Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

skip empty lines in entry file #185

Open
wants to merge 367 commits into
base: fedora-41
Choose a base branch
from
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Feb 6, 2023

  1. Add start symbol for RISC-V

    All other architectures have start symbol.
    
    Hopefully this resolves:
    
        BUILDSTDERR: ././grub-mkimage: error: undefined symbol start.
    
    Signed-off-by: David Abdurachmanov <[email protected]>
    David Abdurachmanov authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    d673d42 View commit details
    Browse the repository at this point in the history
  2. bootstrap.conf: Force autogen.sh to use python3

    The python-unversioned-command package is not installed in the buildroot,
    but the bootstrap script expects the python command to be present if one
    is not defined. So building the package leads to the following error:
    
    ./autogen.sh: line 20: python: command not found
    
    This is harmless since gnulib is included as a source anyways, because the
    builders can't download. But still the issue should be fixed by forcing to
    use python3 that's the default in Fedora now.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    2ab6c45 View commit details
    Browse the repository at this point in the history
  3. efi/http: Export {fw,http}_path variables to make them global

    The fw_path environment variable is used by http_configure() function to
    determine the HTTP path that should be used as prefix when using relative
    HTTP paths. And this is stored in the http_path environment variable.
    
    Later, that variable is looked up by grub_efihttp_open() to generate the
    complete path to be used in the HTTP request.
    
    But these variables are not exported, which means that are not global and
    so are only found in the initial context.
    
    This can cause commands like configfile that create a new context to fail
    because the fw_path and http_path variables will not be found.
    
    Resolves: rhbz#1616395
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    38475f5 View commit details
    Browse the repository at this point in the history
  4. efi/http: Enclose literal IPv6 addresses in square brackets

    According to RFC 2732 (https://www.ietf.org/rfc/rfc2732.txt), literal IPv6
    addresses must be enclosed in square brackets. But GRUB currently does not
    do this and is causing HTTP servers to send Bad Request (400) responses.
    
    For example, the following is the HTTP stream when fetching a config file:
    
    HEAD /EFI/BOOT/grub.cfg HTTP/1.1
    Host: 2000:dead:beef:a::1
    Accept: */*
    User-Agent: UefiHttpBoot/1.0
    
    HTTP/1.1 400 Bad Request
    Date: Thu, 05 Mar 2020 14:46:02 GMT
    Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    
    and after enclosing the IPv6 address the HTTP request is successful:
    
    HEAD /EFI/BOOT/grub.cfg HTTP/1.1
    Host: [2000:dead:beef:a::1]
    Accept: */*
    User-Agent: UefiHttpBoot/1.0
    
    HTTP/1.1 200 OK
    Date: Thu, 05 Mar 2020 14:48:04 GMT
    Server: Apache/2.4.41 (Fedora) OpenSSL/1.1.1d
    Last-Modified: Thu, 27 Feb 2020 17:45:58 GMT
    ETag: "206-59f924b24b1da"
    Accept-Ranges: bytes
    Content-Length: 518
    
    Resolves: rhbz#1732765
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    c49a33a View commit details
    Browse the repository at this point in the history
  5. efi/net: Allow to specify a port number in addresses

    The grub_efi_net_parse_address() function is not covering the case where a
    port number is specified in an IPv4 or IPv6 address, so will fail to parse
    the network address.
    
    For most cases the issue is harmless, because the function is only used to
    match an address with a network interface and if fails the default is used.
    
    But still is a bug that has to be fixed and it causes error messages to be
    printed like the following:
    
    error: net/efi/net.c:782:unrecognised network address '192.168.122.1:8080'
    
    error: net/efi/net.c:781:unrecognised network address '[2000:dead:beef:a::1]:8080'
    
    Resolves: rhbz#1732765
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    1d5a347 View commit details
    Browse the repository at this point in the history
  6. efi/ip4_config: Improve check to detect literal IPv6 addresses

    The grub_efi_string_to_ip4_address() function wrongly assumes that an IPv6
    address is an IPv4 address, because it doesn't take into account the case
    of a caller passing an IPv6 address as a string.
    
    This leads to the grub_efi_net_parse_address() function to fail and print
    the following error message:
    
    error: net/efi/net.c:785:unrecognised network address '2000:dead:beef:a::1'
    
    Resolves: rhbz#1732765
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    d38bbe2 View commit details
    Browse the repository at this point in the history
  7. efi/net: Print a debug message if parsing the address fails

    Currently if parsing the address fails an error message is printed. But in
    most cases this isn't a fatal error since the grub_efi_net_parse_address()
    function is only used to match an address with a network interface to use.
    
    And if this fails, the default interface is used which is good enough for
    most cases. So instead of printing an error that would pollute the console
    just print a debug message if the address is not parsed correctly.
    
    A user can enable debug messages for the efinet driver to have information
    about the failure and the fact that the default interface is being used.
    
    Related: rhbz#1732765
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    5f331e8 View commit details
    Browse the repository at this point in the history
  8. kern/term: Also accept F8 as a user interrupt key

    Make F8, which used to be the hotkey to show the Windows boot menu during
    boot for a long long time, also interrupt sleeps / stop the menu countdown.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    efea4aa View commit details
    Browse the repository at this point in the history
  9. efi: Set image base address before jumping to the PE/COFF entry point

    Upstream GRUB uses the EFI LoadImage() and StartImage() to boot the Linux
    kernel. But our custom EFI loader that supports Secure Boot instead uses
    the EFI handover protocol (for x86) or jumping directly to the PE/COFF
    entry point (for aarch64).
    
    This is done to allow the bootloader to verify the images using the shim
    lock protocol to avoid booting untrusted binaries.
    
    Since the bootloader loads the kernel from the boot media instead of using
    LoadImage(), it is responsible to set the Loaded Image base address before
    booting the kernel.
    
    Otherwise the kernel EFI stub will complain that it was not set correctly
    and print the following warning message:
    
    EFI stub: ERROR: FIRMWARE BUG: efi_loaded_image_t::image_base has bogus value
    
    Resolves: rhbz#1814690
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    c003e1b View commit details
    Browse the repository at this point in the history
  10. tpm: Don't propagate TPM measurement errors to the verifiers layer

    Currently if the EFI firmware fails to do a TPM measurement for a file,
    the error will be propagated to the verifiers framework and so opening
    the file will not succeed.
    
    This mean that buggy firmwares will prevent the system to boot since the
    loader won't be able to open any file. But failing to do TPM measurements
    shouldn't be a fatal error and the system should still be able to boot.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    2b21b64 View commit details
    Browse the repository at this point in the history
  11. x86-efi: Reduce maximum bounce buffer size to 16 MiB

    The EFI linux loader allocates a bounce buffer to copy the initrd since in
    some machines doing DMA on addresses above 4GB is not possible during EFI.
    
    But the verifiers framework also allocates a buffer to copy the initrd in
    its grub_file_open() handler. It does this since the data to verify has to
    be passed as a single chunk to modules that use the verifiers framework.
    
    If the initrd image size is big there may not be enough memory in the heap
    to allocate two buffers of that size. This causes an allocation failure in
    the verifiers framework and leads to the initrd not being read.
    
    To prevent these allocation failures, let's reduce the maximum size of the
    bounce buffer used in the EFI loader. Since the data read can be copied to
    the actual initrd address in multilple chunks.
    
    Resolves: rhbz#1838633
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    b6da5b7 View commit details
    Browse the repository at this point in the history
  12. http: Prepend prefix when the HTTP path is relative as done in efi/http

    There are two different HTTP drivers that can be used when requesting an
    HTTP resource: the efi/http that uses the EFI_HTTP_PROTOCOL and the http
    that uses GRUB's HTTP and TCP/IP implementation.
    
    The efi/http driver appends a prefix that is defined in the variable
    http_path, but the http driver doesn't.
    
    So using this driver and attempting to fetch a resource using a relative
    path fails.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    f0e1443 View commit details
    Browse the repository at this point in the history
  13. Fix a missing return in efi-export-env and efi-load-env commands

    Somewhere along the way this got mis-merged to include a return without
    a value.  Fix it up.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    0974ee5 View commit details
    Browse the repository at this point in the history
  14. efi+dhcp: fix some allocation error checking.

    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8c89092 View commit details
    Browse the repository at this point in the history
  15. efi+http: fix some allocation error checking.

    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8a8faa7 View commit details
    Browse the repository at this point in the history
  16. efi/ip[46]_config.c: fix some potential allocation overflows

    In theory all of this data comes from the firmware stack and it should
    be safe, but it's better to be paranoid.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8368fef View commit details
    Browse the repository at this point in the history
  17. efilinux: Fix integer overflows in grub_cmd_initrd

    These could be triggered by an extremely large number of arguments to
    the initrd command on 32-bit architectures, or a crafted filesystem with
    very large files on any architecture.
    
    Signed-off-by: Colin Watson <[email protected]>
    cjwatson authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    2ad5343 View commit details
    Browse the repository at this point in the history
  18. linuxefi: fail kernel validation without shim protocol.

    If certificates that signed grub are installed into db, grub can be
    booted directly. It will then boot any kernel without signature
    validation. The booted kernel will think it was booted in secureboot
    mode and will implement lockdown, yet it could have been tampered.
    
    This version of the patch skips calling verification, when booted
    without secureboot. And is indented with gnu ident.
    
    CVE-2020-15705
    
    Reported-by: Mathieu Trudel-Lapierre <[email protected]>
    Signed-off-by: Dimitri John Ledkov <[email protected]>
    xnox authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    717c829 View commit details
    Browse the repository at this point in the history
  19. Fix const char ** pointers in grub-core/net/bootp.c

    This will need to get folded back in the right place on the next rebase,
    but it's before "Make grub_strtol() "end" pointers have safer const
    qualifiers" currently, so for now I'm leaving it here instead of merging
    it back with the original patch.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    ffff971 View commit details
    Browse the repository at this point in the history
  20. Fix const char ** pointers in grub-core/net/efi/ip4_config.c

    This will need to get folded back in the right place on the next rebase,
    but it's before "Make grub_strtol() "end" pointers have safer const
    qualifiers" currently, so for now I'm leaving it here instead of merging
    it back with the original patch.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    f7a7989 View commit details
    Browse the repository at this point in the history
  21. Fix const char ** pointers in grub-core/net/efi/ip6_config.c

    This will need to get folded back in the right place on the next rebase,
    but it's before "Make grub_strtol() "end" pointers have safer const
    qualifiers" currently, so for now I'm leaving it here instead of merging
    it back with the original patch.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    3e2b6b2 View commit details
    Browse the repository at this point in the history
  22. Fix const char ** pointers in grub-core/net/efi/net.c

    This will need to get folded back in the right place on the next rebase,
    but it's before "Make grub_strtol() "end" pointers have safer const
    qualifiers" currently, so for now I'm leaving it here instead of merging
    it back with the original patch.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    7ea499c View commit details
    Browse the repository at this point in the history
  23. Fix const char ** pointers in grub-core/net/efi/pxe.c

    This will need to get folded back in the right place on the next rebase,
    but it's before "Make grub_strtol() "end" pointers have safer const
    qualifiers" currently, so for now I'm leaving it here instead of merging
    it back with the original patch.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    58b7b11 View commit details
    Browse the repository at this point in the history
  24. Add systemd integration scripts to make "systemctl reboot --boot-load…

    …er-menu=xxx" work with grub
    
    This commit adds a number of scripts / config files to make
    "systemctl reboot --boot-loader-menu=xxx" work with grub:
    
    1. /lib/systemd/system/systemd-logind.service.d/10-grub.conf
    This sets SYSTEMD_REBOOT_TO_BOOT_LOADER_MENU in the env. for logind,
    indicating that the boot-loader which is used supports this feature, see:
    https://github.com/systemd/systemd/blob/master/docs/ENVIRONMENT.md
    
    2. /lib/systemd/system/grub-systemd-integration.service
       /lib/systemd/system/reboot.target.wants/grub-systemd-integration.service ->
         ../grub-systemd-integration.service
       /usr/libexec/grub/grub-systemd-integration.sh
    
    The symlink in the .wants dir causes the added service file to be started
    by systemd just before rebooting the system.
    If /run/systemd/reboot-to-boot-loader-menu exist then the service will run
    the grub-systemd-integration.sh script.
    This script sets the new menu_show_once_timeout grubenv variable to the
    requested timeout in seconds.
    
    3. /etc/grub.d/14_menu_show_once
    
    This new grub-mkconfig snippet adds the necessary code to the generated
    grub.conf to honor the new menu_show_once_timeout variable, and to
    automatically clear it after consuming it.
    
    Note the service and libexec script use grub-systemd-integration as name
    because in the future they may be used to add further integration with
    systemctl reboot --foo options, e.g. support for --boot-loader-entry=NAME.
    
    A few notes about upstreaming this patch from the rhboot grub2 fork:
    1. I have deliberately put the grub.conf bits for this in a new / separate
       grub-mkconfig snippet generator for easy upstreaming
    2. Even though the commit message mentions the .wants symlink for the .service
       I have been unable to come up with a clean way to do this at "make install"
       time, this should be fixed before upstreaming.
    
    Downstream notes:
    1. Since make install does not add the .wants symlink, this needs to be done
       in grub2.spec %install
    2. This is keeping support for the "old" Fedora specific menu_show_once env
       variable, which has a hardcoded timeout of 60 sec in 12_menu_auto_hide in
       place for now. This can be dropped (eventually) in a follow-up patch once
       GNOME has been converted to use the systemd dbus API equivalent of
       "systemctl reboot --boot-loader-menu=xxx".
    
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    3969849 View commit details
    Browse the repository at this point in the history
  25. systemd-integration.sh: Also set old menu_show_once grubenv var

    Downstream RH / Fedora patch for compatibility with old, not (yet)
    regenerated grub.cfg files which miss the menu_show_once_timeout check.
    This older grubenv variable leads to a fixed timeout of 60 seconds.
    
    Note that the new menu_show_once_timeout will overrule these 60 seconds
    if both are set and the grub.cfg does have the menu_show_once_timeout
    check.
    
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    a409d43 View commit details
    Browse the repository at this point in the history
  26. at_keyboard: use set 1 when keyboard is in Translate mode

    When keyboard controller acts in Translate mode (0x40 mask), then use
    set 1 since translation is done.
    Otherwise use the mode queried from the controller (usually set 2).
    
    Added "atkeyb" debugging messages in at_keyboard module as well.
    
    Resolves: rhbz#1897587
    
    Tested on:
    - Asus N53SN (set 1 used)
    - Dell Precision (set 1 used)
    - HP Elitebook (set 2 used)
    - HP G5430 (set 1 used, keyboard in XT mode!)
    - Lenovo P71 & Lenovo T460s (set 2 used)
    - QEMU/KVM (set 1 used)
    
    Signed-off-by: Renaud Métrich <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    0ca0907 View commit details
    Browse the repository at this point in the history
  27. grub-install: disable support for EFI platforms

    For each platform, GRUB is shipped as a kernel image and a set of
    modules. These files are then used by the grub-install utility to
    install GRUB on a specific device. However, in order to support UEFI
    Secure Boot, the resulting EFI binary must be signed by a recognized
    private key. For this reason, for EFI platforms, most distributions also
    ship prebuilt EFI binaries signed by a distribution-specific private
    key. In this case, however, the grub-install utility should not be used
    because it would overwrite the signed EFI binary.
    
    The current fix is suboptimal because it preserves all EFI-related code.
    A better solution could be to modularize the code and provide a
    build-time option.
    
    Resolves: rhbz#1737444
    
    Signed-off-by: Jan Hlavac <[email protected]>
    [rharwood: drop man page]
    jhlavac authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8a95071 View commit details
    Browse the repository at this point in the history
  28. New --with-debug-timestamps configure flag to prepend debug traces wi…

    …th absolute and relative timestamp
    
    Signed-off-by: Renaud Métrich <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    ac68b23 View commit details
    Browse the repository at this point in the history
  29. Added debug statements to grub_disk_open() and grub_disk_close() on s…

    …uccess
    
    Signed-off-by: Renaud Métrich <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    f9b7176 View commit details
    Browse the repository at this point in the history
  30. Introduce function grub_debug_is_enabled(void) returning 1 if 'debug'…

    … is in the environment and not empty
    
    Signed-off-by: Renaud Métrich <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    b84b54c View commit details
    Browse the repository at this point in the history
  31. Don't clear screen when debugging is enabled

    Signed-off-by: Renaud Métrich <[email protected]>
    [[email protected]: rebase fuzz]
    Signed-off-by: Robbie Harwood <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    cfe9f9b View commit details
    Browse the repository at this point in the history
  32. kern/file: Fix error handling in grub_file_open()

    grub_file_open() calls grub_file_get_device_name(), but doesn't check
    the return. Instead, it checks if grub_errno is set.
    
    However, nothing initialises grub_errno here when grub_file_open()
    starts. This means that trying to open one file that doesn't exist and
    then trying to open another file that does will (incorrectly) also
    fail to open that second file.
    
    Let's fix that.
    
    Signed-off-by: Steve McIntyre <[email protected]>
    Steve McIntyre authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    3594ccd View commit details
    Browse the repository at this point in the history
  33. grub_file_* instrumentation (new 'file' debug tag)

    Signed-off-by: Renaud Métrich <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    a780b6e View commit details
    Browse the repository at this point in the history
  34. ieee1275: Avoiding many unecessary open/close

    Signed-off-by: Diego Domingos <[email protected]>
    Diego Domingos authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    cee8c5d View commit details
    Browse the repository at this point in the history
  35. ieee1275/powerpc: implements fibre channel discovery for ofpathname

    grub-ofpathname doesn't work with fibre channel because there is no
    function currently implemented for it.
    This patch enables it by prividing a function that looks for the port
    name, building the entire path for OF devices.
    
    Signed-off-by: Diego Domingos <[email protected]>
    Diego Domingos authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8506b2f View commit details
    Browse the repository at this point in the history
  36. ieee1275/powerpc: enables device mapper discovery

    this patch enables the device mapper discovery on ofpath.c. Currently,
    when we are dealing with a device like /dev/dm-* the ofpath returns null
    since there is no function implemented to handle this case.
    
    This patch implements a function that will look into /sys/block/dm-*
    devices and search recursively inside slaves directory to find the root
    disk.
    
    Signed-off-by: Diego Domingos <[email protected]>
    Diego Domingos authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    cce9dc5 View commit details
    Browse the repository at this point in the history
  37. Add 'at_keyboard_fallback_set' var to force the set manually

    This seems required with HP DL380p Gen 8 systems.
    Indeed, with this system, we can see the following sequence:
    
    1. controller is queried to get current configuration (returns 0x30 which is quite standard)
    2. controller is queried to get the current keyboard set in used, using code 0xf0 (first part)
    3. controller answers with 0xfa which means "ACK" (== ok)
    4. then we send "0" to tell "we want to know which set your are supporting"
    5. controller answers with 0xfa ("ACK")
    6. controller should then give us 1, 2, 3 or 0x43, 0x41, 0x3f, but here it gives us 0xfe which means "NACK"
    
    Since there seems no way to determine the current set, and in fact the
    controller expects set2 to be used, we need to rely on an environment
    variable.
    Everything has been tested on this system: using 0xFE (resend command),
    making sure we wait for ACK in the 2 steps "write_mode", etc.
    
    Below is litterature I used to come up with "there is no other
    solution":
    - https://wiki.osdev.org/%228042%22_PS/2_Controller
    - http://www-ug.eecg.toronto.edu/msl/nios_devices/datasheets/PS2%20Keyboard%20Protocol.htm
    - http://www.s100computers.com/My%20System%20Pages/MSDOS%20Board/PC%20Keyboard.pdf
    
    Signed-off-by: Renaud Métrich <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    rmetrich authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    f94fe88 View commit details
    Browse the repository at this point in the history
  38. Add suport for signing grub with an appended signature

    Add infrastructure to allow firmware to verify the integrity of grub
    by use of a Linux-kernel-module-style appended signature. We initially
    target powerpc-ieee1275, but the code should be extensible to other
    platforms.
    
    Usually these signatures are appended to a file without modifying the
    ELF file itself. (This is what the 'sign-file' tool does, for example.)
    The verifier loads the signed file from the file system and looks at the
    end of the file for the appended signature. However, on powerpc-ieee1275
    platforms, the bootloader is often stored directly in the PReP partition
    as raw bytes without a file-system. This makes determining the location
    of an appended signature more difficult.
    
    To address this, we add a new ELF note.
    
    The name field of shall be the string "Appended-Signature", zero-padded
    to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
    for the string "ASig"). It must be the final section in the ELF binary.
    
    The description shall contain the appended signature structure as defined
    by the Linux kernel. The description will also be padded to be a multiple
    of 4 bytes. The padding shall be added before the appended signature
    structure (not at the end) so that the final bytes of a signed ELF file
    are the appended signature magic.
    
    A subsequent patch documents how to create a grub core.img validly signed
    under this scheme.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Signed-off-by: Rashmica Gupta <[email protected]>
    RashmicaG authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    b31e001 View commit details
    Browse the repository at this point in the history
  39. docs/grub: Document signing grub under UEFI

    Before adding information about how grub is signed with an appended
    signature scheme, it's worth adding some information about how it
    can currently be signed for UEFI.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    e99dcf2 View commit details
    Browse the repository at this point in the history
  40. docs/grub: Document signing grub with an appended signature

    Signing grub for firmware that verifies an appended signature is a
    bit fiddly. I don't want people to have to figure it out from scratch
    so document it here.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    80672b9 View commit details
    Browse the repository at this point in the history
  41. dl: provide a fake grub_dl_set_persistent for the emu target

    Trying to start grub-emu with a module that calls grub_dl_set_persistent
    will crash because grub-emu fakes modules and passes NULL to the module
    init function.
    
    Provide an empty function for the emu case.
    
    Fixes: ee7808e (dl: Add support for persistent modules)
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    552274c View commit details
    Browse the repository at this point in the history
  42. pgp: factor out rsa_pad

    rsa_pad does the PKCS#1 v1.5 padding for the RSA signature scheme.
    We want to use it in other RSA signature verification applications.
    
    I considered and rejected putting it in lib/crypto.c. That file doesn't
    currently require any MPI functions, but rsa_pad does. That's not so
    much of a problem for the grub kernel and modules, but crypto.c also
    gets built into all the grub utilities. So - despite the utils not
    using any asymmetric ciphers -  we would need to built the entire MPI
    infrastructure in to them.
    
