Libgcrypt code assumes that on x64 all SSE registers are fair game.
While it's true that CPUs in question support it, we disable it in
our compilation options. Disable the offending optimization.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
loader/arm64/xen_boot: Remove correctly all modules loaded by xen_module command
We need to use FOR_LIST_ELEMENTS_SAFE() instead of FOR_LIST_ELEMENTS()
as single_binary_unload(), called during the loop, is changing the list
using grub_list_remove(). Given the environment probably the old code
simply removed only the first module on the list not freeing all the others.
Gary Lin [Thu, 3 Jul 2025 06:09:41 +0000 (14:09 +0800)]
dl: Fix grub_dl_is_persistent() for emu
When attempting to build grub-emu the compilation failed with the
following error message:
include/grub/dl.h: In function ‘grub_dl_is_persistent’:
include/grub/dl.h:262:1: error: no return statement in function returning non-void [-Werror=return-type]
To avoid the error make the function always return 0.
Fixes: ba8eadde6be1 (dl: Provide a fake grub_dl_set_persistent() and grub_dl_is_persistent() for the emu target) Signed-off-by: Gary Lin <glin@suse.com> Cc: Daniel Axtens <dja@axtens.net> Cc: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Mon, 23 Jun 2025 17:46:01 +0000 (17:46 +0000)]
loader/i386/pc/linux: Fix resource leak
In grub_cmd_initrd(), memory is allocated for variable initrd_ctx
before calling grub_relocator_alloc_chunk_align_safe(). When the
function call fails, initrd_ctx should be freed before exiting
grub_cmd_initrd().
Adriano Cordova [Wed, 18 Jun 2025 15:38:14 +0000 (11:38 -0400)]
loader/efi/linux: Unload previous Linux kernel/initrd before updating kernel size
Unload previous Linux kernel/initrd before updating the global variable
kernel_size. Otherwise the previous Linux kernel gets deallocated with
the kernel_size of the Linux kernel that is being currently loaded.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:41 +0000 (14:42 +0100)]
loader/efi/linux: Use proper type for len variable
Although the length should not exceed 2^31 grub_size_t is more
suitable for that variable. len is used to compute the size
of buffers which in C is a size_t, not a int. It is used
for GRUB_EFI_BYTES_TO_PAGES which expects unsigned values.
It is assigned to load_options_size which is unsigned, not signed.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:40 +0000 (14:42 +0100)]
loader/efi/linux: Do not pass excessive size for source string
The size passed to grub_utf8_to_utf16() for the source string is
used as a limit for the string if NUL character is not encountered.
However, len, which is "strlen(src) * 2 + 2" is surely greater than
strlen(src). Pass the exact correct length.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:38 +0000 (14:42 +0100)]
loader/efi/linux: Remove useless assignment
If the following allocation fails this would leave load_options NULL
while load_options_size not valid. If the allocation succeed
load_options_size is overwritten.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Mon, 23 Jun 2025 17:42:32 +0000 (17:42 +0000)]
Revert "lzma: Make sure we don't dereference past array"
Commit 40e261b89b71 (lib/LzmaEnc: Validate "len" before subtracting)
ensures that the variable len is at least 2. As a result, GetLenToPosState(len)
never returns a value greater than or equal to kNumLenToPosStates,
making the changes introduced in the commit 16c0dbf4bc6a (lzma: Make
sure we don't dereference past array) unreachable and no longer necessary.
This reverts commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array).
Andrew Hamilton [Sat, 21 Jun 2025 15:50:38 +0000 (10:50 -0500)]
tests/util/grub-shell: Correct netboot and file_filter test failure
Correct a test failure in netboot_test and file_filter_test caused by an
issue cleaning up the tmp directory created for netboot. Netboot creates
a subdirectory in the tmp folder that causes the rmdir to fail - so
cleanup the subdirectory first.
Fixes: 1d59f39b5f1b (tests/util/grub-shell: Remove the work directory on successful run and debug is not on) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Tested-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Wed, 18 Jun 2025 19:24:23 +0000 (19:24 +0000)]
normal/charset: Fix underflow and overflow in loop init
In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1",
underflows when "kk" (unsigned int) is 0. Assigning the result of
"kk - 1" to signed int "i" may cause overflow. To address both
issues, cast "kk" to a signed type before subtraction to ensure
safe arithmetic and assignment.
