Leo Sandoval [Tue, 23 Sep 2025 23:33:32 +0000 (17:33 -0600)]
kern: Include function name on debug and error print functions
With the following change, we see standard (grub_dprintf) and
error (grub_error) logs with the function name embedded (see below)
into the log which is particular useful when debugging:
Including one more field on the print log impacts the binary sizes
and in turn their respective distro packages. For Fedora rpm packages
the increase is 20k approximately.
Signed-off-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Tue, 2 Sep 2025 06:58:50 +0000 (14:58 +0800)]
net/tcp: Fix TCP port number reused on reboot
GRUB's TCP stack assigns source ports for outgoing connections starting
at 21550 and increments sequentially by 1 (e.g., 21550, 21551, ...).
While this generally works, it can lead to failures if the system
reboots rapidly and reuses the same source port too soon.
This issue was observed on powerpc-ieee1275 platforms using CAS (Client
Architecture Support) reboot. In such cases, loading the initrd over
HTTP may fail with connection timeouts. Packet captures show the failed
connections are flagged as "TCP Port Number Reused" by Wireshark.
The root cause is that GRUB reuses the same port shortly after reboot,
while the server may still be tracking the previous connection in
TIME_WAIT. This can result in the server rejecting the connection
attempt or responding with a stale ACK or RST, leading to handshake
failure.
This patch fixes the issue by introducing a time based source port
selection strategy. Instead of always starting from port 21550, GRUB now
computes an initial base port based on the current RTC time, divided
into 5 minute windows. The purpose of this time based strategy is to
ensure that GRUB avoids reusing the same source port within a 5 minute
window, thereby preventing collisions with stale server side connection
tracking that could interfere with a new TCP handshake.
A step size of 8 ensures that the same port will not be reused across
reboots unless GRUB opens more than 8 TCP connections per second on
average, something that is highly unlikely. In typical usage, a GRUB
boot cycle lasts about 15 seconds and may open fewer than 100
connections total, well below the reuse threshold. This makes the
approach robust against short reboot intervals while keeping the logic
simple and deterministic.
Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
docs/grub: Document signing GRUB with an appended signature
Signing GRUB for firmware that verifies an appended signature is a
bit fiddly. I don't want people to have to figure it out from scratch
so document it here.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel Axtens [Mon, 6 Oct 2025 07:25:03 +0000 (12:55 +0530)]
docs/grub: Document signing GRUB under UEFI
Before adding information about how GRUB is signed with an appended
signature scheme, it's worth adding some information about how it
can currently be signed for UEFI.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
appended signatures: GRUB commands to manage the hashes
Introducing the following GRUB commands to manage certificate/binary
hashes.
1. append_list_dbx:
Show the list of distrusted certificates and binary/certificate
hashes from the dbx list.
2. append_add_db_hash:
Add the trusted binary hash to the db list.
3. append_add_dbx_hash:
Add the distrusted certificate/binary hash to the dbx list.
Note that if signature verification (check_appended_signatures) is set to yes,
the append_add_db_hash and append_add_dbx_hash commands only accept the file
‘hash_file’ that is signed with an appended signature.
appended signatures: GRUB commands to manage the certificates
Introducing the following GRUB commands to manage the certificates.
1. append_list_db:
Show the list of trusted certificates from the db list
2. append_add_db_cert:
Add the trusted certificate to the db list
3. append_add_dbx_cert:
Add the distrusted certificate to the dbx list
4. append_verify:
Verify the signed file using db list
Note that if signature verification (check_appended_signatures) is set to yes,
the append_add_db_cert and append_add_dbx_cert commands only accept the file
‘X509_certificate’ that is signed with an appended signature.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Tested-by: Sridhar Markonda <sridharm@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
appended signatures: Using db and dbx lists for signature verification
Signature verification: verify the kernel against lists of hashes that are
either in dbx or db list. If it is not in the dbx list then the trusted keys
from the db list are used to verify the signature.
If secure boot is enabled with static key management mode, the trusted
certificates will be extracted from the GRUB ELF Note and added to db list.
