Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked in at 2024-10-23 21:08:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.26871 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Wed Oct 23 21:08:03 2024 rev:337 rq:1217306 version:2.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2024-10-06 
17:51:26.603786957 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.26871/grub2.changes   2024-10-23 
21:08:08.565371435 +0200
@@ -1,0 +2,36 @@
+Wed Oct 23 06:17:54 UTC 2024 - Michael Chang <mch...@suse.com>
+
+- Fix error: /boot/grub2/x86_64-efi/bli.mod not found (bsc#1231591) 
+
+-------------------------------------------------------------------
+Tue Oct 22 07:34:04 UTC 2024 - Michael Chang <mch...@suse.com>
+
+- Keep grub packaging and dependencies in the SLE-12 and SLE-15 builds
+
+-------------------------------------------------------------------
+Fri Oct 18 07:42:27 UTC 2024 - Michael Chang <mch...@suse.com>
+
+- Power guest secure boot with key management (jsc#PED-3520) (jsc#PED-9892)
+  * 0001-ieee1275-Platform-Keystore-PKS-Support.patch
+  * 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
+  * 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
+  * 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
+  * 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
+  * 0006-appendedsig-documentation.patch
+  * 0007-mkimage-create-new-ELF-Note-for-SBAT.patch
+  * 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
+  * grub2.spec : Building signed grub.elf with SBAT metadata
+- Support for NVMe multipath splitter (jsc#PED-10538)
+  * 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
+- Deleted path (jsc#PED-10538)
+  * 0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
+  * 0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
+
+-------------------------------------------------------------------
+Wed Oct 16 13:50:00 UTC 2024 - Michael Chang <mch...@suse.com>
+
+- Fix not a directory error from the minix filesystem, as leftover data on disk
+  may contain its magic header so it gets misdetected (bsc#1231604)
+  * grub2-install-fix-not-a-directory-error.patch
+
+-------------------------------------------------------------------

Old:
----
  0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
  0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch

New:
----
  0001-ieee1275-Platform-Keystore-PKS-Support.patch
  0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
  0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
  0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
  0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
  0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
  0006-appendedsig-documentation.patch
  0007-mkimage-create-new-ELF-Note-for-SBAT.patch
  0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.ca0CkN/_old  2024-10-23 21:08:15.957678332 +0200
+++ /var/tmp/diff_new_pack.ca0CkN/_new  2024-10-23 21:08:15.973678996 +0200
@@ -356,8 +356,6 @@
 Patch165:       0004-ofpath-controller-name-update.patch
 Patch166:       0002-Mark-environmet-blocks-as-used-for-image-embedding.patch
 Patch167:       grub2-increase-crypttab-path-buffer.patch
-Patch168:       0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
-Patch169:       0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
 Patch170:       0001-tpm2-Support-authorized-policy.patch
 Patch171:       0001-tpm2-Add-extra-RSA-SRK-types.patch
 Patch174:       0001-clean-up-crypttab-and-linux-modules-dependency.patch
@@ -411,9 +409,24 @@
 Patch221:       0001-fix-grub-screen-filled-with-post-screen-artifects.patch
 Patch222:       0001-efinet-Skip-virtual-VLAN-devices-during-card-enumera.patch
 Patch223:       0001-tpm-Skip-loopback-image-measurement.patch
+Patch224:       0001-ieee1275-Platform-Keystore-PKS-Support.patch
+Patch225:       0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch
+Patch226:       0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch
+Patch227:       0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch
+Patch228:       0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch
+Patch229:       0006-appendedsig-documentation.patch
+Patch230:       0007-mkimage-create-new-ELF-Note-for-SBAT.patch
+Patch231:       0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch
+Patch232:       0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch
 
+%if 0%{?suse_version} > 1600
 # Always requires a default cpu-platform package
 Requires:       grub2-%{grubarch} = %{version}-%{release}
+%else
+%if ! 0%{?only_efi:1}
+Requires:       grub2-%{grubarch} = %{version}-%{release}
+%endif
+%endif
 
 %if 0%{?only_x86_64:1}
 ExclusiveArch:  x86_64
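Review bot: the comment `# Always requires a default cpu-platform package` now sits inside the `%if 0%{?suse_version} > 1600` branch, while the `%else` branch makes the same `Requires: grub2-%{grubarch}` conditional on `! 0%{?only_efi:1}`, so the comment no longer describes both branches. Move the comment above the `%if` and add a line saying why only_efi builds on the older releases skip the platform package, so the two branches read as one intent.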
@@ -427,9 +440,11 @@
 architecture.  It support rich scale of kernel formats, file systems,
 computer architectures and hardware devices.
 
+%if 0%{?suse_version} > 1600
 %package common
 Summary:        Utilies to manage grub
 Group:          System/Boot
+%endif
 Requires:       gettext-runtime
 %if 0%{?suse_version} >= 1140
 %ifnarch s390x
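Review bot: only `%package common`, `Summary` and `Group` are wrapped in the `%if 0%{?suse_version} > 1600` block, so in the `%else` case the `Requires: gettext-runtime` and the conditionals that follow attach to the main `grub2` package instead of to a `common` subpackage. That matches the changelog entry about keeping the SLE-12/15 packaging, but a one-line comment at the `%endif` stating that the following Requires fall through to the main package on older releases would save the next reader a guess.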
@@ -456,15 +471,21 @@
 Recommends:     memtest86+
 %endif
 
+%if 0%{?suse_version} > 1600
 %description common
 This package includes user space utlities to manage GRUB on your system.
+%endif
 
 %package branding-upstream
 
 Summary:        Upstream branding for GRUB2's graphical console
 Group:          System/Fhs
 BuildArch:      noarch
+%if 0%{?suse_version} > 1600
 Requires:       %{name}-common = %{version}
+%else
+Requires:       %{name} = %{version}
+%endif
 
 %description branding-upstream
 Upstream branding for GRUB2's graphical console
@@ -477,8 +498,13 @@
 %if "%{platform}" != "emu"
 BuildArch:      noarch
 %endif
+%if 0%{?suse_version} > 1600
 Requires:       %{name}-common = %{version}
 Requires(post): %{name}-common = %{version}
+%else
+Requires:       %{name} = %{version}
+Requires(post): %{name} = %{version}
+%endif
 %{?update_bootloader_requires}
 
 %description %{grubarch}
@@ -526,8 +552,13 @@
 # Without it grub-install is broken so break the package as well if unavailable
 Requires:       efibootmgr
 Requires(post): efibootmgr
+%if 0%{?suse_version} > 1600
 Requires:       %{name}-common = %{version}
 Requires(post): %{name}-common = %{version}
+%else
+Requires:       %{name} = %{version}
+Requires(post): %{name} = %{version}
+%endif
 %{?update_bootloader_requires}
 %{?fde_tpm_update_requires}
 Provides:       %{name}-efi = %{version}-%{release}
@@ -539,6 +570,7 @@
 file systems, computer architectures and hardware devices.  This subpackage
 provides support for EFI systems.
 
+%if 0%{?suse_version} > 1600
 %package %{grubefiarch}-bls
 Summary:        Image for Boot Loader Specification (BLS) support on 
%{grubefiarch}
 Group:          System/Boot
@@ -546,6 +578,7 @@
 
 %description %{grubefiarch}-bls
 Custom EFI build tailored for Boot Loader Specification (BLS) support.
+%endif
 
 %package %{grubefiarch}-extras
 
@@ -611,8 +644,13 @@
 Summary:        Grub2's snapper plugin
 Group:          System/Fhs
 Requires:       libxml2-tools
+%if 0%{?suse_version} > 1600
 Requires:       (grub2 or grub2-common)
 Supplements:    ((grub2 or grub2-common) and snapper)
+%else
+Requires:       %{name} = %{version}
+Supplements:    packageand(snapper:grub2)
+%endif
 BuildArch:      noarch
 
 %description snapper-plugin
@@ -624,8 +662,13 @@
 Summary:        Grub2's systemd-sleep plugin
 Group:          System/Fhs
 Requires:       util-linux
+%if 0%{?suse_version} > 1600
 Requires:       (grub2 or grub2-common)
 Supplements:    ((grub2 or grub2-common) and systemd)
+%else
+Requires:       grub2
+Supplements:    packageand(systemd:grub2)
+%endif
 BuildArch:      noarch
 
 %description systemd-sleep-plugin
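Review bot: the `%else` branch here uses `Requires: grub2` with no version constraint, while the equivalent branch in the snapper-plugin hunk above uses `Requires: %{name} = %{version}`. Pick one form for both plugins; the versioned one is the safer choice since the plugin scripts track the grub2 release they ship with.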
@@ -774,6 +817,7 @@
 ./grub-mkimage -O %{grubefiarch} -o grub.efi --memdisk=./memdisk.sqsh 
--prefix= %{?sbat_generation:--sbat sbat.csv} \
                -d grub-core ${GRUB_MODULES}
 
+%if 0%{?suse_version} > 1600
 rm memdisk.sqsh
 
 # Building grubbls.efi
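Review bot: the `%if 0%{?suse_version} > 1600` opened here encloses `rm memdisk.sqsh`, so on older releases the memdisk image used for grub.efi stays in the build tree. That is harmless, but if the guard was meant to cover only the grubbls.efi build that follows, move `rm memdisk.sqsh` above the `%if` so the cleanup is unconditional.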
@@ -824,6 +868,7 @@
     -d grub-core \
     all_video boot font gfxmenu gfxterm gzio halt jpeg minicmd normal part_gpt 
png reboot video \
     fat tpm tpm2 memdisk tar squash4 xzio blscfg linux bli regexp loadenv test 
echo true sleep
+%endif
 
 %ifarch x86_64 aarch64
 if test -e %{_sourcedir}/_projectcert.crt ; then
@@ -855,6 +900,14 @@
 %if ! 0%{?only_efi:1}
 cd build
 
+%ifarch ppc ppc64 ppc64le
+%if 0%{?sbat_generation}
+echo "sbat,1,SBAT 
Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md"; > sbat.csv
+echo "grub,%{sbat_generation_grub},Free Software 
Foundation,grub,%{version},https://www.gnu.org/software/grub/"; >> sbat.csv
+echo 
"grub.%{sbat_distro},%{sbat_generation},%{sbat_distro_summary},%{name},%{version},%{sbat_distro_url}"
 >> sbat.csv
+%endif
+%endif
+
 %if "%{platform}" != "emu"
 %define arch_specific --enable-device-mapper
 TLFLAGS="-static"
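Review bot: in the first two `echo` lines the closing quote is followed by `;` before the `>` / `>>` redirect. If that semicolon is literal in the spec rather than a mail-archive rewrite of the URL, it ends the echo command, the text goes to stdout, and the bare `> sbat.csv` truncates the file, leaving only the last `grub.%{sbat_distro}` row (whose echo has no semicolon). Please check the generated sbat.csv has all three rows. The EFI build above also consumes an sbat.csv; if that file is generated elsewhere in the spec, one shared generation step for all platforms would keep the SBAT rows in sync.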
@@ -984,7 +1037,7 @@
 EOF
         %{__tar} cvf memdisk.tar ./grub.cfg
         ./grub-mkimage -O %{grubarch} -o grub.elf -d grub-core -x grub.der -m 
memdisk.tar \
-            -c %{platform}-config --appended-signature-size 
%brp_pesign_reservation ${GRUB_MODULES}
+            -c %{platform}-config -s sbat.csv --appended-signature-size 
%brp_pesign_reservation ${GRUB_MODULES}
         ls -l "grub.elf"
         truncate -s -%brp_pesign_reservation "grub.elf"
 fi
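Review bot: `-s sbat.csv` is passed unconditionally to `grub-mkimage` here, but sbat.csv is only generated under `%if 0%{?sbat_generation}` in the ppc hunk above, so a build with `sbat_generation` unset would fail on a missing file (unless this block is itself under a sbat_generation guard not shown in the diff). The EFI invocation uses `%{?sbat_generation:--sbat sbat.csv}`; the same macro form, `%{?sbat_generation:-s sbat.csv}`, would make the two consistent.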
@@ -1016,7 +1069,9 @@
 %ifarch x86_64
 ln -srf %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub.efi 
%{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/grub-tpm.efi
 %endif
+%if 0%{?suse_version} > 1600
 install -m 644 grubbls.efi %{buildroot}/%{_datadir}/%{name}/%{grubefiarch}/.
+%endif
 
 # Create grub.efi link to system efi directory
 # This is for tools like kiwi not fiddling with the path
@@ -1038,7 +1093,11 @@
 %endif
 
 %ifarch x86_64 aarch64
+%if 0%{?suse_version} > 1600
 export BRP_PESIGN_FILES="%{_datadir}/%{name}/%{grubefiarch}/grub.efi 
%{_datadir}/%{name}/%{grubefiarch}/grubbls.efi"
+%else
+export BRP_PESIGN_FILES="%{_datadir}/%{name}/%{grubefiarch}/grub.efi"
+%endif
 install -m 444 grub.der %{buildroot}/%{sysefidir}/
 %endif
 
@@ -1171,10 +1230,20 @@
 %fdupes %buildroot%{_libdir}
 %fdupes %buildroot%{_datadir}
 
+%if 0%{?suse_version} > 1600
 %pre common
+%else
+
+%pre
+%endif
 %service_add_pre grub2-once.service
 
+%if 0%{?suse_version} > 1600
 %post common
+%else
+
+%post
+%endif
 %service_add_post grub2-once.service
 
 %if ! 0%{?only_efi:1}
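Review bot: the empty line after each `%else` (before `%pre` and `%post`) is a stray blank that the `%if` branch does not have; drop it so both branches line up. The same applies to the `%preun`, `%postun` and `%files` hunk that follows.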
@@ -1202,13 +1271,28 @@
 
 %endif
 
+%if 0%{?suse_version} > 1600
 %preun common
+%else
+
+%preun
+%endif
 %service_del_preun grub2-once.service
 
+%if 0%{?suse_version} > 1600
 %postun common
+%else
+
+%postun
+%endif
 %service_del_postun grub2-once.service
 
+%if 0%{?suse_version} > 1600
 %files
+%else
+
+%files -f %{name}.lang
+%endif
 %defattr(-,root,root,-)
 %doc AUTHORS
 %doc NEWS README
@@ -1218,13 +1302,15 @@
 %doc README.ibm3215
 %endif
 
+%if 0%{?suse_version} > 1600
 %files common -f %{name}.lang
+%defattr(-,root,root,-)
+%endif
 %if 0%{?suse_version} < 1500
 %doc COPYING
 %else
 %license COPYING
 %endif
-%defattr(-,root,root,-)
 %dir /boot/%{name}
 %ghost %attr(600, root, root) /boot/%{name}/grub.cfg
 %{_datadir}/bash-completion/completions/grub*
@@ -1235,7 +1321,14 @@
 %config(noreplace) %{_sysconfdir}/grub.d/05_crypttab
 %config(noreplace) %{_sysconfdir}/grub.d/10_linux
 %config(noreplace) %{_sysconfdir}/grub.d/20_linux_xen
-%config(noreplace) %{_sysconfdir}/grub.d/25_bli
+# The bli.mod is enabled in grubbls.efi, which will mostly adhere to systemd
+# standards. But it is not the case for grub.efi, as it serves no purpose
+# there, among other considerations. Therefore, the 25_bli script that loads
+# bli.mod as an external module should be disabled (by stripping off its
+# executable bit) to prevent showing 'file not found' error. This is because
+# grub.efi may intentionally lack access to external modules, as it is designed
+# to be a drop-in file, requires no external dependency (boo#1231591)
+%attr(0644, root, root) %config(noreplace) %{_sysconfdir}/grub.d/25_bli
 %config(noreplace) %{_sysconfdir}/grub.d/30_uefi-firmware
 %config(noreplace) %{_sysconfdir}/grub.d/40_custom
 %config(noreplace) %{_sysconfdir}/grub.d/41_custom
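Review bot: the fix relies on the packaged mode bit, but `25_bli` is `%config(noreplace)`: on a system where the administrator has edited that file, rpm keeps the on-disk copy, executable bit included, and writes the new one as `.rpmnew`, so the `bli.mod not found` error persists there. If that case matters, a `%post` step that clears the bit, or a changelog line telling admins to do so, would close the gap. The long comment could also be shortened to the one-line reason plus the boo#1231591 reference.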
@@ -1406,9 +1499,11 @@
 %{sysefidir}/grub.der
 %endif
 
+%if 0%{?suse_version} > 1600
 %files %{grubefiarch}-bls
 %defattr(-,root,root,-)
 %{_datadir}/%{name}/%{grubefiarch}/grubbls.efi
+%endif
 
 %files %{grubefiarch}-extras -f %{grubefiarch}-mod-extras.lst
 %defattr(-,root,root,-)

++++++ 0001-ieee1275-Platform-Keystore-PKS-Support.patch ++++++
>From 04e8509f04a4cd123bc9f290e60f582d57b2f258 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Date: Tue, 27 Dec 2022 17:47:41 +0530
Subject: [PATCH 1/8] ieee1275: Platform Keystore (PKS) Support

Enhancing the infrastructure to enable the Platform Keystore (PKS) feature,
which provides access to the SB VERSION, DB, and DBX secure boot variables
from PKS.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsas...@linux.ibm.com>
---
 grub-core/kern/ieee1275/ieee1275.c | 117 +++++++++++++++++++++++++++++
 include/grub/ieee1275/ieee1275.h   |  15 ++++
 2 files changed, 132 insertions(+)

diff --git a/grub-core/kern/ieee1275/ieee1275.c 
b/grub-core/kern/ieee1275/ieee1275.c
index 36ca2dbfc..8d0048844 100644
--- a/grub-core/kern/ieee1275/ieee1275.c
+++ b/grub-core/kern/ieee1275/ieee1275.c
@@ -807,3 +807,120 @@ grub_ieee1275_get_block_size (grub_ieee1275_ihandle_t 
ihandle)
 
   return args.size;
 }
+
+int
+grub_ieee1275_test (const char *name, grub_ieee1275_cell_t *missing)
+{
+  struct test_args
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t name;
+    grub_ieee1275_cell_t missing;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "test", 1, 1);
+  args.name = (grub_ieee1275_cell_t) name;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  if (args.missing == IEEE1275_CELL_INVALID)
+    return -1;
+
+  *missing = args.missing;
+
+  return 0;
+}
+
+int
+grub_ieee1275_pks_max_object_size (grub_size_t *result)
+{
+  struct mos_args
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t size;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-max-object-size", 0, 1);
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  if (args.size == IEEE1275_CELL_INVALID)
+    return -1;
+
+  *result = args.size;
+
+  return 0;
+}
+
+int
+grub_ieee1275_pks_read_object (grub_uint8_t consumer, grub_uint8_t *label,
+                               grub_size_t label_len, grub_uint8_t *buffer,
+                               grub_size_t buffer_len, grub_size_t *data_len,
+                               grub_uint32_t *policies)
+{
+  struct pks_read_args
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t consumer;
+    grub_ieee1275_cell_t label;
+    grub_ieee1275_cell_t label_len;
+    grub_ieee1275_cell_t buffer;
+    grub_ieee1275_cell_t buffer_len;
+    grub_ieee1275_cell_t data_len;
+    grub_ieee1275_cell_t policies;
+    grub_ieee1275_cell_t rc;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-read-object", 5, 3);
+  args.consumer = (grub_ieee1275_cell_t) consumer;
+  args.label = (grub_ieee1275_cell_t) label;
+  args.label_len = (grub_ieee1275_cell_t) label_len;
+  args.buffer = (grub_ieee1275_cell_t) buffer;
+  args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  if (args.data_len == IEEE1275_CELL_INVALID)
+    return -1;
+
+  *data_len = args.data_len;
+  *policies = args.policies;
+
+  return (int) args.rc;
+}
+
+int
+grub_ieee1275_pks_read_sbvar (grub_uint8_t sbvarflags, grub_uint8_t sbvartype,
+                              grub_uint8_t *buffer, grub_size_t buffer_len,
+                              grub_size_t *data_len)
+{
+  struct pks_read_sbvar_args
+  {
+    struct grub_ieee1275_common_hdr common;
+    grub_ieee1275_cell_t sbvarflags;
+    grub_ieee1275_cell_t sbvartype;
+    grub_ieee1275_cell_t buffer;
+    grub_ieee1275_cell_t buffer_len;
+    grub_ieee1275_cell_t data_len;
+    grub_ieee1275_cell_t rc;
+  } args;
+
+  INIT_IEEE1275_COMMON (&args.common, "pks-read-sbvar", 4, 2);
+  args.sbvarflags = (grub_ieee1275_cell_t) sbvarflags;
+  args.sbvartype = (grub_ieee1275_cell_t) sbvartype;
+  args.buffer = (grub_ieee1275_cell_t) buffer;
+  args.buffer_len = (grub_ieee1275_cell_t) buffer_len;
+
+  if (IEEE1275_CALL_ENTRY_FN (&args) == -1)
+    return -1;
+
+  if (args.data_len == IEEE1275_CELL_INVALID)
+    return -1;
+
+  *data_len = args.data_len;
+
+  return (int) args.rc;
+}
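Review bot: `grub_ieee1275_pks_read_object` and `grub_ieee1275_pks_read_sbvar` copy `args.data_len` out before looking at `args.rc`, and nothing bounds `*data_len` by `buffer_len`. If the firmware reports the object's full size when the caller's buffer is too small, a caller that then reads `*data_len` bytes from `buffer` would overrun it; either clamp (`if (args.data_len > buffer_len) return -1;`) or document at the prototype that `data_len` is only meaningful when `rc == 0` and never exceeds `buffer_len`. `args.policies` is also copied out without the `IEEE1275_CELL_INVALID` check that `data_len` gets.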
diff --git a/include/grub/ieee1275/ieee1275.h b/include/grub/ieee1275/ieee1275.h
index ea90d79f7..6d8dd9463 100644
--- a/include/grub/ieee1275/ieee1275.h
+++ b/include/grub/ieee1275/ieee1275.h
@@ -237,6 +237,21 @@ char *EXPORT_FUNC(grub_ieee1275_encode_uint4) 
(grub_ieee1275_ihandle_t ihandle,
                                              grub_size_t *size);
 int EXPORT_FUNC(grub_ieee1275_get_block_size) (grub_ieee1275_ihandle_t 
ihandle);
 
+int EXPORT_FUNC (grub_ieee1275_test) (const char *name,
+                                      grub_ieee1275_cell_t *missing);
+
+// not exported: I don't want modules interacting with PKS.
+int grub_ieee1275_pks_max_object_size (grub_size_t *result);
+
+int grub_ieee1275_pks_read_object (grub_uint8_t consumer, grub_uint8_t *label,
+                                   grub_size_t label_len, grub_uint8_t *buffer,
+                                   grub_size_t buffer_len, grub_size_t 
*data_len,
+                                   grub_uint32_t *policies);
+
+int grub_ieee1275_pks_read_sbvar (grub_uint8_t sbvarflags, grub_uint8_t 
sbvartype,
+                                  grub_uint8_t *buffer, grub_size_t buffer_len,
+                                  grub_size_t *data_len);
+
 grub_err_t EXPORT_FUNC(grub_claimmap) (grub_addr_t addr, grub_size_t size);
 void EXPORT_FUNC(grub_releasemap) (void);
 
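Review bot: the `// not exported: I don't want modules interacting with PKS.` line uses a C++ comment in a header that otherwise uses `/* */`; switch to the block form and state the design rule it expresses (PKS access stays in the kernel so loadable modules cannot reach the keystore). The new `EXPORT_FUNC (grub_ieee1275_test)` also has a space before the parenthesis, unlike the surrounding `EXPORT_FUNC(...)` declarations.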
-- 
2.47.0


++++++ 0001-ieee1275-support-added-for-multiple-nvme-bootpaths.patch ++++++
>From 219b06c69d38a10349183002efb82bfec3b7ff5b Mon Sep 17 00:00:00 2001
From: Avnish Chouhan <avn...@linux.ibm.com>
Date: Wed, 21 Aug 2024 14:13:05 +0530
Subject: [PATCH] ieee1275: support added for multiple nvme bootpaths

This patch sets multiple NVMe boot-devices for more robust boot.
In a scenario where NVMe multipaths are available, all the available bootpaths (max 5)
will be added as the boot-device.

Signed-off-by: Avnish Chouhan <avn...@linux.ibm.com>
---
 grub-core/osdep/linux/ofpath.c  |  6 +--
 grub-core/osdep/unix/platform.c | 65 ++++++++++++++++++++++++++++++++-
 include/grub/util/install.h     |  3 ++
 include/grub/util/ofpath.h      |  4 ++
 4 files changed, 74 insertions(+), 4 deletions(-)

diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
index 51d331f06..55ed7ddf2 100644
--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
@@ -209,7 +209,7 @@ find_obppath (const char *sysfs_path_orig)
     }
 }
 
-static char *
+char *
 xrealpath (const char *in)
 {
   char *out;
@@ -224,7 +224,7 @@ xrealpath (const char *in)
   return out;
 }
 
-static char *
+char *
 block_device_get_sysfs_path_and_link(const char *devicenode)
 {
   char *rpath;
@@ -535,7 +535,7 @@ of_path_get_nvme_nsid(const char* devname)
 
 }
 
-static char *
+char *
 nvme_get_syspath(const char *nvmedev)
 {
   char *sysfs_path, *controller_node;
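Review bot: dropping `static` from `xrealpath`, `block_device_get_sysfs_path_and_link` and `nvme_get_syspath` turns them into global symbols with no `of_` or `grub_util_` prefix; `xrealpath` in particular is generic enough to collide with other utility code. Prefixing them, or at least documenting in ofpath.h who owns and frees the strings they return, would be safer now that platform.c calls them.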
diff --git a/grub-core/osdep/unix/platform.c b/grub-core/osdep/unix/platform.c
index 1e2961e00..bafcc84d7 100644
--- a/grub-core/osdep/unix/platform.c
+++ b/grub-core/osdep/unix/platform.c
@@ -28,6 +28,8 @@
 #include <dirent.h>
 #include <string.h>
 #include <errno.h>
+#include <grub/util/ofpath.h>
+#define BOOTDEV_BUFFER  1000
 
 static char *
 get_ofpathname (const char *dev)
@@ -203,6 +205,56 @@ grub_install_register_efi (const grub_disk_t 
*efidir_grub_disk,
   return 0;
 }
 
+char *
+add_multiple_nvme_bootdevices (const char *install_device)
+{
+  char *sysfs_path, *nvme_ns, *ptr;
+  unsigned int nsid;
+  char *multipath_boot;
+  struct dirent *ep;
+  DIR *dp;
+
+  /*
+   * Extracting the namespace from install_device.
+   * ex. install_device : /dev/nvme1n1
+   */
+  nvme_ns = grub_strstr (install_device, "nvme");
+  nsid = of_path_get_nvme_nsid (nvme_ns);
+  if (nsid == 0)
+    return NULL;
+
+  sysfs_path = nvme_get_syspath (nvme_ns);
+  strcat (sysfs_path, "/subsystem");
+  sysfs_path = xrealpath (sysfs_path);
+  dp = opendir (sysfs_path);
+  if (!dp)
+    return NULL;
+
+  ptr = multipath_boot = xmalloc (BOOTDEV_BUFFER);
+  while ((ep = readdir (dp)) != NULL)
+    {
+      char *path;
+      if (grub_strstr (ep->d_name, "nvme"))
+        {
+          path = xasprintf ("%s%s%x ", get_ofpathname (ep->d_name), 
"/namespace@", nsid);
+          if ((strlen (multipath_boot) + strlen (path)) > BOOTDEV_BUFFER)
+            {
+              grub_util_warn (_("Maximum five entries are allowed in the 
bootlist"));
+              free (path);
+              break;
+            }
+          strncpy (ptr, path, strlen (path));
+          ptr += strlen (path);
+          free (path);
+        }
+    }
+
+  *--ptr = '\0';
+  closedir (dp);
+
+  return multipath_boot;
+}
+
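Review bot: several memory-safety problems in `add_multiple_nvme_bootdevices`. `strcat (sysfs_path, "/subsystem")` appends to a string returned by `nvme_get_syspath` whose allocation size is not known here, so it can write past the end; build the path with `xasprintf ("%s/subsystem", sysfs_path)` instead. `multipath_boot` comes from `xmalloc` and is never NUL-terminated inside the loop (`strncpy (ptr, path, strlen (path))` copies no terminator), so the `strlen (multipath_boot)` in the length check reads uninitialized memory; write `*ptr = '\0'` after each copy or keep a running length. If no directory entry contains "nvme", `ptr` still equals `multipath_boot` and `*--ptr = '\0'` writes one byte before the allocation; guard that with `if (ptr == multipath_boot)`. The `get_ofpathname (ep->d_name)` result passed to `xasprintf` is never freed, nor is `sysfs_path` before and after `xrealpath`. Finally, the warning says five entries but the check is on `BOOTDEV_BUFFER` bytes; count entries explicitly and name the constant for what it limits.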
 void
 grub_install_register_ieee1275 (int is_prep, const char *install_device,
                                int partno, const char *relpath)
@@ -242,8 +294,19 @@ grub_install_register_ieee1275 (int is_prep, const char 
*install_device,
        }
       *ptr = '\0';
     }
+  else if (grub_strstr (install_device, "nvme"))
+    {
+      boot_device = add_multiple_nvme_bootdevices (install_device);
+    }
   else
-    boot_device = get_ofpathname (install_device);
+    {
+      boot_device = get_ofpathname (install_device);
+      if (grub_strstr (boot_device, "nvme-of"))
+        {
+          free (boot_device);
+          boot_device = add_multiple_nvme_bootdevices (install_device);
+        }
+    }
 
   if (grub_util_exec ((const char * []){ "nvsetenv", "boot-device",
          boot_device, NULL }))
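Review bot: `add_multiple_nvme_bootdevices` returns NULL on failure (nsid 0, unreadable subsystem directory), and both new call sites assign that straight to `boot_device`, which then reaches `nvsetenv` through `grub_util_exec` as a NULL argv element. Fall back to the single-path `get_ofpathname` result, or call `grub_util_error`, when it returns NULL; in the `else` branch, if `get_ofpathname` can itself return NULL, check `boot_device` before `grub_strstr (boot_device, "nvme-of")`.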
diff --git a/include/grub/util/install.h b/include/grub/util/install.h
index 563cf68e9..2fd102649 100644
--- a/include/grub/util/install.h
+++ b/include/grub/util/install.h
@@ -241,6 +241,9 @@ grub_install_register_efi (const grub_disk_t 
*efidir_grub_disk,
                           const char *efi_distributor,
                           const char *force_disk);
 
+char *
+add_multiple_nvme_bootdevices (const char *install_device);
+
 void
 grub_install_register_ieee1275 (int is_prep, const char *install_device,
                                int partno, const char *relpath);
diff --git a/include/grub/util/ofpath.h b/include/grub/util/ofpath.h
index a0ec30620..cc3c4bfbd 100644
--- a/include/grub/util/ofpath.h
+++ b/include/grub/util/ofpath.h
@@ -31,5 +31,9 @@ void add_filename_to_pile(char *filename, struct 
ofpath_files_list_root* root);
 void find_file(char* filename, char* directory, struct ofpath_files_list_root* 
root, int max_depth, int depth);
 
 char* of_find_fc_host(char* host_wwpn);
+char* nvme_get_syspath (const char *nvmedev);
+char* block_device_get_sysfs_path_and_link (const char *devicenode);
+char* xrealpath (const char *in);
+unsigned int of_path_get_nvme_nsid (const char* devname);
 
 #endif /* ! GRUB_OFPATH_MACHINE_UTIL_HEADER */
-- 
2.47.0


++++++ 0002-ieee1275-Read-the-DB-and-DBX-secure-boot-variables.patch ++++++
++++ 672 lines (skipped)

++++++ 0003-appendedsig-The-creation-of-trusted-and-distrusted-l.patch ++++++
++++ 832 lines (skipped)

++++++ 0004-appendedsig-While-verifying-the-kernel-use-trusted-a.patch ++++++
>From 5bff27911bb6575b80b5decf5364b7e6bde801d3 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Date: Wed, 18 Jan 2023 23:04:38 +0530
Subject: [PATCH 4/8] appendedsig: While verifying the kernel, use trusted and
 distrusted lists

To verify the kernel, the trusted key will be used from
the trusted key list. If it fails, verify it against the list of hashes
that are distrusted and trusted.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
Tested-by: Nageswara Sastry <rnsas...@linux.ibm.com>
---
 grub-core/commands/appendedsig/appendedsig.c | 187 +++++++++++++------
 1 file changed, 131 insertions(+), 56 deletions(-)

diff --git a/grub-core/commands/appendedsig/appendedsig.c 
b/grub-core/commands/appendedsig/appendedsig.c
index 5bb09e349..f9638220e 100644
--- a/grub-core/commands/appendedsig/appendedsig.c
+++ b/grub-core/commands/appendedsig/appendedsig.c
@@ -36,6 +36,10 @@
 #include <grub/platform_keystore.h>
 #include "appendedsig.h"
 
+#define SHA256_LEN 32
+#define SHA384_LEN 48
+#define SHA512_LEN 64
+
 GRUB_MOD_LICENSE ("GPLv3+");
 
 const char magic[] = "~Module signature appended~\n";
@@ -516,6 +520,80 @@ extract_appended_signature (const grub_uint8_t *buf, 
grub_size_t bufsize,
   return GRUB_ERR_NONE;
 }
 
+static grub_err_t
+grub_get_binary_hash (const grub_size_t binary_hash_size, const grub_uint8_t 
*data,
+                      const grub_size_t data_size, grub_uint8_t *hash, 
grub_size_t *hash_size)
+{
+  grub_uuid_t guid = { 0 };
+
+  /* support SHA256, SHA384 and SHA512 for binary hash */
+  if (binary_hash_size == SHA256_LEN)
+    grub_memcpy (&guid, &GRUB_PKS_CERT_SHA256_GUID, GRUB_UUID_SIZE);
+  else if (binary_hash_size == SHA384_LEN)
+    grub_memcpy (&guid, &GRUB_PKS_CERT_SHA384_GUID, GRUB_UUID_SIZE);
+  else if (binary_hash_size == SHA512_LEN)
+    grub_memcpy (&guid, &GRUB_PKS_CERT_SHA512_GUID, GRUB_UUID_SIZE);
+  else
+    {
+      grub_dprintf ("appendedsig", "unsupported hash type (%" PRIuGRUB_SIZE ") 
and skipping binary hash\n",
+                    binary_hash_size);
+      return GRUB_ERR_UNKNOWN_COMMAND;
+    }
+
+  return grub_get_hash (&guid, data, data_size, hash, hash_size);
+}
+
+/*
+ * verify binary hash against the list of binary hashes that are distrusted
+ * and trusted.
+ */
+static grub_err_t
+grub_verify_binary_hash (const grub_uint8_t *data, const grub_size_t data_size)
+{
+  grub_err_t rc = GRUB_ERR_NONE;
+  grub_size_t i = 0, hash_size = 0;
+  grub_uint8_t hash[GRUB_MAX_HASH_SIZE] = { 0 };
+
+  for (i = 0; i < grub_dbx.signature_entries; i++)
+    {
+      rc = grub_get_binary_hash (grub_dbx.signature_size[i], data, data_size,
+                                 hash, &hash_size);
+      if (rc != GRUB_ERR_NONE)
+        continue;
+
+      if (hash_size == grub_dbx.signature_size[i] &&
+          grub_memcmp (grub_dbx.signatures[i], hash, hash_size) == 0)
+        {
+          grub_dprintf ("appendedsig", "the binary hash (%02x%02x%02x%02x) was 
listed "
+                        "as distrusted\n", hash[0], hash[1], hash[2], hash[3]);
+          return GRUB_ERR_BAD_SIGNATURE;
+        }
+    }
+
+  for (i = 0; i < grub_db.signature_entries; i++)
+    {
+      rc = grub_get_binary_hash (grub_db.signature_size[i], data, data_size,
+                                 hash, &hash_size);
+      if (rc != GRUB_ERR_NONE)
+        continue;
+
+      if (hash_size == grub_db.signature_size[i] &&
+          grub_memcmp (grub_db.signatures[i], hash, hash_size) == 0)
+        {
+          grub_dprintf ("appendedsig", "verified with a trusted binary hash "
+                        "(%02x%02x%02x%02x)\n", hash[0], hash[1], hash[2], 
hash[3]);
+          return GRUB_ERR_NONE;
+        }
+    }
+
+  return GRUB_ERR_EOF;
+}
+
+/*
+ * verify the kernel's integrity, the trusted key will be used from
+ * the trusted key list. If it fails, verify it against the list of binary 
hashes
+ * that are distrusted and trusted.
+ */
 static grub_err_t
 grub_verify_appended_signature (const grub_uint8_t *buf, grub_size_t bufsize)
 {
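Review bot: `grub_get_binary_hash` picks the digest purely from `signature_size[i]` (32, 48 or 64 bytes), not from the entry's type, so any db or dbx entry that happens to be one of those lengths is treated as a binary hash whatever it actually is. If the keystore entries carry their type GUID, pass it through and compare it against the `GRUB_PKS_CERT_SHA*_GUID` values already used here; that is the tighter check. Also, `GRUB_ERR_EOF` doubles as the "no hash listed" sentinel; a comment at `grub_verify_binary_hash` naming its three results (NONE for a trusted hash, BAD_SIGNATURE for a distrusted hash, EOF for not listed) would make the caller's `if (err == GRUB_ERR_EOF)` readable.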
@@ -525,12 +603,12 @@ grub_verify_appended_signature (const grub_uint8_t *buf, 
grub_size_t bufsize)
   unsigned char *hash;
   gcry_mpi_t hashmpi;
   gcry_err_code_t rc;
-  struct x509_certificate *pk;
+  struct x509_certificate *cert;
   struct grub_appended_signature sig;
   struct pkcs7_signerInfo *si;
   int i;
 
-  if (!grub_db.key_entries)
+  if (!grub_db.key_entries && !grub_db.signature_entries)
     return grub_error (GRUB_ERR_BAD_SIGNATURE, N_("No trusted keys to verify 
against"));
 
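Review bot: the guard now fails only when both `key_entries` and `signature_entries` are empty, but the message still reads "No trusted keys to verify against"; update it to say keys or hashes so a hash-only configuration that is empty is diagnosed accurately.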
   err = extract_appended_signature (buf, bufsize, &sig);
@@ -538,70 +616,67 @@ grub_verify_appended_signature (const grub_uint8_t *buf, 
grub_size_t bufsize)
     return err;
 
   datasize = bufsize - sig.signature_len;
-
-  for (i = 0; i < sig.pkcs7.signerInfo_count; i++)
+  /* checking kernel binary hash is presents in trusted list (db)/distrusted 
list (dbx) */
+  err = grub_verify_binary_hash (buf, datasize);
+  if (err == GRUB_ERR_EOF)
     {
-      /* This could be optimised in a couple of ways:
-         - we could only compute hashes once per hash type
-         - we could track signer information and only verify where IDs match
-        For now we do the naive O(trusted keys * pkcs7 signers) approach.
-       */
-      si = &sig.pkcs7.signerInfos[i];
-      context = grub_zalloc (si->hash->contextsize);
-      if (!context)
-       return grub_errno;
-    
-      si->hash->init (context);
-      si->hash->write (context, buf, datasize);
-      si->hash->final (context);
-      hash = si->hash->read (context);
-
-      grub_dprintf ("appendedsig",
-                   "data size %" PRIxGRUB_SIZE ", signer %d hash 
%02x%02x%02x%02x...\n",
-                   datasize, i, hash[0], hash[1], hash[2], hash[3]);
-    
-      err = GRUB_ERR_BAD_SIGNATURE;
-      for (pk = grub_db.keys; pk; pk = pk->next)
+      /* verifying kernel binary signature using trusted keys from trusted 
list (db) */
+      for (i = 0; i < sig.pkcs7.signerInfo_count; i++)
         {
-          rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, pk->mpis[0]);
-          if (rc)
+          si = &sig.pkcs7.signerInfos[i];
+          context = grub_zalloc (si->hash->contextsize);
+          if (!context)
+            return grub_errno;
+
+          si->hash->init (context);
+          si->hash->write (context, buf, datasize);
+          si->hash->final (context);
+          hash = si->hash->read (context);
+
+          grub_dprintf ("appendedsig",
+                        "data size %" PRIxGRUB_SIZE ", signer %d hash 
%02x%02x%02x%02x...\n",
+                        datasize, i, hash[0], hash[1], hash[2], hash[3]);
+
+          err = GRUB_ERR_BAD_SIGNATURE;
+          for (cert = grub_db.keys; cert; cert = cert->next)
             {
-              err = grub_error (GRUB_ERR_BAD_SIGNATURE,
-                                N_("Error padding hash for RSA verification: 
%d"), rc);
-              grub_free (context);
-              goto cleanup;
+              rc = grub_crypto_rsa_pad (&hashmpi, hash, si->hash, 
cert->mpis[0]);
+              if (rc)
+                {
+                  err = grub_error (GRUB_ERR_BAD_SIGNATURE,
+                                    N_("Error padding hash for RSA 
verification: %d"), rc);
+                  grub_free (context);
+                  pkcs7_signedData_release (&sig.pkcs7);
+                  return err;
+                }
+
+              rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &si->sig_mpi, 
cert->mpis, NULL, NULL);
+              gcry_mpi_release (hashmpi);
+
+              if (rc == 0)
+                {
+                  grub_dprintf ("appendedsig", "verify signer %d with key '%s' 
succeeded\n",
+                                i, cert->subject);
+                  err = GRUB_ERR_NONE;
+                  break;
+                }
+
+              grub_dprintf ("appendedsig", "verify signer %d with key '%s' 
failed with %d\n",
+                            i, cert->subject, rc);
             }
 
-         rc = _gcry_pubkey_spec_rsa.verify (0, hashmpi, &si->sig_mpi,
-                                            pk->mpis, NULL, NULL);
-         gcry_mpi_release (hashmpi);
-
-         if (rc == 0)
-           {
-             grub_dprintf ("appendedsig",
-                           "verify signer %d with key '%s' succeeded\n", i,
-                           pk->subject);
-             err = GRUB_ERR_NONE;
-             break;
-           }
-
-         grub_dprintf ("appendedsig",
-                       "verify signer %d with key '%s' failed with %d\n", i,
-                       pk->subject, rc);
-       }
-
-      grub_free (context);
+          grub_free (context);
 
-      if (err == GRUB_ERR_NONE)
-       break;
+          if (err == GRUB_ERR_NONE)
+            break;
+        }
     }
 
-  /* If we didn't verify, provide a neat message */
   if (err != GRUB_ERR_NONE)
-    err = grub_error (GRUB_ERR_BAD_SIGNATURE,
-                     N_("Failed to verify signature against a trusted key"));
+    grub_printf ("appendedsig: failed to verify signature with any trusted 
key\n");
+  else
+    grub_printf ("appendedsig: successfully verified the signature with a 
trusted key\n");
 
-cleanup:
   pkcs7_signedData_release (&sig.pkcs7);
 
   return err;
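Review bot: replacing `grub_error (GRUB_ERR_BAD_SIGNATURE, ...)` with `grub_printf` means the failure path now returns a bare code without setting an error message: `err = GRUB_ERR_BAD_SIGNATURE` is a plain assignment, and when `sig.pkcs7.signerInfo_count` is 0 the function returns the `GRUB_ERR_EOF` sentinel from grub_verify_binary_hash unchanged, which callers will not recognise as a signature failure. Keep the `grub_error` call on the failure path and map EOF to GRUB_ERR_BAD_SIGNATURE there. The success message should be `grub_dprintf` rather than an unconditional `grub_printf`, which now prints on every verified load. Finally, if grub_verify_binary_hash returns an error other than EOF (a distrusted hash match), the `failed to verify signature with any trusted key` text is misleading for that case; print the distrusted reason separately.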
-- 
2.47.0


++++++ 0005-appendedsig-The-grub-command-s-trusted-and-distruste.patch ++++++
++++ 685 lines (skipped)

++++++ 0006-appendedsig-documentation.patch ++++++
>From 87831c6ce3536e5e2eeb3e2cd8a6184b9509ee04 Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Date: Wed, 17 Apr 2024 23:04:43 +0530
Subject: [PATCH 6/8] appendedsig: documentation

This explains appended signatures' static key and dynamic key,
and documents the commands and variables introduced.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
---
 docs/grub.texi | 115 ++++++++++++++++++++++++++++++++++---------------
 1 file changed, 80 insertions(+), 35 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 00c5fdc44..68d7cbb90 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -4373,7 +4373,9 @@ you forget a command, you can run the command 
@command{help}
 * date::                        Display or set current date and time
 * devicetree::                  Load a device tree blob
 * distrust::                    Remove a pubkey from trusted keys
-* distrust_certificate::        Remove a certificate from the list of trusted 
certificates
+* distrusted_certificate::      Remove a certificate from the trusted list
+* distrusted_list::             List distrusted certificates and 
binary/certificate hashes
+* distrusted_signature::        Add a binary hash to the distrusted list
 * drivemap::                    Map a drive to another
 * echo::                        Display a line of text
 * efitextmode::                 Set/Get text output mode resolution
@@ -4390,7 +4392,6 @@ you forget a command, you can run the command 
@command{help}
 * hexdump::                     Show raw contents of a file or memory
 * insmod::                      Insert a module
 * keystatus::                   Check key modifier status
-* list_certificates::           List trusted certificates
 * list_env::                    List variables in environment block
 * list_trusted::                List trusted public keys
 * load_env::                    Load variables from environment block
@@ -4429,7 +4430,9 @@ you forget a command, you can run the command 
@command{help}
 * test::                        Check file types and compare values
 * true::                        Do nothing, successfully
 * trust::                       Add public key to list of trusted keys
-* trust_certificate::           Add an x509 certificate to the list of trusted 
certificates
+* trusted_certificate::         Add an x509 certificate to the trusted list
+* trusted_list::                List trusted certificates and binary hashes
+* trusted_signature::           Add a binary hash to the trusted list.
 * unset::                       Unset an environment variable
 @comment * vbeinfo::                     List available video modes
 * verify_appended::             Verify appended digital signature
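Review bot: the `trusted_signature` menu entry ends with a period (`Add a binary hash to the trusted list.`) while every other entry in the menu has none; drop it for consistency.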
@@ -4776,15 +4779,15 @@ GPG-style digital signatures}, for more information.
 @end deffn
 
 
-@node distrust_certificate
-@subsection distrust_certificate
+@node distrusted_certificate
+@subsection distrusted_certificate
 
-@deffn Command distrust_certificate cert_number
+@deffn Command distrusted_certificate cert_number
 Remove the x509 certificate numbered @var{cert_number} from GRUB's keyring of
 trusted x509 certificates for verifying appended signatures.
 
 @var{cert_number} is the certificate number as listed by
-@command{list_certificates} (@pxref{list_certificates}).
+@command{trusted_list} (@pxref{trusted_list}).
 
 These certificates are used to validate appended signatures when environment
 variable @code{check_appended_signatures} is set to @code{enforce}
@@ -4793,6 +4796,27 @@ variable @code{check_appended_signatures} is set to 
@code{enforce}
 information.
 @end deffn
 
+@node distrusted_list
+@subsection distrusted_list
+
+@deffn Command distrusted_list
+List all the distrusted x509 certificates and binary/certificate hashes.
+The output is a numbered list of certificates and binary/certificate hashes,
+showing the certificate's serial number and Common Name.
+@end deffn
+
+@node distrusted_signature
+@subsection distrusted_signature
+
+@deffn Command distrusted_signature
+Read a binary hash from the file @var{binary hash file}
+and add it to GRUB's internal distrusted list. These hash are used to
+restrict validation of linux image integrity using trusted list if appended
+signatures validation failed when the environment variable
+@code{check_appended_signatures} is set to @code{enforce}.
+
+See @xref{Using appended signatures} for more information.
+@end deffn
 
 @node drivemap
 @subsection drivemap
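Review bot: `@deffn Command distrusted_signature` declares no argument, yet the body refers to `@var{binary hash file}`; declare it as `@deffn Command distrusted_signature binary_hash_file` (matching `@deffn Command trust_certificate x509_certificate`) and use the same name in the body. Grammar in the same block: `These hash are used to restrict validation of linux image integrity` should read `These hashes are used to restrict validation of Linux image integrity`, and `if appended signatures validation failed` should be `if appended signature validation fails`.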
@@ -5069,22 +5093,6 @@ without any options, the @command{keystatus} command 
returns true if and
 only if checking key modifier status is supported.
 @end deffn
 
-
-@node list_certificates
-@subsection list_certificates
-
-@deffn Command list_certificates
-List all x509 certificates trusted by GRUB for validating appended signatures.
-The output is a numbered list of certificates, showing the certificate's serial
-number and Common Name.
-
-The certificate number can be used as an argument to
-@command{distrust_certificate} (@pxref{distrust_certificate}).
-
-See @xref{Using appended signatures} for more information.
-@end deffn
-
-
 @node list_env
 @subsection list_env
 
@@ -5935,9 +5943,8 @@ and manual booting. @xref{Using GPG-style digital 
signatures}, for more
 information.
 @end deffn
 
-
-@node trust_certificate
-@subsection trust_certificate
+@node trusted_certificate
+@subsection trusted_certificate
 
 @deffn Command trust_certificate x509_certificate
 Read a DER-formatted x509 certificate from the file @var{x509_certificate}
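Review bot: the node and subsection are renamed to `trusted_certificate`, but the context line `@deffn Command trust_certificate x509_certificate` still documents the old command name, so the heading and the command it describes disagree; rename the `@deffn` as well.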
@@ -5946,7 +5953,7 @@ certificates are used to validate appended signatures 
when the environment
 variable @code{check_appended_signatures} is set to @code{enforce}.
 
 Note that if @code{check_appended_signatures} is set to @code{enforce}
-when @command{trust_certificate} is executed, then @var{x509_certificate}
+when @command{trusted_certificate} is executed, then @var{x509_certificate}
 must itself bear an appended signature. (It is not sufficient that
 @var{x509_certificate} be signed by a trusted certificate according to the
 x509 rules: grub does not include support for validating signatures within x509
@@ -5955,6 +5962,32 @@ certificates themselves.)
 See @xref{Using appended signatures} for more information.
 @end deffn
 
+@node trusted_list
+@subsection trusted_list
+
+@deffn Command trusted_list
+List all x509 certificates and binary hases trusted by GRUB for validating
+appended signatures. The output is a numbered list of certificates and binary
+hashes, showing the certificate's serial number and Common Name.
+
+The certificate number can be used as an argument to
+@command{distrusted_certificate} (@pxref{distrusted_certificate}).
+
+See @xref{Using appended signatures} for more information.
+@end deffn
+
+@node trusted_signature
+@subsection trusted_signature
+
+@deffn Command trust_signature
+Read a binary hash from the file @var{binary hash file}
+and add it to GRUB's internal trusted list. These binary hash are used to
+validate linux image integrity if appended signatures validation failed
+when the environment variable @code{check_appended_signatures} is set
+to @code{enforce}.
+
+See @xref{Using appended signatures} for more information.
+@end deffn
 
 @node unset
 @subsection unset
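Review bot: the `@deffn` under `@node trusted_signature` says `trust_signature` and, like `distrusted_signature`, omits its argument; use `@deffn Command trusted_signature binary_hash_file`. Typos in the same hunk: `binary hases` should be `binary hashes` in the `trusted_list` text, and `These binary hash are used to validate linux image integrity if appended signatures validation failed` should be `These binary hashes are used to validate Linux image integrity if appended signature validation fails`.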
@@ -5979,8 +6012,8 @@ only on PC BIOS platforms.
 
 @deffn Command verify_appended file
 Verifies an appended signature on @var{file} against the trusted certificates
-known to GRUB (See @pxref{list_certificates}, @pxref{trust_certificate}, and
-@pxref{distrust_certificate}).
+known to GRUB (See @pxref{trusted_list}, @pxref{trusted_certificate}, and
+@pxref{distrusted_certificate}).
 
 Exit code @code{$?} is set to 0 if the signature validates
 successfully.  If validation fails, it is set to a non-zero value.
@@ -6664,17 +6697,29 @@ with an appended signature ends with the magic string:
 where @code{\n} represents the carriage-return character, @code{0x0a}.
 
 To enable appended signature verification, load the appendedsig module and an
-x509 certificate for verification. Building the appendedsig module into the
+trusted keys for verification. Building the appendedsig module into the
 core grub image is recommended.
 
-Certificates can be managed at boot time using the @pxref{trust_certificate},
-@pxref{distrust_certificate} and @pxref{list_certificates} commands.
-Certificates can also be built in to the core image using the @code{--x509}
-parameter to @command{grub-install} or @command{grub-mkimage}.
+For static key, Certificates will be built in to the core image using
+the @code{--x509} parameter to @command{grub-install} or 
@command{grub-mkimage}.
+it can allow to list the trusted certificates and binary hashes at boot time 
using
+@pxref{trusted_list} and list distrusted certificates and binary/certificate 
hashes
+at boot time using @pxref{distrusted_list} commands.
+
+For dynamic key, loads the signature database (DB) and forbidden
+signature database (DBX) from platform keystore (PKS) and it can allow to list
+the trusted certificates and binary hashes at boot time using 
@pxref{trusted_list}
+and list distrusted certificates and binary/certificate hashes at boot time 
using
+@pxref{distrusted_list} commands.
+
+Also, it will not allow to manage add/delete of certificates/signature at boot 
time using
+@pxref{trusted_certificate} and @pxref{trusted_signature}, 
@pxref{distrusted_certificate}
+and @pxref{distrusted_signature} commands when the environment variable
+@code{check_appended_signatures} is set to @code{enforce}.
 
 A file can be explictly verified using the @pxref{verify_appended} command.
 
-Only signatures made with the SHA-256 or SHA-512 hash algorithm are supported,
+Only signatures made with the SHA-256, SH-384 and SHA-512 hash algorithm are 
supported,
 and only RSA signatures are supported.
 
 A file can be signed with the @command{sign-file} utility supplied with the
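Review bot: the new paragraph states that adding and deleting certificates and signatures is not allowed at boot time when `check_appended_signatures` is `enforce`, which contradicts the `trusted_certificate` section earlier in this patch, which still says the certificate file may be loaded under `enforce` provided it bears an appended signature; one of the two needs updating. Wording fixes in the same hunk: `an trusted keys` should be `trusted keys`; `For static key, Certificates will be built in to` should be `For static keys, certificates are built into`; `For dynamic key, loads the signature database` has no subject (`For dynamic keys, GRUB loads ...`); `it can allow to list` should be `the trusted certificates and binary hashes can be listed`; and `SHA-256, SH-384 and SHA-512 hash algorithm are supported` should be `SHA-256, SHA-384 and SHA-512 hash algorithms are supported`.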
-- 
2.47.0


++++++ 0007-mkimage-create-new-ELF-Note-for-SBAT.patch ++++++
>From 77316f09f133e9c7c5e1026b2b4f5749daac644a Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Date: Wed, 17 Apr 2024 23:48:51 +0530
Subject: [PATCH 7/8] mkimage: create new ELF Note for SBAT

We add a new ELF note for SBAT which stores the SBAT data.
The name field shall be the string "Secure-Boot-Advanced-Targeting", zero-padded
to 4 byte alignment. The type field shall be 0x41536967 (the ASCII values
for the string "sbat").

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Co-authored-by: Daniel Axtens <d...@axtens.net>
---
 include/grub/util/mkimage.h |  4 +-
 util/grub-mkimagexx.c       | 92 +++++++++++++++++++++++++++----------
 2 files changed, 71 insertions(+), 25 deletions(-)

diff --git a/include/grub/util/mkimage.h b/include/grub/util/mkimage.h
index 6f1da89b9..881e3031f 100644
--- a/include/grub/util/mkimage.h
+++ b/include/grub/util/mkimage.h
@@ -51,12 +51,12 @@ grub_mkimage_load_image64 (const char *kernel_path,
                           const struct grub_install_image_target_desc 
*image_target);
 void
 grub_mkimage_generate_elf32 (const struct grub_install_image_target_desc 
*image_target,
-                            int note, size_t appsig_size, char **core_img, 
size_t *core_size,
+                            int note, size_t appsig_size, char *sbat, char 
**core_img, size_t *core_size,
                             Elf32_Addr target_addr,
                             struct grub_mkimage_layout *layout);
 void
 grub_mkimage_generate_elf64 (const struct grub_install_image_target_desc 
*image_target,
-                            int note, size_t appsig_size, char **core_img, 
size_t *core_size,
+                            int note, size_t appsig_size, char *sbat, char 
**core_img, size_t *core_size,
                             Elf64_Addr target_addr,
                             struct grub_mkimage_layout *layout);
 
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 9488f0525..0041b2d0b 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -85,6 +85,14 @@ struct grub_ieee1275_note
   struct grub_ieee1275_note_desc descriptor;
 };
 
+#define GRUB_SBAT_NOTE_NAME "Secure-Boot-Advanced-Targeting"
+#define GRUB_SBAT_NOTE_TYPE 0x73626174 /* "sbat" */
+
+struct grub_sbat_note {
+  Elf32_Nhdr header;
+  char name[ALIGN_UP(sizeof(GRUB_SBAT_NOTE_NAME), 4)];
+};
+
 #define GRUB_APPENDED_SIGNATURE_NOTE_NAME "Appended-Signature"
 #define GRUB_APPENDED_SIGNATURE_NOTE_TYPE 0x41536967 /* "ASig" */
 
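Review bot: `GRUB_SBAT_NOTE_TYPE 0x73626174` is ASCII "sbat" and is correct, but the commit message says the type shall be 0x41536967; that value is "ASig", the appended-signature note type defined just below, so the commit message needs correcting rather than the code. Style: `struct grub_sbat_note {` places the brace on the declaration line, unlike the GNU layout used for the other structs in this file.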
@@ -217,7 +225,7 @@ grub_arm_reloc_jump24 (grub_uint32_t *target, Elf32_Addr 
sym_addr)
 
 void
 SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc *image_target,
-                                   int note, size_t appsig_size, char 
**core_img, size_t *core_size,
+                                   int note, size_t appsig_size, char *sbat, 
char **core_img, size_t *core_size,
                                    Elf_Addr target_addr,
                                    struct grub_mkimage_layout *layout)
 {
@@ -226,10 +234,17 @@ SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc
   Elf_Ehdr *ehdr;
   Elf_Phdr *phdr;
   Elf_Shdr *shdr;
-  int header_size, footer_size = 0;
+  int header_size, footer_size = 0, footer_offset = 0;
   int phnum = 1;
   int shnum = 4;
   int string_size = sizeof (".text") + sizeof ("mods") + 1;
+  char *footer;
+
+  if (sbat)
+    {
+      phnum++;
+      footer_size += ALIGN_UP (sizeof (struct grub_sbat_note) + 
layout->sbat_size, 4);
+    }
 
   if (appsig_size)
     {
@@ -263,6 +278,7 @@ SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc
   ehdr = (void *) elf_img;
   phdr = (void *) (elf_img + sizeof (*ehdr));
   shdr = (void *) (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr));
+  footer = elf_img + program_size + header_size;
   memcpy (ehdr->e_ident, ELFMAG, SELFMAG);
   ehdr->e_ident[EI_CLASS] = ELFCLASSXX;
   if (!image_target->bigendian)
@@ -435,6 +451,8 @@ SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc
       phdr->p_filesz = grub_host_to_target32 (XEN_NOTE_SIZE);
       phdr->p_memsz = 0;
       phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+      footer = ptr;
+      footer_offset = XEN_NOTE_SIZE;
     }
 
   if (image_target->id == IMAGE_XEN_PVH)
@@ -468,6 +486,8 @@ SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc
       phdr->p_filesz = grub_host_to_target32 (XEN_PVH_NOTE_SIZE);
       phdr->p_memsz = 0;
       phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+      footer = ptr;
+      footer_offset = XEN_PVH_NOTE_SIZE;
     }
 
   if (note)
@@ -498,29 +518,55 @@ SUFFIX (grub_mkimage_generate_elf) (const struct 
grub_install_image_target_desc
       phdr->p_filesz = grub_host_to_target32 (note_size);
       phdr->p_memsz = 0;
       phdr->p_offset = grub_host_to_target32 (header_size + program_size);
+      footer = (elf_img + program_size + header_size + note_size);
+      footer_offset += note_size;
     }
 
-  if (appsig_size) {
-    int note_size = ALIGN_UP(sizeof (struct grub_appended_signature_note) + 
appsig_size, 4);
-    struct grub_appended_signature_note *note_ptr = (struct 
grub_appended_signature_note *)
-      (elf_img + program_size + header_size + (note ? sizeof (struct 
grub_ieee1275_note) : 0));
-
-    note_ptr->header.n_namesz = grub_host_to_target32 (sizeof 
(GRUB_APPENDED_SIGNATURE_NOTE_NAME));
-    /* needs to sit at the end, so we round this up and sign some zero padding 
*/
-    note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP(appsig_size, 
4));
-    note_ptr->header.n_type = grub_host_to_target32 
(GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
-    strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
-
-    phdr++;
-    phdr->p_type = grub_host_to_target32 (PT_NOTE);
-    phdr->p_flags = grub_host_to_target32 (PF_R);
-    phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
-    phdr->p_vaddr = 0;
-    phdr->p_paddr = 0;
-    phdr->p_filesz = grub_host_to_target32 (note_size);
-    phdr->p_memsz = 0;
-    phdr->p_offset = grub_host_to_target32 (header_size + program_size + (note 
? sizeof (struct grub_ieee1275_note) : 0));
-  }
+  if (sbat)
+    {
+      int note_size = ALIGN_UP(sizeof (struct grub_sbat_note) + 
layout->sbat_size, 4);
+      struct grub_sbat_note *note_ptr = (struct grub_sbat_note *)footer;
+
+      note_ptr->header.n_namesz = grub_host_to_target32 (sizeof 
(GRUB_SBAT_NOTE_NAME));
+      note_ptr->header.n_descsz = grub_host_to_target32 
(ALIGN_UP(layout->sbat_size, 4));
+      note_ptr->header.n_type = grub_host_to_target32 (GRUB_SBAT_NOTE_TYPE);
+      memcpy (note_ptr->name, GRUB_SBAT_NOTE_NAME, sizeof 
(GRUB_SBAT_NOTE_NAME));
+      memcpy ((char *)(note_ptr + 1), sbat, layout->sbat_size);
+
+      phdr++;
+      phdr->p_type = grub_host_to_target32 (PT_NOTE);
+      phdr->p_flags = grub_host_to_target32 (PF_R);
+      phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
+      phdr->p_vaddr = 0;
+      phdr->p_paddr = 0;
+      phdr->p_filesz = grub_host_to_target32 (note_size);
+      phdr->p_memsz = 0;
+      phdr->p_offset = grub_host_to_target32 (header_size + program_size + 
footer_offset);
+
+      footer += note_size;
+      footer_offset += note_size;
+    }
+
+  if (appsig_size)
+    {
+      int note_size = ALIGN_UP (sizeof (struct grub_appended_signature_note) + 
appsig_size, 4);
+      struct grub_appended_signature_note *note_ptr = (struct 
grub_appended_signature_note *)footer;
+      note_ptr->header.n_namesz = grub_host_to_target32 (sizeof 
(GRUB_APPENDED_SIGNATURE_NOTE_NAME));
+      /* needs to sit at the end, so we round this up and sign some zero 
padding */
+      note_ptr->header.n_descsz = grub_host_to_target32 (ALIGN_UP 
(appsig_size, 4));
+      note_ptr->header.n_type = grub_host_to_target32 
(GRUB_APPENDED_SIGNATURE_NOTE_TYPE);
+      strcpy (note_ptr->name, GRUB_APPENDED_SIGNATURE_NOTE_NAME);
+
+      phdr++;
+      phdr->p_type = grub_host_to_target32 (PT_NOTE);
+      phdr->p_flags = grub_host_to_target32 (PF_R);
+      phdr->p_align = grub_host_to_target32 (image_target->voidp_sizeof);
+      phdr->p_vaddr = 0;
+      phdr->p_paddr = 0;
+      phdr->p_filesz = grub_host_to_target32 (note_size);
+      phdr->p_memsz = 0;
+      phdr->p_offset = grub_host_to_target32 (header_size + program_size + 
footer_offset);
+    }
 
   {
     char *str_start = (elf_img + sizeof (*ehdr) + phnum * sizeof (*phdr)
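Review bot: two points in this hunk. First, in the `if (note)` block `footer` is recomputed from an absolute base (`elf_img + program_size + header_size + note_size`) while `footer_offset += note_size` accumulates whatever a preceding Xen note block set, so the pointer the notes are written through and the `p_offset` recorded in the program header can diverge; derive both from one source, e.g. `footer = elf_img + program_size + header_size + footer_offset;` after the `+=`. Second, in the SBAT block `n_descsz` is `ALIGN_UP(layout->sbat_size, 4)` but only `layout->sbat_size` bytes are copied, so up to three padding bytes hold whatever the buffer contained unless `elf_img` is zero-allocated; memset them explicitly, since they sit under the appended signature. The `needs to sit at the end` requirement on the signature note is now met only because `if (sbat)` precedes `if (appsig_size)`; a comment saying so would guard against a reorder.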
-- 
2.47.0


++++++ 0008-mkimage-adding-sbat-data-into-sbat-ELF-Note-on-power.patch ++++++
>From 32d4823762e5a0e7f8bfc5a878d39e1a019392fe Mon Sep 17 00:00:00 2001
From: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Date: Thu, 18 Apr 2024 00:00:55 +0530
Subject: [PATCH 8/8] mkimage: adding sbat data into sbat ELF Note on powerpc

It reads the SBAT data from sbat.csv and creates the ELF Note for it, then
stores the SBAT data in it while generating the image with the -s option.

Signed-off-by: Sudhakar Kuppusamy <sudha...@linux.ibm.com>
Co-authored-by: Daniel Axtens <d...@axtens.net>
---
 util/mkimage.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)

diff --git a/util/mkimage.c b/util/mkimage.c
index 0737935fd..136e4a90c 100644
--- a/util/mkimage.c
+++ b/util/mkimage.c
@@ -958,8 +958,9 @@ grub_install_generate_image (const char *dir, const char 
*prefix,
       total_module_size += dtb_size + sizeof (struct grub_module_header);
     }
 
-  if (sbat_path != NULL && image_target->id != IMAGE_EFI)
-    grub_util_error (_(".sbat section can be embedded into EFI images only"));
+  if (sbat_path != NULL && (image_target->id != IMAGE_EFI && image_target->id 
!= IMAGE_PPC))
+    grub_util_error (_(".sbat section can be embedded into EFI images/"
+                       "sbat ELF Note cab be added into powerpc-ieee1275 
images only"));
 
   if (disable_shim_lock)
     total_module_size += sizeof (struct grub_module_header);
@@ -1835,6 +1836,16 @@ grub_install_generate_image (const char *dir, const char 
*prefix,
     case IMAGE_I386_IEEE1275:
       {
        grub_uint64_t target_addr;
+       char *sbat = NULL;
+
+       if (sbat_path != NULL)
+         {
+           sbat_size = grub_util_get_image_size (sbat_path);
+            sbat = xmalloc (sbat_size);
+           grub_util_load_image (sbat_path, sbat);
+            layout.sbat_size = sbat_size;
+         }
+
        if (image_target->id == IMAGE_LOONGSON_ELF)
          {
            if (comp == GRUB_COMPRESSION_NONE)
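Review bot: `sbat` is allocated with `xmalloc` but never freed after the `grub_mkimage_generate_elf32`/`grub_mkimage_generate_elf64` calls in the next hunk return; add `free (sbat);` after them. Also the lines `sbat = xmalloc (sbat_size);` and `layout.sbat_size = sbat_size;` are space-indented while the surrounding lines use tabs; match the existing indentation.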
@@ -1846,11 +1857,11 @@ grub_install_generate_image (const char *dir, const 
char *prefix,
        else
          target_addr = image_target->link_addr;
        if (image_target->voidp_sizeof == 4)
-         grub_mkimage_generate_elf32 (image_target, note, appsig_size, 
&core_img,
-                                      &core_size, target_addr, &layout);
+         grub_mkimage_generate_elf32 (image_target, note, appsig_size, sbat, 
&core_img, &core_size,
+                                      target_addr, &layout);
        else
-         grub_mkimage_generate_elf64 (image_target, note, appsig_size, 
&core_img,
-                                      &core_size, target_addr, &layout);
+         grub_mkimage_generate_elf64 (image_target, note, appsig_size, sbat, 
&core_img, &core_size,
+                                      target_addr, &layout);
       }
       break;
     }
-- 
2.47.0



++++++ grub2-install-fix-not-a-directory-error.patch ++++++
--- /var/tmp/diff_new_pack.ca0CkN/_old  2024-10-23 21:08:17.289733633 +0200
+++ /var/tmp/diff_new_pack.ca0CkN/_new  2024-10-23 21:08:17.293733799 +0200
@@ -22,17 +22,23 @@
 [1] https://savannah.gnu.org/bugs/index.php?57652
 [2] https://bugzilla.opensuse.org/attachment.cgi?id=828118
 
+v2:
+We are still encountering the error. Instead of ensuring ext[234] is tried
+before minix, make sure everything is tried before minix unless its detection
+issue can be properly addressed.
+
 --- a/Makefile.am
 +++ b/Makefile.am
-@@ -51,8 +51,11 @@
+@@ -51,8 +51,12 @@
          -D'GRUB_MOD_INIT(x)=@MARKER@x@' $^ > $@ || (rm -f $@; exit 1)
  CLEANFILES += libgrub.pp
  
-+# the grep/sed ensures that ext2 gets initialized before minix*
++# the grep/sed ensures that every other file system gets tested before minix*"
 +# see https://savannah.gnu.org/bugs/?57652
++# see https://bugzilla.suse.com/show_bug.cgi?id=1231604
  libgrub_a_init.lst: libgrub.pp
        cat $< | grep '^@MARKER@' | sed 's/@MARKER@\(.*\)@/\1/g' | sort -u > $@ 
|| (rm -f $@; exit 1)
-+      if grep ^ext2 $@ >/dev/null; then sed '/ext2/d;/newc/iext2' < $@ > 
$@.tmp && mv $@.tmp $@; fi
++      if grep ^minix $@ >/dev/null; then sed -n 
'/^minix/p;/^minix/!H;$${x;s/^\n//;p}' < $@ > $@.tmp && mv $@.tmp $@; fi
  CLEANFILES += libgrub_a_init.lst
  
  libgrub_a_init.c: libgrub_a_init.lst $(top_srcdir)/geninit.sh
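Review bot: stray trailing `"` at the end of the new comment line `every other file system gets tested before minix*"`. The sed expression (`$$` is the Makefile escape for `$`) prints the `minix*` entries first and flushes every other entry from the hold space at the last line, so minix ends up at the head of the init list; as with the previous ext2 rule, which moved ext2 later in the list to have it tried earlier, that relies on later-initialised file systems being probed first. The comment currently reads as if minix were moved last, so a sentence stating that ordering rule would help the next reader.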