    A better and simpler solution is just to spin rsa_pad out into its own
    PKCS#1 v1.5 module.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    8e913d5 View commit details
    Browse the repository at this point in the history
  43. crypto: move storage for grub_crypto_pk_* to crypto.c

    The way gcry_rsa and friends (the asymmetric ciphers) are loaded for the
    pgp module is a bit quirky.
    
    include/grub/crypto.h contains:
      extern struct gcry_pk_spec *grub_crypto_pk_rsa;
    
    commands/pgp.c contains the actual storage:
      struct gcry_pk_spec *grub_crypto_pk_rsa;
    
    And the module itself saves to the storage in pgp.c:
      GRUB_MOD_INIT(gcry_rsa)
      {
        grub_crypto_pk_rsa = &_gcry_pubkey_spec_rsa;
      }
    
    This is annoying: gcry_rsa now has a dependency on pgp!
    
    We want to be able to bring in gcry_rsa without bringing in PGP,
    so move the storage to crypto.c.
    
    Previously, gcry_rsa depended on pgp and mpi. Now it depends on
    crypto and mpi. As pgp depends on crypto, this doesn't add any new
    module dependencies using the PGP verfier.
    
    [FWIW, the story is different for the symmetric ciphers. cryptodisk
    and friends (zfs encryption etc) use grub_crypto_lookup_cipher_by_name()
    to get a cipher handle. That depends on grub_ciphers being populated
    by people calling grub_cipher_register. import_gcry.py ensures that the
    symmetric ciphers call it.]
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    a9b8125 View commit details
    Browse the repository at this point in the history
  44. posix_wrap: tweaks in preparation for libtasn1

     - Define SIZEOF_UNSIGNED_LONG_INT, it's the same as
       SIZEOF_UNSIGNED_LONG.
    
     - Define WORD_BIT, the size in bits of an int. This is a defined
       in the Single Unix Specification and in gnulib's limits.h. gnulib
       assumes it's 32 bits on all our platforms, including 64 bit
       platforms, so we also use that value.
    
     - Provide strto[u]l[l] preprocessor macros that resolve to
       grub_strto[u]l[l]. To avoid gcrypt redefining strtoul, we
       also define HAVE_STRTOUL here.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    c671275 View commit details
    Browse the repository at this point in the history
  45. libtasn1: import libtasn1-4.16.0

    Import a very trimmed-down set of libtasn1 files:
    
    pushd /tmp
    wget https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.16.0.tar.gz
    popd
    pushd grub-core/lib
    mkdir libtasn1
    cp /tmp/libtasn1-4.16.0/{README.md,LICENSE} libtasn1/
    mkdir libtasn1/lib
    cp /tmp/libtasn1-4.16.0/lib/{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h}  libtasn1/lib
    cp /tmp/libtasn1-4.16.0/lib/includes/libtasn1.h ../../include/grub/
    git add libtasn1/ ../../include/grub/libtasn1.h
    popd
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    24714df View commit details
    Browse the repository at this point in the history
  46. libtasn1: disable code not needed in grub

    We don't expect to be able to write ASN.1, only read it,
    so we can disable some code.
    
    Do that with #if 0/#endif, rather than deletion. This means
    that the difference between upstream and grub is smaller,
    which should make updating libtasn1 easier in the future.
    
    With these exclusions we also avoid the need for minmax.h,
    which is convenient because it means we don't have to
    import it from gnulib.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    a48f811 View commit details
    Browse the repository at this point in the history
  47. libtasn1: changes for grub compatibility

    Do a few things to make libtasn1 compile as part of grub:
    
     - replace strcat. grub removed strcat so replace it with the appropriate
       calls to memcpy and strlen.
    
     - replace c_isdigit with grub_isdigit (and don't import c-ctype from
       gnulib) grub_isdigit provides the same functionality as c_isdigit: it
       determines if the input is an ASCII digit without regard for locale.
    
     - replace GL_ATTRIBUTE_PURE with __attribute__((pure)) which been
       supported since gcc-2.96. This avoids messing around with gnulib.
    
     - adjust libtasn1.h: drop the ASN1_API logic, it's not needed for our
       modules. Unconditionally support const and pure attributes and adjust
       header paths.
    
     - adjust header paths to "grub/libtasn1.h".
    
     - replace a 64 bit division with a call to grub_divmod64, preventing
       creation of __udivdi3 calls on 32 bit platforms.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    05cbc93 View commit details
    Browse the repository at this point in the history
  48. libtasn1: compile into asn1 module

    Create a wrapper file that specifies the module license.
    Set up the makefile so it is built.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    17dad74 View commit details
    Browse the repository at this point in the history
  49. test_asn1: test module for libtasn1

    Import tests from libtasn1 that don't use functionality we don't
    import. I have put them here rather than in the libtasn1 directory
    because:
    
     -  They need much more significant changes to run in the grub
        context.
    
     -  I don't expect they will need to be changed when updating
        libtasn1: I expect the old tests will usually continue to pass on
        new versions.
    
    This doesn't test the full decoder but that will be exercised in
    test suites for coming patch sets.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    7608c15 View commit details
    Browse the repository at this point in the history
  50. grub-install: support embedding x509 certificates

    To support verification of appended signatures, we need a way to
    embed the necessary public keys. Existing appended signature schemes
    in the Linux kernel use X.509 certificates, so allow certificates to
    be embedded in the grub core image in the same way as PGP keys.
    
    Signed-off-by: Alastair D'Silva <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    deece authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    c1c59a9 View commit details
    Browse the repository at this point in the history
  51. appended signatures: import GNUTLS's ASN.1 description files

    In order to parse PKCS#7 messages and X.509 certificates with libtasn1,
    we need some information about how they are encoded.
    
    We get these from GNUTLS, which has the benefit that they support the
    features we need and are well tested.
    
    The GNUTLS license is LGPLv2.1+, which is GPLv3 compatible, allowing
    us to import it without issue.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    9fec78f View commit details
    Browse the repository at this point in the history
  52. appended signatures: parse PKCS#7 signedData and X.509 certificates

    This code allows us to parse:
    
     - PKCS#7 signedData messages. Only a single signerInfo is supported,
       which is all that the Linux sign-file utility supports creating
       out-of-the-box. Only RSA, SHA-256 and SHA-512 are supported.
       Any certificate embedded in the PKCS#7 message will be ignored.
    
     - X.509 certificates: at least enough to verify the signatures on the
       PKCS#7 messages. We expect that the certificates embedded in grub will
       be leaf certificates, not CA certificates. The parser enforces this.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    ccea040 View commit details
    Browse the repository at this point in the history
  53. appended signatures: support verifying appended signatures

    Building on the parsers and the ability to embed x509 certificates, as
    well as the existing gcrypt functionality, add a module for verifying
    appended signatures.
    
    This includes a verifier that requires that Linux kernels and grub modules
    have appended signatures, and commands to manage the list of trusted
    certificates for verification.
    
    Verification must be enabled by setting check_appended_signatures. If
    GRUB is locked down when the module is loaded, verification will be
    enabled and locked automatically.
    
    As with the PGP verifier, it is not a complete secure-boot solution:
    other mechanisms, such as a password or lockdown, must be used to ensure
    that a user cannot drop to the grub shell and disable verification.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    [pjones: fix missing format specifier]
    Signed-off-by: Robbie Harwood <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    63dc476 View commit details
    Browse the repository at this point in the history
  54. appended signatures: verification tests

    These tests are run through all_functional_test and test a range
    of commands and behaviours.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    63c6f04 View commit details
    Browse the repository at this point in the history
  55. appended signatures: documentation

    This explains how appended signatures can be used to form part of
    a secure boot chain, and documents the commands and variables
    introduced.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    3340363 View commit details
    Browse the repository at this point in the history
  56. ieee1275: enter lockdown based on /ibm,secure-boot

    If the 'ibm,secure-boot' property of the root node is 2 or greater,
    enter lockdown.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    a986f59 View commit details
    Browse the repository at this point in the history
  57. ieee1275: drop HEAP_MAX_ADDR, HEAP_MIN_SIZE

    HEAP_MAX_ADDR is confusing. Currently it is set to 32MB, except
    on ieee1275 on x86, where it is 64MB.
    
    There is a comment which purports to explain it:
    
    /* If possible, we will avoid claiming heap above this address, because it
       seems to cause relocation problems with OSes that link at 4 MiB */
    
    This doesn't make a lot of sense when the constants are well above 4MB
    already. It was not always this way. Prior to
    commit 7b5d0fe ("Increase heap limit") in 2010, HEAP_MAX_SIZE and
    HEAP_MAX_ADDR were indeed 4MB. However, when the constants were increased
    the comment was left unchanged.
    
    It's been over a decade. It doesn't seem like we have problems with
    claims over 4MB on powerpc or x86 ieee1275. (sparc does things completely
    differently and never used the constant.)
    
    Drop the constant and the check.
    
    The only use of HEAP_MIN_SIZE was to potentially override the
    HEAP_MAX_ADDR check. It is now unused. Remove it.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 6, 2023
    Configuration menu
    Copy the full SHA
    9531565 View commit details
    Browse the repository at this point in the history

Commits on Feb 8, 2023

  1. appendedsig/x509: Also handle the Extended Key Usage extension

    Red Hat certificates have both Key Usage and Extended Key Usage extensions
    present, but the appended signatures x509 parser doesn't handle the latter
    and so buils due finding an unrecognised critical extension:
    
    Error loading initial key:
    ../../grub-core/commands/appendedsig/x509.c:780:Unhandled critical x509 extension with OID 2.5.29.37
    
    Fix this by also parsing the Extended Key Usage extension and handle it by
    verifying that the certificate has a single purpose, that is code signing.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    74774af View commit details
    Browse the repository at this point in the history
  2. ieee1275/ofdisk: retry on open failure

    This patch aims to make grub more robust when booting from SAN/Multipath disks.
    
    If a path is failing intermittently so grub will retry the OPEN and READ the
    disk (grub_ieee1275_open and grub_ieee1275_read) until the total amount of times
    specified in MAX_RETRIES.
    
    Signed-off-by: Diego Domingos <[email protected]>
    Diego Domingos authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7baa6fd View commit details
    Browse the repository at this point in the history
  3. Allow chainloading EFI apps from loop mounts.

    Signed-off-by: Dimitri John Ledkov <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    xnox authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2051b97 View commit details
    Browse the repository at this point in the history
  4. efinet: Add DHCP proxy support

    If a proxyDHCP configuration is used, the server name, server IP and boot
    file values should be taken from the DHCP proxy offer instead of the DHCP
    server ack packet. Currently that case is not handled, add support for it.
    
    Signed-off-by: Ian Page Hands <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    iphands authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1794ae0 View commit details
    Browse the repository at this point in the history
  5. fs/ext2: Ignore checksum seed incompat feature

    This incompat feature is used to denote that the filesystem stored its
    metadata checksum seed in the superblock. This is used to allow tune2fs
    to change the UUID on a mounted metadata_csum filesystem without having
    to rewrite all the disk metadata.
    
    But GRUB doesn't use the metadata checksum in anyway, so can just ignore
    this feature if is enabled. This is consistent with GRUB filesystem code
    in general which just does a best effort to access the filesystem's data.
    
    It may be removed from the ignored list in the future if supports to do
    metadata checksumming verification is added to the read-only FS driver.
    
    Suggested-by: Eric Sandeen <[email protected]>
    Suggested-by: Lukas Czerner <[email protected]>
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    6e677b7 View commit details
    Browse the repository at this point in the history
  6. Don't update the cmdline when generating legacy menuentry commands

    On OPAL ppc64le machines with an old petitboot version that doesn't have
    support to parse BLS snippets, the grub2-mkconfig script is executed to
    generate menuentry commands from the BLS snippets.
    
    In this case, the script is executed with the --no-grubenv-update option
    that indicates that no side effects should happen when running the script.
    
    But the options field in the BLS snippets are updated regardless, only do
    the update if --no-grubenv-update was not used.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    96d376f View commit details
    Browse the repository at this point in the history
  7. Suppress gettext error message

    Colin Watson's patch from comment rhboot#11 on the upstream bug:
    https://savannah.gnu.org/bugs/?35880#comment11
    
    Resolves: rhbz#1592124
    
    Signed-off-by: Paulo Flabiano Smorigo <[email protected]>
    pfsmorigo authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ebffb6e View commit details
    Browse the repository at this point in the history
  8. grub-set-password: Always use /boot/grub2/user.cfg as password default

    The GRUB configuration file is always placed in /boot/grub2/ now, even for
    EFI. But the tool is still creating the user.cfg in the ESP and not there.
    
    Resolves: rhbz#1955294
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7239341 View commit details
    Browse the repository at this point in the history
  9. templates: Check for EFI at runtime instead of config generation time

    The 30_uefi-firmware template checks if an OsIndicationsSupported UEFI var
    exists and EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set, to decide whether
    a "fwsetup" menu entry would be added or not to the GRUB menu.
    
    But this has the problem that it will only work if the configuration file
    was created on an UEFI machine that supports booting to a firmware UI.
    
    This for example doesn't support creating GRUB config files when executing
    on systems that support both UEFI and legacy BIOS booting. Since creating
    the config file from legacy BIOS wouldn't allow to access the firmware UI.
    
    To prevent this, make the template to unconditionally create the grub.cfg
    snippet but check at runtime if was booted through UEFI to decide if this
    entry should be added. That way it won't be added when booting with BIOS.
    
    There's no need to check if EFI_OS_INDICATIONS_BOOT_TO_FW_UI bit is set,
    since that's already done by the "fwsetup" command when is executed.
    
    Resolves: rhbz#1823864
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2ea9329 View commit details
    Browse the repository at this point in the history
  10. efi: Print an error if boot to firmware setup is not supported

    The "fwsetup" command is only registered if the firmware supports booting
    to the firmware setup UI. But it could be possible that the GRUB config
    already contains a "fwsetup" entry, because it was generated in a machine
    that has support for this feature.
    
    To prevent users getting a "can't find command `fwsetup`" error if it is
    not supported by the firmware, let's just always register the command but
    print a more accurate message if the firmware doesn't support this option.
    
    Resolves: rhbz#1823864
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7966a53 View commit details
    Browse the repository at this point in the history
  11. arm64: Fix EFI loader kernel image allocation

    We are currently allocating just enough memory for the file size,
    which means that the kernel BSS is in limbo (and not even zeroed).
    
    We are also not honoring the alignment specified in the image
    PE header.
    
    This makes us use the PE optional header in which the kernel puts the
    actual size it needs, including BSS, and make sure we clear it, and
    honors the specified alignment for the image.
    
    Signed-off-by: Benjamin Herrenschmidt <[email protected]>
    [pjones: arm: check for the PE magic for the compiled arch]
    Signed-off-by: Peter Jones <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    ozbenh authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    24b32a6 View commit details
    Browse the repository at this point in the history
  12. normal/main: Discover the device to read the config from as a fallback

    The GRUB core.img is generated locally, when this is done the grub2-probe
    tool figures out the device and partition that needs to be read to parse
    the GRUB configuration file.
    
    But in some cases the core.img can't be generated on the host and instead
    has to be done at package build time. For example, if needs to get signed
    with a key that's only available on the package building infrastructure.
    
    If that's the case, the prefix variable won't have a device and partition
    but only a directory path. So there's no way for GRUB to know from which
    device has to read the configuration file.
    
    To allow GRUB to continue working on that scenario, fallback to iterating
    over all the available devices, if reading the config failed when using
    the prefix and fw_path variables.
    
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    martinezjavier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9fa2ef9 View commit details
    Browse the repository at this point in the history
  13. powerpc: adjust setting of prefix for signed binary case

    On RHEL-signed powerpc grub, we sign a grub with -p /grub2 and expect
    that there's a boot partition.
    
    Unfortunately grub_set_prefix_and_root tries to convert this to
    ($fwdevice)/grub2. This ends up being (ieee1275/disk)/grub2 and that
    falls apart pretty quickly - there's no file-system on ieee1275/disk,
    and it makes the search routine try things like
    (ieee1275/disk,msdos2)(ieee1275/disk)/grub2 which also doesn't work.
    
    Detect if we would be about to create (ieee1275/disk)/path and don't:
    preserve a prefix of /path instead and hope the search later finds us.
    
    Related: rhbz#1899864
    
    Signed-off-by: Daniel Axtens <[email protected]>
    [[email protected]: squash in fixup commit]
    Signed-off-by: Robbie Harwood <[email protected]>
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8de4079 View commit details
    Browse the repository at this point in the history
  14. fs/xfs: Fix unreadable filesystem with v4 superblock

    The commit 8b1e5d1 (fs/xfs: Add bigtime incompat feature support)
    introduced the bigtime support by adding some features in v3 inodes.
    This change extended grub_xfs_inode struct by 76 bytes but also changed
    the computation of XFS_V2_INODE_SIZE and XFS_V3_INODE_SIZE. Prior this
    commit, XFS_V2_INODE_SIZE was 100 bytes. After the commit it's 84 bytes
    XFS_V2_INODE_SIZE becomes 16 bytes too small.
    
    As a result, the data structures aren't properly aligned and the GRUB
    generates "attempt to read or write outside of partition" errors when
    trying to read the XFS filesystem:
    
                                 GNU GRUB  version 2.11
    	....
    	grub> set debug=efi,gpt,xfs
    	grub> insmod part_gpt
    	grub> ls (hd0,gpt1)/
    	partmap/gpt.c:93: Read a valid GPT header
    	partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
    	fs/xfs.c:931: Reading sb
    	fs/xfs.c:270: Validating superblock
    	fs/xfs.c:295: XFS v4 superblock detected
    	fs/xfs.c:962: Reading root ino 128
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:515: Reading inode (739521961424144223) - 344365866970255880, 3840
    	error: attempt to read or write outside of partition.
    
    This commit change the XFS_V2_INODE_SIZE computation by subtracting 76
    bytes instead of 92 bytes from the actual size of grub_xfs_inode struct.
    This 76 bytes value comes from added members:
    	20 grub_uint8_t   unused5
    	 1 grub_uint64_t  flags2
            48 grub_uint8_t   unused6
    
    This patch explicitly splits the v2 and v3 parts of the structure.
    The unused4 is still ending of the v2 structures and the v3 starts
    at unused5. Thanks to this we will avoid future corruptions of v2
    or v3 inodes.
    
    The XFS_V2_INODE_SIZE is returning to its expected size and the
    filesystem is back to a readable state:
    
                          GNU GRUB  version 2.11
    	....
    	grub> set debug=efi,gpt,xfs
    	grub> insmod part_gpt
    	grub> ls (hd0,gpt1)/
    	partmap/gpt.c:93: Read a valid GPT header
    	partmap/gpt.c:115: GPT entry 0: start=4096, length=1953125
    	fs/xfs.c:931: Reading sb
    	fs/xfs.c:270: Validating superblock
    	fs/xfs.c:295: XFS v4 superblock detected
    	fs/xfs.c:962: Reading root ino 128
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:931: Reading sb
    	fs/xfs.c:270: Validating superblock
    	fs/xfs.c:295: XFS v4 superblock detected
    	fs/xfs.c:962: Reading root ino 128
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:515: Reading inode (128) - 64, 0
    	fs/xfs.c:515: Reading inode (131) - 64, 768
    	efi/ fs/xfs.c:515: Reading inode (3145856) - 1464904, 0
    	grub2/ fs/xfs.c:515: Reading inode (132) - 64, 1024
    	grub/ fs/xfs.c:515: Reading inode (139) - 64, 2816
    	grub>
    
    Fixes: 8b1e5d1 (fs/xfs: Add bigtime incompat feature support)
    
    Signed-off-by: Erwan Velu <[email protected]>
    Tested-by: Carlos Maiolino <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit a4b4955)
    ErwanAliasr1 authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    dcf581b View commit details
    Browse the repository at this point in the history
  15. Print module name on license check failure

    At the very least, this will make it easier to track down the problem
    module - or, if something else has gone wrong, provide more information
    for debugging.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1ecd056 View commit details
    Browse the repository at this point in the history
  16. powerpc-ieee1275: load grub at 4MB, not 2MB

    This was first reported under PFW but reproduces under SLOF.
    
     - The core.elf was 2126152 = 0x207148 bytes in size with the following
       program headers (per readelf):
    
    Entry point 0x200000
    There are 4 program headers, starting at offset 52
    
    Program Headers:
      Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
      LOAD           0x000160 0x00200000 0x00200000 0x21f98 0x2971c RWE 0x8
      GNU_STACK      0x0220f8 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
      LOAD           0x0220f8 0x00232000 0x00232000 0x1e4e50 0x1e4e50 RWE 0x4
      NOTE           0x206f48 0x00000000 0x00000000 0x00200 0x00000 R   0x4
    
     - SLOF places the ELF file at 0x4000 (after the reserved space for
       interrupt handlers etc.) upwards. The image was 2126152 = 0x207148
       bytes in size, so it runs from 0x4000 - 0x20b148. We'll call 0x4000 the
       load address.
    
    0x0        0x4000         0x20b148
     |----------|--------------|
     | reserved | ELF contents |
    
     - SLOF then copies the first LOAD program header (for .text). That runs
       for 0x21f98 bytes. It runs from
          (load addr + 0x160) to (load addr + 0x160 + 0x21f98)
        = 0x4160 to 0x260f8
       and we copy it to 0x200000 to 0x221f98. This overwrites the end of the
       image:
    
    0x0       0x4000     0x200000        0x221f98
     |----------|------------|---------------|
     | reserved | ELF cont.. | .text section |
    
     - SLOF zeros the bss up to PhysAddr + MemSize = 0x22971c
    
    0x0       0x4000      0x200000       0x221f98 0x22971c
     |----------|------------|---------------|--------|
     | reserved | ELF cont.. | .text section | bss 0s |
    
     - SLOF then goes to fulfil the next LOAD header (for mods), which is
       for 0x1e4e50 bytes. We copy from
          (load addr + 0x220f8) to (load addr + 0x220f8 + 0x1e4e50)
        = 0x260f8 to 0x20af48
       and we copy it to 0x232000 to 0x416e50:
    
    0x0       0x4000      0x200000       0x221f98 0x22971c
     |----------|------------|---------------|--------|
     | reserved | ELF cont.. | .text section | bss 0s |
                   |-------------|
                   | copied area |
                0x260f8      0x20af48
    
       This goes poorly:
    
    0x0       0x4000      0x200000       0x221f98 0x22971c 0x232000 0x40bf08      0x416e50
     |----------|------------|---------------|--------|-----|-----------|-------------|
     | reserved | ELF cont.. | .text section | bss 0s | pad | some mods | .text start |
    
    This matches the observations on the running system - 0x40bf08 was where
    the contents of memory no longer matched the contents of the ELF file.
    
