Commit 2cd04373 authored by Rocky Automation's avatar Rocky Automation 📺
Browse files

import grub2-2.02-66.el8

parents
SOURCES/grub-2.02.tar.xz
SOURCES/theme.tar.bz2
SOURCES/unifont-5.1.20080820.pcf.gz
3d7eb6eaab28b88cb969ba9ab24af959f4d1b178 SOURCES/grub-2.02.tar.xz
cf0b7763c528902da7e8b05cfa248f20c8825ce5 SOURCES/theme.tar.bz2
87f8600ba24e521b5d20bdf6c4b71af8ae861e3a SOURCES/unifont-5.1.20080820.pcf.gz
This diff is collapsed.
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Sun, 9 Aug 2015 16:12:39 -0700
Subject: [PATCH] Rework linux command
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/linux.c | 37 ++++++++++++++++++++++++-------------
1 file changed, 24 insertions(+), 13 deletions(-)
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 9b53d3168f9..f7186be4002 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -685,13 +685,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
{
grub_file_t file = 0;
struct linux_i386_kernel_header lh;
+ grub_uint8_t *linux_params_ptr;
grub_uint8_t setup_sects;
- grub_size_t real_size, prot_size, prot_file_size;
+ grub_size_t real_size, prot_size, prot_file_size, kernel_offset;
grub_ssize_t len;
int i;
grub_size_t align, min_align;
int relocatable;
grub_uint64_t preferred_address = GRUB_LINUX_BZIMAGE_ADDR;
+ grub_uint8_t *kernel = NULL;
grub_dl_ref (my_mod);
@@ -705,7 +707,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (! file)
goto fail;
- if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
+ len = grub_file_size (file);
+ kernel = grub_malloc (len);
+ if (!kernel)
+ {
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
+ goto fail;
+ }
+
+ if (grub_file_read (file, kernel, len) != len)
{
if (!grub_errno)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -713,6 +723,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
+ grub_memcpy (&lh, kernel, sizeof (lh));
+ kernel_offset = sizeof (lh);
+
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
{
grub_error (GRUB_ERR_BAD_OS, "invalid magic number");
@@ -804,6 +817,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
preferred_address))
goto fail;
+
grub_memset (&linux_params, 0, sizeof (linux_params));
grub_memcpy (&linux_params.setup_sects, &lh.setup_sects, sizeof (lh) - 0x1F1);
@@ -812,13 +826,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
linux_params.ps_mouse = linux_params.padding10 = 0;
len = sizeof (linux_params) - sizeof (lh);
- if (grub_file_read (file, (char *) &linux_params + sizeof (lh), len) != len)
- {
- if (!grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
- goto fail;
- }
+
+ linux_params_ptr = (void *)&linux_params;
+ grub_memcpy (linux_params_ptr + sizeof (lh), kernel + kernel_offset, len);
+ kernel_offset += len;
linux_params.type_of_loader = GRUB_LINUX_BOOT_LOADER_TYPE;
@@ -877,7 +888,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
/* The other parameters are filled when booting. */
- grub_file_seek (file, real_size + GRUB_DISK_SECTOR_SIZE);
+ kernel_offset = real_size + GRUB_DISK_SECTOR_SIZE;
grub_dprintf ("linux", "bzImage, setup=0x%x, size=0x%x\n",
(unsigned) real_size, (unsigned) prot_size);
@@ -1025,9 +1036,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
- (sizeof (LINUX_IMAGE) - 1));
len = prot_file_size;
- if (grub_file_read (file, prot_mode_mem, len) != len && !grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
+ grub_memcpy (prot_mode_mem, kernel + kernel_offset, len);
if (grub_errno == GRUB_ERR_NONE)
{
@@ -1038,6 +1047,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
fail:
+ grub_free (kernel);
+
if (file)
grub_file_close (file);
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Matthew Garrett <mjg59@coreos.com>
Date: Sun, 9 Aug 2015 16:20:58 -0700
Subject: [PATCH] Rework linux16 command
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel int it
before pulling out the individual blocks later on.
