Compare commits

...

No commits in common. "a9_new_sb" and "c8" have entirely different histories.

674 changed files with 69587 additions and 13166 deletions

6
.gitignore vendored
View File

@ -1,4 +1,4 @@
SOURCES/gnulib-fixes.tar.gz
SOURCES/grub-2.06.tar.xz
SOURCES/almalinuxsecurebootca0.cer
SOURCES/grub-2.02.tar.xz
SOURCES/theme.tar.bz2
SOURCES/unifont-13.0.06.pcf.gz
SOURCES/unifont-5.1.20080820.pcf.gz

View File

@ -1,4 +0,0 @@
1a07692dfaa916675a92b1383885141f490f98d2 SOURCES/gnulib-fixes.tar.gz
c9f93f1e195ec7a5a21d36a13b469788c0b29f0f SOURCES/grub-2.06.tar.xz
cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
3b39cb0830367171760ec536cab805abdbe08bc5 SOURCES/unifont-13.0.06.pcf.gz

View File

@ -35,19 +35,20 @@ moves the check into grub_dl_load_file.
grub-core/loader/i386/efi/linux.c | 335 ++++++++++++++++++++++++++++++++++++++
grub-core/loader/i386/pc/linux.c | 10 +-
include/grub/arm/linux.h | 9 +
include/grub/arm64/linux.h | 9 +
include/grub/arm64/linux.h | 10 ++
include/grub/efi/efi.h | 7 +-
include/grub/efi/linux.h | 31 ++++
13 files changed, 618 insertions(+), 69 deletions(-)
include/grub/i386/linux.h | 1 +
14 files changed, 620 insertions(+), 69 deletions(-)
create mode 100644 grub-core/loader/efi/linux.c
create mode 100644 grub-core/loader/i386/efi/linux.c
create mode 100644 include/grub/efi/linux.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 8022e1c0a79..45d3edaa4dc 100644
index 9590e87d9..0b4b0c212 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1734,13 +1734,6 @@ module = {
@@ -1626,13 +1626,6 @@ module = {
enable = i386_pc;
};
@ -61,7 +62,7 @@ index 8022e1c0a79..45d3edaa4dc 100644
module = {
name = ntldr;
i386_pc = loader/i386/pc/ntldr.c;
@@ -1796,7 +1789,9 @@ module = {
@@ -1685,7 +1678,9 @@ module = {
module = {
name = linux;
@ -69,13 +70,13 @@ index 8022e1c0a79..45d3edaa4dc 100644
+ i386_pc = loader/i386/pc/linux.c;
+ x86_64_efi = loader/i386/efi/linux.c;
+ i386_efi = loader/i386/efi/linux.c;
i386_xen_pvh = loader/i386/linux.c;
xen = loader/i386/xen.c;
i386_pc = lib/i386/pc/vesa_modes_table.c;
@@ -1811,9 +1806,14 @@ module = {
mips = loader/mips/linux.c;
@@ -1696,9 +1691,14 @@ module = {
arm_efi = loader/arm64/linux.c;
arm_uboot = loader/arm/linux.c;
arm64 = loader/arm64/linux.c;
riscv32 = loader/riscv/linux.c;
riscv64 = loader/riscv/linux.c;
+ emu = loader/emu/linux.c;
+ fdt = lib/fdt.c;
+
@ -88,7 +89,7 @@ index 8022e1c0a79..45d3edaa4dc 100644
module = {
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index 48f8a79073d..b7149370950 100644
index e394cd96f..04e804d16 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -38,6 +38,14 @@
@ -106,7 +107,7 @@ index 48f8a79073d..b7149370950 100644
#pragma GCC diagnostic ignored "-Wcast-align"
@@ -695,6 +703,19 @@ grub_dl_load_file (const char *filename)
@@ -686,6 +694,19 @@ grub_dl_load_file (const char *filename)
void *core = 0;
grub_dl_t mod = 0;
@ -125,13 +126,13 @@ index 48f8a79073d..b7149370950 100644
+
grub_boot_time ("Loading module %s", filename);
file = grub_file_open (filename, GRUB_FILE_TYPE_GRUB_MODULE);
file = grub_file_open (filename);
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 8cff7be0289..35b8f670602 100644
index 708581fcb..c8a9d8307 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -286,6 +286,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);
@@ -273,6 +273,34 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
return NULL;
}
+grub_efi_boolean_t
@ -166,7 +167,7 @@ index 8cff7be0289..35b8f670602 100644
/* Search the mods section from the PE32/PE32+ image. This code uses
diff --git a/grub-core/kern/efi/mm.c b/grub-core/kern/efi/mm.c
index 9838fb2f50d..f6aef0ef649 100644
index 42ad7c570..5cdf6c943 100644
--- a/grub-core/kern/efi/mm.c
+++ b/grub-core/kern/efi/mm.c
@@ -113,6 +113,38 @@ grub_efi_drop_alloc (grub_efi_physical_address_t address,
@ -209,7 +210,7 @@ index 9838fb2f50d..f6aef0ef649 100644
void *
grub_efi_allocate_pages_real (grub_efi_physical_address_t address,
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index ef3e9f9444c..a312c668685 100644
index 1f86229f8..6c00af98d 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -29,6 +29,7 @@
@ -220,7 +221,7 @@ index ef3e9f9444c..a312c668685 100644
#include <grub/efi/pe32.h>
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
@@ -41,6 +42,7 @@ static int loaded;
@@ -40,6 +41,7 @@ static int loaded;
static void *kernel_addr;
static grub_uint64_t kernel_size;
@ -228,7 +229,7 @@ index ef3e9f9444c..a312c668685 100644
static char *linux_args;
static grub_uint32_t cmdline_size;
@@ -67,7 +69,8 @@ grub_arch_efi_linux_check_image (struct linux_arch_kernel_header * lh)
@@ -66,7 +68,8 @@ grub_armxx_efi_linux_check_image (struct linux_armxx_kernel_header * lh)
static grub_err_t
finalize_params_linux (void)
{
@ -238,7 +239,7 @@ index ef3e9f9444c..a312c668685 100644
void *fdt;
@@ -102,79 +105,70 @@ finalize_params_linux (void)
