-
Notifications
You must be signed in to change notification settings - Fork 143
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
skip empty lines in entry file #185
base: fedora-41
Are you sure you want to change the base?
Commits on Feb 6, 2023
-
All other architectures have start symbol. Hopefully this resolves: BUILDSTDERR: ././grub-mkimage: error: undefined symbol start. Signed-off-by: David Abdurachmanov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d673d42 - Browse repository at this point
Copy the full SHA d673d42View commit details -
bootstrap.conf: Force autogen.sh to use python3
The python-unversioned-command package is not installed in the buildroot, but the bootstrap script expects the python command to be present if one is not defined. So building the package leads to the following error: ./autogen.sh: line 20: python: command not found This is harmless since gnulib is included as a source anyways, because the builders can't download. But still the issue should be fixed by forcing to use python3 that's the default in Fedora now. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2ab6c45 - Browse repository at this point
Copy the full SHA 2ab6c45View commit details -
efi/http: Export {fw,http}_path variables to make them global
The fw_path environment variable is used by http_configure() function to determine the HTTP path that should be used as prefix when using relative HTTP paths. And this is stored in the http_path environment variable. Later, that variable is looked up by grub_efihttp_open() to generate the complete path to be used in the HTTP request. But these variables are not exported, which means that are not global and so are only found in the initial context. This can cause commands like configfile that create a new context to fail because the fw_path and http_path variables will not be found. Resolves: rhbz#1616395 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 38475f5 - Browse repository at this point
Copy the full SHA 38475f5View commit details -
efi/http: Enclose literal IPv6 addresses in square brackets
According to RFC 2732 (https://www.ietf.org/rfc/rfc2732.txt), literal IPv6 addresses must be enclosed in square brackets. But GRUB currently does not do this and is causing HTTP servers to send Bad Request (400) responses. For example, the following is the HTTP stream when fetching a config file: HEAD /EFI/BOOT/grub.cfg HTTP/1.1 Host: 2000:dead:beef:a::1 Accept: */* User-Agent: UefiHttpBoot/1.0 HTTP/1.1 400 Bad Request Date: Thu, 05 Mar 2020 14:46:02 GMT Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d Connection: close Content-Type: text/html; charset=iso-8859-1 and after enclosing the IPv6 address the HTTP request is successful: HEAD /EFI/BOOT/grub.cfg HTTP/1.1 Host: [2000:dead:beef:a::1] Accept: */* User-Agent: UefiHttpBoot/1.0 HTTP/1.1 200 OK Date: Thu, 05 Mar 2020 14:48:04 GMT Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d Last-Modified: Thu, 27 Feb 2020 17:45:58 GMT ETag: "206-59f924b24b1da" Accept-Ranges: bytes Content-Length: 518 Resolves: rhbz#1732765 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c49a33a - Browse repository at this point
Copy the full SHA c49a33aView commit details -
efi/net: Allow to specify a port number in addresses
The grub_efi_net_parse_address() function is not covering the case where a port number is specified in an IPv4 or IPv6 address, so will fail to parse the network address. For most cases the issue is harmless, because the function is only used to match an address with a network interface and if fails the default is used. But still is a bug that has to be fixed and it causes error messages to be printed like the following: error: net/efi/net.c:782:unrecognised network address '192.168.122.1:8080' error: net/efi/net.c:781:unrecognised network address '[2000:dead:beef:a::1]:8080' Resolves: rhbz#1732765 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1d5a347 - Browse repository at this point
Copy the full SHA 1d5a347View commit details -
efi/ip4_config: Improve check to detect literal IPv6 addresses
The grub_efi_string_to_ip4_address() function wrongly assumes that an IPv6 address is an IPv4 address, because it doesn't take into account the case of a caller passing an IPv6 address as a string. This leads to the grub_efi_net_parse_address() function to fail and print the following error message: error: net/efi/net.c:785:unrecognised network address '2000:dead:beef:a::1' Resolves: rhbz#1732765 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d38bbe2 - Browse repository at this point
Copy the full SHA d38bbe2View commit details -
efi/net: Print a debug message if parsing the address fails
Currently if parsing the address fails an error message is printed. But in most cases this isn't a fatal error since the grub_efi_net_parse_address() function is only used to match an address with a network interface to use. And if this fails, the default interface is used which is good enough for most cases. So instead of printing an error that would pollute the console just print a debug message if the address is not parsed correctly. A user can enable debug messages for the efinet driver to have information about the failure and the fact that the default interface is being used. Related: rhbz#1732765 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 5f331e8 - Browse repository at this point
Copy the full SHA 5f331e8View commit details -
kern/term: Also accept F8 as a user interrupt key
Make F8, which used to be the hotkey to show the Windows boot menu during boot for a long long time, also interrupt sleeps / stop the menu countdown. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for efea4aa - Browse repository at this point
Copy the full SHA efea4aaView commit details -
efi: Set image base address before jumping to the PE/COFF entry point
Upstream GRUB uses the EFI LoadImage() and StartImage() to boot the Linux kernel. But our custom EFI loader that supports Secure Boot instead uses the EFI handover protocol (for x86) or jumping directly to the PE/COFF entry point (for aarch64). This is done to allow the bootloader to verify the images using the shim lock protocol to avoid booting untrusted binaries. Since the bootloader loads the kernel from the boot media instead of using LoadImage(), it is responsible to set the Loaded Image base address before booting the kernel. Otherwise the kernel EFI stub will complain that it was not set correctly and print the following warning message: EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value Resolves: rhbz#1814690 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c003e1b - Browse repository at this point
Copy the full SHA c003e1bView commit details -
tpm: Don't propagate TPM measurement errors to the verifiers layer
Currently if the EFI firmware fails to do a TPM measurement for a file, the error will be propagated to the verifiers framework and so opening the file will not succeed. This mean that buggy firmwares will prevent the system to boot since the loader won't be able to open any file. But failing to do TPM measurements shouldn't be a fatal error and the system should still be able to boot. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2b21b64 - Browse repository at this point
Copy the full SHA 2b21b64View commit details -
x86-efi: Reduce maximum bounce buffer size to 16 MiB
The EFI linux loader allocates a bounce buffer to copy the initrd since in some machines doing DMA on addresses above 4GB is not possible during EFI. But the verifiers framework also allocates a buffer to copy the initrd in its grub_file_open() handler. It does this since the data to verify has to be passed as a single chunk to modules that use the verifiers framework. If the initrd image size is big there may not be enough memory in the heap to allocate two buffers of that size. This causes an allocation failure in the verifiers framework and leads to the initrd not being read. To prevent these allocation failures, let's reduce the maximum size of the bounce buffer used in the EFI loader. Since the data read can be copied to the actual initrd address in multilple chunks. Resolves: rhbz#1838633 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b6da5b7 - Browse repository at this point
Copy the full SHA b6da5b7View commit details -
http: Prepend prefix when the HTTP path is relative as done in efi/http
There are two different HTTP drivers that can be used when requesting an HTTP resource: the efi/http that uses the EFI_HTTP_PROTOCOL and the http that uses GRUB's HTTP and TCP/IP implementation. The efi/http driver appends a prefix that is defined in the variable http_path, but the http driver doesn't. So using this driver and attempting to fetch a resource using a relative path fails. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f0e1443 - Browse repository at this point
Copy the full SHA f0e1443View commit details -
Fix a missing return in efi-export-env and efi-load-env commands
Somewhere along the way this got mis-merged to include a return without a value. Fix it up. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0974ee5 - Browse repository at this point
Copy the full SHA 0974ee5View commit details -
efi+dhcp: fix some allocation error checking.
Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8c89092 - Browse repository at this point
Copy the full SHA 8c89092View commit details -
efi+http: fix some allocation error checking.
Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8a8faa7 - Browse repository at this point
Copy the full SHA 8a8faa7View commit details -
efi/ip[46]_config.c: fix some potential allocation overflows
In theory all of this data comes from the firmware stack and it should be safe, but it's better to be paranoid. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8368fef - Browse repository at this point
Copy the full SHA 8368fefView commit details -
efilinux: Fix integer overflows in grub_cmd_initrd
These could be triggered by an extremely large number of arguments to the initrd command on 32-bit architectures, or a crafted filesystem with very large files on any architecture. Signed-off-by: Colin Watson <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2ad5343 - Browse repository at this point
Copy the full SHA 2ad5343View commit details -
linuxefi: fail kernel validation without shim protocol.
If certificates that signed grub are installed into db, grub can be booted directly. It will then boot any kernel without signature validation. The booted kernel will think it was booted in secureboot mode and will implement lockdown, yet it could have been tampered. This version of the patch skips calling verification, when booted without secureboot. And is indented with gnu ident. CVE-2020-15705 Reported-by: Mathieu Trudel-Lapierre <[email protected]> Signed-off-by: Dimitri John Ledkov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 717c829 - Browse repository at this point
Copy the full SHA 717c829View commit details -
Fix const char ** pointers in grub-core/net/bootp.c
This will need to get folded back in the right place on the next rebase, but it's before "Make grub_strtol() "end" pointers have safer const qualifiers" currently, so for now I'm leaving it here instead of merging it back with the original patch. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ffff971 - Browse repository at this point
Copy the full SHA ffff971View commit details -
Fix const char ** pointers in grub-core/net/efi/ip4_config.c
This will need to get folded back in the right place on the next rebase, but it's before "Make grub_strtol() "end" pointers have safer const qualifiers" currently, so for now I'm leaving it here instead of merging it back with the original patch. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f7a7989 - Browse repository at this point
Copy the full SHA f7a7989View commit details -
Fix const char ** pointers in grub-core/net/efi/ip6_config.c
This will need to get folded back in the right place on the next rebase, but it's before "Make grub_strtol() "end" pointers have safer const qualifiers" currently, so for now I'm leaving it here instead of merging it back with the original patch. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3e2b6b2 - Browse repository at this point
Copy the full SHA 3e2b6b2View commit details -
Fix const char ** pointers in grub-core/net/efi/net.c
This will need to get folded back in the right place on the next rebase, but it's before "Make grub_strtol() "end" pointers have safer const qualifiers" currently, so for now I'm leaving it here instead of merging it back with the original patch. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7ea499c - Browse repository at this point
Copy the full SHA 7ea499cView commit details -
Fix const char ** pointers in grub-core/net/efi/pxe.c
This will need to get folded back in the right place on the next rebase, but it's before "Make grub_strtol() "end" pointers have safer const qualifiers" currently, so for now I'm leaving it here instead of merging it back with the original patch. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 58b7b11 - Browse repository at this point
Copy the full SHA 58b7b11View commit details -
Add systemd integration scripts to make "systemctl reboot --boot-load…
…er-menu=xxx" work with grub This commit adds a number of scripts / config files to make "systemctl reboot --boot-loader-menu=xxx" work with grub: 1. /lib/systemd/system/systemd-logind.service.d/10-grub.conf This sets SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU in the env. for logind, indicating that the boot-loader which is used supports this feature, see: https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md 2. /lib/systemd/system/grub-systemd-integration.service /lib/systemd/system/reboot.target.wants/grub-systemd-integration.service -> ../grub-systemd-integration.service /usr/libexec/grub/grub-systemd-integration.sh The symlink in the .wants dir causes the added service file to be started by systemd just before rebooting the system. If /run/systemd/reboot-to-boot-loader-menu exist then the service will run the grub-systemd-integration.sh script. This script sets the new menu_show_once_timeout grubenv variable to the requested timeout in seconds. 3. /etc/grub.d/14_menu_show_once This new grub-mkconfig snippet adds the necessary code to the generated grub.conf to honor the new menu_show_once_timeout variable, and to automatically clear it after consuming it. Note the service and libexec script use grub-systemd-integration as name because in the future they may be used to add further integration with systemctl reboot --foo options, e.g. support for --boot-loader-entry=NAME. A few notes about upstreaming this patch from the rhboot grub2 fork: 1. I have deliberately put the grub.conf bits for this in a new / separate grub-mkconfig snippet generator for easy upstreaming 2. Even though the commit message mentions the .wants symlink for the .service I have been unable to come up with a clean way to do this at "make install" time, this should be fixed before upstreaming. Downstream notes: 1. Since make install does not add the .wants symlink, this needs to be done in grub2.spec %install 2. This is keeping support for the "old" Fedora specific menu_show_once env variable, which has a hardcoded timeout of 60 sec in 12_menu_auto_hide in place for now. This can be dropped (eventually) in a follow-up patch once GNOME has been converted to use the systemd dbus API equivalent of "systemctl reboot --boot-loader-menu=xxx". Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3969849 - Browse repository at this point
Copy the full SHA 3969849View commit details -
systemd-integration.sh: Also set old menu_show_once grubenv var
Downstream RH / Fedora patch for compatibility with old, not (yet) regenerated grub.cfg files which miss the menu_show_once_timeout check. This older grubenv variable leads to a fixed timeout of 60 seconds. Note that the new menu_show_once_timeout will overrule these 60 seconds if both are set and the grub.cfg does have the menu_show_once_timeout check. Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a409d43 - Browse repository at this point
Copy the full SHA a409d43View commit details -
at_keyboard: use set 1 when keyboard is in Translate mode
When keyboard controller acts in Translate mode (0x40 mask), then use set 1 since translation is done. Otherwise use the mode queried from the controller (usually set 2). Added "atkeyb" debugging messages in at_keyboard module as well. Resolves: rhbz#1897587 Tested on: - Asus N53SN (set 1 used) - Dell Precision (set 1 used) - HP Elitebook (set 2 used) - HP G5430 (set 1 used, keyboard in XT mode!) - Lenovo P71 & Lenovo T460s (set 2 used) - QEMU/KVM (set 1 used) Signed-off-by: Renaud Métrich <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0ca0907 - Browse repository at this point
Copy the full SHA 0ca0907View commit details -
grub-install: disable support for EFI platforms
For each platform, GRUB is shipped as a kernel image and a set of modules. These files are then used by the grub-install utility to install GRUB on a specific device. However, in order to support UEFI Secure Boot, the resulting EFI binary must be signed by a recognized private key. For this reason, for EFI platforms, most distributions also ship prebuilt EFI binaries signed by a distribution-specific private key. In this case, however, the grub-install utility should not be used because it would overwrite the signed EFI binary. The current fix is suboptimal because it preserves all EFI-related code. A better solution could be to modularize the code and provide a build-time option. Resolves: rhbz#1737444 Signed-off-by: Jan Hlavac <[email protected]> [rharwood: drop man page]
Configuration menu - View commit details
-
Copy full SHA for 8a95071 - Browse repository at this point
Copy the full SHA 8a95071View commit details -
New --with-debug-timestamps configure flag to prepend debug traces wi…
…th absolute and relative timestamp Signed-off-by: Renaud Métrich <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ac68b23 - Browse repository at this point
Copy the full SHA ac68b23View commit details -
Added debug statements to grub_disk_open() and grub_disk_close() on s…
…uccess Signed-off-by: Renaud Métrich <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f9b7176 - Browse repository at this point
Copy the full SHA f9b7176View commit details -
Introduce function grub_debug_is_enabled(void) returning 1 if 'debug'…
… is in the environment and not empty Signed-off-by: Renaud Métrich <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b84b54c - Browse repository at this point
Copy the full SHA b84b54cView commit details -
Don't clear screen when debugging is enabled
Signed-off-by: Renaud Métrich <[email protected]> [[email protected]: rebase fuzz] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cfe9f9b - Browse repository at this point
Copy the full SHA cfe9f9bView commit details -
kern/file: Fix error handling in grub_file_open()
grub_file_open() calls grub_file_get_device_name(), but doesn't check the return. Instead, it checks if grub_errno is set. However, nothing initialises grub_errno here when grub_file_open() starts. This means that trying to open one file that doesn't exist and then trying to open another file that does will (incorrectly) also fail to open that second file. Let's fix that. Signed-off-by: Steve McIntyre <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3594ccd - Browse repository at this point
Copy the full SHA 3594ccdView commit details -
grub_file_* instrumentation (new 'file' debug tag)
Signed-off-by: Renaud Métrich <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a780b6e - Browse repository at this point
Copy the full SHA a780b6eView commit details -
ieee1275: Avoiding many unecessary open/close
Signed-off-by: Diego Domingos <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cee8c5d - Browse repository at this point
Copy the full SHA cee8c5dView commit details -
ieee1275/powerpc: implements fibre channel discovery for ofpathname
grub-ofpathname doesn't work with fibre channel because there is no function currently implemented for it. This patch enables it by prividing a function that looks for the port name, building the entire path for OF devices. Signed-off-by: Diego Domingos <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8506b2f - Browse repository at this point
Copy the full SHA 8506b2fView commit details -
ieee1275/powerpc: enables device mapper discovery
this patch enables the device mapper discovery on ofpath.c. Currently, when we are dealing with a device like /dev/dm-* the ofpath returns null since there is no function implemented to handle this case. This patch implements a function that will look into /sys/block/dm-* devices and search recursively inside slaves directory to find the root disk. Signed-off-by: Diego Domingos <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cce9dc5 - Browse repository at this point
Copy the full SHA cce9dc5View commit details -
Add 'at_keyboard_fallback_set' var to force the set manually
This seems required with HP DL380p Gen 8 systems. Indeed, with this system, we can see the following sequence: 1. controller is queried to get current configuration (returns 0x30 which is quite standard) 2. controller is queried to get the current keyboard set in used, using code 0xf0 (first part) 3. controller answers with 0xfa which means "ACK" (== ok) 4. then we send "0" to tell "we want to know which set your are supporting" 5. controller answers with 0xfa ("ACK") 6. controller should then give us 1, 2, 3 or 0x43, 0x41, 0x3f, but here it gives us 0xfe which means "NACK" Since there seems no way to determine the current set, and in fact the controller expects set2 to be used, we need to rely on an environment variable. Everything has been tested on this system: using 0xFE (resend command), making sure we wait for ACK in the 2 steps "write_mode", etc. Below is litterature I used to come up with "there is no other solution": - https://wiki.osdev.org/%228042%22_PS/2_Controller - http://www-ug.eecg.toronto.edu/msl/nios_devices/datasheets/PS2%20Keyboard%20Protocol.htm - http://www.s100computers.com/My%20System%20Pages/MSDOS%20Board/PC%20Keyboard.pdf Signed-off-by: Renaud Métrich <[email protected]> Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f94fe88 - Browse repository at this point
Copy the full SHA f94fe88View commit details -
Add suport for signing grub with an appended signature