Daniel Axtens [Tue, 10 Jun 2025 15:50:38 +0000 (21:20 +0530)]
dl: Provide a fake grub_dl_set_persistent() and grub_dl_is_persistent() for the emu target
Trying to start grub-emu with a module that calls grub_dl_set_persistent()
and grub_dl_is_persistent() will crash because grub-emu fakes modules and
passes NULL to the module init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules) Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Wed, 18 Jun 2025 01:58:26 +0000 (20:58 -0500)]
util/grub-protect: Correct uninit "err" variable
In function protect_tpm2_export_tpm2key(), the "err" variable
is uninitialized in the normal (error free) path, so ensure this
defaults to GRUB_ERR_NONE.
This causes the GRUB build to fail with clang (observed with clang-14).
Fixes: 5934bf51c (util/grub-protect: Support NV index mode) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Thu, 26 Jun 2025 15:05:01 +0000 (17:05 +0200)]
gnulib: Bring back the fix for resolving unused variable issue
This patch resolved a minor issue spotted by Coverity: a983d36bd917 (gnulib/regexec: Resolve unused variable)
But, it was removed by the Gnulib update: 2b7902459803 (Update gnulib version and drop most gnulib patches)
It caused Coverity to continue to flag the issue. Daniel Kiper
suggested to bring back the patch a983d36bd917 (gnulib/regexec: Resolve
unused variable).
Andrew Hamilton [Wed, 18 Jun 2025 01:58:25 +0000 (20:58 -0500)]
gnulib: Add patch to allow GRUB w/GCC-15 compile
Pull in Gnulib fix to allow lib/base64.c to compile using GCC 15 or newer.
Pulled from Gnulib commit 25df6dc425 (Silence some
-Wunterminated-string-initialization warnings.)
GCC 15 adds a new compiler warning "-Wunterminated-string-initialization"
that will trigger what is considered a false-positive in lib/base64.c as
this array is not treated as a string but an array of characters so the
lack of NUL string terminator is expected.
GCC team has added ability to flag such instances of arrays that the
compiler may think are strings as "nonstring" arrays to avoid this
warning: __attribute__((nonstring)).
Fixes: https://savannah.gnu.org/bugs/?66470 Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 10 Jun 2025 15:19:45 +0000 (15:19 +0000)]
gnulib/regexec: Fix resource leak
In the function merge_state_with_log(), memory is allocated for the variable
next_nodes when creating a union of the variables table_nodes and log_nodes.
However, if next_state->entrance_nodes is NULL, then table_nodes becomes NULL
and we still allocate memory to copy the content of log_nodes. This can cause
a resource leak since we only free the memory for next_nodes if table_nodes
isn't NULL. To prevent this, we need to check that next_state->entrance_nodes
isn't NULL before allocating memory for the union.
This issue has been fixed in the latest version of gnulib and I've backported
this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the CID 473887.
Fixes: CID 473887 Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 10 Jun 2025 15:19:44 +0000 (15:19 +0000)]
gnulib/regcomp: Fix resource leak
In the functions create_initial_state() and calc_eclosure_iter(), memory
is allocated for the elems member of a re_node_set structure but that
memory isn't freed on error. Before returning an error, a call to
re_node_set_free() should be made to prevent the resource leak.
This issue has been fixed in the latest version of gnulib and I've
backported this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the following
CIDs: 473869, 473888.
Fixes: CID 473869 Fixes: CID 473888 Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:35 +0000 (15:02 +0800)]
tests/tpm2_key_protector_test: Add tests for SHA-384 PCR bank
Add a few more tests to seal and unseal the key with the SHA-384 PCR
bank instead of the default SHA-256 PCR bank.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:34 +0000 (15:02 +0800)]
tpm2_key_protector: Dump the PCR bank for key unsealing
TPM 2.0 Key File format stores the PCR selection in the parameters
for TPM2_PolicyPCR and it already contains the selected PCR bank.
Currently, tpm2_key_protector dumped the PCR bank specified by the
--bank option, and it may not be the PCR bank for key unsealing.