@@ -101,79 +104,70 @@ finalize_params_linux (void)
if (grub_fdt_install() != GRUB_ERR_NONE)
goto failure;
@ -250,7 +251,7 @@ index ef3e9f9444c..a312c668685 100644
-}
-
-grub_err_t
-grub_arch_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
-grub_armxx_efi_linux_boot_image (grub_addr_t addr, grub_size_t size, char *args)
-{
- grub_efi_memory_mapped_device_path_t *mempath;
- grub_efi_handle_t image_handle;
@ -283,7 +284,7 @@ index ef3e9f9444c..a312c668685 100644
-
- grub_dprintf ("linux", "linux command line: '%s'\n", args);
+ grub_dprintf ("linux", "Installed/updated FDT configuration table @ %p\n",
+ fdt);
+ fdt);
/* Convert command line to UCS-2 */
- loaded_image = grub_efi_get_loaded_image (image_handle);
@ -303,7 +304,7 @@ index ef3e9f9444c..a312c668685 100644
loaded_image->load_options_size =
2 * grub_utf8_to_utf16 (loaded_image->load_options, len,
- (grub_uint8_t *) args, len, NULL);
+ (grub_uint8_t *) linux_args, len, NULL);
+ (grub_uint8_t *) linux_args, len, NULL);
- grub_dprintf ("linux", "starting image %p\n", image_handle);
- status = b->start_image (image_handle, 0, NULL);
@ -328,15 +329,15 @@ index ef3e9f9444c..a312c668685 100644
+ if (loaded_image)
+ {
+ if (loaded_image->load_options)
+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_efi_uintn_t)loaded_image->load_options,
+ GRUB_EFI_BYTES_TO_PAGES (loaded_image->load_options_size));
+ grub_efi_free_pages ((grub_efi_physical_address_t)(grub_efi_uintn_t)loaded_image->load_options,
+ GRUB_EFI_BYTES_TO_PAGES (loaded_image->load_options_size));
+ loaded_image->load_options = NULL;
+ loaded_image->load_options_size = 0;
+ }
+}
+
+grub_err_t
+grub_arch_efi_linux_boot_image (grub_addr_t addr, char *args)
+grub_armxx_efi_linux_boot_image (grub_addr_t addr, char *args)
+{
+ grub_err_t retval;
+
@ -359,21 +360,21 @@ index ef3e9f9444c..a312c668685 100644
- if (finalize_params_linux () != GRUB_ERR_NONE)
- return grub_errno;
-
- return (grub_arch_efi_linux_boot_image((grub_addr_t)kernel_addr,
- return (grub_armxx_efi_linux_boot_image((grub_addr_t)kernel_addr,
- kernel_size, linux_args));
+ return (grub_arch_efi_linux_boot_image((grub_addr_t)kernel_addr, linux_args));
+ return grub_armxx_efi_linux_boot_image((grub_addr_t)kernel_addr, linux_args);
}
static grub_err_t
@@ -288,6 +282,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -287,6 +281,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
{
grub_file_t file = 0;
struct linux_arch_kernel_header lh;
struct linux_armxx_kernel_header lh;
+ struct grub_armxx_linux_pe_header *pe;
grub_err_t err;
grub_dl_ref (my_mod);
@@ -333,6 +328,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -331,6 +326,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
@ -390,20 +391,20 @@ index ef3e9f9444c..a312c668685 100644
linux_args = grub_malloc (cmdline_size);
if (!linux_args)
diff --git a/grub-core/loader/arm64/xen_boot.c b/grub-core/loader/arm64/xen_boot.c
index 22cc25eccd9..d9b7a9ba400 100644
index 1003a0b99..f35b16caa 100644
--- a/grub-core/loader/arm64/xen_boot.c
+++ b/grub-core/loader/arm64/xen_boot.c
@@ -266,7 +266,6 @@ xen_boot (void)
return err;
return grub_arch_efi_linux_boot_image (xen_hypervisor->start,
return grub_armxx_efi_linux_boot_image (xen_hypervisor->start,
- xen_hypervisor->size,
xen_hypervisor->cmdline);
}
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
new file mode 100644
index 00000000000..c24202a5dd1
index 000000000..c24202a5d
--- /dev/null
+++ b/grub-core/loader/efi/linux.c
@@ -0,0 +1,70 @@
@ -479,7 +480,7 @@ index 00000000000..c24202a5dd1
+#pragma GCC diagnostic pop
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
new file mode 100644
index 00000000000..bb2616a8092
index 000000000..3db82e782
--- /dev/null
+++ b/grub-core/loader/i386/efi/linux.c
@@ -0,0 +1,335 @@
@ -588,7 +589,8 @@ index 00000000000..bb2616a8092
+
+ for (i = 0; i < argc; i++)
+ {
+ files[i] = grub_file_open (argv[i], GRUB_FILE_TYPE_LINUX_INITRD | GRUB_FILE_TYPE_NO_DECOMPRESS);
+ grub_file_filter_disable_compression ();
+ files[i] = grub_file_open (argv[i]);
+ if (! files[i])
+ goto fail;
+ nfiles++;
@ -641,7 +643,7 @@ index 00000000000..bb2616a8092
+ int argc, char *argv[])
+{
+ grub_file_t file = 0;
+ struct linux_i386_kernel_header lh;
+ struct linux_kernel_header lh;
+ grub_ssize_t len, start, filelen;
+ void *kernel = NULL;
+
@ -653,7 +655,7 @@ index 00000000000..bb2616a8092
+ goto fail;
+ }
+
+ file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
+ file = grub_file_open (argv[0]);
+ if (! file)
+ goto fail;
+
@ -729,8 +731,7 @@ index 00000000000..bb2616a8092
+ grub_memcpy (linux_cmdline, LINUX_IMAGE, sizeof (LINUX_IMAGE));
+ grub_create_loader_cmdline (argc, argv,
+ linux_cmdline + sizeof (LINUX_IMAGE) - 1,
+ lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1),
+ GRUB_VERIFY_KERNEL_CMDLINE);
+ lh.cmdline_size - (sizeof (LINUX_IMAGE) - 1));
+