---
grub-core/loader/i386/pc/linux.c | 34 +++++++++++++++++++++-------------
1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index a3c87cf2fc2..caa76bee8af 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -123,13 +123,14 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_file_t file = 0;
struct linux_i386_kernel_header lh;
grub_uint8_t setup_sects;
- grub_size_t real_size;
+ grub_size_t real_size, kernel_offset = 0;
grub_ssize_t len;
int i;
char *grub_linux_prot_chunk;
int grub_linux_is_bzimage;
grub_addr_t grub_linux_prot_target;
grub_err_t err;
+ grub_uint8_t *kernel = NULL;
grub_dl_ref (my_mod);
@@ -143,7 +144,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
if (! file)
goto fail;
- if (grub_file_read (file, &lh, sizeof (lh)) != sizeof (lh))
+ len = grub_file_size (file);
+ kernel = grub_malloc (len);
+ if (!kernel)
+ {
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel buffer"));
+ goto fail;
+ }
+
+ if (grub_file_read (file, kernel, len) != len)
{
if (!grub_errno)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
@@ -151,6 +160,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
goto fail;
}
+ grub_memcpy (&lh, kernel, sizeof (lh));
+ kernel_offset = sizeof (lh);
+
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
{
grub_error (GRUB_ERR_BAD_OS, "invalid magic number");
@@ -314,13 +326,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
grub_memmove (grub_linux_real_chunk, &lh, sizeof (lh));
len = real_size + GRUB_DISK_SECTOR_SIZE - sizeof (lh);
- if (grub_file_read (file, grub_linux_real_chunk + sizeof (lh), len) != len)
- {
- if (!grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
- goto fail;
- }
+ grub_memcpy (grub_linux_real_chunk + sizeof (lh), kernel + kernel_offset,
+ len);
+ kernel_offset += len;
if (lh.header != grub_cpu_to_le32_compile_time (GRUB_LINUX_I386_MAGIC_SIGNATURE)
|| grub_le_to_cpu16 (lh.version) < 0x0200)
@@ -355,10 +363,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
}
len = grub_linux16_prot_size;
- if (grub_file_read (file, grub_linux_prot_chunk, grub_linux16_prot_size)
- != (grub_ssize_t) grub_linux16_prot_size && !grub_errno)
- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
- argv[0]);
+ grub_memcpy (grub_linux_prot_chunk, kernel + kernel_offset, len);
+ kernel_offset += len;
if (grub_errno == GRUB_ERR_NONE)
{
@@ -368,6 +374,8 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
fail:
+ grub_free (kernel);
+
if (file)
grub_file_close (file);
This diff is collapsed.
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Tue, 6 Oct 2015 16:09:25 -0400
Subject: [PATCH] Make any of the loaders that link in efi mode honor secure
boot.
And in this case "honor" means "even if somebody does link this in, they
won't register commands if SB is enabled."
Signed-off-by: Peter Jones <pjones@redhat.com>
---
grub-core/Makefile.core.def | 1 +
grub-core/commands/iorw.c | 7 +++++
grub-core/commands/memrw.c | 7 +++++
grub-core/kern/dl.c | 1 +
grub-core/kern/efi/efi.c | 34 --------------------
grub-core/kern/efi/sb.c | 64 ++++++++++++++++++++++++++++++++++++++
grub-core/loader/efi/appleloader.c | 7 +++++
grub-core/loader/efi/chainloader.c | 1 +
grub-core/loader/i386/bsd.c | 7 +++++
grub-core/loader/i386/linux.c | 7 +++++
grub-core/loader/i386/pc/linux.c | 7 +++++
grub-core/loader/multiboot.c | 7 +++++
grub-core/loader/xnu.c | 7 +++++
include/grub/efi/efi.h | 1 -
include/grub/efi/sb.h | 29 +++++++++++++++++
include/grub/ia64/linux.h | 0
include/grub/mips/linux.h | 0
include/grub/powerpc/linux.h | 0
include/grub/sparc64/linux.h | 0
grub-core/Makefile.am | 1 +
20 files changed, 153 insertions(+), 35 deletions(-)
create mode 100644 grub-core/kern/efi/sb.c
create mode 100644 include/grub/efi/sb.h