Add infrastructure to allow firmware to verify the integrity of grub by use of a Linux-kernel-module-style appended signature. We initially target powerpc-ieee1275, but the code should be extensible to other platforms. Usually these signatures are appended to a file without modifying the ELF file itself. (This is what the 'sign-file' tool does, for example.) The verifier loads the signed file from the file system and looks at the end of the file for the appended signature. However, on powerpc-ieee1275 platforms, the bootloader is often stored directly in the PReP partition as raw bytes without a file-system. This makes determining the location of an appended signature more difficult. To address this, we add a new ELF note. The name field of shall be the string "Appended-Signature", zero-padded to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values for the string "ASig"). It must be the final section in the ELF binary. The description shall contain the appended signature structure as defined by the Linux kernel. The description will also be padded to be a multiple of 4 bytes. The padding shall be added before the appended signature structure (not at the end) so that the final bytes of a signed ELF file are the appended signature magic. A subsequent patch documents how to create a grub core.img validly signed under this scheme. Signed-off-by: Daniel Axtens <[email protected]> Signed-off-by: Rashmica Gupta <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b31e001 - Browse repository at this point
Copy the full SHA b31e001View commit details -
docs/grub: Document signing grub under UEFI
Before adding information about how grub is signed with an appended signature scheme, it's worth adding some information about how it can currently be signed for UEFI. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for e99dcf2 - Browse repository at this point
Copy the full SHA e99dcf2View commit details -
docs/grub: Document signing grub with an appended signature
Signing grub for firmware that verifies an appended signature is a bit fiddly. I don't want people to have to figure it out from scratch so document it here. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 80672b9 - Browse repository at this point
Copy the full SHA 80672b9View commit details -
dl: provide a fake grub_dl_set_persistent for the emu target
Trying to start grub-emu with a module that calls grub_dl_set_persistent will crash because grub-emu fakes modules and passes NULL to the module init function. Provide an empty function for the emu case. Fixes: ee7808e (dl: Add support for persistent modules) Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 552274c - Browse repository at this point
Copy the full SHA 552274cView commit details -
rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme. We want to use it in other RSA signature verification applications. I considered and rejected putting it in lib/crypto.c. That file doesn't currently require any MPI functions, but rsa_pad does. That's not so much of a problem for the grub kernel and modules, but crypto.c also gets built into all the grub utilities. So - despite the utils not using any asymmetric ciphers - we would need to built the entire MPI infrastructure in to them. A better and simpler solution is just to spin rsa_pad out into its own PKCS#1 v1.5 module. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8e913d5 - Browse repository at this point
Copy the full SHA 8e913d5View commit details -
crypto: move storage for grub_crypto_pk_* to crypto.c
The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the pgp module is a bit quirky. include/grub/crypto.h contains: extern struct gcry_pk_spec *grub_crypto_pk_rsa; commands/pgp.c contains the actual storage: struct gcry_pk_spec *grub_crypto_pk_rsa; And the module itself saves to the storage in pgp.c: GRUB_MOD_INIT(gcry_rsa) { grub_crypto_pk_rsa = &_gcry_pubkey_spec_rsa; } This is annoying: gcry_rsa now has a dependency on pgp! We want to be able to bring in gcry_rsa without bringing in PGP, so move the storage to crypto.c. Previously, gcry_rsa depended on pgp and mpi. Now it depends on crypto and mpi. As pgp depends on crypto, this doesn't add any new module dependencies using the PGP verfier. [FWIW, the story is different for the symmetric ciphers. cryptodisk and friends (zfs encryption etc) use grub_crypto_lookup_cipher_by_name() to get a cipher handle. That depends on grub_ciphers being populated by people calling grub_cipher_register. import_gcry.py ensures that the symmetric ciphers call it.] Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a9b8125 - Browse repository at this point
Copy the full SHA a9b8125View commit details -
posix_wrap: tweaks in preparation for libtasn1
- Define SIZEOF_UNSIGNED_LONG_INT, it's the same as SIZEOF_UNSIGNED_LONG. - Define WORD_BIT, the size in bits of an int. This is a defined in the Single Unix Specification and in gnulib's limits.h. gnulib assumes it's 32 bits on all our platforms, including 64 bit platforms, so we also use that value. - Provide strto[u]l[l] preprocessor macros that resolve to grub_strto[u]l[l]. To avoid gcrypt redefining strtoul, we also define HAVE_STRTOUL here. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c671275 - Browse repository at this point
Copy the full SHA c671275View commit details -
libtasn1: import libtasn1-4.16.0
Import a very trimmed-down set of libtasn1 files: pushd /tmp wget https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.16.0.tar.gz popd pushd grub-core/lib mkdir libtasn1 cp /tmp/libtasn1-4.16.0/{README.md,LICENSE} libtasn1/ mkdir libtasn1/lib cp /tmp/libtasn1-4.16.0/lib/{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h} libtasn1/lib cp /tmp/libtasn1-4.16.0/lib/includes/libtasn1.h ../../include/grub/ git add libtasn1/ ../../include/grub/libtasn1.h popd Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 24714df - Browse repository at this point
Copy the full SHA 24714dfView commit details -
libtasn1: disable code not needed in grub
We don't expect to be able to write ASN.1, only read it, so we can disable some code. Do that with #if 0/#endif, rather than deletion. This means that the difference between upstream and grub is smaller, which should make updating libtasn1 easier in the future. With these exclusions we also avoid the need for minmax.h, which is convenient because it means we don't have to import it from gnulib. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a48f811 - Browse repository at this point
Copy the full SHA a48f811View commit details -
libtasn1: changes for grub compatibility
Do a few things to make libtasn1 compile as part of grub: - replace strcat. grub removed strcat so replace it with the appropriate calls to memcpy and strlen. - replace c_isdigit with grub_isdigit (and don't import c-ctype from gnulib) grub_isdigit provides the same functionality as c_isdigit: it determines if the input is an ASCII digit without regard for locale. - replace GL_ATTRIBUTE_PURE with __attribute__((pure)) which been supported since gcc-2.96. This avoids messing around with gnulib. - adjust libtasn1.h: drop the ASN1_API logic, it's not needed for our modules. Unconditionally support const and pure attributes and adjust header paths. - adjust header paths to "grub/libtasn1.h". - replace a 64 bit division with a call to grub_divmod64, preventing creation of __udivdi3 calls on 32 bit platforms. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 05cbc93 - Browse repository at this point
Copy the full SHA 05cbc93View commit details -
libtasn1: compile into asn1 module
Create a wrapper file that specifies the module license. Set up the makefile so it is built. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 17dad74 - Browse repository at this point
Copy the full SHA 17dad74View commit details -
test_asn1: test module for libtasn1
Import tests from libtasn1 that don't use functionality we don't import. I have put them here rather than in the libtasn1 directory because: - They need much more significant changes to run in the grub context. - I don't expect they will need to be changed when updating libtasn1: I expect the old tests will usually continue to pass on new versions. This doesn't test the full decoder but that will be exercised in test suites for coming patch sets. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7608c15 - Browse repository at this point
Copy the full SHA 7608c15View commit details -
grub-install: support embedding x509 certificates
To support verification of appended signatures, we need a way to embed the necessary public keys. Existing appended signature schemes in the Linux kernel use X.509 certificates, so allow certificates to be embedded in the grub core image in the same way as PGP keys. Signed-off-by: Alastair D'Silva <[email protected]> Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c1c59a9 - Browse repository at this point
Copy the full SHA c1c59a9View commit details -
appended signatures: import GNUTLS's ASN.1 description files
In order to parse PKCS#7 messages and X.509 certificates with libtasn1, we need some information about how they are encoded. We get these from GNUTLS, which has the benefit that they support the features we need and are well tested. The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing us to import it without issue. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9fec78f - Browse repository at this point
Copy the full SHA 9fec78fView commit details -
appended signatures: parse PKCS#7 signedData and X.509 certificates
This code allows us to parse: - PKCS#7 signedData messages. Only a single signerInfo is supported, which is all that the Linux sign-file utility supports creating out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported. Any certificate embedded in the PKCS#7 message will be ignored. - X.509 certificates: at least enough to verify the signatures on the PKCS#7 messages. We expect that the certificates embedded in grub will be leaf certificates, not CA certificates. The parser enforces this. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ccea040 - Browse repository at this point
Copy the full SHA ccea040View commit details -
appended signatures: support verifying appended signatures
Building on the parsers and the ability to embed x509 certificates, as well as the existing gcrypt functionality, add a module for verifying appended signatures. This includes a verifier that requires that Linux kernels and grub modules have appended signatures, and commands to manage the list of trusted certificates for verification. Verification must be enabled by setting check_appended_signatures. If GRUB is locked down when the module is loaded, verification will be enabled and locked automatically. As with the PGP verifier, it is not a complete secure-boot solution: other mechanisms, such as a password or lockdown, must be used to ensure that a user cannot drop to the grub shell and disable verification. Signed-off-by: Daniel Axtens <[email protected]> [pjones: fix missing format specifier] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 63dc476 - Browse repository at this point
Copy the full SHA 63dc476View commit details -
appended signatures: verification tests
These tests are run through all_functional_test and test a range of commands and behaviours. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 63c6f04 - Browse repository at this point
Copy the full SHA 63c6f04View commit details -
appended signatures: documentation
This explains how appended signatures can be used to form part of a secure boot chain, and documents the commands and variables introduced. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3340363 - Browse repository at this point
Copy the full SHA 3340363View commit details -
ieee1275: enter lockdown based on /ibm,secure-boot
If the 'ibm,secure-boot' property of the root node is 2 or greater, enter lockdown. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a986f59 - Browse repository at this point
Copy the full SHA a986f59View commit details -
ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE
HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except on ieee1275 on x86, where it is 64MB. There is a comment which purports to explain it: /* If possible, we will avoid claiming heap above this address, because it seems to cause relocation problems with OSes that link at 4 MiB */ This doesn't make a lot of sense when the constants are well above 4MB already. It was not always this way. Prior to commit 7b5d0fe ("Increase heap limit") in 2010, HEAP_MAX_SIZE and HEAP_MAX_ADDR were indeed 4MB. However, when the constants were increased the comment was left unchanged. It's been over a decade. It doesn't seem like we have problems with claims over 4MB on powerpc or x86 ieee1275. (sparc does things completely differently and never used the constant.) Drop the constant and the check. The only use of HEAP_MIN_SIZE was to potentially override the HEAP_MAX_ADDR check. It is now unused. Remove it. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9531565 - Browse repository at this point
Copy the full SHA 9531565View commit details
Commits on Feb 8, 2023
-
appendedsig/x509: Also handle the Extended Key Usage extension
Red Hat certificates have both Key Usage and Extended Key Usage extensions present, but the appended signatures x509 parser doesn't handle the latter and so buils due finding an unrecognised critical extension: Error loading initial key: ../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37 Fix this by also parsing the Extended Key Usage extension and handle it by verifying that the certificate has a single purpose, that is code signing. Signed-off-by: Javier Martinez Canillas <[email protected]> Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 74774af - Browse repository at this point
Copy the full SHA 74774afView commit details -
ieee1275/ofdisk: retry on open failure
This patch aims to make grub more robust when booting from SAN/Multipath disks. If a path is failing intermittently so grub will retry the OPEN and READ the disk (grub_ieee1275_open and grub_ieee1275_read) until the total amount of times specified in MAX_RETRIES. Signed-off-by: Diego Domingos <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7baa6fd - Browse repository at this point
Copy the full SHA 7baa6fdView commit details -
Allow chainloading EFI apps from loop mounts.
Signed-off-by: Dimitri John Ledkov <[email protected]> Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2051b97 - Browse repository at this point
Copy the full SHA 2051b97View commit details -
efinet: Add DHCP proxy support
If a proxyDHCP configuration is used, the server name, server IP and boot file values should be taken from the DHCP proxy offer instead of the DHCP server ack packet. Currently that case is not handled, add support for it. Signed-off-by: Ian Page Hands <[email protected]> Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1794ae0 - Browse repository at this point
Copy the full SHA 1794ae0View commit details -
fs/ext2: Ignore checksum seed incompat feature
This incompat feature is used to denote that the filesystem stored its metadata checksum seed in the superblock. This is used to allow tune2fs to change the UUID on a mounted metadata_csum filesystem without having to rewrite all the disk metadata. But GRUB doesn't use the metadata checksum in anyway, so can just ignore this feature if is enabled. This is consistent with GRUB filesystem code in general which just does a best effort to access the filesystem's data. It may be removed from the ignored list in the future if supports to do metadata checksumming verification is added to the read-only FS driver. Suggested-by: Eric Sandeen <[email protected]> Suggested-by: Lukas Czerner <[email protected]> Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6e677b7 - Browse repository at this point
Copy the full SHA 6e677b7View commit details -
Don't update the cmdline when generating legacy menuentry commands
On OPAL ppc64le machines with an old petitboot version that doesn't have support to parse BLS snippets, the grub2-mkconfig script is executed to generate menuentry commands from the BLS snippets. In this case, the script is executed with the --no-grubenv-update option that indicates that no side effects should happen when running the script. But the options field in the BLS snippets are updated regardless, only do the update if --no-grubenv-update was not used. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 96d376f - Browse repository at this point
Copy the full SHA 96d376fView commit details -
Suppress gettext error message
Colin Watson's patch from comment rhboot#11 on the upstream bug: https://savannah.gnu.org/bugs/?35880#comment11 Resolves: rhbz#1592124 Signed-off-by: Paulo Flabiano Smorigo <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ebffb6e - Browse repository at this point
Copy the full SHA ebffb6eView commit details -
grub-set-password: Always use /boot/grub2/user.cfg as password default
The GRUB configuration file is always placed in /boot/grub2/ now, even for EFI. But the tool is still creating the user.cfg in the ESP and not there. Resolves: rhbz#1955294 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7239341 - Browse repository at this point
Copy the full SHA 7239341View commit details -
templates: Check for EFI at runtime instead of config generation time
The 30_uefi-firmware template checks if an OsIndicationsSupported UEFI var exists and EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, to decide whether a "fwsetup" menu entry would be added or not to the GRUB menu. But this has the problem that it will only work if the configuration file was created on an UEFI machine that supports booting to a firmware UI. This for example doesn't support creating GRUB config files when executing on systems that support both UEFI and legacy BIOS booting. Since creating the config file from legacy BIOS wouldn't allow to access the firmware UI. To prevent this, make the template to unconditionally create the grub.cfg snippet but check at runtime if was booted through UEFI to decide if this entry should be added. That way it won't be added when booting with BIOS. There's no need to check if EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, since that's already done by the "fwsetup" command when is executed. Resolves: rhbz#1823864 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2ea9329 - Browse repository at this point
Copy the full SHA 2ea9329View commit details -
efi: Print an error if boot to firmware setup is not supported
The "fwsetup" command is only registered if the firmware supports booting to the firmware setup UI. But it could be possible that the GRUB config already contains a "fwsetup" entry, because it was generated in a machine that has support for this feature. To prevent users getting a "can't find command `fwsetup`" error if it is not supported by the firmware, let's just always register the command but print a more accurate message if the firmware doesn't support this option. Resolves: rhbz#1823864 Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7966a53 - Browse repository at this point
Copy the full SHA 7966a53View commit details -
arm64: Fix EFI loader kernel image allocation
We are currently allocating just enough memory for the file size, which means that the kernel BSS is in limbo (and not even zeroed). We are also not honoring the alignment specified in the image PE header. This makes us use the PE optional header in which the kernel puts the actual size it needs, including BSS, and make sure we clear it, and honors the specified alignment for the image. Signed-off-by: Benjamin Herrenschmidt <[email protected]> [pjones: arm: check for the PE magic for the compiled arch] Signed-off-by: Peter Jones <[email protected]> Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 24b32a6 - Browse repository at this point
Copy the full SHA 24b32a6View commit details -
normal/main: Discover the device to read the config from as a fallback
The GRUB core.img is generated locally, when this is done the grub2-probe tool figures out the device and partition that needs to be read to parse the GRUB configuration file. But in some cases the core.img can't be generated on the host and instead has to be done at package build time. For example, if needs to get signed with a key that's only available on the package building infrastructure. If that's the case, the prefix variable won't have a device and partition but only a directory path. So there's no way for GRUB to know from which device has to read the configuration file. To allow GRUB to continue working on that scenario, fallback to iterating over all the available devices, if reading the config failed when using the prefix and fw_path variables. Signed-off-by: Javier Martinez Canillas <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9fa2ef9 - Browse repository at this point
Copy the full SHA 9fa2ef9View commit details -
powerpc: adjust setting of prefix for signed binary case
On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect that there's a boot partition. Unfortunately grub_set_prefix_and_root tries to convert this to ($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that falls apart pretty quickly - there's no file-system on ieee1275/disk, and it makes the search routine try things like (ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work. Detect if we would be about to create (ieee1275/disk)/path and don't: preserve a prefix of /path instead and hope the search later finds us. Related: rhbz#1899864 Signed-off-by: Daniel Axtens <[email protected]> [[email protected]: squash in fixup commit] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8de4079 - Browse repository at this point
Copy the full SHA 8de4079View commit details -
fs/xfs: Fix unreadable filesystem with v4 superblock