To dump the real PCR bank for key unsealing, this commit records the PCR
bank used by TPM2_PolicyPCR and dumps PCR values from that bank when
necessary.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:33 +0000 (15:02 +0800)]
util/grub-protect: Fix the hash algorithm of PCR digest
For tpm2_key_protector and grub-protect, SHA-256 is chosen as the hash
algorithm for the TPM session. However, grub-protect mistakenly used the
hash algorithm of the PCR bank to calculate PCR digest. If the user
chose a PCR bank other than SHA-256, grub-protect created a non-SHA-256
PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256
PCR digest to the TPM unsealing session, so it would fail due to digest
mismatch.
This commit fixes the hash algorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.
Fixes: https://github.com/lcp/grub2/issues/4 Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Wed, 11 Jun 2025 03:15:46 +0000 (22:15 -0500)]
build: Add new header files to dist to allow building from tar
Several new header files have been added to GRUB which need
to be manually added to the dist archive. This allows building
from the tar archive created by "make dist".
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Wed, 11 Jun 2025 03:15:45 +0000 (22:15 -0500)]
build: Remove extra_deps.lst from EXTRA_DIST
This file is auto-generated based on the selected platform and should
not be included in the source tarball.
Fixes: 6744840b (build: Track explicit module dependencies in Makefile.core.def) Signed-off-by: Mike Gilbert <floppym@gentoo.org> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Thu, 12 Jun 2025 00:03:58 +0000 (00:03 +0000)]
lib/LzmaEnc: Validate "len" before subtracting
In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum()
returns a value of greater or equal to 1, which is assigned to
"len". But since LZMA_MATCH_LEN_MIN == 2, "len" should be validated
before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow
when "len" equals to 1.
Lidong Chen [Thu, 5 Jun 2025 05:03:19 +0000 (05:03 +0000)]
osdep/unix/hostdisk: Fix signed integer overflow
The potential overflow issue arises at "size += ret;" because "size"
is of type ssize_t (signed) while "len" is size_t (unsigned). Repeatedly
adding read sizes, "ret", to "size" can potentially exceed the maximum
value of ssize_t, causing it to overflow into a negative or incorrect value.
The fix is to ensure "len" is within the range of SSIZE_MAX.
osdep/linux/getroot: Detect DDF container similar to IMSM
Similarly to Intel IMSM, there are BIOS and UEFI implementations that
support DDF containers natively.
DDF and IMSM are very similar in handling, especially these should not
be considered as RAID abstraction. This fixes the requirement of having
a device map when probing DDF containers.
Andrew Hamilton [Thu, 22 May 2025 03:20:41 +0000 (22:20 -0500)]
fs/fshelp: Avoid possible NULL pointer deference
Avoid attempting to defererence a NULL pointer to call read_symlink() when
the given filesystem does not provide a read_symlink() function. This could
be triggered if the calling filesystem had a file marked as a symlink.
This appears possible for HFS and was observed during fuzzing of NTFS.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Thu, 22 May 2025 03:20:40 +0000 (22:20 -0500)]
fs/ntfs: Correct possible infinite loops/hangs
Correct several infinite loops/hangs found during fuzzing. The issues
fixed here could occur if certain specific malformed NTFS file systems
were presented to GRUB. Currently, GRUB does not allow NTFS file system
access when lockdown mode is enforced, so these should be of minimal
impact.
The changes made in this commit generally correct issues such as attempting
to iterate through a buffer using a length read from the NTFS file system
without confirming the length is larger than 0.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Thu, 22 May 2025 03:20:39 +0000 (22:20 -0500)]
fs/ntfs: Correct possible access violations
Correct several memory access violations found during fuzzing.
The issues fixed here could occur if certain specific malformed NTFS
file systems were presented to GRUB. Currently, GRUB does not allow NTFS
file system access when lockdown mode is enforced, so these should be of
minimal impact.
The changes made in this commit generally correct issues where pointers
into data buffers were being calculated using lengths read from the
NTFS file system without sufficient bounds/sanity checking; or
attempting to access elements of a structure to free them, when the
structure pointer is NULL.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Thu, 22 May 2025 03:20:38 +0000 (22:20 -0500)]
fs/ntfs: Correct attribute vs attribute list validation
Correct ntfs_test test failures around attempting to validate attribute
list entries as attributes. The NTFS code uses common logic in some
places to parse both attributes and attribute_lists which complicates
validation. Attribute lists contain different headers including a
different size of the length field (2 bytes) at offset 4 instead of the
4 byte length field used in attributes at offset 4. There are other
differences as well, but attempting to validate attribute list types
using attribute header validation was causing failure of the NTFS test
suite. This change restores some of the validation logic which may be
shared between attributes and attribute lists to be closer to the
original logic prior to fixes for previous CVEs. A following commit will
address some of the implications of removing this validation logic by
correcting some fuzzer failures (some which are exposed by removing the
validation in some of the cases).