If secure boot is enabled with dynamic key management mode, the trusted
certificates and certificate/binary hash will be extracted from the PKS
and added to db list. The distrusted certificates, certificate/binary hash
are read from the PKS and added to dbx list. Both dbx and db lists usage is
added by a subsequent patch.
Note:
- If db does not exist in the PKS storage, then read the static keys as a db
default keys from the GRUB ELF Note and add them into the db list.
- If the certificate or the certificate hash exists in the dbx list, then do not
add that certificate/certificate hash to the db list.
Introducing the appended signature key management environment variable. It is
automatically set to either "static" or "dynamic" based on the Platform KeyStore.
"static": Enforce static key management signature verification. This is the
default. When the GRUB is locked down, user cannot change the value
by setting the appendedsig_key_mgmt variable back to "dynamic".
"dynamic": Enforce dynamic key management signature verification. When the GRUB
is locked down, user cannot change the value by setting the
appendedsig_key_mgmt variable back to "static".
powerpc/ieee1275: Read the db and dbx secure boot variables
Enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB_VERSION, db, and dbx secure boot variables
from PKS.
If PKS is enabled, it will read secure boot variables such as db and dbx
from PKS and extract EFI Signature List (ESL) from it. The ESLs would be
saved in the Platform Keystore buffer, and the appendedsig module would
read it later to extract the certificate's details from ESL.
In the following scenarios, static key management mode will be activated:
1. When Secure Boot is enabled with static key management mode
2. When SB_VERSION is unavailable but Secure Boot is enabled
3. When PKS support is unavailable but Secure Boot is enabled
Note:
SB_VERSION: Key Management Mode
1 - Enable dynamic key management mode. Read the db and dbx variables from PKS,
and use them for signature verification.
0 - Enable static key management mode. Read keys from the GRUB ELF Note and
use it for signature verification.
appended signatures: Support verifying appended signatures
Building on the parsers and the ability to embed X.509 certificates, as well
as the existing gcrypt functionality, add a module for verifying appended
signatures.
This includes a signature verifier that requires that the Linux kernel and
GRUB modules have appended signatures for verification.
Signature verification must be enabled by setting check_appended_signatures.
If secure boot is enabled with enforce mode when the appendedsig module is
loaded, signature verification will be enabled, and trusted keys will be
extracted from the GRUB ELF Note and stored in the db and locked automatically.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
powerpc/ieee1275: Enter lockdown based on /ibm, secure-boot
Read secure boot mode from 'ibm,secure-boot' property and if the secure boot
mode is set to 2 (enforce), enter lockdown. Else it is considered as disabled.
There are three secure boot modes. They are
0 - disabled
No signature verification is performed. This is the default.
1 - audit
Signature verification is performed and if signature verification fails,
display the errors and allow the boot to continue.
2 - enforce
Lockdown the GRUB. Signature verification is performed and if signature
verification fails, display the errors and stop the boot.
Now, only support disabled and enforce.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- X.509 certificates: at least enough to verify the signatures on the PKCS#7
messages. We expect that the certificates embedded in GRUB will be leaf
certificates, not CA certificates. The parser enforces this.
- X.509 certificates support the Extended Key Usage extension and handle it by
verifying that the certificate has a Code Signing usage.
Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> # EKU support Reported-by: Michal Suchanek <msuchanek@suse.com> # key usage issue Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
- PKCS#7 signed data messages. Only a single signer info is supported, which
is all that the Linux sign-file utility supports creating out-of-the-box.
Only RSA, SHA-256 and SHA-512 are supported. Any certificate embedded in
the PKCS#7 message will be ignored.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This code allows us to parse ASN1 node and allocating memory to store it.
It will work for anything where the size libtasn1 returns is right:
- Integers
- Octet strings
- DER encoding of other structures
It will _not_ work for things where libtasn1 size requires adjustment:
- Strings that require an extra NULL byte at the end
- Bit strings because libtasn1 returns the length in bits, not bytes.
If the function returns a non-NULL value, the caller must free it.