The commit 8b1e5d1 (fs/xfs: Add bigtime incompat feature support) introduced the bigtime support by adding some features in v3 inodes. This change extended grub_xfs_inode struct by 76 bytes but also changed the computation of XFS_V2_INODE_SIZE and XFS_V3_INODE_SIZE. Prior this commit, XFS_V2_INODE_SIZE was 100 bytes. After the commit it's 84 bytes XFS_V2_INODE_SIZE becomes 16 bytes too small. As a result, the data structures aren't properly aligned and the GRUB generates "attempt to read or write outside of partition" errors when trying to read the XFS filesystem: GNU GRUB version 2.11 .... grub> set debug=efi,gpt,xfs grub> insmod part_gpt grub> ls (hd0,gpt1)/ partmap/gpt.c:93: Read a valid GPT header partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (739521961424144223) - 344365866970255880, 3840 error: attempt to read or write outside of partition. This commit change the XFS_V2_INODE_SIZE computation by subtracting 76 bytes instead of 92 bytes from the actual size of grub_xfs_inode struct. This 76 bytes value comes from added members: 20 grub_uint8_t unused5 1 grub_uint64_t flags2 48 grub_uint8_t unused6 This patch explicitly splits the v2 and v3 parts of the structure. The unused4 is still ending of the v2 structures and the v3 starts at unused5. Thanks to this we will avoid future corruptions of v2 or v3 inodes. The XFS_V2_INODE_SIZE is returning to its expected size and the filesystem is back to a readable state: GNU GRUB version 2.11 .... grub> set debug=efi,gpt,xfs grub> insmod part_gpt grub> ls (hd0,gpt1)/ partmap/gpt.c:93: Read a valid GPT header partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:931: Reading sb fs/xfs.c:270: Validating superblock fs/xfs.c:295: XFS v4 superblock detected fs/xfs.c:962: Reading root ino 128 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (128) - 64, 0 fs/xfs.c:515: Reading inode (131) - 64, 768 efi/ fs/xfs.c:515: Reading inode (3145856) - 1464904, 0 grub2/ fs/xfs.c:515: Reading inode (132) - 64, 1024 grub/ fs/xfs.c:515: Reading inode (139) - 64, 2816 grub> Fixes: 8b1e5d1 (fs/xfs: Add bigtime incompat feature support) Signed-off-by: Erwan Velu <[email protected]> Tested-by: Carlos Maiolino <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit a4b4955)
Configuration menu - View commit details
-
Copy full SHA for dcf581b - Browse repository at this point
Copy the full SHA dcf581bView commit details -
Print module name on license check failure
At the very least, this will make it easier to track down the problem module - or, if something else has gone wrong, provide more information for debugging. Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 1ecd056 - Browse repository at this point
Copy the full SHA 1ecd056View commit details -
powerpc-ieee1275: load grub at 4MB, not 2MB
This was first reported under PFW but reproduces under SLOF. - The core.elf was 2126152 = 0x207148 bytes in size with the following program headers (per readelf): Entry point 0x200000 There are 4 program headers, starting at offset 52 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000160 0x00200000 0x00200000 0x21f98 0x2971c RWE 0x8 GNU_STACK 0x0220f8 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 LOAD 0x0220f8 0x00232000 0x00232000 0x1e4e50 0x1e4e50 RWE 0x4 NOTE 0x206f48 0x00000000 0x00000000 0x00200 0x00000 R 0x4 - SLOF places the ELF file at 0x4000 (after the reserved space for interrupt handlers etc.) upwards. The image was 2126152 = 0x207148 bytes in size, so it runs from 0x4000 - 0x20b148. We'll call 0x4000 the load address. 0x0 0x4000 0x20b148 |----------|--------------| | reserved | ELF contents | - SLOF then copies the first LOAD program header (for .text). That runs for 0x21f98 bytes. It runs from (load addr + 0x160) to (load addr + 0x160 + 0x21f98) = 0x4160 to 0x260f8 and we copy it to 0x200000 to 0x221f98. This overwrites the end of the image: 0x0 0x4000 0x200000 0x221f98 |----------|------------|---------------| | reserved | ELF cont.. | .text section | - SLOF zeros the bss up to PhysAddr + MemSize = 0x22971c 0x0 0x4000 0x200000 0x221f98 0x22971c |----------|------------|---------------|--------| | reserved | ELF cont.. | .text section | bss 0s | - SLOF then goes to fulfil the next LOAD header (for mods), which is for 0x1e4e50 bytes. We copy from (load addr + 0x220f8) to (load addr + 0x220f8 + 0x1e4e50) = 0x260f8 to 0x20af48 and we copy it to 0x232000 to 0x416e50: 0x0 0x4000 0x200000 0x221f98 0x22971c |----------|------------|---------------|--------| | reserved | ELF cont.. | .text section | bss 0s | |-------------| | copied area | 0x260f8 0x20af48 This goes poorly: 0x0 0x4000 0x200000 0x221f98 0x22971c 0x232000 0x40bf08 0x416e50 |----------|------------|---------------|--------|-----|-----------|-------------| | reserved | ELF cont.. | .text section | bss 0s | pad | some mods | .text start | This matches the observations on the running system - 0x40bf08 was where the contents of memory no longer matched the contents of the ELF file. This was reported as a license verification failure on SLOF as the last module's .module_license section fell past where the corruption began. Signed-off-by: Daniel Axtens <[email protected]> [[email protected]: trim very detailed commit message] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b35e360 - Browse repository at this point
Copy the full SHA b35e360View commit details -
grub-mkconfig: restore umask for grub.cfg
Since commit: ab2e53c grub-mkconfig: Honor a symlink when generating configuration by grub-mkconfig has inadvertently discarded umask for creating grub.cfg in the process of grub-mkconfig. The resulting wrong permission (0644) would allow unprivileged users to read grub's configuration file content. This presents a low confidentiality risk as grub.cfg may contain non-secured plain-text passwords. This patch restores the missing umask and set the file mode of creation to 0600 preventing unprivileged access. Fixes: CVE-2021-3981 Signed-off-by: Michael Chang <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 31dd7ff - Browse repository at this point
Copy the full SHA 31dd7ffView commit details -
fs/btrfs: Use full btrfs bootloader area
Up to now GRUB can only embed to the first 64 KiB before primary superblock of btrfs, effectively limiting the GRUB core size. That could consequently pose restrictions to feature enablement like advanced zstd compression. This patch attempts to utilize full unused area reserved by btrfs for the bootloader outlined in the document [1]: The first 1MiB on each device is unused with the exception of primary superblock that is on the offset 64KiB and spans 4KiB. Apart from that, adjacent sectors to superblock and first block group are not used for embedding in case of overflow and logged access to adjacent sectors could be useful for tracing it up. This patch has been tested to provide out of the box support for btrfs zstd compression with which GRUB has been installed to the partition. [1] https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)#BOOTLOADER_SUPPORT Signed-off-by: Michael Chang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit b0f06a8)
Configuration menu - View commit details
-
Copy full SHA for b612cdc - Browse repository at this point
Copy the full SHA b612cdcView commit details -
Add Fedora location of DejaVu SANS font
In Fedora 35, and possibly earlier, grub would fail to configure with a complaint about DejaVu being "not found" even though it was installed. The DejaVu sans font search path is updated to reflect the distribution's current install path. Signed-off-by: Erik Edwards <[email protected]> [[email protected]: slight commit message edits] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b712a75 - Browse repository at this point
Copy the full SHA b712a75View commit details -
normal/menu: Don't show "Booting `%s'" msg when auto-booting with TIM…
…EOUT_STYLE_HIDDEN When the user has asked the menu code to be hidden/quiet and the current entry is being autobooted because the timeout has expired don't show the "Booting `%s'" msg. This is necessary to let flicker-free boots really be flicker free, otherwise the "Booting `%s'" msg will kick the EFI fb into text mode and show the msg, breaking the flicker-free experience. Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ebdef63 - Browse repository at this point
Copy the full SHA ebdef63View commit details -
EFI: suppress the "Welcome to GRUB!" message in EFI builds
Grub EFI builds are now often used in combination with flicker-free boot, but this breaks with upstream grub because the "Welcome to GRUB!" message will kick the EFI fb into text mode and show the msg, breaking the flicker-free experience. EFI systems are so fast, that when the menu or the countdown are enabled the message will be immediately overwritten, so in these cases not printing the message does not matter. And in case when the timeout_style is set to TIMEOUT_STYLE_HIDDEN, the user has asked grub to be quiet (for example to allow flickfree boot) annd thus the message should not be printed. Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 728a82c - Browse repository at this point
Copy the full SHA 728a82cView commit details -
EFI: console: Do not set colorstate until the first text output
GRUB_MOD_INIT(normal) does an unconditional: grub_env_set ("color_normal", "light-gray/black"); which triggers a grub_term_setcolorstate() call. The original version of the "efi/console: Do not set text-mode until we actually need it" patch: https://lists.gnu.org/archive/html/grub-devel/2018-03/msg00125.html Protected against this by caching the requested state in grub_console_setcolorstate () and then only applying it when the first text output actually happens. During refactoring to move the grub_console_setcolorstate () up higher in the grub-core/term/efi/console.c file the code to cache the color-state + bail early was accidentally dropped. Restore the cache the color-state + bail early behavior from the original. Cc: Javier Martinez Canillas <[email protected]> Fixes: 2d7c3ab ("efi/console: Do not set text-mode until we actually need it") Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ae65870 - Browse repository at this point
Copy the full SHA ae65870View commit details -
EFI: console: Do not set cursor until the first text output
To allow flickerfree boot the EFI console code does not call grub_efi_set_text_mode (1) until some text is actually output. Depending on if the output text is because of an error loading e.g. the .cfg file; or because of showing the menu the cursor needs to be on or off when the first text is shown. So far the cursor was hardcoded to being on, but this is causing drawing artifacts + slow drawing of the menu as reported here: https://bugzilla.redhat.com/show_bug.cgi?id=1946969 Handle the cursorstate in the same way as the colorstate to fix this, when no text has been output yet, just cache the cursorstate and then use the last set value when the first text is output. Fixes: 2d7c3ab ("efi/console: Do not set text-mode until we actually need it") Signed-off-by: Hans de Goede <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ec91b20 - Browse repository at this point
Copy the full SHA ec91b20View commit details -
Use visual indentation in config.h.in
Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit de8051f) [rharwood: GRUB_RPM_CONFIG presence]
Configuration menu - View commit details
-
Copy full SHA for 256d6f0 - Browse repository at this point
Copy the full SHA 256d6f0View commit details -
Where present, ensure config-util.h precedes config.h
gnulib defines go in config-util.h, and we need to know whether to provide duplicates in config.h or not. Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 46e82b2) [rharwood: gensymlist isn't part of tarballs]
Configuration menu - View commit details
-
Copy full SHA for 779e2a6 - Browse repository at this point
Copy the full SHA 779e2a6View commit details -
Originally added in 9fbdec2 and subsequently modified in 552c9fd, fix-base64.patch handled two problems we have using gnulib, which are exerciesd by the base64 module but not directly caused by it. First, grub2 defines its own bool type, while gnulib expects the equivalent of stdbool.h to be present. Rather than patching gnulib, instead use gnulib's stdbool module to provide a bool type if needed. (Suggested by Simon Josefsson.) Second, our config.h doesn't always inherit config-util.h, which is where gnulib-related options like _GL_ATTRIBUTE_CONST end up. fix-base64.h worked around this by defining the attribute away, but this workaround is better placed in config.h itself, not a gnulib patch. Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 54fd1c3)
Configuration menu - View commit details
-
Copy full SHA for 2c722a8 - Browse repository at this point
Copy the full SHA 2c722a8View commit details -
Originally added in db7337a, this patched out all relevant invocations of abort() in gnulib. While it was not documented why at the time, testing suggests that there's no abort() implementation available for gnulib to use. gnulib's position is that the use of abort() is correct here, since it happens when input violates a "shall" from POSIX. Additionally, the code in question is probably not reachable. Since abort() is more friendly to user-space, they prefer to make no change, so we can just carry a define instead. (Suggested by Paul Eggert.) Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 5137c8e)
Configuration menu - View commit details
-
Copy full SHA for dc8044f - Browse repository at this point
Copy the full SHA dc8044fView commit details -
Update gnulib version and drop most gnulib patches
In addition to the changes carried in our gnulib patches, several Coverity and code hygiene fixes that were previously downstream are also included in this 3-year gnulib increment. Unfortunately, fix-width.patch is retained. Bump minimum autoconf version from 2.63 to 2.64 and automake from 1.11 to 1.14, as required by gnulib. Sync bootstrap script itself with gnulib. Update regexp module for new dynarray dependency. Fix various new warnings. Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit deb18ff) [rharwood: backport around requirements in INSTALL]
Configuration menu - View commit details
-
Copy full SHA for c6cf390 - Browse repository at this point
Copy the full SHA c6cf390View commit details -
commands/search: Fix bug stopping iteration when --no-floppy is used
When using --no-floppy and a floppy was encountered, iterate_device() was returning 1, causing the iteration to stop instead of continuing. Signed-off-by: Renaud Métrich <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 68ba54c) Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8569c33 - Browse repository at this point
Copy the full SHA 8569c33View commit details -
search: new --efidisk-only option on EFI systems
When using 'search' on EFI systems, we sometimes want to exclude devices that are not EFI disks (e.g. md, lvm). This is typically used when wanting to chainload when having a software raid (md) for EFI partition: with no option, 'search --file /EFI/redhat/shimx64.efi' sets root envvar to 'md/boot_efi' which cannot be used for chainloading since there is no effective EFI device behind. This commit also refactors handling of --no-floppy option. Signed-off-by: Renaud Métrich <[email protected]> [rharwood: apply rmetrich's flags initialization fix] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 232c033 - Browse repository at this point
Copy the full SHA 232c033View commit details -
When efi.quickboot is enabled on VMWare (which is the default for hardware release 16 and later), it may happen that not all EFI devices are connected. Due to this, browsing the devices in make_devices() just fails to find devices, in particular disks or partitions for a given disk. This typically happens when network booting, then trying to chainload to local disk (this is used in deployment tools such as Red Hat Satellite), which is done through using the following grub.cfg snippet: -------- 8< ---------------- 8< ---------------- 8< -------- unset prefix search --file --set=prefix /EFI/redhat/grubx64.efi if [ -n "$prefix" ]; then chainloader ($prefix)/EFI/redhat/grubx64/efi ... -------- 8< ---------------- 8< ---------------- 8< -------- With efi.quickboot, none of the devices are connected, causing "search" to fail. Sometimes devices are connected but not the partition of the disk matching $prefix, causing partition to not be found by "chainloader". This patch introduces a new "connectefi pciroot|scsi" command which recursively connects all EFI devices starting from a given controller type: - if 'pciroot' is specified, recursion is performed for all PCI root handles - if 'scsi' is specified, recursion is performed for all SCSI I/O handles (recommended usage to avoid connecting unwanted handles which may impact Grub performances) Typical grub.cfg snippet would then be: -------- 8< ---------------- 8< ---------------- 8< -------- connectefi scsi unset prefix search --file --set=prefix /EFI/redhat/grubx64.efi if [ -n "$prefix" ]; then chainloader ($prefix)/EFI/redhat/grubx64/efi ... -------- 8< ---------------- 8< ---------------- 8< -------- The code is easily extensible to handle other arguments in the future if needed. Signed-off-by: Renaud Métrich <[email protected]> Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 25045ec - Browse repository at this point
Copy the full SHA 25045ecView commit details -
grub-core/loader/i386/efi/linux.c: do not validate kernels twice
On codebases that have shim-lock-verifier built into the grub core (like 2.06 upstream), shim-lock-verifier is in enforcing mode when booted with secureboot. It means that grub_cmd_linux() command attempts to perform shim validate upon opening linux kernel image, including kernel measurement. And the verifier correctly returns file open error when shim validate protocol is not present or shim fails to validate the kernel. This makes the call to grub_linuxefi_secure_validate() redundant, but also harmful. As validating the kernel image twice, extends the PCRs with the same measurement twice. Which breaks existing sealing policies when upgrading from grub2.04+rhboot+sb+linuxefi to grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure the kernel twice. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. This patch is tested to ensure that unsigned kernels are not possible to boot in secureboot mode when shim rejects kernel, or shim protocol is missing, and that the measurements become stable once again. The above also ensures that CVE-2020-15705 is not reintroduced. Signed-off-by: Dimitri John Ledkov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6e49b9a - Browse repository at this point
Copy the full SHA 6e49b9aView commit details -
grub-core/loader/arm64/linux.c: do not validate kernel twice
Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes the kernel file through shim-lock verifier when secureboot is on. Thus there is no need to validate the kernel image again. And when doing so again, duplicate PCR measurement is performed, breaking measurements compatibility with 2.04+linuxefi. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. Signed-off-by: Dimitri John Ledkov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for bd78f10 - Browse repository at this point
Copy the full SHA bd78f10View commit details -
grub-core/loader/efi/chainloader.c: do not validate chainloader twice
On secureboot systems, with shimlock verifier, call to grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already pass the chainloader target through shim-lock protocol verify call. And create a TPM measurement. If verification fails, grub_cmd_chainloader will fail at file open time. This makes previous code paths for negative, and zero return codes from grub_linuxefi_secure_validate unreachable under secureboot. But also breaking measurements compatibility with 2.04+linuxefi codebases, as the chainloader file is passed through shim_lock->verify() twice (via verifier & direct call to grub_linuxefi_secure_validate) extending the PCRs twice. This reduces grub_loader options to perform grub_secureboot_chainloader when secureboot is on, and otherwise attempt grub_chainloader_boot. It means that booting with secureboot off, yet still with shim (which always verifies things successfully), will stop choosing grub_secureboot_chainloader, and opting for a more regular loadimage/startimage codepath. If we want to use the grub_secureboot_chainloader codepath in such scenarios we should adapt the code to simply check for shim_lock protocol presence / shim_lock->context() success?! But I am not sure if that is necessary. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. Signed-off-by: Dimitri John Ledkov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 93a4ef5 - Browse repository at this point
Copy the full SHA 93a4ef5View commit details -
grub-core/loader/efi/linux.c: drop now unused grub_linuxefi_secure_va…
…lidate Drop the now unused grub_linuxefi_secure_validate() as all prior users of this API now rely on the shim-lock-verifier codepath instead. This patch must not be ported to older editions of grub code bases that do not have verifiers framework, or it is not builtin, or shim-lock-verifier is an optional module. Signed-off-by: Dimitri John Ledkov <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 21b4a5e - Browse repository at this point
Copy the full SHA 21b4a5eView commit details -
powerpc: prefix detection: support device names with commas
Frustratingly, the device name itself can contain an embedded comma: e.g /pci@800000020000015/pci1014,034A@0/sas/disk@5000c50098a0ee8b So my previous approach was wrong: we cannot rely upon the presence of a comma to say that a partition has been specified! It turns out for prefixes like (,gpt2)/grub2 we really want to make up a full (device,partition)/patch prefix, because root discovery code in 10_linux will reset the root variable and use search to fill it again. If you have run grub-install, you probably don't have search built in, and if you don't have prefix containing (device,partition), grub will construct ($root)$prefix/powerpc-ieee1275/search.mod - but because $root has just been changed, this will no longer work, and the boot will fail! Retain the gist of the logic, but instead of looking for a comma, look for a leading '('. This matches the earlier code better anyway. There's certainly a better fix to be had. But any time you chose to build with a bare prefix like '/grub2', you're almost certainly going to build in search anyway, so this will do. Signed-off-by: Daniel Axtens <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 31dd02b - Browse repository at this point
Copy the full SHA 31dd02bView commit details -
The feature Retry on Fail added to GRUB can cause a LPM to take longer if the SAN is slow. When a LPM to external site occur, the path of the disk can change and thus the disk search function on grub can take some time since it is used as a hint. This can cause the Retry on Fail feature to try to access the disk 20x times (since this is hardcoded number) and, if the SAN is slow, the boot time can increase a lot. In some situations not acceptable. The following patch enables a configuration at user space of the maximum number of retries we want for this feature. The variable ofdisk_retries should be set using grub2-editenv and will be checked by retry function. If the variable is not set, so the default number of retries will be used instead.