+ lh.cmd_line_ptr = (grub_uint32_t)(grub_addr_t)linux_cmdline;
+
@ -819,10 +820,10 @@ index 00000000000..bb2616a8092
+ grub_unregister_command (cmd_initrdefi);
+}
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 2a299520160..8be4c3b3f48 100644
index b69cb7a3a..a3c87cf2f 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -474,14 +474,20 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
@@ -468,14 +468,20 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
return grub_errno;
}
@ -844,7 +845,7 @@ index 2a299520160..8be4c3b3f48 100644
grub_register_command ("initrd16", grub_cmd_initrd,
0, N_("Load initrd."));
my_mod = mod;
@@ -490,5 +496,7 @@ GRUB_MOD_INIT(linux16)
@@ -484,5 +490,7 @@ GRUB_MOD_INIT(linux16)
GRUB_MOD_FINI(linux16)
{
grub_unregister_command (cmd_linux);
@ -853,7 +854,7 @@ index 2a299520160..8be4c3b3f48 100644
+ grub_unregister_command (cmd_initrd16);
}
diff --git a/include/grub/arm/linux.h b/include/grub/arm/linux.h
index bcd5a7eb186..b582f67f661 100644
index 712ba17b9..5900fc8a4 100644
--- a/include/grub/arm/linux.h
+++ b/include/grub/arm/linux.h
@@ -20,6 +20,7 @@
@ -877,24 +878,25 @@ index bcd5a7eb186..b582f67f661 100644
+
#if defined(__arm__)
# define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM_MAGIC_SIGNATURE
# define linux_arch_kernel_header linux_arm_kernel_header
# define linux_armxx_kernel_header linux_arm_kernel_header
+# define grub_armxx_linux_pe_header grub_arm_linux_pe_header
#endif
#if defined GRUB_MACHINE_UBOOT
diff --git a/include/grub/arm64/linux.h b/include/grub/arm64/linux.h
index 7e22b4ab699..ea030312df3 100644
index 8655067e0..7b533b571 100644
--- a/include/grub/arm64/linux.h
+++ b/include/grub/arm64/linux.h
@@ -19,6 +19,7 @@
@@ -19,6 +19,8 @@
#ifndef GRUB_ARM64_LINUX_HEADER
#define GRUB_ARM64_LINUX_HEADER 1
+#include <grub/efi/pe32.h>
#include <grub/types.h>
+
#define GRUB_LINUX_ARM64_MAGIC_SIGNATURE 0x644d5241 /* 'ARM\x64' */
@@ -38,9 +39,17 @@ struct linux_arm64_kernel_header
/* From linux/Documentation/arm64/booting.txt */
@@ -36,9 +38,17 @@ struct linux_arm64_kernel_header
grub_uint32_t hdr_offset; /* Offset of PE/COFF header */
};
@ -907,13 +909,13 @@ index 7e22b4ab699..ea030312df3 100644
+
#if defined(__aarch64__)
# define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM64_MAGIC_SIGNATURE
# define linux_arch_kernel_header linux_arm64_kernel_header
# define linux_armxx_kernel_header linux_arm64_kernel_header
+# define grub_armxx_linux_pe_header grub_arm64_linux_pe_header
#endif
#endif /* ! GRUB_ARM64_LINUX_HEADER */
diff --git a/include/grub/efi/efi.h b/include/grub/efi/efi.h
index 83d958f9945..6295df85f3f 100644
index 2c6648d46..1061aee97 100644
--- a/include/grub/efi/efi.h
+++ b/include/grub/efi/efi.h
@@ -47,6 +47,9 @@ EXPORT_FUNC(grub_efi_allocate_fixed) (grub_efi_physical_address_t address,
@ -926,7 +928,7 @@ index 83d958f9945..6295df85f3f 100644
void EXPORT_FUNC(grub_efi_free_pages) (grub_efi_physical_address_t address,
grub_efi_uintn_t pages);
grub_efi_uintn_t EXPORT_FUNC(grub_efi_find_mmap_size) (void);
@@ -88,6 +91,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
@@ -82,6 +85,7 @@ EXPORT_FUNC (grub_efi_set_variable) (const char *var,
const grub_efi_guid_t *guid,
void *data,
grub_size_t datasize);
@ -934,19 +936,19 @@ index 83d958f9945..6295df85f3f 100644
int
EXPORT_FUNC (grub_efi_compare_device_paths) (const grub_efi_device_path_t *dp1,
const grub_efi_device_path_t *dp2);
@@ -101,8 +105,7 @@ void *EXPORT_FUNC(grub_efi_get_firmware_fdt)(void);
@@ -95,8 +99,7 @@ void *EXPORT_FUNC(grub_efi_get_firmware_fdt)(void);
grub_err_t EXPORT_FUNC(grub_efi_get_ram_base)(grub_addr_t *);
#include <grub/cpu/linux.h>
grub_err_t grub_arch_efi_linux_check_image(struct linux_arch_kernel_header *lh);
-grub_err_t grub_arch_efi_linux_boot_image(grub_addr_t addr, grub_size_t size,
grub_err_t grub_armxx_efi_linux_check_image(struct linux_armxx_kernel_header *lh);
-grub_err_t grub_armxx_efi_linux_boot_image(grub_addr_t addr, grub_size_t size,
- char *args);
+grub_err_t grub_arch_efi_linux_boot_image(grub_addr_t addr, char *args);
+grub_err_t grub_armxx_efi_linux_boot_image(grub_addr_t addr, char *args);
#endif
grub_addr_t grub_efi_modules_addr (void);
diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
new file mode 100644
index 00000000000..d9ede36773b
index 000000000..d9ede3677
--- /dev/null
+++ b/include/grub/efi/linux.h
@@ -0,0 +1,31 @@
@ -981,3 +983,15 @@ index 00000000000..d9ede36773b
+ void *kernel_param);
+
+#endif /* ! GRUB_EFI_LINUX_HEADER */
diff --git a/include/grub/i386/linux.h b/include/grub/i386/linux.h
index 60c7c3b5e..bb19dbd5a 100644
--- a/include/grub/i386/linux.h
+++ b/include/grub/i386/linux.h
@@ -142,6 +142,7 @@ struct linux_i386_kernel_header
grub_uint64_t setup_data;
grub_uint64_t pref_address;
grub_uint32_t init_size;
+ grub_uint32_t handover_offset;
} GRUB_PACKED;
/* Boot parameters for Linux based on 2.6.12. This is used by the setup