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
In order to parse PKCS#7 messages and X.509 certificates with libtasn1, we need
some information about how they are encoded. We get these from GNUTLS, which has
the benefit that they support the features we need and are well tested.
To support verification of appended signatures, we need a way to embed the
necessary public keys. Existing appended signature schemes in the Linux kernel
use X.509 certificates, so allow certificates to be embedded in the GRUB core
image in the same way as PGP keys.
Signed-off-by: Alastair D'Silva <alastair@d-silva.org> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
pgp: Rename OBJ_TYPE_PUBKEY to OBJ_TYPE_GPG_PUBKEY
Prior to the addition of the X.509 public key support for appended signature,
current PGP signature relied on the GPG public key. Changing the enum name
from "OBJ_TYPE_PUBKEY" to "OBJ_TYPE_GPG_PUBKEY" to differentiate between x509
certificate based appended signature and GPG certificate based PGP signature.
Signed-off-by: Alastair D'Silva <alastair@d-silva.org> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commands/pgp.c contains the actual storage:
struct gcry_pk_spec *grub_crypto_pk_rsa;
And the module itself saves to the storage in pgp.c:
GRUB_MOD_INIT(gcry_rsa)
{
grub_crypto_pk_rsa = &_gcry_pubkey_spec_rsa;
}
This is annoying: gcry_rsa now has a dependency on pgp!
We want to be able to bring in gcry_rsa without bringing in PGP, so move the
storage to crypto.c.
Previously, gcry_rsa depended on pgp and mpi. Now it depends on crypto and mpi.
As pgp depends on crypto, this doesn't add any new module dependencies using
the PGP verfier.
[FWIW, the story is different for the symmetric ciphers. cryptodisk and friends
(zfs encryption etc) use grub_crypto_lookup_cipher_by_name() to get a cipher
handle. That depends on grub_ciphers being populated by people calling
grub_cipher_register. import_gcry.py ensures that the symmetric ciphers call it.]
Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
powerpc/ieee1275: Add support for signing GRUB with an appended signature
Add infrastructure to allow firmware to verify the integrity of GRUB
by use of a Linux-kernel-module-style appended signature. We initially
target powerpc-ieee1275, but the code should be extensible to other
platforms.
Usually these signatures are appended to a file without modifying the
ELF file itself. (This is what the 'sign-file' tool does, for example.)
The verifier loads the signed file from the file system and looks at the
end of the file for the appended signature. However, on powerpc-ieee1275
platforms, the bootloader is often stored directly in the PReP partition
as raw bytes without a file-system. This makes determining the location
of an appended signature more difficult.
To address this, we add a new ELF Note.
The name field of shall be the string "Appended-Signature", zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "ASig"). It must be the final section in the ELF binary.
The description shall contain the appended signature structure as defined
by the Linux kernel. The description will also be padded to be a multiple
of 4 bytes. The padding shall be added before the appended signature
structure (not at the end) so that the final bytes of a signed ELF file
are the appended signature magic.
A subsequent patch documents how to create a GRUB core.img validly signed
under this scheme.
Signed-off-by: Rashmica Gupta <rashmica.g@gmail.com> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
lib/b64dec: Use grub_size_t instead of size_t for _gpgrt_b64dec_proc() function definition
On some targets, size_t and grub_size_t may not be the same type
(unsigned long / unsigned int). This breaks the compilation because the
definition of _gpgrt_b64dec_proc() differs from gpgrt_b64dec_proc()
declaration. Fix it by using grub_size_t in the _gpgrt_b64dec_proc()
definition.
Signed-off-by: Anaëlle Cazuc <acazuc@acazuc.fr> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Sun, 31 Aug 2025 03:32:39 +0000 (22:32 -0500)]
libgcrypt: Allow GRUB to build with Clang
Attempts to build GRUB with Clang were failing due to errors such as:
error: redefinition of typedef 'gcry_md_hd_t' is a C11 feature
Correct this by adding a compiler pragma to disable the Clang
"typedef-redefinition" warnings. This required an update to
include/grub/crypto.h and the util/import_gcry.py script to add the
pragma to libgcrypt-grub's types.h due to u16 and similar types.