Configuration menu - View commit details
-
Copy full SHA for 58b705f - Browse repository at this point
Copy the full SHA 58b705fView commit details -
loader/efi/chainloader: grub_load_and_start_image doesn't load and start
grub_load_and_start_image only loads an image - it still requires the caller to start it. This renames it to grub_load_image. It's called from 2 places: - grub_cmd_chainloader when not using the shim protocol. - grub_secureboot_chainloader_boot if handle_image returns an error. In this case, the image is loaded and then nothing else happens which seems strange. I assume the intention is that it falls back to LoadImage and StartImage if handle_image fails, so I've made it do that. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit b4d70820a65c00561045856b7b8355461a9545f6)
Configuration menu - View commit details
-
Copy full SHA for 0bcccb4 - Browse repository at this point
Copy the full SHA 0bcccb4View commit details -
loader/efi/chainloader: simplify the loader state
When not using the shim lock protocol, the chainloader command retains the source buffer and device path passed to LoadImage, requiring the unload hook passed to grub_loader_set to free them. It isn't required to retain this state though - they aren't required by StartImage or anything else in the boot hook, so clean them up before grub_cmd_chainloader finishes. This also wraps the loader state when using the shim lock protocol inside a struct. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit fa39862933b3be1553a580a3a5c28073257d8046) [rharwood: fix unitialized handle and double-frees of file/dev] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 18fb384 - Browse repository at this point
Copy the full SHA 18fb384View commit details -
commands/boot: Add API to pass context to loader
Loaders rely on global variables for saving context which is consumed in the boot hook and freed in the unload hook. In the case where a loader command is executed twice, calling grub_loader_set a second time executes the unload hook, but in some cases this runs when the loader's global context has already been updated, resulting in the updated context being freed and potential use-after-free bugs when the boot hook is subsequently called. This adds a new API (grub_loader_set_ex) which allows a loader to specify context that is passed to its boot and unload hooks. This is an alternative to requiring that loaders call grub_loader_unset before mutating their global context. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit 4322a64dde7e8fedb58e50b79408667129d45dd3)
Configuration menu - View commit details
-
Copy full SHA for 9d43f7e - Browse repository at this point
Copy the full SHA 9d43f7eView commit details -
loader/efi/chainloader: Use grub_loader_set_ex
This ports the EFI chainloader to use grub_loader_set_ex in order to fix a use-after-free bug that occurs when grub_cmd_chainloader is executed more than once before a boot attempt is performed. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit 4b7f0402b7cb0f67a93be736f2b75b818d7f44c9) [rharwood: context sludge from other change] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 80687f2 - Browse repository at this point
Copy the full SHA 80687f2View commit details -
loader/i386/efi/linux: Avoid a use-after-free in the linuxefi loader
In some error paths in grub_cmd_linux, the pointer to lh may be dereferenced after the buffer it points to has been freed. There aren't any security implications from this because nothing else uses the allocator after the buffer is freed and before the pointer is dereferenced, but fix it anyway. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
Configuration menu - View commit details
-
Copy full SHA for 82fe61a - Browse repository at this point
Copy the full SHA 82fe61aView commit details -
loader/i386/efi/linux: Use grub_loader_set_ex
This ports the linuxefi loader to use grub_loader_set_ex in order to fix a use-after-fre bug that occurs when grub_cmd_linux is executed more than once before a boot attempt is performed. This is more complicated than for the chainloader command, as the initrd command needs access to the loader state. To solve this, the linuxefi module registers a dummy initrd command at startup that returns an error. The linuxefi command then registers a proper initrd command with a higher priority that is passed the loader state. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit 7cf736436b4c934df5ddfa6f44b46a7e07d99fdc) [rharwood/pjones: set kernel_size in context] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9b12533 - Browse repository at this point
Copy the full SHA 9b12533View commit details -
loader/i386/efi/linux: Fix a memory leak in the initrd command
Subsequent invocations of the initrd command result in the previous initrd being leaked, so fix that. Signed-off-by: Chris Coulson <[email protected]> (cherry picked from commit d98af31ce1e31bb22163960d53f5eb28c66582a0)
Configuration menu - View commit details
-
Copy full SHA for 3143df6 - Browse repository at this point
Copy the full SHA 3143df6View commit details -
kern/efi/sb: Reject non-kernel files in the shim_lock verifier
We must not allow other verifiers to pass things like the GRUB modules. Instead of maintaining a blocklist, maintain an allowlist of things that we do not care about. This allowlist really should be made reusable, and shared by the lockdown verifier, but this is the minimal patch addressing security concerns where the TPM verifier was able to mark modules as verified (or the OpenPGP verifier for that matter), when it should not do so on shim-powered secure boot systems. Fixes: CVE-2022-28735 Signed-off-by: Julian Andres Klode <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit fa61ad69861c1cb3f68bf853d78fae7fd93986a0)
Configuration menu - View commit details
-
Copy full SHA for 9ae95e3 - Browse repository at this point
Copy the full SHA 9ae95e3View commit details -
kern/file: Do not leak device_name on error in grub_file_open()
If we have an error in grub_file_open() before we free device_name, we will leak it. Free device_name in the error path and null out the pointer in the good path once we free it there. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 1499a5068839fa37cb77ecef4b5bdacbd1ed12ea)
Configuration menu - View commit details
-
Copy full SHA for aa540bc - Browse repository at this point
Copy the full SHA aa540bcView commit details -
video/readers/png: Abort sooner if a read operation fails
Fuzzing revealed some inputs that were taking a long time, potentially forever, because they did not bail quickly upon encountering an I/O error. Try to catch I/O errors sooner and bail out. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 882be97d1df6449b9fd4d593f0cb70005fde3494)
Configuration menu - View commit details
-
Copy full SHA for 726a97e - Browse repository at this point
Copy the full SHA 726a97eView commit details -
video/readers/png: Refuse to handle multiple image headers
This causes the bitmap to be leaked. Do not permit multiple image headers. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 8ce433557adeadbc46429aabb9f850b02ad2bdfb)
Configuration menu - View commit details
-
Copy full SHA for 0cdcc7b - Browse repository at this point
Copy the full SHA 0cdcc7bView commit details -
video/readers/png: Drop greyscale support to fix heap out-of-bounds w…
…rite A 16-bit greyscale PNG without alpha is processed in the following loop: for (i = 0; i < (data->image_width * data->image_height); i++, d1 += 4, d2 += 2) { d1[R3] = d2[1]; d1[G3] = d2[1]; d1[B3] = d2[1]; } The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, but there are only 3 bytes allocated for storage. This means that image data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes out of every 4 following the end of the image. This has existed since greyscale support was added in 2013 in commit 3ccf16d (grub-core/video/readers/png.c: Support grayscale). Saving starfield.png as a 16-bit greyscale image without alpha in the gimp and attempting to load it causes grub-emu to crash - I don't think this code has ever worked. Delete all PNG greyscale support. Fixes: CVE-2021-3695 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 0e1d163382669bd734439d8864ee969616d971d9) [rharwood: context conflict] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ce5290a - Browse repository at this point
Copy the full SHA ce5290aView commit details -
video/readers/png: Avoid heap OOB R/W inserting huff table items
In fuzzing we observed crashes where a code would attempt to be inserted into a huffman table before the start, leading to a set of heap OOB reads and writes as table entries with negative indices were shifted around and the new code written in. Catch the case where we would underflow the array and bail. Fixes: CVE-2021-3696 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
Configuration menu - View commit details
-
Copy full SHA for 0f76596 - Browse repository at this point
Copy the full SHA 0f76596View commit details -
video/readers/png: Sanity check some huffman codes
ASAN picked up two OOB global reads: we weren't checking if some code values fit within the cplens or cpdext arrays. Check and throw an error if not. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit c3a8ab0cbd24153ec7b1f84a96ddfdd72ef8d117)
Configuration menu - View commit details
-
Copy full SHA for bee218b - Browse repository at this point
Copy the full SHA bee218bView commit details -
video/readers/jpeg: Abort sooner if a read operation fails
Fuzzing revealed some inputs that were taking a long time, potentially forever, because they did not bail quickly upon encountering an I/O error. Try to catch I/O errors sooner and bail out. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit ab2e5d2e4bff488bbb557ed435a61ae102ef9f0c)
Configuration menu - View commit details
-
Copy full SHA for db1fcb1 - Browse repository at this point
Copy the full SHA db1fcb1View commit details -
video/readers/jpeg: Do not reallocate a given huff table
Fix a memory leak where an invalid file could cause us to reallocate memory for a huffman table we had already allocated memory for. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit bc06e12b4de55cc6f926af9f064170c82b1403e9)
Configuration menu - View commit details
-
Copy full SHA for 481d030 - Browse repository at this point
Copy the full SHA 481d030View commit details -
video/readers/jpeg: Refuse to handle multiple start of streams
An invalid file could contain multiple start of stream blocks, which would cause us to reallocate and leak our bitmap. Refuse to handle multiple start of streams. Additionally, fix a grub_error() call formatting. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
Configuration menu - View commit details
-
Copy full SHA for 46f2644 - Browse repository at this point
Copy the full SHA 46f2644View commit details -
video/readers/jpeg: Block int underflow -> wild pointer write
Certain 1 px wide images caused a wild pointer write in grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(), we have the following loop: for (; data->r1 < nr1 && (!data->dri || rst); data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3) We did not check if vb * width >= hb * nc1. On a 64-bit platform, if that turns out to be negative, it will underflow, be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so we see data->bitmap_ptr jump, e.g.: 0x6180_0000_0480 to 0x6181_0000_0498 ^ ~--- carry has occurred and this pointer is now far away from any object. On a 32-bit platform, it will decrement the pointer, creating a pointer that won't crash but will overwrite random data. Catch the underflow and error out. Fixes: CVE-2021-3697 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)
Configuration menu - View commit details
-
Copy full SHA for bc3b1a8 - Browse repository at this point
Copy the full SHA bc3b1a8View commit details -
normal/charset: Fix array out-of-bounds formatting unicode for display
In some cases attempting to display arbitrary binary strings leads to ASAN splats reading the widthspec array out of bounds. Check the index. If it would be out of bounds, return a width of 1. I don't know if that's strictly correct, but we're not really expecting great display of arbitrary binary data, and it's certainly not worse than an OOB read. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit fdf32abc7a3928852422c0f291d8cd1dd6b34a8d)
Configuration menu - View commit details
-
Copy full SHA for 0965ab1 - Browse repository at this point
Copy the full SHA 0965ab1View commit details -
net/netbuff: Block overly large netbuff allocs
A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment reassembly. This helps avoid some bugs (and provides a spot to instrument to catch them at their source). Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit ee9591103004cd13b4efadda671536090ca7fd57)
Configuration menu - View commit details
-
Copy full SHA for 9672eb8 - Browse repository at this point
Copy the full SHA 9672eb8View commit details -
net/ip: Do IP fragment maths safely
This avoids an underflow and subsequent unpleasantness. Fixes: CVE-2022-28733 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
Configuration menu - View commit details
-
Copy full SHA for 471a298 - Browse repository at this point
Copy the full SHA 471a298View commit details -
net/dns: Fix double-free addresses on corrupt DNS response
grub_net_dns_lookup() takes as inputs a pointer to an array of addresses ("addresses") for the given name, and pointer to a number of addresses ("naddresses"). grub_net_dns_lookup() is responsible for allocating "addresses", and the caller is responsible for freeing it if "naddresses" > 0. The DNS recv_hook will sometimes set and free the addresses array, for example if the packet is too short: if (ptr + 10 >= nb->tail) { if (!*data->naddresses) grub_free (*data->addresses); grub_netbuff_free (nb); return GRUB_ERR_NONE; } Later on the nslookup command code unconditionally frees the "addresses" array. Normally this is fine: the array is either populated with valid data or is NULL. But in these sorts of error cases it is neither NULL nor valid and we get a double-free. Only free "addresses" if "naddresses" > 0. It looks like the other use of grub_net_dns_lookup() is not affected. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit eb2e69fcf51307757e43f55ee8c9354d1ee42dd1)
Configuration menu - View commit details
-
Copy full SHA for 013eae6 - Browse repository at this point
Copy the full SHA 013eae6View commit details -
net/dns: Don't read past the end of the string we're checking against
I don't really understand what's going on here but fuzzing found a bug where we read past the end of check_with. That's a C string, so use grub_strlen() to make sure we don't overread it. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 6a97b3f4b1d5173aa516edc6dedbc63de7306d21)
Configuration menu - View commit details
-
Copy full SHA for 259dfb2 - Browse repository at this point
Copy the full SHA 259dfb2View commit details -
net/tftp: Prevent a UAF and double-free from a failed seek
A malicious tftp server can cause UAFs and a double free. An attempt to read from a network file is handled by grub_net_fs_read(). If the read is at an offset other than the current offset, grub_net_seek_real() is invoked. In grub_net_seek_real(), if a backwards seek cannot be satisfied from the currently received packets, and the underlying transport does not provide a seek method, then grub_net_seek_real() will close and reopen the network protocol layer. For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t file->data. The file->data pointer is not nulled out after the free. If the ->open() call fails, the file->data will not be reallocated and will continue point to a freed memory block. This could happen from a server refusing to send the requisite ack to the new tftp request, for example. The seek and the read will then fail, but the grub_file continues to exist: the failed seek does not necessarily cause the entire file to be thrown away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc., a read failure is interpreted as a decompressor passing on the file, not as an invalidation of the entire grub_file_t structure). This means subsequent attempts to read or seek the file will use the old file->data after free. Eventually, the file will be close()d again and file->data will be freed again. Mark a net_fs file that doesn't reopen as broken. Do not permit read() or close() on a broken file (seek is not exposed directly to the file API - it is only called as part of read, so this blocks seeks as well). As an additional defence, null out the ->data pointer if tftp_open() fails. That would have lead to a simple null pointer dereference rather than a mess of UAFs. This may affect other protocols, I haven't checked. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit dada1dda695439bb55b2848dddc2d89843552f81)
Configuration menu - View commit details
-
Copy full SHA for 1aed0af - Browse repository at this point
Copy the full SHA 1aed0afView commit details -
Under tftp errors, we print a tftp error message from the tftp header. However, the tftph pointer is a pointer inside nb, the netbuff. Previously, we were freeing the nb and then dereferencing it. Don't do that, use it and then free it later. This isn't really _bad_ per se, especially as we're single-threaded, but it trips up fuzzers. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
Configuration menu - View commit details
-
Copy full SHA for da32934 - Browse repository at this point
Copy the full SHA da32934View commit details -
net/http: Do not tear down socket if it's already been torn down
It's possible for data->sock to get torn down in tcp error handling. If we unconditionally tear it down again we will end up doing writes to an offset of the NULL pointer when we go to tear it down again. Detect if it has been torn down and don't do it again. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit ec233d3ecf995293304de443579aab5c46c49e85)
Configuration menu - View commit details
-
Copy full SHA for 1db4acf - Browse repository at this point
Copy the full SHA 1db4acfView commit details -
net/http: Fix OOB write for split http headers
GRUB has special code for handling an http header that is split across two packets. The code tracks the end of line by looking for a "\n" byte. The code for split headers has always advanced the pointer just past the end of the line, whereas the code that handles unsplit headers does not advance the pointer. This extra advance causes the length to be one greater, which breaks an assumption in parse_line(), leading to it writing a NUL byte one byte past the end of the buffer where we reconstruct the line from the two packets. It's conceivable that an attacker controlled set of packets could cause this to zero out the first byte of the "next" pointer of the grub_mm_region structure following the current_line buffer. Do not advance the pointer in the split header case. Fixes: CVE-2022-28734 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
Configuration menu - View commit details
-
Copy full SHA for b47d562 - Browse repository at this point
Copy the full SHA b47d562View commit details -
net/http: Error out on headers with LF without CR
In a similar vein to the previous patch, parse_line() would write a NUL byte past the end of the buffer if there was an HTTP header with a LF rather than a CRLF. RFC-2616 says: Many HTTP/1.1 header field values consist of words separated by LWS or special characters. These special characters MUST be in a quoted string to be used within a parameter value (as defined in section 3.6). We don't support quoted sections or continuation lines, etc. If we see an LF that's not part of a CRLF, bail out. Fixes: CVE-2022-28734 Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit d232ad41ac4979a9de4d746e5fdff9caf0e303de)
Configuration menu - View commit details
-
Copy full SHA for 72df538 - Browse repository at this point
Copy the full SHA 72df538View commit details -
fs/f2fs: Do not read past the end of nat journal entries
A corrupt f2fs file system could specify a nat journal entry count that is beyond the maximum NAT_JOURNAL_ENTRIES. Check if the specified nat journal entry count before accessing the array, and throw an error if it is too large. Signed-off-by: Sudhakar Kuppusamy <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit a3988cb3f0a108dd67ac127a79a4c8479d23334e)
Configuration menu - View commit details
-
Copy full SHA for 8cc6350 - Browse repository at this point
Copy the full SHA 8cc6350View commit details -
fs/f2fs: Do not read past the end of nat bitmap
A corrupt f2fs filesystem could have a block offset or a bitmap offset that would cause us to read beyond the bounds of the nat bitmap. Introduce the nat_bitmap_size member in grub_f2fs_data which holds the size of nat bitmap. Set the size when loading the nat bitmap in nat_bitmap_ptr(), and catch when an invalid offset would create a pointer past the end of the allocated space. Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid reading past the end of the nat bitmap. Signed-off-by: Sudhakar Kuppusamy <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 62d63d5e38c67a6e349148bf7cb87c560e935a7e)
Configuration menu - View commit details
-
Copy full SHA for 400ca4e - Browse repository at this point
Copy the full SHA 400ca4eView commit details -
fs/f2fs: Do not copy file names that are too long
A corrupt f2fs file system might specify a name length which is greater than the maximum name length supported by the GRUB f2fs driver. We will allocate enough memory to store the overly long name, but there are only F2FS_NAME_LEN bytes in the source, so we would read past the end of the source. While checking directory entries, do not copy a file name with an invalid length. Signed-off-by: Sudhakar Kuppusamy <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 9a891f638509e031d322c94e3cbcf38d36f3993a)
Configuration menu - View commit details
-
Copy full SHA for acaddf9 - Browse repository at this point
Copy the full SHA acaddf9View commit details -
fs/btrfs: Fix several fuzz issues with invalid dir item sizing
According to the btrfs code in Linux, the structure of a directory item leaf should be of the form: |struct btrfs_dir_item|name|data| in GRUB the name len and data len are in the grub_btrfs_dir_item structure's n and m fields respectively. The combined size of the structure, name and data should be less than the allocated memory, a difference to the Linux kernel's struct btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for where the name is stored, so we adjust for that too. Signed-off-by: Darren Kenny <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 6d3f06c0b6a8992b9b1bb0e62af93ac5ff2781f0) [rharwood: we've an extra variable here] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b254bf5 - Browse repository at this point
Copy the full SHA b254bf5View commit details -
fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing
The fuzzer is generating btrfs file systems that have chunks with invalid combinations of stripes and substripes for the given RAID configurations. After examining the Linux kernel fs/btrfs/tree-checker.c code, it appears that sub-stripes should only be applied to RAID10, and in that case there should only ever be 2 of them. Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4 should have 2. 3 or 4 stripes respectively, which is what redundancy corresponds. Some of the chunks ended up with a size of 0, which grub_malloc() still returned memory for and in turn generated ASAN errors later when accessed. While it would be possible to specifically limit the number of stripes, a more correct test was on the combination of the chunk item, and the number of stripes by the size of the chunk stripe structure in comparison to the size of the chunk itself. Signed-off-by: Darren Kenny <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 3849647b4b98a4419366708fc4b7f339c6f55ec7)
Configuration menu - View commit details
-
Copy full SHA for aa74f4b - Browse repository at this point
Copy the full SHA aa74f4bView commit details -
fs/btrfs: Fix more fuzz issues related to chunks
The corpus we generating issues in grub_btrfs_read_logical() when attempting to iterate over nstripes entries in the boot mapping. In most cases the reason for the failure was that the number of strips exceeded the possible space statically allocated in superblock bootmapping space. Each stripe entry in the bootmapping block consists of a grub_btrfs_key followed by a grub_btrfs_chunk_stripe. Another issue that came up was that while calculating the chunk size, in an earlier piece of code in that function, depending on the data provided in the btrfs file system, it would end up calculating a size that was too small to contain even 1 grub_btrfs_chunk_item, which is obviously invalid too. Signed-off-by: Darren Kenny <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit e00cd76cbadcc897a9cc4087cb2fcb5dbe15e596)
Configuration menu - View commit details
-
Copy full SHA for f887b09 - Browse repository at this point
Copy the full SHA f887b09View commit details -
misc: Make grub_min() and grub_max() more resilient.
grub_min(a,b) and grub_max(a,b) use a relatively naive implementation which leads to several problems: - they evaluate their parameters more than once - the naive way to address this, to declare temporary variables in a statement-expression, isn't resilient against nested uses, because MIN(a,MIN(b,c)) results in the temporary variables being declared in two nested scopes, which may result in a build warning depending on your build options. This patch changes our implementation to use a statement-expression inside a helper macro, and creates the symbols for the temporary variables with __COUNTER__ (A GNU C cpp extension) and token pasting to create uniquely named internal variables. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f94152b - Browse repository at this point
Copy the full SHA f94152bView commit details -
ReiserFS: switch to using grub_min()/grub_max()
This is a minor cleanup patch to remove the bespoke MIN() and MAX() definitions from the reiserfs driver, and uses grub_min() / grub_max() instead. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 461b42c - Browse repository at this point
Copy the full SHA 461b42cView commit details -
misc: make grub_boot_time() also call grub_dprintf("boot",...)
Currently grub_boot_time() includes valuable debugging messages, but if you build without BOOT_TIME_STATS enabled, they are silently and confusingly compiled away. This patch changes grub_boot_time() to also log when "boot" is enabled in DEBUG, regardless of BOOT_TIME_STATS. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a21e5c1 - Browse repository at this point
Copy the full SHA a21e5c1View commit details -
modules: make .module_license read-only
Currently .module_license is set writable (that is, the section has the SHF_WRITE flag set) in the module's ELF headers. This probably never actually matters, but it can't possibly be correct. This patch sets that data as "const", which causes that flag not to be set. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f6563e1 - Browse repository at this point
Copy the full SHA f6563e1View commit details -
modules: strip .llvm_addrsig sections and similar.
Currently grub modules built with clang or gcc have several sections which we don't actually need or support. We already have a list of section to skip in genmod.sh, and this patch adds the following sections to that list (as well as a few newlines): .note.gnu.property .llvm* Note that the glob there won't work without a new enough linker, but the failure is just reversion to the status quo, so that's not a big problem. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0f66524 - Browse repository at this point
Copy the full SHA 0f66524View commit details -
modules: Don't allocate space for non-allocable sections.
Currently when loading grub modules, we allocate space for all sections, including those without SHF_ALLOC set. We then copy the sections that /do/ have SHF_ALLOC set into the allocated memory, leaving some of our allocation untouched forever. Additionally, on platforms with GOT fixups and trampolines, we currently compute alignment round-ups for the sections and sections with sh_size = 0. This patch removes the extra space from the allocation computation, and makes the allocation computation loop skip empty sections as the loading loop does. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0f76b53 - Browse repository at this point
Copy the full SHA 0f76b53View commit details -
pe: add the DOS header struct and fix some bad naming.