Fixes: 067b6d225 (fs/ntfs: Implement attribute verification) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Thu, 22 May 2025 03:20:37 +0000 (22:20 -0500)]
fs/ntfs: Correct regression with run list calculation
Correct ntfs_test test failures around attempting to validate attribute
run list values. The calculation was incorrect for the "curr" variable.
With previous calculation, some file systems would fail validation
despite being well-formed and valid. This was caused by incrementing
"curr" by min_size which included both the (already accounted for)
min_size as well as the size of the run list. Correct by making a new
variable "run_size" to denote the current run list size to increment
both "curr" and "min_size" separately.
Fixes: 067b6d225 (fs/ntfs: Implement attribute verification) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Shreenidhi Shedi [Mon, 19 May 2025 18:19:54 +0000 (23:49 +0530)]
lib/envblk: Ignore empty new lines while parsing env files
Environment files may contain empty lines, which should be ignored
during parsing. Currently, these lines are not skipped and resulting in
incorrect behavior. This patch adds a check to skip empty lines along
with those starting with "#".
Glenn Washburn [Mon, 5 May 2025 22:09:19 +0000 (17:09 -0500)]
fs/zfs: Fix another memory leak in ZFS code
Commit b66c6f918 (fs/zfs: Fix a number of memory leaks in ZFS code)
fixes many of the same leaks detected in bug #63846 except one, which
is fixed here.
Fixes: https://savannah.gnu.org/bugs/?63846 Fixes: b66c6f918 (fs/zfs: Fix a number of memory leaks in ZFS code) Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 5 May 2025 21:11:36 +0000 (16:11 -0500)]
tests: Disable gfxterm_menu and cmdline_cat tests
Those tests fail depending on the version of unifont. As we don't distribute
our own unifont it fails for most users. Disable them so that they don't mask
real failures. They can be reinstated once we solve unifont problem.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Maxim Suhanov [Tue, 4 Mar 2025 11:02:25 +0000 (14:02 +0300)]
disk/cryptodisk: Add the "erase secrets" function
This commit adds the grub_cryptodisk_erasesecrets() function to wipe
master keys from all cryptodisks. This function is EFI-only.
Since there is no easy way to "force unmount" a given encrypted disk,
this function renders all mounted cryptodisks unusable. An attempt to
read them will return garbage.
This is why this function must be used in "no way back" conditions.
Currently, it is used when unloading the cryptodisk module and when
performing the "exit" command (it is often used to switch to the next
EFI application). This function is not called when performing the
"chainloader" command, because the callee may return to GRUB. For this
reason, users are encouraged to use "exit" instead of "chainloader" to
execute third-party boot applications.
This function does not guarantee that all secrets are wiped from RAM.
Console output, chunks from disk read requests and other may remain.
This function does not clear the IV prefix and rekey key for geli disks.
Also, this commit adds the relevant documentation improvements.
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Maxim Suhanov [Sun, 2 Mar 2025 15:08:22 +0000 (18:08 +0300)]
disk/diskfilter: Introduce the "cryptocheck" command
This command examines a given diskfilter device, e.g., an LVM disk,
and checks if underlying disks, physical volumes, are cryptodisks,
e.g., LUKS disks, this layout is called "LVM-on-LUKS".
The return value is 0 when all underlying disks (of a given device)
are cryptodisks (1 if at least one disk is unencrypted or in an
unknown state).
Users are encouraged to include the relevant check before loading
anything from an LVM disk that is supposed to be encrypted.
This further supports the CLI authentication, blocking bypass
attempts when booting from an encrypted LVM disk.
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Maxim Suhanov [Sat, 1 Mar 2025 11:16:48 +0000 (14:16 +0300)]
commands/search: Introduce the --cryptodisk-only argument
This allows users to restrict the "search" command's scope to
encrypted disks only.