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Add tests outside the date range possible with 32-bit time calculation.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
lib/datetime: Support dates outside of 1901..2038 range
Fixes: https://savannah.gnu.org/bugs/?63894 Fixes: https://savannah.gnu.org/bugs/?66301 Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Mon, 25 Aug 2025 01:38:41 +0000 (20:38 -0500)]
bootstrap: Ensure shallow gnulib clone works on newer git
Update the bootstrap script to be compatible with newer versions of git
that changed the "git clone -h" output from containing:
--depth
to:
--[no-]depth
This bootstrap script is pulled the latest gnulib version from gnulib
git, commit 9a1a6385 (Silence 'time-stamp' warnings with bleeding-edge
Emacs.). This change avoids a full clone on gnulib, saving something
like 50 MB.
Fixes: https://savannah.gnu.org/bugs/?66357 Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Sat, 23 Aug 2025 03:43:17 +0000 (22:43 -0500)]
po: Update translations to build with gettext 0.26
Gettext 0.26 validates format strings. In some cases before
the GRUB build process was converting newlines sequences (\n)
to (\<translated character>) which is invalid. Update the
impacted language sed script files to ensure newlines use
the correct escape sequence.
This avoids build errors such as:
de@hebrew.po:8192: 'msgstr' is not a valid Shell printf format string, unlike 'msgid'. Reason: This escape sequence is invalid.
Fixes: https://savannah.gnu.org/bugs/?67353 Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Kancy Joe [Tue, 19 Aug 2025 15:12:03 +0000 (23:12 +0800)]
term/efi/console: Treat key.scan_code 0x0102 (suspend) as Enter
Some Qualcomm-based UEFI platforms only provide volume up, volume down,
and power keys. The volume keys are already mapped to SCAN_UP and SCAN_DOWN,
while the power key is mapped to SCAN_SUSPEND (key.scan_code 0x0102).
On such devices, the power key is commonly used as the Enter (confirm)
button, since no dedicated Enter key exists. This patch treats key.scan_code
0x0102 as Enter to improve usability on these platforms.
Signed-off-by: Kancy Joe <kancy2333@outlook.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 12 Aug 2025 03:45:36 +0000 (03:45 +0000)]
blsuki: Add uki command to load Unified Kernel Image entries
A Unified Kernel Image (UKI) is a single UEFI PE file that combines
a UEFI boot stub, a Linux kernel image, an initrd, and further resources.
The uki command will locate where the UKI file is and create a GRUB menu
entry to load it.
The Unified Kernel Image Specification: https://uapi-group.org/specifications/specs/unified_kernel_image/
Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Robbie Harwood [Tue, 12 Aug 2025 03:45:35 +0000 (03:45 +0000)]
blsuki: Check for mounted /boot in emu
Irritatingly, BLS defines paths relative to the mountpoint of the
filesystem which contains its snippets, not / or any other fixed
location. So grub-emu needs to know whether /boot is a separate
filesystem from / and conditionally prepend a path.
Signed-off-by: Robbie Harwood <rharwood@redhat.com> Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 12 Aug 2025 03:45:34 +0000 (03:45 +0000)]
util/misc.c: Change offset type for grub_util_write_image_at()
Adding filevercmp support to grub-core/commands/blsuki.c from gnulib will cause
issues with the type of the offset parameter for grub_util_write_image_at() for
emu builds. To fix this issue, we can change the type from off_t to grub_off_t.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Peter Jones [Tue, 12 Aug 2025 03:45:33 +0000 (03:45 +0000)]
blsuki: Add blscfg command to parse Boot Loader Specification snippets
The BootLoaderSpec (BLS) defines a scheme where different bootloaders can
share a format for boot items and a configuration directory that accepts
these common configurations as drop-in files.