View File

@ -1,24 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 11 Jun 2021 12:10:45 +0200
Subject: [PATCH] Revert "templates: Fix user-facing typo with an incorrect use
of "it's""
This reverts commit 722737630889607c3b5761f1f5a48f1674cd2821.
---
util/grub.d/30_os-prober.in | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
index 5984e92d291..94622481284 100644
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -36,7 +36,7 @@ if ! command -v os-prober > /dev/null || ! command -v linux-boot-prober > /dev/n
exit 0
fi
-grub_warn "$(gettext_printf "os-prober will be executed to detect other bootable partitions.\nIts output will be used to detect bootable binaries on them and create new boot entries.")"
+grub_warn "$(gettext_printf "os-prober will be executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`"
if [ -z "${OSPROBED}" ] ; then

View File

@ -1,71 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 11 Jun 2021 12:10:54 +0200
Subject: [PATCH] Revert "templates: Properly disable the os-prober by default"
This reverts commit 54e0a1bbf1e9106901a557195bb35e5e20fb3925.
---
util/grub-mkconfig.in | 5 +----
util/grub.d/30_os-prober.in | 8 ++++----
2 files changed, 5 insertions(+), 8 deletions(-)
diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in
index f8cbb8d7a2b..d3e879b8e5c 100644
--- a/util/grub-mkconfig.in
+++ b/util/grub-mkconfig.in
@@ -140,9 +140,6 @@ GRUB_DEVICE_PARTUUID="`${grub_probe} --device ${GRUB_DEVICE} --target=partuuid 2
GRUB_DEVICE_BOOT="`${grub_probe} --target=device /boot`"
GRUB_DEVICE_BOOT_UUID="`${grub_probe} --device ${GRUB_DEVICE_BOOT} --target=fs_uuid 2> /dev/null`" || true
-# Disable os-prober by default due to security reasons.
-GRUB_DISABLE_OS_PROBER="true"
-
# Filesystem for the device containing our userland. Used for stuff like
# choosing Hurd filesystem module.
GRUB_FS="`${grub_probe} --device ${GRUB_DEVICE} --target=fs 2> /dev/null || echo unknown`"
@@ -204,7 +201,6 @@ export GRUB_DEVICE \
GRUB_DEVICE_PARTUUID \
GRUB_DEVICE_BOOT \
GRUB_DEVICE_BOOT_UUID \
- GRUB_DISABLE_OS_PROBER \
GRUB_FS \
GRUB_FONT \
GRUB_PRELOAD_MODULES \
@@ -246,6 +242,7 @@ export GRUB_DEFAULT \
GRUB_BACKGROUND \
GRUB_THEME \
GRUB_GFXPAYLOAD_LINUX \
+ GRUB_DISABLE_OS_PROBER \
GRUB_INIT_TUNE \
GRUB_SAVEDEFAULT \
GRUB_ENABLE_CRYPTODISK \
diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
index 94622481284..80685b15f4d 100644
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -26,8 +26,8 @@ export TEXTDOMAINDIR="@localedir@"
. "$pkgdatadir/grub-mkconfig_lib"
-if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
- grub_warn "$(gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.")"
+if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
+ gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
exit 0
fi
@@ -36,12 +36,12 @@ if ! command -v os-prober > /dev/null || ! command -v linux-boot-prober > /dev/n
exit 0
fi
-grub_warn "$(gettext_printf "os-prober will be executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
-
OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`"
if [ -z "${OSPROBED}" ] ; then
# empty os-prober output, nothing doing
exit 0
+else
+ grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
fi
osx_entry() {

View File

@ -6,17 +6,15 @@ Subject: [PATCH] Rework linux command
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
---
grub-core/loader/i386/linux.c | 35 +++++++++++++++++++++++------------
1 file changed, 23 insertions(+), 12 deletions(-)
grub-core/loader/i386/linux.c | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 9f74a96b19a..dccf3bb3005 100644
index 9b53d3168..f7186be40 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -649,13 +649,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -685,13 +685,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
{
grub_file_t file = 0;
struct linux_i386_kernel_header lh;
@ -33,7 +31,7 @@ index 9f74a96b19a..dccf3bb3005 100644
grub_dl_ref (my_mod);
@@ -669,7 +671,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -705,7 +707,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (! file)
goto fail;
@ -50,7 +48,7 @@ index 9f74a96b19a..dccf3bb3005 100644
{
if (!grub_errno)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -677,6 +687,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -713,6 +723,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@ -60,25 +58,33 @@ index 9f74a96b19a..dccf3bb3005 100644
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
{
grub_error (GRUB_ERR_BAD_OS, "invalid magic number");
@@ -784,13 +797,11 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
/* We've already read lh so there is no need to read it second time. */
len -= sizeof(lh);
@@ -804,6 +817,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
preferred_address))
goto fail;
- if ((len > 0) &&
- (grub_file_read (file, (char *) &linux_params + sizeof (lh), len) != len))
+ linux_params_ptr = (void *)&linux_params;
+ if (len > 0)
{
+
grub_memset (&linux_params, 0, sizeof (linux_params));
grub_memcpy (&linux_params.setup_sects, &lh.setup_sects, sizeof (lh) - 0x1F1);
@@ -812,13 +826,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
linux_params.ps_mouse = linux_params.padding10 = 0;
len = sizeof (linux_params) - sizeof (lh);
- if (grub_file_read (file, (char *) &linux_params + sizeof (lh), len) != len)
- {
- if (!grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
- goto fail;
+ grub_memcpy (linux_params_ptr + sizeof (lh), kernel + kernel_offset, len);
+ kernel_offset += len;
}
- }
+
+ linux_params_ptr = (void *)&linux_params;
+ grub_memcpy (linux_params_ptr + sizeof (lh), kernel + kernel_offset, len);
+ kernel_offset += len;
linux_params.code32_start = prot_mode_target + lh.code32_start - GRUB_LINUX_BZIMAGE_ADDR;
@@ -853,7 +864,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE;
@@ -877,7 +888,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
/* The other parameters are filled when booting. */
@ -87,8 +93,8 @@ index 9f74a96b19a..dccf3bb3005 100644
grub_dprintf ("linux", "bzImage, setup=0x%x, size=0x%x\n",
(unsigned) real_size, (unsigned) prot_size);
@@ -1007,9 +1018,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
}
@@ -1025,9 +1036,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- (sizeof (LINUX_IMAGE) - 1));
len = prot_file_size;
- if (grub_file_read (file, prot_mode_mem, len) != len && !grub_errno)
@ -98,7 +104,7 @@ index 9f74a96b19a..dccf3bb3005 100644
if (grub_errno == GRUB_ERR_NONE)
{
@@ -1020,6 +1029,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -1038,6 +1047,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
fail:

View File

@ -1,70 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Javier Martinez Canillas <javierm@redhat.com>
Date: Fri, 11 Jun 2021 12:10:58 +0200
Subject: [PATCH] Revert "templates: Disable the os-prober by default"
This reverts commit e346414725a70e5c74ee87ca14e580c66f517666.
---
docs/grub.texi | 18 ++++++++----------
util/grub.d/30_os-prober.in | 5 +----
2 files changed, 9 insertions(+), 14 deletions(-)
diff --git a/docs/grub.texi b/docs/grub.texi
index f8b4b3b21a7..69f08d289f9 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -1519,13 +1519,10 @@ boot sequence. If you have problems, set this option to @samp{text} and
GRUB will tell Linux to boot in normal text mode.
@item GRUB_DISABLE_OS_PROBER
-The @command{grub-mkconfig} has a feature to use the external
-@command{os-prober} program to discover other operating systems installed on
-the same machine and generate appropriate menu entries for them. It is disabled
-by default since automatic and silent execution of @command{os-prober}, and
-creating boot entries based on that data, is a potential attack vector. Set
-this option to @samp{false} to enable this feature in the
-@command{grub-mkconfig} command.
+Normally, @command{grub-mkconfig} will try to use the external
+@command{os-prober} program, if installed, to discover other operating
+systems installed on the same system and generate appropriate menu entries
+for them. Set this option to @samp{true} to disable this.
@item GRUB_OS_PROBER_SKIP_LIST
List of space-separated FS UUIDs of filesystems to be ignored from os-prober
@@ -1853,9 +1850,10 @@ than zero; otherwise 0.
@section Multi-boot manual config
Currently autogenerating config files for multi-boot environments depends on
-os-prober and has several shortcomings. Due to that it is disabled by default.
-It is advised to use the power of GRUB syntax and do it yourself. A possible
-configuration is detailed here, feel free to adjust to your needs.
+os-prober and has several shortcomings. While fixing it is scheduled for the
+next release, meanwhile you can make use of the power of GRUB syntax and do it
+yourself. A possible configuration is detailed here, feel free to adjust to your
+needs.
First create a separate GRUB partition, big enough to hold GRUB. Some of the
following entries show how to load OS installer images from this same partition,
diff --git a/util/grub.d/30_os-prober.in b/util/grub.d/30_os-prober.in
index 80685b15f4d..1b91c102f35 100644
--- a/util/grub.d/30_os-prober.in
+++ b/util/grub.d/30_os-prober.in
@@ -26,8 +26,7 @@ export TEXTDOMAINDIR="@localedir@"
. "$pkgdatadir/grub-mkconfig_lib"
-if [ "x${GRUB_DISABLE_OS_PROBER}" = "xfalse" ]; then
- gettext_printf "os-prober will not be executed to detect other bootable partitions.\nSystems on them will not be added to the GRUB boot configuration.\nCheck GRUB_DISABLE_OS_PROBER documentation entry.\n"
+if [ "x${GRUB_DISABLE_OS_PROBER}" = "xtrue" ]; then
exit 0
fi
@@ -40,8 +39,6 @@ OSPROBED="`os-prober | tr ' ' '^' | paste -s -d ' '`"
if [ -z "${OSPROBED}" ] ; then
# empty os-prober output, nothing doing
exit 0
-else
- grub_warn "$(gettext_printf "os-prober was executed to detect other bootable partitions.\nIt's output will be used to detect bootable binaries on them and create new boot entries.")"
fi
osx_entry() {

View File

@ -6,17 +6,15 @@ Subject: [PATCH] Rework linux16 command
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel int it
before pulling out the individual blocks later on.
Signed-off-by: Matthew Garrett <mjg59@coreos.com>
---
grub-core/loader/i386/pc/linux.c | 33 +++++++++++++++++++++------------
1 file changed, 21 insertions(+), 12 deletions(-)
grub-core/loader/i386/pc/linux.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 8be4c3b3f48..4b1750e360e 100644
index a3c87cf2f..caa76bee8 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -124,13 +124,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -123,13 +123,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_file_t file = 0;
struct linux_i386_kernel_header lh;
grub_uint8_t setup_sects;
@ -32,7 +30,7 @@ index 8be4c3b3f48..4b1750e360e 100644
grub_dl_ref (my_mod);
@@ -144,7 +145,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -143,7 +144,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (! file)
goto fail;
@ -49,7 +47,7 @@ index 8be4c3b3f48..4b1750e360e 100644
{
if (!grub_errno)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -152,6 +161,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -151,6 +160,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@ -59,7 +57,7 @@ index 8be4c3b3f48..4b1750e360e 100644
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
{
grub_error (GRUB_ERR_BAD_OS, "invalid magic number");
@@ -320,13 +332,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -314,13 +326,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_memmove (grub_linux_real_chunk, &lh, sizeof (lh));
len = real_size + GRUB_DISK_SECTOR_SIZE - sizeof (lh);
@ -76,11 +74,12 @@ index 8be4c3b3f48..4b1750e360e 100644
if (lh.header != grub_cpu_to_le32_compile_time (GRUB_LINUX_I386_MAGIC_SIGNATURE)
|| grub_le_to_cpu16 (lh.version) < 0x0200)
@@ -364,9 +372,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -355,10 +363,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
}
len = grub_linux16_prot_size;
- if (grub_file_read (file, grub_linux_prot_chunk, len) != len && !grub_errno)
- if (grub_file_read (file, grub_linux_prot_chunk, grub_linux16_prot_size)
- != (grub_ssize_t) grub_linux16_prot_size && !grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
+ grub_memcpy (grub_linux_prot_chunk, kernel + kernel_offset, len);
@ -88,7 +87,7 @@ index 8be4c3b3f48..4b1750e360e 100644
if (grub_errno == GRUB_ERR_NONE)
{
@@ -376,6 +383,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -368,6 +374,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
fail:

View File

@ -1,6 +1,6 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Raymund Will <rw@suse.com>
Date: Mon, 8 Jul 2019 11:55:18 +0200
Date: Fri, 10 Apr 2015 01:45:02 -0400
Subject: [PATCH] Add secureboot support on efi chainloader
Expand the chainloader to be able to verify the image by means of shim
@ -167,18 +167,18 @@ Signed-off-by: Laszlo Ersek <lersek@redhat.com>
---
grub-core/kern/efi/efi.c | 14 +-
grub-core/loader/arm64/linux.c | 4 +-
grub-core/loader/efi/chainloader.c | 816 +++++++++++++++++++++++++++++++++----
grub-core/loader/efi/chainloader.c | 817 +++++++++++++++++++++++++++++++++----
grub-core/loader/efi/linux.c | 25 +-
grub-core/loader/i386/efi/linux.c | 17 +-
include/grub/efi/linux.h | 2 +-
include/grub/efi/pe32.h | 52 ++-
7 files changed, 840 insertions(+), 90 deletions(-)
7 files changed, 840 insertions(+), 91 deletions(-)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 35b8f670602..4a2259aa1c7 100644
index c8a9d8307..91129e335 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -296,14 +296,20 @@ grub_efi_secure_boot (void)
@@ -283,14 +283,20 @@ grub_efi_secure_boot (void)
grub_efi_boolean_t ret = 0;
secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
@ -204,18 +204,18 @@ index 35b8f670602..4a2259aa1c7 100644
if (*secure_boot && !*setup_mode)
ret = 1;
diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c
index a312c668685..04994d5c67d 100644
index 6c00af98d..a1ac7a388 100644
--- a/grub-core/loader/arm64/linux.c
+++ b/grub-core/loader/arm64/linux.c
@@ -284,6 +284,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
struct linux_arch_kernel_header lh;
@@ -282,6 +282,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_file_t file = 0;
struct linux_armxx_kernel_header lh;
struct grub_armxx_linux_pe_header *pe;
grub_err_t err;
+ int rc;
grub_dl_ref (my_mod);
@@ -328,7 +329,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -326,7 +327,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
@ -226,7 +226,7 @@ index a312c668685..04994d5c67d 100644
grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"), argv[0]);
goto fail;
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index 2bd80f4db3d..b54cf6986fc 100644
index adc856366..af2189619 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -32,6 +32,8 @@
@ -261,7 +261,15 @@ index 2bd80f4db3d..b54cf6986fc 100644
grub_dl_unref (my_mod);
return GRUB_ERR_NONE;
@@ -213,20 +221,690 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
@@ -173,7 +181,6 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
/* Fill the file path for the directory. */
d = (grub_efi_device_path_t *) ((char *) file_path
+ ((char *) d - (char *) dp));
- grub_efi_print_device_path (d);
copy_file_path ((grub_efi_file_path_device_path_t *) d,
dir_start, dir_end - dir_start);
@@ -191,20 +198,690 @@ make_file_path (grub_efi_device_path_t *dp, const char *filename)
return file_path;
}
@ -955,7 +963,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
if (argc == 0)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
@@ -238,15 +916,45 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -216,15 +893,45 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
address = 0;
image_handle = 0;
file_path = 0;
@ -989,7 +997,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
+ *(--p16) = 0;
+ }
+
file = grub_file_open (filename, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE);
file = grub_file_open (filename);
if (! file)
goto fail;
@ -1003,7 +1011,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
if (! dev)
goto fail;
@@ -283,17 +991,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -261,17 +968,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
if (! file_path)
goto fail;
@ -1024,7 +1032,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES,
GRUB_EFI_LOADER_CODE,
@@ -307,7 +1012,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -285,7 +989,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
}
boot_image = (void *) ((grub_addr_t) address);
@ -1033,7 +1041,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
{
if (grub_errno == GRUB_ERR_NONE)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -317,7 +1022,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -295,7 +999,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
}
#if defined (__i386__) || defined (__x86_64__)
@ -1042,12 +1050,12 @@ index 2bd80f4db3d..b54cf6986fc 100644
{
struct grub_macho_fat_header *head = boot_image;
if (head->magic
@@ -326,6 +1031,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -304,6 +1008,14 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