    This was reported as a license verification failure on SLOF as the
    last module's .module_license section fell past where the corruption
    began.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    [[email protected]: trim very detailed commit message]
    Signed-off-by: Robbie Harwood <[email protected]>
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b35e360 View commit details
    Browse the repository at this point in the history
  17. grub-mkconfig: restore umask for grub.cfg

    Since commit:
    
      ab2e53c grub-mkconfig: Honor a symlink when generating configuration
    by grub-mkconfig
    
    has inadvertently discarded umask for creating grub.cfg in the process
    of grub-mkconfig. The resulting wrong permission (0644) would allow
    unprivileged users to read grub's configuration file content. This
    presents a low confidentiality risk as grub.cfg may contain non-secured
    plain-text passwords.
    
    This patch restores the missing umask and set the file mode of creation
    to 0600 preventing unprivileged access.
    
    Fixes: CVE-2021-3981
    
    Signed-off-by: Michael Chang <[email protected]>
    Michael Chang via Grub-devel authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    31dd7ff View commit details
    Browse the repository at this point in the history
  18. fs/btrfs: Use full btrfs bootloader area

    Up to now GRUB can only embed to the first 64 KiB before primary
    superblock of btrfs, effectively limiting the GRUB core size. That
    could consequently pose restrictions to feature enablement like
    advanced zstd compression.
    
    This patch attempts to utilize full unused area reserved by btrfs for
    the bootloader outlined in the document [1]:
    
      The first 1MiB on each device is unused with the exception of primary
      superblock that is on the offset 64KiB and spans 4KiB.
    
    Apart from that, adjacent sectors to superblock and first block group
    are not used for embedding in case of overflow and logged access to
    adjacent sectors could be useful for tracing it up.
    
    This patch has been tested to provide out of the box support for btrfs
    zstd compression with which GRUB has been installed to the partition.
    
    [1] https://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)#BOOTLOADER_SUPPORT
    
    Signed-off-by: Michael Chang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit b0f06a8)
    WenhuaChang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b612cdc View commit details
    Browse the repository at this point in the history
  19. Add Fedora location of DejaVu SANS font

    In Fedora 35, and possibly earlier, grub would fail to configure with a
    complaint about DejaVu being "not found" even though it was installed.
    The DejaVu sans font search path is updated to reflect the
    distribution's current install path.
    
    Signed-off-by: Erik Edwards <[email protected]>
    [[email protected]: slight commit message edits]
    Signed-off-by: Robbie Harwood <[email protected]>
    fluteze authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b712a75 View commit details
    Browse the repository at this point in the history
  20. normal/menu: Don't show "Booting `%s'" msg when auto-booting with TIM…

    …EOUT_STYLE_HIDDEN
    
    When the user has asked the menu code to be hidden/quiet and the current
    entry is being autobooted because the timeout has expired don't show
    the "Booting `%s'" msg.
    
    This is necessary to let flicker-free boots really be flicker free,
    otherwise the "Booting `%s'" msg will kick the EFI fb into text mode
    and show the msg, breaking the flicker-free experience.
    
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ebdef63 View commit details
    Browse the repository at this point in the history
  21. EFI: suppress the "Welcome to GRUB!" message in EFI builds

    Grub EFI builds are now often used in combination with flicker-free
    boot, but this breaks with upstream grub because the "Welcome to GRUB!"
    message will kick the EFI fb into text mode and show the msg,
    breaking the flicker-free experience.
    
    EFI systems are so fast, that when the menu or the countdown are enabled
    the message will be immediately overwritten, so in these cases not
    printing the message does not matter.
    
    And in case when the timeout_style is set to TIMEOUT_STYLE_HIDDEN,
    the user has asked grub to be quiet (for example to allow flickfree
    boot) annd thus the message should not be printed.
    
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    728a82c View commit details
    Browse the repository at this point in the history
  22. EFI: console: Do not set colorstate until the first text output

    GRUB_MOD_INIT(normal) does an unconditional:
    
    grub_env_set ("color_normal", "light-gray/black");
    
    which triggers a grub_term_setcolorstate() call. The original version
    of the "efi/console: Do not set text-mode until we actually need it" patch:
    https://lists.gnu.org/archive/html/grub-devel/2018-03/msg00125.html
    
    Protected against this by caching the requested state in
    grub_console_setcolorstate () and then only applying it when the first
    text output actually happens. During refactoring to move the
    grub_console_setcolorstate () up higher in the grub-core/term/efi/console.c
    file the code to cache the color-state + bail early was accidentally
    dropped.
    
    Restore the cache the color-state + bail early behavior from the original.
    
    Cc: Javier Martinez Canillas <[email protected]>
    Fixes: 2d7c3ab ("efi/console: Do not set text-mode until we actually need it")
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ae65870 View commit details
    Browse the repository at this point in the history
  23. EFI: console: Do not set cursor until the first text output

    To allow flickerfree boot the EFI console code does not call
    grub_efi_set_text_mode (1) until some text is actually output.
    
    Depending on if the output text is because of an error loading
    e.g. the .cfg file; or because of showing the menu the cursor needs
    to be on or off when the first text is shown.
    
    So far the cursor was hardcoded to being on, but this is causing
    drawing artifacts + slow drawing of the menu as reported here:
    https://bugzilla.redhat.com/show_bug.cgi?id=1946969
    
    Handle the cursorstate in the same way as the colorstate to fix this,
    when no text has been output yet, just cache the cursorstate and
    then use the last set value when the first text is output.
    
    Fixes: 2d7c3ab ("efi/console: Do not set text-mode until we actually need it")
    Signed-off-by: Hans de Goede <[email protected]>
    jwrdegoede authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ec91b20 View commit details
    Browse the repository at this point in the history
  24. Use visual indentation in config.h.in

    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit de8051f)
    [rharwood: GRUB_RPM_CONFIG presence]
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    256d6f0 View commit details
    Browse the repository at this point in the history
  25. Where present, ensure config-util.h precedes config.h

    gnulib defines go in config-util.h, and we need to know whether to
    provide duplicates in config.h or not.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 46e82b2)
    [rharwood: gensymlist isn't part of tarballs]
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    779e2a6 View commit details
    Browse the repository at this point in the history
  26. Drop gnulib fix-base64.patch

    Originally added in 9fbdec2 and
    subsequently modified in 552c9fd,
    fix-base64.patch handled two problems we have using gnulib, which are
    exerciesd by the base64 module but not directly caused by it.
    
    First, grub2 defines its own bool type, while gnulib expects the
    equivalent of stdbool.h to be present.  Rather than patching gnulib,
    instead use gnulib's stdbool module to provide a bool type if needed.
    (Suggested by Simon Josefsson.)
    
    Second, our config.h doesn't always inherit config-util.h, which is
    where gnulib-related options like _GL_ATTRIBUTE_CONST end up.
    fix-base64.h worked around this by defining the attribute away, but this
    workaround is better placed in config.h itself, not a gnulib patch.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 54fd1c3)
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2c722a8 View commit details
    Browse the repository at this point in the history
  27. Drop gnulib no-abort.patch

    Originally added in db7337a, this
    patched out all relevant invocations of abort() in gnulib.  While it was
    not documented why at the time, testing suggests that there's no abort()
    implementation available for gnulib to use.
    
    gnulib's position is that the use of abort() is correct here, since it
    happens when input violates a "shall" from POSIX.  Additionally, the
    code in question is probably not reachable.  Since abort() is more
    friendly to user-space, they prefer to make no change, so we can just
    carry a define instead.  (Suggested by Paul Eggert.)
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 5137c8e)
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    dc8044f View commit details
    Browse the repository at this point in the history
  28. Update gnulib version and drop most gnulib patches

    In addition to the changes carried in our gnulib patches, several
    Coverity and code hygiene fixes that were previously downstream are also
    included in this 3-year gnulib increment.
    
    Unfortunately, fix-width.patch is retained.
    
    Bump minimum autoconf version from 2.63 to 2.64 and automake from 1.11
    to 1.14, as required by gnulib.
    
    Sync bootstrap script itself with gnulib.
    
    Update regexp module for new dynarray dependency.
    
    Fix various new warnings.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit deb18ff)
    [rharwood: backport around requirements in INSTALL]
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    c6cf390 View commit details
    Browse the repository at this point in the history
  29. commands/search: Fix bug stopping iteration when --no-floppy is used

    When using --no-floppy and a floppy was encountered, iterate_device()
    was returning 1, causing the iteration to stop instead of continuing.
    
    Signed-off-by: Renaud Métrich <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 68ba54c)
    Signed-off-by: Robbie Harwood <[email protected]>
    rmetrich authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8569c33 View commit details
    Browse the repository at this point in the history
  30. search: new --efidisk-only option on EFI systems

    When using 'search' on EFI systems, we sometimes want to exclude devices
    that are not EFI disks (e.g. md, lvm).
    This is typically used when wanting to chainload when having a software
    raid (md) for EFI partition:
    with no option, 'search --file /EFI/redhat/shimx64.efi' sets root envvar
    to 'md/boot_efi' which cannot be used for chainloading since there is no
    effective EFI device behind.
    
    This commit also refactors handling of --no-floppy option.
    
    Signed-off-by: Renaud Métrich <[email protected]>
    [rharwood: apply rmetrich's flags initialization fix]
    Signed-off-by: Robbie Harwood <[email protected]>
    rmetrich authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    232c033 View commit details
    Browse the repository at this point in the history
  31. efi: new 'connectefi' command

    When efi.quickboot is enabled on VMWare (which is the default for
    hardware release 16 and later), it may happen that not all EFI devices
    are connected. Due to this, browsing the devices in make_devices() just
    fails to find devices, in particular disks or partitions for a given
    disk.
    This typically happens when network booting, then trying to chainload to
    local disk (this is used in deployment tools such as Red Hat Satellite),
    which is done through using the following grub.cfg snippet:
    -------- 8< ---------------- 8< ---------------- 8< --------
    unset prefix
    search --file --set=prefix /EFI/redhat/grubx64.efi
    if [ -n "$prefix" ]; then
      chainloader ($prefix)/EFI/redhat/grubx64/efi
    ...
    -------- 8< ---------------- 8< ---------------- 8< --------
    
    With efi.quickboot, none of the devices are connected, causing "search"
    to fail. Sometimes devices are connected but not the partition of the
    disk matching $prefix, causing partition to not be found by
    "chainloader".
    
    This patch introduces a new "connectefi pciroot|scsi" command which
    recursively connects all EFI devices starting from a given controller
    type:
    - if 'pciroot' is specified, recursion is performed for all PCI root
      handles
    - if 'scsi' is specified, recursion is performed for all SCSI I/O
      handles (recommended usage to avoid connecting unwanted handles which
      may impact Grub performances)
    
    Typical grub.cfg snippet would then be:
    -------- 8< ---------------- 8< ---------------- 8< --------
    connectefi scsi
    unset prefix
    search --file --set=prefix /EFI/redhat/grubx64.efi
    if [ -n "$prefix" ]; then
      chainloader ($prefix)/EFI/redhat/grubx64/efi
    ...
    -------- 8< ---------------- 8< ---------------- 8< --------
    
    The code is easily extensible to handle other arguments in the future if
    needed.
    
    Signed-off-by: Renaud Métrich <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    rmetrich authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    25045ec View commit details
    Browse the repository at this point in the history
  32. grub-core/loader/i386/efi/linux.c: do not validate kernels twice

    On codebases that have shim-lock-verifier built into the grub core
    (like 2.06 upstream), shim-lock-verifier is in enforcing mode when
    booted with secureboot. It means that grub_cmd_linux() command
    attempts to perform shim validate upon opening linux kernel image,
    including kernel measurement. And the verifier correctly returns file
    open error when shim validate protocol is not present or shim fails to
    validate the kernel.
    
    This makes the call to grub_linuxefi_secure_validate() redundant, but
    also harmful. As validating the kernel image twice, extends the PCRs
    with the same measurement twice. Which breaks existing sealing
    policies when upgrading from grub2.04+rhboot+sb+linuxefi to
    grub2.06+rhboot+sb+linuxefi builds. It is also incorrect to measure
    the kernel twice.
    
    This patch must not be ported to older editions of grub code bases
    that do not have verifiers framework, or it is not builtin, or
    shim-lock-verifier is an optional module.
    
    This patch is tested to ensure that unsigned kernels are not possible
    to boot in secureboot mode when shim rejects kernel, or shim protocol
    is missing, and that the measurements become stable once again. The
    above also ensures that CVE-2020-15705 is not reintroduced.
    
    Signed-off-by: Dimitri John Ledkov <[email protected]>
    xnox authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    6e49b9a View commit details
    Browse the repository at this point in the history
  33. grub-core/loader/arm64/linux.c: do not validate kernel twice

    Call to grub_file_open(, GRUB_FILE_TYPE_LINUX_KERNEL) already passes
    the kernel file through shim-lock verifier when secureboot is on. Thus
    there is no need to validate the kernel image again. And when doing so
    again, duplicate PCR measurement is performed, breaking measurements
    compatibility with 2.04+linuxefi.
    
    This patch must not be ported to older editions of grub code bases
    that do not have verifiers framework, or it is not builtin, or
    shim-lock-verifier is an optional module.
    
    Signed-off-by: Dimitri John Ledkov <[email protected]>
    xnox authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    bd78f10 View commit details
    Browse the repository at this point in the history
  34. grub-core/loader/efi/chainloader.c: do not validate chainloader twice

    On secureboot systems, with shimlock verifier, call to
    grub_file_open(, GRUB_FILE_TYPE_EFI_CHAINLOADED_IMAGE) will already
    pass the chainloader target through shim-lock protocol verify
    call. And create a TPM measurement. If verification fails,
    grub_cmd_chainloader will fail at file open time.
    
    This makes previous code paths for negative, and zero return codes
    from grub_linuxefi_secure_validate unreachable under secureboot. But
    also breaking measurements compatibility with 2.04+linuxefi codebases,
    as the chainloader file is passed through shim_lock->verify() twice
    (via verifier & direct call to grub_linuxefi_secure_validate)
    extending the PCRs twice.
    
    This reduces grub_loader options to perform
    grub_secureboot_chainloader when secureboot is on, and otherwise
    attempt grub_chainloader_boot.
    
    It means that booting with secureboot off, yet still with shim (which
    always verifies things successfully), will stop choosing
    grub_secureboot_chainloader, and opting for a more regular
    loadimage/startimage codepath. If we want to use the
    grub_secureboot_chainloader codepath in such scenarios we should adapt
    the code to simply check for shim_lock protocol presence /
    shim_lock->context() success?! But I am not sure if that is necessary.
    
    This patch must not be ported to older editions of grub code bases
    that do not have verifiers framework, or it is not builtin, or
    shim-lock-verifier is an optional module.
    
    Signed-off-by: Dimitri John Ledkov <[email protected]>
    xnox authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    93a4ef5 View commit details
    Browse the repository at this point in the history
  35. grub-core/loader/efi/linux.c: drop now unused grub_linuxefi_secure_va…

    …lidate
    
    Drop the now unused grub_linuxefi_secure_validate() as all prior users
    of this API now rely on the shim-lock-verifier codepath instead.
    
    This patch must not be ported to older editions of grub code bases
    that do not have verifiers framework, or it is not builtin, or
    shim-lock-verifier is an optional module.
    
    Signed-off-by: Dimitri John Ledkov <[email protected]>
    xnox authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    21b4a5e View commit details
    Browse the repository at this point in the history
  36. powerpc: prefix detection: support device names with commas

    Frustratingly, the device name itself can contain an embedded comma:
    e.g /pci@800000020000015/pci1014,034A@0/sas/disk@5000c50098a0ee8b
    
    So my previous approach was wrong: we cannot rely upon the presence
    of a comma to say that a partition has been specified!
    
    It turns out for prefixes like (,gpt2)/grub2 we really want to make
    up a full (device,partition)/patch prefix, because root discovery code
    in 10_linux will reset the root variable and use search to fill it again.
    If you have run grub-install, you probably don't have search built in,
    and if you don't have prefix containing (device,partition), grub will
    construct ($root)$prefix/powerpc-ieee1275/search.mod - but because $root
    has just been changed, this will no longer work, and the boot will fail!
    
    Retain the gist of the logic, but instead of looking for a comma, look for
    a leading '('. This matches the earlier code better anyway.
    
    There's certainly a better fix to be had. But any time you chose to build
    with a bare prefix like '/grub2', you're almost certainly going to build in
    search anyway, so this will do.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    31dd02b View commit details
    Browse the repository at this point in the history
  37. make ofdisk_retries optional

    The feature Retry on Fail added to GRUB can cause a LPM to take
    longer if the SAN is slow.
    
    When a LPM to external site occur, the path of the disk can change
    and thus the disk search function on grub can take some time since
    it is used as a hint. This can cause the Retry on Fail feature to
    try to access the disk 20x times (since this is hardcoded number)
    and, if the SAN is slow, the boot time can increase a lot.
    In some situations not acceptable.
    
    The following patch enables a configuration at user space of the
    maximum number of retries we want for this feature.
    
    The variable ofdisk_retries should be set using grub2-editenv
    and will be checked by retry function. If the variable is not set,
    so the default number of retries will be used instead.
    Diego Domingos authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    58b705f View commit details
    Browse the repository at this point in the history
  38. loader/efi/chainloader: grub_load_and_start_image doesn't load and start

    grub_load_and_start_image only loads an image - it still requires the
    caller to start it. This renames it to grub_load_image.
    
    It's called from 2 places:
    - grub_cmd_chainloader when not using the shim protocol.
    - grub_secureboot_chainloader_boot if handle_image returns an error.
    In this case, the image is loaded and then nothing else happens which
    seems strange. I assume the intention is that it falls back to LoadImage
    and StartImage if handle_image fails, so I've made it do that.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit b4d70820a65c00561045856b7b8355461a9545f6)
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0bcccb4 View commit details
    Browse the repository at this point in the history
  39. loader/efi/chainloader: simplify the loader state

    When not using the shim lock protocol, the chainloader command retains
    the source buffer and device path passed to LoadImage, requiring the
    unload hook passed to grub_loader_set to free them. It isn't required
    to retain this state though - they aren't required by StartImage or
    anything else in the boot hook, so clean them up before
    grub_cmd_chainloader finishes.
    
    This also wraps the loader state when using the shim lock protocol
    inside a struct.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit fa39862933b3be1553a580a3a5c28073257d8046)
    [rharwood: fix unitialized handle and double-frees of file/dev]
    Signed-off-by: Robbie Harwood <[email protected]>
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    18fb384 View commit details
    Browse the repository at this point in the history
  40. commands/boot: Add API to pass context to loader

    Loaders rely on global variables for saving context which is consumed
    in the boot hook and freed in the unload hook. In the case where a loader
    command is executed twice, calling grub_loader_set a second time executes
    the unload hook, but in some cases this runs when the loader's global
    context has already been updated, resulting in the updated context being
    freed and potential use-after-free bugs when the boot hook is subsequently
    called.
    
    This adds a new API (grub_loader_set_ex) which allows a loader to specify
    context that is passed to its boot and unload hooks. This is an alternative
    to requiring that loaders call grub_loader_unset before mutating their
    global context.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit 4322a64dde7e8fedb58e50b79408667129d45dd3)
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9d43f7e View commit details
    Browse the repository at this point in the history
  41. loader/efi/chainloader: Use grub_loader_set_ex

    This ports the EFI chainloader to use grub_loader_set_ex in order to fix
    a use-after-free bug that occurs when grub_cmd_chainloader is executed
    more than once before a boot attempt is performed.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit 4b7f0402b7cb0f67a93be736f2b75b818d7f44c9)
    [rharwood: context sludge from other change]
    Signed-off-by: Robbie Harwood <[email protected]>
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    80687f2 View commit details
    Browse the repository at this point in the history
  42. loader/i386/efi/linux: Avoid a use-after-free in the linuxefi loader

    In some error paths in grub_cmd_linux, the pointer to lh may be
    dereferenced after the buffer it points to has been freed. There aren't
    any security implications from this because nothing else uses the
    allocator after the buffer is freed and before the pointer is
    dereferenced, but fix it anyway.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit 8224f5a71af94bec8697de17e7e579792db9f9e2)
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    82fe61a View commit details
    Browse the repository at this point in the history
  43. loader/i386/efi/linux: Use grub_loader_set_ex

    This ports the linuxefi loader to use grub_loader_set_ex in order to fix
    a use-after-fre bug that occurs when grub_cmd_linux is executed more than
    once before a boot attempt is performed.
    
    This is more complicated than for the chainloader command, as the initrd
    command needs access to the loader state. To solve this, the linuxefi
    module registers a dummy initrd command at startup that returns an error.
    The linuxefi command then registers a proper initrd command with a higher
    priority that is passed the loader state.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit 7cf736436b4c934df5ddfa6f44b46a7e07d99fdc)
    [rharwood/pjones: set kernel_size in context]
    Signed-off-by: Robbie Harwood <[email protected]>
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9b12533 View commit details
    Browse the repository at this point in the history
  44. loader/i386/efi/linux: Fix a memory leak in the initrd command

    Subsequent invocations of the initrd command result in the previous
    initrd being leaked, so fix that.
    
    Signed-off-by: Chris Coulson <[email protected]>
    (cherry picked from commit d98af31ce1e31bb22163960d53f5eb28c66582a0)
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    3143df6 View commit details
    Browse the repository at this point in the history
  45. kern/efi/sb: Reject non-kernel files in the shim_lock verifier

    We must not allow other verifiers to pass things like the GRUB modules.
    Instead of maintaining a blocklist, maintain an allowlist of things
    that we do not care about.
    
    This allowlist really should be made reusable, and shared by the
    lockdown verifier, but this is the minimal patch addressing
    security concerns where the TPM verifier was able to mark modules
    as verified (or the OpenPGP verifier for that matter), when it
    should not do so on shim-powered secure boot systems.
    
    Fixes: CVE-2022-28735
    
    Signed-off-by: Julian Andres Klode <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit fa61ad69861c1cb3f68bf853d78fae7fd93986a0)
    julian-klode authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9ae95e3 View commit details
    Browse the repository at this point in the history
  46. kern/file: Do not leak device_name on error in grub_file_open()

    If we have an error in grub_file_open() before we free device_name, we
    will leak it.
    