Typically, this command is used to "rebase" $root and $prefix
before loading additional configuration files via "source" or
"configfile". Unfortunately, this leads to security problems,
like CVE-2023-4001, when an unexpected, attacker-controlled
device is chosen by the "search" command.
The --cryptodisk-only argument allows users to ensure that the
file system picked is encrypted.
This feature supports the CLI authentication, blocking bypass
attempts.
Signed-off-by: Maxim Suhanov <dfirblog@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Eric Sandeen [Wed, 4 Dec 2024 13:50:28 +0000 (07:50 -0600)]
fs/xfs: Fix large extent counters incompat feature support
When large extent counter / NREXT64 support was added to GRUB, it missed
a couple of direct reads of nextents which need to be changed to the new
NREXT64-aware helper as well. Without this, we'll have mis-reads of some
directories with this feature enabled.
The large extent counter fix likely raced on merge with commit 07318ee7e
(fs/xfs: Fix XFS directory extent parsing) which added the new direct
nextents reads just prior, causing this issue.
Fixes: aa7c1322671e (fs/xfs: Add large extent counters incompat feature support) Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Anthony Iliopoulos <ailiop@suse.com> Reviewed-by: Jon DeVree <nuxi@vault24.org> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Without this option compiler sometimes emits R_RISCV_ALIGN relocs.
Unlike other relocs this one requires the linker to do NOP deletions
and we can't ignore them. Just instruct compiler not to emit them.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Mon, 7 Apr 2025 08:29:26 +0000 (16:29 +0800)]
INSTALL: Document the packages needed for TPM2 key protector tests
The TPM2 key protector tests require two external packages: swtpm-tools
and tpm2-tools. Add those two packages to the INSTALL file to inform
the user to install those packages before starting the TPM2 key protector
tests.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Gary Lin [Mon, 7 Apr 2025 08:29:21 +0000 (16:29 +0800)]
util/grub-protect: Support NV index mode
This commit implements the missing NV index mode support in grub-protect.
NV index mode stores the sealed key in the TPM non-volatile memory (NVRAM)
instead of a file. There are two supported types of TPM handles.
1. Persistent handle (0x81000000~0x81FFFFFF)
Only the raw format is supported due to the limitation of persistent
handles. This grub-protect command seals the key into the
persistent handle 0x81000000.
2. NV index handle (0x1000000~0x1FFFFFF)
Both TPM 2.0 Key File format and the raw format are supported by NV
index handles. Here is the grub-protect command to seal the key in
TPM 2.0 Key File format into the NV index handle 0x1000000.
Besides the "add" action, the corresponding "remove" action is also
introduced. To remove the data from a persistent or NV index handle,
just use "--tpm2-nvindex=HANDLE" combining with "--tpm2-evict". This
sample command removes the data from the NV index handle 0x1000000.
Gary Lin [Mon, 7 Apr 2025 08:29:20 +0000 (16:29 +0800)]
tpm2_key_protector: Support NV index handles
Previously, NV index mode only supported persistent handles which are
only for TPM objects.
On the other hand, the "NV index" handle allows the user-defined data,
so it can be an alternative to the key file and support TPM 2.0 Key
File format immediately.
The following tpm2-tools commands store the given key file, sealed.tpm,
in either TPM 2.0 Key File format or the raw format into the NV index
handle 0x1000000.
# tpm2_nvdefine -C o \
-a "ownerread|ownerwrite" \
-s $(stat -c %s sealed.tpm) \
0x1000000
# tpm2_nvwrite -C o -i sealed.tpm 0x1000000
To unseal the key in GRUB, add the "tpm2_key_protector_init" command to
grub.cfg:
Gary Lin [Mon, 7 Apr 2025 08:29:19 +0000 (16:29 +0800)]
tpm2_key_protector: Unseal key from a buffer
Extract the logic to handle the file buffer from the SRK recover
function to prepare to load the sealed key from the NV index handle,
so the NV index mode can share the same code path in the later patch.
The SRK recover function now only reads the file and sends the file
buffer to the new function.
Besides this, to avoid introducing more options for the NV index mode,
the file format is detected automatically before unmarshaling the data,
so there is no need to use the command option to specify the file format
anymore. In other words, "-T" and "-k" are the same now.