The BLS Specification: https://uapi-group.org/specifications/specs/boot_loader_specification/
Signed-off-by: Peter Jones <pjones@redhat.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Signed-off-by: Will Thompson <wjt@endlessm.com> Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 12 Aug 2025 03:45:32 +0000 (03:45 +0000)]
kern/misc: Implement grub_strtok()
Add the functions grub_strtok() and grub_strtok_r() to help parse strings into
tokens separated by characters in the "delim" parameter. These functions are
present in gnulib but calling them directly from the gnulib code is quite
challenging since the call "#include <string.h>" would include the header file
grub-core/lib/posix_wrap/string.h instead of grub-core/lib/gnulib/string.h,
where strtok() and strtok_r() are declared. Since this overlap is quite
problematic, the simpler solution was to implement the code in the GRUB based
on gnulib's implementation. For more information on these functions, visit the
Linux Programmer's Manual, man strtok.
Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Aaron Rainbolt [Thu, 14 Aug 2025 01:36:45 +0000 (20:36 -0500)]
kern/xen: Add Xen command line parsing
Xen traditionally allows customizing guest behavior by passing arguments
to the VM kernel via the kernel command line. This is no longer possible
when using GRUB with Xen, as the kernel command line is decided by the
GRUB configuration file within the guest, not data passed to the guest
by Xen.
To work around this limitation, enable GRUB to parse a command line
passed to it by Xen, and expose data from the command line to the GRUB
configuration as environment variables. These variables can be used in
the GRUB configuration for any desired purpose, such as extending the
kernel command line passed to the guest. The command line format is
inspired by the Linux kernel's command line format.
To reduce the risk of misuse, abuse, or accidents in production, the
command line will only be parsed if it consists entirely of 7-bit ASCII
characters, only alphabetical characters and underscores are permitted
in variable names, and all variable names must start with the string
"xen_grub_env_". This also allows room for expanding the command line
arguments accepted by GRUB in the future, should other arguments end up
becoming desirable in the future.
Signed-off-by: Aaron Rainbolt <arraybolt3@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Aaron Rainbolt [Thu, 14 Aug 2025 01:36:44 +0000 (20:36 -0500)]
include/xen/xen.h: Add warning comment for cmd_line
The cmd_line field of the start_info struct is not guaranteed to be
NUL-terminated, even though it is intended to contain a NUL-terminated
string. Add a warning about this in a comment so future consumers of
this field know to check it for a NUL terminator before using it.
Signed-off-by: Aaron Rainbolt <arraybolt3@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
When grub-probe fails, the current code is to just stuff an empty result
in which causes the user to not knowingly have a system that no longer
boots. grub-probe can fail because the ZFS pool that contains the root
filesystem might have features that GRUB does not yet support which is
a common configuration for people with a rpool and a bpool. This behavior
uses the zdb utility to dump the same value as the filesystem label
would print.
Signed-off-by: Doug Goldstein <cardoe@cardoe.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
relocator: Switch to own page table while moving chunks
We need to avoid clobbering existing table between starting of chunk movers
and the moment we install target page table. Generate temporary table for
this rather than hoping that we don't clobber existing one.
Fixes 64-bit GhostBSD on 64-bit EFI.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Aaron Rainbolt [Thu, 14 Aug 2025 01:36:43 +0000 (20:36 -0500)]
include/xen/xen.h: Rename MAX_GUEST_CMDLINE to GRUB_XEN_MAX_GUEST_CMDLINE
The include/xen/xen.h header was using an overly generic name to refer
to the maximum length of the command line passed from Xen to a guest.
Rename it to avoid confusion or conflicts in the future.
Signed-off-by: Aaron Rainbolt <arraybolt3@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
loader/arm64/xen_boot: Set correctly bootargs property for modules
The cmdline_size already account for NUL terminator, you can see
this in xen_boot_binary_load(). The same property is set correctly
for Xen command line.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
loader/efi/linux: Return correct size from LoadFile2
From UEFI specifications 2.10, section 13.2.2, EFI_LOAD_FILE2_PROTOCOL.LoadFile
(see https://uefi.org/specs/UEFI/2.10/13_Protocols_Media_Access.html), for BufferSize:
On input the size of Buffer in bytes. On output with a return code
of EFI_SUCCESS, the amount of data transferred to Buffer. On output
with a return code of EFI_BUFFER_TOO_SMALL, the size of Buffer
required to retrieve the requested file.