In order to properly validate a loaded kernel's support for being loaded without a writable stack or executable, we need to be able to properly parse arbitrary PE headers. Currently, pe32.h is written in such a way that the MS-DOS header that tells us where to find the PE header in the binary can't be accessed. Further, for some reason it calls the DOS MZ magic "GRUB_PE32_MAGIC". This patch adds the structure for the DOS header, renames the DOS magic define, and adds defines for the actual PE magic. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c850db5 - Browse repository at this point
Copy the full SHA c850db5View commit details -
EFI: allocate kernel in EFI_RUNTIME_SERVICES_CODE instead of EFI_LOAD…
…ER_DATA. On some of the firmwares with more security mitigations, EFI_LOADER_DATA doesn't get you executable memory, and we take a fault and reboot when we enter kernel. This patch correctly allocates the kernel code as EFI_RUNTIME_SERVICES_CODE rather than EFI_LOADER_DATA. Signed-off-by: Peter Jones <[email protected]> [rharwood: use kernel_size] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 04c96d8 - Browse repository at this point
Copy the full SHA 04c96d8View commit details -
modules: load module sections at page-aligned addresses
Currently we load module sections at whatever alignment gcc+ld happened to dump into the ELF section header, which is often pretty useless. For example, by default time.mod has these sections on a current x86_64 build: $ eu-readelf -a grub-core/time.mod |& grep ^Section -A13 Section Headers: [Nr] Name Type Addr Off Size ES Flags Lk Inf Al [ 0] NULL 0 00000000 00000000 0 0 0 0 [ 1] .text PROGBITS 0 00000040 0000015e 0 AX 0 0 1 [ 2] .rela.text RELA 0 00000458 000001e0 24 I 8 1 8 [ 3] .rodata.str1.1 PROGBITS 0 0000019e 000000a1 1 AMS 0 0 1 [ 4] .module_license PROGBITS 0 00000240 0000000f 0 A 0 0 8 [ 5] .data PROGBITS 0 0000024f 00000000 0 WA 0 0 1 [ 6] .bss NOBITS 0 00000250 00000008 0 WA 0 0 8 [ 7] .modname PROGBITS 0 00000250 00000005 0 0 0 1 [ 8] .symtab SYMTAB 0 00000258 00000150 24 9 6 8 [ 9] .strtab STRTAB 0 000003a8 000000ab 0 0 0 1 [10] .shstrtab STRTAB 0 00000638 00000059 0 0 0 1 With NX protections being page based, loading sections with either a 1 or 8 *byte* alignment does absolutely nothing to help us out. This patch switches most EFI platforms to load module sections at 4kB page-aligned addresses. To do so, it adds an new per-arch function, grub_arch_dl_min_alignment(), which returns the alignment needed for dynamically loaded sections (in bytes). Currently it sets it to 4096 when GRUB_MACHINE_EFI is true on x86_64, i386, arm, arm64, and emu, and 1-byte alignment on everything else. It then changes the allocation size computation and the loader code in grub_dl_load_segments() to align the locations and sizes up to these boundaries, and fills any added padding with zeros. All of this happens before relocations are applied, so the relocations factor that in with no change. As an aside, initially Daniel Kiper and I thought that it might be a better idea to split the modules up into top-level sections as .text.modules, .rodata.modules, .data.modules, etc., so that their page permissions would get set by the loader that's loading grub itself. This turns out to have two significant downsides: 1) either in mkimage or in grub_dl_relocate_symbols(), you wind up having to dynamically process the relocations to accommodate the moved module sections, and 2) you then need to change the permissions on the modules and change them back while relocating them in grub_dl_relocate_symbols(), which means that any loader that /does/ honor the section flags but does /not/ generally support NX with the memory attributes API will cause grub to fail. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 887f1d8 - Browse repository at this point
Copy the full SHA 887f1d8View commit details -
nx: add memory attribute get/set API
For NX, we need to set the page access permission attributes for write and execute permissions. This patch adds two new primitives, grub_set_mem_attrs() and grub_clear_mem_attrs(), and associated constant definitions, to be used for that purpose. For most platforms, it adds a dummy implementation that returns GRUB_ERR_NONE. On EFI platforms, it adds a common helper function, grub_efi_status_to_err(), which translates EFI error codes to grub error codes, adds headers for the EFI Memory Attribute Protocol (still pending standardization), and an implementation of the grub nx primitives using it. Signed-off-by: Peter Jones <[email protected]> [rharwood: add pjones's none/nyi fixup] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 45bfb1c - Browse repository at this point
Copy the full SHA 45bfb1cView commit details -
nx: set page permissions for loaded modules.
For NX, we need to set write and executable permissions on the sections of grub modules when we load them. On sections with SHF_ALLOC set, which is typically everything except .modname and the symbol and string tables, this patch clears the Read Only flag on sections that have the ELF flag SHF_WRITE set, and clears the No eXecute flag on sections with SHF_EXECINSTR set. In all other cases it sets both flags. Signed-off-by: Peter Jones <[email protected]> [rharwood: arm tgptr -> tgaddr] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ad1b904 - Browse repository at this point
Copy the full SHA ad1b904View commit details -
nx: set attrs in our kernel loaders
For NX, our kernel loaders need to set write and execute page permissions on allocated pages and the stack. This patch adds those calls. Signed-off-by: Peter Jones <[email protected]> [rharwood: fix stack_attrs undefined, fix aarch64 callsites] Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a9d4056 - Browse repository at this point
Copy the full SHA a9d4056View commit details -
nx: set the nx compatible flag in EFI grub images
For NX, we need the grub binary to announce that it is compatible with the NX feature. This implies that when loading the executable grub image, several attributes are true: - the binary doesn't need an executable stack - the binary doesn't need sections to be both executable and writable - the binary knows how to use the EFI Memory Attributes protocol on code it is loading. This patch adds a definition for the PE DLL Characteristics flag GRUB_PE32_NX_COMPAT, and changes grub-mkimage to set that flag. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a9ec858 - Browse repository at this point
Copy the full SHA a9ec858View commit details -
grub-probe: document the behavior of multiple -v
Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 51a55233eed08f7f12276afd6b3724b807a0b680)
Configuration menu - View commit details
-
Copy full SHA for 5898517 - Browse repository at this point
Copy the full SHA 5898517View commit details -
grub_fs_probe(): dprint errors from filesystems
When filesystem detection fails, all that's currently debug-logged is a series of messages like: grub-core/kern/fs.c:56:fs: Detecting ntfs... grub-core/kern/fs.c:76:fs: ntfs detection failed. repeated for each filesystem. Any messages provided to grub_error() by the filesystem are lost, and one has to break out gdb to figure out what went wrong. With this change, one instead sees: grub-core/kern/fs.c:56:fs: Detecting fat... grub-core/osdep/hostdisk.c:357:hostdisk: reusing open device `/path/to/device' grub-core/kern/fs.c:77:fs: error: invalid modification timestamp for /. grub-core/kern/fs.c:79:fs: fat detection failed. in the debug prints. Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 838c79d658797d0662ee7f9e033e38ee88059e02)
Configuration menu - View commit details
-
Copy full SHA for e452c07 - Browse repository at this point
Copy the full SHA e452c07View commit details -
fs/fat: don't error when mtime is 0
In the wild, we occasionally see valid ESPs where some file modification times are 0. For instance: ├── [Dec 31 1979] EFI │ ├── [Dec 31 1979] BOOT │ │ ├── [Dec 31 1979] BOOTX64.EFI │ │ └── [Dec 31 1979] fbx64.efi │ └── [Jun 27 02:41] fedora │ ├── [Dec 31 1979] BOOTX64.CSV │ ├── [Dec 31 1979] fonts │ ├── [Mar 14 03:35] fw │ │ ├── [Mar 14 03:35] fwupd-359c1169-abd6-4a0d-8bce-e4d4713335c1.cap │ │ ├── [Mar 14 03:34] fwupd-9d255c4b-2d88-4861-860d-7ee52ade9463.cap │ │ └── [Mar 14 03:34] fwupd-b36438d8-9128-49d2-b280-487be02d948b.cap │ ├── [Dec 31 1979] fwupdx64.efi │ ├── [May 10 10:47] grub.cfg │ ├── [Jun 3 12:38] grub.cfg.new.new │ ├── [May 10 10:41] grub.cfg.old │ ├── [Jun 27 02:41] grubenv │ ├── [Dec 31 1979] grubx64.efi │ ├── [Dec 31 1979] mmx64.efi │ ├── [Dec 31 1979] shim.efi │ ├── [Dec 31 1979] shimx64.efi │ └── [Dec 31 1979] shimx64-fedora.efi └── [Dec 31 1979] FSCK0000.REC 5 directories, 17 files This causes grub-probe failure, which in turn causes grub-mkconfig failure. They are valid filesystems that appear intact, and the Linux FAT stack is able to mount and manipulate them without complaint. The check for mtime of 0 has been present since 20def1a ("fat: support file modification times"). Signed-off-by: Robbie Harwood <[email protected]> (cherry picked from commit 0615c4887352e32d7bb7198e9ad0d695f9dc2c31)
Configuration menu - View commit details
-
Copy full SHA for 8a1dcbf - Browse repository at this point
Copy the full SHA 8a1dcbfView commit details -
Make debug=file show which file filters get run.
If one of the file filters breaks things, it's hard to figure out where it has happened. This makes grub log which filter is being run, which makes it easier to figure out where you are in the sequence of events. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ca59646 - Browse repository at this point
Copy the full SHA ca59646View commit details -
efi: use enumerated array positions for our allocation choices
In our kernel allocator on EFI systems, we currently have a growing amount of code that references the various allocation policies by position in the array, and of course maintenance of this code scales very poorly. This patch changes them to be enumerated, so they're easier to refer to farther along in the code without confusion. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c88cadb - Browse repository at this point
Copy the full SHA c88cadbView commit details -
efi: split allocation policy for kernel vs initrd memories.
Currently in our kernel allocator, we use the same set of choices for all of our various kernel and initramfs allocations, though they do not have exactly the same constraints. This patch adds the concept of an allocation purpose, which currently can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls appropriately, but does not change any current policy decision. It also adds a few debug prints. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a9da903 - Browse repository at this point
Copy the full SHA a9da903View commit details -
efi: allocate the initrd within the bounds expressed by the kernel
Currently on x86, only linux kernels built with CONFIG_RELOCATABLE for x86_64 can be loaded above 4G, but the maximum address for the initramfs is specified via a HdrS field. This allows us to utilize that value, and unless loading the kernel above 4G, uses the value present there. If loading kernel above 4G is allowed, we assume loading the initramfs above 4G also works; in practice this has been true in the kernel code for quite some time. Resolves: rhbz#2112134 Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8233b73 - Browse repository at this point
Copy the full SHA 8233b73View commit details -
efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd allocations
At some point due to an erroneous kernel warning, we switched kernel and initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and EFI_RUNTIME_SERVICES_DATA memory pools. This doesn't appear to be correct according to the spec, and that kernel warning has gone away. This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA allocations, respectively. Resolves: rhbz#2108456 Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cb965e0 - Browse repository at this point
Copy the full SHA cb965e0View commit details -
BLS: create /etc/kernel/cmdline during mkconfig
Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2e2a825 - Browse repository at this point
Copy the full SHA 2e2a825View commit details -
squish: don't dup rhgb quiet, check mtimes
Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 3acfee4 - Browse repository at this point
Copy the full SHA 3acfee4View commit details -
Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0720d50 - Browse repository at this point
Copy the full SHA 0720d50View commit details -
squish: BLS: only write /etc/kernel/cmdline if writable
On OSTree systems, `grub2-mkconfig` is run with `/etc` mounted read-only because as part of the promise of transactional updates, we want to make sure that we're not modifying the current deployment's state (`/etc` or `/var`). This conflicts with 0837dcd ("BLS: create /etc/kernel/cmdline during mkconfig") which wants to write to `/etc/kernel/cmdline`. I'm not exactly sure on the background there, but based on the comment I think the intent is to fulfill grubby's expectation that the file exists. However, in systems like Silverblue, kernel arguments are managed by the rpm-ostree stack and grubby is not shipped at all. Adjust the script slightly so that we only write `/etc/kernel/cmdline` if the parent directory is writable. In the future, we're hoping to simplify things further on rpm-ostree systems by not running `grub2-mkconfig` at all since libostree already directly writes BLS entries. Doing that would also have avoided this, but ratcheting it into existing systems needs more careful thought. Signed-off-by: Jonathan Lebon <[email protected]> Fixes: fedora-silverblue/issue-tracker#322
Configuration menu - View commit details
-
Copy full SHA for a2f7693 - Browse repository at this point
Copy the full SHA a2f7693View commit details -
blscfg: Don't root device in emu builds
Otherwise, we end up looking for kernel/initrd in /boot/boot which doesn't work at all. Non-emu builds need to be looking in ($root)/boot/, which is what this is for. Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6038557 - Browse repository at this point
Copy the full SHA 6038557View commit details -
loader/arm64/linux: Remove magic number header field check
The "ARM\x64" magic number in the file header identifies an image as one that implements the bare metal boot protocol, allowing the loader to simply move the file to a suitably aligned address in memory, with sufficient headroom for the trailing .bss segment (the required memory size is described in the header as well). Note of this matters for GRUB, as it only supports EFI boot. EFI does not care about this magic number, and nor should GRUB: this prevents us from booting other PE linux images, such as the generic EFI zboot decompressor, which is a pure PE/COFF image, and does not implement the bare metal boot protocol. So drop the magic number check. Signed-off-by: Ard Biesheuvel <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Resolves: rhbz#2125069 Signed-off-by: Jeremy Linton <[email protected]> (cherry-picked from commit 69edb31) Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 62382ef - Browse repository at this point
Copy the full SHA 62382efView commit details -
Correct BSS zeroing on aarch64
The aarch64 loader doesn't use efi bootservices, and therefor it has a very minimal loader which makes a lot of assumptions about the kernel layout. With the ZBOOT changes, the layout has changed a bit and we not should really be parsing the PE sections to determine how much data to copy, otherwise the BSS won't be setup properly. This code still makes a lot of assumptions about the the kernel layout, so its far from ideal, but it works. Resolves: rhbz#2125069 Signed-off-by: Jeremy Linton <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9752abc - Browse repository at this point
Copy the full SHA 9752abcView commit details -
linuxefi: Invalidate i-cache before starting the kernel
We need to flush the memory range of the code we are about to execute from the instruction cache before we can safely execute it. Not doing so appears to be the source of rare synchronous exceptions a user is seeing on a Cortex-A72-based platform while executing the Linux EFI stub. Notably they seem to correlate with an instruction on a cache line boundary. Signed-off-by: dann frazier <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9ae5901 - Browse repository at this point
Copy the full SHA 9ae5901View commit details -
x86-efi: Fix an incorrect array size in kernel allocation
In 81a6ebf ("efi: split allocation policy for kernel vs initrd memories."), I introduced a split in the kernel allocator to allow for different dynamic policies for the kernel and the initrd allocations. Unfortunately, that change increased the size of the policy data used to make decisions, but did not change the size of the temporary storage we use to back it up and restore. This results in some of .data getting clobbered at runtime, and hilarity ensues. This patch makes the size of the backup storage be based on the size of the initial policy data. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c500935 - Browse repository at this point
Copy the full SHA c500935View commit details -
commands/efi/tpm: Refine the status of log event
1. Use macro GRUB_ERR_NONE instead of hard code 0. 2. Keep lowercase of the first char for the status string of log event. Signed-off-by: Lu Ken <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 9228985)
Configuration menu - View commit details
-
Copy full SHA for bf9f867 - Browse repository at this point
Copy the full SHA bf9f867View commit details -
commands/efi/tpm: Use grub_strcpy() instead of grub_memcpy()
The event description is a string, so using grub_strcpy() is cleaner than using grub_memcpy(). Signed-off-by: Lu Ken <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit ef8679b)
Configuration menu - View commit details
-
Copy full SHA for 588414d - Browse repository at this point
Copy the full SHA 588414dView commit details -
efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support
The EFI_CC_MEASUREMENT_PROTOCOL abstracts the measurement for virtual firmware in confidential computing environment. It is similar to the EFI_TCG2_PROTOCOL. It was proposed by Intel and ARM and approved by UEFI organization. It is defined in Intel GHCI specification: https://cdrdv2.intel.com/v1/dl/getContent/726790 . The EDKII header file is available at https://github.com/tianocore/edk2/blob/master/MdePkg/Include/Protocol/CcMeasurement.h . Signed-off-by: Lu Ken <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 4c76565)
Configuration menu - View commit details
-
Copy full SHA for fd55945 - Browse repository at this point
Copy the full SHA fd55945View commit details -
font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_…
…height Check glyph's width and height against limits specified in font's metadata. Reject the glyph (and font) if such limits are exceeded. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
Configuration menu - View commit details
-
Copy full SHA for 4197818 - Browse repository at this point
Copy the full SHA 4197818View commit details -
font: Fix size overflow in grub_font_get_glyph_internal()
The length of memory allocation and file read may overflow. This patch fixes the problem by using safemath macros. There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz(). It is safe replacement for such code. It has safemath-like prototype. This patch also introduces grub_cast(value, pointer), it casts value to typeof(*pointer) then store the value to *pointer. It returns true when overflow occurs or false if there is no overflow. The semantics of arguments and return value are designed to be consistent with other safemath macros. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
Configuration menu - View commit details
-
Copy full SHA for 1d99597 - Browse repository at this point
Copy the full SHA 1d99597View commit details -
font: Fix several integer overflows in grub_font_construct_glyph()
This patch fixes several integer overflows in grub_font_construct_glyph(). Glyphs of invalid size, zero or leading to an overflow, are rejected. The inconsistency between "glyph" and "max_glyph_size" when grub_malloc() returns NULL is fixed too. Fixes: CVE-2022-2601 Reported-by: Zhang Boyang <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
Configuration menu - View commit details
-
Copy full SHA for 551e0d5 - Browse repository at this point
Copy the full SHA 551e0d5View commit details -
font: Remove grub_font_dup_glyph()
Remove grub_font_dup_glyph() since nobody is using it since 2013, and I'm too lazy to fix the integer overflow problem in it. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
Configuration menu - View commit details
-
Copy full SHA for 1dae55f - Browse repository at this point
Copy the full SHA 1dae55fView commit details -
font: Fix integer overflow in ensure_comb_space()
In fact it can't overflow at all because glyph_id->ncomb is only 8-bit wide. But let's keep safe if somebody changes the width of glyph_id->ncomb in the future. This patch also fixes the inconsistency between render_max_comb_glyphs and render_combining_glyphs when grub_malloc() returns NULL. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
Configuration menu - View commit details
-
Copy full SHA for f8852c9 - Browse repository at this point
Copy the full SHA f8852c9View commit details -
font: Fix integer overflow in BMP index
The BMP index (font->bmp_idx) is designed as a reverse lookup table of char entries (font->char_index), in order to speed up lookups for BMP chars (i.e. code < 0x10000). The values in BMP index are the subscripts of the corresponding char entries, stored in grub_uint16_t, while 0xffff means not found. This patch fixes the problem of large subscript truncated to grub_uint16_t, leading BMP index to return wrong char entry or report false miss. The code now checks for bounds and uses BMP index as a hint, and fallbacks to binary-search if necessary. On the occasion add a comment about BMP index is initialized to 0xffff. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
Configuration menu - View commit details
-
Copy full SHA for 86b719f - Browse repository at this point
Copy the full SHA 86b719fView commit details -
font: Fix integer underflow in binary search of char index
If search target is less than all entries in font->index then "hi" variable is set to -1, which translates to SIZE_MAX and leads to errors. This patch fixes the problem by replacing the entire binary search code with the libstdc++'s std::lower_bound() implementation. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
Configuration menu - View commit details
-
Copy full SHA for 2f03fac - Browse repository at this point
Copy the full SHA 2f03facView commit details -
kern/efi/sb: Enforce verification of font files
As a mitigation and hardening measure enforce verification of font files. Then only trusted font files can be load. This will reduce the attack surface at cost of losing the ability of end-users to customize fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize fonts because they have ability to pack fonts into their GRUB bundles. This goal is achieved by: * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's skip-verification list. * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list, so font files must be verified by a verifier before they can be loaded. Suggested-by: Daniel Kiper <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 630deb8c0d8b02b670ced4b7030414bcf17aa080)
Configuration menu - View commit details
-
Copy full SHA for 5396629 - Browse repository at this point
Copy the full SHA 5396629View commit details -
Expressions like u64 = u32 * u32 are unsafe because their products are truncated to u32 even if left hand side is u64. This patch fixes all problems like that one in fbutil. To get right result not only left hand side have to be u64 but it's also necessary to cast at least one of the operands of all leaf operators of right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be u64 = (u64)u32 * u32 + (u64)u32 * u32. For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any combination of values in (grub_uint64_t)u32 * u32 + u32 expression will not overflow grub_uint64_t. Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable. They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32. This patch also adds a comment to grub_video_fb_get_video_ptr() which says it's arguments must be valid and no sanity check is performed (like its siblings in grub-core/video/fb/fbutil.c). Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
Configuration menu - View commit details
-
Copy full SHA for 7428f10 - Browse repository at this point
Copy the full SHA 7428f10View commit details -
font: Fix an integer underflow in blit_comb()
The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may evaluate to a very big invalid value even if both ctx.bounds.height and combining_glyphs[i]->height are small integers. For example, if ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this expression evaluates to 2147483647 (expected -1). This is because coordinates are allowed to be negative but ctx.bounds.height is an unsigned int. So, the subtraction operates on unsigned ints and underflows to a very big value. The division makes things even worse. The quotient is still an invalid value even if converted back to int. This patch fixes the problem by casting ctx.bounds.height to int. As a result the subtraction will operate on int and grub_uint16_t which will be promoted to an int. So, the underflow will no longer happen. Other uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int, to ensure coordinates are always calculated on signed integers. Fixes: CVE-2022-3775 Reported-by: Daniel Axtens <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