create mode 100644 include/grub/ia64/linux.h
create mode 100644 include/grub/mips/linux.h
create mode 100644 include/grub/powerpc/linux.h
create mode 100644 include/grub/sparc64/linux.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 0b4b0c2122d..e92a7ef322f 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -195,6 +195,7 @@ kernel = {
i386_multiboot = kern/i386/pc/acpi.c;
i386_coreboot = kern/acpi.c;
i386_multiboot = kern/acpi.c;
+ common = kern/efi/sb.c;
x86 = kern/i386/tsc.c;
x86 = kern/i386/tsc_pit.c;
diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c
index a0c164e54f0..41a7f3f0466 100644
--- a/grub-core/commands/iorw.c
+++ b/grub-core/commands/iorw.c
@@ -23,6 +23,7 @@
#include <grub/env.h>
#include <grub/cpu/io.h>
#include <grub/i18n.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -118,6 +119,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
+ if (grub_efi_secure_boot())
+ return;
+
cmd_read_byte =
grub_register_extcmd ("inb", grub_cmd_read, 0,
N_("PORT"), N_("Read 8-bit value from PORT."),
@@ -146,6 +150,9 @@ GRUB_MOD_INIT(memrw)
GRUB_MOD_FINI(memrw)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c
index 98769eadb34..088cbe9e2bc 100644
--- a/grub-core/commands/memrw.c
+++ b/grub-core/commands/memrw.c
@@ -22,6 +22,7 @@
#include <grub/extcmd.h>
#include <grub/env.h>
#include <grub/i18n.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -120,6 +121,9 @@ grub_cmd_write (grub_command_t cmd, int argc, char **argv)
GRUB_MOD_INIT(memrw)
{
+ if (grub_efi_secure_boot())
+ return;
+
cmd_read_byte =
grub_register_extcmd ("read_byte", grub_cmd_read, 0,
N_("ADDR"), N_("Read 8-bit value from ADDR."),
@@ -148,6 +152,9 @@ GRUB_MOD_INIT(memrw)
GRUB_MOD_FINI(memrw)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_read_byte);
grub_unregister_extcmd (cmd_read_word);
grub_unregister_extcmd (cmd_read_dword);
diff --git a/grub-core/kern/dl.c b/grub-core/kern/dl.c
index 04e804d1668..621070918d4 100644
--- a/grub-core/kern/dl.c
+++ b/grub-core/kern/dl.c
@@ -32,6 +32,7 @@
#include <grub/env.h>
#include <grub/cache.h>
#include <grub/i18n.h>
+#include <grub/efi/sb.h>
/* Platforms where modules are in a readonly area of memory. */
#if defined(GRUB_MACHINE_QEMU)
diff --git a/grub-core/kern/efi/efi.c b/grub-core/kern/efi/efi.c
index 91129e33566..708581fcbde 100644
--- a/grub-core/kern/efi/efi.c
+++ b/grub-core/kern/efi/efi.c
@@ -273,40 +273,6 @@ grub_efi_get_variable (const char *var, const grub_efi_guid_t *guid,
return NULL;
}
-grub_efi_boolean_t
-grub_efi_secure_boot (void)
-{
- grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
- grub_size_t datasize;
- char *secure_boot = NULL;
- char *setup_mode = NULL;
- grub_efi_boolean_t ret = 0;
-
- secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
- if (datasize != 1 || !secure_boot)
- {
- grub_dprintf ("secureboot", "No SecureBoot variable\n");
- goto out;
- }
- grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
-
- setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
- if (datasize != 1 || !setup_mode)
- {
- grub_dprintf ("secureboot", "No SetupMode variable\n");
- goto out;
- }
- grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
-
- if (*secure_boot && !*setup_mode)
- ret = 1;
-
- out:
- grub_free (secure_boot);
- grub_free (setup_mode);
- return ret;
-}
-
#pragma GCC diagnostic ignored "-Wcast-align"
/* Search the mods section from the PE32/PE32+ image. This code uses
diff --git a/grub-core/kern/efi/sb.c b/grub-core/kern/efi/sb.c
new file mode 100644
index 00000000000..d74778b0cac
--- /dev/null
+++ b/grub-core/kern/efi/sb.c
@@ -0,0 +1,64 @@
+/*
+ * GRUB -- GRand Unified Bootloader
+ * Copyright (C) 2014 Free Software Foundation, Inc.
