Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked
in at 2023-10-27 22:27:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new.17445 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"
Fri Oct 27 22:27:14 2023 rev:305 rq:1120471 version:2.12~rc1
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2023-10-18
21:25:15.939735325 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.17445/grub2.changes 2023-10-27
22:27:21.573680006 +0200
@@ -1,0 +2,20 @@
+Thu Oct 26 06:04:54 UTC 2023 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Fix a potential error when appending multiple keys into the
+ synthesized initrd
+ * Fix-the-size-calculation-for-the-synthesized-initrd.patch
+
+-------------------------------------------------------------------
+Wed Oct 25 01:56:09 UTC 2023 - Michael Chang <mch...@suse.com>
+
+- Fix Xen chainloding error of no matching file path found (bsc#1216081)
+ * grub2-efi-chainload-harder.patch
+
+-------------------------------------------------------------------
+Mon Oct 23 13:11:45 UTC 2023 - Michael Chang <mch...@suse.com>
+
+- Use grub-tpm2 token to unlock keyslots to make the unsealing process more
+ efficient and secure.
+ * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
+
+-------------------------------------------------------------------
@@ -788 +808 @@
-- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668)
+- Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668)
(jsc#PED-1276)
@@ -871 +891 @@
- (bsc#1187810)
+ (bsc#1187810) (bsc#1209667) (bsc#1209372)
New:
----
0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
Fix-the-size-calculation-for-the-synthesized-initrd.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.oOFGGT/_old 2023-10-27 22:27:24.673793706 +0200
+++ /var/tmp/diff_new_pack.oOFGGT/_new 2023-10-27 22:27:24.677793852 +0200
@@ -387,6 +387,8 @@
Patch195: 0004-fs-ntfs-Fix-an-OOB-read-when-parsing-bitmaps-for-ind.patch
Patch196: 0005-fs-ntfs-Fix-an-OOB-read-when-parsing-a-volume-label.patch
Patch197: 0006-fs-ntfs-Make-code-more-readable.patch
+Patch198: 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
+Patch199: Fix-the-size-calculation-for-the-synthesized-initrd.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
++++++ 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch ++++++
>From 06af22d6c893b0249712e9a486e0cbae15160e5c Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Mon, 23 Oct 2023 16:11:53 +0800
Subject: [PATCH] luks2: Use grub-tpm2 token for TPM2-protected volume unlock
This commit enables the use of the grub-tpm2 token for unlocking LUKS2
volumes protected by TPM2. The token tracks keyslots associated with a
sealed key, making the unsealing process more efficient and secure.
Signed-Off-by Michael Chang <mch...@suse.com>
---
grub-core/disk/luks2.c | 81 ++++++++++++++++++++++++++++++++++++++++--
1 file changed, 79 insertions(+), 2 deletions(-)
diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c
index d5106402f..fe5ba777a 100644
--- a/grub-core/disk/luks2.c
+++ b/grub-core/disk/luks2.c
@@ -124,6 +124,14 @@ struct grub_luks2_digest
};
typedef struct grub_luks2_digest grub_luks2_digest_t;
+struct grub_luks2_token_tpm
+{
+ grub_uint64_t idx;
+ grub_uint64_t keyslots;
+ const char *timestamp;
+};
+typedef struct grub_luks2_token_tpm grub_luks2_token_tpm_t;
+
gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src,
grub_uint8_t * dst, grub_size_t blocksize,
grub_size_t blocknumbers);
@@ -257,6 +265,39 @@ luks2_parse_digest (grub_luks2_digest_t *out, const
grub_json_t *digest)
return GRUB_ERR_NONE;
}