Also update grub.text to address the change.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Mon, 7 Apr 2025 08:29:18 +0000 (16:29 +0800)]
tss2: Add TPM 2.0 NV index commands
The following TPM 2.0 commands are introduced to tss2 to access the
TPM non-volatile memory associated with the NV index handles:
- TPM2_NV_DefineSpace,
- TPM2_NV_UndefineSpace,
- TPM2_NV_ReadPublic,
- TPM2_NV_Read,
- TPM2_NV_Write.
The related marshal/unmarshal functions are also introduced.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Mon, 7 Apr 2025 08:29:17 +0000 (16:29 +0800)]
tss2: Fix the missing authCommand
grub_tpm2_readpublic() and grub_tpm2_testparms() didn't check
authCommand when marshaling the input data buffer. Currently, there is
no caller using non-NULL authCommand. However, to avoid the potential
issue, the conditional check is added to insert authCommand into the
input buffer if necessary.
Also fix a few pointer checks.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Mon, 7 Apr 2025 08:29:16 +0000 (16:29 +0800)]
tpm2_key_protector: Add tpm2_dump_pcr command
The user may need to inspect the TPM 2.0 PCR values with the GRUB shell,
so the new tpm2_dump_pcr command is added to print all PCRs of the
specified bank.
Also update the document for the new command.
Signed-off-by: Gary Lin <glin@suse.com> Tested-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Mon, 7 Apr 2025 08:29:15 +0000 (16:29 +0800)]
tpm2_key_protector: Dump PCRs on policy fail
PCR mismatch is one common cause of TPM key unsealing fail. Since the
system may be compromised, it is not safe to boot into OS to get the PCR
values and TPM eventlog for the further investigation.
To provide some hints, GRUB now dumps PCRs on policy fail, so the user
can check the current PCR values. PCR 0~15 are chosen to cover the
firmware, bootloader, and OS.
If the user happens to have the PCR values for key sealing, the PCR dump
can be used to identify the changed PCRs and narrow down the scope for
closer inspection.
Please note that the PCR dump is trustworthy only if the GRUB binary is
authentic, so the user has to check the GRUB binary thoroughly before
using the PCR dump.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Patrick Colp [Thu, 3 Apr 2025 21:04:11 +0000 (14:04 -0700)]
loader/i386/linux: Update linux_kernel_params to match upstream
Update linux_kernel_params to match the v6.13.7 upstream version of boot_params.
Refactor most things out into structs, as the Linux kernel does.
edid_info should be a struct with "unsigned char dummy[128]" and efi_info should
be a struct as well, starting at 0x1c0. However, for backwards compatibility,
GRUB can have efi_systab at 0x1b8 and padding at 0x1bc (or padding at both spots).
This cuts into the end of edid_info. Make edid_info inline and only make it go
up to 0x1b8.
Signed-off-by: Patrick Colp <patrick.colp@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Thu, 27 Mar 2025 17:56:35 +0000 (17:56 +0000)]
loader/xnu: Fix memory leak
In grub_xnu_load_kext_from_dir(), when the call to grub_device_open()
failed, it simply cleaned up previously allocated memory and returned
GRUB_ERR_NONE. However, it neglected to free ctx->newdirname which is
allocated before the call to grub_device_open().
Fixes: CID 473859 Signed-off-by: Lidong Chen <lidong.chen@oracle.com> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Thu, 27 Mar 2025 17:56:33 +0000 (17:56 +0000)]
loader/i386/linux: Fix resource leak
In grub_cmd_initrd(), initrd_ctx is allocated before calling
grub_relocator_alloc_chunk_align(). When that function fails,
initrd_ctx should be freed before exiting grub_cmd_initrd().
Lidong Chen [Thu, 27 Mar 2025 17:56:31 +0000 (17:56 +0000)]
disk/ldm: Fix memory leaks
Fix memory leaks in make_vg() with new helper functions, free_pv()
and free_lv(). Additionally, correct a check after allocating
comp->segments->nodes that mistakenly checked lv->segments->nodes
instead, likely due to a copy-paste error.
Andrew Hamilton [Thu, 20 Mar 2025 23:28:00 +0000 (18:28 -0500)]
fs/ntfs: Fix NULL pointer dereference and possible infinite loop
A regression was introduced recently as a part of the series of
filesystem related patches to address some CVEs found in GRUB.
This issue may cause either an infinite loop at startup when
accessing certain valid NTFS filesystems, or may cause a crash
due to a NULL pointer dereference on systems where NULL address
is invalid (such as may happen when calling grub-mount from
the operating system level).