    Free device_name in the error path and null out the pointer in the good
    path once we free it there.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 1499a5068839fa37cb77ecef4b5bdacbd1ed12ea)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    aa540bc View commit details
    Browse the repository at this point in the history
  47. video/readers/png: Abort sooner if a read operation fails

    Fuzzing revealed some inputs that were taking a long time, potentially
    forever, because they did not bail quickly upon encountering an I/O error.
    
    Try to catch I/O errors sooner and bail out.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 882be97d1df6449b9fd4d593f0cb70005fde3494)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    726a97e View commit details
    Browse the repository at this point in the history
  48. video/readers/png: Refuse to handle multiple image headers

    This causes the bitmap to be leaked. Do not permit multiple image headers.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 8ce433557adeadbc46429aabb9f850b02ad2bdfb)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0cdcc7b View commit details
    Browse the repository at this point in the history
  49. video/readers/png: Drop greyscale support to fix heap out-of-bounds w…

    …rite
    
    A 16-bit greyscale PNG without alpha is processed in the following loop:
    
          for (i = 0; i < (data->image_width * data->image_height);
    	   i++, d1 += 4, d2 += 2)
    	{
    	  d1[R3] = d2[1];
    	  d1[G3] = d2[1];
    	  d1[B3] = d2[1];
    	}
    
    The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration,
    but there are only 3 bytes allocated for storage. This means that image
    data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes
    out of every 4 following the end of the image.
    
    This has existed since greyscale support was added in 2013 in commit
    3ccf16d (grub-core/video/readers/png.c: Support grayscale).
    
    Saving starfield.png as a 16-bit greyscale image without alpha in the gimp
    and attempting to load it causes grub-emu to crash - I don't think this code
    has ever worked.
    
    Delete all PNG greyscale support.
    
    Fixes: CVE-2021-3695
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 0e1d163382669bd734439d8864ee969616d971d9)
    [rharwood: context conflict]
    Signed-off-by: Robbie Harwood <[email protected]>
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ce5290a View commit details
    Browse the repository at this point in the history
  50. video/readers/png: Avoid heap OOB R/W inserting huff table items

    In fuzzing we observed crashes where a code would attempt to be inserted
    into a huffman table before the start, leading to a set of heap OOB reads
    and writes as table entries with negative indices were shifted around and
    the new code written in.
    
    Catch the case where we would underflow the array and bail.
    
    Fixes: CVE-2021-3696
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 1ae9a91d42cb40da8a6f11fac65541858e340afa)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0f76596 View commit details
    Browse the repository at this point in the history
  51. video/readers/png: Sanity check some huffman codes

    ASAN picked up two OOB global reads: we weren't checking if some code
    values fit within the cplens or cpdext arrays. Check and throw an error
    if not.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit c3a8ab0cbd24153ec7b1f84a96ddfdd72ef8d117)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    bee218b View commit details
    Browse the repository at this point in the history
  52. video/readers/jpeg: Abort sooner if a read operation fails

    Fuzzing revealed some inputs that were taking a long time, potentially
    forever, because they did not bail quickly upon encountering an I/O error.
    
    Try to catch I/O errors sooner and bail out.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit ab2e5d2e4bff488bbb557ed435a61ae102ef9f0c)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    db1fcb1 View commit details
    Browse the repository at this point in the history
  53. video/readers/jpeg: Do not reallocate a given huff table

    Fix a memory leak where an invalid file could cause us to reallocate
    memory for a huffman table we had already allocated memory for.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit bc06e12b4de55cc6f926af9f064170c82b1403e9)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    481d030 View commit details
    Browse the repository at this point in the history
  54. video/readers/jpeg: Refuse to handle multiple start of streams

    An invalid file could contain multiple start of stream blocks, which
    would cause us to reallocate and leak our bitmap. Refuse to handle
    multiple start of streams.
    
    Additionally, fix a grub_error() call formatting.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit f3a854def3e281b7ad4bbea730cd3046de1da52f)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    46f2644 View commit details
    Browse the repository at this point in the history
  55. video/readers/jpeg: Block int underflow -> wild pointer write

    Certain 1 px wide images caused a wild pointer write in
    grub_jpeg_ycrcb_to_rgb(). This was caused because in grub_jpeg_decode_data(),
    we have the following loop:
    
    for (; data->r1 < nr1 && (!data->dri || rst);
         data->r1++, data->bitmap_ptr += (vb * data->image_width - hb * nc1) * 3)
    
    We did not check if vb * width >= hb * nc1.
    
    On a 64-bit platform, if that turns out to be negative, it will underflow,
    be interpreted as unsigned 64-bit, then be added to the 64-bit pointer, so
    we see data->bitmap_ptr jump, e.g.:
    
    0x6180_0000_0480 to
    0x6181_0000_0498
         ^
         ~--- carry has occurred and this pointer is now far away from
              any object.
    
    On a 32-bit platform, it will decrement the pointer, creating a pointer
    that won't crash but will overwrite random data.
    
    Catch the underflow and error out.
    
    Fixes: CVE-2021-3697
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 41aeb2004db9924fecd9f2dd64bc2a5a5594a4b5)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    bc3b1a8 View commit details
    Browse the repository at this point in the history
  56. normal/charset: Fix array out-of-bounds formatting unicode for display

    In some cases attempting to display arbitrary binary strings leads
    to ASAN splats reading the widthspec array out of bounds.
    
    Check the index. If it would be out of bounds, return a width of 1.
    I don't know if that's strictly correct, but we're not really expecting
    great display of arbitrary binary data, and it's certainly not worse than
    an OOB read.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit fdf32abc7a3928852422c0f291d8cd1dd6b34a8d)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0965ab1 View commit details
    Browse the repository at this point in the history
  57. net/netbuff: Block overly large netbuff allocs

    A netbuff shouldn't be too huge. It's bounded by MTU and TCP segment
    reassembly.
    
    This helps avoid some bugs (and provides a spot to instrument to catch
    them at their source).
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit ee9591103004cd13b4efadda671536090ca7fd57)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9672eb8 View commit details
    Browse the repository at this point in the history
  58. net/ip: Do IP fragment maths safely

    This avoids an underflow and subsequent unpleasantness.
    
    Fixes: CVE-2022-28733
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit eb74e5743ca7e18a5e75c392fe0b21d1549a1936)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    471a298 View commit details
    Browse the repository at this point in the history
  59. net/dns: Fix double-free addresses on corrupt DNS response

    grub_net_dns_lookup() takes as inputs a pointer to an array of addresses
    ("addresses") for the given name, and pointer to a number of addresses
    ("naddresses"). grub_net_dns_lookup() is responsible for allocating
    "addresses", and the caller is responsible for freeing it if
    "naddresses" > 0.
    
    The DNS recv_hook will sometimes set and free the addresses array,
    for example if the packet is too short:
    
          if (ptr + 10 >= nb->tail)
    	{
    	  if (!*data->naddresses)
    	    grub_free (*data->addresses);
    	  grub_netbuff_free (nb);
    	  return GRUB_ERR_NONE;
    	}
    
    Later on the nslookup command code unconditionally frees the "addresses"
    array. Normally this is fine: the array is either populated with valid
    data or is NULL. But in these sorts of error cases it is neither NULL
    nor valid and we get a double-free.
    
    Only free "addresses" if "naddresses" > 0.
    
    It looks like the other use of grub_net_dns_lookup() is not affected.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit eb2e69fcf51307757e43f55ee8c9354d1ee42dd1)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    013eae6 View commit details
    Browse the repository at this point in the history
  60. net/dns: Don't read past the end of the string we're checking against

    I don't really understand what's going on here but fuzzing found
    a bug where we read past the end of check_with. That's a C string,
    so use grub_strlen() to make sure we don't overread it.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 6a97b3f4b1d5173aa516edc6dedbc63de7306d21)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    259dfb2 View commit details
    Browse the repository at this point in the history
  61. net/tftp: Prevent a UAF and double-free from a failed seek

    A malicious tftp server can cause UAFs and a double free.
    
    An attempt to read from a network file is handled by grub_net_fs_read(). If
    the read is at an offset other than the current offset, grub_net_seek_real()
    is invoked.
    
    In grub_net_seek_real(), if a backwards seek cannot be satisfied from the
    currently received packets, and the underlying transport does not provide
    a seek method, then grub_net_seek_real() will close and reopen the network
    protocol layer.
    
    For tftp, the ->close() call goes to tftp_close() and frees the tftp_data_t
    file->data. The file->data pointer is not nulled out after the free.
    
    If the ->open() call fails, the file->data will not be reallocated and will
    continue point to a freed memory block. This could happen from a server
    refusing to send the requisite ack to the new tftp request, for example.
    
    The seek and the read will then fail, but the grub_file continues to exist:
    the failed seek does not necessarily cause the entire file to be thrown
    away (e.g. where the file is checked to see if it is gzipped/lzio/xz/etc.,
    a read failure is interpreted as a decompressor passing on the file, not as
    an invalidation of the entire grub_file_t structure).
    
    This means subsequent attempts to read or seek the file will use the old
    file->data after free. Eventually, the file will be close()d again and
    file->data will be freed again.
    
    Mark a net_fs file that doesn't reopen as broken. Do not permit read() or
    close() on a broken file (seek is not exposed directly to the file API -
    it is only called as part of read, so this blocks seeks as well).
    
    As an additional defence, null out the ->data pointer if tftp_open() fails.
    That would have lead to a simple null pointer dereference rather than
    a mess of UAFs.
    
    This may affect other protocols, I haven't checked.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit dada1dda695439bb55b2848dddc2d89843552f81)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1aed0af View commit details
    Browse the repository at this point in the history
  62. net/tftp: Avoid a trivial UAF

    Under tftp errors, we print a tftp error message from the tftp header.
    However, the tftph pointer is a pointer inside nb, the netbuff. Previously,
    we were freeing the nb and then dereferencing it. Don't do that, use it
    and then free it later.
    
    This isn't really _bad_ per se, especially as we're single-threaded, but
    it trips up fuzzers.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 956f4329cec23e4375182030ca9b2be631a61ba5)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    da32934 View commit details
    Browse the repository at this point in the history
  63. net/http: Do not tear down socket if it's already been torn down

    It's possible for data->sock to get torn down in tcp error handling.
    If we unconditionally tear it down again we will end up doing writes
    to an offset of the NULL pointer when we go to tear it down again.
    
    Detect if it has been torn down and don't do it again.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit ec233d3ecf995293304de443579aab5c46c49e85)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1db4acf View commit details
    Browse the repository at this point in the history
  64. net/http: Fix OOB write for split http headers

    GRUB has special code for handling an http header that is split
    across two packets.
    
    The code tracks the end of line by looking for a "\n" byte. The
    code for split headers has always advanced the pointer just past the
    end of the line, whereas the code that handles unsplit headers does
    not advance the pointer. This extra advance causes the length to be
    one greater, which breaks an assumption in parse_line(), leading to
    it writing a NUL byte one byte past the end of the buffer where we
    reconstruct the line from the two packets.
    
    It's conceivable that an attacker controlled set of packets could
    cause this to zero out the first byte of the "next" pointer of the
    grub_mm_region structure following the current_line buffer.
    
    Do not advance the pointer in the split header case.
    
    Fixes: CVE-2022-28734
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit e9fb459638811c12b0989dbf64e3e124974ef617)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b47d562 View commit details
    Browse the repository at this point in the history
  65. net/http: Error out on headers with LF without CR

    In a similar vein to the previous patch, parse_line() would write
    a NUL byte past the end of the buffer if there was an HTTP header
    with a LF rather than a CRLF.
    
    RFC-2616 says:
    
      Many HTTP/1.1 header field values consist of words separated by LWS
      or special characters. These special characters MUST be in a quoted
      string to be used within a parameter value (as defined in section 3.6).
    
    We don't support quoted sections or continuation lines, etc.
    
    If we see an LF that's not part of a CRLF, bail out.
    
    Fixes: CVE-2022-28734
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit d232ad41ac4979a9de4d746e5fdff9caf0e303de)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    72df538 View commit details
    Browse the repository at this point in the history
  66. fs/f2fs: Do not read past the end of nat journal entries

    A corrupt f2fs file system could specify a nat journal entry count
    that is beyond the maximum NAT_JOURNAL_ENTRIES.
    
    Check if the specified nat journal entry count before accessing the
    array, and throw an error if it is too large.
    
    Signed-off-by: Sudhakar Kuppusamy <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit a3988cb3f0a108dd67ac127a79a4c8479d23334e)
    SudhakarKuppusamy1 authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8cc6350 View commit details
    Browse the repository at this point in the history
  67. fs/f2fs: Do not read past the end of nat bitmap

    A corrupt f2fs filesystem could have a block offset or a bitmap
    offset that would cause us to read beyond the bounds of the nat
    bitmap.
    
    Introduce the nat_bitmap_size member in grub_f2fs_data which holds
    the size of nat bitmap.
    
    Set the size when loading the nat bitmap in nat_bitmap_ptr(), and
    catch when an invalid offset would create a pointer past the end of
    the allocated space.
    
    Check against the bitmap size in grub_f2fs_test_bit() test bit to avoid
    reading past the end of the nat bitmap.
    
    Signed-off-by: Sudhakar Kuppusamy <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 62d63d5e38c67a6e349148bf7cb87c560e935a7e)
    SudhakarKuppusamy1 authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    400ca4e View commit details
    Browse the repository at this point in the history
  68. fs/f2fs: Do not copy file names that are too long

    A corrupt f2fs file system might specify a name length which is greater
    than the maximum name length supported by the GRUB f2fs driver.
    
    We will allocate enough memory to store the overly long name, but there
    are only F2FS_NAME_LEN bytes in the source, so we would read past the end
    of the source.
    
    While checking directory entries, do not copy a file name with an invalid
    length.
    
    Signed-off-by: Sudhakar Kuppusamy <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 9a891f638509e031d322c94e3cbcf38d36f3993a)
    SudhakarKuppusamy1 authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    acaddf9 View commit details
    Browse the repository at this point in the history
  69. fs/btrfs: Fix several fuzz issues with invalid dir item sizing

    According to the btrfs code in Linux, the structure of a directory item
    leaf should be of the form:
    
      |struct btrfs_dir_item|name|data|
    
    in GRUB the name len and data len are in the grub_btrfs_dir_item
    structure's n and m fields respectively.
    
    The combined size of the structure, name and data should be less than
    the allocated memory, a difference to the Linux kernel's struct
    btrfs_dir_item is that the grub_btrfs_dir_item has an extra field for
    where the name is stored, so we adjust for that too.
    
    Signed-off-by: Darren Kenny <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 6d3f06c0b6a8992b9b1bb0e62af93ac5ff2781f0)
    [rharwood: we've an extra variable here]
    Signed-off-by: Robbie Harwood <[email protected]>
    darrenkenny authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b254bf5 View commit details
    Browse the repository at this point in the history
  70. fs/btrfs: Fix more ASAN and SEGV issues found with fuzzing

    The fuzzer is generating btrfs file systems that have chunks with
    invalid combinations of stripes and substripes for the given RAID
    configurations.
    
    After examining the Linux kernel fs/btrfs/tree-checker.c code, it
    appears that sub-stripes should only be applied to RAID10, and in that
    case there should only ever be 2 of them.
    
    Similarly, RAID single should only have 1 stripe, and RAID1/1C3/1C4
    should have 2. 3 or 4 stripes respectively, which is what redundancy
    corresponds.
    
    Some of the chunks ended up with a size of 0, which grub_malloc() still
    returned memory for and in turn generated ASAN errors later when
    accessed.
    
    While it would be possible to specifically limit the number of stripes,
    a more correct test was on the combination of the chunk item, and the
    number of stripes by the size of the chunk stripe structure in
    comparison to the size of the chunk itself.
    
    Signed-off-by: Darren Kenny <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 3849647b4b98a4419366708fc4b7f339c6f55ec7)
    darrenkenny authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    aa74f4b View commit details
    Browse the repository at this point in the history
  71. fs/btrfs: Fix more fuzz issues related to chunks

    The corpus we generating issues in grub_btrfs_read_logical() when
    attempting to iterate over nstripes entries in the boot mapping.
    
    In most cases the reason for the failure was that the number of strips
    exceeded the possible space statically allocated in superblock bootmapping
    space. Each stripe entry in the bootmapping block consists of
    a grub_btrfs_key followed by a grub_btrfs_chunk_stripe.
    
    Another issue that came up was that while calculating the chunk size,
    in an earlier piece of code in that function, depending on the data
    provided in the btrfs file system, it would end up calculating a size
    that was too small to contain even 1 grub_btrfs_chunk_item, which is
    obviously invalid too.
    
    Signed-off-by: Darren Kenny <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit e00cd76cbadcc897a9cc4087cb2fcb5dbe15e596)
    darrenkenny authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    f887b09 View commit details
    Browse the repository at this point in the history
  72. misc: Make grub_min() and grub_max() more resilient.

    grub_min(a,b) and grub_max(a,b) use a relatively naive implementation
    which leads to several problems:
    - they evaluate their parameters more than once
    - the naive way to address this, to declare temporary variables in a
      statement-expression, isn't resilient against nested uses, because
      MIN(a,MIN(b,c)) results in the temporary variables being declared in
      two nested scopes, which may result in a build warning depending on
      your build options.
    
    This patch changes our implementation to use a statement-expression
    inside a helper macro, and creates the symbols for the temporary
    variables with __COUNTER__ (A GNU C cpp extension) and token pasting to
    create uniquely named internal variables.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    f94152b View commit details
    Browse the repository at this point in the history
  73. ReiserFS: switch to using grub_min()/grub_max()

    This is a minor cleanup patch to remove the bespoke MIN() and MAX()
    definitions from the reiserfs driver, and uses grub_min() / grub_max()
    instead.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    461b42c View commit details
    Browse the repository at this point in the history
  74. misc: make grub_boot_time() also call grub_dprintf("boot",...)

    Currently grub_boot_time() includes valuable debugging messages, but if
    you build without BOOT_TIME_STATS enabled, they are silently and
    confusingly compiled away.
    
    This patch changes grub_boot_time() to also log when "boot" is enabled
    in DEBUG, regardless of BOOT_TIME_STATS.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a21e5c1 View commit details
    Browse the repository at this point in the history
  75. modules: make .module_license read-only

    Currently .module_license is set writable (that is, the section has the
    SHF_WRITE flag set) in the module's ELF headers.  This probably never
    actually matters, but it can't possibly be correct.
    
    This patch sets that data as "const", which causes that flag not to be
    set.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    f6563e1 View commit details
    Browse the repository at this point in the history
  76. modules: strip .llvm_addrsig sections and similar.

    Currently grub modules built with clang or gcc have several sections
    which we don't actually need or support.
    
    We already have a list of section to skip in genmod.sh, and this patch
    adds the following sections to that list (as well as a few newlines):
    
    .note.gnu.property
    .llvm*
    
    Note that the glob there won't work without a new enough linker, but the
    failure is just reversion to the status quo, so that's not a big problem.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0f66524 View commit details
    Browse the repository at this point in the history
  77. modules: Don't allocate space for non-allocable sections.

    Currently when loading grub modules, we allocate space for all sections,
    including those without SHF_ALLOC set.  We then copy the sections that
    /do/ have SHF_ALLOC set into the allocated memory, leaving some of our
    allocation untouched forever.  Additionally, on platforms with GOT
    fixups and trampolines, we currently compute alignment round-ups for the
    sections and sections with sh_size = 0.
    
    This patch removes the extra space from the allocation computation, and
    makes the allocation computation loop skip empty sections as the loading
    loop does.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0f76b53 View commit details
    Browse the repository at this point in the history
  78. pe: add the DOS header struct and fix some bad naming.

    In order to properly validate a loaded kernel's support for being loaded
    without a writable stack or executable, we need to be able to properly
    parse arbitrary PE headers.
    
    Currently, pe32.h is written in such a way that the MS-DOS header that
    tells us where to find the PE header in the binary can't be accessed.
    Further, for some reason it calls the DOS MZ magic "GRUB_PE32_MAGIC".
    
    This patch adds the structure for the DOS header, renames the DOS magic
    define, and adds defines for the actual PE magic.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    c850db5 View commit details
    Browse the repository at this point in the history
  79. EFI: allocate kernel in EFI_RUNTIME_SERVICES_CODE instead of EFI_LOAD…

    …ER_DATA.
    
    On some of the firmwares with more security mitigations, EFI_LOADER_DATA
    doesn't get you executable memory, and we take a fault and reboot when
    we enter kernel.
    
    This patch correctly allocates the kernel code as EFI_RUNTIME_SERVICES_CODE
    rather than EFI_LOADER_DATA.
    
    Signed-off-by: Peter Jones <[email protected]>
    [rharwood: use kernel_size]
    Signed-off-by: Robbie Harwood <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    04c96d8 View commit details
    Browse the repository at this point in the history
  80. modules: load module sections at page-aligned addresses

    Currently we load module sections at whatever alignment gcc+ld happened
    to dump into the ELF section header, which is often pretty useless.  For
    example, by default time.mod has these sections on a current x86_64
    build:
    
    $ eu-readelf -a grub-core/time.mod |& grep ^Section -A13
    Section Headers:
    [Nr] Name            Type         Addr  Off      Size     ES Flags Lk Inf Al
    [ 0]                 NULL         0     00000000 00000000  0        0   0  0
    [ 1] .text           PROGBITS     0     00000040 0000015e  0 AX     0   0  1
    [ 2] .rela.text      RELA         0     00000458 000001e0 24 I      8   1  8
    [ 3] .rodata.str1.1  PROGBITS     0     0000019e 000000a1  1 AMS    0   0  1
    [ 4] .module_license PROGBITS     0     00000240 0000000f  0 A      0   0  8
    [ 5] .data           PROGBITS     0     0000024f 00000000  0 WA     0   0  1
    [ 6] .bss            NOBITS       0     00000250 00000008  0 WA     0   0  8
    [ 7] .modname        PROGBITS     0     00000250 00000005  0        0   0  1
    [ 8] .symtab         SYMTAB       0     00000258 00000150 24        9   6  8
    [ 9] .strtab         STRTAB       0     000003a8 000000ab  0        0   0  1
    [10] .shstrtab       STRTAB       0     00000638 00000059  0        0   0  1
    
    With NX protections being page based, loading sections with either a 1
    or 8 *byte* alignment does absolutely nothing to help us out.
    
    This patch switches most EFI platforms to load module sections at 4kB
    page-aligned addresses.  To do so, it adds an new per-arch function,
    grub_arch_dl_min_alignment(), which returns the alignment needed for
    dynamically loaded sections (in bytes).  Currently it sets it to 4096
    when GRUB_MACHINE_EFI is true on x86_64, i386, arm, arm64, and emu, and
    1-byte alignment on everything else.
    