+static grub_err_t
+luks2_parse_token_tpm (grub_luks2_token_tpm_t *out, const grub_json_t *token)
+{
+ grub_json_t keyslots, o;
+ grub_size_t i, size;
+ grub_uint64_t bit;
+ const char *type;
+
+ if (grub_json_getstring (&type, token, "type"))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid token type");
+ else if (grub_strcmp (type, "grub-tpm2"))
+ return GRUB_ERR_NONE;
+
+ if (grub_json_getvalue (&keyslots, token, "keyslots") ||
+ grub_json_getstring (&out->timestamp, token, "timestamp"))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing token parameters");
+
+ if (grub_json_getsize (&size, &keyslots))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
+ "Token references no keyslots");
+
+ out->keyslots = 0;
+ for (i = 0; i < size; i++)
+ {
+ if (grub_json_getchild (&o, &keyslots, i) ||
+ grub_json_getuint64 (&bit, &o, NULL))
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot");
+ out->keyslots |= (1 << bit);
+ }
+
+ return GRUB_ERR_NONE;
+}
+
static grub_err_t
luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d,
grub_luks2_segment_t *s,
const grub_json_t *root, grub_size_t keyslot_json_idx)
@@ -561,13 +602,14 @@ luks2_recover_key (grub_disk_t source,
{
grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
char cipher[32], *json_header = NULL, *ptr;
- grub_size_t candidate_key_len = 0, json_idx, size;
+ grub_size_t candidate_key_len = 0, json_idx, size, tsize;
grub_luks2_header_t header;
grub_luks2_keyslot_t keyslot;
grub_luks2_digest_t digest;
grub_luks2_segment_t segment;
+ grub_luks2_token_tpm_t token_tpm;
gcry_err_code_t gcry_ret;
- grub_json_t *json = NULL, keyslots;
+ grub_json_t *json = NULL, keyslots, tokens;
grub_err_t ret;
if (cargs->key_data == NULL || cargs->key_len == 0)
@@ -605,6 +647,37 @@ luks2_recover_key (grub_disk_t source,
goto err;
}
+ token_tpm.keyslots = 0;
+ tsize = 0;
+ if (cargs->protectors)
+ {
+ int i;
+ for (i = 0; cargs->protectors[i]; i++)
+ if (grub_strcmp(cargs->protectors[i], "tpm2") == 0)
+ break;
+
+ if (!cargs->protectors[i] ||
+ cargs->key_cache[i].invalid ||
+ grub_json_getvalue (&tokens, json, "tokens") ||
+ grub_json_getsize (&tsize, &tokens))
+ grub_dprintf ("luks2", "No valid token or not a tpm2 protector\n");
+ }
+
+ for (json_idx = 0; json_idx < tsize; json_idx++)
+ {
+ grub_json_t token;
+
+ if (grub_json_getchild (&token, &tokens, json_idx) ||
+ grub_json_getuint64 (&token_tpm.idx, &token, NULL) ||
+ grub_json_getchild (&token, &token, 0) ||
+ luks2_parse_token_tpm (&token_tpm, &token))
+ {
+ grub_dprintf ("luks2", "Could not parse token index %" PRIuGRUB_SIZE
"\n", json_idx);
+ grub_errno = GRUB_ERR_NONE;
+ continue;
+ }
+ }
+
if (grub_disk_native_sectors (source) == GRUB_DISK_SIZE_UNKNOWN)
{
/* FIXME: Allow use of source disk, and maybe cause errors in read. */
@@ -641,6 +714,10 @@ luks2_recover_key (grub_disk_t source,
continue;
}
+ if (token_tpm.keyslots &&
+ !(token_tpm.keyslots & (1 << keyslot.idx)))
+ continue;
+
grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n",
keyslot.idx);
/* Sector size should be one of 512, 1024, 2048, or 4096. */
--
2.42.0
++++++ Fix-the-size-calculation-for-the-synthesized-initrd.patch ++++++
>From d441356c924102b43b303520cc1c62a624b014d6 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Thu, 26 Oct 2023 13:18:24 +0800
Subject: [PATCH] Fix the size calculation for the synthesized initrd
When calculating the size of the synthesized initrd in
grub_initrd_component(), the ending "TRAILER!!!" is counted in for every
synthesized initrd. However, in grub_initrd_load(), only one "TRAILER!!!"