Configuration menu - View commit details
-
Copy full SHA for 7c85e1a - Browse repository at this point
Copy the full SHA 7c85e1aView commit details -
font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()
As a mitigation and hardening measure add sanity checks to grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch makes these two functions do nothing if target blitting area isn't fully contained in target bitmap. Therefore, if complex calculations in caller overflows and malicious coordinates are given, we are still safe because any coordinates which result in out-of-bound-write are rejected. However, this patch only checks for invalid coordinates, and doesn't provide any protection against invalid source glyph or destination glyph, e.g. mismatch between glyph size and buffer size. This hardening measure is designed to mitigate possible overflows in blit_comb(). If overflow occurs, it may return invalid bounding box during dry run and call grub_font_blit_glyph() with malicious coordinates during actual blitting. However, we are still safe because the scratch glyph itself is valid, although its size makes no sense, and any invalid coordinates are rejected. It would be better to call grub_fatal() if illegal parameter is detected. However, doing this may end up in a dangerous recursion because grub_fatal() would print messages to the screen and we are in the progress of drawing characters on the screen. Reported-by: Daniel Axtens <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
Configuration menu - View commit details
-
Copy full SHA for 5e5d858 - Browse repository at this point
Copy the full SHA 5e5d858View commit details -
font: Assign null_font to glyphs in ascii_font_glyph[]
The calculations in blit_comb() need information from glyph's font, e.g. grub_font_get_xheight(main_glyph->font). However, main_glyph->font is NULL if main_glyph comes from ascii_font_glyph[]. Therefore grub_font_get_*() crashes because of NULL pointer. There is already a solution, the null_font. So, assign it to those glyphs in ascii_font_glyph[]. Reported-by: Daniel Axtens <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
Configuration menu - View commit details
-
Copy full SHA for 2cff5db - Browse repository at this point
Copy the full SHA 2cff5dbView commit details -
normal/charset: Fix an integer overflow in grub_unicode_aglomerate_co…
…mb() The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255. However, code in grub_unicode_aglomerate_comb() doesn't check for an overflow when incrementing out->ncomb. If out->ncomb is already 255, after incrementing it will get 0 instead of 256, and cause illegal memory access in subsequent processing. This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max acceptable value of ncomb. The code now checks for this limit and ignores additional combining characters when limit is reached. Reported-by: Daniel Axtens <[email protected]> Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
Configuration menu - View commit details
-
Copy full SHA for e1f86f1 - Browse repository at this point
Copy the full SHA e1f86f1View commit details -
font: Try opening fonts from the bundled memdisk
Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 10c5a7b - Browse repository at this point
Copy the full SHA 10c5a7bView commit details -
mm: Clarify grub_real_malloc()
When iterating through the singly linked list of free blocks, grub_real_malloc() uses p and q for the current and previous blocks respectively. This isn't super clear, so swap to using prev and cur. This makes another quirk more obvious. The comment at the top of grub_real_malloc() might lead you to believe that the function will allocate from *first if there is space in that block. It actually doesn't do that, and it can't do that with the current data structures. If we used up all of *first, we would need to change the ->next of the previous block to point to *first->next, but we can't do that because it's a singly linked list and we don't have access to *first's previous block. What grub_real_malloc() actually does is set *first to the initial previous block, and *first->next is the block we try to allocate from. That allows us to keep all the data structures consistent. Document that. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 246ad6a)
Configuration menu - View commit details
-
Copy full SHA for ae3a583 - Browse repository at this point
Copy the full SHA ae3a583View commit details -
mm: grub_real_malloc(): Make small allocs comment match code
Small allocations move the region's *first pointer. The comment says that this happens for allocations under 64K. The code says it's for allocations under 32K. Commit 45bf8b3 changed the code intentionally: make the comment match. Fixes: 45bf8b3 (* grub-core/kern/mm.c (grub_real_malloc): Decrease cut-off of moving the) Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit a847895)
Configuration menu - View commit details
-
Copy full SHA for b51f0d4 - Browse repository at this point
Copy the full SHA b51f0d4View commit details -
The grub_free() possesses a surprising number of quirks, and also uses single-letter variable names confusingly to iterate through the free list. Document what's going on. Use prev and cur to iterate over the free list. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 1f8d0b0)
Configuration menu - View commit details
-
Copy full SHA for 280a656 - Browse repository at this point
Copy the full SHA 280a656View commit details -
mm: Document grub_mm_init_region()
The grub_mm_init_region() does some things that seem magical, especially around region merging. Make it a bit clearer. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 246d69b)
Configuration menu - View commit details
-
Copy full SHA for 5fc6860 - Browse repository at this point
Copy the full SHA 5fc6860View commit details -
mm: Document GRUB internal memory management structures
I spent more than a trivial quantity of time figuring out pre_size and whether a memory region's size contains the header cell or not. Document the meanings of all the properties. Hopefully now no-one else has to figure it out! Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit a6c5c52)
Configuration menu - View commit details
-
Copy full SHA for 9cfee08 - Browse repository at this point
Copy the full SHA 9cfee08View commit details -
mm: Assert that we preserve header vs region alignment
grub_mm_region_init() does: h = (grub_mm_header_t) (r + 1); where h is a grub_mm_header_t and r is a grub_mm_region_t. Cells are supposed to be GRUB_MM_ALIGN aligned, but while grub_mm_dump ensures this vs the region header, grub_mm_region_init() does not. It's better to be explicit than implicit here: rather than changing grub_mm_region_init() to ALIGN_UP(), require that the struct is explicitly a multiple of the header size. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 1df8fe6)
Configuration menu - View commit details
-
Copy full SHA for 3ec3df3 - Browse repository at this point
Copy the full SHA 3ec3df3View commit details -
mm: When adding a region, merge with region after as well as before
On x86_64-efi (at least) regions seem to be added from top down. The mm code will merge a new region with an existing region that comes immediately before the new region. This allows larger allocations to be satisfied that would otherwise be the case. On powerpc-ieee1275, however, regions are added from bottom up. So if we add 3x 32MB regions, we can still only satisfy a 32MB allocation, rather than the 96MB allocation we might otherwise be able to satisfy. * Define 'post_size' as being bytes lost to the end of an allocation due to being given weird sizes from firmware that are not multiples of GRUB_MM_ALIGN. * Allow merging of regions immediately _after_ existing regions, not just before. As with the other approach, we create an allocated block to represent the new space and the pass it to grub_free() to get the metadata right. Signed-off-by: Daniel Axtens <[email protected]> Tested-by: Stefan Berger <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 052e606)
Configuration menu - View commit details
-
Copy full SHA for 77371ff - Browse repository at this point
Copy the full SHA 77371ffView commit details -
mm: Debug support for region operations
This is handy for debugging. Enable with "set debug=regions". Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 8afa5ef)
Configuration menu - View commit details
-
Copy full SHA for 474d212 - Browse repository at this point
Copy the full SHA 474d212View commit details -
mm: Drop unused unloading of modules on OOM
In grub_memalign(), there's a commented section which would allow for unloading of unneeded modules in case where there is not enough free memory available to satisfy a request. Given that this code is never compiled in, let's remove it together with grub_dl_unload_unneeded(). Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 139fd9b)
Configuration menu - View commit details
-
Copy full SHA for 629bce3 - Browse repository at this point
Copy the full SHA 629bce3View commit details -
mm: Allow dynamically requesting additional memory regions
Currently, all platforms will set up their heap on initialization of the platform code. While this works mostly fine, it poses some limitations on memory management on us. Most notably, allocating big chunks of memory in the gigabyte range would require us to pre-request this many bytes from the firmware and add it to the heap from the beginning on some platforms like EFI. As this isn't needed for most configurations, it is inefficient and may even negatively impact some usecases when, e.g., chainloading. Nonetheless, allocating big chunks of memory is required sometimes, where one example is the upcoming support for the Argon2 key derival function in LUKS2. In order to avoid pre-allocating big chunks of memory, this commit implements a runtime mechanism to add more pages to the system. When a given allocation cannot be currently satisfied, we'll call a given callback set up by the platform's own memory management subsystem, asking it to add a memory area with at least "n" bytes. If this succeeds, we retry searching for a valid memory region, which should now succeed. If this fails, we try asking for "n" bytes, possibly spread across multiple regions, in hopes that region merging means that we end up with enough memory for things to work out. Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Tested-by: Stefan Berger <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 887f98f)
Configuration menu - View commit details
-
Copy full SHA for dcbf777 - Browse repository at this point
Copy the full SHA dcbf777View commit details -
kern/efi/mm: Always request a fixed number of pages on init
When initializing the EFI memory subsystem, we will by default request a quarter of the available memory, bounded by a minimum/maximum value. Given that we're about to extend the EFI memory system to dynamically request additional pages from the firmware as required, this scaling of requested memory based on available memory will not make a lot of sense anymore. Remove this logic as a preparatory patch such that we'll instead defer to the runtime memory allocator. Note that ideally, we'd want to change this after dynamic requesting of pages has been implemented for the EFI platform. But because we'll need to split up initialization of the memory subsystem and the request of pages from the firmware, we'd have to duplicate quite some logic at first only to remove it afterwards again. This seems quite pointless, so we instead have patches slightly out of order. Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 938c376)
Configuration menu - View commit details
-
Copy full SHA for 65f6aaa - Browse repository at this point
Copy the full SHA 65f6aaaView commit details -
kern/efi/mm: Extract function to add memory regions
In preparation of support for runtime-allocating additional memory region, this patch extracts the function to retrieve the EFI memory map and add a subset of it to GRUB's own memory regions. Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 96a7ea2) [rharwood: backport around our nx]
Configuration menu - View commit details
-
Copy full SHA for 8d87a6f - Browse repository at this point
Copy the full SHA 8d87a6fView commit details -
kern/efi/mm: Pass up errors from add_memory_regions()
The function add_memory_regions() is currently only called on system initialization to allocate a fixed amount of pages. As such, it didn't need to return any errors: in case it failed, we cannot proceed anyway. This will change with the upcoming support for requesting more memory from the firmware at runtime, where it doesn't make sense anymore to fail hard. Refactor the function to return an error to prepare for this. Note that this does not change the behaviour when initializing the memory system because grub_efi_mm_init() knows to call grub_fatal() in case grub_efi_mm_add_regions() returns an error. Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 15a0156)
Configuration menu - View commit details
-
Copy full SHA for 47bd939 - Browse repository at this point
Copy the full SHA 47bd939View commit details -
kern/efi/mm: Implement runtime addition of pages
Adjust the interface of grub_efi_mm_add_regions() to take a set of GRUB_MM_ADD_REGION_* flags, which most notably is currently only the GRUB_MM_ADD_REGION_CONSECUTIVE flag. This allows us to set the function up as callback for the memory subsystem and have it call out to us in case there's not enough pages available in the current heap. Signed-off-by: Patrick Steinhardt <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 1df2934)
Configuration menu - View commit details
-
Copy full SHA for e74c93a - Browse repository at this point
Copy the full SHA e74c93aView commit details -
efi: Increase default memory allocation to 32 MiB
We have multiple reports of things being slower with a 1 MiB initial static allocation, and a report (more difficult to nail down) of a boot failure as a result of the smaller initial allocation. Make the initial memory allocation 32 MiB. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 75e38e8)
Configuration menu - View commit details
-
Copy full SHA for a1d4228 - Browse repository at this point
Copy the full SHA a1d4228View commit details -
mm: Try invalidate disk caches last when out of memory
Every heap grow will cause all disk caches invalidated which decreases performance severely. This patch moves disk cache invalidation code to the last of memory squeezing measures. So, disk caches are released only when there are no other ways to get free memory. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Reviewed-by: Patrick Steinhardt <[email protected]> (cherry picked from commit 17975d1)
Configuration menu - View commit details
-
Copy full SHA for 477fa2a - Browse repository at this point
Copy the full SHA 477fa2aView commit details -
ppc64le: signed boot media changes
Skip mdraid < 1.1 on isos since mdraid* can't even Prior to this change, on ppc64le with part_msdos and the mdraid* modules enabled, we see: disk/diskfilter.c:191: scanning ieee1275/cdrom kern/disk.c:196: Opening `ieee1275/cdrom'... disk/ieee1275/ofdisk.c:477: Opening `cdrom'. disk/ieee1275/ofdisk.c:502: MAX_RETRIES set to 20 kern/disk.c:288: Opening `ieee1275/cdrom' succeeded. disk/diskfilter.c:136: Scanning for DISKFILTER devices on disk ieee1275/cdrom partmap/msdos.c:184: partition 0: flag 0x80, type 0x96, start 0x0, len 0x6a5d70 disk/diskfilter.c:136: Scanning for DISKFILTER devices on disk ieee1275/cdrom SCSI-DISK: Access beyond end of device ! SCSI-DISK: Access beyond end of device ! SCSI-DISK: Access beyond end of device ! SCSI-DISK: Access beyond end of device ! SCSI-DISK: Access beyond end of device ! disk/ieee1275/ofdisk.c:578: MAX_RETRIES set to 20 These latter two lines repeat many times, eventually ending in: kern/disk.c:388: ieee1275/cdrom read failed error: ../../grub-core/disk/ieee1275/ofdisk.c:608:failure reading sector 0x1a9720 from `ieee1275/cdrom'. and the system drops to a "grub>" prompt. Prior to 1.1, mdraid stored the superblock offset from the end of the disk, and the firmware really doesn't like reads there. Best guess was that the firmware and the iso image appear to diagree on the blocksize (512 vs. 2048), and the diskfilter RAID probing is too much for it. It's tempting to just skip probing for cdroms, but unfortunately isos can be virtualized elsewhere - such as regular disks. Also fix detection of root, and try the chrp path as a fallback if the built prefix doesn't work. Signed-off-by: Robbie Harwood <[email protected]> wip
Configuration menu - View commit details
-
Copy full SHA for de735a4 - Browse repository at this point
Copy the full SHA de735a4View commit details -
core: Fix several implicit function declarations
These #include lines ensure that grub2 continues to build with C99 where implicit function declarations are removed. Related to: <https://fedoraproject.org/wiki/Changes/PortingToModernC> <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
Configuration menu - View commit details
-
Copy full SHA for f7d929e - Browse repository at this point
Copy the full SHA f7d929eView commit details -
loader: Add support for grub-emu to kexec Linux menu entries
The GRUB emulator is used as a debugging utility but it could also be used as a user-space bootloader if there is support to boot an operating system. The Linux kernel is already able to (re)boot another kernel via the kexec boot mechanism. So the grub-emu tool could rely on this feature and have linux and initrd commands that are used to pass a kernel, initramfs image and command line parameters to kexec for booting a selected menu entry. By default the systemctl kexec option is used so systemd can shutdown all of the running services before doing a reboot using kexec. But if this is not present, it can fall back to executing the kexec user-space tool directly. The ability to force a kexec-reboot when systemctl kexec fails must only be used in controlled environments to avoid possible filesystem corruption and data loss. Signed-off-by: Raymund Will <[email protected]> Signed-off-by: John Jolly <[email protected]> Signed-off-by: Javier Martinez Canillas <[email protected]> Signed-off-by: Robbie Harwood <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit e364307) [rharwood: conflicts around makefile and grub_exit return code]
Configuration menu - View commit details
-
Copy full SHA for ba26c2d - Browse repository at this point
Copy the full SHA ba26c2dView commit details -
powerpc: Drop Open Hack'Ware - remove GRUB_IEEE1275_FLAG_FORCE_CLAIM
Open Hack'Ware was the only user. It added a lot of complexity. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 333e63b)
Configuration menu - View commit details
-
Copy full SHA for 5434d57 - Browse repository at this point
Copy the full SHA 5434d57View commit details -
ieee1275: request memory with ibm, client-architecture-support
On PowerVM, the first time we boot a Linux partition, we may only get 256MB of real memory area, even if the partition has more memory. This isn't enough to reliably verify a kernel. Fortunately, the Power Architecture Platform Reference (PAPR) defines a method we can call to ask for more memory: the broad and powerful ibm,client-architecture-support (CAS) method. CAS can do an enormous amount of things on a PAPR platform: as well as asking for memory, you can set the supported processor level, the interrupt controller, hash vs radix mmu, and so on. If: - we are running under what we think is PowerVM (compatible property of / begins with "IBM"), and - the full amount of RMA is less than 512MB (as determined by the reg property of /memory) then call CAS as follows: (refer to the Linux on Power Architecture Reference, LoPAR, which is public, at B.5.2.3): - Use the "any" PVR value and supply 2 option vectors. - Set option vector 1 (PowerPC Server Processor Architecture Level) to "ignore". - Set option vector 2 with default or Linux-like options, including a min-rma-size of 512MB. - Set option vector 3 to request Floating Point, VMX and Decimal Floating point, but don't abort the boot if we can't get them. - Set option vector 4 to request a minimum VP percentage to 1%, which is what Linux requests, and is below the default of 10%. Without this, some systems with very large or very small configurations fail to boot. This will cause a CAS reboot and the partition will restart with 512MB of RMA. Importantly, grub will notice the 512MB and not call CAS again. Notes about the choices of parameters: - A partition can be configured with only 256MB of memory, which would mean this request couldn't be satisfied, but PFW refuses to load with only 256MB of memory, so it's a bit moot. SLOF will run fine with 256MB, but we will never call CAS under qemu/SLOF because /compatible won't begin with "IBM".) - unspecified CAS vectors take on default values. Some of these values might restrict the ability of certain hardware configurations to boot. This is why we need to specify the VP percentage in vector 4, which is in turn why we need to specify vector 3. Finally, we should have enough memory to verify a kernel, and we will reach Linux. One of the first things Linux does while still running under OpenFirmware is to call CAS with a much fuller set of options (including asking for 512MB of memory). Linux includes a much more restrictive set of PVR values and processor support levels, and this CAS invocation will likely induce another reboot. On this reboot grub will again notice the higher RMA, and not call CAS. We will get to Linux again, Linux will call CAS again, but because the values are now set for Linux this will not induce another CAS reboot and we will finally boot all the way to userspace. On all subsequent boots, everything will be configured with 512MB of RMA, so there will be no further CAS reboots from grub. (phyp is super sticky with the RMA size - it persists even on cold boots. So if you've ever booted Linux in a partition, you'll probably never have grub call CAS. It'll only ever fire the first time a partition loads grub, or if you deliberately lower the amount of memory your partition has below 512MB.) Signed-off-by: Daniel Axtens <[email protected]> Signed-off-by: Stefan Berger <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit d5571590b7de61887efac1c298901455697ba307)
Configuration menu - View commit details
-
Copy full SHA for e6503c3 - Browse repository at this point
Copy the full SHA e6503c3View commit details -
ieee1275: drop len -= 1 quirk in heap_init
This was apparently 'required by some firmware': commit dc94685 ("2007-02-12 Hollis Blanchard <[email protected]>"). It's not clear what firmware that was, and what platform from 14 years ago which exhibited the bug then is still both in use and buggy now. It doesn't cause issues on qemu (mac99 or pseries) or under PFW for Power8. I don't have access to old Mac hardware, but if anyone feels especially strongly we can put it under some feature flag. I really want to disable it under pseries because it will mess with region merging. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit fc639d430297321ee4f77c5d2d698f698cec0dc7)
Configuration menu - View commit details
-
Copy full SHA for acedefb - Browse repository at this point
Copy the full SHA acedefbView commit details -
ieee1275: support runtime memory claiming
On powerpc-ieee1275, we are running out of memory trying to verify anything. This is because: - we have to load an entire file into memory to verify it. This is difficult to change with appended signatures. - We only have 32MB of heap. - Distro kernels are now often around 30MB. So we want to be able to claim more memory from OpenFirmware for our heap at runtime. There are some complications: - The grub mm code isn't the only thing that will make claims on memory from OpenFirmware: * PFW/SLOF will have claimed some for their own use. * The ieee1275 loader will try to find other bits of memory that we haven't claimed to place the kernel and initrd when we go to boot. * Once we load Linux, it will also try to claim memory. It claims memory without any reference to /memory/available, it just starts at min(top of RMO, 768MB) and works down. So we need to avoid this area. See arch/powerpc/kernel/prom_init.c as of v5.11. - The smallest amount of memory a ppc64 KVM guest can have is 256MB. It doesn't work with distro kernels but can work with custom kernels. We should maintain support for that. (ppc32 can boot with even less, and we shouldn't break that either.) - Even if a VM has more memory, the memory OpenFirmware makes available as Real Memory Area can be restricted. Even with our CAS work, an LPAR on a PowerVM box is likely to have only 512MB available to OpenFirmware even if it has many gigabytes of memory allocated. What should we do? We don't know in advance how big the kernel and initrd are going to be, which makes figuring out how much memory we can take a bit tricky. To figure out how much memory we should leave unused, I looked at: - an Ubuntu 20.04.1 ppc64le pseries KVM guest: vmlinux: ~30MB initrd: ~50MB - a RHEL8.2 ppc64le pseries KVM guest: vmlinux: ~30MB initrd: ~30MB So to give us a little wriggle room, I think we want to leave at least 128MB for the loader to put vmlinux and initrd in memory and leave Linux with space to satisfy its early allocations. Allow other space to be allocated at runtime. Tested-by: Stefan Berger <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> (cherry picked from commit a5c710789ccdd27a84ae4a34c7d453bd585e2b66) [rharwood: _start?]