    It then changes the allocation size computation and the loader code in
    grub_dl_load_segments() to align the locations and sizes up to these
    boundaries, and fills any added padding with zeros.
    
    All of this happens before relocations are applied, so the relocations
    factor that in with no change.
    
    As an aside, initially Daniel Kiper and I thought that it might be a
    better idea to split the modules up into top-level sections as
    .text.modules, .rodata.modules, .data.modules, etc., so that their page
    permissions would get set by the loader that's loading grub itself.
    This turns out to have two significant downsides: 1) either in mkimage
    or in grub_dl_relocate_symbols(), you wind up having to dynamically
    process the relocations to accommodate the moved module sections, and 2)
    you then need to change the permissions on the modules and change them
    back while relocating them in grub_dl_relocate_symbols(), which means
    that any loader that /does/ honor the section flags but does /not/
    generally support NX with the memory attributes API will cause grub to
    fail.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    887f1d8 View commit details
    Browse the repository at this point in the history
  81. nx: add memory attribute get/set API

    For NX, we need to set the page access permission attributes for write
    and execute permissions.
    
    This patch adds two new primitives, grub_set_mem_attrs() and
    grub_clear_mem_attrs(), and associated constant definitions, to be used
    for that purpose.
    
    For most platforms, it adds a dummy implementation that returns
    GRUB_ERR_NONE.  On EFI platforms, it adds a common helper function,
    grub_efi_status_to_err(), which translates EFI error codes to grub error
    codes, adds headers for the EFI Memory Attribute Protocol (still pending
    standardization), and an implementation of the grub nx primitives using
    it.
    
    Signed-off-by: Peter Jones <[email protected]>
    [rharwood: add pjones's none/nyi fixup]
    Signed-off-by: Robbie Harwood <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    45bfb1c View commit details
    Browse the repository at this point in the history
  82. nx: set page permissions for loaded modules.

    For NX, we need to set write and executable permissions on the sections
    of grub modules when we load them.
    
    On sections with SHF_ALLOC set, which is typically everything except
    .modname and the symbol and string tables, this patch clears the Read
    Only flag on sections that have the ELF flag SHF_WRITE set, and clears
    the No eXecute flag on sections with SHF_EXECINSTR set.  In all other
    cases it sets both flags.
    
    Signed-off-by: Peter Jones <[email protected]>
    [rharwood: arm tgptr -> tgaddr]
    Signed-off-by: Robbie Harwood <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ad1b904 View commit details
    Browse the repository at this point in the history
  83. nx: set attrs in our kernel loaders

    For NX, our kernel loaders need to set write and execute page
    permissions on allocated pages and the stack.
    
    This patch adds those calls.
    
    Signed-off-by: Peter Jones <[email protected]>
    [rharwood: fix stack_attrs undefined, fix aarch64 callsites]
    Signed-off-by: Robbie Harwood <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a9d4056 View commit details
    Browse the repository at this point in the history
  84. nx: set the nx compatible flag in EFI grub images

    For NX, we need the grub binary to announce that it is compatible with
    the NX feature.  This implies that when loading the executable grub
    image, several attributes are true:
    
    - the binary doesn't need an executable stack
    - the binary doesn't need sections to be both executable and writable
    - the binary knows how to use the EFI Memory Attributes protocol on code
      it is loading.
    
    This patch adds a definition for the PE DLL Characteristics flag
    GRUB_PE32_NX_COMPAT, and changes grub-mkimage to set that flag.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a9ec858 View commit details
    Browse the repository at this point in the history
  85. grub-probe: document the behavior of multiple -v

    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 51a55233eed08f7f12276afd6b3724b807a0b680)
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5898517 View commit details
    Browse the repository at this point in the history
  86. grub_fs_probe(): dprint errors from filesystems

    When filesystem detection fails, all that's currently debug-logged is a
    series of messages like:
    
        grub-core/kern/fs.c:56:fs: Detecting ntfs...
        grub-core/kern/fs.c:76:fs: ntfs detection failed.
    
    repeated for each filesystem.  Any messages provided to grub_error() by
    the filesystem are lost, and one has to break out gdb to figure out what
    went wrong.
    
    With this change, one instead sees:
    
        grub-core/kern/fs.c:56:fs: Detecting fat...
        grub-core/osdep/hostdisk.c:357:hostdisk: reusing open device
        `/path/to/device'
        grub-core/kern/fs.c:77:fs: error: invalid modification timestamp for /.
        grub-core/kern/fs.c:79:fs: fat detection failed.
    
    in the debug prints.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 838c79d658797d0662ee7f9e033e38ee88059e02)
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    e452c07 View commit details
    Browse the repository at this point in the history
  87. fs/fat: don't error when mtime is 0

    In the wild, we occasionally see valid ESPs where some file modification times
    are 0.  For instance:
    
        ├── [Dec 31  1979]  EFI
        │   ├── [Dec 31  1979]  BOOT
        │   │   ├── [Dec 31  1979]  BOOTX64.EFI
        │   │   └── [Dec 31  1979]  fbx64.efi
        │   └── [Jun 27 02:41]  fedora
        │       ├── [Dec 31  1979]  BOOTX64.CSV
        │       ├── [Dec 31  1979]  fonts
        │       ├── [Mar 14 03:35]  fw
        │       │   ├── [Mar 14 03:35]  fwupd-359c1169-abd6-4a0d-8bce-e4d4713335c1.cap
        │       │   ├── [Mar 14 03:34]  fwupd-9d255c4b-2d88-4861-860d-7ee52ade9463.cap
        │       │   └── [Mar 14 03:34]  fwupd-b36438d8-9128-49d2-b280-487be02d948b.cap
        │       ├── [Dec 31  1979]  fwupdx64.efi
        │       ├── [May 10 10:47]  grub.cfg
        │       ├── [Jun  3 12:38]  grub.cfg.new.new
        │       ├── [May 10 10:41]  grub.cfg.old
        │       ├── [Jun 27 02:41]  grubenv
        │       ├── [Dec 31  1979]  grubx64.efi
        │       ├── [Dec 31  1979]  mmx64.efi
        │       ├── [Dec 31  1979]  shim.efi
        │       ├── [Dec 31  1979]  shimx64.efi
        │       └── [Dec 31  1979]  shimx64-fedora.efi
        └── [Dec 31  1979]  FSCK0000.REC
    
        5 directories, 17 files
    
    This causes grub-probe failure, which in turn causes grub-mkconfig
    failure.  They are valid filesystems that appear intact, and the Linux
    FAT stack is able to mount and manipulate them without complaint.
    
    The check for mtime of 0 has been present since
    20def1a ("fat: support file
    modification times").
    
    Signed-off-by: Robbie Harwood <[email protected]>
    (cherry picked from commit 0615c4887352e32d7bb7198e9ad0d695f9dc2c31)
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8a1dcbf View commit details
    Browse the repository at this point in the history
  88. Make debug=file show which file filters get run.

    If one of the file filters breaks things, it's hard to figure out where
    it has happened.
    
    This makes grub log which filter is being run, which makes it easier to
    figure out where you are in the sequence of events.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ca59646 View commit details
    Browse the repository at this point in the history
  89. efi: use enumerated array positions for our allocation choices

    In our kernel allocator on EFI systems, we currently have a growing
    amount of code that references the various allocation policies by
    position in the array, and of course maintenance of this code scales
    very poorly.
    
    This patch changes them to be enumerated, so they're easier to refer to
    farther along in the code without confusion.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    c88cadb View commit details
    Browse the repository at this point in the history
  90. efi: split allocation policy for kernel vs initrd memories.

    Currently in our kernel allocator, we use the same set of choices for
    all of our various kernel and initramfs allocations, though they do not
    have exactly the same constraints.
    
    This patch adds the concept of an allocation purpose, which currently
    can be KERNEL_MEM or INITRD_MEM, and updates kernel_alloc() calls
    appropriately, but does not change any current policy decision.  It
    also adds a few debug prints.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a9da903 View commit details
    Browse the repository at this point in the history
  91. efi: allocate the initrd within the bounds expressed by the kernel

    Currently on x86, only linux kernels built with CONFIG_RELOCATABLE for
    x86_64 can be loaded above 4G, but the maximum address for the initramfs
    is specified via a HdrS field.  This allows us to utilize that value,
    and unless loading the kernel above 4G, uses the value present there.
    If loading kernel above 4G is allowed, we assume loading the initramfs
    above 4G also works; in practice this has been true in the kernel code
    for quite some time.
    
    Resolves: rhbz#2112134
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8233b73 View commit details
    Browse the repository at this point in the history
  92. efi: use EFI_LOADER_(CODE|DATA) for kernel and initrd allocations

    At some point due to an erroneous kernel warning, we switched kernel and
    initramfs to being loaded in EFI_RUNTIME_SERVICES_CODE and
    EFI_RUNTIME_SERVICES_DATA memory pools.  This doesn't appear to be
    correct according to the spec, and that kernel warning has gone away.
    
    This patch puts them back in EFI_LOADER_CODE and EFI_LOADER_DATA
    allocations, respectively.
    
    Resolves: rhbz#2108456
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    cb965e0 View commit details
    Browse the repository at this point in the history
  93. BLS: create /etc/kernel/cmdline during mkconfig

    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2e2a825 View commit details
    Browse the repository at this point in the history
  94. squish: don't dup rhgb quiet, check mtimes

    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    3acfee4 View commit details
    Browse the repository at this point in the history
  95. squish: give up on rhgb quiet

    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    0720d50 View commit details
    Browse the repository at this point in the history
  96. squish: BLS: only write /etc/kernel/cmdline if writable

    On OSTree systems, `grub2-mkconfig` is run with `/etc` mounted read-only
    because as part of the promise of transactional updates, we want to make
    sure that we're not modifying the current deployment's state (`/etc` or
    `/var`).
    
    This conflicts with 0837dcd ("BLS: create /etc/kernel/cmdline during
    mkconfig") which wants to write to `/etc/kernel/cmdline`. I'm not
    exactly sure on the background there, but based on the comment I think
    the intent is to fulfill grubby's expectation that the file exists.
    
    However, in systems like Silverblue, kernel arguments are managed by the
    rpm-ostree stack and grubby is not shipped at all.
    
    Adjust the script slightly so that we only write `/etc/kernel/cmdline`
    if the parent directory is writable.
    
    In the future, we're hoping to simplify things further on rpm-ostree
    systems by not running `grub2-mkconfig` at all since libostree already
    directly writes BLS entries. Doing that would also have avoided this,
    but ratcheting it into existing systems needs more careful thought.
    
    Signed-off-by: Jonathan Lebon <[email protected]>
    
    Fixes: fedora-silverblue/issue-tracker#322
    jlebon authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a2f7693 View commit details
    Browse the repository at this point in the history
  97. blscfg: Don't root device in emu builds

    Otherwise, we end up looking for kernel/initrd in /boot/boot which
    doesn't work at all.  Non-emu builds need to be looking in
    ($root)/boot/, which is what this is for.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    6038557 View commit details
    Browse the repository at this point in the history
  98. loader/arm64/linux: Remove magic number header field check

    The "ARM\x64" magic number in the file header identifies an image as one
    that implements the bare metal boot protocol, allowing the loader to
    simply move the file to a suitably aligned address in memory, with
    sufficient headroom for the trailing .bss segment (the required memory
    size is described in the header as well).
    
    Note of this matters for GRUB, as it only supports EFI boot. EFI does
    not care about this magic number, and nor should GRUB: this prevents us
    from booting other PE linux images, such as the generic EFI zboot
    decompressor, which is a pure PE/COFF image, and does not implement the
    bare metal boot protocol.
    
    So drop the magic number check.
    
    Signed-off-by: Ard Biesheuvel <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Resolves: rhbz#2125069
    Signed-off-by: Jeremy Linton <[email protected]>
    (cherry-picked from commit 69edb31)
    Signed-off-by: Robbie Harwood <[email protected]>
    ardbiesheuvel authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    62382ef View commit details
    Browse the repository at this point in the history
  99. Correct BSS zeroing on aarch64

    The aarch64 loader doesn't use efi bootservices, and
    therefor it has a very minimal loader which makes a lot
    of assumptions about the kernel layout. With the ZBOOT
    changes, the layout has changed a bit and we not should
    really be parsing the PE sections to determine how much
    data to copy, otherwise the BSS won't be setup properly.
    
    This code still makes a lot of assumptions about the
    the kernel layout, so its far from ideal, but it works.
    
    Resolves: rhbz#2125069
    
    Signed-off-by: Jeremy Linton <[email protected]>
    jlintonarm authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9752abc View commit details
    Browse the repository at this point in the history
  100. linuxefi: Invalidate i-cache before starting the kernel

    We need to flush the memory range of the code we are about to execute
    from the instruction cache before we can safely execute it. Not doing
    so appears to be the source of rare synchronous exceptions a user
    is seeing on a Cortex-A72-based platform while executing the Linux EFI
    stub. Notably they seem to correlate with an instruction on a cache
    line boundary.
    
    Signed-off-by: dann frazier <[email protected]>
    dann frazier authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9ae5901 View commit details
    Browse the repository at this point in the history
  101. x86-efi: Fix an incorrect array size in kernel allocation

    In 81a6ebf ("efi: split allocation
    policy for kernel vs initrd memories."), I introduced a split in the
    kernel allocator to allow for different dynamic policies for the kernel
    and the initrd allocations.
    
    Unfortunately, that change increased the size of the policy data used to
    make decisions, but did not change the size of the temporary storage we
    use to back it up and restore.  This results in some of .data getting
    clobbered at runtime, and hilarity ensues.
    
    This patch makes the size of the backup storage be based on the size of
    the initial policy data.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    c500935 View commit details
    Browse the repository at this point in the history
  102. commands/efi/tpm: Refine the status of log event

    1. Use macro GRUB_ERR_NONE instead of hard code 0.
    2. Keep lowercase of the first char for the status string of log event.
    
    Signed-off-by: Lu Ken <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 9228985)
    kenplusplus authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    bf9f867 View commit details
    Browse the repository at this point in the history
  103. commands/efi/tpm: Use grub_strcpy() instead of grub_memcpy()

    The event description is a string, so using grub_strcpy() is cleaner than
    using grub_memcpy().
    
    Signed-off-by: Lu Ken <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit ef8679b)
    kenplusplus authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    588414d View commit details
    Browse the repository at this point in the history
  104. efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support

    The EFI_CC_MEASUREMENT_PROTOCOL abstracts the measurement for virtual firmware
    in confidential computing environment. It is similar to the EFI_TCG2_PROTOCOL.
    It was proposed by Intel and ARM and approved by UEFI organization.
    
    It is defined in Intel GHCI specification: https://cdrdv2.intel.com/v1/dl/getContent/726790 .
    The EDKII header file is available at https://github.com/tianocore/edk2/blob/master/MdePkg/Include/Protocol/CcMeasurement.h .
    
    Signed-off-by: Lu Ken <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 4c76565)
    kenplusplus authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    fd55945 View commit details
    Browse the repository at this point in the history
  105. font: Reject glyphs exceeds font->max_glyph_width or font->max_glyph_…

    …height
    
    Check glyph's width and height against limits specified in font's
    metadata. Reject the glyph (and font) if such limits are exceeded.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 5760fcfd466cc757540ea0d591bad6a08caeaa16)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    4197818 View commit details
    Browse the repository at this point in the history
  106. font: Fix size overflow in grub_font_get_glyph_internal()

    The length of memory allocation and file read may overflow. This patch
    fixes the problem by using safemath macros.
    
    There is a lot of code repetition like "(x * y + 7) / 8". It is unsafe
    if overflow happens. This patch introduces grub_video_bitmap_calc_1bpp_bufsz().
    It is safe replacement for such code. It has safemath-like prototype.
    
    This patch also introduces grub_cast(value, pointer), it casts value to
    typeof(*pointer) then store the value to *pointer. It returns true when
    overflow occurs or false if there is no overflow. The semantics of arguments
    and return value are designed to be consistent with other safemath macros.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 941d10ad6f1dcbd12fb613002249e29ba035f985)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1d99597 View commit details
    Browse the repository at this point in the history
  107. font: Fix several integer overflows in grub_font_construct_glyph()

    This patch fixes several integer overflows in grub_font_construct_glyph().
    Glyphs of invalid size, zero or leading to an overflow, are rejected.
    The inconsistency between "glyph" and "max_glyph_size" when grub_malloc()
    returns NULL is fixed too.
    
    Fixes: CVE-2022-2601
    
    Reported-by: Zhang Boyang <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit b1805f251b31a9d3cfae5c3572ddfa630145dbbf)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    551e0d5 View commit details
    Browse the repository at this point in the history
  108. font: Remove grub_font_dup_glyph()

    Remove grub_font_dup_glyph() since nobody is using it since 2013, and
    I'm too lazy to fix the integer overflow problem in it.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 25ad31c19c331aaa2dbd9bd2b2e2655de5766a9d)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    1dae55f View commit details
    Browse the repository at this point in the history
  109. font: Fix integer overflow in ensure_comb_space()

    In fact it can't overflow at all because glyph_id->ncomb is only 8-bit
    wide. But let's keep safe if somebody changes the width of glyph_id->ncomb
    in the future. This patch also fixes the inconsistency between
    render_max_comb_glyphs and render_combining_glyphs when grub_malloc()
    returns NULL.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit b2740b7e4a03bb8331d48b54b119afea76bb9d5f)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    f8852c9 View commit details
    Browse the repository at this point in the history
  110. font: Fix integer overflow in BMP index

    The BMP index (font->bmp_idx) is designed as a reverse lookup table of
    char entries (font->char_index), in order to speed up lookups for BMP
    chars (i.e. code < 0x10000). The values in BMP index are the subscripts
    of the corresponding char entries, stored in grub_uint16_t, while 0xffff
    means not found.
    
    This patch fixes the problem of large subscript truncated to grub_uint16_t,
    leading BMP index to return wrong char entry or report false miss. The
    code now checks for bounds and uses BMP index as a hint, and fallbacks
    to binary-search if necessary.
    
    On the occasion add a comment about BMP index is initialized to 0xffff.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit afda8b60ba0712abe01ae1e64c5f7a067a0e6492)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    86b719f View commit details
    Browse the repository at this point in the history
  111. font: Fix integer underflow in binary search of char index

    If search target is less than all entries in font->index then "hi"
    variable is set to -1, which translates to SIZE_MAX and leads to errors.
    
    This patch fixes the problem by replacing the entire binary search code
    with the libstdc++'s std::lower_bound() implementation.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit c140a086838e7c9af87842036f891b8393a8c4bc)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2f03fac View commit details
    Browse the repository at this point in the history
  112. kern/efi/sb: Enforce verification of font files

    As a mitigation and hardening measure enforce verification of font
    files. Then only trusted font files can be load. This will reduce the
    attack surface at cost of losing the ability of end-users to customize
    fonts if e.g. UEFI Secure Boot is enabled. Vendors can always customize
    fonts because they have ability to pack fonts into their GRUB bundles.
    
    This goal is achieved by:
    
      * Removing GRUB_FILE_TYPE_FONT from shim lock verifier's
        skip-verification list.
    
      * Adding GRUB_FILE_TYPE_FONT to lockdown verifier's defer-auth list,
        so font files must be verified by a verifier before they can be loaded.
    
    Suggested-by: Daniel Kiper <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 630deb8c0d8b02b670ced4b7030414bcf17aa080)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5396629 View commit details
    Browse the repository at this point in the history
  113. fbutil: Fix integer overflow

    Expressions like u64 = u32 * u32 are unsafe because their products are
    truncated to u32 even if left hand side is u64. This patch fixes all
    problems like that one in fbutil.
    
    To get right result not only left hand side have to be u64 but it's also
    necessary to cast at least one of the operands of all leaf operators of
    right hand side to u64, e.g. u64 = u32 * u32 + u32 * u32 should be
    u64 = (u64)u32 * u32 + (u64)u32 * u32.
    
    For 1-bit bitmaps grub_uint64_t have to be used. It's safe because any
    combination of values in (grub_uint64_t)u32 * u32 + u32 expression will
    not overflow grub_uint64_t.
    
    Other expressions like ptr + u32 * u32 + u32 * u32 are also vulnerable.
    They should be ptr + (grub_addr_t)u32 * u32 + (grub_addr_t)u32 * u32.
    
    This patch also adds a comment to grub_video_fb_get_video_ptr() which
    says it's arguments must be valid and no sanity check is performed
    (like its siblings in grub-core/video/fb/fbutil.c).
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 50a11a81bc842c58962244a2dc86bbd31a426e12)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7428f10 View commit details
    Browse the repository at this point in the history
  114. font: Fix an integer underflow in blit_comb()

    The expression (ctx.bounds.height - combining_glyphs[i]->height) / 2 may
    evaluate to a very big invalid value even if both ctx.bounds.height and
    combining_glyphs[i]->height are small integers. For example, if
    ctx.bounds.height is 10 and combining_glyphs[i]->height is 12, this
    expression evaluates to 2147483647 (expected -1). This is because
    coordinates are allowed to be negative but ctx.bounds.height is an
    unsigned int. So, the subtraction operates on unsigned ints and
    underflows to a very big value. The division makes things even worse.
    The quotient is still an invalid value even if converted back to int.
    
    This patch fixes the problem by casting ctx.bounds.height to int. As
    a result the subtraction will operate on int and grub_uint16_t which
    will be promoted to an int. So, the underflow will no longer happen. Other
    uses of ctx.bounds.height (and ctx.bounds.width) are also casted to int,
    to ensure coordinates are always calculated on signed integers.
    
    Fixes: CVE-2022-3775
    
    Reported-by: Daniel Axtens <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 6d2668dea3774ed74c4cd1eadd146f1b846bc3d4)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7c85e1a View commit details
    Browse the repository at this point in the history
  115. font: Harden grub_font_blit_glyph() and grub_font_blit_glyph_mirror()

    As a mitigation and hardening measure add sanity checks to
    grub_font_blit_glyph() and grub_font_blit_glyph_mirror(). This patch
    makes these two functions do nothing if target blitting area isn't fully
    contained in target bitmap. Therefore, if complex calculations in caller
    overflows and malicious coordinates are given, we are still safe because
    any coordinates which result in out-of-bound-write are rejected. However,
    this patch only checks for invalid coordinates, and doesn't provide any
    protection against invalid source glyph or destination glyph, e.g.
    mismatch between glyph size and buffer size.
    