grub_uint32_t i;
struct grub_macho_fat_arch *archs
= (struct grub_macho_fat_arch *) (head + 1);
+
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ {
+ grub_error (GRUB_ERR_BAD_OS,
+ "MACHO binaries are forbidden with Secure Boot");
@ -1057,7 +1065,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
for (i = 0; i < grub_cpu_to_le32 (head->nfat_arch); i++)
{
if (GRUB_MACHO_CPUTYPE_IS_HOST_CURRENT (archs[i].cputype))
@@ -340,79 +1053,39 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -318,79 +1030,39 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
> ~grub_cpu_to_le32 (archs[i].size)
|| grub_cpu_to_le32 (archs[i].offset)
+ grub_cpu_to_le32 (archs[i].size)
@ -1154,7 +1162,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
if (dev)
grub_device_close (dev);
@@ -424,6 +1097,9 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
@@ -402,6 +1074,9 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
if (address)
efi_call_2 (b->free_pages, address, pages);
@ -1165,7 +1173,7 @@ index 2bd80f4db3d..b54cf6986fc 100644
return grub_errno;
diff --git a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
index c24202a5dd1..c8ecce6dfd0 100644
index c24202a5d..c8ecce6df 100644
--- a/grub-core/loader/efi/linux.c
+++ b/grub-core/loader/efi/linux.c
@@ -33,21 +33,34 @@ struct grub_efi_shim_lock
@ -1210,10 +1218,10 @@ index c24202a5dd1..c8ecce6dfd0 100644
#pragma GCC diagnostic push
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index bb2616a8092..6b24cbb9483 100644
index 3db82e782..8db228c5b 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -117,6 +117,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
@@ -118,6 +118,8 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@ -1222,15 +1230,15 @@ index bb2616a8092..6b24cbb9483 100644
params->ramdisk_size = size;
params->ramdisk_image = (grub_uint32_t)(grub_addr_t) initrd_mem;
@@ -159,6 +161,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
struct linux_i386_kernel_header lh;
@@ -160,6 +162,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
struct linux_kernel_header lh;
grub_ssize_t len, start, filelen;
void *kernel = NULL;
+ int rc;
grub_dl_ref (my_mod);
@@ -184,11 +187,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -185,11 +188,13 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (grub_file_read (file, kernel, filelen) != filelen)
{
@ -1246,7 +1254,7 @@ index bb2616a8092..6b24cbb9483 100644
{
grub_error (GRUB_ERR_INVALID_COMMAND, N_("%s has invalid signature"),
argv[0]);
@@ -203,6 +208,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -204,6 +209,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@ -1255,7 +1263,7 @@ index bb2616a8092..6b24cbb9483 100644
grub_memset (params, 0, 16384);
grub_memcpy (&lh, kernel, sizeof (lh));
@@ -241,6 +248,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -242,6 +249,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@ -1278,7 +1286,7 @@ index bb2616a8092..6b24cbb9483 100644
grub_file_close (file);
diff --git a/include/grub/efi/linux.h b/include/grub/efi/linux.h
index d9ede36773b..0033d9305a9 100644
index d9ede3677..0033d9305 100644
--- a/include/grub/efi/linux.h
+++ b/include/grub/efi/linux.h
@@ -22,7 +22,7 @@
@ -1291,10 +1299,10 @@ index d9ede36773b..0033d9305a9 100644
grub_err_t
EXPORT_FUNC(grub_efi_linux_boot) (void *kernel_address, grub_off_t offset,
diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
index 0ed8781f037..a43adf27464 100644
index 7d44732d2..c03cc599f 100644
--- a/include/grub/efi/pe32.h
+++ b/include/grub/efi/pe32.h
@@ -223,7 +223,11 @@ struct grub_pe64_optional_header
@@ -214,7 +214,11 @@ struct grub_pe64_optional_header
struct grub_pe32_section_table
{
char name[8];
@ -1307,7 +1315,7 @@ index 0ed8781f037..a43adf27464 100644
grub_uint32_t virtual_address;
grub_uint32_t raw_data_size;
grub_uint32_t raw_data_offset;
@@ -234,12 +238,18 @@ struct grub_pe32_section_table
@@ -225,12 +229,18 @@ struct grub_pe32_section_table
grub_uint32_t characteristics;
};
@ -1330,7 +1338,7 @@ index 0ed8781f037..a43adf27464 100644
#define GRUB_PE32_SCN_ALIGN_1BYTES 0x00100000
#define GRUB_PE32_SCN_ALIGN_2BYTES 0x00200000
@@ -248,10 +258,28 @@ struct grub_pe32_section_table
@@ -239,10 +249,28 @@ struct grub_pe32_section_table
#define GRUB_PE32_SCN_ALIGN_16BYTES 0x00500000
#define GRUB_PE32_SCN_ALIGN_32BYTES 0x00600000
#define GRUB_PE32_SCN_ALIGN_64BYTES 0x00700000
@ -1359,7 +1367,7 @@ index 0ed8781f037..a43adf27464 100644
#define GRUB_PE32_SIGNATURE_SIZE 4
struct grub_pe32_header
@@ -274,6 +302,20 @@ struct grub_pe32_header
@@ -265,6 +293,20 @@ struct grub_pe32_header
#endif
};