+ *
+ * GRUB is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * GRUB is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/err.h>
+#include <grub/mm.h>
+#include <grub/types.h>
+#include <grub/cpu/linux.h>
+#include <grub/efi/efi.h>
+#include <grub/efi/pe32.h>
+#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
+
+int
+grub_efi_secure_boot (void)
+{
+#ifdef GRUB_MACHINE_EFI
+ grub_efi_guid_t efi_var_guid = GRUB_EFI_GLOBAL_VARIABLE_GUID;
+ grub_size_t datasize;
+ char *secure_boot = NULL;
+ char *setup_mode = NULL;
+ grub_efi_boolean_t ret = 0;
+
+ secure_boot = grub_efi_get_variable("SecureBoot", &efi_var_guid, &datasize);
+ if (datasize != 1 || !secure_boot)
+ {
+ grub_dprintf ("secureboot", "No SecureBoot variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SecureBoot: %d\n", *secure_boot);
+
+ setup_mode = grub_efi_get_variable("SetupMode", &efi_var_guid, &datasize);
+ if (datasize != 1 || !setup_mode)
+ {
+ grub_dprintf ("secureboot", "No SetupMode variable\n");
+ goto out;
+ }
+ grub_dprintf ("secureboot", "SetupMode: %d\n", *setup_mode);
+
+ if (*secure_boot && !*setup_mode)
+ ret = 1;
+
+ out:
+ grub_free (secure_boot);
+ grub_free (setup_mode);
+ return ret;
+#else
+ return 0;
+#endif
+}
diff --git a/grub-core/loader/efi/appleloader.c b/grub-core/loader/efi/appleloader.c
index 74888c463ba..69c2a10d351 100644
--- a/grub-core/loader/efi/appleloader.c
+++ b/grub-core/loader/efi/appleloader.c
@@ -24,6 +24,7 @@
#include <grub/misc.h>
#include <grub/efi/api.h>
#include <grub/efi/efi.h>
+#include <grub/efi/sb.h>
#include <grub/command.h>
#include <grub/i18n.h>
@@ -227,6 +228,9 @@ static grub_command_t cmd;
GRUB_MOD_INIT(appleloader)
{
+ if (grub_efi_secure_boot())
+ return;
+
cmd = grub_register_command ("appleloader", grub_cmd_appleloader,
N_("[OPTS]"),
/* TRANSLATORS: This command is used on EFI to
@@ -238,5 +242,8 @@ GRUB_MOD_INIT(appleloader)
GRUB_MOD_FINI(appleloader)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd);
}
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
index af2189619a3..5cd9b6e08a8 100644
--- a/grub-core/loader/efi/chainloader.c
+++ b/grub-core/loader/efi/chainloader.c
@@ -34,6 +34,7 @@
#include <grub/efi/disk.h>
#include <grub/efi/pe32.h>
#include <grub/efi/linux.h>
+#include <grub/efi/sb.h>
#include <grub/command.h>
#include <grub/i18n.h>
#include <grub/net.h>
diff --git a/grub-core/loader/i386/bsd.c b/grub-core/loader/i386/bsd.c
index 7f96515da65..87709aa23e8 100644
--- a/grub-core/loader/i386/bsd.c
+++ b/grub-core/loader/i386/bsd.c
@@ -38,6 +38,7 @@
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/int.h>
#endif
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -2124,6 +2125,9 @@ static grub_command_t cmd_netbsd_module_elf, cmd_openbsd_ramdisk;
GRUB_MOD_INIT (bsd)
{
+ if (grub_efi_secure_boot())
+ return;
+
/* Net and OpenBSD kernels are often compressed. */
grub_dl_load ("gzio");
@@ -2163,6 +2167,9 @@ GRUB_MOD_INIT (bsd)
GRUB_MOD_FINI (bsd)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_extcmd (cmd_freebsd);
grub_unregister_extcmd (cmd_openbsd);
grub_unregister_extcmd (cmd_netbsd);
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index f7186be4002..c84747ea857 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -35,6 +35,7 @@
#include <grub/i18n.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -1156,6 +1157,9 @@ static grub_command_t cmd_linux, cmd_initrd;
GRUB_MOD_INIT(linux)
{
+ if (grub_efi_secure_boot())
+ return;
+
cmd_linux = grub_register_command ("linux", grub_cmd_linux,
0, N_("Load Linux."));
cmd_initrd = grub_register_command ("initrd", grub_cmd_initrd,
@@ -1165,6 +1169,9 @@ GRUB_MOD_INIT(linux)
GRUB_MOD_FINI(linux)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd_linux);
grub_unregister_command (cmd_initrd);
}
diff --git a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
index caa76bee8af..783a3cd93bc 100644
--- a/grub-core/loader/i386/pc/linux.c
+++ b/grub-core/loader/i386/pc/linux.c
@@ -35,6 +35,7 @@
#include <grub/i386/floppy.h>
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
+#include <grub/efi/sb.h>
GRUB_MOD_LICENSE ("GPLv3+");
@@ -480,6 +481,9 @@ static grub_command_t cmd_linux, cmd_linux16, cmd_initrd, cmd_initrd16;
GRUB_MOD_INIT(linux16)
{
+ if (grub_efi_secure_boot())
+ return;
+
cmd_linux =
grub_register_command ("linux", grub_cmd_linux,
0, N_("Load Linux."));
@@ -497,6 +501,9 @@ GRUB_MOD_INIT(linux16)
GRUB_MOD_FINI(linux16)
{
+ if (grub_efi_secure_boot())
+ return;
+
grub_unregister_command (cmd_linux);
grub_unregister_command (cmd_linux16);
grub_unregister_command (cmd_initrd);
diff --git a/grub-core/loader/multiboot.c b/grub-core/loader/multiboot.c
index 40c67e82489..26df46a4161 100644
--- a/grub-core/loader/multiboot.c
+++ b/grub-core/loader/multiboot.c
@@ -50,6 +50,7 @@
#include <grub/video.h>