Configuration menu - View commit details
-
Copy full SHA for 23971c4 - Browse repository at this point
Copy the full SHA 23971c4View commit details -
ieee1275: implement vec5 for cas negotiation
As a legacy support, if the vector 5 is not implemented, Power Hypervisor will consider the max CPUs as 64 instead 256 currently supported during client-architecture-support negotiation. This patch implements the vector 5 and set the MAX CPUs to 256 while setting the others values to 0 (default). Signed-off-by: Diego Domingos <[email protected]> Acked-by: Daniel Axtens <[email protected]> Signed-off-by: Stefan Berger <[email protected]> Signed-off-by: Avnish Chouhan <[email protected]> (cherry picked from commit 942f19959fe7465fb52a1da39ff271a7ab704892)
Configuration menu - View commit details
-
Copy full SHA for ee9c11d - Browse repository at this point
Copy the full SHA ee9c11dView commit details -
ibmvtpm: Add support for trusted boot using a vTPM 2.0
Add support for trusted boot using a vTPM 2.0 on the IBM IEEE1275 PowerPC platform. With this patch grub now measures text and binary data into the TPM's PCRs 8 and 9 in the same way as the x86_64 platform does. This patch requires Daniel Axtens's patches for claiming more memory. Note: The tpm_init() function cannot be called from GRUB_MOD_INIT() since it does not find the device nodes upon module initialization and therefore the call to tpm_init() must be deferred to grub_tpm_measure(). For vTPM support to work on PowerVM, system driver levels 1010.30 or 1020.00 are required. Note: Previous versions of firmware levels with the 2hash-ext-log API call have a bug that, once this API call is invoked, has the effect of disabling the vTPM driver under Linux causing an error message to be displayed in the Linux kernel log. Those users will have to update their machines to the firmware levels mentioned above. Cc: Eric Snowberg <[email protected]> Signed-off-by: Stefan Berger <[email protected]> Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 2aa5ef83743dfea79377309ff4f5e9c9a55de355)
Configuration menu - View commit details
-
Copy full SHA for 5142bbe - Browse repository at this point
Copy the full SHA 5142bbeView commit details -
Open Hack'Ware was an alternative firmware of powerpc under QEMU. The last commit to any Open Hack'Ware repo I can find is from 2014 [1]. Open Hack'Ware was used for the QEMU "prep" machine type, which was deprecated in QEMU in commit 54c86f5a4844 (hw/ppc: deprecate the machine type 'prep', replaced by '40p') in QEMU v3.1, and had reportedly been broken for years before without anyone noticing. Support was removed in February 2020 by commit b2ce76a0730e (hw/ppc/prep: Remove the deprecated "prep" machine and the OpenHackware BIOS). Open Hack'Ware's limitations require some messy code in GRUB. This complexity is not worth carrying any more. Remove detection of Open Hack'Ware. We will clean up the feature flags in following commits. [1]: https://github.com/qemu/openhackware and https://repo.or.cz/w/openhackware.git are QEMU submodules. They have only small changes on top of OHW v0.4.1, which was imported into QEMU SCM in 2010. I can't find anything resembling an official repo any more. Signed-off-by: Daniel Axtens <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit f9ce538)
Configuration menu - View commit details
-
Copy full SHA for 7f8daed - Browse repository at this point
Copy the full SHA 7f8daedView commit details
Commits on Feb 16, 2023
-
osdep/linux/hostdisk: Modify sector by sysfs as disk sector
The disk sector size provided by sysfs file system considers the sector size of 512 irrespective of disk sector size, thus causing the read by the GRUB to an incorrect offset from what was originally intended. Considering the 512 sector size of sysfs data the actual sector needs to be modified corresponding to disk sector size. Signed-off-by: Mukesh Kumar Chaurasiya <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit f756484)
Configuration menu - View commit details
-
Copy full SHA for de07df2 - Browse repository at this point
Copy the full SHA de07df2View commit details
Commits on Feb 20, 2023
-
mm: Adjust new region size to take management overhead into account
When grub_memalign() encounters out-of-memory, it will try grub_mm_add_region_fn() to request more memory from system firmware. However, the size passed to it doesn't take region management overhead into account. Adding a memory area of "size" bytes may result in a heap region of less than "size" bytes really available. Thus, the new region may not be adequate for current allocation request, confusing out-of-memory handling code. This patch introduces GRUB_MM_MGMT_OVERHEAD to address the region management overhead (e.g. metadata, padding). The value of this new constant must be large enough to make sure grub_memalign(align, size) always succeeds after a successful call to grub_mm_init_region(addr, size + align + GRUB_MM_MGMT_OVERHEAD), for any given addr and size (assuming no integer overflow). The size passed to grub_mm_add_region_fn() is now correctly adjusted, thus if grub_mm_add_region_fn() succeeded, current allocation request can always succeed. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 2282cbf)
Configuration menu - View commit details
-
Copy full SHA for 9a2887f - Browse repository at this point
Copy the full SHA 9a2887fView commit details -
mm: Preallocate some space when adding new regions
When grub_memalign() encounters out-of-memory, it will try grub_mm_add_region_fn() to request more memory from system firmware. However, it doesn't preallocate memory space for future allocation requests. In extreme cases, it requires one call to grub_mm_add_region_fn() for each memory allocation request. This can be very slow. This patch introduces GRUB_MM_HEAP_GROW_EXTRA, the minimal heap growth granularity. The new region size is now set to the bigger one of its original value and GRUB_MM_HEAP_GROW_EXTRA. Thus, it will result in some memory space preallocated if current allocations request is small. The value of GRUB_MM_HEAP_GROW_EXTRA is set to 1MB. If this value is smaller, the cost of small memory allocations will be higher. If this value is larger, more memory will be wasted and it might cause out-of-memory on machines with small amount of RAM. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 21869ba)
Configuration menu - View commit details
-
Copy full SHA for c9176ae - Browse repository at this point
Copy the full SHA c9176aeView commit details -
mm: Avoid complex heap growth math in hot path
We do a lot of math about heap growth in hot path of grub_memalign(). However, the result is only used if out of memory is encountered, which is seldom. This patch moves these calculations away from hot path. These calculations are now only done if out of memory is encountered. This change can also help compiler to optimize integer overflow checks away. Signed-off-by: Zhang Boyang <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 65bc459)
Configuration menu - View commit details
-
Copy full SHA for 61616e1 - Browse repository at this point
Copy the full SHA 61616e1View commit details
Commits on Mar 9, 2023
-
hostdisk: work around /proc not reporting size
fstat(2) of files in /proc will yield st_size == 0 regardless of file contents. Use a negative value in grub_file_t's size to denote "ignore" and plumb through. Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 68005f2 - Browse repository at this point
Copy the full SHA 68005f2View commit details -
blscfg: check for mounted /boot in emu
Irritatingly, BLS defines paths relatives to the mountpoint of the filesystem which contains its snippets, not / or any other fixed location. So grub2-emu needs to know whether /boot is a separate filesysem from / and conditionally prepend a path. Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for f636470 - Browse repository at this point
Copy the full SHA f636470View commit details
Commits on Mar 22, 2023
-
emu/linux: work around systemctl kexec returning
Per systemctl(1), it "is asynchronous; it will return after the reboot operation is enqueued, without waiting for it to complete". This differs from kexec(8), which calls reboot(2) and therefore does not return. When not using fallback, this results in the confusing-but-harmless: error trying to perform 'systemctl kexec': 0 Aborted. Press any key to exit. on screen for a bit, followed by successful kexec. To reduce the liklihood of hitting this case, add a delay on succesful return. Ultimately, the systemd interface is racy: we can't avoid it entirely unless we never fallback on success. Signed-off-by: Robbie Harwood <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 43aed52 - Browse repository at this point
Copy the full SHA 43aed52View commit details
Commits on Mar 30, 2023
-
kern/ieee1275/init: Convert plain numbers to constants in Vec5
This patch converts the plain numbers used in Vec5 properties to constants. 1. LPAR: Client program supports logical partitioning and associated hcall()s. 2. SPLPAR: Client program supports the Shared Processor LPAR Option. 3. CMO: Enables the Cooperative Memory Over-commitment Option. 4. MAX_CPU: Defines maximum number of CPUs supported. Signed-off-by: Avnish Chouhan <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 8406cfe)
Configuration menu - View commit details
-
Copy full SHA for ae0100d - Browse repository at this point
Copy the full SHA ae0100dView commit details -
kern/ieee1275/init: Extended support in Vec5
This patch enables multiple options in Vec5 which are required and solves the boot issues seen on some machines which are looking for these specific options. 1. LPAR: Client program supports logical partitioning and associated hcall()s. 2. SPLPAR: Client program supports the Shared Processor LPAR Option. 3. DYN_RCON_MEM: Client program supports the “ibm,dynamic-reconfiguration-memory” property and it may be presented in the device tree. 4. LARGE_PAGES: Client supports pages larger than 4 KB. 5. DONATE_DCPU_CLS: Client supports donating dedicated processor cycles. 6. PCI_EXP: Client supports PCI Express implementations utilizing Message Signaled Interrupts (MSIs). 7. CMOC: Enables the Cooperative Memory Over-commitment Option. 8. EXT_CMO: Enables the Extended Cooperative Memory Over-commit Option. 9. ASSOC_REF: Enables “ibm,associativity” and “ibm,associativity-reference-points” properties. 10. AFFINITY: Enables Platform Resource Reassignment Notification. 11. NUMA: Supports NUMA Distance Lookup Table Option. 12. HOTPLUG_INTRPT: Supports Hotplug Interrupts. 13. HPT_RESIZE: Enable Hash Page Table Resize Option. 14. MAX_CPU: Defines maximum number of CPUs supported. 15. PFO_HWRNG: Supports Random Number Generator. 16. PFO_HW_COMP: Supports Compression Engine. 17. PFO_ENCRYPT: Supports Encryption Engine. 18. SUB_PROCESSORS: Supports Sub-Processors. 19. DY_MEM_V2: Client program supports the “ibm,dynamic-memory-v2” property in the “ibm,dynamic-reconfiguration-memory” node and it may be presented in the device tree. 20. DRC_INFO: Client program supports the “ibm,drc-info” property definition and it may be presented in the device tree. Signed-off-by: Avnish Chouhan <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 98d0df0)
Configuration menu - View commit details
-
Copy full SHA for 2becfab - Browse repository at this point
Copy the full SHA 2becfabView commit details -
tpm: Disable the tpm verifier if the TPM device is not present
When the tpm module is loaded, the verifier reads entire file into memory, measures it and uses verified content as a backing buffer for file accesses. However, this process may result in high memory utilization for file operations, sometimes causing a system to run out of memory which may finally lead to boot failure. To address this issue, among others, the commit 887f98f (mm: Allow dynamically requesting additional memory regions) have optimized memory management by dynamically allocating heap space to maximize memory usage and reduce threat of memory exhaustion. But in some cases problems may still arise, e.g., when large ISO images are mounted using loopback or when dealing with embedded systems with limited memory resources. Unfortunately current implementation of the tpm module doesn't allow elimination of the back buffer once it is loaded. Even if the TPM device is not present or it has been explicitly disabled. This may unnecessary allocate a lot memory. To solve this issue, a patch has been developed to detect the TPM status at module load and skip verifier registration if the device is missing or deactivated. This prevents allocation of memory for the back buffer, avoiding wasting memory when no real measure boot functionality is performed. Disabling the TPM device in the system can reduce memory usage in the GRUB. It is useful in scenarios where high memory utilization is a concern and measurements of loaded artifacts are not necessary. Signed-off-by: Michael Chang <[email protected]> Signed-off-by: Stefan Berger <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> (cherry picked from commit 30708df)
Configuration menu - View commit details
-
Copy full SHA for b09440d - Browse repository at this point
Copy the full SHA b09440dView commit details
Commits on Apr 10, 2023
-
grub_dl_set_mem_attrs(): fix format string
The grub_dprintf() call for printing the message updating attributes for GOT and trampolines passes the argument "mod->name", but the format string doesn't accept that argument. Print the module name too. Example output: > kern/dl.c:736: updating attributes for GOT and trampolines ("video_fb") Fixes: ad1b904 (nx: set page permissions for loaded modules.) Signed-off-by: Laszlo Ersek <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ee58dd7 - Browse repository at this point
Copy the full SHA ee58dd7View commit details -
grub_dl_set_mem_attrs(): add self-check for the tramp/GOT sizes
On aarch64 UEFI, we currently have a crasher: grub_dl_load_core() grub_dl_load_core_noinit() /* independent allocation: must remain writable */ mod = grub_zalloc(); /* allocates module image with incorrect tail alignment */ grub_dl_load_segments() /* write-protecting the module image makes "mod" read-only! */ grub_dl_set_mem_attrs() grub_update_mem_attrs() grub_dl_init() /* page fault, crash */ mod->next = ...; - Commit 887f1d8 ("modules: load module sections at page-aligned addresses", 2023-02-08) forgot to page-align the allocation of the trampolines and GOT areas of grub2 modules, in grub_dl_load_segments(). - Commit ad1b904 ("nx: set page permissions for loaded modules.", 2023-02-08) calculated a common bounding box for the trampolines and GOT areas in grub_dl_set_mem_attrs(), rounded the box size up to a whole multiple of EFI page size ("arch_addralign"), and write-protected the resultant page range. Consequently, grub_dl_load_segments() places the module image in memory such that its tail -- the end of the trampolines and GOT areas -- lands at the head of a page whose tail in turn contains independent memory allocations, such as "mod". grub_dl_set_mem_attrs() will then unwittingly write-protect these other allocations too. But "mod" must remain writable: we assign "mod->next" in grub_dl_init() subsequently. Currently we crash there with a page fault / permission fault. (The crash is not trivial to hit: the tramp/GOT areas are irrelevant on x86_64, plus the page protection depends on the UEFI platform firmware providing EFI_MEMORY_ATTRIBUTE_PROTOCOL. In practice, the crash is restricted to aarch64 edk2 (ArmVirtQemu) builds containing commit 1c4dfadb4611, "ArmPkg/CpuDxe: Implement EFI memory attributes protocol", 2023-03-16.) Example log before the patch: > kern/dl.c:736: updating attributes for GOT and trampolines ("video_fb") > kern/efi/mm.c:927: set +rx -w on 0x13b88b000-0x13b88bfff before:rwx after:r-x > kern/dl.c:744: done updating module memory attributes for "video_fb" > kern/dl.c:639: flushing 0xe4f0 bytes at 0x13b87d000 > kern/arm64/cache.c:42: D$ line size: 64 > kern/arm64/cache.c:43: I$ line size: 64 > kern/dl.c:839: module name: video_fb > kern/dl.c:840: init function: 0x0 > kern/dl.c:865: Initing module video_fb > > Synchronous Exception at 0x000000013B8A76EC > PC 0x00013B8A76EC > > X0 0x000000013B88B960 X1 0x0000000000000000 X2 0x000000013F93587C X3 0x0000000000000075 > > SP 0x00000000470745C0 ELR 0x000000013B8A76EC SPSR 0x60000205 FPSR 0x00000000 > ESR 0x9600004F FAR 0x000000013B88B9D0 > > ESR : EC 0x25 IL 0x1 ISS 0x0000004F > > Data abort: Permission fault, third level Note the following: - The whole 4K page at 0x1_3B88_B000 is write-protected. - The "video_fb" module actually lives at [0x1_3B87_D000, 0x1_3B88_B4F0) -- left-inclusive, right-exclusive --; that is, in the last page (at 0x1_3B88_B000), it only occupies the first 0x4F0 bytes. - The instruction at 0x1_3B8A_76EC faults. Not shown here, but it is a store instruction, which writes to the field at offset 0x70 of the structure pointed-to by the X0 register. This is the "mod->next" assignment from grub_dl_init(). - The faulting address is therefore (X0 + 0x70), i.e., 0x1_3B88_B9D0. This is indeed the value held in the FAR register. - The faulting address 0x1_3B88_B9D0 falls in the above-noted page (at 0x1_3B88_B000), namely at offset 0x9D0. This is *beyond* the first 0x4F0 bytes that the very tail of the "video_fb" module occupies at the front of that page. For now, add a self-check that reports this bug (and prevents the crash by skipping the write protection). Example log after the patch: > kern/dl.c:742:BUG: trying to protect pages outside of module allocation > ("video_fb"): module base 0x13b87d000, size 0xe4f0; tramp/GOT base > 0x13b88b000, size 0x1000 Signed-off-by: Laszlo Ersek <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for deb4c03 - Browse repository at this point
Copy the full SHA deb4c03View commit details -
grub_dl_load_segments(): page-align the tramp/GOT areas too
The tramp/GOT write-protection in grub_dl_set_mem_attrs() requires that the tramp/GOT areas of the module image *not* share a page with any other memory allocations. Page-align the tramp/GOT areas, while satisfying their intrinsic alignment requirements too. Fixes: 887f1d8 (modules: load module sections at page-aligned addresses) Fixes: ad1b904 (nx: set page permissions for loaded modules.) Signed-off-by: Laszlo Ersek <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c3569e4 - Browse repository at this point
Copy the full SHA c3569e4View commit details
Commits on Apr 12, 2023
-
emu: Add switch-root to grub-emu
If the kernel running grub emu is the same as the one we want to boot, it makes sense that we just switch-root instead of kexec the same kernel again by doing grub2-emu --switch-root Signed-off-by: Nicolas Frayer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 7de33f4 - Browse repository at this point
Copy the full SHA 7de33f4View commit details
Commits on Aug 8, 2023
-
util: Enable default kernel for updates
Several kernel variants can be installed on a system in parallel. In order to allow the user to choose which kernel will be set to default after an update, re-enable grub's usage of DEFAULTKERNEL as set in /etc/sysconfig/kernel Signed-off-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c98f9ea - Browse repository at this point
Copy the full SHA c98f9eaView commit details -
efi/http: change uint32_t to uintn_t
Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to be UEFI 2.9 compliant. Signed-off-by: Keng-Yu Lin <[email protected]> Signed-off-by: Nicolas Frayer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 205b7b4 - Browse repository at this point
Copy the full SHA 205b7b4View commit details
Commits on Sep 11, 2023
-
Add [Install] section to aux systemd units
Currently in Fedora, these services are statically enabled by symlinks, with no other way to disable them than to manually delete those symlinks. This is problematic in Fedora IoT, where grub-boot-success.timer is not supposed to be enabled. This change adds `[Install]` sections to all systemd units that are currently enabled statically, so that they can be enabled dynamically via presets or manually instead.