View File

@ -9,94 +9,112 @@ won't register commands if SB is enabled."
Signed-off-by: Peter Jones <pjones@redhat.com>
---
grub-core/commands/iorw.c | 7 +++++++
grub-core/commands/memrw.c | 7 +++++++
grub-core/kern/dl.c | 3 ++-
grub-core/kern/efi/efi.c | 34 ----------------------------------
grub-core/loader/efi/appleloader.c | 7 +++++++
grub-core/Makefile.core.def | 1 +
grub-core/commands/iorw.c | 7 +++++
grub-core/commands/memrw.c | 7 +++++
grub-core/kern/dl.c | 1 +
grub-core/kern/efi/efi.c | 34 --------------------
grub-core/kern/efi/sb.c | 64 ++++++++++++++++++++++++++++++++++++++
grub-core/loader/efi/appleloader.c | 7 +++++
grub-core/loader/efi/chainloader.c | 1 +
grub-core/loader/i386/bsd.c | 7 +++++++
grub-core/loader/i386/linux.c | 7 +++++++
grub-core/loader/i386/pc/linux.c | 7 +++++++
grub-core/loader/multiboot.c | 7 +++++++
grub-core/loader/xnu.c | 7 +++++++
grub-core/loader/i386/bsd.c | 7 +++++
grub-core/loader/i386/linux.c | 7 +++++
grub-core/loader/i386/pc/linux.c | 7 +++++
grub-core/loader/multiboot.c | 7 +++++
grub-core/loader/xnu.c | 7 +++++
include/grub/efi/efi.h | 1 -
include/grub/efi/sb.h | 29 +++++++++++++++++
include/grub/ia64/linux.h | 0
include/grub/mips/linux.h | 0
include/grub/powerpc/linux.h | 0
include/grub/sparc64/linux.h | 0
16 files changed, 59 insertions(+), 36 deletions(-)
grub-core/Makefile.am | 1 +
20 files changed, 153 insertions(+), 35 deletions(-)
create mode 100644 grub-core/kern/efi/sb.c
create mode 100644 include/grub/efi/sb.h
create mode 100644 include/grub/ia64/linux.h
create mode 100644 include/grub/mips/linux.h
create mode 100644 include/grub/powerpc/linux.h
create mode 100644 include/grub/sparc64/linux.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 0b4b0c212..e92a7ef32 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -195,6 +195,7 @@ kernel = {
i386_multiboot = kern/i386/pc/acpi.c;
i386_coreboot = kern/acpi.c;
i386_multiboot = kern/acpi.c;
+ common = kern/efi/sb.c;
x86 = kern/i386/tsc.c;
x86 = kern/i386/tsc_pit.c;
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
index 584baec8f91..7b2999b14b5 100644
index a0c164e54..41a7f3f04 100644
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@@ -24,6 +24,7 @@
@@ -23,6 +23,7 @@
#include <grub/env.h>
#include <grub/cpu/io.h>
#include <grub/i18n.h>
#include <grub/lockdown.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -119,6 +120,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
cmd_read_byte =
grub_register_extcmd ("inb", grub_cmd_read, 0,
N_("PORT"), N_("Read 8-bit value from PORT."),
@@ -147,6 +151,9 @@ GRUB_MOD_INIT(memrw)
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
GRUB_MOD_FINI(memrw)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
index d401a6db0ef..39cf3a06dbd 100644
index 98769eadb..088cbe9e2 100644
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@@ -23,6 +23,7 @@
@@ -22,6 +22,7 @@
#include <grub/extcmd.h>
#include <grub/env.h>
#include <grub/i18n.h>
#include <grub/lockdown.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -121,6 +122,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
cmd_read_byte =
grub_register_extcmd ("read_byte", grub_cmd_read, 0,
N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -149,6 +153,9 @@ GRUB_MOD_INIT(memrw)
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
GRUB_MOD_FINI(memrw)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index b7149370950..7afb9e6f724 100644
index 04e804d16..621070918 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -32,6 +32,7 @@
@ -107,21 +125,12 @@ index b7149370950..7afb9e6f724 100644
/* Platforms where modules are in a readonly area of memory. */
#if defined(GRUB_MACHINE_QEMU)
@@ -704,7 +705,7 @@ grub_dl_load_file (const char *filename)
grub_dl_t mod = 0;
#ifdef GRUB_MACHINE_EFI
- if (grub_efi_secure_boot ())
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
{
#if 0
/* This is an error, but grub2-mkconfig still generates a pile of
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 4a2259aa1c7..8cff7be0289 100644
index 91129e335..708581fcb 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -286,40 +286,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
return grub_efi_get_variable_with_attributes (var, guid, datasize_out, data_out, NULL);
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
return NULL;
}
-grub_efi_boolean_t
@ -161,8 +170,78 @@ index 4a2259aa1c7..8cff7be0289 100644
#pragma GCC diagnostic ignored "-Wcast-align"
/* Search the mods section from the PE32/PE32+ image. This code uses
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
new file mode 100644
index 000000000..d74778b0c
--- /dev/null
+++ b/grub-core/kern/efi/sb.c
@@ -0,0 +1,64 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2014 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+#include <grub/cpu/linux.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/pe32.h>
+#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
+
+int
+grub_efi_secure_boot (void)
+{
+#ifdef GRUB_MACHINE_EFI
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+ if (datasize != 1 || !secure_boot)
+ {
+ grub_dprintf ("secureboot", "No SecureBoot variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+ if (datasize != 1 || !setup_mode)
+ {
+ grub_dprintf ("secureboot", "No SetupMode variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+#else
+ return 0;
+#endif
+}
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
index 74888c463ba..585f2b57385 100644
index 74888c463..69c2a10d3 100644
--- a/grub-core/loader/efi/appleloader.c
+++ b/grub-core/loader/efi/appleloader.c
@@ -24,6 +24,7 @@
@ -177,7 +256,7 @@ index 74888c463ba..585f2b57385 100644
GRUB_MOD_INIT(appleloader)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
@ -187,13 +266,13 @@ index 74888c463ba..585f2b57385 100644
GRUB_MOD_FINI(appleloader)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd);
}
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index b54cf6986fc..3ff305b1d32 100644
index af2189619..5cd9b6e08 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -34,6 +34,7 @@
@ -205,10 +284,10 @@ index b54cf6986fc..3ff305b1d32 100644
#include <grub/i18n.h>
#include <grub/net.h>
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
index 5f3290ce17b..54befc26626 100644
index 7f96515da..87709aa23 100644
--- a/grub-core/loader/i386/bsd.c
+++ b/grub-core/loader/i386/bsd.c
@@ -40,6 +40,7 @@
@@ -38,6 +38,7 @@
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/int.h>
#endif
@ -216,92 +295,92 @@ index 5f3290ce17b..54befc26626 100644
GRUB_MOD_LICENSE ("GPLv3+");
@@ -2137,6 +2138,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
GRUB_MOD_INIT (bsd)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
/* Net and OpenBSD kernels are often compressed. */
grub_dl_load ("gzio");
@@ -2176,6 +2180,9 @@ GRUB_MOD_INIT (bsd)
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
GRUB_MOD_FINI (bsd)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_freebsd);
grub_unregister_extcmd (cmd_openbsd);
grub_unregister_extcmd (cmd_netbsd);
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index dccf3bb3005..4aeb0e4b9a6 100644
index f7186be40..c84747ea8 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -37,6 +37,7 @@
@@ -35,6 +35,7 @@
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
#include <grub/machine/kernel.h>
#include <grub/safemath.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1138,6 +1139,9 @@ static grub_command_t cmd_linux, cmd_initrd;
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
GRUB_MOD_INIT(linux)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
cmd_linux = grub_register_command ("linux", grub_cmd_linux,
0, N_("Load Linux."));
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
@@ -1147,6 +1151,9 @@ GRUB_MOD_INIT(linux)
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
GRUB_MOD_FINI(linux)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd_linux);
grub_unregister_command (cmd_initrd);
}
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index 4b1750e360e..e3fa1221e81 100644
index caa76bee8..783a3cd93 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -36,6 +36,7 @@
@@ -35,6 +35,7 @@
#include <grub/i386/floppy.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
#include <grub/safemath.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -487,6 +488,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
GRUB_MOD_INIT(linux16)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
cmd_linux =
grub_register_command ("linux", grub_cmd_linux,
0, N_("Load Linux."));
@@ -504,6 +508,9 @@ GRUB_MOD_INIT(linux16)
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
GRUB_MOD_FINI(linux16)
{
+ if (grub_efi_get_secureboot () == GRUB_EFI_SECUREBOOT_MODE_ENABLED)
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd_linux);
grub_unregister_command (cmd_linux16);
grub_unregister_command (cmd_initrd);
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
index facb13f3d36..47e481f4576 100644
index 40c67e824..26df46a41 100644
--- a/grub-core/loader/multiboot.c
+++ b/grub-core/loader/multiboot.c
@@ -50,6 +50,7 @@
@ -312,63 +391,63 @@ index facb13f3d