will be appended for one group of consecutive synthesized initrds. The
additional size calculation for the ending "TRAILER!!!" could make the
linux kernel to read uninitialized bytes and result in the error message
like this:
Initramfs unpacking failed: invalid magic at start of compressed archive
To fit into the original 'newc' design, the ending "TRAILER!!!" is
removed from grub_initrd_component(). Instead, in grub_initrd_init(),
the 'newc' flag is set when calculating size of the synthesized initrd
to append the ending "TRAILER!!!" later. As for grub_initrd_load(),
since the path to the unsealed key is specified in 'newc_name', it's
unnecessary to set the 'newc' flag while copying the unsealed key
because the flag is already set when parsing the path name.
Signed-off-by: Gary Lin <g...@suse.com>
---
grub-core/loader/linux.c | 23 ++++++++---------------
1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c
index 4e028f5..9ee8f37 100644
--- a/grub-core/loader/linux.c
+++ b/grub-core/loader/linux.c
@@ -209,13 +209,6 @@ grub_initrd_component (const char *buf, int bufsz, const
char *newc_name,
&initrd_ctx->size))
goto overflow;
- initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
- if (grub_add (initrd_ctx->size,
- ALIGN_UP (sizeof (struct newc_head)
- + sizeof ("TRAILER!!!") - 1, 4),
- &initrd_ctx->size))
- goto overflow;
-
free_dir (root);
root = 0;
return GRUB_ERR_NONE;
@@ -312,6 +305,13 @@ grub_initrd_init (int argc, char *argv[],
goto overflow;
}
+ FOR_LIST_ELEMENTS (pk, kpuber)
+ if (pk->key && pk->path)
+ {
+ grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx);
+ newc = 1;
+ }
+
if (newc)
{
initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4);
@@ -324,10 +324,6 @@ grub_initrd_init (int argc, char *argv[],
root = 0;
}
- FOR_LIST_ELEMENTS (pk, kpuber)
- if (pk->key && pk->path)
- grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx);
-
return GRUB_ERR_NONE;
overflow:
@@ -404,10 +400,7 @@ grub_initrd_load (struct grub_linux_initrd_context
*initrd_ctx,
cursize = initrd_ctx->components[i].size;
if (initrd_ctx->components[i].buf)
- {
- grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize);
- newc = 1;
- }
+ grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize);
else if (grub_file_read (initrd_ctx->components[i].file, ptr, cursize)
!= cursize)
{
--
2.35.3
++++++ grub2-efi-chainload-harder.patch ++++++
--- /var/tmp/diff_new_pack.oOFGGT/_old 2023-10-27 22:27:25.089808963 +0200
+++ /var/tmp/diff_new_pack.oOFGGT/_new 2023-10-27 22:27:25.097809257 +0200
@@ -2,6 +2,10 @@
v2:
Use grub_efi_get_secureboot to get secure boot status
+v3:
+Fix null sb_context->file_path due to missing assignment of chainloaded image's
+file_path (bsc#1216081)
+
---
grub-core/loader/efi/chainloader.c | 62
+++++++++++++++++++++----------------
1 file changed, 36 insertions(+), 26 deletions(-)
@@ -73,7 +77,7 @@
}
static void*
-@@ -604,6 +605,9 @@
+@@ -607,6 +608,9 @@
if (buffer)
b->free_pool (buffer);
@@ -83,7 +87,7 @@
return 0;
}
-@@ -821,6 +825,30 @@
+@@ -825,6 +829,31 @@
status = b->load_image (0, grub_efi_image_handle, file_path,
boot_image, size,
&image_handle);
@@ -105,6 +109,7 @@
+ sb_context->dev_handle = dev_handle;
+ sb_context->address = address;
+ sb_context->pages = pages;
++ sb_context->file_path = file_path;
+ grub_file_close (file);
+ grub_loader_set_ex (grub_secureboot_chainloader_boot,
+ grub_secureboot_chainloader_unload, sb_context, 0);