Configuration menu - View commit details
-
Copy full SHA for 46ca707 - Browse repository at this point
Copy the full SHA 46ca707View commit details -
arm64: Use proper memory type for kernel allocation
Currently, the kernel pages are allocated with type EFI_LOADER_DATA. While the vast majority of systems will happily execute code from those pages (i.e. don't care about memory protection), the Microsoft Surface Pro X stalls, as this memory is not designated as "executable". Therefore, allocate the kernel pages as EFI_LOADER_CODE to request memory that is actually executable. Signed-off-by: Maximilian Luz <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for dcfbf44 - Browse repository at this point
Copy the full SHA dcfbf44View commit details
Commits on Sep 29, 2023
-
Fix missing #include in ofdisk.c
Recently we started building with -Werror=implicit-function-declaration, and discovered that ofdisk.c is missing an include to declare grub_env_get(). This patch adds that #include. Signed-off-by: Peter Jones <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2921df0 - Browse repository at this point
Copy the full SHA 2921df0View commit details
Commits on Oct 16, 2023
-
add flag to only search root dev
fixes bz#2223437 Signed-off-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8cfc6a3 - Browse repository at this point
Copy the full SHA 8cfc6a3View commit details
Commits on Oct 20, 2023
-
kern/ieee1275/init: ppc64: Restrict high memory in presence of fadump
When a kernel dump is present then restrict the high memory regions to avoid allocating memory where the kernel dump resides. Use the ibm,kernel-dump node under /rtas to determine whether a kernel dump exists and up to which limit grub can use available memory. Set the upper_mem_limit to the size of the kernel dump section of type 'REAL_MODE_REGION' and therefore only allow grub's memory usage for high addresses from RMO_ADDR_MAX to 'upper_mem_limit'. This means that grub can use high memory in the range of RMO_ADDR_MAX (768MB) to upper_mem_limit and the kernel-dump memory regions above 'upper_mem_limit' remain untouched. This change has no effect on memory allocations below 'linux_rmo_save' (typically at 640MB). Also, fall back to allocating below rmo_linux_save in case the chunk of memory there would be larger than the chunk of memory above RMO_ADDR_MAX. This can for example occur if a free memory area is found starting at 300MB extending up to 1GB but a kernel dump is located at 768MB and therefore does not allow the allocation of the high memory area but requiring to use the chunk starting at 300MB to avoid an unnecessary out-of-memory condition. Signed-off-by: Stefan Berger <[email protected]> Reviewed-by: Hari Bathini <[email protected]> Cc: Pavithra Prakash <[email protected]> Cc: Michael Ellerman <[email protected]> Cc: Carolyn Scherrer <[email protected]> Cc: Mahesh Salgaonkar <[email protected]> Cc: Sourabh Jain <[email protected]> --- v2: check_kernel dump returns void now
Configuration menu - View commit details
-
Copy full SHA for 9f0f2df - Browse repository at this point
Copy the full SHA 9f0f2dfView commit details
Commits on Nov 7, 2023
-
UEFI Secure Boot requires signed grub binaries to work, so grub- install should not be used. However, users who have Secure Boot disabled and wish to use the command should not be prevented from doing so if they invoke --force. fixes bz#1917213 / bz#2240994 Signed-off-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0d383a5 - Browse repository at this point
Copy the full SHA 0d383a5View commit details
Commits on Nov 14, 2023
-
Configuration menu - View commit details
-
Copy full SHA for 522adbf - Browse repository at this point
Copy the full SHA 522adbfView commit details
Commits on Nov 30, 2023
-
fs: Remove trailing whitespaces
Signed-off-by: Elyes Haouas <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 4017d58 - Browse repository at this point
Copy the full SHA 4017d58View commit details -
fs/xfs: Fix memory leaks in XFS module
Signed-off-by: t.feng <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 172fdee - Browse repository at this point
Copy the full SHA 172fdeeView commit details -
fs/xfs: Fix issues found while fuzzing the XFS filesystem
While performing fuzz testing with XFS filesystem images with ASAN enabled, several issues were found where the memory accesses are made beyond the data that is allocated into the struct grub_xfs_data structure's data field. The existing structure didn't store the size of the memory allocated into the buffer in the data field and had no way to check it. To resolve these issues, the data size is stored to enable checks into the data buffer. With these checks in place, the fuzzing corpus no longer cause any crashes. Signed-off-by: Darren Kenny <[email protected]> Signed-off-by: Robbie Harwood <[email protected]> Signed-off-by: Marta Lewandowska <[email protected]> Signed-off-by: Lidong Chen <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 64b189b - Browse repository at this point
Copy the full SHA 64b189bView commit details -
fs/xfs: Incorrect short form directory data boundary check
After parsing of the current entry, the entry pointer is advanced to the next entry at the end of the "for" loop. In case where the last entry is at the end of the data boundary, the advanced entry pointer can point off the data boundary. The subsequent boundary check for the advanced entry pointer can cause a failure. The fix is to include the boundary check into the "for" loop condition. Signed-off-by: Lidong Chen <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Sebastian Andrzej Siewior <[email protected]> Tested-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 0545461 - Browse repository at this point
Copy the full SHA 0545461View commit details -
fs/xfs: Fix XFS directory extent parsing
The XFS directory entry parsing code has never been completely correct for extent based directories. The parser correctly handles the case where the directory is contained in a single extent, but then mistakenly assumes the data blocks for the multiple extent case are each identical to the single extent case. The difference in the format of the data blocks between the two cases is tiny enough that its gone unnoticed for a very long time. A recent change introduced some additional bounds checking into the XFS parser. Like GRUB's existing parser, it is correct for the single extent case but incorrect for the multiple extent case. When parsing a directory with multiple extents, this new bounds checking is sometimes (but not always) tripped and triggers an "invalid XFS directory entry" error. This probably would have continued to go unnoticed but the /boot/grub/<arch> directory is large enough that it often has multiple extents. The difference between the two cases is that when there are multiple extents, the data blocks do not contain a trailer nor do they contain any leaf information. That information is stored in a separate set of extents dedicated to just the leaf information. These extents come after the directory entry extents and are not included in the inode size. So the existing parser already ignores the leaf extents. The only reason to read the trailer/leaf information at all is so that the parser can avoid misinterpreting that data as directory entries. So this updates the parser as follows: For the single extent case the parser doesn't change much: 1. Read the size of the leaf information from the trailer 2. Set the end pointer for the parser to the start of the leaf information. (The previous bounds checking set the end pointer to the start of the trailer, so this is actually a small improvement.) 3. Set the entries variable to the expected number of directory entries. For the multiple extent case: 1. Set the end pointer to the end of the block. 2. Do not set up the entries variable. Figuring out how many entries are in each individual block is complex and does not seem worth it when it appears to be safe to just iterate over the entire block. The bounds check itself was also dependent upon the faulty XFS parser because it accidentally used "filename + length - 1". Presumably this was able to pass the fuzzer because in the old parser there was always 8 bytes of slack space between the tail pointer and the actual end of the block. Since this is no longer the case the bounds check needs to be updated to "filename + length + 1" in order to prevent a regression in the handling of corrupt fliesystems. Notes: * When there is only one extent there will only ever be one block. If more than one block is required then XFS will always switch to holding leaf information in a separate extent. * B-tree based directories seems to be parsed properly by the same code that handles multiple extents. This is unlikely to ever occur within /boot though because its only used when there are an extremely large number of directory entries. Fixes: ef7850c (fs/xfs: Fix issues found while fuzzing the XFS filesystem) Fixes: b2499b2 (Adds support for the XFS filesystem.) Fixes: https://savannah.gnu.org/bugs/?64376 Signed-off-by: Jon DeVree <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Sebastian Andrzej Siewior <[email protected]> Tested-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for a558246 - Browse repository at this point
Copy the full SHA a558246View commit details -
fs/xfs: Add large extent counters incompat feature support
XFS introduced 64-bit extent counters for inodes via a series of upstream commits and the feature was marked as stable in v6.5 via commit 61d7e8274cd8 (xfs: drop EXPERIMENTAL tag for large extent counts). Further, xfsprogs release v6.5.0 switched this feature on by default in mkfs.xfs via commit e5b18d7d1d96 (mkfs: enable large extent counts by default). Filesystems formatted with large extent count support, nrext64=1, are thus currently not recognizable by GRUB, since this is an incompat feature. Add the required support so that those filesystems and inodes with large extent counters can be read by GRUB. Signed-off-by: Anthony Iliopoulos <[email protected]> Reviewed-by: Andrey Albershteyn <[email protected]> Reviewed-by: Daniel Kiper <[email protected]> Tested-by: Marta Lewandowska <[email protected]> Tested-by: Sebastian Andrzej Siewior <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 4fb2d96 - Browse repository at this point
Copy the full SHA 4fb2d96View commit details
Commits on Dec 22, 2023
-
chainloader: remove device path debug message
Remove the debug message "/EndEntire" while using GRUB chainloader command. Signed-off-by: raravind <[email protected]> (cherry picked from commit f75f538)
Configuration menu - View commit details
-
Copy full SHA for c7572f1 - Browse repository at this point
Copy the full SHA c7572f1View commit details
Commits on Feb 7, 2024
-
grub-set-bootflag: Conservative partial fix for CVE-2024-1048
Following up on CVE-2019-14865 and taking a fresh look at grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some other ways in which users could still abuse this little program: 1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the grubenv file in-place, but writes into a temporary file and renames it over the original, checking for error returns from each call first. This prevents the original file truncation vulnerability, but it can leave the temporary file around if the program is killed before it can rename or remove the file. There are still many ways to get the program killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested, reliable) or by careful timing (tricky) of signals sent by process group leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive list). Invoking the program multiple times fills up /boot (or if /boot is not separate, then it can fill up the root filesystem). Since the files are tiny, the filesystem is likely to run out of free inodes before it'd run out of blocks, but the effect is similar - can't create new files after this point (but still can add data to existing files, such as logs). 2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect itself from signals by becoming full root. (This does protect it from signals sent by the user directly to the PID, but e.g. "kill -9 -1" by the user still works.) A side effect of such "protection" is that it's possible to invoke more concurrent instances of grub2-set-bootflag than the user's RLIMIT_NPROC would normally permit (as specified e.g. in /etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if grub2-set-bootflag would be abused by a website script), thereby exhausting system resources (e.g., bypassing RAM usage limit if RLIMIT_AS was also set). 3. umask is inherited. Again, due to how the CVE-2019-14865 fix creates a new file, and due to how mkstemp() works, this affects grubenv's new file permissions. Luckily, mkstemp() forces them to be no more relaxed than 0600, but the user ends up being able to set them e.g. to 0. Luckily, at least in my testing GRUB still works fine even when the file has such (lack of) permissions. This commit deals with the abuses above as follows: 1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process killed should no longer work. However, this isn't a complete fix because there are other ways to get the process killed after it has created the temporary file. The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not write the grubenv when the flag being written is already set") and similar for "menu_show_once", which further reduces the abuse potential. 2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka dropping the partial "kill protection"). 3. A safe umask is set. This is a partial fix (temporary files can still accumulate, but this is harder to trigger). While at it, this commit also fixes potential 1- or 2-byte over-read of env[] if its content is malformed - this was not a security issue since the grubenv file is trusted input, and the fix is just for robustness. Signed-off-by: Solar Designer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for fb31d80 - Browse repository at this point
Copy the full SHA fb31d80View commit details -
grub-set-bootflag: More complete fix for CVE-2024-1048
Switch to per-user fixed temporary filenames along with a weird locking mechanism, which is explained in source code comments. This is a more complete fix than the previous commit (temporary files can't accumulate). Unfortunately, it introduces new risks (by working on a temporary file shared between the user's invocations), which are _hopefully_ avoided by the patch's elaborate logic. I actually got it wrong at first, which suggests that this logic is hard to reason about, and more errors or omissions are possible. It also relies on the kernel's primitives' exact semantics to a greater extent (nothing out of the ordinary, though). Remaining issues that I think cannot reasonably be fixed without a redesign (e.g., having per-flag files with nothing else in them) and without introducing new issues: A. A user can still revert a concurrent user's attempt of setting the other flag - or of making other changes to grubenv by means other than this program. B. One leftover temporary file per user is still possible. Signed-off-by: Solar Designer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 074973a - Browse repository at this point
Copy the full SHA 074973aView commit details -
grub-set-bootflag: Exit calmly when not running as root
Exit calmly when not installed SUID root and invoked by non-root. This allows installing user/grub-boot-success.service unconditionally while supporting non-SUID installation of the program for some limited usage. Signed-off-by: Solar Designer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 5425919 - Browse repository at this point
Copy the full SHA 5425919View commit details
Commits on Apr 5, 2024
-
fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute …
…for the $MFT file When parsing an extremely fragmented $MFT file, i.e., the file described using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer containing bytes read from the underlying drive to store sector numbers, which are consumed later to read data from these sectors into another buffer. These sectors numbers, two 32-bit integers, are always stored at predefined offsets, 0x10 and 0x14, relative to first byte of the selected entry within the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem. However, when parsing a specially-crafted file system image, this may cause the NTFS code to write these integers beyond the buffer boundary, likely causing the GRUB memory allocator to misbehave or fail. These integers contain values which are controlled by on-disk structures of the NTFS file system. Such modification and resulting misbehavior may touch a memory range not assigned to the GRUB and owned by firmware or another EFI application/driver. This fix introduces checks to ensure that these sector numbers are never written beyond the boundary. Fixes: CVE-2023-4692 Reported-by: Maxim Suhanov <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d1d0c0d - Browse repository at this point
Copy the full SHA d1d0c0dView commit details -
fs/ntfs: Fix an OOB read when reading data from the resident $DATA at…
…tribute When reading a file containing resident data, i.e., the file data is stored in the $DATA attribute within the NTFS file record, not in external clusters, there are no checks that this resident data actually fits the corresponding file record segment. When parsing a specially-crafted file system image, the current NTFS code will read the file data from an arbitrary, attacker-chosen memory offset and of arbitrary, attacker-chosen length. This allows an attacker to display arbitrary chunks of memory, which could contain sensitive information like password hashes or even plain-text, obfuscated passwords from BS EFI variables. This fix implements a check to ensure that resident data is read from the corresponding file record segment only. Fixes: CVE-2023-4693 Reported-by: Maxim Suhanov <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for ca53ebf - Browse repository at this point
Copy the full SHA ca53ebfView commit details -
fs/ntfs: Fix an OOB read when parsing directory entries from resident…
… and non-resident index attributes This fix introduces checks to ensure that index entries are never read beyond the corresponding directory index. The lack of this check is a minor issue, likely not exploitable in any way. Reported-by: Maxim Suhanov <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for cd3ea53 - Browse repository at this point
Copy the full SHA cd3ea53View commit details -
fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes
This fix introduces checks to ensure that bitmaps for directory indices are never read beyond their actual sizes. The lack of this check is a minor issue, likely not exploitable in any way. Reported-by: Maxim Suhanov <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c7145e6 - Browse repository at this point
Copy the full SHA c7145e6View commit details -
fs/ntfs: Fix an OOB read when parsing a volume label
This fix introduces checks to ensure that an NTFS volume label is always read from the corresponding file record segment. The current NTFS code allows the volume label string to be read from an arbitrary, attacker-chosen memory location. However, the bytes read are always treated as UTF-16LE. So, the final string displayed is mostly unreadable and it can't be easily converted back to raw bytes. The lack of this check is a minor issue, likely not causing a significant data leak. Reported-by: Maxim Suhanov <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 41e38af - Browse repository at this point
Copy the full SHA 41e38afView commit details -
fs/ntfs: Make code more readable
Move some calls used to access NTFS attribute header fields into functions with human-readable names. Suggested-by: Daniel Kiper <[email protected]> Signed-off-by: Maxim Suhanov <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 511c49d - Browse repository at this point
Copy the full SHA 511c49dView commit details -
normal: Remove grub_env_set prefix in grub_try_normal_prefix
Commit de735a4 added a grub_env_set where the prefix contains the arch name in the pathname. This create issues when trying to load modules using this prefix as the pathname contains a "doubled" arch name in it (ie .../powerpc-ieee1275/powerpc-ieee1275/). Signed-off-by: Nicolas Frayer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for c5b706d - Browse repository at this point
Copy the full SHA c5b706dView commit details
Commits on May 15, 2024
-
grub-mkconfig.in: turn off executable owner bit
Stricker permissions are required on the grub.cfg file, resulting in at most 0600 owner's file permissions. This resolves conflicting requirement permissions on grub2-pc package's grub2.cfg file. Signed-off-by: Leo Sandoval <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 423962a - Browse repository at this point
Copy the full SHA 423962aView commit details
Commits on May 22, 2024
-
fs/xfs: Handle non-continuous data blocks in directory extents
The directory extent list does not have to be a continuous list of data blocks. When GRUB tries to read a non-existant member of the list, grub_xfs_read_file() will return a block of zero'ed memory. Checking for a zero'ed magic number is sufficient to skip this non-existant data block. Prior to commit 07318ee (fs/xfs: Fix XFS directory extent parsing) this was handled as a subtle side effect of reading the (non-existant) tail data structure. Since the block was zero'ed the computation of the number of directory entries in the block would return 0 as well. Fixes: 07318ee (fs/xfs: Fix XFS directory extent parsing) Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2254370 Signed-off-by: Jon DeVree <[email protected]> Reviewed-By: Vladimir Serbinenko <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for b60dfa5 - Browse repository at this point
Copy the full SHA b60dfa5View commit details
Commits on May 23, 2024
-
add flag to only search root dev
fixes bz#2223437 Signed-off-by: Marta Lewandowska <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 111f0f2 - Browse repository at this point
Copy the full SHA 111f0f2View commit details -
cmd/search: Rework of CVE-2023-4001 fix
The initial fix implemented a new flag that forces the grub cfg stub to be located on the same disk as grub. This created several issues such as RAID machines not being able to boot as their partition names under grub were different from the partition where grub is located. It also simply means that any machines with the /boot partition located on a disk other than the one containing grub won't boot. This commit denies booting if the grub cfg stub is located on a USB drive with a duplicated UUID (UUID being the same as the partition containing the actual grub cfg stub) Signed-off-by: Nicolas Frayer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for eb2b213 - Browse repository at this point
Copy the full SHA eb2b213View commit details
Commits on May 28, 2024
-
Set non-executable stack sections on EFI assembly files
For those manual assembly files created where no '.note.GNU-stack' section is explicitly added, linker defaults it as executable and this is the reason that RHEL CI rpminspect & annocheck tests are failing. The proposed change sets the corresponding GNU-stack sections otherwise CI detects the following security vulnerability $ annocheck annocheck --ignore-unknown --verbose --profile=el9 *.rpm 2>&1 | grep FAIL | grep stack (standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.exec: FAIL: gnu-stack test because .note.GNU-stack section has execute permission (standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.img: FAIL: gnu-stack test because .note.GNU-stack section has execute permission Signed-off-by: Leo Sandoval <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 8db5849 - Browse repository at this point
Copy the full SHA 8db5849View commit details -
util/grub-mkconfig.in: revert mode to 644
By mistake, PR [1] changed the permission bits to 755 so revert it to 644 again. [1] rhboot#167 Signed-off-by: Leo Sandoval <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 9b97ca6 - Browse repository at this point
Copy the full SHA 9b97ca6View commit details
Commits on Jul 2, 2024
-
kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power
This patch adds support for Radix, Xive and Radix_gtse in Options vector5 which is required for KVM LPARs. KVM LPARs ONLY support Radix and not the Hash. Not enabling Radix on any PowerVM KVM LPARs will result in boot failure. Signed-off-by: Avnish Chouhan <[email protected]> Reviewed-by: Daniel Kiper <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 6b8cb20 - Browse repository at this point
Copy the full SHA 6b8cb20View commit details
Commits on Jul 16, 2024
-
grub2-mkconfig: Ensure grub cfg stub is not overwritten
/boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub that should not be overwritten by grub2-mkconfig. Ensure that we prevent this from happening. Signed-off-by: Marta Lewandowska <[email protected]> Signed-off-by: Nicolas Frayer <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for 2b9a830 - Browse repository at this point
Copy the full SHA 2b9a830View commit details
Commits on Jul 19, 2024
-
skip empty lines in entry file
grub_file_getline() doesn't make any distinction between empty lines or EOF, so the following entry: title Fedora Linux (6.10.0-matteo) 40 (KDE Plasma) version 6.10.0-matteo linux /boot/vmlinuz-6.10.0-matteo options root=/dev/nvme0n1p2 ro cgroup_no_v1=all boots the kernel with an empty command line. Fix this by also checking grub_errno, which correctly signals the EOF. Signed-off-by: Matteo Croce <[email protected]>
Configuration menu - View commit details
-
Copy full SHA for d634aae - Browse repository at this point
Copy the full SHA d634aaeView commit details