, 0x7e, 0x14,
|
||||||
|
+ 0x85, 0xca, 0x01, 0x73, 0x72, 0x38, 0xdc, 0xde, 0x30, 0x5c, 0xfb, 0xc0,
|
||||||
|
+ 0x3d, 0x93, 0xef, 0x9c, 0xbc, 0xf8, 0xcc, 0xd2, 0xbf, 0x47, 0xec, 0xf8,
|
||||||
|
+ 0x88, 0x9b, 0xe1, 0x43, 0xbe, 0xa7, 0x47, 0x96, 0xb6, 0x5d, 0x46, 0x0e,
|
||||||
|
+ 0x7a, 0x78, 0x38, 0x19, 0xbc, 0xb5, 0xbc, 0x9b, 0x3c, 0x39, 0x92, 0x70,
|
||||||
|
+ 0x0d, 0x9d, 0x8a, 0x35, 0xaf, 0xb4, 0x9e, 0xf4, 0xef, 0xc1, 0xb8, 0x25,
|
||||||
|
+ 0xd0, 0x14, 0x91, 0xd6, 0xc2, 0xb6, 0xc7, 0x3c, 0x72, 0x91, 0x0f, 0xad,
|
||||||
|
+ 0xde, 0xb2, 0x36, 0xf8, 0x4e, 0x59, 0xd4, 0xa4, 0x21, 0x9f, 0x03, 0x95,
|
||||||
|
+ 0x48, 0x01, 0xb4, 0x05, 0xc3, 0x39, 0x60, 0x51, 0x08, 0xd0, 0xbe, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hj_signed_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed_sha256[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x01, 0xc0, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x01, 0xb1, 0x30, 0x82,
|
||||||
|
+ 0x01, 0xad, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x01,
|
||||||
|
+ 0x8a, 0x30, 0x82, 0x01, 0x86, 0x02, 0x01, 0x01, 0x30, 0x61, 0x30, 0x49,
|
||||||
|
+ 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x1f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x41, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x53, 0x69, 0x67, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x54,
|
||||||
|
+ 0x65, 0x73, 0x74, 0x20, 0x43, 0x41, 0x31, 0x1d, 0x30, 0x1b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x09, 0x01, 0x16, 0x0e, 0x64,
|
||||||
|
+ 0x6a, 0x61, 0x40, 0x61, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x2e, 0x6e, 0x65,
|
||||||
|
+ 0x74, 0x02, 0x14, 0x25, 0x2e, 0xb8, 0xfd, 0x12, 0x62, 0x2e, 0xcd, 0x5d,
|
||||||
|
+ 0xa7, 0x53, 0xd2, 0x0b, 0xc2, 0x61, 0x7c, 0x14, 0xe0, 0x0f, 0x5c, 0x30,
|
||||||
|
+ 0x0b, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x04, 0x82, 0x01, 0x00, 0x7b, 0x5e, 0x82, 0x1d, 0x21,
|
||||||
|
+ 0xb6, 0x40, 0xd3, 0x33, 0x79, 0xa7, 0x52, 0x2b, 0xfc, 0x46, 0x51, 0x26,
|
||||||
|
+ 0xfe, 0x0f, 0x81, 0x90, 0x81, 0xab, 0x57, 0x5e, 0xf6, 0x45, 0x41, 0xa3,
|
||||||
|
+ 0x7b, 0x48, 0xdd, 0xd6, 0x59, 0x60, 0x51, 0x31, 0x14, 0x14, 0x7b, 0xb4,
|
||||||
|
+ 0x55, 0x7b, 0x4d, 0xfe, 0x09, 0x7a, 0x5d, 0xae, 0xc4, 0x58, 0x50, 0x80,
|
||||||
|
+ 0x75, 0xf2, 0x23, 0x20, 0x62, 0xe3, 0x7c, 0x26, 0x1d, 0x2a, 0x4d, 0x9f,
|
||||||
|
+ 0x89, 0xf0, 0x4f, 0x95, 0x8a, 0x80, 0x6e, 0x1a, 0xea, 0x87, 0xdb, 0x1f,
|
||||||
|
+ 0xf3, 0xda, 0x04, 0x91, 0x37, 0xea, 0x0a, 0xfb, 0x6c, 0xc9, 0x3d, 0x73,
|
||||||
|
+ 0xf9, 0x58, 0x7c, 0x15, 0x6b, 0xa2, 0x52, 0x5a, 0x97, 0xff, 0xd6, 0xb0,
|
||||||
|
+ 0xf1, 0xbf, 0xa5, 0x04, 0x6d, 0x91, 0xc1, 0x54, 0x05, 0xdc, 0x7f, 0x5d,
|
||||||
|
+ 0x19, 0xaf, 0x55, 0xec, 0x51, 0xfb, 0x66, 0x0a, 0xa4, 0x4e, 0x96, 0x47,
|
||||||
|
+ 0x43, 0x54, 0x7c, 0x64, 0xa8, 0xaa, 0xb4, 0x90, 0x02, 0xf3, 0xa7, 0x0b,
|
||||||
|
+ 0xb7, 0xbf, 0x06, 0xdb, 0x5e, 0x9c, 0x32, 0x6d, 0x45, 0x14, 0x1c, 0xaf,
|
||||||
|
+ 0x46, 0x30, 0x08, 0x55, 0x49, 0x78, 0xfa, 0x57, 0xda, 0x3d, 0xf5, 0xa0,
|
||||||
|
+ 0xef, 0x11, 0x0a, 0x81, 0x0d, 0x82, 0xcd, 0xaf, 0xdb, 0xda, 0x0e, 0x1a,
|
||||||
|
+ 0x44, 0xd1, 0xee, 0xc4, 0xb8, 0xde, 0x97, 0xb4, 0xda, 0xb4, 0x8b, 0x4f,
|
||||||
|
+ 0x58, 0x24, 0x59, 0xc0, 0xe0, 0x08, 0x97, 0x14, 0x68, 0xbe, 0x31, 0x09,
|
||||||
|
+ 0x5e, 0x67, 0x45, 0xf0, 0xcb, 0x81, 0x4f, 0x17, 0x44, 0x61, 0xe0, 0xe2,
|
||||||
|
+ 0xf0, 0xfc, 0x1e, 0xb9, 0x73, 0xaf, 0x42, 0xff, 0x33, 0xde, 0x61, 0x6b,
|
||||||
|
+ 0x7f, 0xc2, 0x69, 0x0d, 0x66, 0x54, 0xae, 0xf6, 0xde, 0x20, 0x47, 0x44,
|
||||||
|
+ 0x9b, 0x73, 0xd1, 0x07, 0x6e, 0x77, 0x37, 0x0a, 0xbb, 0x7f, 0xa0, 0x93,
|
||||||
|
+ 0x2d, 0x8d, 0x44, 0xba, 0xe2, 0xdd, 0x34, 0x32, 0xd7, 0x56, 0x71, 0x00,
|
||||||
|
+ 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xc4, 0x7e,
|
||||||
|
+ 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_sha256_len = 495;
|
||||||
|
+
|
||||||
|
+unsigned char short_msg[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int short_msg_len = 3;
|
||||||
|
+
|
||||||
|
+unsigned char unsigned_msg[] = {
|
||||||
|
+ 0x53, 0x65, 0x64, 0x20, 0x75, 0x74, 0x20, 0x70, 0x65, 0x72, 0x73, 0x70,
|
||||||
|
+ 0x69, 0x63, 0x69, 0x61, 0x74, 0x69, 0x73, 0x20, 0x75, 0x6e, 0x64, 0x65,
|
||||||
|
+ 0x20, 0x6f, 0x6d, 0x6e, 0x69, 0x73, 0x20, 0x69, 0x73, 0x74, 0x65, 0x20,
|
||||||
|
+ 0x6e, 0x61, 0x74, 0x75, 0x73, 0x20, 0x65, 0x72, 0x72, 0x6f, 0x72, 0x20,
|
||||||
|
+ 0x73, 0x69, 0x74, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x20, 0x61, 0x63, 0x63, 0x75, 0x73, 0x61, 0x6e, 0x74, 0x69,
|
||||||
|
+ 0x75, 0x6d, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x71, 0x75,
|
||||||
|
+ 0x65, 0x20, 0x6c, 0x61, 0x75, 0x64, 0x61, 0x6e, 0x74, 0x69, 0x75, 0x6d,
|
||||||
|
+ 0x2c, 0x20, 0x74, 0x6f, 0x74, 0x61, 0x6d, 0x20, 0x72, 0x65, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x70, 0x65, 0x72, 0x69, 0x61, 0x6d, 0x2c, 0x20, 0x65, 0x61, 0x71,
|
||||||
|
+ 0x75, 0x65, 0x20, 0x69, 0x70, 0x73, 0x61, 0x20, 0x71, 0x75, 0x61, 0x65,
|
||||||
|
+ 0x20, 0x61, 0x62, 0x20, 0x69, 0x6c, 0x6c, 0x6f, 0x20, 0x69, 0x6e, 0x76,
|
||||||
|
+ 0x65, 0x6e, 0x74, 0x6f, 0x72, 0x65, 0x20, 0x76, 0x65, 0x72, 0x69, 0x74,
|
||||||
|
+ 0x61, 0x74, 0x69, 0x73, 0x20, 0x65, 0x74, 0x20, 0x71, 0x75, 0x61, 0x73,
|
||||||
|
+ 0x69, 0x20, 0x61, 0x72, 0x63, 0x68, 0x69, 0x74, 0x65, 0x63, 0x74, 0x6f,
|
||||||
|
+ 0x20, 0x62, 0x65, 0x61, 0x74, 0x61, 0x65, 0x20, 0x76, 0x69, 0x74, 0x61,
|
||||||
|
+ 0x65, 0x20, 0x64, 0x69, 0x63, 0x74, 0x61, 0x20, 0x73, 0x75, 0x6e, 0x74,
|
||||||
|
+ 0x20, 0x65, 0x78, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x62, 0x6f, 0x2e, 0x20,
|
||||||
|
+ 0x4e, 0x65, 0x6d, 0x6f, 0x20, 0x65, 0x6e, 0x69, 0x6d, 0x20, 0x69, 0x70,
|
||||||
|
+ 0x73, 0x61, 0x6d, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x20, 0x71, 0x75, 0x69, 0x61, 0x20, 0x76, 0x6f, 0x6c, 0x75,
|
||||||
|
+ 0x70, 0x74, 0x61, 0x73, 0x20, 0x73, 0x69, 0x74, 0x20, 0x61, 0x73, 0x70,
|
||||||
|
+ 0x65, 0x72, 0x6e, 0x61, 0x74, 0x75, 0x72, 0x20, 0x61, 0x75, 0x74, 0x20,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x74, 0x20, 0x61, 0x75, 0x74, 0x20, 0x66, 0x75, 0x67,
|
||||||
|
+ 0x69, 0x74, 0x2c, 0x20, 0x73, 0x65, 0x64, 0x20, 0x71, 0x75, 0x69, 0x61,
|
||||||
|
+ 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x75, 0x6e, 0x74, 0x75,
|
||||||
|
+ 0x72, 0x20, 0x6d, 0x61, 0x67, 0x6e, 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f,
|
||||||
|
+ 0x72, 0x65, 0x73, 0x20, 0x65, 0x6f, 0x73, 0x20, 0x71, 0x75, 0x69, 0x20,
|
||||||
|
+ 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x65, 0x20, 0x76, 0x6f, 0x6c, 0x75,
|
||||||
|
+ 0x70, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x20, 0x73, 0x65, 0x71, 0x75, 0x69,
|
||||||
|
+ 0x20, 0x6e, 0x65, 0x73, 0x63, 0x69, 0x75, 0x6e, 0x74, 0x2e, 0x20, 0x4e,
|
||||||
|
+ 0x65, 0x71, 0x75, 0x65, 0x20, 0x70, 0x6f, 0x72, 0x72, 0x6f, 0x20, 0x71,
|
||||||
|
+ 0x75, 0x69, 0x73, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x65, 0x73, 0x74, 0x2c,
|
||||||
|
+ 0x20, 0x71, 0x75, 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d,
|
||||||
|
+ 0x20, 0x69, 0x70, 0x73, 0x75, 0x6d, 0x20, 0x71, 0x75, 0x69, 0x61, 0x20,
|
||||||
|
+ 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x20, 0x73, 0x69, 0x74, 0x20, 0x61, 0x6d,
|
||||||
|
+ 0x65, 0x74, 0x2c, 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x63, 0x74, 0x65,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x2c, 0x20, 0x61, 0x64, 0x69, 0x70, 0x69, 0x73, 0x63,
|
||||||
|
+ 0x69, 0x20, 0x76, 0x65, 0x6c, 0x69, 0x74, 0x2c, 0x20, 0x73, 0x65, 0x64,
|
||||||
|
+ 0x20, 0x71, 0x75, 0x69, 0x61, 0x20, 0x6e, 0x6f, 0x6e, 0x20, 0x6e, 0x75,
|
||||||
|
+ 0x6d, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x65, 0x69, 0x75, 0x73, 0x20, 0x6d,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x20, 0x74, 0x65, 0x6d, 0x70, 0x6f, 0x72, 0x61, 0x20,
|
||||||
|
+ 0x69, 0x6e, 0x63, 0x69, 0x64, 0x75, 0x6e, 0x74, 0x20, 0x75, 0x74, 0x20,
|
||||||
|
+ 0x6c, 0x61, 0x62, 0x6f, 0x72, 0x65, 0x20, 0x65, 0x74, 0x20, 0x64, 0x6f,
|
||||||
|
+ 0x6c, 0x6f, 0x72, 0x65, 0x20, 0x6d, 0x61, 0x67, 0x6e, 0x61, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x6c, 0x69, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x71, 0x75, 0x61, 0x65,
|
||||||
|
+ 0x72, 0x61, 0x74, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x74,
|
||||||
|
+ 0x65, 0x6d, 0x2e, 0x20, 0x55, 0x74, 0x20, 0x65, 0x6e, 0x69, 0x6d, 0x20,
|
||||||
|
+ 0x61, 0x64, 0x20, 0x6d, 0x69, 0x6e, 0x69, 0x6d, 0x61, 0x20, 0x76, 0x65,
|
||||||
|
+ 0x6e, 0x69, 0x61, 0x6d, 0x2c, 0x20, 0x71, 0x75, 0x69, 0x73, 0x20, 0x6e,
|
||||||
|
+ 0x6f, 0x73, 0x74, 0x72, 0x75, 0x6d, 0x20, 0x65, 0x78, 0x65, 0x72, 0x63,
|
||||||
|
+ 0x69, 0x74, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x65, 0x6d, 0x20, 0x75, 0x6c,
|
||||||
|
+ 0x6c, 0x61, 0x6d, 0x20, 0x63, 0x6f, 0x72, 0x70, 0x6f, 0x72, 0x69, 0x73,
|
||||||
|
+ 0x20, 0x73, 0x75, 0x73, 0x63, 0x69, 0x70, 0x69, 0x74, 0x20, 0x6c, 0x61,
|
||||||
|
+ 0x62, 0x6f, 0x72, 0x69, 0x6f, 0x73, 0x61, 0x6d, 0x2c, 0x20, 0x6e, 0x69,
|
||||||
|
+ 0x73, 0x69, 0x20, 0x75, 0x74, 0x20, 0x61, 0x6c, 0x69, 0x71, 0x75, 0x69,
|
||||||
|
+ 0x64, 0x20, 0x65, 0x78, 0x20, 0x65, 0x61, 0x20, 0x63, 0x6f, 0x6d, 0x6d,
|
||||||
|
+ 0x6f, 0x64, 0x69, 0x20, 0x63, 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x61,
|
||||||
|
+ 0x74, 0x75, 0x72, 0x3f, 0x20, 0x51, 0x75, 0x69, 0x73, 0x20, 0x61, 0x75,
|
||||||
|
+ 0x74, 0x65, 0x6d, 0x20, 0x76, 0x65, 0x6c, 0x20, 0x65, 0x75, 0x6d, 0x20,
|
||||||
|
+ 0x69, 0x75, 0x72, 0x65, 0x20, 0x72, 0x65, 0x70, 0x72, 0x65, 0x68, 0x65,
|
||||||
|
+ 0x6e, 0x64, 0x65, 0x72, 0x69, 0x74, 0x20, 0x71, 0x75, 0x69, 0x20, 0x69,
|
||||||
|
+ 0x6e, 0x20, 0x65, 0x61, 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61,
|
||||||
|
+ 0x74, 0x65, 0x20, 0x76, 0x65, 0x6c, 0x69, 0x74, 0x20, 0x65, 0x73, 0x73,
|
||||||
|
+ 0x65, 0x20, 0x71, 0x75, 0x61, 0x6d, 0x20, 0x6e, 0x69, 0x68, 0x69, 0x6c,
|
||||||
|
+ 0x20, 0x6d, 0x6f, 0x6c, 0x65, 0x73, 0x74, 0x69, 0x61, 0x65, 0x20, 0x63,
|
||||||
|
+ 0x6f, 0x6e, 0x73, 0x65, 0x71, 0x75, 0x61, 0x74, 0x75, 0x72, 0x2c, 0x20,
|
||||||
|
+ 0x76, 0x65, 0x6c, 0x20, 0x69, 0x6c, 0x6c, 0x75, 0x6d, 0x20, 0x71, 0x75,
|
||||||
|
+ 0x69, 0x20, 0x64, 0x6f, 0x6c, 0x6f, 0x72, 0x65, 0x6d, 0x20, 0x65, 0x75,
|
||||||
|
+ 0x6d, 0x20, 0x66, 0x75, 0x67, 0x69, 0x61, 0x74, 0x20, 0x71, 0x75, 0x6f,
|
||||||
|
+ 0x20, 0x76, 0x6f, 0x6c, 0x75, 0x70, 0x74, 0x61, 0x73, 0x20, 0x6e, 0x75,
|
||||||
|
+ 0x6c, 0x6c, 0x61, 0x20, 0x70, 0x61, 0x72, 0x69, 0x61, 0x74, 0x75, 0x72,
|
||||||
|
+ 0x3f, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int unsigned_msg_len = 866;
|
||||||
|
+
|
||||||
|
+unsigned char certificate2_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x05, 0x52, 0x30, 0x82, 0x03, 0x3a, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x14, 0x5b, 0x5e, 0x59, 0xf2, 0x5f, 0x75, 0x4c, 0x8e, 0xc5,
|
||||||
|
+ 0x3a, 0x91, 0x07, 0xe9, 0xe7, 0x6d, 0x3c, 0xd0, 0x7f, 0x91, 0xff, 0x30,
|
||||||
|
+ 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
|
||||||
|
+ 0x05, 0x00, 0x30, 0x3a, 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04,
|
||||||
|
+ 0x03, 0x0c, 0x2f, 0x47, 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20,
|
||||||
|
+ 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20,
|
||||||
|
+ 0x54, 0x65, 0x73, 0x74, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
|
||||||
|
+ 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69,
|
||||||
|
+ 0x74, 0x79, 0x30, 0x20, 0x17, 0x0d, 0x32, 0x30, 0x30, 0x37, 0x32, 0x38,
|
||||||
|
+ 0x31, 0x33, 0x32, 0x34, 0x32, 0x39, 0x5a, 0x18, 0x0f, 0x32, 0x31, 0x32,
|
||||||
|
+ 0x30, 0x30, 0x37, 0x30, 0x34, 0x31, 0x33, 0x32, 0x34, 0x32, 0x39, 0x5a,
|
||||||
|
+ 0x30, 0x2b, 0x31, 0x29, 0x30, 0x27, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c,
|
||||||
|
+ 0x20, 0x47, 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20, 0x43, 0x65,
|
||||||
|
+ 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x53, 0x69,
|
||||||
|
+ 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20, 0x4b, 0x65, 0x79, 0x30, 0x82, 0x02,
|
||||||
|
+ 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
|
||||||
|
+ 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x02, 0x0f, 0x00, 0x30, 0x82, 0x02,
|
||||||
|
+ 0x0a, 0x02, 0x82, 0x02, 0x01, 0x00, 0xb0, 0x2f, 0x50, 0x01, 0x9c, 0x0e,
|
||||||
|
+ 0xd6, 0x8c, 0x07, 0xca, 0xc1, 0xcf, 0xbc, 0x03, 0xdd, 0xd3, 0xfa, 0xe3,
|
||||||
|
+ 0x4f, 0x71, 0xc1, 0x30, 0xaa, 0x09, 0x96, 0xe4, 0xd0, 0x6c, 0x42, 0x93,
|
||||||
|
+ 0xdb, 0x35, 0xf6, 0x7e, 0x1b, 0x67, 0xc0, 0xc2, 0x2d, 0x5b, 0xec, 0xca,
|
||||||
|
+ 0x35, 0x06, 0x32, 0x6c, 0x7b, 0x2c, 0xd3, 0x71, 0x2b, 0xe9, 0x7a, 0x19,
|
||||||
|
+ 0xd1, 0xf2, 0xa0, 0x7f, 0xd7, 0x4d, 0x6e, 0x28, 0xbb, 0xae, 0x49, 0x4a,
|
||||||
|
+ 0xbc, 0xea, 0x47, 0x67, 0xb8, 0x36, 0xa6, 0xf5, 0x0d, 0x0e, 0x20, 0x14,
|
||||||
|
+ 0x0c, 0x66, 0x67, 0x28, 0xb5, 0x97, 0x8b, 0x1f, 0x5e, 0x32, 0x06, 0x29,
|
||||||
|
+ 0x9c, 0x99, 0x92, 0x0f, 0x73, 0xac, 0xfd, 0xd2, 0x1d, 0xf2, 0xa8, 0x55,
|
||||||
|
+ 0x9d, 0x1b, 0xd8, 0x3d, 0xb0, 0x76, 0x9a, 0xb6, 0x6c, 0x9f, 0x62, 0x37,
|
||||||
|
+ 0x2f, 0xc0, 0xef, 0x44, 0xb3, 0x0d, 0x4a, 0x3e, 0x4f, 0x7d, 0xbd, 0xdb,
|
||||||
|
+ 0xd8, 0x75, 0x5f, 0x68, 0xe3, 0xf0, 0xec, 0x82, 0x66, 0x7c, 0x31, 0x70,
|
||||||
|
+ 0xa9, 0xa1, 0x6f, 0x38, 0x9f, 0xdf, 0xf5, 0xf0, 0x7d, 0x23, 0x9d, 0x34,
|
||||||
|
+ 0xa5, 0x85, 0xd3, 0xdf, 0x68, 0x41, 0xfc, 0x4f, 0x89, 0x45, 0x3c, 0x24,
|
||||||
|
+ 0x81, 0xa6, 0xf2, 0x3c, 0x02, 0x26, 0x09, 0x48, 0xdd, 0xfe, 0x4b, 0xb6,
|
||||||
|
+ 0x66, 0xbf, 0x8f, 0xe5, 0x5f, 0xf0, 0x5d, 0x8a, 0x61, 0x2e, 0x5f, 0x9f,
|
||||||
|
+ 0x80, 0xd9, 0xd5, 0xe6, 0x41, 0xd8, 0x10, 0x5e, 0x7a, 0xc6, 0xdb, 0x89,
|
||||||
|
+ 0xc7, 0xca, 0x6c, 0x5b, 0xb1, 0x4e, 0x7d, 0x0c, 0x03, 0xfd, 0x50, 0xca,
|
||||||
|
+ 0xbf, 0xbb, 0xe2, 0x69, 0x4b, 0x4e, 0xc2, 0x3d, 0x75, 0xfa, 0xd1, 0xcc,
|
||||||
|
+ 0xd6, 0xf9, 0x39, 0xb9, 0xdc, 0x53, 0xad, 0x62, 0xfb, 0x1b, 0x94, 0x26,
|
||||||
|
+ 0x7f, 0x21, 0x54, 0x5c, 0xb7, 0xdc, 0xe7, 0x96, 0x8c, 0xce, 0x75, 0xe0,
|
||||||
|
+ 0x17, 0x01, 0x3a, 0x3c, 0x77, 0x6e, 0xa4, 0x8b, 0x7a, 0x83, 0x28, 0x7a,
|
||||||
|
+ 0xf7, 0xb0, 0x5f, 0xfc, 0x7f, 0x2d, 0x2e, 0xec, 0xf5, 0xeb, 0x9c, 0x63,
|
||||||
|
+ 0x74, 0xd0, 0xe5, 0xdc, 0x19, 0xe4, 0x71, 0xc5, 0x4a, 0x8a, 0x54, 0xa4,
|
||||||
|
+ 0xe0, 0x7d, 0x4e, 0xbf, 0x53, 0x30, 0xaf, 0xd0, 0xeb, 0x96, 0xc3, 0xbb,
|
||||||
|
+ 0x65, 0xf7, 0x67, 0xf5, 0xae, 0xd3, 0x96, 0xf2, 0x63, 0xc8, 0x69, 0xf7,
|
||||||
|
+ 0x47, 0xcb, 0x27, 0x79, 0xe1, 0xff, 0x2f, 0x68, 0xdf, 0x1e, 0xb3, 0xb8,
|
||||||
|
+ 0x0c, 0xc5, 0x58, 0x73, 0xcc, 0xfe, 0x8c, 0xda, 0x4e, 0x3b, 0x01, 0x04,
|
||||||
|
+ 0xcd, 0xcb, 0xb8, 0x3e, 0x06, 0xfd, 0x4c, 0x0a, 0x9f, 0x5e, 0x76, 0x8c,
|
||||||
|
+ 0x0c, 0x83, 0x75, 0x09, 0x08, 0xb2, 0xdb, 0xf4, 0x49, 0x4e, 0xa0, 0xf2,
|
||||||
|
+ 0x0c, 0x7b, 0x87, 0x38, 0x9e, 0x22, 0x67, 0xbd, 0xd1, 0x97, 0x57, 0x24,
|
||||||
|
+ 0xf1, 0x46, 0x07, 0xf9, 0xd2, 0x1b, 0xec, 0x25, 0x5e, 0x67, 0xd9, 0x66,
|
||||||
|
+ 0x23, 0x1b, 0xd3, 0xe4, 0xaa, 0xec, 0x88, 0xf0, 0x7e, 0x15, 0x83, 0x51,
|
||||||
|
+ 0x31, 0x67, 0x51, 0x76, 0x5f, 0x55, 0xd7, 0x36, 0xdf, 0x4a, 0x84, 0x0b,
|
||||||
|
+ 0x6f, 0x5c, 0xbb, 0x5b, 0x8f, 0x37, 0x23, 0x7f, 0xf8, 0x17, 0x84, 0xa2,
|
||||||
|
+ 0x70, 0x20, 0x07, 0x0c, 0x90, 0x3a, 0x04, 0xfd, 0xf0, 0x08, 0x4a, 0xb1,
|
||||||
|
+ 0x16, 0x0f, 0xe6, 0xf6, 0x40, 0x51, 0x83, 0xd2, 0x87, 0x40, 0x9c, 0x1c,
|
||||||
|
+ 0x9f, 0x13, 0x38, 0x17, 0xd3, 0x34, 0x58, 0xad, 0x05, 0x71, 0xa0, 0x73,
|
||||||
|
+ 0xca, 0x40, 0xa6, 0xa4, 0x81, 0x02, 0xee, 0xa8, 0x72, 0x41, 0xa1, 0x41,
|
||||||
|
+ 0x18, 0x64, 0x8a, 0x86, 0x8a, 0x5d, 0xe6, 0x4f, 0x0a, 0xc5, 0x95, 0x98,
|
||||||
|
+ 0xf9, 0x78, 0xfe, 0x19, 0x0d, 0xc9, 0xb3, 0x89, 0xc1, 0x2b, 0x09, 0xbe,
|
||||||
|
+ 0xf1, 0xd2, 0x04, 0x5d, 0xcc, 0x28, 0xf5, 0x4b, 0xd2, 0x20, 0x4f, 0xc5,
|
||||||
|
+ 0x41, 0x9d, 0x8c, 0x85, 0xd8, 0xb0, 0x68, 0x5e, 0xc1, 0x0c, 0xb7, 0x24,
|
||||||
|
+ 0x4d, 0x67, 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x5d, 0x30, 0x5b, 0x30,
|
||||||
|
+ 0x0c, 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30,
|
||||||
|
+ 0x00, 0x30, 0x0b, 0x06, 0x03, 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02,
|
||||||
|
+ 0x07, 0x80, 0x30, 0x1d, 0x06, 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04,
|
||||||
|
+ 0x14, 0xac, 0xf5, 0x47, 0x17, 0xd9, 0x7d, 0xc1, 0xb1, 0xc4, 0x41, 0xe1,
|
||||||
|
+ 0x41, 0x60, 0xcb, 0x37, 0x11, 0x60, 0x28, 0x78, 0x5f, 0x30, 0x1f, 0x06,
|
||||||
|
+ 0x03, 0x55, 0x1d, 0x23, 0x04, 0x18, 0x30, 0x16, 0x80, 0x14, 0x21, 0x94,
|
||||||
|
+ 0xfb, 0xf9, 0xb2, 0x43, 0xe9, 0x33, 0xd7, 0x50, 0x7d, 0xc7, 0x37, 0xdb,
|
||||||
|
+ 0xd5, 0x82, 0x5a, 0x4e, 0xbe, 0x1b, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86,
|
||||||
|
+ 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x02,
|
||||||
|
+ 0x01, 0x00, 0x96, 0x70, 0x65, 0x26, 0x42, 0xf8, 0xdc, 0x69, 0xde, 0xcf,
|
||||||
|
+ 0x41, 0x3a, 0x2e, 0x7f, 0x5b, 0xf1, 0xf9, 0x3b, 0x9b, 0xd2, 0x4e, 0x64,
|
||||||
|
+ 0x48, 0x81, 0xe4, 0x5d, 0x1e, 0x22, 0xce, 0x68, 0x63, 0x62, 0xe5, 0x1b,
|
||||||
|
+ 0x9b, 0xf2, 0xc7, 0x12, 0xda, 0x1e, 0x9b, 0x90, 0x84, 0x79, 0x48, 0x12,
|
||||||
|
+ 0xe6, 0x21, 0x6f, 0x2f, 0x7e, 0x18, 0x77, 0xdb, 0x8c, 0xc4, 0xd1, 0x0d,
|
||||||
|
+ 0x91, 0xbf, 0x39, 0x22, 0x0f, 0x64, 0xcf, 0x25, 0x2e, 0x8c, 0x1f, 0x91,
|
||||||
|
+ 0x81, 0xb5, 0xe9, 0x6c, 0x02, 0x3a, 0xf8, 0x07, 0xa2, 0x6f, 0x46, 0x5d,
|
||||||
|
+ 0x7b, 0xfd, 0x43, 0xff, 0x41, 0x0f, 0xe2, 0x57, 0x1c, 0xbd, 0x48, 0x60,
|
||||||
|
+ 0x53, 0x11, 0x48, 0x87, 0x88, 0x9d, 0x13, 0x82, 0x40, 0x68, 0x44, 0x2c,
|
||||||
|
+ 0xc6, 0xc8, 0x95, 0x27, 0x4f, 0xb6, 0xb9, 0x4a, 0x22, 0x0a, 0xfd, 0xe4,
|
||||||
|
+ 0x46, 0x8f, 0x35, 0x12, 0x98, 0x5a, 0x34, 0x6f, 0x2b, 0x57, 0x62, 0xa1,
|
||||||
|
+ 0x4d, 0x8d, 0x79, 0x37, 0xe4, 0x6b, 0x8a, 0x32, 0x5b, 0xcb, 0xef, 0x79,
|
||||||
|
+ 0x11, 0xed, 0xa7, 0xf8, 0x7a, 0x1c, 0xbd, 0x86, 0xdc, 0x0e, 0x2e, 0xfd,
|
||||||
|
+ 0xd3, 0x51, 0xbb, 0x73, 0xad, 0x00, 0xa0, 0x1b, 0xf9, 0x1d, 0xd1, 0x4a,
|
||||||
|
+ 0xe4, 0xd4, 0x02, 0x63, 0x2b, 0x39, 0x5f, 0x18, 0x08, 0x2f, 0x42, 0xb7,
|
||||||
|
+ 0x23, 0x4b, 0x48, 0x46, 0x1f, 0x63, 0x87, 0xae, 0x6d, 0xd5, 0xdb, 0x60,
|
||||||
|
+ 0xf8, 0x5f, 0xd3, 0x13, 0xec, 0xca, 0xdd, 0x60, 0x60, 0x79, 0x52, 0x70,
|
||||||
|
+ 0x47, 0xae, 0x1d, 0x38, 0x78, 0x71, 0xcf, 0xb3, 0x04, 0x03, 0xbe, 0xba,
|
||||||
|
+ 0x81, 0xba, 0x74, 0xb1, 0x30, 0x35, 0xdc, 0xea, 0x21, 0x4a, 0x9b, 0x70,
|
||||||
|
+ 0xfb, 0xd6, 0x60, 0x59, 0x78, 0x0c, 0x4d, 0x39, 0x19, 0x1d, 0xe5, 0x75,
|
||||||
|
+ 0xba, 0x07, 0xf4, 0x22, 0x37, 0x64, 0xb7, 0xf2, 0x9a, 0xc9, 0x11, 0x2d,
|
||||||
|
+ 0x8e, 0x58, 0xa6, 0xcf, 0x83, 0xf1, 0xcb, 0x6c, 0x7f, 0x02, 0xbd, 0xda,
|
||||||
|
+ 0x03, 0x92, 0xa9, 0x45, 0x24, 0x56, 0xc5, 0xbd, 0x41, 0xd1, 0x20, 0x86,
|
||||||
|
+ 0xc0, 0xb6, 0xb7, 0xe8, 0xa7, 0xb2, 0x46, 0xf7, 0x8e, 0xa9, 0x38, 0x0e,
|
||||||
|
+ 0x23, 0x77, 0x3c, 0x0d, 0x66, 0x83, 0x6a, 0x1a, 0x6b, 0x7f, 0x54, 0x11,
|
||||||
|
+ 0x58, 0x0d, 0x4a, 0xb5, 0x74, 0x60, 0xca, 0xed, 0xff, 0x91, 0x47, 0xd9,
|
||||||
|
+ 0x29, 0xe0, 0xaa, 0x8c, 0xa8, 0x8f, 0x10, 0x4c, 0x15, 0x7d, 0xce, 0x95,
|
||||||
|
+ 0xf9, 0x87, 0x1e, 0x18, 0x38, 0x18, 0xfc, 0xcc, 0xaf, 0x91, 0x17, 0x3f,
|
||||||
|
+ 0xfa, 0xf0, 0x8a, 0x09, 0x6f, 0xba, 0x4e, 0x53, 0xf7, 0xfa, 0x4f, 0x20,
|
||||||
|
+ 0xa3, 0xf4, 0x4a, 0x5a, 0xde, 0x17, 0x1c, 0x29, 0x6a, 0x6f, 0x03, 0x48,
|
||||||
|
+ 0xdf, 0xad, 0x4f, 0xe4, 0xbc, 0x71, 0xc4, 0x72, 0x32, 0x11, 0x84, 0xac,
|
||||||
|
+ 0x09, 0xd2, 0x18, 0x44, 0x35, 0xf1, 0xcd, 0xaf, 0xa8, 0x98, 0xe0, 0x8b,
|
||||||
|
+ 0xec, 0xa0, 0x83, 0x37, 0xc3, 0x35, 0x85, 0xd6, 0xd8, 0x1b, 0xe0, 0x75,
|
||||||
|
+ 0xdc, 0xfd, 0xde, 0xc9, 0xeb, 0xd5, 0x18, 0x0f, 0xd3, 0x4c, 0x2f, 0x71,
|
||||||
|
+ 0xdc, 0x48, 0xe3, 0x14, 0xeb, 0xda, 0x00, 0x24, 0x24, 0x9e, 0xa3, 0x8e,
|
||||||
|
+ 0x3e, 0x08, 0x6f, 0x22, 0x24, 0xd6, 0xc4, 0x85, 0x8f, 0x68, 0x00, 0x4a,
|
||||||
|
+ 0x82, 0x4c, 0x33, 0x6e, 0xa5, 0x35, 0x7b, 0xeb, 0x4b, 0xdc, 0xa0, 0xa6,
|
||||||
|
+ 0x65, 0x6f, 0x5a, 0x7a, 0xdf, 0x8a, 0x01, 0x52, 0xa1, 0x6c, 0xff, 0x59,
|
||||||
|
+ 0x22, 0x7f, 0xe1, 0x96, 0x1b, 0x19, 0xb8, 0xf9, 0x5d, 0x44, 0x9f, 0x91,
|
||||||
|
+ 0x03, 0x3c, 0x3d, 0xa1, 0x2a, 0xb6, 0x5a, 0x51, 0xa0, 0xce, 0x4a, 0x88,
|
||||||
|
+ 0x22, 0x72, 0x9c, 0xdc, 0xc0, 0x47, 0x76, 0x35, 0x84, 0x75, 0x9b, 0x87,
|
||||||
|
+ 0x5c, 0xd3, 0xcf, 0xe7, 0xdd, 0xa3, 0x57, 0x14, 0xdf, 0x00, 0xfd, 0x19,
|
||||||
|
+ 0x2a, 0x7d, 0x89, 0x27, 0x1c, 0x78, 0x97, 0x04, 0x58, 0x48
|
||||||
|
+};
|
||||||
|
+unsigned int certificate2_der_len = 1366;
|
||||||
|
+
|
||||||
|
+unsigned char hi_signed_2nd[] = {
|
||||||
|
+ 0x68, 0x69, 0x0a, 0x30, 0x82, 0x02, 0xb1, 0x06, 0x09, 0x2a, 0x86, 0x48,
|
||||||
|
+ 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x02, 0xa0, 0x82, 0x02, 0xa2, 0x30, 0x82,
|
||||||
|
+ 0x02, 0x9e, 0x02, 0x01, 0x01, 0x31, 0x0d, 0x30, 0x0b, 0x06, 0x09, 0x60,
|
||||||
|
+ 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01, 0x31, 0x82, 0x02,
|
||||||
|
+ 0x7b, 0x30, 0x82, 0x02, 0x77, 0x02, 0x01, 0x01, 0x30, 0x52, 0x30, 0x3a,
|
||||||
|
+ 0x31, 0x38, 0x30, 0x36, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x2f, 0x47,
|
||||||
|
+ 0x72, 0x75, 0x62, 0x20, 0x32, 0x6e, 0x64, 0x20, 0x43, 0x65, 0x72, 0x74,
|
||||||
|
+ 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x54, 0x65, 0x73, 0x74,
|
||||||
|
+ 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65,
|
||||||
|
+ 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x74, 0x79, 0x02, 0x14,
|
||||||
|
+ 0x5b, 0x5e, 0x59, 0xf2, 0x5f, 0x75, 0x4c, 0x8e, 0xc5, 0x3a, 0x91, 0x07,
|
||||||
|
+ 0xe9, 0xe7, 0x6d, 0x3c, 0xd0, 0x7f, 0x91, 0xff, 0x30, 0x0b, 0x06, 0x09,
|
||||||
|
+ 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x03, 0x30, 0x0d, 0x06,
|
||||||
|
+ 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
|
||||||
|
+ 0x04, 0x82, 0x02, 0x00, 0x0e, 0xc2, 0x30, 0x38, 0x81, 0x23, 0x68, 0x90,
|
||||||
|
+ 0xae, 0x5f, 0xce, 0xf7, 0x27, 0xb1, 0x8c, 0x2e, 0x12, 0x10, 0xc6, 0x99,
|
||||||
|
+ 0xdc, 0x4d, 0x4b, 0x79, 0xda, 0xe4, 0x32, 0x10, 0x46, 0x1c, 0x16, 0x07,
|
||||||
|
+ 0x87, 0x66, 0x55, 0xff, 0x64, 0x1c, 0x61, 0x25, 0xd5, 0xb9, 0xe1, 0xfe,
|
||||||
|
+ 0xea, 0x5a, 0xcd, 0x56, 0xa5, 0xc3, 0xbe, 0xb1, 0x61, 0xc7, 0x6f, 0x5f,
|
||||||
|
+ 0x69, 0x20, 0x64, 0x50, 0x6f, 0x12, 0x78, 0xb6, 0x0c, 0x72, 0x44, 0x4f,
|
||||||
|
+ 0x60, 0x0f, 0x9f, 0xa2, 0x83, 0x3b, 0xc2, 0x83, 0xd5, 0x14, 0x1f, 0x6f,
|
||||||
|
+ 0x3e, 0xb2, 0x47, 0xb5, 0x58, 0xc5, 0xa7, 0xb4, 0x82, 0x53, 0x2e, 0x53,
|
||||||
|
+ 0x95, 0x4e, 0x3d, 0xe4, 0x62, 0xe8, 0xa1, 0xaf, 0xae, 0xbf, 0xa9, 0xd2,
|
||||||
|
+ 0x22, 0x07, 0xbe, 0x71, 0x37, 0x2c, 0x5a, 0xa7, 0x6c, 0xaf, 0x14, 0xc0,
|
||||||
|
+ 0x6c, 0x2f, 0xbf, 0x4f, 0x15, 0xc2, 0x0f, 0x8b, 0xdc, 0x68, 0x45, 0xdf,
|
||||||
|
+ 0xf3, 0xa5, 0x7f, 0x11, 0x6a, 0x54, 0xcd, 0x67, 0xb9, 0x2e, 0x7d, 0x05,
|
||||||
|
+ 0xe3, 0x1c, 0x1d, 0xcc, 0x77, 0x8e, 0x97, 0xb1, 0xa0, 0x11, 0x09, 0x3d,
|
||||||
|
+ 0x90, 0x54, 0xfc, 0x7e, 0xbb, 0xbb, 0x21, 0x23, 0x03, 0x44, 0xbf, 0x7d,
|
||||||
|
+ 0x2c, 0xc9, 0x15, 0x42, 0xe5, 0xa0, 0x3b, 0xa2, 0xd1, 0x5b, 0x73, 0x81,
|
||||||
|
+ 0xff, 0xfa, 0x90, 0xfc, 0x27, 0x7b, 0x2f, 0x86, 0x9c, 0x1d, 0x14, 0x36,
|
||||||
|
+ 0x94, 0xa2, 0x6e, 0xe8, 0x9d, 0xa0, 0x5f, 0xfc, 0x5a, 0x0d, 0xa4, 0xd5,
|
||||||
|
+ 0x2f, 0x8d, 0xd6, 0x00, 0xfa, 0x93, 0x5b, 0x09, 0x7f, 0x42, 0x78, 0xcc,
|
||||||
|
+ 0x8c, 0x49, 0xda, 0xd9, 0xf6, 0x43, 0xe7, 0xe1, 0x3c, 0xa2, 0xe2, 0x70,
|
||||||
|
+ 0xe2, 0x6a, 0x99, 0xc5, 0xd6, 0xa2, 0xe3, 0x0b, 0xd4, 0x09, 0xac, 0x94,
|
||||||
|
+ 0xaf, 0xb7, 0xf0, 0xb3, 0x0c, 0x1e, 0xf5, 0x16, 0x4f, 0x53, 0x9a, 0xe3,
|
||||||
|
+ 0xcc, 0xe2, 0x0c, 0x4a, 0xb9, 0xe6, 0x06, 0xbb, 0xf7, 0x41, 0x43, 0x20,
|
||||||
|
+ 0x04, 0xee, 0x99, 0x2f, 0xd8, 0x9f, 0xda, 0x3f, 0xfd, 0x49, 0xb8, 0xc2,
|
||||||
|
+ 0xbd, 0xd9, 0xc5, 0x72, 0xfd, 0xe3, 0xce, 0x1c, 0xbc, 0xe4, 0x39, 0xac,
|
||||||
|
+ 0x2a, 0x99, 0xe9, 0xb4, 0x3e, 0x74, 0x10, 0xeb, 0xd5, 0x14, 0xcc, 0xdb,
|
||||||
|
+ 0xf1, 0x04, 0x63, 0x36, 0xfb, 0x1f, 0x2b, 0xe2, 0x73, 0xd4, 0xd8, 0x49,
|
||||||
|
+ 0x31, 0xa8, 0x55, 0xcc, 0xa7, 0x76, 0x36, 0x6e, 0x18, 0xdc, 0xb9, 0xb0,
|
||||||
|
+ 0x29, 0x99, 0xcf, 0x49, 0xbf, 0xf9, 0xdb, 0x7f, 0x24, 0x42, 0x02, 0xcb,
|
||||||
|
+ 0xc1, 0xaa, 0xcb, 0xba, 0x18, 0x85, 0x86, 0xc7, 0xf4, 0x1c, 0x62, 0x76,
|
||||||
|
+ 0xbc, 0x73, 0xfb, 0xe4, 0x15, 0xb8, 0xdd, 0x5d, 0xa6, 0x68, 0x39, 0xa5,
|
||||||
|
+ 0x3d, 0x33, 0xaf, 0xd5, 0x92, 0x4d, 0x48, 0xdb, 0x22, 0xc0, 0xdc, 0x49,
|
||||||
|
+ 0x5f, 0x7b, 0xa8, 0xd2, 0x62, 0x2d, 0xa7, 0x39, 0x93, 0x48, 0xe7, 0x6b,
|
||||||
|
+ 0x23, 0xba, 0xd4, 0xe0, 0xc1, 0x29, 0x55, 0xc4, 0x34, 0xe3, 0xac, 0x25,
|
||||||
|
+ 0xa7, 0x15, 0xad, 0xab, 0xb3, 0xb7, 0x25, 0xca, 0x37, 0x88, 0x40, 0x2e,
|
||||||
|
+ 0x47, 0x6e, 0x92, 0x20, 0x09, 0x2e, 0x5a, 0xec, 0xf2, 0xfb, 0xb3, 0xa0,
|
||||||
|
+ 0x16, 0xb6, 0x93, 0xf2, 0xf5, 0x8b, 0xfe, 0xaf, 0x25, 0xee, 0x2e, 0x98,
|
||||||
|
+ 0x6c, 0x0a, 0xfe, 0xae, 0x0b, 0x57, 0xf5, 0x9f, 0x3c, 0x80, 0xe9, 0x8b,
|
||||||
|
+ 0xaf, 0x92, 0x8a, 0xad, 0xe7, 0xa0, 0xe4, 0xe6, 0x0a, 0xa0, 0xc7, 0x83,
|
||||||
|
+ 0xb5, 0x48, 0x58, 0x5f, 0x55, 0x9e, 0x9b, 0x27, 0xcd, 0x31, 0x1f, 0x3e,
|
||||||
|
+ 0x50, 0x5a, 0x91, 0xad, 0x21, 0x1b, 0x97, 0x5b, 0xe8, 0xfa, 0x29, 0x8a,
|
||||||
|
+ 0xa4, 0x17, 0xe8, 0xab, 0x87, 0x02, 0xd6, 0x18, 0x8c, 0x9f, 0x65, 0xb7,
|
||||||
|
+ 0x2a, 0xfa, 0xde, 0x5f, 0x77, 0x30, 0x6c, 0x04, 0x22, 0xe6, 0x58, 0x26,
|
||||||
|
+ 0x14, 0x0d, 0x9c, 0x41, 0x0a, 0x82, 0x77, 0xdb, 0x40, 0xa1, 0x58, 0xac,
|
||||||
|
+ 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xb5,
|
||||||
|
+ 0x7e, 0x4d, 0x6f, 0x64, 0x75, 0x6c, 0x65, 0x20, 0x73, 0x69, 0x67, 0x6e,
|
||||||
|
+ 0x61, 0x74, 0x75, 0x72, 0x65, 0x20, 0x61, 0x70, 0x70, 0x65, 0x6e, 0x64,
|
||||||
|
+ 0x65, 0x64, 0x7e, 0x0a
|
||||||
|
+};
|
||||||
|
+unsigned int hi_signed_2nd_len = 736;
|
||||||
|
+
|
||||||
|
+unsigned char certificate_printable_der[] = {
|
||||||
|
+ 0x30, 0x82, 0x03, 0x39, 0x30, 0x82, 0x02, 0x21, 0xa0, 0x03, 0x02, 0x01,
|
||||||
|
+ 0x02, 0x02, 0x09, 0x00, 0xde, 0xf6, 0x22, 0xc4, 0xf2, 0xf1, 0x86, 0x02,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x0b, 0x05, 0x00, 0x30, 0x2a, 0x31, 0x28, 0x30, 0x26, 0x06, 0x03, 0x55,
|
||||||
|
+ 0x04, 0x03, 0x13, 0x1f, 0x52, 0x65, 0x64, 0x20, 0x48, 0x61, 0x74, 0x20,
|
||||||
|
+ 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42, 0x6f, 0x6f, 0x74, 0x20,
|
||||||
|
+ 0x43, 0x41, 0x20, 0x32, 0x20, 0x28, 0x62, 0x65, 0x74, 0x61, 0x29, 0x30,
|
||||||
|
+ 0x1e, 0x17, 0x0d, 0x31, 0x34, 0x31, 0x30, 0x33, 0x31, 0x31, 0x34, 0x31,
|
||||||
|
+ 0x39, 0x32, 0x33, 0x5a, 0x17, 0x0d, 0x33, 0x37, 0x31, 0x30, 0x32, 0x35,
|
||||||
|
+ 0x31, 0x34, 0x31, 0x39, 0x32, 0x33, 0x5a, 0x30, 0x2f, 0x31, 0x2d, 0x30,
|
||||||
|
+ 0x2b, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x24, 0x52, 0x65, 0x64, 0x20,
|
||||||
|
+ 0x48, 0x61, 0x74, 0x20, 0x53, 0x65, 0x63, 0x75, 0x72, 0x65, 0x20, 0x42,
|
||||||
|
+ 0x6f, 0x6f, 0x74, 0x20, 0x53, 0x69, 0x67, 0x6e, 0x69, 0x6e, 0x67, 0x20,
|
||||||
|
+ 0x33, 0x20, 0x28, 0x62, 0x65, 0x74, 0x61, 0x29, 0x30, 0x82, 0x01, 0x22,
|
||||||
|
+ 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01,
|
||||||
|
+ 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30, 0x82, 0x01, 0x0a,
|
||||||
|
+ 0x02, 0x82, 0x01, 0x01, 0x00, 0xbd, 0xda, 0xa1, 0xed, 0x8d, 0x8e, 0x15,
|
||||||
|
+ 0x5c, 0xf8, 0x01, 0x77, 0x48, 0x4a, 0x60, 0x96, 0xf9, 0x27, 0xfa, 0xe2,
|
||||||
|
+ 0xb1, 0x69, 0x0f, 0x51, 0x19, 0x52, 0x7e, 0xc4, 0x34, 0x8e, 0xe1, 0x9b,
|
||||||
|
+ 0x9c, 0xa4, 0xb1, 0x5c, 0xd6, 0x81, 0x98, 0x78, 0xfe, 0xa9, 0xe5, 0x0b,
|
||||||
|
+ 0x00, 0xba, 0x9c, 0x64, 0x7e, 0xc7, 0xcc, 0x72, 0xb1, 0x73, 0x4b, 0x11,
|
||||||
|
+ 0x07, 0x52, 0xf0, 0x20, 0x96, 0x8b, 0x99, 0x39, 0xde, 0xdb, 0xfa, 0x3d,
|
||||||
|
+ 0x45, 0xe2, 0x98, 0x7b, 0x0c, 0x41, 0xe4, 0x0c, 0xb5, 0x5d, 0x92, 0x74,
|
||||||
|
+ 0x39, 0x96, 0xe1, 0x97, 0x97, 0xa1, 0xad, 0x2e, 0xcc, 0xd0, 0x1b, 0x4d,
|
||||||
|
+ 0x9d, 0xbd, 0x3e, 0xa9, 0x36, 0x8e, 0xcc, 0xc7, 0x5f, 0x6a, 0x7d, 0x39,
|
||||||
|
+ 0x5e, 0x0b, 0x8d, 0xca, 0xe4, 0x83, 0xe9, 0x3b, 0x5c, 0x86, 0x47, 0xd4,
|
||||||
|
+ 0xba, 0x7d, 0x98, 0x26, 0xa1, 0xf4, 0xe8, 0x90, 0x6b, 0x0f, 0xf1, 0x6b,
|
||||||
|
+ 0x8c, 0xe3, 0xa2, 0x80, 0x3c, 0x96, 0xf1, 0x0a, 0xb6, 0x66, 0xc0, 0x4b,
|
||||||
|
+ 0x61, 0xf7, 0x74, 0xcd, 0xd3, 0x7b, 0x8e, 0x5e, 0x39, 0xda, 0x99, 0x20,
|
||||||
|
+ 0x33, 0x93, 0xd3, 0xf0, 0x7f, 0xad, 0x35, 0xe9, 0x88, 0x8d, 0x9c, 0xbf,
|
||||||
|
+ 0x65, 0xf1, 0x47, 0x02, 0xf9, 0x7c, 0xed, 0x27, 0x5f, 0x4a, 0x65, 0x3c,
|
||||||
|
+ 0xcf, 0x5f, 0x0e, 0x88, 0x95, 0x74, 0xde, 0xfb, 0x9e, 0x2e, 0x91, 0x9b,
|
||||||
|
+ 0x45, 0x37, 0xc8, 0x85, 0xff, 0xe3, 0x41, 0x70, 0xfe, 0xd5, 0xef, 0x0e,
|
||||||
|
+ 0x82, 0x22, 0x08, 0xb7, 0x3b, 0x44, 0x3e, 0xdc, 0x5b, 0x7f, 0xba, 0xbf,
|
||||||
|
+ 0xe6, 0x58, 0x9d, 0x02, 0x6e, 0x75, 0xbf, 0x50, 0xec, 0xcf, 0x3f, 0xa5,
|
||||||
|
+ 0x91, 0x0a, 0xe2, 0x59, 0x2c, 0xc3, 0xe7, 0x05, 0x03, 0xe8, 0xf2, 0x6f,
|
||||||
|
+ 0x2a, 0x04, 0x68, 0x9a, 0x31, 0x32, 0x8f, 0x04, 0x35, 0xcd, 0x1f, 0x34,
|
||||||
|
+ 0xcc, 0x4f, 0x79, 0x5a, 0x99, 0x8d, 0x9d, 0x5c, 0xf5, 0x02, 0x03, 0x01,
|
||||||
|
+ 0x00, 0x01, 0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x0c, 0x06, 0x03, 0x55, 0x1d,
|
||||||
|
+ 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00, 0x30, 0x0b, 0x06, 0x03,
|
||||||
|
+ 0x55, 0x1d, 0x0f, 0x04, 0x04, 0x03, 0x02, 0x07, 0x80, 0x30, 0x1d, 0x06,
|
||||||
|
+ 0x03, 0x55, 0x1d, 0x0e, 0x04, 0x16, 0x04, 0x14, 0x65, 0xc5, 0xbe, 0xca,
|
||||||
|
+ 0xe6, 0x59, 0x6a, 0xfd, 0x6c, 0x71, 0xc4, 0xa7, 0x98, 0xc6, 0x25, 0x8d,
|
||||||
|
+ 0x7b, 0x67, 0x05, 0xd0, 0x30, 0x1f, 0x06, 0x03, 0x55, 0x1d, 0x23, 0x04,
|
||||||
|
+ 0x18, 0x30, 0x16, 0x80, 0x14, 0x81, 0xf8, 0xee, 0x47, 0x5c, 0x3e, 0xed,
|
||||||
|
+ 0xfb, 0xce, 0xa5, 0x84, 0xbe, 0xd7, 0xae, 0xdb, 0xd3, 0x7d, 0x64, 0xb3,
|
||||||
|
+ 0x2a, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
|
||||||
|
+ 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x66, 0x1e, 0x3d,
|
||||||
|
+ 0x1d, 0x53, 0x33, 0xde, 0x4e, 0xc7, 0xc4, 0xf4, 0xdf, 0xda, 0x18, 0x19,
|
||||||
|
+ 0x8a, 0xa9, 0xff, 0xe2, 0x63, 0x2b, 0xbe, 0xf2, 0x61, 0x63, 0xe2, 0xf6,
|
||||||
|
+ 0xed, 0x47, 0x1a, 0x71, 0x02, 0xec, 0x2a, 0xef, 0x89, 0x77, 0xe3, 0xfd,
|
||||||
|
+ 0x86, 0x69, 0xf1, 0x3f, 0x0d, 0xf9, 0x6e, 0xf9, 0x3b, 0xad, 0x26, 0x47,
|
||||||
|
+ 0xb7, 0xf2, 0x0d, 0xad, 0x23, 0xa3, 0x67, 0x3b, 0xcb, 0x6d, 0x9e, 0x03,
|
||||||
|
+ 0x0f, 0xbc, 0x69, 0x73, 0x9f, 0xd4, 0xa5, 0x0f, 0x6f, 0xf8, 0xab, 0x4d,
|
||||||
|
+ 0x36, 0xd1, 0xe0, 0xe0, 0x5d, 0x20, 0x43, 0x90, 0xc4, 0x65, 0x61, 0x93,
|
||||||
|
+ 0xe2, 0x0f, 0x51, 0x59, 0x0a, 0xf7, 0x88, 0x70, 0x57, 0xb9, 0x04, 0xa9,
|
||||||
|
+ 0x32, 0x57, 0x9c, 0xb3, 0x57, 0x38, 0x8b, 0x8e, 0x46, 0xc8, 0x32, 0x6c,
|
||||||
|
+ 0xb4, 0xf3, 0x96, 0x7f, 0x4b, 0xf0, 0x88, 0xf9, 0x7f, 0xe2, 0x71, 0xe1,
|
||||||
|
+ 0x8b, 0xe2, 0x14, 0xf1, 0x4b, 0x25, 0x00, 0x48, 0x1c, 0x7e, 0xe5, 0x8d,
|
||||||
|
+ 0x65, 0x2d, 0xeb, 0x72, 0x4f, 0x92, 0x44, 0xf3, 0xe6, 0xe0, 0xd0, 0xdf,
|
||||||
|
+ 0x85, 0xa8, 0x13, 0x4a, 0xfb, 0x99, 0xca, 0x14, 0x2c, 0x97, 0x80, 0x93,
|
||||||
|
+ 0x27, 0xd3, 0x20, 0xf8, 0x6d, 0x29, 0x28, 0x2c, 0xb9, 0x77, 0xea, 0xb1,
|
||||||
|
+ 0x63, 0xbd, 0x7d, 0x53, 0xfd, 0x4a, 0x62, 0x64, 0x0b, 0x98, 0xa8, 0xae,
|
||||||
|
+ 0x11, 0xfc, 0x6e, 0x8d, 0x63, 0xd4, 0x15, 0x55, 0xc6, 0x4c, 0x74, 0xf5,
|
||||||
|
+ 0x5f, 0xa0, 0xb9, 0x2c, 0x2d, 0x9a, 0x7a, 0x87, 0x6e, 0xf0, 0x5e, 0x25,
|
||||||
|
+ 0xed, 0xfc, 0xd8, 0xc4, 0x34, 0x33, 0x32, 0xad, 0x01, 0xd4, 0x4b, 0x49,
|
||||||
|
+ 0x51, 0xc2, 0x07, 0x7f, 0x90, 0x6d, 0xea, 0xf5, 0x4c, 0x41, 0x71, 0x64,
|
||||||
|
+ 0xeb, 0x1f, 0x29, 0xa3, 0x1f, 0x64, 0xa2, 0x1e, 0x0e, 0x6f, 0xa1, 0x67,
|
||||||
|
+ 0x99, 0x8d, 0x98, 0x1c, 0xb8, 0x53, 0x9d, 0x30, 0x1d, 0xae, 0x32, 0x56,
|
||||||
|
+ 0xd2
|
||||||
|
+};
|
||||||
|
+unsigned int certificate_printable_der_len = 829;
|
329
SOURCES/0369-appended-signatures-documentation.patch
@ -0,0 +1,329 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Thu, 1 Oct 2020 13:02:09 +1000
|
||||||
|
Subject: [PATCH] appended signatures: documentation
|
||||||
|
|
||||||
|
This explains how appended signatures can be used to form part of
|
||||||
|
a secure boot chain, and documents the commands and variables
|
||||||
|
introduced.
|
||||||
|
|
||||||
|
(docs: s/grub/grub2/)
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
docs/grub.texi | 185 +++++++++++++++++++++++++++++++++++++++++++++++++++++----
|
||||||
|
1 file changed, 172 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
|
index a833364d5ff..97f0f47e082 100644
|
||||||
|
--- a/docs/grub.texi
|
||||||
|
+++ b/docs/grub.texi
|
||||||
|
@@ -3160,6 +3160,7 @@ These variables have special meaning to GRUB.
|
||||||
|
|
||||||
|
@menu
|
||||||
|
* biosnum::
|
||||||
|
+* check_appended_signatures::
|
||||||
|
* check_signatures::
|
||||||
|
* chosen::
|
||||||
|
* cmdpath::
|
||||||
|
@@ -3219,11 +3220,18 @@ For an alternative approach which also changes BIOS drive mappings for the
|
||||||
|
chain-loaded system, @pxref{drivemap}.
|
||||||
|
|
||||||
|
|
||||||
|
+@node check_appended_signatures
|
||||||
|
+@subsection check_appended_signatures
|
||||||
|
+
|
||||||
|
+This variable controls whether GRUB enforces appended signature validation on
|
||||||
|
+certain loaded files. @xref{Using appended signatures}.
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node check_signatures
|
||||||
|
@subsection check_signatures
|
||||||
|
|
||||||
|
-This variable controls whether GRUB enforces digital signature
|
||||||
|
-validation on loaded files. @xref{Using digital signatures}.
|
||||||
|
+This variable controls whether GRUB enforces GPG-style digital signature
|
||||||
|
+validation on loaded files. @xref{Using GPG-style digital signatures}.
|
||||||
|
|
||||||
|
@node chosen
|
||||||
|
@subsection chosen
|
||||||
|
@@ -3937,6 +3945,7 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* date:: Display or set current date and time
|
||||||
|
* devicetree:: Load a device tree blob
|
||||||
|
* distrust:: Remove a pubkey from trusted keys
|
||||||
|
+* distrust_certificate:: Remove a certificate from the list of trusted certificates
|
||||||
|
* drivemap:: Map a drive to another
|
||||||
|
* echo:: Display a line of text
|
||||||
|
* eval:: Evaluate agruments as GRUB commands
|
||||||
|
@@ -3953,6 +3962,7 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* keystatus:: Check key modifier status
|
||||||
|
* linux:: Load a Linux kernel
|
||||||
|
* linux16:: Load a Linux kernel (16-bit mode)
|
||||||
|
+* list_certificates:: List trusted certificates
|
||||||
|
* list_env:: List variables in environment block
|
||||||
|
* list_trusted:: List trusted public keys
|
||||||
|
* load_env:: Load variables from environment block
|
||||||
|
@@ -3989,9 +3999,11 @@ you forget a command, you can run the command @command{help}
|
||||||
|
* test:: Check file types and compare values
|
||||||
|
* true:: Do nothing, successfully
|
||||||
|
* trust:: Add public key to list of trusted keys
|
||||||
|
+* trust_certificate:: Add an x509 certificate to the list of trusted certificates
|
||||||
|
* unset:: Unset an environment variable
|
||||||
|
* uppermem:: Set the upper memory size
|
||||||
|
@comment * vbeinfo:: List available video modes
|
||||||
|
+* verify_appended:: Verify appended digital signature
|
||||||
|
* verify_detached:: Verify detached digital signature
|
||||||
|
* videoinfo:: List available video modes
|
||||||
|
@comment * xen_*:: Xen boot commands for AArch64
|
||||||
|
@@ -4282,9 +4294,28 @@ These keys are used to validate signatures when environment variable
|
||||||
|
@code{check_signatures} is set to @code{enforce}
|
||||||
|
(@pxref{check_signatures}), and by some invocations of
|
||||||
|
@command{verify_detached} (@pxref{verify_detached}). @xref{Using
|
||||||
|
-digital signatures}, for more information.
|
||||||
|
+GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
+
|
||||||
|
+@node distrust_certificate
|
||||||
|
+@subsection distrust_certificate
|
||||||
|
+
|
||||||
|
+@deffn Command distrust_certificate cert_number
|
||||||
|
+Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
|
||||||
|
+trusted x509 certificates for verifying appended signatures.
|
||||||
|
+
|
||||||
|
+@var{cert_number} is the certificate number as listed by
|
||||||
|
+@command{list_certificates} (@pxref{list_certificates}).
|
||||||
|
+
|
||||||
|
+These certificates are used to validate appended signatures when environment
|
||||||
|
+variable @code{check_appended_signatures} is set to @code{enforce}
|
||||||
|
+(@pxref{check_appended_signatures}), and by @command{verify_appended}
|
||||||
|
+(@pxref{verify_appended}). See @xref{Using appended signatures} for more
|
||||||
|
+information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node drivemap
|
||||||
|
@subsection drivemap
|
||||||
|
|
||||||
|
@@ -4542,6 +4573,21 @@ This command is only available on x86 systems.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
+@node list_certificates
|
||||||
|
+@subsection list_certificates
|
||||||
|
+
|
||||||
|
+@deffn Command list_certificates
|
||||||
|
+List all x509 certificates trusted by GRUB for validating appended signatures.
|
||||||
|
+The output is a numbered list of certificates, showing the certificate's serial
|
||||||
|
+number and Common Name.
|
||||||
|
+
|
||||||
|
+The certificate number can be used as an argument to
|
||||||
|
+@command{distrust_certificate} (@pxref{distrust_certificate}).
|
||||||
|
+
|
||||||
|
+See @xref{Using appended signatures} for more information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node list_env
|
||||||
|
@subsection list_env
|
||||||
|
|
||||||
|
@@ -4561,7 +4607,7 @@ The output is in GPG's v4 key fingerprint format (i.e., the output of
|
||||||
|
@code{gpg --fingerprint}). The least significant four bytes (last
|
||||||
|
eight hexadecimal digits) can be used as an argument to
|
||||||
|
@command{distrust} (@pxref{distrust}).
|
||||||
|
-@xref{Using digital signatures}, for more information about uses for
|
||||||
|
+@xref{Using GPG-style digital signatures}, for more information about uses for
|
||||||
|
these keys.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
@@ -4596,8 +4642,12 @@ When used with care, @option{--skip-sig} and the whitelist enable an
|
||||||
|
administrator to configure a system to boot only signed
|
||||||
|
configurations, but to allow the user to select from among multiple
|
||||||
|
configurations, and to enable ``one-shot'' boot attempts and
|
||||||
|
-``savedefault'' behavior. @xref{Using digital signatures}, for more
|
||||||
|
+``savedefault'' behavior. @xref{Using GPG-style digital signatures}, for more
|
||||||
|
information.
|
||||||
|
+
|
||||||
|
+Extra care should be taken when combining this command with appended signatures
|
||||||
|
+(@pxref{Using appended signatures}), as this file is not validated by an
|
||||||
|
+appended signature and could set @code{check_appended_signatures=no}.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
@@ -4883,7 +4933,7 @@ read. It is possible to modify a digitally signed environment block
|
||||||
|
file from within GRUB using this command, such that its signature will
|
||||||
|
no longer be valid on subsequent boots. Care should be taken in such
|
||||||
|
advanced configurations to avoid rendering the system
|
||||||
|
-unbootable. @xref{Using digital signatures}, for more information.
|
||||||
|
+unbootable. @xref{Using GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
@@ -5208,11 +5258,31 @@ signatures when environment variable @code{check_signatures} is set to
|
||||||
|
must itself be properly signed. The @option{--skip-sig} option can be
|
||||||
|
used to disable signature-checking when reading @var{pubkey_file}
|
||||||
|
itself. It is expected that @option{--skip-sig} is useful for testing
|
||||||
|
-and manual booting. @xref{Using digital signatures}, for more
|
||||||
|
+and manual booting. @xref{Using GPG-style digital signatures}, for more
|
||||||
|
information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
|
||||||
|
+@node trust_certificate
|
||||||
|
+@subsection trust_certificate
|
||||||
|
+
|
||||||
|
+@deffn Command trust_certificate x509_certificate
|
||||||
|
+Read an DER-formatted x509 certificate from the file @var{x509_certificate}
|
||||||
|
+and add it to GRUB's internal list of trusted x509 certificates. These
|
||||||
|
+certificates are used to validate appended signatures when the environment
|
||||||
|
+variable @code{check_appended_signatures} is set to @code{enforce}.
|
||||||
|
+
|
||||||
|
+Note that if @code{check_appended_signatures} is set to @code{enforce}
|
||||||
|
+when @command{trust_certificate} is executed, then @var{x509_certificate}
|
||||||
|
+must itself bear an appended signature. (It is not sufficient that
|
||||||
|
+@var{x509_certificate} be signed by a trusted certificate according to the
|
||||||
|
+x509 rules: grub does not include support for validating signatures within x509
|
||||||
|
+certificates themselves.)
|
||||||
|
+
|
||||||
|
+See @xref{Using appended signatures} for more information.
|
||||||
|
+@end deffn
|
||||||
|
+
|
||||||
|
+
|
||||||
|
@node unset
|
||||||
|
@subsection unset
|
||||||
|
|
||||||
|
@@ -5237,6 +5307,18 @@ only on PC BIOS platforms.
|
||||||
|
@end deffn
|
||||||
|
@end ignore
|
||||||
|
|
||||||
|
+@node verify_appended
|
||||||
|
+@subsection verify_appended
|
||||||
|
+
|
||||||
|
+@deffn Command verify_appended file
|
||||||
|
+Verifies an appended signature on @var{file} against the trusted certificates
|
||||||
|
+known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
|
||||||
|
+@pxref{distrust_certificate}).
|
||||||
|
+
|
||||||
|
+Exit code @code{$?} is set to 0 if the signature validates
|
||||||
|
+successfully. If validation fails, it is set to a non-zero value.
|
||||||
|
+See @xref{Using appended signatures}, for more information.
|
||||||
|
+@end deffn
|
||||||
|
|
||||||
|
@node verify_detached
|
||||||
|
@subsection verify_detached
|
||||||
|
@@ -5255,7 +5337,7 @@ tried.
|
||||||
|
|
||||||
|
Exit code @code{$?} is set to 0 if the signature validates
|
||||||
|
successfully. If validation fails, it is set to a non-zero value.
|
||||||
|
-@xref{Using digital signatures}, for more information.
|
||||||
|
+@xref{Using GPG-style digital signatures}, for more information.
|
||||||
|
@end deffn
|
||||||
|
|
||||||
|
@node videoinfo
|
||||||
|
@@ -5601,9 +5683,10 @@ environment variables and commands are listed in the same order.
|
||||||
|
@chapter Security
|
||||||
|
|
||||||
|
@menu
|
||||||
|
-* Authentication and authorisation:: Users and access control
|
||||||
|
-* Using digital signatures:: Booting digitally signed code
|
||||||
|
-* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
+* Authentication and authorisation:: Users and access control
|
||||||
|
+* Using GPG-style digital signatures:: Booting digitally signed code
|
||||||
|
+* Using appended signatures:: An alternative approach to booting digitally signed code
|
||||||
|
+* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
|
@end menu
|
||||||
|
|
||||||
|
@node Authentication and authorisation
|
||||||
|
@@ -5676,8 +5759,8 @@ generating configuration files with authentication. You can use
|
||||||
|
adding @kbd{set superusers=} and @kbd{password} or @kbd{password_pbkdf2}
|
||||||
|
commands.
|
||||||
|
|
||||||
|
-@node Using digital signatures
|
||||||
|
-@section Using digital signatures in GRUB
|
||||||
|
+@node Using GPG-style digital signatures
|
||||||
|
+@section Using GPG-style digital signatures in GRUB
|
||||||
|
|
||||||
|
GRUB's @file{core.img} can optionally provide enforcement that all files
|
||||||
|
subsequently read from disk are covered by a valid digital signature.
|
||||||
|
@@ -5760,6 +5843,82 @@ or BIOS) configuration to cause the machine to boot from a different
|
||||||
|
(attacker-controlled) device. GRUB is at best only one link in a
|
||||||
|
secure boot chain.
|
||||||
|
|
||||||
|
+@node Using appended signatures
|
||||||
|
+@section Using appended signatures in GRUB
|
||||||
|
+
|
||||||
|
+GRUB supports verifying Linux-style 'appended signatures' for secure boot.
|
||||||
|
+Appended signatures are PKCS#7 messages containing a signature over the
|
||||||
|
+contents of a file, plus some metadata, appended to the end of a file. A file
|
||||||
|
+with an appended signature ends with the magic string:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+~Module signature appended~\n
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+where @code{\n} represents the carriage-return character, @code{0x0a}.
|
||||||
|
+
|
||||||
|
+To enable appended signature verification, load the appendedsig module and an
|
||||||
|
+x509 certificate for verification. Building the appendedsig module into the
|
||||||
|
+core grub image is recommended.
|
||||||
|
+
|
||||||
|
+Certificates can be managed at boot time using the @pxref{trust_certificate},
|
||||||
|
+@pxref{distrust_certificate} and @pxref{list_certificates} commands.
|
||||||
|
+Certificates can also be built in to the core image using the @code{--x509}
|
||||||
|
+parameter to @command{grub-install} or @command{grub-mkimage}.
|
||||||
|
+
|
||||||
|
+A file can be explictly verified using the @pxref{verify_appended} command.
|
||||||
|
+
|
||||||
|
+Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
|
||||||
|
+and only RSA signatures are supported.
|
||||||
|
+
|
||||||
|
+A file can be signed with the @command{sign-file} utility supplied with the
|
||||||
|
+Linux kernel source. For example, if you have @code{signing.key} as the private
|
||||||
|
+key and @code{certificate.der} as the x509 certificate containing the public key:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+sign-file SHA256 signing.key certificate.der vmlinux vmlinux.signed
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+Enforcement of signature verification is controlled by the
|
||||||
|
+@code{check_appended_signatures} variable. Verification will only take place
|
||||||
|
+when files are loaded if the variable is set to @code{enforce}. If a
|
||||||
|
+certificate is built into the grub core image with the @code{--x509} parameter,
|
||||||
|
+the variable will be automatically set to @code{enforce} when the appendedsig
|
||||||
|
+module is loaded.
|
||||||
|
+
|
||||||
|
+Unlike GPG-style signatures, not all files loaded by GRUB are required to be
|
||||||
|
+signed. Once verification is turned on, the following file types must carry
|
||||||
|
+appended signatures:
|
||||||
|
+
|
||||||
|
+@enumerate
|
||||||
|
+@item Linux, Multiboot, BSD, XNU and Plan9 kernels
|
||||||
|
+@item Grub modules, except those built in to the core image
|
||||||
|
+@item Any new certificate files to be trusted
|
||||||
|
+@end enumerate
|
||||||
|
+
|
||||||
|
+ACPI tables and Device Tree images will not be checked for appended signatures
|
||||||
|
+but must be verified by another mechanism such as GPG-style signatures before
|
||||||
|
+they will be loaded.
|
||||||
|
+
|
||||||
|
+No attempt is made to validate any other file type. In particular,
|
||||||
|
+chain-loaded binaries are not verified - if your platform supports
|
||||||
|
+chain-loading and this cannot be disabled, consider an alternative secure
|
||||||
|
+boot mechanism.
|
||||||
|
+
|
||||||
|
+As with GPG-style appended signatures, signature checking does @strong{not}
|
||||||
|
+stop an attacker with console access from dropping manually to the GRUB
|
||||||
|
+console and executing:
|
||||||
|
+
|
||||||
|
+@example
|
||||||
|
+set check_appended_signatures=no
|
||||||
|
+@end example
|
||||||
|
+
|
||||||
|
+Refer to the section on password-protecting GRUB (@pxref{Authentication
|
||||||
|
+and authorisation}) for more information on preventing this.
|
||||||
|
+
|
||||||
|
+Additionally, special care must be taken around the @command{loadenv} command,
|
||||||
|
+which can be used to turn off @code{check_appended_signature}.
|
||||||
|
+
|
||||||
|
@node Signing GRUB itself
|
||||||
|
@section Signing GRUB itself
|
||||||
|
|
@ -0,0 +1,137 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Daniel Axtens <dja@axtens.net>
|
||||||
|
Date: Mon, 28 Sep 2020 11:11:17 +1000
|
||||||
|
Subject: [PATCH] ieee1275: link appended-signature enforcement to
|
||||||
|
/ibm,secure-boot
|
||||||
|
|
||||||
|
If the 'ibm,secure-boot' property of the root node is 2 or greater,
|
||||||
|
require that the kernel pass appended-signature verification.
|
||||||
|
|
||||||
|
Do not consider the presence of a certificate to enforce verification.
|
||||||
|
|
||||||
|
Signed-off-by: Daniel Axtens <dja@axtens.net>
|
||||||
|
---
|
||||||
|
grub-core/commands/appendedsig/appendedsig.c | 44 +++++++++++++++++++++-------
|
||||||
|
grub-core/kern/ieee1275/init.c | 26 ++++++++++++++++
|
||||||
|
2 files changed, 60 insertions(+), 10 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/commands/appendedsig/appendedsig.c b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
index 5d8897be5c8..4ef2ec2893c 100644
|
||||||
|
--- a/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
+++ b/grub-core/commands/appendedsig/appendedsig.c
|
||||||
|
@@ -95,10 +95,24 @@ static char *
|
||||||
|
grub_env_write_sec (struct grub_env_var *var __attribute__((unused)),
|
||||||
|
const char *val)
|
||||||
|
{
|
||||||
|
+ if (check_sigs == 2)
|
||||||
|
+ return grub_strdup ("forced");
|
||||||
|
check_sigs = (*val == '1') || (*val == 'e');
|
||||||
|
return grub_strdup (check_sigs ? "enforce" : "no");
|
||||||
|
}
|
||||||
|
|
||||||
|
+static const char *
|
||||||
|
+grub_env_read_sec (struct grub_env_var *var __attribute__ ((unused)),
|
||||||
|
+ const char *val __attribute__ ((unused)))
|
||||||
|
+{
|
||||||
|
+ if (check_sigs == 2)
|
||||||
|
+ return "forced";
|
||||||
|
+ else if (check_sigs == 1)
|
||||||
|
+ return "enforce";
|
||||||
|
+ else
|
||||||
|
+ return "no";
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static grub_err_t
|
||||||
|
read_cert_from_file (grub_file_t f, struct x509_certificate *certificate)
|
||||||
|
{
|
||||||
|
@@ -552,14 +566,20 @@ GRUB_MOD_INIT (appendedsig)
|
||||||
|
val = grub_env_get ("check_appended_signatures");
|
||||||
|
grub_dprintf ("appendedsig", "check_appended_signatures='%s'\n", val);
|
||||||
|
|
||||||
|
- if (val && (val[0] == '1' || val[0] == 'e'))
|
||||||
|
- check_sigs = 1;
|
||||||
|
- else
|
||||||
|
- check_sigs = 0;
|
||||||
|
+ if (val)
|
||||||
|
+ {
|
||||||
|
+ if (val[0] == '2' || val[0] == 'f')
|
||||||
|
+ check_sigs = 2;
|
||||||
|
+ else if (val[0] == '1' || val[0] == 'e')
|
||||||
|
+ check_sigs = 1;
|
||||||
|
+ else
|
||||||
|
+ check_sigs = 0;
|
||||||
|
+ }
|
||||||
|
|
||||||
|
grub_trusted_key = NULL;
|
||||||
|
|
||||||
|
- grub_register_variable_hook ("check_appended_signatures", 0,
|
||||||
|
+ grub_register_variable_hook ("check_appended_signatures",
|
||||||
|
+ grub_env_read_sec,
|
||||||
|
grub_env_write_sec);
|
||||||
|
grub_env_export ("check_appended_signatures");
|
||||||
|
|
||||||
|
@@ -603,11 +623,15 @@ GRUB_MOD_INIT (appendedsig)
|
||||||
|
grub_trusted_key = pk;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (!val || val[0] == '\0')
|
||||||
|
- {
|
||||||
|
- grub_env_set ("check_appended_signatures",
|
||||||
|
- grub_trusted_key ? "enforce" : "no");
|
||||||
|
- }
|
||||||
|
+ /*
|
||||||
|
+ * When controlled by ibm,secure-boot, we don't want the presence of
|
||||||
|
+ * a certificate to enforce secure boot.
|
||||||
|
+ * if (!val || val[0] == '\0')
|
||||||
|
+ * {
|
||||||
|
+ * grub_env_set ("check_appended_signatures",
|
||||||
|
+ * grub_trusted_key ? "enforce" : "no");
|
||||||
|
+ * }
|
||||||
|
+ */
|
||||||
|
|
||||||
|
cmd_trust =
|
||||||
|
grub_register_command ("trust_certificate", grub_cmd_trust,
|
||||||
|
diff --git a/grub-core/kern/ieee1275/init.c b/grub-core/kern/ieee1275/init.c
|
||||||
|
index e731a57a47b..22dc3013d86 100644
|
||||||
|
--- a/grub-core/kern/ieee1275/init.c
|
||||||
|
+++ b/grub-core/kern/ieee1275/init.c
|
||||||
|
@@ -268,6 +268,30 @@ grub_parse_cmdline (void)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+static void
|
||||||
|
+grub_get_ieee1275_secure_boot (void)
|
||||||
|
+{
|
||||||
|
+ grub_ieee1275_phandle_t root;
|
||||||
|
+ int rc;
|
||||||
|
+ grub_uint32_t is_sb;
|
||||||
|
+
|
||||||
|
+ grub_ieee1275_finddevice ("/", &root);
|
||||||
|
+
|
||||||
|
+ rc = grub_ieee1275_get_integer_property (root, "ibm,secure-boot", &is_sb,
|
||||||
|
+ sizeof (is_sb), 0);
|
||||||
|
+
|
||||||
|
+ /* ibm,secure-boot:
|
||||||
|
+ * 0 - disabled
|
||||||
|
+ * 1 - audit
|
||||||
|
+ * 2 - enforce
|
||||||
|
+ * 3 - enforce + OS-specific behaviour
|
||||||
|
+ *
|
||||||
|
+ * We only support enforce.
|
||||||
|
+ */
|
||||||
|
+ if (rc >= 0 && is_sb >= 2)
|
||||||
|
+ grub_env_set("check_appended_signatures", "forced");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
grub_addr_t grub_modbase;
|
||||||
|
|
||||||
|
void
|
||||||
|
@@ -290,6 +314,8 @@ grub_machine_init (void)
|
||||||
|
#else
|
||||||
|
grub_install_get_time_ms (grub_rtc_get_time_ms);
|
||||||
|
#endif
|
||||||
|
+
|
||||||
|
+ grub_get_ieee1275_secure_boot ();
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
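Review bot: In `grub_get_ieee1275_secure_boot` (grub-core/kern/ieee1275/init.c hunk) the result of `grub_ieee1275_finddevice ("/", &root)` is ignored, so if the lookup fails `root` is passed to `grub_ieee1275_get_integer_property` uninitialized; since this function decides whether appended-signature enforcement is forced, that failure should be handled explicitly rather than reading through an indeterminate handle. Assuming the usual non-zero-on-failure convention of these wrappers, `if (grub_ieee1275_finddevice ("/", &root)) return;` before the property read would do, and initializing `grub_uint32_t is_sb = 0;` guards against a property read that reports success without writing the value. Separately, the `GRUB_MOD_INIT (appendedsig)` hunk keeps the old `grub_env_set` block as commented-out code inside the explanatory comment; keep the two-sentence explanation and drop the dead code. Note also that the "forced" state only survives if nothing resets `check_appended_signatures` between `grub_machine_init` and the module's init, which holds when appendedsig is built into the core image as the documentation on this page recommends, and is worth a short comment next to `grub_env_set("check_appended_signatures", "forced")`.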
SOURCES/0371-include-grub-verify.h-Add-include-guard.patch
@ -0,0 +1,37 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Date: Wed, 14 Nov 2018 19:29:15 +0000
|
||||||
|
Subject: [PATCH] include/grub/verify.h: Add include guard
|
||||||
|
|
||||||
|
verify.h was added without include guards. This means compiling anything
|
||||||
|
including both include/grub/verify.h and include/grub/lib/cmdline.h fails
|
||||||
|
(at least grub-core/loader/arm64/linux.c.
|
||||||
|
|
||||||
|
Add the necessary include guard.
|
||||||
|
|
||||||
|
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
include/grub/verify.h | 5 +++++
|
||||||
|
1 file changed, 5 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/include/grub/verify.h b/include/grub/verify.h
|
||||||
|
index 60c13e7ea8e..ace72d74663 100644
|
||||||
|
--- a/include/grub/verify.h
|
||||||
|
+++ b/include/grub/verify.h
|
||||||
|
@@ -16,6 +16,9 @@
|
||||||
|
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
+#ifndef GRUB_VERIFY_HEADER
|
||||||
|
+#define GRUB_VERIFY_HEADER 1
|
||||||
|
+
|
||||||
|
#include <grub/file.h>
|
||||||
|
#include <grub/list.h>
|
||||||
|
|
||||||
|
@@ -89,3 +92,5 @@ char grub_is_dangerous_module (grub_file_t io);
|
||||||
|
* Returns the name if one is loaded, otherwise NULL.
|
||||||
|
*/
|
||||||
|
const char *grub_dangerous_module_loaded (void);
|
||||||
|
+
|
||||||
|
+#endif /* ! GRUB_VERIFY_HEADER */
|
@ -0,0 +1,40 @@
|
|||||||
|
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Lee Jones <lee.jones@linaro.org>
|
||||||
|
Date: Tue, 20 Nov 2018 10:45:04 +0000
|
||||||
|
Subject: [PATCH] arm64/xen: Fix too few arguments to function
|
||||||
|
grub_create_loader_cmdline()
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
Without this fix, building xen_boot.c omits:
|
||||||
|
|
||||||
|
loader/arm64/xen_boot.c: In function ‘xen_boot_binary_load’:
|
||||||
|
loader/arm64/xen_boot.c:370:7: error: too few arguments to function ‘grub_create_loader_cmdline’
|
||||||
|
grub_create_loader_cmdline (argc - 1, argv + 1, binary->cmdline,
|
||||||
|
^~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
In file included from loader/arm64/xen_boot.c:36:0:
|
||||||
|
../include/grub/lib/cmdline.h:29:12: note: declared here
|
||||||
|
grub_err_t grub_create_loader_cmdline (int argc, char *argv[], char *buf,
|
||||||
|
|
||||||
|
Signed-off-by: Lee Jones <lee.jones@linaro.org>
|
||||||
|
Reviewed-by: Julien Grall <julien.grall@arm.com>
|
||||||
|
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
||||||
|
---
|
||||||
|
grub-core/loader/arm64/xen_boot.c | 3 ++-
|
||||||
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/grub-core/loader/arm64/xen_boot.c b/grub-core/loader/arm64/xen_boot.c
|
||||||
|
index 318c833de57..1a337866f08 100644
|
||||||
|
--- a/grub-core/loader/arm64/xen_boot.c
|
||||||
|
+++ b/grub-core/loader/arm64/xen_boot.c
|
||||||
|
@@ -367,7 +367,8 @@ xen_boot_binary_load (struct xen_boot_binary *binary, grub_file_t file,
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
grub_create_loader_cmdline (argc - 1, argv + 1, binary->cmdline,
|
||||||
|
- binary->cmdline_size);
|
||||||
|
+ binary->cmdline_size,
|
||||||
|
+ GRUB_VERIFY_KERNEL_CMDLINE);
|
||||||
|
grub_dprintf ("xen_loader",
|
||||||
|
"Xen_boot cmdline @ %p %s, size: %d\n",
|
||||||
|
binary->cmdline, binary->cmdline, binary->cmdline_size);
|
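Review bot: The return value of `grub_create_loader_cmdline` is still discarded in `xen_boot_binary_load` after the new `GRUB_VERIFY_KERNEL_CMDLINE` argument is added; the prototype quoted in the commit message returns `grub_err_t`, and passing the verify flag means the command line can now be rejected, so a failed check would go unnoticed while the `grub_dprintf` below still runs and the load continues. Consider `if (grub_create_loader_cmdline (argc - 1, argv + 1, binary->cmdline, binary->cmdline_size, GRUB_VERIFY_KERNEL_CMDLINE) != GRUB_ERR_NONE) return;` (the function returns void, as the `return;` two lines above shows), releasing `binary->cmdline` first if this function owns that allocation. `xen_boot_binary_load` begins and ends outside the hunk.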
@ -45,14 +45,14 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
include/grub/lockdown.h | 44 +++++++++++++++++++++
|
include/grub/lockdown.h | 44 +++++++++++++++++++++
|
||||||
conf/Makefile.common | 2 +
|
conf/Makefile.common | 2 +
|
||||||
docs/grub-dev.texi | 27 +++++++++++++
|
docs/grub-dev.texi | 27 +++++++++++++
|
||||||
docs/grub.texi | 9 +++++
|
docs/grub.texi | 8 ++++
|
||||||
grub-core/Makefile.am | 5 ++-
|
grub-core/Makefile.am | 5 ++-
|
||||||
11 files changed, 239 insertions(+), 1 deletion(-)
|
11 files changed, 238 insertions(+), 1 deletion(-)
|
||||||
create mode 100644 grub-core/kern/lockdown.c
|
create mode 100644 grub-core/kern/lockdown.c
|
||||||
create mode 100644 include/grub/lockdown.h
|
create mode 100644 include/grub/lockdown.h
|
||||||
|
|
||||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||||
index c8a50b4fcfa..0eb7f312b29 100644
|
index 8914083d13f..02fbecd4b81 100644
|
||||||
--- a/grub-core/Makefile.core.def
|
--- a/grub-core/Makefile.core.def
|
||||||
+++ b/grub-core/Makefile.core.def
|
+++ b/grub-core/Makefile.core.def
|
||||||
@@ -197,6 +197,7 @@ kernel = {
|
@@ -197,6 +197,7 @@ kernel = {
|
||||||
@ -389,21 +389,20 @@ index 3ce827ab726..421dd410e50 100644
|
|||||||
@appendix Copying This Manual
|
@appendix Copying This Manual
|
||||||
|
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index c54bee31679..0a53c28ee88 100644
|
index 97f0f47e082..f957535dbea 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -5610,6 +5610,8 @@ environment variables and commands are listed in the same order.
|
@@ -5687,6 +5687,7 @@ environment variables and commands are listed in the same order.
|
||||||
@menu
|
* Using GPG-style digital signatures:: Booting digitally signed code
|
||||||
* Authentication and authorisation:: Users and access control
|
* Using appended signatures:: An alternative approach to booting digitally signed code
|
||||||
* Using digital signatures:: Booting digitally signed code
|
* Signing GRUB itself:: Ensuring the integrity of the GRUB core image
|
||||||
+* Lockdown:: Lockdown when booting on a secure setup
|
+* Lockdown:: Lockdown when booting on a secure setup
|
||||||
+
|
|
||||||
@end menu
|
@end menu
|
||||||
|
|
||||||
@node Authentication and authorisation
|
@node Authentication and authorisation
|
||||||
@@ -5772,6 +5774,13 @@ or BIOS) configuration to cause the machine to boot from a different
|
@@ -5977,6 +5978,13 @@ As with UEFI secure boot, it is necessary to build in the required modules,
|
||||||
(attacker-controlled) device. GRUB is at best only one link in a
|
or sign them separately.
|
||||||
secure boot chain.
|
|
||||||
|
|
||||||
+@node Lockdown
|
+@node Lockdown
|
||||||
+@section Lockdown when booting on a secure setup
|
+@section Lockdown when booting on a secure setup
|
@ -38,10 +38,10 @@ index f87ddaeb1ee..30cba7f5ea2 100644
|
|||||||
|
|
||||||
int
|
int
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index 0a53c28ee88..6f5efaace32 100644
|
index f957535dbea..755de88d7d8 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -5781,6 +5781,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
|
@@ -5985,6 +5985,9 @@ The GRUB can be locked down when booted on a secure boot environment, for exampl
|
||||||
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
if the UEFI secure boot is enabled. On a locked down configuration, the GRUB will
|
||||||
be restricted and some operations/commands cannot be executed.
|
be restricted and some operations/commands cannot be executed.
|
||||||
|
|
@ -22,7 +22,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
2 files changed, 13 insertions(+), 7 deletions(-)
|
2 files changed, 13 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
|
diff --git a/grub-core/commands/acpi.c b/grub-core/commands/acpi.c
|
||||||
index 9f02f22019a..a2912989b5c 100644
|
index 5a1499aa0e3..1215f2a62ef 100644
|
||||||
--- a/grub-core/commands/acpi.c
|
--- a/grub-core/commands/acpi.c
|
||||||
+++ b/grub-core/commands/acpi.c
|
+++ b/grub-core/commands/acpi.c
|
||||||
@@ -27,6 +27,7 @@
|
@@ -27,6 +27,7 @@
|
||||||
@ -55,10 +55,10 @@ index 9f02f22019a..a2912989b5c 100644
|
|||||||
|
|
||||||
GRUB_MOD_FINI(acpi)
|
GRUB_MOD_FINI(acpi)
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index 6f5efaace32..a724d0712ed 100644
|
index 755de88d7d8..01acf672b80 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -4033,6 +4033,11 @@ Normally, this command will replace the Root System Description Pointer
|
@@ -4038,6 +4038,11 @@ Normally, this command will replace the Root System Description Pointer
|
||||||
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
|
(RSDP) in the Extended BIOS Data Area to point to the new tables. If the
|
||||||
@option{--no-ebda} option is used, the new tables will be known only to
|
@option{--no-ebda} option is used, the new tables will be known only to
|
||||||
GRUB, but may be used by GRUB's EFI emulation.
|
GRUB, but may be used by GRUB's EFI emulation.
|
@ -50,10 +50,10 @@ index 57b4e9a72a9..7ebf32e1e5e 100644
|
|||||||
}
|
}
|
||||||
|
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index a724d0712ed..a9b02190404 100644
|
index 01acf672b80..f1675b6140c 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -4098,6 +4098,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
@@ -4103,6 +4103,10 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
||||||
that are often result of memory damage, due to physical distribution of memory
|
that are often result of memory damage, due to physical distribution of memory
|
||||||
cells.
|
cells.
|
||||||
|
|
@ -27,7 +27,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
4 files changed, 16 insertions(+), 14 deletions(-)
|
4 files changed, 16 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
diff --git a/grub-core/commands/efi/loadbios.c b/grub-core/commands/efi/loadbios.c
|
||||||
index 132cadbc764..3da4c26df7a 100644
|
index d41d521a4ae..5c7725f8bd8 100644
|
||||||
--- a/grub-core/commands/efi/loadbios.c
|
--- a/grub-core/commands/efi/loadbios.c
|
||||||
+++ b/grub-core/commands/efi/loadbios.c
|
+++ b/grub-core/commands/efi/loadbios.c
|
||||||
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
@@ -205,14 +205,14 @@ static grub_command_t cmd_fakebios, cmd_loadbios;
|
||||||
@ -53,10 +53,10 @@ index 132cadbc764..3da4c26df7a 100644
|
|||||||
|
|
||||||
GRUB_MOD_FINI(loadbios)
|
GRUB_MOD_FINI(loadbios)
|
||||||
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
|
||||||
index ea29d7a724a..ff2911baa67 100644
|
index 1e944a2b671..653f2e07692 100644
|
||||||
--- a/grub-core/loader/arm/linux.c
|
--- a/grub-core/loader/arm/linux.c
|
||||||
+++ b/grub-core/loader/arm/linux.c
|
+++ b/grub-core/loader/arm/linux.c
|
||||||
@@ -489,9 +489,9 @@ GRUB_MOD_INIT (linux)
|
@@ -493,9 +493,9 @@ GRUB_MOD_INIT (linux)
|
||||||
0, N_("Load Linux."));
|
0, N_("Load Linux."));
|
||||||
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
|
||||||
0, N_("Load initrd."));
|
0, N_("Load initrd."));
|
||||||
@ -70,7 +70,7 @@ index ea29d7a724a..ff2911baa67 100644
|
|||||||
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
current_fdt = (const void *) grub_arm_firmware_get_boot_data ();
|
||||||
machine_type = grub_arm_firmware_get_machine_type ();
|
machine_type = grub_arm_firmware_get_machine_type ();
|
||||||
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
|
||||||
index a9dbcfdfeaf..c0ea050dc8b 100644
|
index e3ee3ad79d6..64c560f5610 100644
|
||||||
--- a/grub-core/loader/efi/fdt.c
|
--- a/grub-core/loader/efi/fdt.c
|
||||||
+++ b/grub-core/loader/efi/fdt.c
|
+++ b/grub-core/loader/efi/fdt.c
|
||||||
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
|
@@ -167,8 +167,8 @@ static grub_command_t cmd_devicetree;
|
||||||
@ -85,10 +85,10 @@ index a9dbcfdfeaf..c0ea050dc8b 100644
|
|||||||
|
|
||||||
GRUB_MOD_FINI (fdt)
|
GRUB_MOD_FINI (fdt)
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index a9b02190404..71943b15dd1 100644
|
index f1675b6140c..c55452307dc 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -4276,13 +4276,15 @@ hour, minute, and second unchanged.
|
@@ -4281,13 +4281,15 @@ hour, minute, and second unchanged.
|
||||||
|
|
||||||
|
|
||||||
@node devicetree
|
@node devicetree
|
@ -14,10 +14,10 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
1 file changed, 17 insertions(+), 14 deletions(-)
|
1 file changed, 17 insertions(+), 14 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
diff --git a/grub-core/loader/xnu.c b/grub-core/loader/xnu.c
|
||||||
index 2bf02489bad..0c4b33250fb 100644
|
index 5944dc5eafc..b33a384321c 100644
|
||||||
--- a/grub-core/loader/xnu.c
|
--- a/grub-core/loader/xnu.c
|
||||||
+++ b/grub-core/loader/xnu.c
|
+++ b/grub-core/loader/xnu.c
|
||||||
@@ -1480,20 +1480,23 @@ GRUB_MOD_INIT(xnu)
|
@@ -1489,20 +1489,23 @@ GRUB_MOD_INIT(xnu)
|
||||||
N_("Load XNU image."));
|
N_("Load XNU image."));
|
||||||
cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
|
cmd_kernel64 = grub_register_command ("xnu_kernel64", grub_cmd_xnu_kernel64,
|
||||||
0, N_("Load 64-bit XNU image."));
|
0, N_("Load 64-bit XNU image."));
|
@ -14,10 +14,10 @@ Reviewed-by: Javier Martinez Canillas <javierm@redhat.com>
|
|||||||
1 file changed, 21 insertions(+)
|
1 file changed, 21 insertions(+)
|
||||||
|
|
||||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||||
index 71943b15dd1..067aa294162 100644
|
index c55452307dc..314bbeb8471 100644
|
||||||
--- a/docs/grub.texi
|
--- a/docs/grub.texi
|
||||||
+++ b/docs/grub.texi
|
+++ b/docs/grub.texi
|
||||||
@@ -3941,6 +3941,7 @@ you forget a command, you can run the command @command{help}
|
@@ -3942,6 +3942,7 @@ you forget a command, you can run the command @command{help}
|
||||||
* cpuid:: Check for CPU features
|
* cpuid:: Check for CPU features
|
||||||
* crc:: Compute or check CRC32 checksums
|
* crc:: Compute or check CRC32 checksums
|
||||||
* cryptomount:: Mount a crypto device
|
* cryptomount:: Mount a crypto device
|
||||||
@ -25,7 +25,7 @@ index 71943b15dd1..067aa294162 100644
|
|||||||
* date:: Display or set current date and time
|
* date:: Display or set current date and time
|
||||||
* devicetree:: Load a device tree blob
|
* devicetree:: Load a device tree blob
|
||||||
* distrust:: Remove a pubkey from trusted keys
|
* distrust:: Remove a pubkey from trusted keys
|
||||||
@@ -4098,6 +4099,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
@@ -4103,6 +4104,8 @@ this page is to be filtered. This syntax makes it easy to represent patterns
|
||||||
that are often result of memory damage, due to physical distribution of memory
|
that are often result of memory damage, due to physical distribution of memory
|
||||||
cells.
|
cells.
|
||||||
|
|
||||||
@ -34,7 +34,7 @@ index 71943b15dd1..067aa294162 100644
|
|||||||
Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}).
|
||||||
This prevents removing EFI memory regions to potentially subvert the
|
This prevents removing EFI memory regions to potentially subvert the
|
||||||
security mechanisms provided by the UEFI secure boot.
|
security mechanisms provided by the UEFI secure boot.
|
||||||
@@ -4261,6 +4264,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
|
@@ -4266,6 +4269,24 @@ GRUB suports devices encrypted using LUKS and geli. Note that necessary modules
|
||||||
be used.
|
be used.
|
||||||
@end deffn
|
@end deffn
|
||||||
|
|
@ -25,12 +25,12 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
3 files changed, 19 insertions(+), 5 deletions(-)
|
3 files changed, 19 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
|
diff --git a/grub-core/commands/minicmd.c b/grub-core/commands/minicmd.c
|
||||||
index b25ca4b9f17..4660a020bda 100644
|
index 6d66b7c453a..2bd3ac76f2d 100644
|
||||||
--- a/grub-core/commands/minicmd.c
|
--- a/grub-core/commands/minicmd.c
|
||||||
+++ b/grub-core/commands/minicmd.c
|
+++ b/grub-core/commands/minicmd.c
|
||||||
@@ -137,8 +137,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
|
@@ -140,8 +140,11 @@ grub_mini_cmd_rmmod (struct grub_command *cmd __attribute__ ((unused)),
|
||||||
if (! mod)
|
if (grub_dl_is_persistent (mod))
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "no such module");
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "cannot unload persistent module");
|
||||||
|
|
||||||
- if (grub_dl_unref (mod) <= 0)
|
- if (grub_dl_unref (mod) <= 0)
|
||||||
- grub_dl_unload (mod);
|
- grub_dl_unload (mod);
|
||||||
@ -43,7 +43,7 @@ index b25ca4b9f17..4660a020bda 100644
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
|
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
|
||||||
index 91105bc4677..333c1329eab 100644
|
index d7a7c8f97b0..520126beab7 100644
|
||||||
--- a/grub-core/kern/dl.c
|
--- a/grub-core/kern/dl.c
|
||||||
+++ b/grub-core/kern/dl.c
|
+++ b/grub-core/kern/dl.c
|
||||||
@@ -621,6 +621,15 @@ grub_dl_unref (grub_dl_t mod)
|
@@ -621,6 +621,15 @@ grub_dl_unref (grub_dl_t mod)
|
||||||
@ -63,10 +63,10 @@ index 91105bc4677..333c1329eab 100644
|
|||||||
grub_dl_flush_cache (grub_dl_t mod)
|
grub_dl_flush_cache (grub_dl_t mod)
|
||||||
{
|
{
|
||||||
diff --git a/include/grub/dl.h b/include/grub/dl.h
|
diff --git a/include/grub/dl.h b/include/grub/dl.h
|
||||||
index 7b5bfb07ce6..a58fbc767c0 100644
|
index 877821dcb04..6a3e251b455 100644
|
||||||
--- a/include/grub/dl.h
|
--- a/include/grub/dl.h
|
||||||
+++ b/include/grub/dl.h
|
+++ b/include/grub/dl.h
|
||||||
@@ -204,9 +204,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
|
@@ -205,9 +205,11 @@ grub_dl_t EXPORT_FUNC(grub_dl_load) (const char *name);
|
||||||
grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
|
grub_dl_t grub_dl_load_core (void *addr, grub_size_t size);
|
||||||
grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
|
grub_dl_t EXPORT_FUNC(grub_dl_load_core_noinit) (void *addr, grub_size_t size);
|
||||||
int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
|
int EXPORT_FUNC(grub_dl_unload) (grub_dl_t mod);
|
@ -15,7 +15,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
diff --git a/grub-core/net/net.c b/grub-core/net/net.c
|
||||||
index 0e72bbb9b39..50d0609038c 100644
|
index 1fd104aeaf2..a27c53eee1c 100644
|
||||||
--- a/grub-core/net/net.c
|
--- a/grub-core/net/net.c
|
||||||
+++ b/grub-core/net/net.c
|
+++ b/grub-core/net/net.c
|
||||||
@@ -89,8 +89,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
|
@@ -89,8 +89,13 @@ grub_net_link_layer_add_address (struct grub_net_card *card,
|
@ -15,7 +15,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
1 file changed, 4 deletions(-)
|
1 file changed, 4 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
|
diff --git a/grub-core/io/lzopio.c b/grub-core/io/lzopio.c
|
||||||
index 7559c6c9cab..dcb58746da1 100644
|
index 84edf6dd2dc..6bf14daf474 100644
|
||||||
--- a/grub-core/io/lzopio.c
|
--- a/grub-core/io/lzopio.c
|
||||||
+++ b/grub-core/io/lzopio.c
|
+++ b/grub-core/io/lzopio.c
|
||||||
@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
|
@@ -125,8 +125,6 @@ read_block_header (struct grub_lzopio *lzopio)
|
@ -15,7 +15,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
1 file changed, 5 insertions(+), 1 deletion(-)
|
1 file changed, 5 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
|
diff --git a/grub-core/lib/syslinux_parse.c b/grub-core/lib/syslinux_parse.c
|
||||||
index 21ca040ada7..2eb59ff8ac4 100644
|
index 83e7bdb9161..f477feff1c3 100644
|
||||||
--- a/grub-core/lib/syslinux_parse.c
|
--- a/grub-core/lib/syslinux_parse.c
|
||||||
+++ b/grub-core/lib/syslinux_parse.c
|
+++ b/grub-core/lib/syslinux_parse.c
|
||||||
@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
|
@@ -737,7 +737,10 @@ syslinux_parse_real (struct syslinux_menu *menu)
|
@ -16,7 +16,7 @@ Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|||||||
1 file changed, 12 insertions(+), 3 deletions(-)
|
1 file changed, 12 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
|
diff --git a/grub-core/commands/hashsum.c b/grub-core/commands/hashsum.c
|
||||||
index d18687351a5..282922bba1e 100644
|
index 456ba908b6f..b8a22b0c8bb 100644
|
||||||
--- a/grub-core/commands/hashsum.c
|
--- a/grub-core/commands/hashsum.c
|
||||||
+++ b/grub-core/commands/hashsum.c
|
+++ b/grub-core/commands/hashsum.c
|
||||||
@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
|
@@ -128,11 +128,17 @@ check_list (const gcry_md_spec_t *hash, const char *hashfilename,
|
||||||
@ -48,6 +48,6 @@ index d18687351a5..282922bba1e 100644
|
|||||||
+ grub_free (buf);
|
+ grub_free (buf);
|
||||||
+ return grub_errno;
|
+ return grub_errno;
|
||||||
+ }
|
+ }
|
||||||
if (!uncompress)
|
file = grub_file_open (filename, GRUB_FILE_TYPE_TO_HASH
|
||||||
grub_file_filter_disable_compression ();
|
| (!uncompress ? GRUB_FILE_TYPE_NO_DECOMPRESS
|
||||||
file = grub_file_open (filename);
|
: GRUB_FILE_TYPE_NONE));
|