Correct this issue by checking that at->attr_cur is within bounds
inside find_attr().
Fixes: https://savannah.gnu.org/bugs/?66855 Fixes: aff263187 (fs/ntfs: Fix out-of-bounds read) Signed-off-by: B Horn <b@horn.uk> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com>
The grub_malloc() has been inadvertently removed from the code after it
has been modified to use safe math functions.
Fixes: 4beeff8a (net: Use safe math macros to prevent overflows) Signed-off-by: Nicolas Frayer <nfrayer@redhat.com> Tested-by: Marta Lewandowska <mlewando@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Avnish Chouhan [Thu, 13 Mar 2025 14:15:50 +0000 (19:45 +0530)]
kern/ieee1275/init: Increase MIN_RMA size for CAS negotiation on PowerPC machines
Change RMA size from 512 MB to 768 MB which will result in more memory
at boot time for PowerPC. When vTPM, Secure Boot or FADump are enabled
on PowerPC the 512 MB RMA memory is not sufficient for boot. With this
512 MB RMA, GRUB runs out of memory and fails to boot the machine.
Sometimes even usage of CDROM requires more memory for installation and
along with the options mentioned above exhausts the boot memory which
results in boot failures. Increasing the RMA size will resolves multiple
out of memory issues observed on PowerPC machines.
Failure details (GRUB debug console dump):
kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 1
kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime space
kern/ieee1275/init.c:550: mm requested region of size 8513000, flags 0
kern/ieee1275/init.c:563: Cannot satisfy allocation and retain minimum runtime space
kern/file.c:215: Closing `/ppc/ppc64/initrd.img' ...
kern/disk.c:297: Closing `ieee1275//vdevice/v-scsi@30000067/disk@8300000000000000'...
kern/disk.c:311: Closing `ieee1275//vdevice/v-scsi@30000067/disk@8300000000000000' succeeded.
kern/file.c:225: Closing `/ppc/ppc64/initrd.img' failed with 3.
kern/file.c:148: Opening `/ppc/ppc64/initrd.img' succeeded.
error: ../../grub-core/kern/mm.c:552:out of memory.
Signed-off-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Stuart Hayes [Mon, 10 Mar 2025 16:23:59 +0000 (11:23 -0500)]
fs/zfs: Fix a number of memory leaks in ZFS code
Without this fix the GRUB failed to boot linux with "out of memory" after
trying to run a "search --fs-uuid..." on a system that has 7 ZFS pools
across about 80 drives.
Signed-off-by: Stuart Hayes <stuart.w.hayes@gmail.com> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Thomas Schmitt [Mon, 3 Mar 2025 08:12:05 +0000 (02:12 -0600)]
tests/grub_cmd_cryptomount: Remove temporary directories if successful and debug is not on
grub_cmd_cryptomount creates a directory per subtest. If a subtest is
successful and debugging is not on, the directory should be empty.
So, it can be deleted.
Signed-off-by: Thomas Schmitt <scdbackup@gmx.net> Signed-off-by: Glenn Washburn <development@efficientek.com> Tested-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 3 Mar 2025 08:12:04 +0000 (02:12 -0600)]
tests/grub_cmd_cryptomount: Default TMPDIR to /tmp
This fixes behavior where grub_cmd_cryptomount temporary files, which are
some times not cleaned up, are left in the / directory. Set TMPDIR if your
system does not have /tmp or it can not be used for some reason.
Reported-by: Thomas Schmitt <scdbackup@gmx.net> Signed-off-by: Glenn Washburn <development@efficientek.com> Tested-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 3 Mar 2025 08:12:02 +0000 (02:12 -0600)]
tests: Cleanup generated files on expected failure in grub_cmd_cryptomount
grub-shell-luks-tester only cleans up generated files when the test it
runs returns success. Sometimes tests are run that should fail. Add
a --xfail argument to grub-shell-luks-tester and pass it from
grub_cmd_cryptomount when invoking a test that is expected to fail.
Reported-by: Thomas Schmitt <scdbackup@gmx.net> Signed-off-by: Glenn Washburn <development@efficientek.com> Tested-by: Thomas Schmitt <scdbackup@gmx.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
projects / thirdparty / grub.git / log