    This hardening measure is designed to mitigate possible overflows in
    blit_comb(). If overflow occurs, it may return invalid bounding box
    during dry run and call grub_font_blit_glyph() with malicious
    coordinates during actual blitting. However, we are still safe because
    the scratch glyph itself is valid, although its size makes no sense, and
    any invalid coordinates are rejected.
    
    It would be better to call grub_fatal() if illegal parameter is detected.
    However, doing this may end up in a dangerous recursion because grub_fatal()
    would print messages to the screen and we are in the progress of drawing
    characters on the screen.
    
    Reported-by: Daniel Axtens <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit fcd7aa0c278f7cf3fb9f93f1a3966e1792339eb6)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5e5d858 View commit details
    Browse the repository at this point in the history
  116. font: Assign null_font to glyphs in ascii_font_glyph[]

    The calculations in blit_comb() need information from glyph's font, e.g.
    grub_font_get_xheight(main_glyph->font). However, main_glyph->font is
    NULL if main_glyph comes from ascii_font_glyph[]. Therefore
    grub_font_get_*() crashes because of NULL pointer.
    
    There is already a solution, the null_font. So, assign it to those glyphs
    in ascii_font_glyph[].
    
    Reported-by: Daniel Axtens <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit dd539d695482069d28b40f2d3821f710cdcf6ee6)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    2cff5db View commit details
    Browse the repository at this point in the history
  117. normal/charset: Fix an integer overflow in grub_unicode_aglomerate_co…

    …mb()
    
    The out->ncomb is a bit-field of 8 bits. So, the max possible value is 255.
    However, code in grub_unicode_aglomerate_comb() doesn't check for an
    overflow when incrementing out->ncomb. If out->ncomb is already 255,
    after incrementing it will get 0 instead of 256, and cause illegal
    memory access in subsequent processing.
    
    This patch introduces GRUB_UNICODE_NCOMB_MAX to represent the max
    acceptable value of ncomb. The code now checks for this limit and
    ignores additional combining characters when limit is reached.
    
    Reported-by: Daniel Axtens <[email protected]>
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit da90d62316a3b105d2fbd7334d6521936bd6dcf6)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    e1f86f1 View commit details
    Browse the repository at this point in the history
  118. font: Try opening fonts from the bundled memdisk

    Signed-off-by: Robbie Harwood <[email protected]>
    chrisccoulson authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    10c5a7b View commit details
    Browse the repository at this point in the history
  119. mm: Clarify grub_real_malloc()

    When iterating through the singly linked list of free blocks,
    grub_real_malloc() uses p and q for the current and previous blocks
    respectively. This isn't super clear, so swap to using prev and cur.
    
    This makes another quirk more obvious. The comment at the top of
    grub_real_malloc() might lead you to believe that the function will
    allocate from *first if there is space in that block.
    
    It actually doesn't do that, and it can't do that with the current
    data structures. If we used up all of *first, we would need to change
    the ->next of the previous block to point to *first->next, but we
    can't do that because it's a singly linked list and we don't have
    access to *first's previous block.
    
    What grub_real_malloc() actually does is set *first to the initial
    previous block, and *first->next is the block we try to allocate
    from. That allows us to keep all the data structures consistent.
    
    Document that.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 246ad6a)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ae3a583 View commit details
    Browse the repository at this point in the history
  120. mm: grub_real_malloc(): Make small allocs comment match code

    Small allocations move the region's *first pointer. The comment
    says that this happens for allocations under 64K. The code says
    it's for allocations under 32K. Commit 45bf8b3 changed the
    code intentionally: make the comment match.
    
    Fixes: 45bf8b3 (* grub-core/kern/mm.c (grub_real_malloc): Decrease cut-off of moving the)
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit a847895)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    b51f0d4 View commit details
    Browse the repository at this point in the history
  121. mm: Document grub_free()

    The grub_free() possesses a surprising number of quirks, and also
    uses single-letter variable names confusingly to iterate through
    the free list.
    
    Document what's going on.
    
    Use prev and cur to iterate over the free list.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 1f8d0b0)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    280a656 View commit details
    Browse the repository at this point in the history
  122. mm: Document grub_mm_init_region()

    The grub_mm_init_region() does some things that seem magical, especially
    around region merging. Make it a bit clearer.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 246d69b)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5fc6860 View commit details
    Browse the repository at this point in the history
  123. mm: Document GRUB internal memory management structures

    I spent more than a trivial quantity of time figuring out pre_size and
    whether a memory region's size contains the header cell or not.
    
    Document the meanings of all the properties. Hopefully now no-one else
    has to figure it out!
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit a6c5c52)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    9cfee08 View commit details
    Browse the repository at this point in the history
  124. mm: Assert that we preserve header vs region alignment

    grub_mm_region_init() does:
    
      h = (grub_mm_header_t) (r + 1);
    
    where h is a grub_mm_header_t and r is a grub_mm_region_t.
    
    Cells are supposed to be GRUB_MM_ALIGN aligned, but while grub_mm_dump
    ensures this vs the region header, grub_mm_region_init() does not.
    
    It's better to be explicit than implicit here: rather than changing
    grub_mm_region_init() to ALIGN_UP(), require that the struct is
    explicitly a multiple of the header size.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 1df8fe6)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    3ec3df3 View commit details
    Browse the repository at this point in the history
  125. mm: When adding a region, merge with region after as well as before

    On x86_64-efi (at least) regions seem to be added from top down. The mm
    code will merge a new region with an existing region that comes
    immediately before the new region. This allows larger allocations to be
    satisfied that would otherwise be the case.
    
    On powerpc-ieee1275, however, regions are added from bottom up. So if
    we add 3x 32MB regions, we can still only satisfy a 32MB allocation,
    rather than the 96MB allocation we might otherwise be able to satisfy.
    
      * Define 'post_size' as being bytes lost to the end of an allocation
        due to being given weird sizes from firmware that are not multiples
        of GRUB_MM_ALIGN.
    
      * Allow merging of regions immediately _after_ existing regions, not
        just before. As with the other approach, we create an allocated
        block to represent the new space and the pass it to grub_free() to
        get the metadata right.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Tested-by: Stefan Berger <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 052e606)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    77371ff View commit details
    Browse the repository at this point in the history
  126. mm: Debug support for region operations

    This is handy for debugging. Enable with "set debug=regions".
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 8afa5ef)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    474d212 View commit details
    Browse the repository at this point in the history
  127. mm: Drop unused unloading of modules on OOM

    In grub_memalign(), there's a commented section which would allow for
    unloading of unneeded modules in case where there is not enough free
    memory available to satisfy a request. Given that this code is never
    compiled in, let's remove it together with grub_dl_unload_unneeded().
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 139fd9b)
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    629bce3 View commit details
    Browse the repository at this point in the history
  128. mm: Allow dynamically requesting additional memory regions

    Currently, all platforms will set up their heap on initialization of the
    platform code. While this works mostly fine, it poses some limitations
    on memory management on us. Most notably, allocating big chunks of
    memory in the gigabyte range would require us to pre-request this many
    bytes from the firmware and add it to the heap from the beginning on
    some platforms like EFI. As this isn't needed for most configurations,
    it is inefficient and may even negatively impact some usecases when,
    e.g., chainloading. Nonetheless, allocating big chunks of memory is
    required sometimes, where one example is the upcoming support for the
    Argon2 key derival function in LUKS2.
    
    In order to avoid pre-allocating big chunks of memory, this commit
    implements a runtime mechanism to add more pages to the system. When
    a given allocation cannot be currently satisfied, we'll call a given
    callback set up by the platform's own memory management subsystem,
    asking it to add a memory area with at least "n" bytes. If this
    succeeds, we retry searching for a valid memory region, which should
    now succeed.
    
    If this fails, we try asking for "n" bytes, possibly spread across
    multiple regions, in hopes that region merging means that we end up
    with enough memory for things to work out.
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Tested-by: Stefan Berger <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 887f98f)
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    dcbf777 View commit details
    Browse the repository at this point in the history
  129. kern/efi/mm: Always request a fixed number of pages on init

    When initializing the EFI memory subsystem, we will by default request
    a quarter of the available memory, bounded by a minimum/maximum value.
    Given that we're about to extend the EFI memory system to dynamically
    request additional pages from the firmware as required, this scaling of
    requested memory based on available memory will not make a lot of sense
    anymore.
    
    Remove this logic as a preparatory patch such that we'll instead defer
    to the runtime memory allocator. Note that ideally, we'd want to change
    this after dynamic requesting of pages has been implemented for the EFI
    platform. But because we'll need to split up initialization of the
    memory subsystem and the request of pages from the firmware, we'd have
    to duplicate quite some logic at first only to remove it afterwards
    again. This seems quite pointless, so we instead have patches slightly
    out of order.
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 938c376)
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    65f6aaa View commit details
    Browse the repository at this point in the history
  130. kern/efi/mm: Extract function to add memory regions

    In preparation of support for runtime-allocating additional memory
    region, this patch extracts the function to retrieve the EFI memory
    map and add a subset of it to GRUB's own memory regions.
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 96a7ea2)
    [rharwood: backport around our nx]
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    8d87a6f View commit details
    Browse the repository at this point in the history
  131. kern/efi/mm: Pass up errors from add_memory_regions()

    The function add_memory_regions() is currently only called on system
    initialization to allocate a fixed amount of pages. As such, it didn't
    need to return any errors: in case it failed, we cannot proceed anyway.
    This will change with the upcoming support for requesting more memory
    from the firmware at runtime, where it doesn't make sense anymore to
    fail hard.
    
    Refactor the function to return an error to prepare for this. Note that
    this does not change the behaviour when initializing the memory system
    because grub_efi_mm_init() knows to call grub_fatal() in case
    grub_efi_mm_add_regions() returns an error.
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 15a0156)
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    47bd939 View commit details
    Browse the repository at this point in the history
  132. kern/efi/mm: Implement runtime addition of pages

    Adjust the interface of grub_efi_mm_add_regions() to take a set of
    GRUB_MM_ADD_REGION_* flags, which most notably is currently only the
    GRUB_MM_ADD_REGION_CONSECUTIVE flag. This allows us to set the function
    up as callback for the memory subsystem and have it call out to us in
    case there's not enough pages available in the current heap.
    
    Signed-off-by: Patrick Steinhardt <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 1df2934)
    pks-t authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    e74c93a View commit details
    Browse the repository at this point in the history
  133. efi: Increase default memory allocation to 32 MiB

    We have multiple reports of things being slower with a 1 MiB initial static
    allocation, and a report (more difficult to nail down) of a boot failure
    as a result of the smaller initial allocation.
    
    Make the initial memory allocation 32 MiB.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 75e38e8)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    a1d4228 View commit details
    Browse the repository at this point in the history
  134. mm: Try invalidate disk caches last when out of memory

    Every heap grow will cause all disk caches invalidated which decreases
    performance severely. This patch moves disk cache invalidation code to
    the last of memory squeezing measures. So, disk caches are released only
    when there are no other ways to get free memory.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Reviewed-by: Patrick Steinhardt <[email protected]>
    (cherry picked from commit 17975d1)
    zhangboyang authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    477fa2a View commit details
    Browse the repository at this point in the history
  135. ppc64le: signed boot media changes

    Skip mdraid < 1.1 on isos since mdraid* can't even
    
    Prior to this change, on ppc64le with part_msdos and the mdraid* modules
    enabled, we see:
    
        disk/diskfilter.c:191: scanning ieee1275/cdrom
        kern/disk.c:196: Opening `ieee1275/cdrom'...
        disk/ieee1275/ofdisk.c:477: Opening `cdrom'.
        disk/ieee1275/ofdisk.c:502: MAX_RETRIES set to 20
        kern/disk.c:288: Opening `ieee1275/cdrom' succeeded.
        disk/diskfilter.c:136: Scanning for DISKFILTER devices on disk ieee1275/cdrom
        partmap/msdos.c:184: partition 0: flag 0x80, type 0x96, start 0x0, len
        0x6a5d70
        disk/diskfilter.c:136: Scanning for DISKFILTER devices on disk ieee1275/cdrom
        SCSI-DISK: Access beyond end of device !
        SCSI-DISK: Access beyond end of device !
        SCSI-DISK: Access beyond end of device !
        SCSI-DISK: Access beyond end of device !
        SCSI-DISK: Access beyond end of device !
        disk/ieee1275/ofdisk.c:578: MAX_RETRIES set to 20
    
    These latter two lines repeat many times, eventually ending in:
    
        kern/disk.c:388: ieee1275/cdrom read failed
        error: ../../grub-core/disk/ieee1275/ofdisk.c:608:failure reading sector
        0x1a9720 from `ieee1275/cdrom'.
    
    and the system drops to a "grub>" prompt.
    
    Prior to 1.1, mdraid stored the superblock offset from the end of the
    disk, and the firmware really doesn't like reads there.  Best guess was
    that the firmware and the iso image appear to diagree on the blocksize
    (512 vs. 2048), and the diskfilter RAID probing is too much for it.
    It's tempting to just skip probing for cdroms, but unfortunately isos
    can be virtualized elsewhere - such as regular disks.
    
    Also fix detection of root, and try the chrp path as a fallback if the
    built prefix doesn't work.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    
    wip
    frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    de735a4 View commit details
    Browse the repository at this point in the history
  136. core: Fix several implicit function declarations

    These #include lines ensure that grub2 continues to build with C99
    where implicit function declarations are removed.
    
    Related to:
    
      <https://fedoraproject.org/wiki/Changes/PortingToModernC>
      <https://fedoraproject.org/wiki/Toolchain/PortingToModernC>
    submachine authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    f7d929e View commit details
    Browse the repository at this point in the history
  137. loader: Add support for grub-emu to kexec Linux menu entries

    The GRUB emulator is used as a debugging utility but it could also be
    used as a user-space bootloader if there is support to boot an operating
    system.
    
    The Linux kernel is already able to (re)boot another kernel via the
    kexec boot mechanism. So the grub-emu tool could rely on this feature
    and have linux and initrd commands that are used to pass a kernel,
    initramfs image and command line parameters to kexec for booting
    a selected menu entry.
    
    By default the systemctl kexec option is used so systemd can shutdown
    all of the running services before doing a reboot using kexec. But if
    this is not present, it can fall back to executing the kexec user-space
    tool directly. The ability to force a kexec-reboot when systemctl kexec
    fails must only be used in controlled environments to avoid possible
    filesystem corruption and data loss.
    
    Signed-off-by: Raymund Will <[email protected]>
    Signed-off-by: John Jolly <[email protected]>
    Signed-off-by: Javier Martinez Canillas <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit e364307)
    [rharwood: conflicts around makefile and grub_exit return code]
    rw4s authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ba26c2d View commit details
    Browse the repository at this point in the history
  138. powerpc: Drop Open Hack'Ware - remove GRUB_IEEE1275_FLAG_FORCE_CLAIM

    Open Hack'Ware was the only user. It added a lot of complexity.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 333e63b)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5434d57 View commit details
    Browse the repository at this point in the history
  139. ieee1275: request memory with ibm, client-architecture-support

    On PowerVM, the first time we boot a Linux partition, we may only get
    256MB of real memory area, even if the partition has more memory.
    
    This isn't enough to reliably verify a kernel. Fortunately, the Power
    Architecture Platform Reference (PAPR) defines a method we can call to ask
    for more memory: the broad and powerful ibm,client-architecture-support
    (CAS) method.
    
    CAS can do an enormous amount of things on a PAPR platform: as well as
    asking for memory, you can set the supported processor level, the interrupt
    controller, hash vs radix mmu, and so on.
    
    If:
    
     - we are running under what we think is PowerVM (compatible property of /
       begins with "IBM"), and
    
     - the full amount of RMA is less than 512MB (as determined by the reg
       property of /memory)
    
    then call CAS as follows: (refer to the Linux on Power Architecture
    Reference, LoPAR, which is public, at B.5.2.3):
    
     - Use the "any" PVR value and supply 2 option vectors.
    
     - Set option vector 1 (PowerPC Server Processor Architecture Level)
       to "ignore".
    
     - Set option vector 2 with default or Linux-like options, including a
       min-rma-size of 512MB.
    
     - Set option vector 3 to request Floating Point, VMX and Decimal Floating
       point, but don't abort the boot if we can't get them.
    
     - Set option vector 4 to request a minimum VP percentage to 1%, which is
       what Linux requests, and is below the default of 10%. Without this,
       some systems with very large or very small configurations fail to boot.
    
    This will cause a CAS reboot and the partition will restart with 512MB
    of RMA. Importantly, grub will notice the 512MB and not call CAS again.
    
    Notes about the choices of parameters:
    
     - A partition can be configured with only 256MB of memory, which would
       mean this request couldn't be satisfied, but PFW refuses to load with
       only 256MB of memory, so it's a bit moot. SLOF will run fine with 256MB,
       but we will never call CAS under qemu/SLOF because /compatible won't
       begin with "IBM".)
    
     - unspecified CAS vectors take on default values. Some of these values
       might restrict the ability of certain hardware configurations to boot.
       This is why we need to specify the VP percentage in vector 4, which is
       in turn why we need to specify vector 3.
    
    Finally, we should have enough memory to verify a kernel, and we will
    reach Linux. One of the first things Linux does while still running under
    OpenFirmware is to call CAS with a much fuller set of options (including
    asking for 512MB of memory). Linux includes a much more restrictive set of
    PVR values and processor support levels, and this CAS invocation will likely
    induce another reboot. On this reboot grub will again notice the higher RMA,
    and not call CAS. We will get to Linux again, Linux will call CAS again, but
    because the values are now set for Linux this will not induce another CAS
    reboot and we will finally boot all the way to userspace.
    
    On all subsequent boots, everything will be configured with 512MB of RMA,
    so there will be no further CAS reboots from grub. (phyp is super sticky
    with the RMA size - it persists even on cold boots. So if you've ever booted
    Linux in a partition, you'll probably never have grub call CAS. It'll only
    ever fire the first time a partition loads grub, or if you deliberately lower
    the amount of memory your partition has below 512MB.)
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Signed-off-by: Stefan Berger <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit d5571590b7de61887efac1c298901455697ba307)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    e6503c3 View commit details
    Browse the repository at this point in the history
  140. ieee1275: drop len -= 1 quirk in heap_init

    This was apparently 'required by some firmware': commit dc94685
    ("2007-02-12  Hollis Blanchard  <[email protected]>").
    
    It's not clear what firmware that was, and what platform from 14 years ago
    which exhibited the bug then is still both in use and buggy now.
    
    It doesn't cause issues on qemu (mac99 or pseries) or under PFW for Power8.
    
    I don't have access to old Mac hardware, but if anyone feels especially
    strongly we can put it under some feature flag. I really want to disable
    it under pseries because it will mess with region merging.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit fc639d430297321ee4f77c5d2d698f698cec0dc7)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    acedefb View commit details
    Browse the repository at this point in the history
  141. ieee1275: support runtime memory claiming

    On powerpc-ieee1275, we are running out of memory trying to verify
    anything. This is because:
    
     - we have to load an entire file into memory to verify it. This is
       difficult to change with appended signatures.
     - We only have 32MB of heap.
     - Distro kernels are now often around 30MB.
    
    So we want to be able to claim more memory from OpenFirmware for our heap
    at runtime.
    
    There are some complications:
    
     - The grub mm code isn't the only thing that will make claims on
       memory from OpenFirmware:
    
        * PFW/SLOF will have claimed some for their own use.
    
        * The ieee1275 loader will try to find other bits of memory that we
          haven't claimed to place the kernel and initrd when we go to boot.
    
        * Once we load Linux, it will also try to claim memory. It claims
          memory without any reference to /memory/available, it just starts
          at min(top of RMO, 768MB) and works down. So we need to avoid this
          area. See arch/powerpc/kernel/prom_init.c as of v5.11.
    
     - The smallest amount of memory a ppc64 KVM guest can have is 256MB.
       It doesn't work with distro kernels but can work with custom kernels.
       We should maintain support for that. (ppc32 can boot with even less,
       and we shouldn't break that either.)
    
     - Even if a VM has more memory, the memory OpenFirmware makes available
       as Real Memory Area can be restricted. Even with our CAS work, an LPAR
       on a PowerVM box is likely to have only 512MB available to OpenFirmware
       even if it has many gigabytes of memory allocated.
    
    What should we do?
    
    We don't know in advance how big the kernel and initrd are going to be,
    which makes figuring out how much memory we can take a bit tricky.
    
    To figure out how much memory we should leave unused, I looked at:
    
     - an Ubuntu 20.04.1 ppc64le pseries KVM guest:
        vmlinux: ~30MB
        initrd:  ~50MB
    
     - a RHEL8.2 ppc64le pseries KVM guest:
        vmlinux: ~30MB
        initrd:  ~30MB
    
    So to give us a little wriggle room, I think we want to leave at least
    128MB for the loader to put vmlinux and initrd in memory and leave Linux
    with space to satisfy its early allocations.
    
    Allow other space to be allocated at runtime.
    
    Tested-by: Stefan Berger <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    (cherry picked from commit a5c710789ccdd27a84ae4a34c7d453bd585e2b66)
    [rharwood: _start?]
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    23971c4 View commit details
    Browse the repository at this point in the history
  142. ieee1275: implement vec5 for cas negotiation

    As a legacy support, if the vector 5 is not implemented, Power Hypervisor will
    consider the max CPUs as 64 instead 256 currently supported during
    client-architecture-support negotiation.
    
    This patch implements the vector 5 and set the MAX CPUs to 256 while setting the
    others values to 0 (default).
    
    Signed-off-by: Diego Domingos <[email protected]>
    Acked-by: Daniel Axtens <[email protected]>
    Signed-off-by: Stefan Berger <[email protected]>
    Signed-off-by: Avnish Chouhan <[email protected]>
    (cherry picked from commit 942f19959fe7465fb52a1da39ff271a7ab704892)
    Diego Domingos authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    ee9c11d View commit details
    Browse the repository at this point in the history
  143. ibmvtpm: Add support for trusted boot using a vTPM 2.0

    Add support for trusted boot using a vTPM 2.0 on the IBM IEEE1275
    PowerPC platform. With this patch grub now measures text and binary data
    into the TPM's PCRs 8 and 9 in the same way as the x86_64 platform
    does.
    
    This patch requires Daniel Axtens's patches for claiming more memory.
    
    Note: The tpm_init() function cannot be called from GRUB_MOD_INIT() since
    it does not find the device nodes upon module initialization and
    therefore the call to tpm_init() must be deferred to grub_tpm_measure().
    
    For vTPM support to work on PowerVM, system driver levels 1010.30
    or 1020.00 are required.
    