So, set *buffer_size correctly.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commands/bli: Set LoaderTpm2ActivePcrBanks runtime variable
It turns out checking from userspace is not 100% reliable to figure out
whether the firmware had TPM2 support enabled or not. For example with
EDK2 arm64, the default upstream build config bundles TPM2 support with
SecureBoot support, so if the latter is disabled, TPM2 is also unavailable.
But still, the ACPI TPM2 table is created just as if it was enabled. So,
/sys/firmware/acpi/tables/TPM2 exists and looks correct but there are no
measurements, neither the firmware nor the loader/stub can do them, and
/sys/kernel/security/tpm0/binary_bios_measurements does not exist.
So, userspace cannot really tell what was going on in UEFI mode.
The loader can use the apposite UEFI protocol to check, which is a more
definitive answer. Export the bitmask with the list of active banks as-is.
If it's not 0, then in userspace we can be sure a working TPM2 was available
in UEFI mode.
systemd-boot and systemd-stub v258 (current main) set this variable and
userspace portion consumes it to be able to tell what was available in
the firmware context.
Signed-off-by: Luca Boccassi <luca.boccassi@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Libgcrypt code assumes that on x64 all SSE registers are fair game.
While it's true that CPUs in question support it, we disable it in
our compilation options. Disable the offending optimization.
Signed-off-by: Vladimir Serbinenko <phcoder@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
loader/arm64/xen_boot: Remove correctly all modules loaded by xen_module command
We need to use FOR_LIST_ELEMENTS_SAFE() instead of FOR_LIST_ELEMENTS()
as single_binary_unload(), called during the loop, is changing the list
using grub_list_remove(). Given the environment probably the old code
simply removed only the first module on the list not freeing all the others.
Gary Lin [Thu, 3 Jul 2025 06:09:41 +0000 (14:09 +0800)]
dl: Fix grub_dl_is_persistent() for emu
When attempting to build grub-emu the compilation failed with the
following error message:
include/grub/dl.h: In function ‘grub_dl_is_persistent’:
include/grub/dl.h:262:1: error: no return statement in function returning non-void [-Werror=return-type]
To avoid the error make the function always return 0.
Fixes: ba8eadde6be1 (dl: Provide a fake grub_dl_set_persistent() and grub_dl_is_persistent() for the emu target) Signed-off-by: Gary Lin <glin@suse.com> Cc: Daniel Axtens <dja@axtens.net> Cc: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Mon, 23 Jun 2025 17:46:01 +0000 (17:46 +0000)]
loader/i386/pc/linux: Fix resource leak
In grub_cmd_initrd(), memory is allocated for variable initrd_ctx
before calling grub_relocator_alloc_chunk_align_safe(). When the
function call fails, initrd_ctx should be freed before exiting
grub_cmd_initrd().
Adriano Cordova [Wed, 18 Jun 2025 15:38:14 +0000 (11:38 -0400)]
loader/efi/linux: Unload previous Linux kernel/initrd before updating kernel size
Unload previous Linux kernel/initrd before updating the global variable
kernel_size. Otherwise the previous Linux kernel gets deallocated with
the kernel_size of the Linux kernel that is being currently loaded.
Signed-off-by: Adriano Cordova <adriano.cordova@canonical.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:41 +0000 (14:42 +0100)]
loader/efi/linux: Use proper type for len variable
Although the length should not exceed 2^31 grub_size_t is more
suitable for that variable. len is used to compute the size
of buffers which in C is a size_t, not a int. It is used
for GRUB_EFI_BYTES_TO_PAGES which expects unsigned values.
It is assigned to load_options_size which is unsigned, not signed.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:40 +0000 (14:42 +0100)]
loader/efi/linux: Do not pass excessive size for source string
The size passed to grub_utf8_to_utf16() for the source string is
used as a limit for the string if NUL character is not encountered.
