grub-efi: refresh patches for grub 2.06

Rebase patches:
0001-grub-verify-Add-strict_security-variable.patch
Grub-get-and-set-efi-variables.patch
mok2verify-support-to-verify-non-PE-file-with-PKCS-7.patch

Drop 0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch
since it has been merged upstream.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao
2021-03-23 15:20:49 +08:00
committed by Jia Zhang
parent ee0d07240e
commit 4e1cc676dc
5 changed files with 52 additions and 84 deletions


@@ -28,7 +28,6 @@ SRC_URI += "\
file://Grub-get-and-set-efi-variables.patch \
file://uefi_verify.patch \
file://0001-grub-verify-Add-strict_security-variable.patch \
file://0001-fs-ext2-fix-the-file-not-found-error-when-symlink-fi.patch \
file://grub-efi.cfg \
file://boot-menu.inc \
${@d.getVar('GRUB_MOKVERIFY_PATCH', True) if d.getVar('UEFI_SELOADER', True) == '1' else ''} \


@@ -1,40 +0,0 @@
From 5fe53d80b7294198687a96e72471ddb968c7de34 Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Wed, 6 Jan 2021 17:07:26 +0800
Subject: [PATCH] fs/ext2: fix the file not found error when symlink filesize
is 60
We encountered a file not found error when the symlink filesize is 60:
$ ls -l initrd
lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz
When booting, we got the following error in grub:
error: file `/initrd' not found
The root cause is although the size of diro->inode.symlink is 60, it
includes the trailing '\0'. So if the symlink filesize is exactly 60, it
is also stored in a separate block rather than in the inode.
Upstream-Status: Submitted [https://lists.gnu.org/archive/html/grub-devel/2021-01/msg00018.html]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
grub-core/fs/ext2.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
index ac33bcd68..cb5058e8b 100644
--- a/grub-core/fs/ext2.c
+++ b/grub-core/fs/ext2.c
@@ -732,7 +732,7 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
/* If the filesize of the symlink is bigger than
60 the symlink is stored in a separate block,
otherwise it is stored in the inode. */
- if (grub_le_to_cpu32 (diro->inode.size) <= sizeof (diro->inode.symlink))
+ if (grub_le_to_cpu32 (diro->inode.size) < sizeof (diro->inode.symlink))
grub_memcpy (symlink,
diro->inode.symlink,
grub_le_to_cpu32 (diro->inode.size));
--
2.25.1


@@ -1,7 +1,7 @@
From 8a7ad88b4880e25df1f54b80631dc035e1e25662 Mon Sep 17 00:00:00 2001
From 9f330999565e1e82ce5b9460ffefa933cc47d67c Mon Sep 17 00:00:00 2001
From: Jason Wessel <jason.wessel@windriver.com>
Date: Thu, 17 Oct 2019 12:35:01 -0700
Subject: [PATCH] grub verify: Add strict_security variable
Subject: [PATCH] grub verify: Add strict_security variable
With strict_security set to 1, it is impossible to change the value of
check_signatures. It will also cause grub to reboot instead of
@@ -12,14 +12,16 @@ Upstream-Status: Pending
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
---
grub-core/commands/pgp.c | 16 +++++++++++++++-
grub-core/kern/main.c | 9 +++++++++
grub-core/normal/main.c | 7 +++++--
grub-core/commands/pgp.c | 16 +++++++++++++++-
grub-core/kern/main.c | 9 +++++++++
grub-core/normal/main.c | 7 +++++--
3 files changed, 29 insertions(+), 3 deletions(-)
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
index 5daa1e9..ed8514c 100644
--- a/grub-core/commands/pgp.c
+++ b/grub-core/commands/pgp.c
@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_c
@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
}
static int sec = 0;
@@ -60,17 +62,19 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
grub_pk_trusted = 0;
FOR_MODULES (header)
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 73967e2..86e7f35 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -29,6 +29,7 @@
#include <grub/command.h>
@@ -30,6 +30,7 @@
#include <grub/reader.h>
#include <grub/parser.h>
#include <grub/verify.h>
+#include <grub/time.h>
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/memory.h>
@@ -308,5 +309,13 @@ grub_main (void)
@@ -312,5 +313,13 @@ grub_main (void)
grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
grub_load_normal_mode ();
@@ -84,9 +88,11 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+ }
grub_rescue_run ();
}
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index c4ebe9e..2c3f4f8 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -301,8 +301,11 @@ grub_enter_normal_mode (const char *conf
@@ -302,8 +302,11 @@ grub_enter_normal_mode (const char *config)
grub_boot_time ("Entering normal mode");
nested_level++;
grub_normal_execute (config, 0, 0);
@@ -100,3 +106,6 @@ Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
nested_level--;
if (grub_normal_exit_level)
grub_normal_exit_level--;
--
2.17.1


@@ -158,7 +158,7 @@ index 0000000..6aeda80
+ if (EFI_VAR_INVALID == efi_type)
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid format specifier"));
+
+ efi_var = grub_efi_get_variable (args[0], &global, &efi_var_size);
+ grub_efi_get_variable (args[0], &global, &efi_var_size, &efi_var);
+ if (!efi_var || !efi_var_size)
+ {
+ status = grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
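Review bot: The rebased call `grub_efi_get_variable (args[0], &global, &efi_var_size, &efi_var);` discards the grub_efi_status_t that the 2.06 signature returns, and the `if (!efi_var || !efi_var_size)` test that follows now only works if the callee clears its out-parameter on every failure path, whereas the old code got a fresh value from the assignment. The declarations of `efi_var` and `efi_var_size`, and the rest of the enclosing command handler, are outside the hunk, so I cannot confirm `efi_var` starts as NULL; the robust form is `if (grub_efi_get_variable (args[0], &global, &efi_var_size, &efi_var) != GRUB_EFI_SUCCESS || !efi_var || !efi_var_size)`. The same pattern appears in the mok2verify.c hunk of this commit for the "SecureBoot" and "MokSBState" reads, where the second read reuses `var` after `grub_free (var)` without resetting it and then tests `!var` to decide `secured`, so a `var = NULL;` after the free and a status check are worth adding there as well.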


@@ -1,4 +1,4 @@
From 3aa619ea2c9d35cc242f0ae870782522176ce018 Mon Sep 17 00:00:00 2001
From 14eda2e512ec14fcae9de63f87457e4dad1a0206 Mon Sep 17 00:00:00 2001
From: Lans Zhang <jia.zhang@windriver.com>
Date: Wed, 12 Jul 2017 16:02:13 +0800
Subject: [PATCH] mok2verify: support to verify non-PE file with PKCS#7
@@ -52,10 +52,10 @@ Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
create mode 100644 include/grub/efi/mok2verify.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 18d2316..59a5cf1 100644
index 2f2765e..f07d6ea 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1869,6 +1869,12 @@ module = {
@@ -1894,6 +1894,12 @@ module = {
enable = efi;
};
@@ -101,7 +101,7 @@ index bbca81e..3f44a7e 100644
grub_machine_fini (grub_loader_flags);
diff --git a/grub-core/gfxmenu/gui_label.c b/grub-core/gfxmenu/gui_label.c
index a4c8178..da49c9e 100644
index 1c19054..52d4755 100644
--- a/grub-core/gfxmenu/gui_label.c
+++ b/grub-core/gfxmenu/gui_label.c
@@ -24,6 +24,9 @@
@@ -157,11 +157,11 @@ index a4c8178..da49c9e 100644
+ value = _("enter: boot, `e': options, `c': cmd-line");
+ }
/* FIXME: Add more templates here if needed. */
self->template = grub_strdup (value);
self->text = grub_xasprintf (value, self->value);
if (grub_printf_fmt_check(value, "%d") != GRUB_ERR_NONE)
diff --git a/grub-core/lib/efi/mok2verify.c b/grub-core/lib/efi/mok2verify.c
new file mode 100644
index 0000000..790efa0
index 0000000..eb268a2
--- /dev/null
+++ b/grub-core/lib/efi/mok2verify.c
@@ -0,0 +1,182 @@
@@ -241,11 +241,11 @@ index 0000000..790efa0
+grub_is_secured (void)
+{
+ grub_efi_guid_t global_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ void *var;
+ void *var = NULL;
+ grub_size_t var_size = 0;
+ int secured = 0;
+
+ var = grub_efi_get_variable ("SecureBoot", &global_guid, &var_size);
+ grub_efi_get_variable ("SecureBoot", &global_guid, &var_size, &var);
+ if (!var)
+ return grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
+
@@ -254,8 +254,8 @@ index 0000000..790efa0
+
+ grub_free (var);
+
+ var = grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid,
+ &var_size);
+ grub_efi_get_variable ("MokSBState", &grub_efi_mok2_verify_protoco_guid,
+ &var_size, &var);
+ if (!var || (var_size == 1 && *(grub_uint8_t *) var == 0))
+ secured = 1;
+
@@ -348,20 +348,20 @@ index 0000000..790efa0
+
+#pragma GCC diagnostic error "-Wvla"
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 3a264b9..9caabdd 100644
index 14d6a80..cfbb858 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -40,6 +40,9 @@
#include <grub/lib/cmdline.h>
@@ -41,6 +41,9 @@
#include <grub/linux.h>
#include <grub/machine/kernel.h>
#include <grub/safemath.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/mok2verify.h>
+#endif
GRUB_MOD_LICENSE ("GPLv3+");
@@ -656,6 +659,55 @@ grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
@@ -664,6 +667,55 @@ grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
return GRUB_ERR_NONE;
}
@@ -417,7 +417,7 @@ index 3a264b9..9caabdd 100644
static grub_err_t
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
int argc, char *argv[])
@@ -678,6 +730,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
@@ -686,6 +738,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
@@ -427,7 +427,7 @@ index 3a264b9..9caabdd 100644
file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
if (! file)
goto fail;
@@ -1139,6 +1194,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
@@ -1145,6 +1200,11 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)),
fail:
grub_initrd_close (&initrd_ctx);
@@ -440,7 +440,7 @@ index 3a264b9..9caabdd 100644
}
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 8c8565a..7b989d4 100644
index 3fe390f..8b743d7 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -5,6 +5,9 @@
@@ -453,7 +453,7 @@ index 8c8565a..7b989d4 100644
struct newc_head
{
@@ -279,6 +282,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
@@ -278,6 +281,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
int newc = 0;
struct dir *root = 0;
grub_ssize_t cursize = 0;
@@ -461,7 +461,7 @@ index 8c8565a..7b989d4 100644
for (i = 0; i < initrd_ctx->nfiles; i++)
{
@@ -322,6 +326,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
@@ -321,6 +325,25 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
grub_initrd_close (initrd_ctx);
return grub_errno;
}
@@ -487,7 +487,7 @@ index 8c8565a..7b989d4 100644
ptr += cursize;
}
if (newc)
@@ -330,7 +353,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
@@ -329,7 +352,9 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx,
ptr += ALIGN_UP_OVERHEAD (cursize, 4);
ptr = make_header (ptr, "TRAILER!!!", sizeof ("TRAILER!!!") - 1, 0, 0);
}
@@ -499,10 +499,10 @@ index 8c8565a..7b989d4 100644
+ return err;
}
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 316ce53..5610106 100644
index 2c3f4f8..c97df84 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -33,6 +33,9 @@
@@ -34,6 +34,9 @@
#include <grub/charset.h>
#include <grub/script_sh.h>
#include <grub/bufio.h>
@@ -512,7 +512,7 @@ index 316ce53..5610106 100644
GRUB_MOD_LICENSE ("GPLv3+");
@@ -195,6 +198,8 @@ read_config_file (const char *config)
@@ -196,6 +199,8 @@ read_config_file (const char *config)
return newmenu;
}
@@ -521,7 +521,7 @@ index 316ce53..5610106 100644
/* Initialize the screen. */
void
grub_normal_init_page (struct grub_term_output *term,
@@ -202,13 +207,24 @@ grub_normal_init_page (struct grub_term_output *term,
@@ -203,13 +208,24 @@ grub_normal_init_page (struct grub_term_output *term,
{
grub_ssize_t msg_len;
int posx;
@@ -547,7 +547,7 @@ index 316ce53..5610106 100644
if (!msg_formatted)
return;
@@ -233,6 +249,8 @@ grub_normal_init_page (struct grub_term_output *term,
@@ -234,6 +250,8 @@ grub_normal_init_page (struct grub_term_output *term,
grub_free (unicode_msg);
}
@@ -556,7 +556,7 @@ index 316ce53..5610106 100644
static void
read_lists (const char *val)
{
@@ -273,6 +291,20 @@ grub_normal_execute (const char *config, int nested, int batch)
@@ -274,6 +292,20 @@ grub_normal_execute (const char *config, int nested, int batch)
if (config)
{
@@ -577,7 +577,7 @@ index 316ce53..5610106 100644
menu = read_config_file (config);
/* Ignore any error. */
@@ -304,7 +336,10 @@ grub_enter_normal_mode (const char *config)
@@ -305,7 +337,10 @@ grub_enter_normal_mode (const char *config)
const char *val = grub_env_get ("strict_security");
if (!(val && (val[0] == '1' || val[0] == 'e'))) {
grub_boot_time ("Entering shell");
@@ -589,7 +589,7 @@ index 316ce53..5610106 100644
}
nested_level--;
if (grub_normal_exit_level)
@@ -341,6 +376,13 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
@@ -359,6 +394,13 @@ grub_cmd_normal (struct grub_command *cmd __attribute__ ((unused)),
grub_enter_normal_mode (argv[0]);
quit:
@@ -603,7 +603,7 @@ index 316ce53..5610106 100644
return 0;
}
@@ -528,8 +570,11 @@ GRUB_MOD_INIT(normal)
@@ -546,8 +588,11 @@ GRUB_MOD_INIT(normal)
/* Register a command "normal" for the rescue mode. */
grub_register_command ("normal", grub_cmd_normal,
0, N_("Enter normal mode."));
@@ -618,7 +618,7 @@ index 316ce53..5610106 100644
/* Reload terminal colors when these variables are written to. */
grub_register_variable_hook ("color_normal", NULL, grub_env_write_color_normal);
diff --git a/grub-core/normal/menu.c b/grub-core/normal/menu.c
index d5e0c79..512f710 100644
index 8397886..76c3f5a 100644
--- a/grub-core/normal/menu.c
+++ b/grub-core/normal/menu.c
@@ -32,6 +32,9 @@
@@ -631,7 +631,7 @@ index d5e0c79..512f710 100644
/* Time to delay after displaying an error message about a default/fallback
entry failing to boot. */
@@ -773,18 +776,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
@@ -772,18 +775,30 @@ run_menu (grub_menu_t menu, int nested, int *auto_boot)
break;
case 'c':