    Note: Previous versions of firmware levels with the 2hash-ext-log
    API call have a bug that, once this API call is invoked, has the
    effect of disabling the vTPM driver under Linux causing an error
    message to be displayed in the Linux kernel log. Those users will
    have to update their machines to the firmware levels mentioned
    above.
    
    Cc: Eric Snowberg <[email protected]>
    Signed-off-by: Stefan Berger <[email protected]>
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 2aa5ef83743dfea79377309ff4f5e9c9a55de355)
    stefanberger authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    5142bbe View commit details
    Browse the repository at this point in the history
  144. powerpc: Drop Open Hack'Ware

    Open Hack'Ware was an alternative firmware of powerpc under QEMU.
    
    The last commit to any Open Hack'Ware repo I can find is from 2014 [1].
    
    Open Hack'Ware was used for the QEMU "prep" machine type, which was
    deprecated in QEMU in commit 54c86f5a4844 (hw/ppc: deprecate the
    machine type 'prep', replaced by '40p') in QEMU v3.1, and had reportedly
    been broken for years before without anyone noticing. Support was removed
    in February 2020 by commit b2ce76a0730e (hw/ppc/prep: Remove the
    deprecated "prep" machine and the OpenHackware BIOS).
    
    Open Hack'Ware's limitations require some messy code in GRUB. This
    complexity is not worth carrying any more.
    
    Remove detection of Open Hack'Ware. We will clean up the feature flags
    in following commits.
    
    [1]: https://github.com/qemu/openhackware and
         https://repo.or.cz/w/openhackware.git are QEMU submodules. They have
         only small changes on top of OHW v0.4.1, which was imported into
         QEMU SCM in 2010. I can't find anything resembling an official repo
         any more.
    
    Signed-off-by: Daniel Axtens <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit f9ce538)
    daxtens authored and frozencemetery committed Feb 8, 2023
    Configuration menu
    Copy the full SHA
    7f8daed View commit details
    Browse the repository at this point in the history

Commits on Feb 16, 2023

  1. osdep/linux/hostdisk: Modify sector by sysfs as disk sector

    The disk sector size provided by sysfs file system considers the sector
    size of 512 irrespective of disk sector size, thus causing the read by
    the GRUB to an incorrect offset from what was originally intended.
    
    Considering the 512 sector size of sysfs data the actual sector needs to
    be modified corresponding to disk sector size.
    
    Signed-off-by: Mukesh Kumar Chaurasiya <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit f756484)
    Mukesh Kumar Chaurasiya authored and frozencemetery committed Feb 16, 2023
    Configuration menu
    Copy the full SHA
    de07df2 View commit details
    Browse the repository at this point in the history

Commits on Feb 20, 2023

  1. mm: Adjust new region size to take management overhead into account

    When grub_memalign() encounters out-of-memory, it will try
    grub_mm_add_region_fn() to request more memory from system firmware.
    However, the size passed to it doesn't take region management overhead
    into account. Adding a memory area of "size" bytes may result in a heap
    region of less than "size" bytes really available. Thus, the new region
    may not be adequate for current allocation request, confusing
    out-of-memory handling code.
    
    This patch introduces GRUB_MM_MGMT_OVERHEAD to address the region
    management overhead (e.g. metadata, padding). The value of this new
    constant must be large enough to make sure grub_memalign(align, size)
    always succeeds after a successful call to
      grub_mm_init_region(addr, size + align + GRUB_MM_MGMT_OVERHEAD),
    for any given addr and size (assuming no integer overflow).
    
    The size passed to grub_mm_add_region_fn() is now correctly adjusted,
    thus if grub_mm_add_region_fn() succeeded, current allocation request
    can always succeed.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 2282cbf)
    zhangboyang authored and frozencemetery committed Feb 20, 2023
    Configuration menu
    Copy the full SHA
    9a2887f View commit details
    Browse the repository at this point in the history
  2. mm: Preallocate some space when adding new regions

    When grub_memalign() encounters out-of-memory, it will try
    grub_mm_add_region_fn() to request more memory from system firmware.
    However, it doesn't preallocate memory space for future allocation
    requests. In extreme cases, it requires one call to
    grub_mm_add_region_fn() for each memory allocation request. This can
    be very slow.
    
    This patch introduces GRUB_MM_HEAP_GROW_EXTRA, the minimal heap growth
    granularity. The new region size is now set to the bigger one of its
    original value and GRUB_MM_HEAP_GROW_EXTRA. Thus, it will result in some
    memory space preallocated if current allocations request is small.
    
    The value of GRUB_MM_HEAP_GROW_EXTRA is set to 1MB. If this value is
    smaller, the cost of small memory allocations will be higher. If this
    value is larger, more memory will be wasted and it might cause
    out-of-memory on machines with small amount of RAM.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 21869ba)
    zhangboyang authored and frozencemetery committed Feb 20, 2023
    Configuration menu
    Copy the full SHA
    c9176ae View commit details
    Browse the repository at this point in the history
  3. mm: Avoid complex heap growth math in hot path

    We do a lot of math about heap growth in hot path of grub_memalign().
    However, the result is only used if out of memory is encountered, which
    is seldom.
    
    This patch moves these calculations away from hot path. These
    calculations are now only done if out of memory is encountered. This
    change can also help compiler to optimize integer overflow checks away.
    
    Signed-off-by: Zhang Boyang <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 65bc459)
    zhangboyang authored and frozencemetery committed Feb 20, 2023
    Configuration menu
    Copy the full SHA
    61616e1 View commit details
    Browse the repository at this point in the history

Commits on Mar 9, 2023

  1. hostdisk: work around /proc not reporting size

    fstat(2) of files in /proc will yield st_size == 0 regardless of file
    contents.  Use a negative value in grub_file_t's size to denote "ignore"
    and plumb through.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Mar 9, 2023
    Configuration menu
    Copy the full SHA
    68005f2 View commit details
    Browse the repository at this point in the history
  2. blscfg: check for mounted /boot in emu

    Irritatingly, BLS defines paths relatives to the mountpoint of the
    filesystem which contains its snippets, not / or any other fixed
    location.  So grub2-emu needs to know whether /boot is a separate
    filesysem from / and conditionally prepend a path.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Mar 9, 2023
    Configuration menu
    Copy the full SHA
    f636470 View commit details
    Browse the repository at this point in the history

Commits on Mar 22, 2023

  1. emu/linux: work around systemctl kexec returning

    Per systemctl(1), it "is asynchronous; it will return after the reboot
    operation is enqueued, without waiting for it to complete".  This
    differs from kexec(8), which calls reboot(2) and therefore does not
    return.
    
    When not using fallback, this results in the confusing-but-harmless:
    
        error trying to perform 'systemctl kexec': 0
        Aborted. Press any key to exit.
    
    on screen for a bit, followed by successful kexec.
    
    To reduce the liklihood of hitting this case, add a delay on succesful
    return.  Ultimately, the systemd interface is racy: we can't avoid it
    entirely unless we never fallback on success.
    
    Signed-off-by: Robbie Harwood <[email protected]>
    frozencemetery committed Mar 22, 2023
    Configuration menu
    Copy the full SHA
    43aed52 View commit details
    Browse the repository at this point in the history

Commits on Mar 30, 2023

  1. kern/ieee1275/init: Convert plain numbers to constants in Vec5

    This patch converts the plain numbers used in Vec5 properties to constants.
    
    1. LPAR: Client program supports logical partitioning and
       associated hcall()s.
    2. SPLPAR: Client program supports the Shared
       Processor LPAR Option.
    3. CMO: Enables the Cooperative Memory Over-commitment Option.
    4. MAX_CPU: Defines maximum number of CPUs supported.
    
    Signed-off-by: Avnish Chouhan <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 8406cfe)
    AvnishChouhan-IBM authored and frozencemetery committed Mar 30, 2023
    Configuration menu
    Copy the full SHA
    ae0100d View commit details
    Browse the repository at this point in the history
  2. kern/ieee1275/init: Extended support in Vec5

    This patch enables multiple options in Vec5 which are required and
    solves the boot issues seen on some machines which are looking for
    these specific options.
    
    1. LPAR: Client program supports logical partitioning and
       associated hcall()s.
    2. SPLPAR: Client program supports the Shared
       Processor LPAR Option.
    3. DYN_RCON_MEM: Client program supports the
       “ibm,dynamic-reconfiguration-memory” property and it may be
       presented in the device tree.
    4. LARGE_PAGES: Client supports pages larger than 4 KB.
    5. DONATE_DCPU_CLS: Client supports donating dedicated processor cycles.
    6. PCI_EXP: Client supports PCI Express implementations
       utilizing Message Signaled Interrupts (MSIs).
    
    7. CMOC: Enables the Cooperative Memory Over-commitment Option.
    8. EXT_CMO: Enables the Extended Cooperative Memory Over-commit Option.
    
    9. ASSOC_REF: Enables “ibm,associativity” and
       “ibm,associativity-reference-points” properties.
    10. AFFINITY: Enables Platform Resource Reassignment Notification.
    11. NUMA: Supports NUMA Distance Lookup Table Option.
    
    12. HOTPLUG_INTRPT: Supports Hotplug Interrupts.
    13. HPT_RESIZE: Enable Hash Page Table Resize Option.
    
    14. MAX_CPU: Defines maximum number of CPUs supported.
    
    15. PFO_HWRNG: Supports Random Number Generator.
    16. PFO_HW_COMP: Supports Compression Engine.
    17. PFO_ENCRYPT: Supports Encryption Engine.
    
    18. SUB_PROCESSORS: Supports Sub-Processors.
    
    19. DY_MEM_V2: Client program supports the “ibm,dynamic-memory-v2” property in the
        “ibm,dynamic-reconfiguration-memory” node and it may be presented in the device tree.
    20. DRC_INFO: Client program supports the “ibm,drc-info” property definition and it may be
        presented in the device tree.
    
    Signed-off-by: Avnish Chouhan <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 98d0df0)
    AvnishChouhan-IBM authored and frozencemetery committed Mar 30, 2023
    Configuration menu
    Copy the full SHA
    2becfab View commit details
    Browse the repository at this point in the history
  3. tpm: Disable the tpm verifier if the TPM device is not present

    When the tpm module is loaded, the verifier reads entire file into
    memory, measures it and uses verified content as a backing buffer for
    file accesses. However, this process may result in high memory
    utilization for file operations, sometimes causing a system to run out
    of memory which may finally lead to boot failure. To address this issue,
    among others, the commit 887f98f (mm: Allow dynamically requesting
    additional memory regions) have optimized memory management by
    dynamically allocating heap space to maximize memory usage and reduce
    threat of memory exhaustion. But in some cases problems may still arise,
    e.g., when large ISO images are mounted using loopback or when dealing
    with embedded systems with limited memory resources.
    
    Unfortunately current implementation of the tpm module doesn't allow
    elimination of the back buffer once it is loaded. Even if the TPM device
    is not present or it has been explicitly disabled. This may unnecessary
    allocate a lot memory. To solve this issue, a patch has been developed
    to detect the TPM status at module load and skip verifier registration
    if the device is missing or deactivated. This prevents allocation of
    memory for the back buffer, avoiding wasting memory when no real measure
    boot functionality is performed. Disabling the TPM device in the system
    can reduce memory usage in the GRUB. It is useful in scenarios where
    high memory utilization is a concern and measurements of loaded
    artifacts are not necessary.
    
    Signed-off-by: Michael Chang <[email protected]>
    Signed-off-by: Stefan Berger <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    (cherry picked from commit 30708df)
    WenhuaChang authored and frozencemetery committed Mar 30, 2023
    Configuration menu
    Copy the full SHA
    b09440d View commit details
    Browse the repository at this point in the history

Commits on Apr 10, 2023

  1. grub_dl_set_mem_attrs(): fix format string

    The grub_dprintf() call for printing the message
    
      updating attributes for GOT and trampolines
    
    passes the argument "mod->name", but the format string doesn't accept that
    argument.
    
    Print the module name too.
    
    Example output:
    
    > kern/dl.c:736: updating attributes for GOT and trampolines ("video_fb")
    
    Fixes: ad1b904 (nx: set page permissions for loaded modules.)
    Signed-off-by: Laszlo Ersek <[email protected]>
    lersek authored and frozencemetery committed Apr 10, 2023
    Configuration menu
    Copy the full SHA
    ee58dd7 View commit details
    Browse the repository at this point in the history
  2. grub_dl_set_mem_attrs(): add self-check for the tramp/GOT sizes

    On aarch64 UEFI, we currently have a crasher:
    
      grub_dl_load_core()
        grub_dl_load_core_noinit()
    
          /* independent allocation: must remain writable */
          mod = grub_zalloc();
    
          /* allocates module image with incorrect tail alignment */
          grub_dl_load_segments()
    
          /* write-protecting the module image makes "mod" read-only! */
          grub_dl_set_mem_attrs()
            grub_update_mem_attrs()
    
        grub_dl_init()
          /* page fault, crash */
          mod->next = ...;
    
    - Commit 887f1d8 ("modules: load module sections at page-aligned
      addresses", 2023-02-08) forgot to page-align the allocation of the
      trampolines and GOT areas of grub2 modules, in grub_dl_load_segments().
    
    - Commit ad1b904 ("nx: set page permissions for loaded modules.",
      2023-02-08) calculated a common bounding box for the trampolines and GOT
      areas in grub_dl_set_mem_attrs(), rounded the box size up to a whole
      multiple of EFI page size ("arch_addralign"), and write-protected the
      resultant page range.
    
    Consequently, grub_dl_load_segments() places the module image in memory
    such that its tail -- the end of the trampolines and GOT areas -- lands at
    the head of a page whose tail in turn contains independent memory
    allocations, such as "mod". grub_dl_set_mem_attrs() will then unwittingly
    write-protect these other allocations too.
    
    But "mod" must remain writable: we assign "mod->next" in grub_dl_init()
    subsequently. Currently we crash there with a page fault / permission
    fault.
    
    (The crash is not trivial to hit: the tramp/GOT areas are irrelevant on
    x86_64, plus the page protection depends on the UEFI platform firmware
    providing EFI_MEMORY_ATTRIBUTE_PROTOCOL. In practice, the crash is
    restricted to aarch64 edk2 (ArmVirtQemu) builds containing commit
    1c4dfadb4611, "ArmPkg/CpuDxe: Implement EFI memory attributes protocol",
    2023-03-16.)
    
    Example log before the patch:
    
    > kern/dl.c:736: updating attributes for GOT and trampolines ("video_fb")
    > kern/efi/mm.c:927: set +rx -w on 0x13b88b000-0x13b88bfff before:rwx after:r-x
    > kern/dl.c:744: done updating module memory attributes for "video_fb"
    > kern/dl.c:639: flushing 0xe4f0 bytes at 0x13b87d000
    > kern/arm64/cache.c:42: D$ line size: 64
    > kern/arm64/cache.c:43: I$ line size: 64
    > kern/dl.c:839: module name: video_fb
    > kern/dl.c:840: init function: 0x0
    > kern/dl.c:865: Initing module video_fb
    >
    > Synchronous Exception at 0x000000013B8A76EC
    > PC 0x00013B8A76EC
    >
    >   X0 0x000000013B88B960   X1 0x0000000000000000   X2 0x000000013F93587C   X3 0x0000000000000075
    >
    >   SP 0x00000000470745C0  ELR 0x000000013B8A76EC  SPSR 0x60000205  FPSR 0x00000000
    >  ESR 0x9600004F          FAR 0x000000013B88B9D0
    >
    >  ESR : EC 0x25  IL 0x1  ISS 0x0000004F
    >
    > Data abort: Permission fault, third level
    
    Note the following:
    
    - The whole 4K page at 0x1_3B88_B000 is write-protected.
    
    - The "video_fb" module actually lives at [0x1_3B87_D000, 0x1_3B88_B4F0)
      -- left-inclusive, right-exclusive --; that is, in the last page (at
      0x1_3B88_B000), it only occupies the first 0x4F0 bytes.
    
    - The instruction at 0x1_3B8A_76EC faults. Not shown here, but it is a
      store instruction, which writes to the field at offset 0x70 of the
      structure pointed-to by the X0 register. This is the "mod->next"
      assignment from grub_dl_init().
    
    - The faulting address is therefore (X0 + 0x70), i.e., 0x1_3B88_B9D0. This
      is indeed the value held in the FAR register.
    
    - The faulting address 0x1_3B88_B9D0 falls in the above-noted page (at
      0x1_3B88_B000), namely at offset 0x9D0. This is *beyond* the first 0x4F0
      bytes that the very tail of the "video_fb" module occupies at the front
      of that page.
    
    For now, add a self-check that reports this bug (and prevents the crash by
    skipping the write protection).
    
    Example log after the patch:
    
    > kern/dl.c:742:BUG: trying to protect pages outside of module allocation
    > ("video_fb"): module base 0x13b87d000, size 0xe4f0; tramp/GOT base
    > 0x13b88b000, size 0x1000
    
    Signed-off-by: Laszlo Ersek <[email protected]>
    lersek authored and frozencemetery committed Apr 10, 2023
    Configuration menu
    Copy the full SHA
    deb4c03 View commit details
    Browse the repository at this point in the history
  3. grub_dl_load_segments(): page-align the tramp/GOT areas too

    The tramp/GOT write-protection in grub_dl_set_mem_attrs() requires that
    the tramp/GOT areas of the module image *not* share a page with any other
    memory allocations. Page-align the tramp/GOT areas, while satisfying their
    intrinsic alignment requirements too.
    
    Fixes: 887f1d8 (modules: load module sections at page-aligned addresses)
    Fixes: ad1b904 (nx: set page permissions for loaded modules.)
    Signed-off-by: Laszlo Ersek <[email protected]>
    lersek authored and frozencemetery committed Apr 10, 2023
    Configuration menu
    Copy the full SHA
    c3569e4 View commit details
    Browse the repository at this point in the history

Commits on Apr 12, 2023

  1. emu: Add switch-root to grub-emu

    If the kernel running grub emu is the same as the one we want to
    boot, it makes sense that we just switch-root instead of kexec
    the same kernel again by doing grub2-emu --switch-root
    
    Signed-off-by: Nicolas Frayer <[email protected]>
    nfrayer authored and frozencemetery committed Apr 12, 2023
    Configuration menu
    Copy the full SHA
    7de33f4 View commit details
    Browse the repository at this point in the history

Commits on Aug 8, 2023

  1. util: Enable default kernel for updates

    Several kernel variants can be installed on a system in parallel.
    In order to allow the user to choose which kernel will be set to
    default after an update, re-enable grub's usage of DEFAULTKERNEL as
    set in /etc/sysconfig/kernel
    
    Signed-off-by: Marta Lewandowska <[email protected]>
    marta-lewandowska authored and nfrayer committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    c98f9ea View commit details
    Browse the repository at this point in the history
  2. efi/http: change uint32_t to uintn_t

    Modify UINT32 to UINTN in EFI_HTTP_MESSAGE to
    be UEFI 2.9 compliant.
    
    Signed-off-by: Keng-Yu Lin <[email protected]>
    Signed-off-by: Nicolas Frayer <[email protected]>
    keng-yu authored and nfrayer committed Aug 8, 2023
    Configuration menu
    Copy the full SHA
    205b7b4 View commit details
    Browse the repository at this point in the history

Commits on Sep 11, 2023

  1. Add [Install] section to aux systemd units

    Currently in Fedora, these services are statically enabled by symlinks,
    with no other way to disable them than to manually delete those symlinks.
    This is problematic in Fedora IoT, where grub-boot-success.timer is
    not supposed to be enabled.
    
    This change adds `[Install]` sections to all systemd units that are
    currently enabled statically, so that they can be enabled dynamically
    via presets or manually instead.
    LorbusChris authored and nfrayer committed Sep 11, 2023
    Configuration menu
    Copy the full SHA
    46ca707 View commit details
    Browse the repository at this point in the history
  2. arm64: Use proper memory type for kernel allocation

    Currently, the kernel pages are allocated with type EFI_LOADER_DATA.
    While the vast majority of systems will happily execute code from those
    pages (i.e. don't care about memory protection), the Microsoft Surface
    Pro X stalls, as this memory is not designated as "executable".
    
    Therefore, allocate the kernel pages as EFI_LOADER_CODE to request
    memory that is actually executable.
    
    Signed-off-by: Maximilian Luz <[email protected]>
    qzed authored and nfrayer committed Sep 11, 2023
    Configuration menu
    Copy the full SHA
    dcfbf44 View commit details
    Browse the repository at this point in the history

Commits on Sep 29, 2023

  1. Fix missing #include in ofdisk.c

    Recently we started building with -Werror=implicit-function-declaration,
    and discovered that ofdisk.c is missing an include to declare
    grub_env_get().
    
    This patch adds that #include.
    
    Signed-off-by: Peter Jones <[email protected]>
    vathpela committed Sep 29, 2023
    Configuration menu
    Copy the full SHA
    2921df0 View commit details
    Browse the repository at this point in the history

Commits on Oct 16, 2023

  1. add flag to only search root dev

    fixes bz#2223437
    
    Signed-off-by: Marta Lewandowska <[email protected]>
    marta-lewandowska authored and nfrayer committed Oct 16, 2023
    Configuration menu
    Copy the full SHA
    8cfc6a3 View commit details
    Browse the repository at this point in the history

Commits on Oct 20, 2023

  1. kern/ieee1275/init: ppc64: Restrict high memory in presence of fadump

    When a kernel dump is present then restrict the high memory regions to
    avoid allocating memory where the kernel dump resides. Use the
    ibm,kernel-dump node under /rtas to determine whether a kernel dump exists
    and up to which limit grub can use available memory. Set the
    upper_mem_limit to the size of the kernel dump section of type
    'REAL_MODE_REGION' and therefore only allow grub's memory usage for high
    addresses from RMO_ADDR_MAX to 'upper_mem_limit'. This means that grub can
    use high memory in the range of RMO_ADDR_MAX (768MB) to upper_mem_limit and
    the kernel-dump memory regions above 'upper_mem_limit' remain untouched.
    This change has no effect on memory allocations below 'linux_rmo_save'
    (typically at 640MB).
    
    Also, fall back to allocating below rmo_linux_save in case the chunk of
    memory there would be larger than the chunk of memory above RMO_ADDR_MAX.
    This can for example occur if a free memory area is found starting at 300MB
    extending up to 1GB but a kernel dump is located at 768MB and therefore
    does not allow the allocation of the high memory area but requiring to use
    the chunk starting at 300MB to avoid an unnecessary out-of-memory
    condition.
    