However, len, which is "strlen(src) * 2 + 2" is surely greater than
strlen(src). Pass the exact correct length.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Frediano Ziglio [Wed, 25 Jun 2025 13:42:38 +0000 (14:42 +0100)]
loader/efi/linux: Remove useless assignment
If the following allocation fails this would leave load_options NULL
while load_options_size not valid. If the allocation succeed
load_options_size is overwritten.
Signed-off-by: Frediano Ziglio <frediano.ziglio@cloud.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Mon, 23 Jun 2025 17:42:32 +0000 (17:42 +0000)]
Revert "lzma: Make sure we don't dereference past array"
Commit 40e261b89b71 (lib/LzmaEnc: Validate "len" before subtracting)
ensures that the variable len is at least 2. As a result, GetLenToPosState(len)
never returns a value greater than or equal to kNumLenToPosStates,
making the changes introduced in the commit 16c0dbf4bc6a (lzma: Make
sure we don't dereference past array) unreachable and no longer necessary.
This reverts commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array).
Andrew Hamilton [Sat, 21 Jun 2025 15:50:38 +0000 (10:50 -0500)]
tests/util/grub-shell: Correct netboot and file_filter test failure
Correct a test failure in netboot_test and file_filter_test caused by an
issue cleaning up the tmp directory created for netboot. Netboot creates
a subdirectory in the tmp folder that causes the rmdir to fail - so
cleanup the subdirectory first.
Fixes: 1d59f39b5f1b (tests/util/grub-shell: Remove the work directory on successful run and debug is not on) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Tested-by: Leo Sandoval <lsandova@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Wed, 18 Jun 2025 19:24:23 +0000 (19:24 +0000)]
normal/charset: Fix underflow and overflow in loop init
In bidi_line_wrap(), "kk - 1" in the for loop init, "i = kk - 1",
underflows when "kk" (unsigned int) is 0. Assigning the result of
"kk - 1" to signed int "i" may cause overflow. To address both
issues, cast "kk" to a signed type before subtraction to ensure
safe arithmetic and assignment.
Daniel Axtens [Tue, 10 Jun 2025 15:50:38 +0000 (21:20 +0530)]
dl: Provide a fake grub_dl_set_persistent() and grub_dl_is_persistent() for the emu target
Trying to start grub-emu with a module that calls grub_dl_set_persistent()
and grub_dl_is_persistent() will crash because grub-emu fakes modules and
passes NULL to the module init function.
Provide an empty function for the emu case.
Fixes: ee7808e2197c (dl: Add support for persistent modules) Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Avnish Chouhan <avnish@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Wed, 18 Jun 2025 01:58:26 +0000 (20:58 -0500)]
util/grub-protect: Correct uninit "err" variable
In function protect_tpm2_export_tpm2key(), the "err" variable
is uninitialized in the normal (error free) path, so ensure this
defaults to GRUB_ERR_NONE.
This causes the GRUB build to fail with clang (observed with clang-14).
Fixes: 5934bf51c (util/grub-protect: Support NV index mode) Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Lidong Chen [Thu, 26 Jun 2025 15:05:01 +0000 (17:05 +0200)]
gnulib: Bring back the fix for resolving unused variable issue
This patch resolved a minor issue spotted by Coverity: a983d36bd917 (gnulib/regexec: Resolve unused variable)
But, it was removed by the Gnulib update: 2b7902459803 (Update gnulib version and drop most gnulib patches)
It caused Coverity to continue to flag the issue. Daniel Kiper
suggested to bring back the patch a983d36bd917 (gnulib/regexec: Resolve
unused variable).
Andrew Hamilton [Wed, 18 Jun 2025 01:58:25 +0000 (20:58 -0500)]
gnulib: Add patch to allow GRUB w/GCC-15 compile
Pull in Gnulib fix to allow lib/base64.c to compile using GCC 15 or newer.
Pulled from Gnulib commit 25df6dc425 (Silence some
-Wunterminated-string-initialization warnings.)
