git.ipfire.org Git - thirdparty/grub.git/log
10 months ago tpm2_key_protector: Support authorized policy
Gary Lin [Fri, 15 Nov 2024 07:34:54 +0000 (15:34 +0800)] 
tpm2_key_protector: Support authorized policy

This commit handles the TPM2_PolicyAuthorize command from the key file
in TPM 2.0 Key File format.

TPM2_PolicyAuthorize is the essential command to support authorized
policy which allows the users to sign TPM policies with their own keys.
Per TPM 2.0 Key File [1], CommandPolicy for TPM2_PolicyAuthorize
comprises "TPM2B_PUBLIC pubkey", "TPM2B_DIGEST policy_ref", and
"TPMT_SIGNATURE signature". To verify the signature, the current policy
digest is hashed with the hash algorithm written in "signature", and then
"signature" is verified with the hashed policy digest and "pubkey". Once
TPM accepts "signature", TPM2_PolicyAuthorize is invoked to authorize the
signed policy.

To create the key file with authorized policy, here are the pcr-oracle [2]
commands:

  # Generate the RSA key and create the authorized policy file
  $ pcr-oracle \
        --rsa-generate-key \
        --private-key policy-key.pem \
        --auth authorized.policy \
        create-authorized-policy 0,2,4,7,9

  # Seal the secret with the authorized policy
  $ pcr-oracle \
        --key-format tpm2.0 \
        --auth authorized.policy \
        --input disk-secret.txt \
        --output sealed.key \
        seal-secret

  # Sign the predicted PCR policy
  $ pcr-oracle \
        --key-format tpm2.0 \
        --private-key policy-key.pem \
        --from eventlog \
        --stop-event "grub-file=grub.cfg" \
        --after \
        --input sealed.key \
        --output /boot/efi/efi/grub/sealed.tpm \
        sign 0,2,4,7,9

Then specify the key file and the key protector to grub.cfg in the EFI
system partition:

  tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
  cryptomount -u <PART_UUID> -P tpm2

For any change in the boot components, just run the "sign" command again
to update the signature in sealed.tpm, and TPM can unseal the key file
with the updated PCR policy.

[1] https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html
[2] https://github.com/okirch/pcr-oracle

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago util/grub-protect: Add new tool
Hernan Gatta [Fri, 15 Nov 2024 07:34:53 +0000 (15:34 +0800)] 
util/grub-protect: Add new tool

To utilize the key protectors framework, there must be a way to protect
full-disk encryption keys in the first place. The grub-protect tool
includes support for the TPM2 key protector but other protectors that
require setup ahead of time can be supported in the future.

For the TPM2 key protector, the intended flow is for a user to have
a LUKS 1 or LUKS 2-protected fully-encrypted disk. The user then creates
a new LUKS key file, say by reading /dev/urandom into a file, and creates
a new LUKS key slot for this key. Then, the user invokes the grub-protect
tool to seal this key file to a set of PCRs using the system's TPM 2.0.
The resulting sealed key file is stored in an unencrypted partition such
as the EFI System Partition (ESP) so that GRUB may read it. The user also
has to ensure the cryptomount command is included in GRUB's boot script
and that it carries the requisite key protector (-P) parameter.

Sample usage:

  $ dd if=/dev/urandom of=luks-key bs=1 count=32
  $ sudo cryptsetup luksAddKey /dev/sdb1 luks-key --pbkdf=pbkdf2 --hash=sha512

To seal the key with TPM 2.0 Key File (recommended):

  $ sudo grub-protect --action=add \
                      --protector=tpm2 \
                      --tpm2-pcrs=0,2,4,7,9 \
                      --tpm2key \
                      --tpm2-keyfile=luks-key \
                      --tpm2-outfile=/boot/efi/efi/grub/sealed.tpm

Or, to seal the key with the raw sealed key:

  $ sudo grub-protect --action=add \
                      --protector=tpm2 \
                      --tpm2-pcrs=0,2,4,7,9 \
                      --tpm2-keyfile=luks-key \
                      --tpm2-outfile=/boot/efi/efi/grub/sealed.key

Then, in the boot script, for TPM 2.0 Key File:

  tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed.tpm
  cryptomount -u <SDB1_UUID> -P tpm2

Or, for the raw sealed key:

  tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed.key --pcrs=0,2,4,7,9
  cryptomount -u <SDB1_UUID> -P tpm2

The benefit of using TPM 2.0 Key File is that the PCR set is already
written in the key file, so there is no need to specify PCRs when
invoking tpm2_key_protector_init.

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago cryptodisk: Support key protectors
Hernan Gatta [Fri, 15 Nov 2024 07:34:52 +0000 (15:34 +0800)] 
cryptodisk: Support key protectors

Add a new parameter to cryptomount to support the key protectors framework: -P.
The parameter is used to automatically retrieve a key from specified key
protectors. The parameter may be repeated to specify any number of key
protectors. These are tried in order until one provides a usable key for any
given disk.

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Michael Chang <mchang@suse.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago key_protector: Add TPM2 Key Protector
Hernan Gatta [Fri, 15 Nov 2024 07:34:51 +0000 (15:34 +0800)] 
key_protector: Add TPM2 Key Protector

The TPM2 key protector is a module that enables the automatic retrieval
of a fully-encrypted disk's unlocking key from a TPM 2.0.

The theory of operation is such that the module accepts various
arguments, most of which are optional and therefore possess reasonable
defaults. One of these arguments is the keyfile/tpm2key parameter, which
is mandatory. There are two supported key formats:

1. Raw Sealed Key (--keyfile)
   When sealing a key with TPM2_Create, the public portion of the sealed
   key is stored in TPM2B_PUBLIC, and the private portion is in
   TPM2B_PRIVATE. The raw sealed key glues the fully marshalled
   TPM2B_PUBLIC and TPM2B_PRIVATE into one file.

2. TPM 2.0 Key (--tpm2key)
   The following is the ASN.1 definition of TPM 2.0 Key File:

   TPMPolicy ::= SEQUENCE {
     CommandCode   [0] EXPLICIT INTEGER
     CommandPolicy [1] EXPLICIT OCTET STRING
   }

   TPMAuthPolicy ::= SEQUENCE {
     Name    [0] EXPLICIT UTF8STRING OPTIONAL
     Policy  [1] EXPLICIT SEQUENCE OF TPMPolicy
   }

   TPMKey ::= SEQUENCE {
     type        OBJECT IDENTIFIER
     emptyAuth   [0] EXPLICIT BOOLEAN OPTIONAL
     policy      [1] EXPLICIT SEQUENCE OF TPMPolicy OPTIONAL
     secret      [2] EXPLICIT OCTET STRING OPTIONAL
     authPolicy  [3] EXPLICIT SEQUENCE OF TPMAuthPolicy OPTIONAL
     description [4] EXPLICIT UTF8String OPTIONAL,
     rsaParent   [5] EXPLICIT BOOLEAN OPTIONAL,
     parent      INTEGER
     pubkey      OCTET STRING
     privkey     OCTET STRING
   }

  The TPM2 key protector only expects a "sealed" key in DER encoding,
  so "type" is always 2.23.133.10.1.5, "emptyAuth" is "TRUE", and
  "secret" is empty. "policy" and "authPolicy" are the possible policy
  command sequences to construct the policy digest to unseal the key.
  Similar to the raw sealed key, the public portion (TPM2B_PUBLIC) of
  the sealed key is stored in "pubkey", and the private portion
  (TPM2B_PRIVATE) is in "privkey".

  For more details: https://www.hansenpartnership.com/draft-bottomley-tpm2-keys.html

This sealed key file is created via the grub-protect tool. The tool
utilizes the TPM's sealing functionality to seal (i.e., encrypt) an
unlocking key using a Storage Root Key (SRK) to the values of various
Platform Configuration Registers (PCRs). These PCRs reflect the state
of the system as it boots. If the values are as expected, the system
may be considered trustworthy, at which point the TPM allows for a
caller to utilize the private component of the SRK to unseal (i.e.,
decrypt) the sealed key file. The caller, in this case, is this key
protector.

The TPM2 key protector registers two commands:

  - tpm2_key_protector_init: Initializes the state of the TPM2 key
                             protector for later usage, clearing any
                             previous state, too, if any.

  - tpm2_key_protector_clear: Clears any state set by tpm2_key_protector_init.

The way this is expected to be used requires the user to, either
interactively or, normally, via a boot script, initialize/configure
the key protector and then specify that it be used by the "cryptomount"
command (modifications to this command are in a different patch).

For instance, to unseal the raw sealed key file:

  tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed-1.key
  cryptomount -u <PART1_UUID> -P tpm2

  tpm2_key_protector_init --keyfile=(hd0,gpt1)/efi/grub/sealed-2.key --pcrs=7,11
  cryptomount -u <PART2_UUID> -P tpm2

Or, to unseal the TPM 2.0 Key file:

  tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed-1.tpm
  cryptomount -u <PART1_UUID> -P tpm2

  tpm2_key_protector_init --tpm2key=(hd0,gpt1)/efi/grub/sealed-2.tpm --pcrs=7,11
  cryptomount -u <PART2_UUID> -P tpm2

If a user does not initialize the key protector and attempts to use it
anyway, the protector returns an error.

Before unsealing the key, the TPM2 key protector follows the "TPMPolicy"
sequences to enforce the TPM policy commands to construct a valid policy
digest to unseal the key.

For the TPM 2.0 Key files, "authPolicy" may contain multiple "TPMPolicy"
sequences; the TPM2 key protector iterates "authPolicy" to find a valid
sequence to unseal the key. If "authPolicy" is empty or all sequences in
"authPolicy" fail, the protector tries the one from "policy". In case
"policy" is also empty, the protector creates a "TPMPolicy" sequence
based on the given PCR selection.

For the raw sealed key, the TPM2 key protector treats the key file as a
TPM 2.0 Key file without "authPolicy" and "policy", so the "TPMPolicy"
sequence is always based on the PCR selection from the command
parameters.

This commit only supports one policy command: TPM2_PolicyPCR. The
command set will be extended to support advanced features, such as
authorized policy, in the later commits.

Cc: James Bottomley <jejb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago tss2: Add TPM2 Software Stack (TSS2) support
Gary Lin [Fri, 15 Nov 2024 07:34:50 +0000 (15:34 +0800)] 
tss2: Add TPM2 Software Stack (TSS2) support

A Trusted Platform Module (TPM) Software Stack (TSS) provides logic to
compose and submit TPM commands and parse responses.

A limited number of TPM commands may be accessed via the EFI TCG2
protocol. This protocol exposes functionality that is primarily geared
toward TPM usage within the context of Secure Boot. For all other TPM
commands, however, such as sealing and unsealing, this protocol does not
provide any help, with the exception of passthrough command submission.

The SubmitCommand method allows a caller to send raw commands to the
system's TPM and to receive the corresponding response. These
command/response pairs are formatted using the TPM wire protocol. To
construct commands in this way, and to parse the TPM's response, it is
necessary to, first, possess knowledge of the various TPM structures, and,
second, of the TPM wire protocol itself.

As such, this patch includes implementations of various grub_tpm2_* functions
(inventoried below), and logic to write and read command and response
buffers, respectively, using the TPM wire protocol.

Functions:
  - grub_tpm2_create(),
  - grub_tpm2_createprimary(),
  - grub_tpm2_evictcontrol(),
  - grub_tpm2_flushcontext(),
  - grub_tpm2_load(),
  - grub_tpm2_pcr_read(),
  - grub_tpm2_policygetdigest(),
  - grub_tpm2_policypcr(),
  - grub_tpm2_readpublic(),
  - grub_tpm2_startauthsession(),
  - grub_tpm2_unseal(),
  - grub_tpm2_loadexternal(),
  - grub_tpm2_hash(),
  - grub_tpm2_verifysignature(),
  - grub_tpm2_policyauthorize(),
  - grub_tpm2_testparms().

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago tss2: Add TPM2 types and Marshal/Unmarshal functions
Gary Lin [Fri, 15 Nov 2024 07:34:49 +0000 (15:34 +0800)] 
tss2: Add TPM2 types and Marshal/Unmarshal functions

This commit adds the necessary TPM2 types and structs as the preparation
for the TPM2 Software Stack (TSS2) support. The Marshal/Unmarshal
functions are also added to handle the data structure to be submitted to
TPM2 commands and to be received from the response.

Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago tss2: Add TPM2 buffer handling functions
Gary Lin [Fri, 15 Nov 2024 07:34:48 +0000 (15:34 +0800)] 
tss2: Add TPM2 buffer handling functions

As the preparation to support TPM2 Software Stack (TSS2), this commit
implements the TPM2 buffer handling functions to pack data for the TPM2
commands and unpack the data from the response.

Cc: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago key_protector: Add key protectors framework
Hernan Gatta [Fri, 15 Nov 2024 07:34:47 +0000 (15:34 +0800)] 
key_protector: Add key protectors framework

A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector may
accept parameters that describe how it should operate.

The key protectors framework, besides offering registration and
unregistration functions, also offers a one-stop routine for finding and
invoking a key protector by name. If a key protector with the specified
name exists and if an unlocking key is successfully retrieved by it, the
function returns to the caller the retrieved key and its length.

Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Hernan Gatta <hegatta@linux.microsoft.com>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Add the documentation
Gary Lin [Fri, 15 Nov 2024 07:34:46 +0000 (15:34 +0800)] 
libtasn1: Add the documentation

Document libtasn1 in docs/grub-dev.texi and add the upgrade steps.
Also add the patches to make libtasn1 compatible with GRUB code.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Test module for libtasn1
Daniel Axtens [Fri, 15 Nov 2024 07:34:45 +0000 (15:34 +0800)] 
asn1_test: Test module for libtasn1

Import tests from libtasn1 that use functionality we import.
This test module is integrated into functional_test so that the
user can run the test in GRUB shell.

This doesn't test the full decoder but that will be exercised in
test suites for coming patch sets.

Add testcase target in accordance with commit 5e10be48e5 (tests: Add
check-native and check-nonnative make targets).

Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Compile into asn1 module
Daniel Axtens [Fri, 15 Nov 2024 07:34:44 +0000 (15:34 +0800)] 
libtasn1: Compile into asn1 module

Create a wrapper file that specifies the module license.
Set up the makefile so it is built.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Enable the testcase only when GRUB_LONG_MAX is larger than GRUB_INT_MAX
Gary Lin [Fri, 15 Nov 2024 07:34:43 +0000 (15:34 +0800)] 
asn1_test: Enable the testcase only when GRUB_LONG_MAX is larger than GRUB_INT_MAX

There is a testcase to test the values larger than "int" but smaller
than "long". However, for some architectures, "long" and "int" are the
same and the compiler may issue a warning like this:

grub-core/tests/asn1/tests/Test_overflow.c:48:50: error: left shift of negative value [-Werror=shift-negative-value]
       unsigned long num = ((long) GRUB_UINT_MAX) << 2;
                                                  ^~

To avoid the unnecessary error, the testcase is enabled only when
GRUB_LONG_MAX is larger than GRUB_INT_MAX.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Use the grub-specific functions and types
Gary Lin [Fri, 15 Nov 2024 07:34:42 +0000 (15:34 +0800)] 
asn1_test: Use the grub-specific functions and types

This commit converts functions and types to the grub-specific ones:
  - LONG_MAX -> GRUB_LONG_MAX,
  - INT_MAX -> GRUB_INT_MAX,
  - UINT_MAX -> GRUB_UINT_MAX,
  - size_t -> grub_size_t,
  - memcmp() -> grub_memcmp(),
  - memcpy() -> grub_memcpy(),
  - free() -> grub_free(),
  - strcmp() -> grub_strcmp().

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Print the error messages with grub_printf()
Gary Lin [Fri, 15 Nov 2024 07:34:41 +0000 (15:34 +0800)] 
asn1_test: Print the error messages with grub_printf()

This commit replaces printf() and fprintf() with grub_printf() to print
the error messages for the testcases. Besides, asn1_strerror() is used
to convert the result code to strings instead of asn1_perror().

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Remove "verbose" and the unnecessary printf()
Gary Lin [Fri, 15 Nov 2024 07:34:40 +0000 (15:34 +0800)] 
asn1_test: Remove "verbose" and the unnecessary printf()

This commit removes the "verbose" variables and the unnecessary printf()
to simplify the output.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Return either 0 or 1 to reflect the results
Gary Lin [Fri, 15 Nov 2024 07:34:39 +0000 (15:34 +0800)] 
asn1_test: Return either 0 or 1 to reflect the results

Some testcases use exit() to end the test. Since all the asn1 testcases
are invoked as functions, this commit replaces exit() with return to
reflect the test results, so that the main test function can check the
results.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Rename the main functions to the test names
Gary Lin [Fri, 15 Nov 2024 07:34:38 +0000 (15:34 +0800)] 
asn1_test: Rename the main functions to the test names

This commit changes the main functions in the testcases to the test
names so that the real "main" test function can invoke them.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago asn1_test: Include asn1_test.h only
Gary Lin [Fri, 15 Nov 2024 07:34:37 +0000 (15:34 +0800)] 
asn1_test: Include asn1_test.h only

This commit removes all the headers and only uses asn1_test.h.
To avoid including int.h from grub-core/lib/libtasn1-grub/lib,
CONST_DOWN is defined in reproducers.c.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Fix the potential buffer overrun
Gary Lin [Fri, 15 Nov 2024 07:34:36 +0000 (15:34 +0800)] 
libtasn1: Fix the potential buffer overrun

In _asn1_tag_der(), the first while loop for the long form may end up
with a "k" value with "ASN1_MAX_TAG_SIZE" and cause the buffer overrun
in the second while loop. This commit tweaks the conditional check to
avoid producing a too large "k".

This is a quick fix and may differ from the official upstream fix.

libtasn1 issue: https://gitlab.com/gnutls/libtasn1/-/issues/49

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Use grub_divmod64() for division
Gary Lin [Fri, 15 Nov 2024 07:34:35 +0000 (15:34 +0800)] 
libtasn1: Use grub_divmod64() for division

Replace a 64-bit division with a call to grub_divmod64(), preventing
creation of __udivdi3() calls on 32-bit platforms.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Adjust the header paths in libtasn1.h
Gary Lin [Fri, 15 Nov 2024 07:34:34 +0000 (15:34 +0800)] 
libtasn1: Adjust the header paths in libtasn1.h

Since libtasn1.h is the header to be included by users, including the
standard POSIX headers in libtasn1.h would force the user to add the
CFLAGS/CPPFLAGS for the POSIX headers.

This commit adjusts the header paths to use the grub headers instead of
the standard POSIX headers, so that users only need to include
libtasn1.h to use libtasn1 functions.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Replace strcat() with _asn1_str_cat()
Gary Lin [Fri, 15 Nov 2024 07:34:33 +0000 (15:34 +0800)] 
libtasn1: Replace strcat() with _asn1_str_cat()

strcat() is not available in GRUB. This commit replaces strcat() and
_asn1_strcat() with the bounds-checking _asn1_str_cat().

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Replace strcat() with strcpy() in _asn1_str_cat()
Gary Lin [Fri, 15 Nov 2024 07:34:32 +0000 (15:34 +0800)] 
libtasn1: Replace strcat() with strcpy() in _asn1_str_cat()

strcat() is not available in GRUB. This commit replaces strcat() with
strcpy() in _asn1_str_cat() as the preparation to replace other strcat()
with the bounds-checking _asn1_str_cat().

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Disable code not needed in GRUB
Gary Lin [Fri, 15 Nov 2024 07:34:31 +0000 (15:34 +0800)] 
libtasn1: Disable code not needed in GRUB

We don't expect to be able to write ASN.1, only read it,
so we can disable some code.

Do that with #if 0/#endif, rather than deletion. This means
that the difference between upstream and GRUB is smaller,
which should make updating libtasn1 easier in the future.

With these exclusions we also avoid the need for minmax.h,
which is convenient because it means we don't have to
import it from gnulib.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago libtasn1: Import libtasn1-4.19.0
Daniel Axtens [Fri, 15 Nov 2024 07:34:30 +0000 (15:34 +0800)] 
libtasn1: Import libtasn1-4.19.0

Import a very trimmed-down set of libtasn1 files:

  curl -L -O https://ftp.gnu.org/gnu/libtasn1/libtasn1-4.19.0.tar.gz
  tar xvzf libtasn1-4.19.0.tar.gz
  rm -rf grub-core/lib/libtasn1
  mkdir -p grub-core/lib/libtasn1/lib
  mkdir -p grub-core/lib/libtasn1/tests
  cp libtasn1-4.19.0/{README.md,COPYING} grub-core/lib/libtasn1
  cp libtasn1-4.19.0/lib/{coding.c,decoding.c,element.c,element.h,errors.c,gstr.c,gstr.h,int.h,parser_aux.c,parser_aux.h,structure.c,structure.h} grub-core/lib/libtasn1/lib
  cp libtasn1-4.19.0/lib/includes/libtasn1.h grub-core/lib/libtasn1
  cp libtasn1-4.19.0/tests/{CVE-2018-1000654-1_asn1_tab.h,CVE-2018-1000654-2_asn1_tab.h,CVE-2018-1000654.c,object-id-decoding.c,object-id-encoding.c,octet-string.c,reproducers.c,Test_overflow.c,Test_simple.c,Test_strings.c} grub-core/lib/libtasn1/tests
  rm -rf libtasn1-4.19.0*

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago posix_wrap: Tweaks in preparation for libtasn1
Daniel Axtens [Fri, 15 Nov 2024 07:34:29 +0000 (15:34 +0800)] 
posix_wrap: Tweaks in preparation for libtasn1

Cc: Vladimir Serbinenko <phcoder@gmail.com>
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Stefan Berger <stefanb@linux.ibm.com>
10 months ago kern/fs: Honour file->read_hook() in grub_fs_blocklist_read()
Rasmus Villemoes [Thu, 29 Aug 2024 11:01:02 +0000 (13:01 +0200)] 
kern/fs: Honour file->read_hook() in grub_fs_blocklist_read()

Unlike files accessed via a normal file system, the file->read_hook() is
not honoured when using blocklist notation.

This means that when trying to use a dedicated, 1 KiB, raw partition
for the environment block and hence doing something like

  save_env --file=(hd0,gpt9)0+2 X Y Z

this fails with "sparse file not allowed", which is rather unexpected,
as I've explicitly said exactly which blocks should be used. Adding
a little debugging reveals that grub_file_size(file) is 1024 as expected,
but total_length is 0, simply because the callback was never invoked, so
blocklists is an empty list.

Fix that by honouring the ->read_hook() set by the caller, also when
a "file" is specified with blocklist notation.

Signed-off-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
10 months ago docs: Fix incorrect and potentially confusing language and minor formatting
Glenn Washburn [Fri, 6 Sep 2024 01:37:11 +0000 (20:37 -0500)] 
docs: Fix incorrect and potentially confusing language and minor formatting

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago docs: Correct GRUB config file name for network boot
Andrew Hamilton [Thu, 31 Oct 2024 00:24:54 +0000 (19:24 -0500)] 
docs: Correct GRUB config file name for network boot

Correct the documentation for the grub.cfg searching via network that
will be done based on ethernet type, -01, which was missing, and a given
MAC address.

Fixes: https://savannah.gnu.org/bugs/?65152
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago docs: Correct chainloader UEFI secure boot info
Andrew Hamilton [Thu, 31 Oct 2024 00:24:53 +0000 (19:24 -0500)] 
docs: Correct chainloader UEFI secure boot info

Correct documentation for UEFI secure boot to remove statement that
chainloader does not work with secure boot. This was fixed by the commit
6d05264 (kern/efi/sb: Add chainloaded image as shim's verifiable object).

Fixes: https://savannah.gnu.org/bugs/?62004
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago docs: Correct PXE environment variables descriptions
Andrew Hamilton [Thu, 31 Oct 2024 00:24:52 +0000 (19:24 -0500)] 
docs: Correct PXE environment variables descriptions

Correct documentation for pxe_default_server, pxe_default_gateway and
pxe_blksize. Only pxe_default_server is actually used (alias for
net_default_server). So, capture this and remove the other two.

Fixes: https://savannah.gnu.org/bugs/?54480
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago loader/multiboot: Do not add modules before successful download
Valentin Gehrke [Wed, 30 Oct 2024 17:12:56 +0000 (18:12 +0100)] 
loader/multiboot: Do not add modules before successful download

Multiboot modules that could not be read successfully, e.g. via network,
should not be added to the list of modules to forward to the operating
system that is to be booted subsequently.

This patch is necessary because even if a grub.cfg checks whether or not
a module was successfully downloaded, it is futile to retry a failed
download as the corrupted module will be forwarded either way.

Signed-off-by: Valentin Gehrke <valentin.gehrke@kernkonzept.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago grub-mkimage: Add SBAT metadata into ELF note for PowerPC targets
Sudhakar Kuppusamy [Wed, 23 Oct 2024 12:24:33 +0000 (17:54 +0530)] 
grub-mkimage: Add SBAT metadata into ELF note for PowerPC targets

The SBAT metadata is read from CSV file and transformed into an ELF note
with the -s option.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago grub-mkimage: Create new ELF note for SBAT
Sudhakar Kuppusamy [Wed, 23 Oct 2024 12:24:32 +0000 (17:54 +0530)] 
grub-mkimage: Create new ELF note for SBAT

In order to store the SBAT data we create a new ELF note. The string
".sbat", zero-padded to 4 byte alignment, shall be entered in the name
field. The string "SBAT"'s ASCII values, 0x53424154, should be entered
in the type field.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
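
The note layout described in this commit, as an added example in C (not code from grub-mkimage): it wraps a constructed SBAT CSV string in an ELF note named ".sbat" with type 0x53424154 and reads it back with bounds checks. Big-endian header words (a big-endian PowerPC target), the function names and the sample CSV are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SBAT_NOTE_NAME ".sbat"       /* name field given in the commit message */
#define SBAT_NOTE_TYPE 0x53424154u   /* ASCII "SBAT", given in the commit message */
#define NOTE_HDR_LEN   12u           /* namesz, descsz, type: three 32-bit words */
#define ALIGN4(x)      (((size_t) (x) + 3u) & ~(size_t) 3u)

/* Constructed sample SBAT CSV, not taken from any real image. */
static const char sample_sbat[] =
  "sbat,1,SBAT Version,sbat,1,https://example.invalid/SBAT.md\n"
  "grub,1,Example Vendor,grub,0.0,https://example.invalid/grub\n";

/* Assumption: header words are big-endian, as on a big-endian PowerPC target. */
static void put_be32 (uint8_t *p, uint32_t v)
{
  p[0] = (uint8_t) (v >> 24); p[1] = (uint8_t) (v >> 16);
  p[2] = (uint8_t) (v >> 8);  p[3] = (uint8_t) v;
}

static uint32_t get_be32 (const uint8_t *p)
{
  return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16)
         | ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Write header, zero-padded name and zero-padded descriptor into out.
   Returns the note size in bytes, or 0 if it does not fit. */
size_t sbat_note_build (const void *sbat, size_t sbat_len, uint8_t *out, size_t cap)
{
  size_t namesz = sizeof (SBAT_NOTE_NAME);   /* 6: ".sbat" plus its NUL */
  size_t name_pad = ALIGN4 (namesz);         /* 8 after 4-byte alignment */
  size_t desc_pad = ALIGN4 (sbat_len);
  size_t total;

  if (sbat_len > UINT32_MAX - 3u || cap < NOTE_HDR_LEN + name_pad
      || desc_pad > cap - NOTE_HDR_LEN - name_pad)
    return 0;
  total = NOTE_HDR_LEN + name_pad + desc_pad;
  memset (out, 0, total);                    /* supplies all padding bytes */
  put_be32 (out, (uint32_t) namesz);
  put_be32 (out + 4, (uint32_t) sbat_len);
  put_be32 (out + 8, SBAT_NOTE_TYPE);
  memcpy (out + NOTE_HDR_LEN, SBAT_NOTE_NAME, namesz);
  memcpy (out + NOTE_HDR_LEN + name_pad, sbat, sbat_len);
  return total;
}

/* Walk the notes in buf and return the SBAT descriptor, or NULL when the
   buffer is malformed, truncated or holds no SBAT note. */
const uint8_t *sbat_note_find (const uint8_t *buf, size_t len, size_t *desc_len)
{
  size_t off = 0;

  while (len - off >= NOTE_HDR_LEN)
    {
      uint32_t namesz = get_be32 (buf + off);
      uint32_t descsz = get_be32 (buf + off + 4);
      uint32_t type = get_be32 (buf + off + 8);
      size_t rem = len - off - NOTE_HDR_LEN;
      size_t name_pad = ALIGN4 (namesz);
      size_t desc_pad = ALIGN4 (descsz);
      const uint8_t *name = buf + off + NOTE_HDR_LEN;

      /* Reject sizes that wrap or that reach past the end of the buffer. */
      if (name_pad < namesz || name_pad > rem
          || desc_pad < descsz || desc_pad > rem - name_pad)
        return NULL;
      if (type == SBAT_NOTE_TYPE && namesz == sizeof (SBAT_NOTE_NAME)
          && memcmp (name, SBAT_NOTE_NAME, namesz) == 0)
        {
          *desc_len = descsz;
          return name + name_pad;
        }
      off += NOTE_HDR_LEN + name_pad + desc_pad;
    }
  return NULL;
}

/* Build a note from the sample, drop truncate_by trailing bytes, parse it.
   Returns the recovered descriptor length, or 0 on any failure. */
size_t sbat_demo_roundtrip (size_t truncate_by)
{
  uint8_t note[256];
  size_t desc_len = 0;
  size_t total = sbat_note_build (sample_sbat, sizeof (sample_sbat) - 1,
                                  note, sizeof (note));
  const uint8_t *desc;

  if (total == 0 || truncate_by > total)
    return 0;
  desc = sbat_note_find (note, total - truncate_by, &desc_len);
  if (desc == NULL || memcmp (desc, sample_sbat, desc_len) != 0)
    return 0;
  return desc_len;
}

int main (void)
{
  printf ("intact note: %zu descriptor bytes\n", sbat_demo_roundtrip (0));
  printf ("truncated note: %zu descriptor bytes\n", sbat_demo_roundtrip (1));
  return 0;
}
```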
11 months ago commands/legacycfg: Avoid closing file twice
Leo Sandoval [Wed, 16 Oct 2024 17:54:38 +0000 (11:54 -0600)] 
commands/legacycfg: Avoid closing file twice

An internal (at Red Hat) static source code scan detected a
use-after-free scenario:

  Error: USE_AFTER_FREE (CWE-416):
  grub-2.06/grub-core/commands/legacycfg.c:194: freed_arg: "grub_file_close" frees "file".
  grub-2.06/grub-core/commands/legacycfg.c:201: deref_arg: Calling "grub_file_close" dereferences freed pointer "file".
  #  199|         if (!args)
  #  200|    {
  #  201|->    grub_file_close (file);
  #  202|      grub_free (suffix);
  #  203|      grub_free (entrysrc);

So, remove the extra file close call.

Signed-off-by: Leo Sandoval <lsandova@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
11 months ago nx: Rename GRUB_DL_ALIGN to DL_ALIGN
Daniel Kiper [Wed, 16 Oct 2024 13:04:17 +0000 (15:04 +0200)] 
nx: Rename GRUB_DL_ALIGN to DL_ALIGN

Rename has been skipped by mistake in the original commit.

Fixes: 94649c026 (nx: Set page permissions for loaded modules)
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Tested-by: Sudeep Holla <sudeep.holla@arm.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
11 months ago kern/acpi: Fix out of bounds access in grub_acpi_xsdt_find_table()
Benjamin Herrenschmidt [Wed, 16 Oct 2024 05:20:24 +0000 (16:20 +1100)] 
kern/acpi: Fix out of bounds access in grub_acpi_xsdt_find_table()

The calculation of the size of the table was incorrect (copy/pasta from
grub_acpi_rsdt_find_table() I assume...). The entries are 64-bit long.

This causes us to access beyond the end of the table which is causing
crashes during boot on some systems. Typically this is causing a crash
on VMWare when using UEFI and enabling serial autodetection, as

  grub_acpi_find_table (GRUB_ACPI_SPCR_SIGNATURE);

will go past the end of the table (the SPCR table doesn't exist).

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Tested-by: Renata Ravanelli <rravanel@redhat.com>
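
The sizing mistake this commit describes, as an added example that is not GRUB's code: dividing the XSDT payload by the 4-byte RSDT entry size doubles the entry count, so a lookup for an absent table such as SPCR walks past the end of the table. Struct and function names are hypothetical and the tables are constructed in memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Standard 36-byte ACPI system description table header. */
struct acpi_header
{
  char     signature[4];
  uint32_t length;             /* size of the whole table, header included */
  uint8_t  revision;
  uint8_t  checksum;
  char     oem_id[6];
  char     oem_table_id[8];
  uint32_t oem_revision;
  uint32_t creator_id;
  uint32_t creator_revision;
} __attribute__ ((packed));

/* Constructed sample: an XSDT holding three 64-bit table addresses. */
struct sample_xsdt
{
  struct acpi_header hdr;
  uint64_t entry[3];
} __attribute__ ((packed));

static struct acpi_header sample_tables[3];
static struct sample_xsdt sample;

/* Number of entries that fit in the table for a given entry size.
   RSDT entries are 4 bytes, XSDT entries are 8 bytes. */
size_t entry_count (const struct acpi_header *t, size_t entry_size)
{
  if (t->length < sizeof (*t))
    return 0;                  /* malformed: shorter than its own header */
  return (t->length - sizeof (*t)) / entry_size;
}

/* Bounded XSDT lookup: the loop limit is derived from the 8-byte entry size,
   so a signature that is not present ends the search at the table's end. */
const struct acpi_header *xsdt_find (const struct acpi_header *xsdt,
                                     const char *sig)
{
  const uint8_t *p = (const uint8_t *) xsdt + sizeof (*xsdt);
  size_t n = entry_count (xsdt, sizeof (uint64_t));

  for (size_t i = 0; i < n; i++)
    {
      uint64_t addr;
      const struct acpi_header *t;

      memcpy (&addr, p + i * sizeof (addr), sizeof (addr)); /* may be unaligned */
      t = (const struct acpi_header *) (uintptr_t) addr;
      if (t != NULL && memcmp (t->signature, sig, 4) == 0)
        return t;
    }
  return NULL;
}

/* Fill in the constructed XSDT and the three tables it points to. */
const struct acpi_header *make_sample_xsdt (void)
{
  static const char *const sigs[3] = { "FACP", "APIC", "MCFG" };

  memset (&sample, 0, sizeof (sample));
  for (int i = 0; i < 3; i++)
    {
      memset (&sample_tables[i], 0, sizeof (sample_tables[i]));
      memcpy (sample_tables[i].signature, sigs[i], 4);
      sample_tables[i].length = sizeof (struct acpi_header);
      sample.entry[i] = (uint64_t) (uintptr_t) &sample_tables[i];
    }
  memcpy (sample.hdr.signature, "XSDT", 4);
  sample.hdr.length = sizeof (sample);
  return &sample.hdr;
}

int main (void)
{
  const struct acpi_header *xsdt = make_sample_xsdt ();

  printf ("payload bytes: %zu\n", (size_t) xsdt->length - sizeof (*xsdt));
  printf ("entries at 8 bytes each (XSDT): %zu\n", entry_count (xsdt, 8));
  printf ("entries at 4 bytes each (RSDT-style sizing): %zu\n",
          entry_count (xsdt, 4));
  printf ("SPCR present: %s\n", xsdt_find (xsdt, "SPCR") ? "yes" : "no");
  return 0;
}
```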
12 months ago nx: Set the NX compatible flag for the GRUB EFI images
Mate Kukri [Wed, 9 Oct 2024 08:16:42 +0000 (09:16 +0100)] 
nx: Set the NX compatible flag for the GRUB EFI images

For NX the GRUB binary has to announce that it is compatible with the
NX feature. This implies that when loading the executable GRUB image
several attributes are true:
  - the binary doesn't need an executable stack,
  - the binary doesn't need sections to be both executable and writable,
  - the binary knows how to use the EFI Memory Attributes Protocol on code
    it is loading.

This patch:
  - adds a definition for the PE DLL Characteristics flag GRUB_PE32_NX_COMPAT,
  - changes grub-mkimage to set that flag.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago nx: Set page permissions for loaded modules
Mate Kukri [Wed, 9 Oct 2024 08:16:41 +0000 (09:16 +0100)] 
nx: Set page permissions for loaded modules

For NX we need to set write and executable permissions on the sections
of GRUB modules when we load them. All allocatable sections are marked
readable. In addition:
  - SHF_WRITE sections are marked as writable,
  - and SHF_EXECINSTR sections are marked as executable.

Where relevant for the platform the tramp and GOT areas are marked non-writable.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago nx: Add memory attribute get/set API
Mate Kukri [Wed, 9 Oct 2024 08:16:40 +0000 (09:16 +0100)] 
nx: Add memory attribute get/set API

For NX we need to set the page access permission attributes for write
and execute permissions. This patch adds two new primitives, grub_set_mem_attrs()
and grub_clear_mem_attrs(), and associated constants definitions used
for that purpose. For most platforms it adds a dummy implementation.
On EFI platforms it implements the primitives using the EFI Memory
Attribute Protocol, defined in UEFI 2.10 specification.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago modules: Load module sections at page-aligned addresses
Mate Kukri [Wed, 9 Oct 2024 08:16:39 +0000 (09:16 +0100)] 
modules: Load module sections at page-aligned addresses

Currently we load module sections at whatever alignment gcc+ld happened
to dump into the ELF section header which is often less than the page
size. Since NX protections are page based this alignment must be rounded
up to page size on platforms supporting NX protections. This patch
switches EFI platforms to load module sections at 4 KiB page-aligned
addresses. It then changes the allocation size computation and the
loader code in grub_dl_load_segments() to align the locations and sizes
up to these boundaries and fills any added padding with zeros. All of
this happens before relocations are applied, so the relocations factor
that in with no change.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Laszlo Ersek <lersek@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago modules: Don't allocate space for non-allocable sections
Peter Jones [Wed, 9 Oct 2024 08:16:38 +0000 (09:16 +0100)] 
modules: Don't allocate space for non-allocable sections

Currently when loading GRUB modules we allocate space for all sections
including those without SHF_ALLOC set. We then copy the sections that
/do/ have SHF_ALLOC set into the allocated memory leaving some of our
allocation untouched forever. Additionally, on platforms with GOT fixups
and trampolines we currently compute alignment round-ups for the
sections and sections with sh_size = 0. This patch removes the extra
space from the allocation computation and makes the allocation
computation loop skip empty sections as the loading loop does.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-By: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago modules: Strip .llvm_addrsig sections and similar
Peter Jones [Wed, 9 Oct 2024 08:16:37 +0000 (09:16 +0100)] 
modules: Strip .llvm_addrsig sections and similar

Currently GRUB modules built with Clang or GCC have several sections
which we don't actually need or support. We already have a list of
sections to skip in genmod.sh and this patch adds the following
sections to that list (as well as a few newlines):
  - .note.gnu.property
  - .llvm*

Note that the glob there won't work without a new enough linker but the
failure is just reversion to the status quo. So, that's not a big problem.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-By: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago modules: Make .module_license read-only
Peter Jones [Wed, 9 Oct 2024 08:16:36 +0000 (09:16 +0100)] 
modules: Make .module_license read-only

Currently .module_license is set writable, that is, the section has the
SHF_WRITE flag set, in the module's ELF headers. This probably never
actually matters but it can't possibly be correct. The patch sets that
data as "const" which causes that flag not to be set.

Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Jan Setje-Eilers <jan.setjeeilers@oracle.com>
Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-By: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global
Daniel Kiper [Sun, 6 Oct 2024 14:14:46 +0000 (17:14 +0300)] 
i386/memory: Rename PAGE_SIZE to GRUB_PAGE_SIZE and make it global

This is an x86-specific thing and should be available globally.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT
Daniel Kiper [Sun, 6 Oct 2024 14:14:45 +0000 (17:14 +0300)] 
i386/memory: Rename PAGE_SHIFT to GRUB_PAGE_SHIFT

This fixes naming inconsistency that goes against coding style as well
as helps to avoid potential conflicts and confusion as this constant is
used in multiple places.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago i386/msr: Extract and improve MSR support detection code
Daniel Kiper [Sun, 6 Oct 2024 14:14:44 +0000 (17:14 +0300)] 
i386/msr: Extract and improve MSR support detection code

Currently rdmsr and wrmsr commands have their own MSR support detection code.
This code is the same. So, it is duplicated. Additionally, this code
cannot be reused by others. Hence, extract this code to a function and
make it public. By the way, improve the code a bit.

Additionally, use GRUB_ERR_BAD_DEVICE instead of GRUB_ERR_BUG to signal
an error because errors encountered by this new routine are not bugs.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago i386/msr: Rename grub_msr_read() and grub_msr_write()
Daniel Kiper [Sun, 6 Oct 2024 14:14:43 +0000 (17:14 +0300)] 
i386/msr: Rename grub_msr_read() and grub_msr_write()

Use more obvious names which match corresponding instructions:
  * grub_msr_read()  => grub_rdmsr(),
  * grub_msr_write() => grub_wrmsr().

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago i386/msr: Merge rdmsr.h and wrmsr.h into msr.h
Daniel Kiper [Sun, 6 Oct 2024 14:14:42 +0000 (17:14 +0300)] 
i386/msr: Merge rdmsr.h and wrmsr.h into msr.h

It does not make sense to have separate headers for individual static
functions. So, make one common place to store them.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Signed-off-by: Sergii Dmytruk <sergii.dmytruk@3mdeb.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago commands/tpm: Skip loopback image measurement
Michael Chang [Thu, 3 Oct 2024 07:23:22 +0000 (15:23 +0800)] 
commands/tpm: Skip loopback image measurement

The loopback image is configured to function as a disk by being mapped
as a block device. Instead of measuring the entire block device we
should focus on tracking the individual files accessed from it. For
example, we do not directly measure block devices like hd0 disk but the
files opened from it.

This method is important to avoid running out of memory since loopback
images can be very large. Trying to read and measure the whole image at
once could cause out of memory errors and disrupt the boot process.

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago net/drivers/efi/efinet: Skip virtual VLAN devices during card enumeration
Michael Chang [Thu, 3 Oct 2024 07:23:15 +0000 (15:23 +0800)] 
net/drivers/efi/efinet: Skip virtual VLAN devices during card enumeration

Similarly to the issue described in commit c52ae4057 (efinet: skip
virtual IPv4 and IPv6 devices during card enumeration) the UEFI PXE
driver creates additional VLAN child devices when a VLAN ID is
configured on a network interface associated with a physical NIC. These
virtual VLAN devices must be skipped during card enumeration to ensure
that the subsequent SNP exclusive open operation targets the correct
physical card instances. Otherwise packet transfer would fail.

A device path example with VLAN nodes:

  /MAC(123456789ABC,0x1)/Vlan(20)/IPv4(0.0.0.0,0x0,DHCP,0.0.0.0,0.0.0.0,0.0.0.0)

Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago efi/console: Properly clear leftover artifacts from the screen
Michael Chang [Thu, 3 Oct 2024 07:23:08 +0000 (15:23 +0800)] 
efi/console: Properly clear leftover artifacts from the screen

A regression in GRUB 2.12 causes the GRUB screen to become cluttered
with artifacts from the previous screen whether it's the UEFI post UI,
UEFI shell or any graphical UI running before GRUB. This issue occurs
in situations like booting GRUB from the UEFI shell and going straight
to the rescue or command shell causing visual discomfort.

The regression was introduced by commit 2d7c3abd8 (efi/console: Do not
set text-mode until it is actually needed). To address the screen
flickering issue this commit suppresses the text-mode setting until the
first output is requested. Before text-mode is set any attempt to clear
the screen has no effect. This inactive period renders the clear screen
ineffective in early boot stages, potentially leaving leftover artifacts
that will clutter the GRUB console display, as there is no guarantee
there will always be a clear screen after the first output.

The issue is fixed by ensuring grub_console_cls() works through lazy
mode-setting, while also avoiding screen clearing for the hidden menu
which the flicker-free patch aims to improve.

Fixes: 2d7c3abd8 (efi/console: Do not set text-mode until we actually need it)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
12 months ago kern/riscv/efi/init: Use time register in grub_efi_get_time_ms()
Heinrich Schuchardt [Mon, 12 Aug 2024 14:13:18 +0000 (16:13 +0200)] 
kern/riscv/efi/init: Use time register in grub_efi_get_time_ms()

The cycle register is not guaranteed to count at constant frequency.
Whether it is counting at all depends on the state of the performance monitoring
unit. Use the time register to measure time.

Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago loader/efi/linux: Reset freed pointer
Frediano Ziglio [Tue, 3 Sep 2024 15:15:47 +0000 (16:15 +0100)] 
loader/efi/linux: Reset freed pointer

Avoid dangling pointer. Code should not be reached but better safe than sorry.

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago loader/efi/linux: Reuse len variable
Frediano Ziglio [Tue, 3 Sep 2024 15:15:46 +0000 (16:15 +0100)] 
loader/efi/linux: Reuse len variable

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago lib/x86_64/relocator_asm: Use .quad instead of .long
Frediano Ziglio [Tue, 3 Sep 2024 08:00:30 +0000 (09:00 +0100)] 
lib/x86_64/relocator_asm: Use .quad instead of .long

They are single 64-bit values. Used in other assembly files too.

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago lib/x86_64/relocator_asm: Fix comment in code
Frediano Ziglio [Tue, 3 Sep 2024 08:00:29 +0000 (09:00 +0100)] 
lib/x86_64/relocator_asm: Fix comment in code

The instruction uses a 64-bit immediate.

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago loader/efi/linux: Update comment
Frediano Ziglio [Tue, 3 Sep 2024 08:00:27 +0000 (09:00 +0100)] 
loader/efi/linux: Update comment

The function called is grub_utf8_to_utf16().

Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago util/grub-mkimagexx: Explicitly move modules to __bss_start for MIPS targets
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:52 +0000 (20:58 +0300)] 
util/grub-mkimagexx: Explicitly move modules to __bss_start for MIPS targets

Assembly code looks for modules at __bss_start. Make this position explicit
rather than matching BSS alignment and module alignment.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago include/grub/offsets.h: Set mod_align to 4 on MIPS
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:51 +0000 (20:58 +0300)] 
include/grub/offsets.h: Set mod_align to 4 on MIPS

Module structure has natural alignment of 4. Respect it explicitly
rather than relying on the fact that _end is usually aligned.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago gentpl: Put boot/mips/startup_raw.S into beginning of the image
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:50 +0000 (20:58 +0300)] 
gentpl: Put boot/mips/startup_raw.S into beginning of the image

Otherwise it breaks the decompressors for MIPS targets.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago configure: Add -mno-gpopt option for mips and mipsel targets
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:49 +0000 (20:58 +0300)] 
configure: Add -mno-gpopt option for mips and mipsel targets

Without it compiler generates GPREL16 references which do not work
with our memory layout.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago lib/xzembed/xz_dec_bcj: Silence warning when no BCJ is available
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:48 +0000 (20:58 +0300)] 
lib/xzembed/xz_dec_bcj: Silence warning when no BCJ is available

BCJ is not available for all platforms hence arguments may end up unused.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago fs/erofs: Replace 64-bit modulo with bitwise operations
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:47 +0000 (20:58 +0300)] 
fs/erofs: Replace 64-bit modulo with bitwise operations

Otherwise depending on compiler we end up with umoddi3 reference and
failed module dependency resolution.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago configure: Look for .otf fonts
Vladimir Serbinenko [Tue, 3 Sep 2024 17:58:46 +0000 (20:58 +0300)] 
configure: Look for .otf fonts

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago loader/efi/chainloader: Do not print device path of chainloaded file
Mate Kukri [Thu, 15 Aug 2024 09:52:56 +0000 (10:52 +0100)] 
loader/efi/chainloader: Do not print device path of chainloaded file

Users have no reason to see this and it can break graphical boot.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago docs: Document all GRUB modules
Andrew Hamilton [Sun, 4 Aug 2024 16:32:51 +0000 (11:32 -0500)] 
docs: Document all GRUB modules

Add documentation for all GRUB modules contained in the source code tree.
When possible, cross-references to additional detail on commands were added
from their corresponding module documentation. In addition, documentation
for the file command was added.

Signed-off-by: Andrew Hamilton <adhamilt@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
13 months ago commands/bli: Fix crash in get_part_uuid()
Michael Chang [Wed, 17 Jul 2024 06:46:46 +0000 (14:46 +0800)] 
commands/bli: Fix crash in get_part_uuid()

The get_part_uuid() function made an assumption that the target GRUB
device is a partition device and accessed device->disk->partition
without checking for NULL. There are four situations where this
assumption is problematic:

1. The device is a net device instead of a disk.
2. The device is an abstraction device, like LVM, RAID, or CRYPTO, which
   is mostly logical "disk" ((lvmid/<UUID>) and so on).
3. Firmware RAID may present the ESP to GRUB as an EFI disk (hd0) device
   if it is contained within a Linux software RAID.
4. When booting from a CD-ROM, the ESP is a VFAT image indexed by the El
   Torito boot catalog. The boot device is set to (cd0), corresponding
   to the CD-ROM image mounted as an ISO 9660 filesystem.

As a result, get_part_uuid() could lead to a NULL pointer dereference
and trigger a synchronous exception during boot if the ESP falls into
one of these categories. This patch fixes the problem by adding the
necessary checks to handle cases where the ESP is not a partition device.

Additionally, to avoid disrupting the boot process, this patch relaxes
the severity of the errors in this context to non-critical. Errors will
be logged, but they will not prevent the boot process from continuing.

Fixes: e0fa7dc84 (bli: Add a module for the Boot Loader Interface)
Signed-off-by: Michael Chang <mchang@suse.com>
Reviewed-By: Oliver Steffen <osteffen@redhat.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago util/grub-mkrescue: Check existence of option arguments
Thomas Schmitt [Mon, 17 Jun 2024 19:03:00 +0000 (21:03 +0200)] 
util/grub-mkrescue: Check existence of option arguments

As reported by Victoriia Egorova in bug 65880, grub-mkrescue does not
verify that the expected argument of an option like -d or -k does really
exist in argv. So, check the loop counter before incrementing it inside
the loop which copies argv to argp_argv. Issue an error message similar
to what older versions of grub-mkrescue did with a missing argument,
e.g. 2.02.

Fixes: https://savannah.gnu.org/bugs/index.php?65880
Signed-off-by: Thomas Schmitt <scdbackup@gmx.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago loader/efi/fdt: Add fdtdump command to access device tree
Tobias Heider [Mon, 17 Jun 2024 15:10:26 +0000 (17:10 +0200)] 
loader/efi/fdt: Add fdtdump command to access device tree

The fdtdump command allows dumping arbitrary device tree properties
and saving them to a variable similar to the smbios command.

This is useful in scripts where further actions such as selecting
a kernel or loading another device tree depend on the compatible
or model values of the device tree provided by the firmware.

For now only the root level properties of the dtb are exposed.

Signed-off-by: Tobias Heider <tobias.heider@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago osdep/devmapper/getroot: Unmark 2 strings for translation
Vladimir Serbinenko [Mon, 17 Jun 2024 12:59:56 +0000 (15:59 +0300)] 
osdep/devmapper/getroot: Unmark 2 strings for translation

First they use macros so they can't be translated as-is.
Second there is no point in translating them as they're too technical.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago loader/emu/linux: Fix determination of program name
Vladimir Serbinenko [Mon, 17 Jun 2024 12:56:31 +0000 (15:56 +0300)] 
loader/emu/linux: Fix determination of program name

Current code works only if package matches binary name transformation rules.
It's often true but is not guaranteed.

Fixes: https://savannah.gnu.org/bugs/?64410
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago disk/cryptodisk: Fix translatable message
Vladimir Serbinenko [Mon, 17 Jun 2024 12:56:30 +0000 (15:56 +0300)] 
disk/cryptodisk: Fix translatable message

Fixes: https://savannah.gnu.org/bugs/?64408
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests: Add test for ZFS zstd
Vladimir Serbinenko [Mon, 17 Jun 2024 11:44:09 +0000 (14:44 +0300)] 
tests: Add test for ZFS zstd

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago fs/zfs/zfs: Add support for zstd compression
Vladimir Serbinenko [Mon, 17 Jun 2024 11:44:08 +0000 (14:44 +0300)] 
fs/zfs/zfs: Add support for zstd compression

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago kern/efi/mm: Detect calls to grub_efi_drop_alloc() with wrong page counts
Mate Kukri [Wed, 12 Jun 2024 15:14:21 +0000 (16:14 +0100)] 
kern/efi/mm: Detect calls to grub_efi_drop_alloc() with wrong page counts

Silently keeping entries in the list if the address matches, but the
page count doesn't is a bad idea, and can lead to double frees.

grub_efi_free_pages() has already freed parts of this block by this
point, and thus keeping the whole block in the list and freeing it again
at exit can lead to double frees.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago kern/efi/mm: Change grub_efi_allocate_pages_real() to call semantically correct free...
Mate Kukri [Wed, 12 Jun 2024 15:10:50 +0000 (16:10 +0100)] 
kern/efi/mm: Change grub_efi_allocate_pages_real() to call semantically correct free function

If the firmware happens to return 0 as an address of allocated pages,
grub_efi_allocate_pages_real() tries to allocate a new set of pages,
and then free the ones at address 0.

However at that point grub_efi_store_alloc() wasn't yet called, so
freeing the pages at 0 using grub_efi_free_pages() which calls
grub_efi_drop_alloc() isn't necessary, so let's call b->free_pages()
instead.

The call to grub_efi_drop_alloc() doesn't seem particularly harmful,
because it seems to do nothing if the allocation it is asked to drop
isn't on the list, but the call to it is obviously unnecessary here.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago kern/efi/mm: Change grub_efi_mm_add_regions() to keep track of map allocation size
Mate Kukri [Wed, 12 Jun 2024 15:10:49 +0000 (16:10 +0100)] 
kern/efi/mm: Change grub_efi_mm_add_regions() to keep track of map allocation size

If the map was too big for the initial allocation, it was freed and replaced
with a bigger one, but the free call still used the hard-coded size.

Seems like this wasn't hit for a long time, because most firmware maps
fit into 12K.

This bug was triggered on Project Mu firmware with a big memory map, and
results in the heap getting trashed and the firmware ASSERTING on
corrupted heap guard values when GRUB exits.

Signed-off-by: Mate Kukri <mate.kukri@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests/util/grub-fs-tester: Fix EROFS label tests in grub-fs-tester
Yifan Zhao [Wed, 12 Jun 2024 07:28:41 +0000 (15:28 +0800)] 
tests/util/grub-fs-tester: Fix EROFS label tests in grub-fs-tester

mkfs.erofs with version < 1.6 does not support the -L option.
Let's detect the version of mkfs.erofs and skip the label tests
if it is not supported.

Suggested-by: Glenn Washburn <development@efficientek.com>
Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests: Switch to requiring exfatprogs from exfat-utils
Glenn Washburn [Sun, 9 Jun 2024 04:42:43 +0000 (23:42 -0500)] 
tests: Switch to requiring exfatprogs from exfat-utils

The current Debian stable, now 12, has dropped the exfat-utils package
that the exfat filesystem test requires to run. There is an exfatprogs
package that replaces exfat-utils, though it is not a drop-in replacement
because mkfs.exfat has differing command line option names. Note, that
we're not yet switching to using the exfat kernel module because this
allows testing on kernels that do not have the module.

Update mkfs.exfat usage to adhere to the different exfatprogs usage. Also,
the exfatprogs mkfs.exfat, following the exfat specification more closely,
only allows a maximum of 22 bytes of UTF-16 characters in the volume label
compared to 30 bytes from exfat-utils. So the exfat label test is updated
accordingly.

Update documentation to note that exfatprogs is now needed and also
exfat-fuse, which is needed to do the fuse mount.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests/util/grub-shell-luks-tester: Fix detached header test getting wrong header...
Glenn Washburn [Sun, 9 Jun 2024 04:22:05 +0000 (23:22 -0500)] 
tests/util/grub-shell-luks-tester: Fix detached header test getting wrong header path

When $detached_header was set to 1, $luksdiskfile was set to the LUKS header
file path with "${detached_header:-$luksfile}" appended, which evaluates
to "1". Fix this by using two statements to set $luksdiskfile. The first
sets it to the header file if $detached_header is set, otherwise leave it
unset. The second statement sets it to itself if it is already set,
otherwise it is set to $luksfile.

Fixes: a7b540e6e (tests: Add cryptomount functional test)
Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests/util/grub-shell: Add flexibility in QEMU firmware handling
Glenn Washburn [Sun, 9 Jun 2024 02:42:35 +0000 (21:42 -0500)] 
tests/util/grub-shell: Add flexibility in QEMU firmware handling

First look for firmware files in the source directory and then, if not
found, look for them in locations where Debian installs them. Prefer to
use the unified firmware file and, if not found, use the pflash firmware
files split into code and variables. By looking for files in the source
directory first, system firmware files can be overridden and it can be
ensured that the tests can be run regardless of the distro or where the
system firmware files are stored. If no firmware files are found, print
an error message and exit with error.

If a firmware VARS file is found, use it with snapshot mode enabled, which
makes the VARS writable to the virtual machine, but does not write back
the changes to the file. This allows using the readonly system VARS file
without copying it or using it in readonly mode, which causes the ARM
machine to fail. This also gives tests effectively their own ephemeral VARS
file that can be written to without causing side-effects for other tests.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests/util/grub-shell: Use pflash instead of -bios to load UEFI firmware
Glenn Washburn [Sun, 9 Jun 2024 02:42:34 +0000 (21:42 -0500)] 
tests/util/grub-shell: Use pflash instead of -bios to load UEFI firmware

According to the OVMF whitepaper [1]:

  IMPORTANT: Never pass OVMF.fd to qemu with the -bios option. That option
  maps the firmware image as ROM into the guest's address space, and forces
  OVMF to emulate non-volatile variables with a fallback driver that is
  bound to have insufficient and confusing semantics.

Use the pflash interface instead. Currently the unified firmware file is
used, which contains both firmware code and variable sections. By enabling
snapshot on the pflash device, the firmware can be loaded in such a way
that variables can be written to without writing to the backing file.

Since pflash does no searching for firmware paths that are not absolute,
unlike the -bios option, also make firmware paths absolute. Additionally,
update the previous firmware paths or file names that did not correspond to
ones installed by Debian.

Use the q35 machine, instead of the default i440fx, for i386-efi because
the default machine type does not emulate a flash device, which is now
needed to load the firmware.

[1] http://www.linux-kvm.org/downloads/lersek/ovmf-whitepaper-c770f8c.txt

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago tests/util/grub-shell: Print gdbinfo if on EFI platform
Glenn Washburn [Sun, 9 Jun 2024 02:22:31 +0000 (21:22 -0500)] 
tests/util/grub-shell: Print gdbinfo if on EFI platform

Allow using GDB to debug a failing QEMU test. This output does not cause
issues for tests because it happens before the trim line, and so will be
ignored.

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago configure: Add Debian/Ubuntu DejaVu font path
Glenn Washburn [Sat, 8 Jun 2024 22:44:15 +0000 (17:44 -0500)] 
configure: Add Debian/Ubuntu DejaVu font path

Signed-off-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago term/ns8250-spcr: Add one more 16550 debug type
Udo Steinberg [Fri, 7 Jun 2024 21:44:43 +0000 (23:44 +0200)] 
term/ns8250-spcr: Add one more 16550 debug type

Type 0x01 was introduced with the ACPI DBGP table and type 0x12 was introduced
with the ACPI DBG2 table. Type 0x12 is used by the ACPI SPCR table on recent
AWS bare-metal instances (c6i/c7i). Also give each debug type a proper name.

Signed-off-by: Udo Steinberg <udo@hypervisor.org>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago loader/i386/multiboot_mbi: Fix handling of errors in broken aout-kludge
Vladimir Serbinenko [Fri, 17 May 2024 07:53:27 +0000 (10:53 +0300)] 
loader/i386/multiboot_mbi: Fix handling of errors in broken aout-kludge

Current code in some codepaths neither discards nor reports errors.
Properly surface the error.

While at it, split 2 cases of unrelated variables both named err.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago net/drivers/ieee1275/ofnet: Remove 200 ms timeout in get_card_packet() to reduce...
Michael Chang [Mon, 6 May 2024 02:34:22 +0000 (10:34 +0800)] 
net/drivers/ieee1275/ofnet: Remove 200 ms timeout in get_card_packet() to reduce input latency

When a GRUB image is netbooted on ppc64le, the keyboard input exhibits
significant latency; reports even say that characters are processed
about once per second. This issue makes interactively trying to debug
a ppc64le config very difficult.

It seems that the latency is largely caused by a 200 ms timeout in the
idle event loop, during which the network card interface is consistently
polled for incoming packets. Often, no packets arrive during this
period, so the timeout nearly always expires, which blocks the response
to key inputs.

Furthermore, this 200 ms timeout might not need to be enforced at this
basic layer, considering that GRUB performs synchronous reads and its
timeout management is actually handled by higher layers, not directly in
the card instance. Additionally, the idle polling, which reacts to
unsolicited packets like ICMP and SLAAC, would be fine at a less frequent
polling interval, rather than needing a timeout for receiving a response.

For these reasons, we believe the timeout in get_card_packet() should be
effectively removed. According to test results, the delay has disappeared,
and it is now much easier to use interactively.

Signed-Off-by: Michael Chang <mchang@suse.com>
Tested-by: Tony Jones <tonyj@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago commands/efi/tpm: Re-enable measurements on confidential computing platforms
Hector Cao [Mon, 3 Jun 2024 21:36:25 +0000 (23:36 +0200)] 
commands/efi/tpm: Re-enable measurements on confidential computing platforms

The measurements for confidential computing have been introduced in the
commit 4c76565b6 (efi/tpm: Add EFI_CC_MEASUREMENT_PROTOCOL support).
Recently the patch 30708dfe3 (tpm: Disable the tpm verifier if the TPM
device is not present) has been introduced to optimize the memory usage
when a TPM device is not available on platforms. This fix prevents the
tpm module from being loaded on confidential computing platforms, e.g. Intel
machines with TDX enabled, where the TPM device is not available.

In this patch, we propose to load the tpm module for this use case by
generalizing the tpm feature detection in order to cover CC platforms.
Basically, we do it by detecting the availability of the
EFI_CC_MEASUREMENT_PROTOCOL EFI protocol.

Fixes: https://savannah.gnu.org/bugs/?65821
Fixes: 30708dfe3 (tpm: Disable the tpm verifier if the TPM device is not present)
Signed-off-by: Hector Cao <hector.cao@canonical.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Kuppuswamy Sathyanarayanan <sathyanarayanan.kuppuswamy@linux.intel.com>
16 months ago util/grub-mkpasswd-pbkdf2: Simplify the main function implementation
Tianjia Zhang [Mon, 27 May 2024 12:42:04 +0000 (20:42 +0800)] 
util/grub-mkpasswd-pbkdf2: Simplify the main function implementation

Allocate memory if needed, while saving the corresponding release
operation, reducing the amount of code and code complexity.

Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power
Avnish Chouhan [Thu, 23 May 2024 13:13:14 +0000 (18:43 +0530)] 
kern/ieee1275/init: Add IEEE 1275 Radix support for KVM on Power

This patch adds support for Radix, Xive and Radix_gtse in Options
vector5 which is required for KVM LPARs. KVM LPARs ONLY support
Radix and not the Hash. Not enabling Radix on any PowerVM KVM LPARs
will result in boot failure.

Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago fs/zfs/zfs: Mark vdev_zaps_v2 and head_errlog as supported
Vladimir Serbinenko [Thu, 16 May 2024 19:27:41 +0000 (22:27 +0300)] 
fs/zfs/zfs: Mark vdev_zaps_v2 and head_errlog as supported

We don't need any actual adjustments as we don't use the affected structures.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago types: Add missing casts in compile-time byteswaps
Vladimir Serbinenko [Thu, 16 May 2024 19:22:58 +0000 (22:22 +0300)] 
types: Add missing casts in compile-time byteswaps

Without them, e.g., 0x80LL on 64-bit target is 32-bit byte-swapped to
0xffffffff80000000 instead of correct 0x80000000.

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago font: Add Fedora-specific font paths
Vladimir Serbinenko [Thu, 16 May 2024 19:03:29 +0000 (22:03 +0300)] 
font: Add Fedora-specific font paths

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago fs/bfs: Fix improper grub_free() on non-existing files
Vladimir Serbinenko [Thu, 16 May 2024 18:37:49 +0000 (21:37 +0300)] 
fs/bfs: Fix improper grub_free() on non-existing files

Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago io/gzio: Properly init a table
Daniel Axtens [Sun, 12 May 2024 14:32:09 +0000 (00:32 +1000)] 
io/gzio: Properly init a table

ARRAY_SIZE() is the count of elements, but the element size is 4 bytes, so
this was only initing the first 1/4th of the table. Detected with valgrind.

This should only matter in error paths, and I've not been able to identify
any actual misbehaviour that results from reading in-bounds but uninited data.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
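
The bug class described in the commit message above, reproduced as an added example (not GRUB's code and not part of the commit): a byte-length initializer is handed an element count. The table, its 64-entry size, the poison value and the helper names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARRAY_SIZE(a) (sizeof (a) / sizeof ((a)[0]))
#define POISON 0xA5A5A5A5u      /* constructed marker for stale memory */

/* Hypothetical 64-entry table of 4-byte elements (not GRUB's table). */
static uint32_t table[64];

/* Zero nbytes bytes at p: the length is in bytes, like memset(). */
static void zero_bytes (void *p, size_t nbytes)
{
  memset (p, 0, nbytes);
}

/* Poison the table, run one init variant, count entries left stale. */
static size_t stale_after_init (size_t init_len)
{
  size_t i, stale = 0;

  for (i = 0; i < ARRAY_SIZE (table); i++)
    table[i] = POISON;
  zero_bytes (table, init_len);
  for (i = 0; i < ARRAY_SIZE (table); i++)
    if (table[i] == POISON)
      stale++;
  return stale;
}

/* Buggy pattern: an element count passed where a byte count is needed. */
size_t stale_with_element_count (void)
{
  return stale_after_init (ARRAY_SIZE (table));
}

/* Fixed pattern: sizeof yields the table size in bytes. */
size_t stale_with_byte_count (void)
{
  return stale_after_init (sizeof (table));
}

int main (void)
{
  printf ("element count: %zu of %zu entries stale\n",
          stale_with_element_count (), ARRAY_SIZE (table));
  printf ("byte count:    %zu entries stale\n", stale_with_byte_count ());
  return 0;
}
```

With 4-byte elements the element-count call clears only the first quarter of the table, which is the in-bounds but uninitialized region a tool such as valgrind reports when it is later read.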
16 months ago io/gzio: Abort early when get_byte() reads nothing
Daniel Axtens [Sun, 12 May 2024 14:32:08 +0000 (00:32 +1000)] 
io/gzio: Abort early when get_byte() reads nothing

This isn't intended to be a functional change, but it makes a lot of failures a lot
faster, which is extremely helpful for fuzzing.

Without this change, we keep trying and trying to read more bytes into our buffer,
never being able to (read always returns 0) and so we just return old buffer contents
over and over until the decompression process fails some other way.

Signed-off-by: Daniel Axtens <dja@axtens.net>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
16 months ago cli_lock: Add build option to block command line interface
Alec Brown [Wed, 24 Jan 2024 06:26:37 +0000 (06:26 +0000)] 
cli_lock: Add build option to block command line interface

Add functionality to disable command line interface access and editing of GRUB
menu entries if the GRUB image is built with --disable-cli.

Signed-off-by: Alec Brown <alec.r.brown@oracle.com>
Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17 months ago fs/erofs: Add tests for EROFS in grub-fs-tester
Yifan Zhao [Mon, 20 May 2024 17:20:59 +0000 (01:20 +0800)] 
fs/erofs: Add tests for EROFS in grub-fs-tester

This patch introduces three EROFS tests which cover compact, extended
and chunk-based inodes respectively.

Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Reviewed-by: Glenn Washburn <development@efficientek.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
17 months ago fs/erofs: Add support for the EROFS
Yifan Zhao [Mon, 20 May 2024 17:20:58 +0000 (01:20 +0800)] 
fs/erofs: Add support for the EROFS

The EROFS [1] is a lightweight read-only filesystem designed for performance
which has already been shipped in most Linux distributions as well as widely
used in several scenarios, such as Android system partitions, container
images and rootfs for embedded devices.

This patch brings in the EROFS uncompressed support. Now, it's possible to
boot directly through GRUB with an EROFS rootfs.

Support for the EROFS compressed files will be added later.

[1] https://erofs.docs.kernel.org

Signed-off-by: Yifan Zhao <zhaoyifan@sjtu.edu.cn>
Tested-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>