    Signed-off-by: Stefan Berger <[email protected]>
    Reviewed-by: Hari Bathini <[email protected]>
    Cc: Pavithra Prakash <[email protected]>
    Cc: Michael Ellerman <[email protected]>
    Cc: Carolyn Scherrer <[email protected]>
    Cc: Mahesh Salgaonkar <[email protected]>
    Cc: Sourabh Jain <[email protected]>
    
    ---
    
    v2: check_kernel dump returns void now
    stefanberger authored and nfrayer committed Oct 20, 2023
    Configuration menu
    Copy the full SHA
    9f0f2df View commit details
    Browse the repository at this point in the history

Commits on Nov 7, 2023

  1. grub-install on EFI if forced

    UEFI Secure Boot requires signed grub binaries to work, so grub-
    install should not be used. However, users who have Secure Boot
    disabled and wish to use the command should not be prevented from
    doing so if they invoke --force.
    
    fixes bz#1917213 / bz#2240994
    
    Signed-off-by: Marta Lewandowska <[email protected]>
    marta-lewandowska authored and nfrayer committed Nov 7, 2023
    Configuration menu
    Copy the full SHA
    0d383a5 View commit details
    Browse the repository at this point in the history

Commits on Nov 14, 2023

  1. Configuration menu
    Copy the full SHA
    522adbf View commit details
    Browse the repository at this point in the history

Commits on Nov 30, 2023

  1. fs: Remove trailing whitespaces

    Signed-off-by: Elyes Haouas <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    ElyesH authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    4017d58 View commit details
    Browse the repository at this point in the history
  2. fs/xfs: Fix memory leaks in XFS module

    Signed-off-by: t.feng <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    t.feng authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    172fdee View commit details
    Browse the repository at this point in the history
  3. fs/xfs: Fix issues found while fuzzing the XFS filesystem

    While performing fuzz testing with XFS filesystem images with ASAN
    enabled, several issues were found where the memory accesses are made
    beyond the data that is allocated into the struct grub_xfs_data
    structure's data field.
    
    The existing structure didn't store the size of the memory allocated into
    the buffer in the data field and had no way to check it. To resolve these
    issues, the data size is stored to enable checks into the data buffer.
    
    With these checks in place, the fuzzing corpus no longer cause any crashes.
    
    Signed-off-by: Darren Kenny <[email protected]>
    Signed-off-by: Robbie Harwood <[email protected]>
    Signed-off-by: Marta Lewandowska <[email protected]>
    Signed-off-by: Lidong Chen <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    darrenkenny authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    64b189b View commit details
    Browse the repository at this point in the history
  4. fs/xfs: Incorrect short form directory data boundary check

    After parsing of the current entry, the entry pointer is advanced
    to the next entry at the end of the "for" loop. In case where the
    last entry is at the end of the data boundary, the advanced entry
    pointer can point off the data boundary. The subsequent boundary
    check for the advanced entry pointer can cause a failure.
    
    The fix is to include the boundary check into the "for" loop
    condition.
    
    Signed-off-by: Lidong Chen <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Sebastian Andrzej Siewior <[email protected]>
    Tested-by: Marta Lewandowska <[email protected]>
    Lidong Chen authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    0545461 View commit details
    Browse the repository at this point in the history
  5. fs/xfs: Fix XFS directory extent parsing

    The XFS directory entry parsing code has never been completely correct
    for extent based directories. The parser correctly handles the case
    where the directory is contained in a single extent, but then mistakenly
    assumes the data blocks for the multiple extent case are each identical
    to the single extent case. The difference in the format of the data
    blocks between the two cases is tiny enough that its gone unnoticed for
    a very long time.
    
    A recent change introduced some additional bounds checking into the XFS
    parser. Like GRUB's existing parser, it is correct for the single extent
    case but incorrect for the multiple extent case. When parsing a directory
    with multiple extents, this new bounds checking is sometimes (but not
    always) tripped and triggers an "invalid XFS directory entry" error. This
    probably would have continued to go unnoticed but the /boot/grub/<arch>
    directory is large enough that it often has multiple extents.
    
    The difference between the two cases is that when there are multiple
    extents, the data blocks do not contain a trailer nor do they contain
    any leaf information. That information is stored in a separate set of
    extents dedicated to just the leaf information. These extents come after
    the directory entry extents and are not included in the inode size. So
    the existing parser already ignores the leaf extents.
    
    The only reason to read the trailer/leaf information at all is so that
    the parser can avoid misinterpreting that data as directory entries. So
    this updates the parser as follows:
    
    For the single extent case the parser doesn't change much:
    1. Read the size of the leaf information from the trailer
    2. Set the end pointer for the parser to the start of the leaf
       information. (The previous bounds checking set the end pointer to the
       start of the trailer, so this is actually a small improvement.)
    3. Set the entries variable to the expected number of directory entries.
    
    For the multiple extent case:
    1. Set the end pointer to the end of the block.
    2. Do not set up the entries variable. Figuring out how many entries are
       in each individual block is complex and does not seem worth it when
       it appears to be safe to just iterate over the entire block.
    
    The bounds check itself was also dependent upon the faulty XFS parser
    because it accidentally used "filename + length - 1". Presumably this
    was able to pass the fuzzer because in the old parser there was always
    8 bytes of slack space between the tail pointer and the actual end of
    the block. Since this is no longer the case the bounds check needs to be
    updated to "filename + length + 1" in order to prevent a regression in
    the handling of corrupt fliesystems.
    
    Notes:
    * When there is only one extent there will only ever be one block. If
      more than one block is required then XFS will always switch to holding
      leaf information in a separate extent.
    * B-tree based directories seems to be parsed properly by the same code
      that handles multiple extents. This is unlikely to ever occur within
      /boot though because its only used when there are an extremely large
      number of directory entries.
    
    Fixes: ef7850c (fs/xfs: Fix issues found while fuzzing the XFS filesystem)
    Fixes: b2499b2 (Adds support for the XFS filesystem.)
    Fixes: https://savannah.gnu.org/bugs/?64376
    
    Signed-off-by: Jon DeVree <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Sebastian Andrzej Siewior <[email protected]>
    Tested-by: Marta Lewandowska <[email protected]>
    nuxi authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    a558246 View commit details
    Browse the repository at this point in the history
  6. fs/xfs: Add large extent counters incompat feature support

    XFS introduced 64-bit extent counters for inodes via a series of
    upstream commits and the feature was marked as stable in v6.5 via
    commit 61d7e8274cd8 (xfs: drop EXPERIMENTAL tag for large extent
    counts).
    
    Further, xfsprogs release v6.5.0 switched this feature on by default
    in mkfs.xfs via commit e5b18d7d1d96 (mkfs: enable large extent counts
    by default).
    
    Filesystems formatted with large extent count support, nrext64=1, are
    thus currently not recognizable by GRUB, since this is an incompat
    feature. Add the required support so that those filesystems and inodes
    with large extent counters can be read by GRUB.
    
    Signed-off-by: Anthony Iliopoulos <[email protected]>
    Reviewed-by: Andrey Albershteyn <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Tested-by: Marta Lewandowska <[email protected]>
    Tested-by: Sebastian Andrzej Siewior <[email protected]>
    Anthony Iliopoulos authored and vathpela committed Nov 30, 2023
    Configuration menu
    Copy the full SHA
    4fb2d96 View commit details
    Browse the repository at this point in the history

Commits on Dec 22, 2023

  1. chainloader: remove device path debug message

    Remove the debug message "/EndEntire" while using GRUB chainloader command.
    
    Signed-off-by: raravind  <[email protected]>
    (cherry picked from commit f75f538)
    raravind007 authored and nfrayer committed Dec 22, 2023
    Configuration menu
    Copy the full SHA
    c7572f1 View commit details
    Browse the repository at this point in the history

Commits on Feb 7, 2024

  1. grub-set-bootflag: Conservative partial fix for CVE-2024-1048

    Following up on CVE-2019-14865 and taking a fresh look at
    grub2-set-bootflag now (through my work at CIQ on Rocky Linux), I saw some
    other ways in which users could still abuse this little program:
    
    1. After CVE-2019-14865 fix, grub2-set-bootflag no longer rewrites the
    grubenv file in-place, but writes into a temporary file and renames it
    over the original, checking for error returns from each call first.
    This prevents the original file truncation vulnerability, but it can
    leave the temporary file around if the program is killed before it can
    rename or remove the file.  There are still many ways to get the program
    killed, such as through RLIMIT_FSIZE triggering SIGXFSZ (tested,
    reliable) or by careful timing (tricky) of signals sent by process group
    leader, pty, pre-scheduled timers, SIGXCPU (probably not an exhaustive
    list).  Invoking the program multiple times fills up /boot (or if /boot
    is not separate, then it can fill up the root filesystem).  Since the
    files are tiny, the filesystem is likely to run out of free inodes
    before it'd run out of blocks, but the effect is similar - can't create
    new files after this point (but still can add data to existing files,
    such as logs).
    
    2. After CVE-2019-14865 fix, grub2-set-bootflag naively tries to protect
    itself from signals by becoming full root.  (This does protect it from
    signals sent by the user directly to the PID, but e.g. "kill -9 -1" by
    the user still works.)  A side effect of such "protection" is that it's
    possible to invoke more concurrent instances of grub2-set-bootflag than
    the user's RLIMIT_NPROC would normally permit (as specified e.g. in
    /etc/security/limits.conf, or say in Apache httpd's RLimitNPROC if
    grub2-set-bootflag would be abused by a website script), thereby
    exhausting system resources (e.g., bypassing RAM usage limit if
    RLIMIT_AS was also set).
    
    3. umask is inherited.  Again, due to how the CVE-2019-14865 fix creates
    a new file, and due to how mkstemp() works, this affects grubenv's new
    file permissions.  Luckily, mkstemp() forces them to be no more relaxed
    than 0600, but the user ends up being able to set them e.g. to 0.
    Luckily, at least in my testing GRUB still works fine even when the file
    has such (lack of) permissions.
    
    This commit deals with the abuses above as follows:
    
    1. RLIMIT_FSIZE is pre-checked, so this specific way to get the process
    killed should no longer work.  However, this isn't a complete fix
    because there are other ways to get the process killed after it has
    created the temporary file.
    
    The commit also fixes bug 1975892 ("RFE: grub2-set-bootflag should not
    write the grubenv when the flag being written is already set") and
    similar for "menu_show_once", which further reduces the abuse potential.
    
    2. RLIMIT_NPROC bypass should be avoided by not becoming full root (aka
    dropping the partial "kill protection").
    
    3. A safe umask is set.
    
    This is a partial fix (temporary files can still accumulate, but this is
    harder to trigger).
    
    While at it, this commit also fixes potential 1- or 2-byte over-read of
    env[] if its content is malformed - this was not a security issue since the
    grubenv file is trusted input, and the fix is just for robustness.
    
    Signed-off-by: Solar Designer <[email protected]>
    solardiz authored and nfrayer committed Feb 7, 2024
    Configuration menu
    Copy the full SHA
    fb31d80 View commit details
    Browse the repository at this point in the history
  2. grub-set-bootflag: More complete fix for CVE-2024-1048

    Switch to per-user fixed temporary filenames along with a weird locking
    mechanism, which is explained in source code comments.  This is a more
    complete fix than the previous commit (temporary files can't accumulate).
    Unfortunately, it introduces new risks (by working on a temporary file
    shared between the user's invocations), which are _hopefully_ avoided by
    the patch's elaborate logic.  I actually got it wrong at first, which
    suggests that this logic is hard to reason about, and more errors or
    omissions are possible.  It also relies on the kernel's primitives' exact
    semantics to a greater extent (nothing out of the ordinary, though).
    
    Remaining issues that I think cannot reasonably be fixed without a
    redesign (e.g., having per-flag files with nothing else in them) and
    without introducing new issues:
    
    A. A user can still revert a concurrent user's attempt of setting the
    other flag - or of making other changes to grubenv by means other than
    this program.
    
    B. One leftover temporary file per user is still possible.
    
    Signed-off-by: Solar Designer <[email protected]>
    solardiz authored and nfrayer committed Feb 7, 2024
    Configuration menu
    Copy the full SHA
    074973a View commit details
    Browse the repository at this point in the history
  3. grub-set-bootflag: Exit calmly when not running as root

    Exit calmly when not installed SUID root and invoked by non-root.  This
    allows installing user/grub-boot-success.service unconditionally while
    supporting non-SUID installation of the program for some limited usage.
    
    Signed-off-by: Solar Designer <[email protected]>
    solardiz authored and nfrayer committed Feb 7, 2024
    Configuration menu
    Copy the full SHA
    5425919 View commit details
    Browse the repository at this point in the history

Commits on Apr 5, 2024

  1. fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute …

    …for the $MFT file
    
    When parsing an extremely fragmented $MFT file, i.e., the file described
    using the $ATTRIBUTE_LIST attribute, current NTFS code will reuse a buffer
    containing bytes read from the underlying drive to store sector numbers,
    which are consumed later to read data from these sectors into another buffer.
    
    These sectors numbers, two 32-bit integers, are always stored at predefined
    offsets, 0x10 and 0x14, relative to first byte of the selected entry within
    the $ATTRIBUTE_LIST attribute. Usually, this won't cause any problem.
    
    However, when parsing a specially-crafted file system image, this may cause
    the NTFS code to write these integers beyond the buffer boundary, likely
    causing the GRUB memory allocator to misbehave or fail. These integers contain
    values which are controlled by on-disk structures of the NTFS file system.
    
    Such modification and resulting misbehavior may touch a memory range not
    assigned to the GRUB and owned by firmware or another EFI application/driver.
    
    This fix introduces checks to ensure that these sector numbers are never
    written beyond the boundary.
    
    Fixes: CVE-2023-4692
    
    Reported-by: Maxim Suhanov <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    d1d0c0d View commit details
    Browse the repository at this point in the history
  2. fs/ntfs: Fix an OOB read when reading data from the resident $DATA at…

    …tribute
    
    When reading a file containing resident data, i.e., the file data is stored in
    the $DATA attribute within the NTFS file record, not in external clusters,
    there are no checks that this resident data actually fits the corresponding
    file record segment.
    
    When parsing a specially-crafted file system image, the current NTFS code will
    read the file data from an arbitrary, attacker-chosen memory offset and of
    arbitrary, attacker-chosen length.
    
    This allows an attacker to display arbitrary chunks of memory, which could
    contain sensitive information like password hashes or even plain-text,
    obfuscated passwords from BS EFI variables.
    
    This fix implements a check to ensure that resident data is read from the
    corresponding file record segment only.
    
    Fixes: CVE-2023-4693
    
    Reported-by: Maxim Suhanov <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    ca53ebf View commit details
    Browse the repository at this point in the history
  3. fs/ntfs: Fix an OOB read when parsing directory entries from resident…

    … and non-resident index attributes
    
    This fix introduces checks to ensure that index entries are never read
    beyond the corresponding directory index.
    
    The lack of this check is a minor issue, likely not exploitable in any way.
    
    Reported-by: Maxim Suhanov <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    cd3ea53 View commit details
    Browse the repository at this point in the history
  4. fs/ntfs: Fix an OOB read when parsing bitmaps for index attributes

    This fix introduces checks to ensure that bitmaps for directory indices
    are never read beyond their actual sizes.
    
    The lack of this check is a minor issue, likely not exploitable in any way.
    
    Reported-by: Maxim Suhanov <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    c7145e6 View commit details
    Browse the repository at this point in the history
  5. fs/ntfs: Fix an OOB read when parsing a volume label

    This fix introduces checks to ensure that an NTFS volume label is always
    read from the corresponding file record segment.
    
    The current NTFS code allows the volume label string to be read from an
    arbitrary, attacker-chosen memory location. However, the bytes read are
    always treated as UTF-16LE. So, the final string displayed is mostly
    unreadable and it can't be easily converted back to raw bytes.
    
    The lack of this check is a minor issue, likely not causing a significant
    data leak.
    
    Reported-by: Maxim Suhanov <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    41e38af View commit details
    Browse the repository at this point in the history
  6. fs/ntfs: Make code more readable

    Move some calls used to access NTFS attribute header fields into
    functions with human-readable names.
    
    Suggested-by: Daniel Kiper <[email protected]>
    Signed-off-by: Maxim Suhanov <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Maxim Suhanov authored and nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    511c49d View commit details
    Browse the repository at this point in the history
  7. normal: Remove grub_env_set prefix in grub_try_normal_prefix

    Commit de735a4 added a grub_env_set where the prefix contains
    the arch name in the pathname. This create issues when trying to
    load modules using this prefix as the pathname contains a "doubled"
    arch name in it (ie .../powerpc-ieee1275/powerpc-ieee1275/).
    
    Signed-off-by: Nicolas Frayer <[email protected]>
    nfrayer committed Apr 5, 2024
    Configuration menu
    Copy the full SHA
    c5b706d View commit details
    Browse the repository at this point in the history

Commits on May 15, 2024

  1. grub-mkconfig.in: turn off executable owner bit

    Stricker permissions are required on the grub.cfg file, resulting in
    at most 0600 owner's file permissions. This resolves conflicting
    requirement permissions on grub2-pc package's grub2.cfg file.
    
    Signed-off-by: Leo Sandoval <[email protected]>
    lsandov1 committed May 15, 2024
    Configuration menu
    Copy the full SHA
    423962a View commit details
    Browse the repository at this point in the history

Commits on May 22, 2024

  1. fs/xfs: Handle non-continuous data blocks in directory extents

    The directory extent list does not have to be a continuous list of data
    blocks. When GRUB tries to read a non-existant member of the list,
    grub_xfs_read_file() will return a block of zero'ed memory. Checking for
    a zero'ed magic number is sufficient to skip this non-existant data block.
    
    Prior to commit 07318ee (fs/xfs: Fix XFS directory extent parsing)
    this was handled as a subtle side effect of reading the (non-existant)
    tail data structure. Since the block was zero'ed the computation of the
    number of directory entries in the block would return 0 as well.
    
    Fixes: 07318ee (fs/xfs: Fix XFS directory extent parsing)
    Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2254370
    
    Signed-off-by: Jon DeVree <[email protected]>
    Reviewed-By: Vladimir Serbinenko <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    nuxi authored and nfrayer committed May 22, 2024
    Configuration menu
    Copy the full SHA
    b60dfa5 View commit details
    Browse the repository at this point in the history

Commits on May 23, 2024

  1. add flag to only search root dev

    fixes bz#2223437
    
    Signed-off-by: Marta Lewandowska <[email protected]>
    marta-lewandowska authored and nfrayer committed May 23, 2024
    Configuration menu
    Copy the full SHA
    111f0f2 View commit details
    Browse the repository at this point in the history
  2. cmd/search: Rework of CVE-2023-4001 fix

    The initial fix implemented a new flag that forces the grub cfg
    stub to be located on the same disk as grub. This created several
    issues such as RAID machines not being able to boot as their
    partition names under grub were different from the partition where
    grub is located. It also simply means that any machines with the
    /boot partition located on a disk other than the one containing grub
    won't boot.
    This commit denies booting if the grub cfg stub is located on a USB
    drive with a duplicated UUID (UUID being the same as the partition
    containing the actual grub cfg stub)
    
    Signed-off-by: Nicolas Frayer <[email protected]>
    nfrayer committed May 23, 2024
    Configuration menu
    Copy the full SHA
    eb2b213 View commit details
    Browse the repository at this point in the history

Commits on May 28, 2024

  1. Set non-executable stack sections on EFI assembly files

    For those manual assembly files created where no '.note.GNU-stack'
    section is explicitly added, linker defaults it as executable and this
    is the reason that RHEL CI rpminspect & annocheck tests are
    failing. The proposed change sets the corresponding GNU-stack
    sections otherwise CI detects the following security vulnerability
    
       $ annocheck annocheck --ignore-unknown --verbose --profile=el9 *.rpm 2>&1 | grep FAIL | grep stack
       (standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.exec: FAIL: gnu-stack test because .note.GNU-stack section has execute permission
       (standard input):(standard input):Hardened: ./usr/lib/grub/x86_64-efi/kernel.img: FAIL: gnu-stack test because .note.GNU-stack section has execute permission
    
    Signed-off-by: Leo Sandoval <[email protected]>
    lsandov1 committed May 28, 2024
    Configuration menu
    Copy the full SHA
    8db5849 View commit details
    Browse the repository at this point in the history
  2. util/grub-mkconfig.in: revert mode to 644

    By mistake, PR [1] changed the permission bits to 755 so revert it to
    644 again.
    
    [1] rhboot#167
    
    Signed-off-by: Leo Sandoval <[email protected]>
    lsandov1 committed May 28, 2024
    Configuration menu
    Copy the full SHA
    9b97ca6 View commit details
    Browse the repository at this point in the history

Commits on Jul 2, 2024

  1. kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power

    This patch adds support for Radix, Xive and Radix_gtse in Options
    vector5 which is required for KVM LPARs. KVM LPARs ONLY support
    Radix and not the Hash. Not enabling Radix on any PowerVM KVM LPARs
    will result in boot failure.
    
    Signed-off-by: Avnish Chouhan <[email protected]>
    Reviewed-by: Daniel Kiper <[email protected]>
    Avnish Chouhan authored and nfrayer committed Jul 2, 2024
    Configuration menu
    Copy the full SHA
    6b8cb20 View commit details
    Browse the repository at this point in the history

Commits on Jul 16, 2024

  1. grub2-mkconfig: Ensure grub cfg stub is not overwritten

    /boot/efi/EFI/$os_name/grub.cfg contains a grub cfg stub
    that should not be overwritten by grub2-mkconfig.
    Ensure that we prevent this from happening.
    
    Signed-off-by: Marta Lewandowska <[email protected]>
    Signed-off-by: Nicolas Frayer <[email protected]>
    nfrayer committed Jul 16, 2024
    Configuration menu
    Copy the full SHA
    2b9a830 View commit details
    Browse the repository at this point in the history

Commits on Jul 19, 2024

  1. skip empty lines in entry file

    grub_file_getline() doesn't make any distinction between empty lines or EOF,
    so the following entry:
    
        title Fedora Linux (6.10.0-matteo) 40 (KDE Plasma)
        version 6.10.0-matteo
        linux /boot/vmlinuz-6.10.0-matteo
    
        options root=/dev/nvme0n1p2 ro cgroup_no_v1=all
    
    boots the kernel with an empty command line.
    Fix this by also checking grub_errno, which correctly signals the EOF.
    
    Signed-off-by: Matteo Croce <[email protected]>
    teknoraver committed Jul 19, 2024
    Configuration menu
    Copy the full SHA
    d634aae View commit details
    Browse the repository at this point in the history