GCC 15 adds a new compiler warning "-Wunterminated-string-initialization"
that will trigger what is considered a false-positive in lib/base64.c as
this array is not treated as a string but an array of characters so the
lack of NUL string terminator is expected.
GCC team has added ability to flag such instances of arrays that the
compiler may think are strings as "nonstring" arrays to avoid this
warning: __attribute__((nonstring)).
Fixes: https://savannah.gnu.org/bugs/?66470 Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 10 Jun 2025 15:19:45 +0000 (15:19 +0000)]
gnulib/regexec: Fix resource leak
In the function merge_state_with_log(), memory is allocated for the variable
next_nodes when creating a union of the variables table_nodes and log_nodes.
However, if next_state->entrance_nodes is NULL, then table_nodes becomes NULL
and we still allocate memory to copy the content of log_nodes. This can cause
a resource leak since we only free the memory for next_nodes if table_nodes
isn't NULL. To prevent this, we need to check that next_state->entrance_nodes
isn't NULL before allocating memory for the union.
This issue has been fixed in the latest version of gnulib and I've backported
this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the CID 473887.
Fixes: CID 473887 Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alec Brown [Tue, 10 Jun 2025 15:19:44 +0000 (15:19 +0000)]
gnulib/regcomp: Fix resource leak
In the functions create_initial_state() and calc_eclosure_iter(), memory
is allocated for the elems member of a re_node_set structure but that
memory isn't freed on error. Before returning an error, a call to
re_node_set_free() should be made to prevent the resource leak.
This issue has been fixed in the latest version of gnulib and I've
backported this change to maintain consistency.
This issue was found by a Coverity scan of GRUB2 under the following
CIDs: 473869, 473888.
Fixes: CID 473869 Fixes: CID 473888 Signed-off-by: Alec Brown <alec.r.brown@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:35 +0000 (15:02 +0800)]
tests/tpm2_key_protector_test: Add tests for SHA-384 PCR bank
Add a few more tests to seal and unseal the key with the SHA-384 PCR
bank instead of the default SHA-256 PCR bank.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:34 +0000 (15:02 +0800)]
tpm2_key_protector: Dump the PCR bank for key unsealing
TPM 2.0 Key File format stores the PCR selection in the parameters
for TPM2_PolicyPCR and it already contains the selected PCR bank.
Currently, tpm2_key_protector dumped the PCR bank specified by the
--bank option, and it may not be the PCR bank for key unsealing.
To dump the real PCR bank for key unsealing, this commit records the PCR
bank used by TPM2_PolicyPCR and dumps PCR values from that bank when
necessary.
Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Gary Lin [Fri, 13 Jun 2025 07:02:33 +0000 (15:02 +0800)]
util/grub-protect: Fix the hash algorithm of PCR digest
For tpm2_key_protector and grub-protect, SHA-256 is chosen as the hash
algorithm for the TPM session. However, grub-protect mistakenly used the
hash algorithm of the PCR bank to calculate PCR digest. If the user
chose a PCR bank other than SHA-256, grub-protect created a non-SHA-256
PCR digest to seal the key. But, tpm2_key_protector expects a SHA-256
PCR digest to the TPM unsealing session, so it would fail due to digest
mismatch.
This commit fixes the hash algorithm of PCR digest in grub-protect to
avoid the potential unsealing failure.
Fixes: https://github.com/lcp/grub2/issues/4 Signed-off-by: Gary Lin <glin@suse.com> Reviewed-by: Stefan Berger <stefanb@linux.ibm.com> Reviewed-by: Sudhakar Kuppusamy <sudhakar@linux.ibm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Andrew Hamilton [Wed, 11 Jun 2025 03:15:46 +0000 (22:15 -0500)]
build: Add new header files to dist to allow building from tar
Several new header files have been added to GRUB which need
to be manually added to the dist archive. This allows building
from the tar archive created by "make dist".
Signed-off-by: Andrew Hamilton <adhamilt@gmail.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
projects / thirdparty / grub.git / log
