Hello community,

here is the log from the commit of package grub2 for openSUSE:Factory checked 
in at 2024-05-16 17:13:05
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
 and      /work/SRC/openSUSE:Factory/.grub2.new.1880 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "grub2"

Thu May 16 17:13:05 2024 rev:329 rq:1174381 version:2.12

Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes      2024-05-12 
17:08:23.914953603 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.1880/grub2.changes    2024-05-16 
17:14:11.973800359 +0200
@@ -1,0 +2,35 @@
+Wed May 15 06:19:54 UTC 2024 - Gary Ching-Pang Lin <g...@suse.com>
+
+- Update to the latest upstreaming TPM2 patches
+  * 0001-key_protector-Add-key-protectors-framework.patch
+    - Replace 0001-protectors-Add-key-protectors-framework.patch
+  * 0002-tpm2-Add-TPM-Software-Stack-TSS.patch
+    - Merge other TSS patches
+      * 0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
+      * 0002-tpm2-Add-more-marshal-unmarshal-functions.patch
+      * 0003-tpm2-Implement-more-TPM2-commands.patch
+  * 0003-key_protector-Add-TPM2-Key-Protector.patch
+    - Replace 0003-protectors-Add-TPM2-Key-Protector.patch
+  * 0004-cryptodisk-Support-key-protectors.patch
+  * 0005-util-grub-protect-Add-new-tool.patch
+  * 0001-tpm2-Support-authorized-policy.patch
+    - Replace 0004-tpm2-Support-authorized-policy.patch
+  * 0001-tpm2-Add-extra-RSA-SRK-types.patch
+  * 0001-tpm2-Implement-NV-index.patch
+    - Replace 0001-protectors-Implement-NV-index.patch
+  * 0002-cryptodisk-Fallback-to-passphrase.patch
+  * 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
+  * 0004-diskfilter-look-up-cryptodisk-devices-first.patch
+- Refresh affected patches
+  * 0001-Improve-TPM-key-protection-on-boot-interruptions.patch
+  * grub2-bsc1220338-key_protector-implement-the-blocklist.patch
+- New manpage for grub2-protect
+
+-------------------------------------------------------------------
+Wed May 15 00:46:14 UTC 2024 - Michael Chang <mch...@suse.com>
+
+- Fix error in /etc/grub.d/20_linux_xen: file_is_not_sym not found, renamed to
+  file_is_not_xen_garbage (bsc#1224226)
+  * grub2-fix-menu-in-xen-host-server.patch
+
+-------------------------------------------------------------------

Old:
----
  0001-protectors-Add-key-protectors-framework.patch
  0001-protectors-Implement-NV-index.patch
  0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
  0002-tpm2-Add-more-marshal-unmarshal-functions.patch
  0003-protectors-Add-TPM2-Key-Protector.patch
  0003-tpm2-Implement-more-TPM2-commands.patch
  0004-tpm2-Support-authorized-policy.patch

New:
----
  0001-key_protector-Add-key-protectors-framework.patch
  0001-tpm2-Add-extra-RSA-SRK-types.patch
  0001-tpm2-Implement-NV-index.patch
  0001-tpm2-Support-authorized-policy.patch
  0003-key_protector-Add-TPM2-Key-Protector.patch



++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.157952008 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.161952153 +0200
@@ -338,9 +338,9 @@
 Patch147:       0001-grub-probe-Deduplicate-probed-partmap-output.patch
 Patch148:       0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch
 Patch149:       0001-ofdisk-improve-boot-time-by-lookup-boot-disk-first.patch
-Patch150:       0001-protectors-Add-key-protectors-framework.patch
+Patch150:       0001-key_protector-Add-key-protectors-framework.patch
 Patch151:       0002-tpm2-Add-TPM-Software-Stack-TSS.patch
-Patch152:       0003-protectors-Add-TPM2-Key-Protector.patch
+Patch152:       0003-key_protector-Add-TPM2-Key-Protector.patch
 Patch153:       0004-cryptodisk-Support-key-protectors.patch
 Patch154:       0005-util-grub-protect-Add-new-tool.patch
 Patch155:       0008-linuxefi-Use-common-grub_initrd_load.patch
@@ -358,10 +358,8 @@
 Patch167:       grub2-increase-crypttab-path-buffer.patch
 Patch168:       0001-grub2-Set-multiple-device-path-for-a-nvmf-boot-devic.patch
 Patch169:       0001-grub2-Can-t-setup-a-default-boot-device-correctly-on.patch
-Patch170:       0001-tpm2-Add-TPM2-types-structures-and-command-constants.patch
-Patch171:       0002-tpm2-Add-more-marshal-unmarshal-functions.patch
-Patch172:       0003-tpm2-Implement-more-TPM2-commands.patch
-Patch173:       0004-tpm2-Support-authorized-policy.patch
+Patch170:       0001-tpm2-Support-authorized-policy.patch
+Patch171:       0001-tpm2-Add-extra-RSA-SRK-types.patch
 Patch174:       0001-clean-up-crypttab-and-linux-modules-dependency.patch
 Patch175:       0002-discard-cached-key-before-entering-grub-shell-and-ed.patch
 Patch176:       0001-ieee1275-ofdisk-retry-on-open-and-read-failure.patch
@@ -372,7 +370,7 @@
 Patch181:       0001-font-Try-memdisk-fonts-with-the-same-name.patch
 Patch182:       0001-Make-grub.cfg-compatible-to-old-binaries.patch
 Patch183:       grub2-change-bash-completion-dir.patch
-Patch184:       0001-protectors-Implement-NV-index.patch
+Patch184:       0001-tpm2-Implement-NV-index.patch
 Patch185:       0002-cryptodisk-Fallback-to-passphrase.patch
 Patch186:       0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch
 Patch187:       0004-diskfilter-look-up-cryptodisk-devices-first.patch
@@ -1225,6 +1223,7 @@
 %{_mandir}/man1/%{name}-mkrelpath.1.*
 %{_mandir}/man1/%{name}-mkrescue.1.*
 %{_mandir}/man1/%{name}-mkstandalone.1.*
+%{_mandir}/man1/%{name}-protect.1.*
 %{_mandir}/man1/%{name}-render-label.1.*
 %{_mandir}/man1/%{name}-script-check.1.*
 %{_mandir}/man1/%{name}-syslinux2cfg.1.*

++++++ 0001-Improve-TPM-key-protection-on-boot-interruptions.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.205953748 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.209953893 +0200
@@ -1,7 +1,7 @@
-From fe7ed9104cef56f9e532a0c9a7164393d5d69ae1 Mon Sep 17 00:00:00 2001
+From 27b3e919b9b51a4fedeb3a5aef19c87f0cd7b687 Mon Sep 17 00:00:00 2001
 From: Michael Chang <mch...@suse.com>
 Date: Fri, 17 Nov 2023 12:32:59 +0800
-Subject: [PATCH 1/4] Improve TPM key protection on boot interruptions
+Subject: [PATCH] Improve TPM key protection on boot interruptions
 
 The unattended boot process for full disk encryption relies on an
 authorized TPM policy to ensure the system's integrity before releasing
@@ -125,7 +125,7 @@
  
  static grub_command_t cmd;
 diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index c79d4125a..d90ca06dc 100644
+index aa0d43562..babc94868 100644
 --- a/grub-core/disk/cryptodisk.c
 +++ b/grub-core/disk/cryptodisk.c
 @@ -1071,6 +1071,9 @@ grub_cryptodisk_scan_device_real (const char *name,
@@ -139,14 +139,14 @@
    dev = grub_cryptodisk_get_by_source_disk (source);
  
 @@ -1183,6 +1186,9 @@ grub_cryptodisk_scan_device_real (const char *name,
-            ret = grub_cryptodisk_insert (dev, name, source);
-            if (ret != GRUB_ERR_NONE)
-              goto error;
+             ret = grub_cryptodisk_insert (dev, name, source);
+             if (ret != GRUB_ERR_NONE)
+               goto error;
 +#ifndef GRUB_UTIL
-+           is_tpmkey = 1;
++            is_tpmkey = 1;
 +#endif
-            goto cleanup;
-          }
+             goto cleanup;
+           }
        }
 @@ -1244,7 +1250,7 @@ grub_cryptodisk_scan_device_real (const char *name,
  
@@ -282,6 +282,6 @@
 +grub_cryptokey_tpmkey_discard (void);
  #endif /* ! GRUB_CRYPTTAB_HEADER */
 -- 
-2.42.1
+2.35.3
 
 

++++++ 0001-key_protector-Add-key-protectors-framework.patch ++++++
>From bf09618c47c6632b763960e265436294ab98dd43 Mon Sep 17 00:00:00 2001
From: Hernan Gatta <hega...@linux.microsoft.com>
Date: Tue, 1 Feb 2022 05:02:53 -0800
Subject: [PATCH 1/5] key_protector: Add key protectors framework

A key protector encapsulates functionality to retrieve an unlocking key
for a fully-encrypted disk from a specific source. A key protector
module registers itself with the key protectors framework when it is
loaded and unregisters when unloaded. Additionally, a key protector may
accept parameters that describe how it should operate.

The key protectors framework, besides offering registration and
unregistration functions, also offers a one-stop routine for finding and
invoking a key protector by name. If a key protector with the specified
name exists and if an unlocking key is successfully retrieved by it, the
function returns to the caller the retrieved key and its length.

Cc: Vladimir Serbinenko <phco...@gmail.com>
Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
---
 grub-core/Makefile.am          |  1 +
 grub-core/Makefile.core.def    |  5 +++
 grub-core/disk/key_protector.c | 78 ++++++++++++++++++++++++++++++++++
 include/grub/key_protector.h   | 46 ++++++++++++++++++++
 4 files changed, 130 insertions(+)
 create mode 100644 grub-core/disk/key_protector.c
 create mode 100644 include/grub/key_protector.h

diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index f18550c1c..9d3d5f519 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -90,6 +90,7 @@ endif
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/parser.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/key_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
 KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index bc893e547..4307b8e2d 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1302,6 +1302,11 @@ module = {
   common = disk/raid6_recover.c;
 };
 
+module = {
+  name = key_protector;
+  common = disk/key_protector.c;
+};
+
 module = {
   name = scsi;
   common = disk/scsi.c;
diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
new file mode 100644
index 000000000..b84afe1c7
--- /dev/null
+++ b/grub-core/disk/key_protector.c
@@ -0,0 +1,78 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/dl.h>
+#include <grub/list.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/key_protector.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+struct grub_key_protector *grub_key_protectors = NULL;
+
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector)
+{
+  if (protector == NULL || protector->name == NULL || grub_strlen 
(protector->name) == 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  if (grub_key_protectors &&
+      grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
+                           protector->name))
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  grub_list_push (GRUB_AS_LIST_P (&grub_key_protectors),
+                 GRUB_AS_LIST (protector));
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_key_protector_unregister (struct grub_key_protector *protector)
+{
+  if (protector == NULL)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  grub_list_remove (GRUB_AS_LIST (protector));
+
+  return GRUB_ERR_NONE;
+}
+
+grub_err_t
+grub_key_protector_recover_key (const char *protector, grub_uint8_t **key,
+                               grub_size_t *key_size)
+{
+  struct grub_key_protector *kp = NULL;
+
+  if (grub_key_protectors == NULL)
+    return GRUB_ERR_OUT_OF_RANGE;
+
+  if (protector == NULL || grub_strlen (protector) == 0)
+    return GRUB_ERR_BAD_ARGUMENT;
+
+  kp = grub_named_list_find (GRUB_AS_NAMED_LIST (grub_key_protectors),
+                            protector);
+  if (kp == NULL)
+    return grub_error (GRUB_ERR_OUT_OF_RANGE,
+                      N_("A key protector with name '%s' could not be found. "
+                         "Is the name spelled correctly and is the "
+                         "corresponding module loaded?"), protector);
+
+  return kp->recover_key (key, key_size);
+}
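Review bot: grub_key_protector_register validates `name` but not the `recover_key` callback, and grub_key_protector_recover_key then calls `kp->recover_key (key, key_size)` unconditionally, so a protector registered with a NULL callback turns into a NULL function call at unlock time. Reject it at registration: `if (protector == NULL || protector->name == NULL || grub_strlen (protector->name) == 0 || protector->recover_key == NULL)`. Two smaller points in the same file: the `grub_key_protectors == NULL` path returns a bare `GRUB_ERR_OUT_OF_RANGE` without calling grub_error, so the caller sees whatever stale message was last set — prefer `return grub_error (GRUB_ERR_OUT_OF_RANGE, N_("No key protectors are registered"));` — and grub_key_protector_unregister calls grub_list_remove on any non-NULL pointer, which presumably dereferences `protector->prev` even for a protector that was never registered (verify against grub_list_remove); a lookup by name before removal would make it safe.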
diff --git a/include/grub/key_protector.h b/include/grub/key_protector.h
new file mode 100644
index 000000000..6e6a6fb24
--- /dev/null
+++ b/include/grub/key_protector.h
@@ -0,0 +1,46 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2022 Microsoft Corporation
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_PROTECTOR_HEADER
+#define GRUB_PROTECTOR_HEADER 1
+
+#include <grub/err.h>
+#include <grub/types.h>
+
+struct grub_key_protector
+{
+  struct grub_key_protector *next;
+  struct grub_key_protector **prev;
+
+  const char *name;
+
+  grub_err_t (*recover_key) (grub_uint8_t **key, grub_size_t *key_size);
+};
+
+grub_err_t
+grub_key_protector_register (struct grub_key_protector *protector);
+
+grub_err_t
+grub_key_protector_unregister (struct grub_key_protector *protector);
+
+grub_err_t
+grub_key_protector_recover_key (const char *protector,
+                               grub_uint8_t **key,
+                               grub_size_t *key_size);
+
+#endif /* ! GRUB_PROTECTOR_HEADER */
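Review bot: The struct and the three prototypes carry no documentation of the key-ownership contract, which matters here because `key` is disk-unlock material: nothing says who allocates the buffer written through `key`, that the caller must free it, or that it should be wiped before freeing. I would add above `recover_key` a comment along the lines of `/* On success, *key points to a buffer allocated by the protector and *key_size holds its length; the caller owns the buffer and must wipe it (grub_memset) before grub_free. On failure, *key and *key_size are unspecified. */`, and a one-line purpose comment over each prototype (register fails with GRUB_ERR_BAD_ARGUMENT on a NULL/empty name or a duplicate name; recover_key fails with GRUB_ERR_OUT_OF_RANGE when no protector of that name is registered). Minor style point: the file was renamed to key_protector.h but the guard is still `GRUB_PROTECTOR_HEADER`; `GRUB_KEY_PROTECTOR_HEADER` would match the file and the module name.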
-- 
2.35.3


++++++ 0001-tpm2-Add-extra-RSA-SRK-types.patch ++++++
>From f41a45b080cb9c6f59879a3e23f9ec2380015a16 Mon Sep 17 00:00:00 2001
From: Gary Lin <g...@suse.com>
Date: Thu, 25 Apr 2024 16:21:45 +0800
Subject: [PATCH] tpm2: Add extra RSA SRK types

Since fde-tools may set RSA3072 and RSA4096 as the SRK type, grub2 has
to support those parameters.

Signed-off-by: Gary Lin <g...@suse.com>
---
 grub-core/tpm2/args.c   | 12 ++++++++++++
 grub-core/tpm2/module.c | 16 ++++++++++++++--
 util/grub-protect.c     |  4 ++--
 3 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/grub-core/tpm2/args.c b/grub-core/tpm2/args.c
index c11280ab9..d140364d2 100644
--- a/grub-core/tpm2/args.c
+++ b/grub-core/tpm2/args.c
@@ -92,6 +92,18 @@ grub_tpm2_protector_parse_asymmetric (const char *value,
       srk_type->type = TPM_ALG_RSA;
       srk_type->detail.rsa_bits = 2048;
     }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+          grub_strcasecmp (value, "RSA3072") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 3072;
+    }
+  else if (grub_strcasecmp (value, "RSA") == 0 ||
+          grub_strcasecmp (value, "RSA4096") == 0)
+    {
+      srk_type->type = TPM_ALG_RSA;
+      srk_type->detail.rsa_bits = 4096;
+    }
   else
     return grub_error (GRUB_ERR_OUT_OF_RANGE,
                       N_("Value '%s' is not a valid asymmetric key type"),
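Review bot: Both new branches carry a copy-pasted `grub_strcasecmp (value, "RSA") == 0 ||` alternative, so the plain "RSA" spelling is now claimed by three branches; the help text in this same patch documents "RSA" as meaning RSA2048, and the preceding branch (above the hunk) already handles it, so the alternative is dead here and would silently remap "RSA" to 3072 bits if that earlier branch were ever changed. Drop it so each branch matches only its own explicit size: `else if (grub_strcasecmp (value, "RSA3072") == 0)` and `else if (grub_strcasecmp (value, "RSA4096") == 0)`. The enclosing grub_tpm2_protector_parse_asymmetric starts before the hunk.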
diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index b754b38df..8b72ed6fa 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -136,8 +136,8 @@ static const struct grub_arg_option 
grub_tpm2_protector_init_cmd_options[] =
       .arg      = NULL,
       .type     = ARG_TYPE_STRING,
       .doc      =
-       N_("In SRK mode, the type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)"
-          "(default: ECC)"),
+       N_("In SRK mode, the type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+         "and ECC (ECC_NIST_P256). (default: ECC)"),
     },
     /* NV Index-mode options */
     {
@@ -541,6 +541,10 @@ srk_type_to_name (grub_srk_type_t srk_type)
        {
          case 2048:
            return "RSA2048";
+         case 3072:
+           return "RSA3072";
+         case 4096:
+           return "RSA4096";
        }
    }
 
@@ -561,6 +565,14 @@ grub_tpm2_protector_load_key (const struct 
grub_tpm2_protector_context *ctx,
       .type = TPM_ALG_ECC,
       .detail.ecc_curve = TPM_ECC_NIST_P256,
     },
+    {
+      .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 4096,
+    },
+    {
+      .type = TPM_ALG_RSA,
+      .detail.rsa_bits = 3072,
+    },
     {
       .type = TPM_ALG_RSA,
       .detail.rsa_bits = 2048,
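Review bot: The new entries place RSA4096 and RSA3072 ahead of RSA2048 in this candidate list with no comment explaining the order. If this list is walked as a fallback, creating a primary of each type until one works (it reads that way, but the loop is outside the hunk — please confirm), then every boot on a TPM whose sealed key was made under an RSA2048 SRK first pays for an RSA4096 and an RSA3072 primary creation, which on discrete TPMs can take several seconds each and may fail with an unsupported-parameter error rather than a fast reject. Either document why the larger sizes come first, e.g. `/* Try larger RSA SRKs first: fde-tools may have sealed under RSA3072/RSA4096 */`, or keep RSA2048 before them and rely on an explicitly requested `-a` type to skip the list entirely.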
diff --git a/util/grub-protect.c b/util/grub-protect.c
index 869f45861..00be03ca0 100644
--- a/util/grub-protect.c
+++ b/util/grub-protect.c
@@ -199,8 +199,8 @@ static struct argp_option grub_protect_options[] =
       .arg   = "TYPE",
       .flags = 0,
       .doc   =
-       N_("The type of SRK: RSA (RSA2048) and ECC (ECC_NIST_P256)."
-          "(default: ECC)"),
+       N_("The type of SRK: RSA (RSA2048), RSA3072, RSA4096, "
+          "and ECC (ECC_NIST_P256). (default: ECC)"),
       .group = 0
     },
     {
-- 
2.35.3


++++++ 0001-tpm2-Implement-NV-index.patch ++++++
>From 947009d79e3f17b10a7753bdde8d3a4a7b757bed Mon Sep 17 00:00:00 2001
From: Patrick Colp <patrick.c...@oracle.com>
Date: Mon, 31 Jul 2023 07:01:45 -0700
Subject: [PATCH 1/4] tpm2: Implement NV index

Currently with the TPM2 protector, only SRK mode is supported and
NV index support is just a stub. Implement the NV index option.

Note: This only extends support on the unseal path. grub2_protect
has not been updated. tpm2-tools can be used to insert a key into
the NV index.

An example of inserting a key using tpm2-tools:

  # Get random key.
  tpm2_getrandom 32 > key.dat

  # Create primary object.
  tpm2_createprimary -C o -g sha256 -G ecc -c primary.ctx

  # Create policy object. `pcrs.dat` contains the PCR values to seal against.
  tpm2_startauthsession -S session.dat
  tpm2_policypcr -S session.dat -l sha256:7,11 -f pcrs.dat -L policy.dat
  tpm2_flushcontext session.dat

  # Seal key into TPM.
  cat key.dat | tpm2_create -C primary.ctx -u key.pub -r key.priv -L policy.dat 
-i-
  tpm2_load -C primary.ctx -u key.pub -r key.priv -n sealing.name -c sealing.ctx
  tpm2_evictcontrol -C o -c sealing.ctx 0x81000000

Then to unseal the key in grub, add this to grub.cfg:

  tpm2_key_protector_init --mode=nv --nvindex=0x81000000 --pcrs=7,11
  cryptomount -u <UUID> --protector tpm2

Signed-off-by: Patrick Colp <patrick.c...@oracle.com>
Signed-off-by: Gary Lin <g...@suse.com>
Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
---
 grub-core/tpm2/module.c | 25 ++++++++++++++++++++-----
 1 file changed, 20 insertions(+), 5 deletions(-)

diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
index e83b02865..b754b38df 100644
--- a/grub-core/tpm2/module.c
+++ b/grub-core/tpm2/module.c
@@ -1035,12 +1035,27 @@ static grub_err_t
 grub_tpm2_protector_nv_recover (const struct grub_tpm2_protector_context *ctx,
                                grub_uint8_t **key, grub_size_t *key_size)
 {
-  (void)ctx;
-  (void)key;
-  (void)key_size;
+  TPM_HANDLE sealed_handle = ctx->nv;
+  tpm2key_policy_t policy_seq = NULL;
+  grub_err_t err;
+
+  /* Create a basic policy sequence based on the given PCR selection */
+  err = grub_tpm2_protector_simple_policy_seq (ctx, &policy_seq);
+  if (err != GRUB_ERR_NONE)
+    goto exit;
+
+  err = grub_tpm2_protector_unseal (policy_seq, sealed_handle, key, key_size);
+
+  /* Pop error messages on success */
+  if (err == GRUB_ERR_NONE)
+    while (grub_error_pop ());
+
+exit:
+  TPM2_FlushContext (sealed_handle);
 
-  return grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET,
-                    N_("NV Index mode is not implemented yet"));
+  grub_tpm2key_free_policy_seq (policy_seq);
+
+  return err;
 }
 
 static grub_err_t
-- 
2.35.3


++++++ 0004-tpm2-Support-authorized-policy.patch -> 
0001-tpm2-Support-authorized-policy.patch ++++++
--- /work/SRC/openSUSE:Factory/grub2/0004-tpm2-Support-authorized-policy.patch  
2023-11-22 18:54:09.378580151 +0100
+++ 
/work/SRC/openSUSE:Factory/.grub2.new.1880/0001-tpm2-Support-authorized-policy.patch
        2024-05-16 17:14:11.617787456 +0200
@@ -1,7 +1,7 @@
-From 542c4fc6e067e04e8b96f798882ae968c59f4948 Mon Sep 17 00:00:00 2001
+From 26a66098d5fa50b9462c8c815429a4c18f20310b Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Thu, 6 Apr 2023 16:00:25 +0800
-Subject: [PATCH v7 16/20] tpm2: Support authorized policy
+Subject: [PATCH] tpm2: Support authorized policy
 
 This commit handles the TPM2_PolicyAuthorize command from the key file
 in TPM 2.0 Key File format.
@@ -43,12 +43,12 @@
        --after \
        --input sealed.key \
        --output sealed.tpm \
-       sign 0,2,4,7.9
+       sign 0,2,4,7,9
 
 Then specify the key file and the key protector to grub.cfg in the EFI
 system partition:
 
-tpm2_key_protector_init --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
+tpm2_key_protector_init -a RSA --tpm2key=(hd0,gpt1)/boot/grub2/sealed.tpm
 cryptomount -u <PART_UUID> -P tpm2
 
 For any change in the boot components, just run the 'sign' command again
@@ -59,15 +59,16 @@
 (*2) https://github.com/okirch/pcr-oracle
 
 Signed-off-by: Gary Lin <g...@suse.com>
+Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
 ---
  grub-core/tpm2/module.c | 84 +++++++++++++++++++++++++++++++++++++++++
  1 file changed, 84 insertions(+)
 
 diff --git a/grub-core/tpm2/module.c b/grub-core/tpm2/module.c
-index df0727215..0cbfd06e8 100644
+index 3db25ceca..e83b02865 100644
 --- a/grub-core/tpm2/module.c
 +++ b/grub-core/tpm2/module.c
-@@ -453,6 +453,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION 
session,
+@@ -650,6 +650,87 @@ grub_tpm2_protector_policypcr (TPMI_SH_AUTH_SESSION 
session,
    return GRUB_ERR_NONE;
  }
  
@@ -155,7 +156,7 @@
  static grub_err_t
  grub_tpm2_protector_enforce_policy (tpm2key_policy_t policy, 
TPMI_SH_AUTH_SESSION session)
  {
-@@ -472,6 +553,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t 
policy, TPMI_SH_AUTH_SESSIO
+@@ -669,6 +750,9 @@ grub_tpm2_protector_enforce_policy (tpm2key_policy_t 
policy, TPMI_SH_AUTH_SESSIO
      case TPM_CC_PolicyPCR:
        err = grub_tpm2_protector_policypcr (session, &buf);
        break;

++++++ 0002-cryptodisk-Fallback-to-passphrase.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.381960127 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.385960272 +0200
@@ -1,4 +1,4 @@
-From 7cc578baf26986c2badce998125b429a2aeb4d33 Mon Sep 17 00:00:00 2001
+From e62b26f9765e309691e014f322d4b02b220956a1 Mon Sep 17 00:00:00 2001
 From: Patrick Colp <patrick.c...@oracle.com>
 Date: Sun, 30 Jul 2023 12:58:18 -0700
 Subject: [PATCH 2/4] cryptodisk: Fallback to passphrase
@@ -10,15 +10,17 @@
 proceeding with the passphrase.
 
 Signed-off-by: Patrick Colp <patrick.c...@oracle.com>
+Signed-off-by: Gary Lin <g...@suse.com>
+Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
 ---
  grub-core/disk/cryptodisk.c | 7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index 6620fca00..cf37a0934 100644
+index af4104178..f9842f776 100644
 --- a/grub-core/disk/cryptodisk.c
 +++ b/grub-core/disk/cryptodisk.c
-@@ -1191,11 +1191,16 @@ grub_cryptodisk_scan_device_real (const char *name,
+@@ -1193,11 +1193,16 @@ grub_cryptodisk_scan_device_real (const char *name,
                  source->name, source->partition != NULL ? "," : "",
                  part != NULL ? part : N_("UNKNOWN"), dev->uuid);
        grub_free (part);

++++++ 0002-tpm2-Add-TPM-Software-Stack-TSS.patch ++++++
++++ 1812 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/grub2/0002-tpm2-Add-TPM-Software-Stack-TSS.patch
++++ and 
/work/SRC/openSUSE:Factory/.grub2.new.1880/0002-tpm2-Add-TPM-Software-Stack-TSS.patch

++++++ 0003-cryptodisk-wipe-out-the-cached-keys-from-protectors.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.441962302 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.445962447 +0200
@@ -1,4 +1,4 @@
-From 64494ffc442a5de05b237ad48d27c70d22849a44 Mon Sep 17 00:00:00 2001
+From 370e435b6ada53314888f04dcd8f096fc11cfadb Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Thu, 3 Aug 2023 15:52:52 +0800
 Subject: [PATCH 3/4] cryptodisk: wipe out the cached keys from protectors
@@ -9,16 +9,18 @@
 the attacker could dump the memory to retrieve the secret key. To defend
 such attack, wipe out the cached key when we don't need it.
 
+Cc: Fabian Vogt <fv...@suse.com>
 Signed-off-by: Gary Lin <g...@suse.com>
+Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
 ---
  grub-core/disk/cryptodisk.c | 6 +++++-
  1 file changed, 5 insertions(+), 1 deletion(-)
 
 diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
-index cf37a0934..f42437f4e 100644
+index f9842f776..aa0d43562 100644
 --- a/grub-core/disk/cryptodisk.c
 +++ b/grub-core/disk/cryptodisk.c
-@@ -1348,7 +1348,11 @@ grub_cryptodisk_clear_key_cache (struct 
grub_cryptomount_args *cargs)
+@@ -1355,7 +1355,11 @@ grub_cryptodisk_clear_key_cache (struct 
grub_cryptomount_args *cargs)
      return;
  
    for (i = 0; cargs->protectors[i]; i++)

++++++ 0003-key_protector-Add-TPM2-Key-Protector.patch ++++++
++++ 2264 lines (skipped)

++++++ 0004-cryptodisk-Support-key-protectors.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.489964041 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.493964186 +0200
@@ -1,42 +1,50 @@
-From 9888bf40d960339a59dc18fb6e1df5f65b4668e3 Mon Sep 17 00:00:00 2001
+From 7ce7b7889ce73174a0d8091978254ecf2d2e205f Mon Sep 17 00:00:00 2001
 From: Hernan Gatta <hega...@linux.microsoft.com>
 Date: Tue, 1 Feb 2022 05:02:56 -0800
-Subject: [PATCH 13/14] cryptodisk: Support key protectors
+Subject: [PATCH 4/5] cryptodisk: Support key protectors
 
-Add a new parameter to cryptomount to support the key protectors framework: -k.
+Add a new parameter to cryptomount to support the key protectors framework: -P.
 The parameter is used to automatically retrieve a key from specified key
 protectors. The parameter may be repeated to specify any number of key
 protectors. These are tried in order until one provides a usable key for any
 given disk.
 
-Signed-off-by: <Hernan Gatta hega...@linux.microsoft.com>
+Signed-off-by: Hernan Gatta <hega...@linux.microsoft.com>
+Signed-off-by: Michael Chang <mch...@suse.com>
+Signed-off-by: Gary Lin <g...@suse.com>
+Reviewed-by: Glenn Washburn <developm...@efficientek.com>
+Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
 ---
  Makefile.util.def           |   1 +
- grub-core/disk/cryptodisk.c | 166 +++++++++++++++++++++++++++++-------
- include/grub/cryptodisk.h   |  14 +++
- 3 files changed, 151 insertions(+), 30 deletions(-)
+ grub-core/disk/cryptodisk.c | 172 +++++++++++++++++++++++++++++-------
+ include/grub/cryptodisk.h   |  16 ++++
+ 3 files changed, 158 insertions(+), 31 deletions(-)
 
+diff --git a/Makefile.util.def b/Makefile.util.def
+index 3b9435307..252d70af2 100644
 --- a/Makefile.util.def
 +++ b/Makefile.util.def
-@@ -35,6 +35,7 @@
-   common = grub-core/kern/list.c;
-   common = grub-core/kern/misc.c;
-   common = grub-core/kern/partition.c;
-+  common = grub-core/kern/protectors.c;
-   common = grub-core/lib/crypto.c;
-   common = grub-core/lib/json/json.c;
+@@ -40,6 +40,7 @@ library = {
    common = grub-core/disk/luks.c;
+   common = grub-core/disk/luks2.c;
+   common = grub-core/disk/geli.c;
++  common = grub-core/disk/key_protector.c;
+   common = grub-core/disk/cryptodisk.c;
+   common = grub-core/disk/AFSplitter.c;
+   common = grub-core/lib/pbkdf2.c;
+diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
+index 2246af51b..b7648ffb7 100644
 --- a/grub-core/disk/cryptodisk.c
 +++ b/grub-core/disk/cryptodisk.c
 @@ -26,6 +26,7 @@
  #include <grub/file.h>
  #include <grub/procfs.h>
  #include <grub/partition.h>
-+#include <grub/protector.h>
++#include <grub/key_protector.h>
  
  #ifdef GRUB_UTIL
  #include <grub/emu/hostdisk.h>
-@@ -44,7 +45,8 @@
+@@ -44,7 +45,8 @@ enum
      OPTION_KEYFILE,
      OPTION_KEYFILE_OFFSET,
      OPTION_KEYFILE_SIZE,
@@ -46,7 +54,7 @@
    };
  
  static const struct grub_arg_option options[] =
-@@ -58,6 +60,8 @@
+@@ -58,6 +60,8 @@ static const struct grub_arg_option options[] =
      {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, 
ARG_TYPE_INT},
      {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, 
ARG_TYPE_INT},
      {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
@@ -55,7 +63,7 @@
      {0, 0, 0, 0, 0, 0}
    };
  
-@@ -1061,6 +1065,7 @@
+@@ -1061,6 +1065,7 @@ grub_cryptodisk_scan_device_real (const char *name,
    grub_err_t ret = GRUB_ERR_NONE;
    grub_cryptodisk_t dev;
    grub_cryptodisk_dev_t cr;
@@ -63,7 +71,7 @@
    struct cryptodisk_read_hook_ctx read_hook_data = {0};
    int askpass = 0;
    char *part = NULL;
-@@ -1113,41 +1118,112 @@
+@@ -1113,41 +1118,112 @@ grub_cryptodisk_scan_device_real (const char *name,
        goto error_no_close;
      if (!dev)
        continue;
@@ -84,13 +92,7 @@
 -      cargs->key_data = grub_malloc (GRUB_CRYPTODISK_MAX_PASSPHRASE);
 -      if (cargs->key_data == NULL)
 -        goto error_no_close;
-+  if (dev == NULL)
-+    {
-+      grub_error (GRUB_ERR_BAD_MODULE,
-+                "no cryptodisk module can handle this device");
-+      goto error_no_close;
-+    }
- 
+-
 -      if (!grub_password_get ((char *) cargs->key_data, 
GRUB_CRYPTODISK_MAX_PASSPHRASE))
 -        {
 -          grub_error (GRUB_ERR_BAD_ARGUMENT, "passphrase not supplied");
@@ -98,16 +100,23 @@
 -        }
 -      cargs->key_len = grub_strlen ((char *) cargs->key_data);
 -      }
++  if (dev == NULL)
++    {
++      grub_error (GRUB_ERR_BAD_MODULE,
++                "no cryptodisk module can handle this device");
++      goto error_no_close;
++    }
+ 
+-    ret = cr->recover_key (source, dev, cargs);
+-    if (ret != GRUB_ERR_NONE)
+-      goto error;
 +  if (cargs->protectors)
 +    {
 +      for (i = 0; cargs->protectors[i]; i++)
 +      {
 +        if (cargs->key_cache[i].invalid)
 +          continue;
- 
--    ret = cr->recover_key (source, dev, cargs);
--    if (ret != GRUB_ERR_NONE)
--      goto error;
++
 +        if (cargs->key_cache[i].key == NULL)
 +          {
 +            ret = grub_key_protector_recover_key (cargs->protectors[i],
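Review bot: The key returned by `grub_key_protector_recover_key` is kept in `cargs->key_cache[i].key` and reused for every device the scan visits (the `key == NULL` test only calls the protector once per protector), so the unsealed secret lives in cargs for the whole iteration rather than for one device; the hunk does not show where that cached key is zeroed and freed, and the single line the later inner hunk adds after `found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);` is outside the visible context. If the wipe happens there, a comment on the `key_cache` field in include/grub/cryptodisk.h stating that the caller of grub_device_iterate owns the cached keys and must clear them would make the lifetime explicit; if it does not, the cache should be wiped (grub_memset before grub_free) once the iteration returns, on both the found and not-found paths. This hunk is a reorder of the same inner lines, and `grub_cryptodisk_scan_device_real` begins and ends outside it.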
@@ -146,16 +155,16 @@
 +                           cargs->protectors[i], source->name,
 +                           source->partition != NULL ? "," : "",
 +                           part != NULL ? part : N_("UNKNOWN"), dev->uuid);
-+             grub_free (part);
-+             continue;
++            grub_free (part);
++            continue;
++          }
++        else
++          {
++            ret = grub_cryptodisk_insert (dev, name, source);
++            if (ret != GRUB_ERR_NONE)
++              goto error;
++            goto cleanup;
 +          }
-+       else
-+         {
-+           ret = grub_cryptodisk_insert (dev, name, source);
-+           if (ret != GRUB_ERR_NONE)
-+             goto error;
-+           goto cleanup;
-+         }
 +      }
  
 -    ret = grub_cryptodisk_insert (dev, name, source);
@@ -205,7 +214,7 @@
    goto cleanup;
  
   error:
-@@ -1258,6 +1334,20 @@
+@@ -1259,6 +1335,20 @@ grub_cryptodisk_scan_device (const char *name,
    return ret;
  }
  
@@ -226,7 +235,7 @@
  static grub_err_t
  grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
  {
-@@ -1270,6 +1360,10 @@
+@@ -1271,6 +1361,10 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
    if (grub_cryptodisk_list == NULL)
      return grub_error (GRUB_ERR_BAD_MODULE, "no cryptodisk modules loaded");
  
@@ -237,7 +246,7 @@
    if (state[OPTION_PASSWORD].set) /* password */
      {
        cargs.key_data = (grub_uint8_t *) state[OPTION_PASSWORD].arg;
-@@ -1362,6 +1456,15 @@
+@@ -1363,6 +1457,15 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
        return grub_errno;
      }
  
@@ -253,7 +262,7 @@
    if (state[OPTION_UUID].set) /* uuid */
      {
        int found_uuid;
-@@ -1370,6 +1473,7 @@
+@@ -1371,6 +1474,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
        dev = grub_cryptodisk_get_by_uuid (args[0]);
        if (dev)
        {
@@ -261,7 +270,7 @@
          grub_dprintf ("cryptodisk",
                        "already mounted as crypto%lu\n", dev->id);
          return GRUB_ERR_NONE;
-@@ -1378,6 +1482,7 @@
+@@ -1379,6 +1483,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
        cargs.check_boot = state[OPTION_BOOT].set;
        cargs.search_uuid = args[0];
        found_uuid = grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@@ -269,7 +278,7 @@
  
        if (found_uuid)
        return GRUB_ERR_NONE;
-@@ -1397,6 +1502,7 @@
+@@ -1398,6 +1503,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
      {
        cargs.check_boot = state[OPTION_BOOT].set;
        grub_device_iterate (&grub_cryptodisk_scan_device, &cargs);
@@ -277,7 +286,7 @@
        return GRUB_ERR_NONE;
      }
    else
-@@ -1420,6 +1526,7 @@
+@@ -1421,6 +1527,7 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
        disk = grub_disk_open (diskname);
        if (!disk)
        {
@@ -285,7 +294,7 @@
          if (disklast)
            *disklast = ')';
          return grub_errno;
-@@ -1430,12 +1537,14 @@
+@@ -1431,12 +1538,14 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int 
argc, char **args)
        {
          grub_dprintf ("cryptodisk", "already mounted as crypto%lu\n", 
dev->id);
          grub_disk_close (disk);
@@ -300,7 +309,7 @@
  
        grub_disk_close (disk);
        if (disklast)
-@@ -1576,6 +1685,7 @@
+@@ -1590,6 +1699,7 @@ GRUB_MOD_INIT (cryptodisk)
    cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
                              N_("[ [-p password] | [-k keyfile"
                                 " [-O keyoffset] [-S keysize] ] ] [-H file]"
@@ -308,9 +317,11 @@
                                 " <SOURCE|-u UUID|-a|-b>"),
                              N_("Mount a crypto device."), options);
    grub_procfs_register ("luks_script", &luks_script);
+diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h
+index d94df68b6..0b41e249e 100644
 --- a/include/grub/cryptodisk.h
 +++ b/include/grub/cryptodisk.h
-@@ -70,6 +70,18 @@
+@@ -70,6 +70,18 @@ typedef gcry_err_code_t
  (*grub_cryptodisk_rekey_func_t) (struct grub_cryptodisk *dev,
                                 grub_uint64_t zoneno);
  
@@ -329,7 +340,7 @@
  struct grub_cryptomount_args
  {
    /* scan: Flag to indicate that only bootable volumes should be decrypted */
-@@ -81,6 +93,10 @@
+@@ -81,6 +93,10 @@ struct grub_cryptomount_args
    /* recover_key: Length of key_data */
    grub_size_t key_len;
    grub_file_t hdr_file;
@@ -340,4 +351,7 @@
  };
  typedef struct grub_cryptomount_args *grub_cryptomount_args_t;
  
+-- 
+2.35.3
+
 

++++++ 0004-diskfilter-look-up-cryptodisk-devices-first.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:16.509964766 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:16.513964911 +0200
@@ -1,4 +1,4 @@
-From b7e2fb6a680447b7bb7eb18bb7570afa8d2b7f09 Mon Sep 17 00:00:00 2001
+From 91a99dffbe78b91a0c18b32ebecf755ba9d74032 Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Thu, 10 Aug 2023 10:19:29 +0800
 Subject: [PATCH 4/4] diskfilter: look up cryptodisk devices first
@@ -12,15 +12,15 @@
 
 Since the disk search order is based on the order of module loading, the
 attacker could insert a malicious disk with the same FS-UUID root to
-trick grub2 to boot into th malicious root and further dump memory to
+trick grub2 to boot into the malicious root and further dump memory to
 steal the unsealed key.
 
-To defend such attack, we can specify the hint provided by 'grub-probe'
-to search the encrypted partition first:
+Do defend against such an attack, we can specify the hint provided by
+'grub-probe' to search the encrypted partition first:
 
 search --fs-uuid --set=root --hint='cryptouuid/<PART-UUID>' <FS-UUID>
 
-However, for LVM on a encrypted partition, the search hint provided by
+However, for LVM on an encrypted partition, the search hint provided by
 'grub-probe' is:
 
   --hint='lvmid/<VG-UUID>/<LV-UUID>'
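Review bot: The reworded commit-message line on the new side reads `Do defend against such an attack, we can specify the hint provided by`, which introduces a new typo while fixing the old one; the intended word is "To", so the line should read `To defend against such an attack, we can specify the hint provided by`. The other replacements in this hunk ("th" to "the", "a encrypted" to "an encrypted") are correct.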
@@ -29,20 +29,22 @@
 partition, so the attacker may have the chance to fool grub2 to boot
 into the malicious disk.
 
-To mininize the attack surface, this commit tweaks the disk device search
+To minimize the attack surface, this commit tweaks the disk device search
 in diskfilter to look up cryptodisk devices first and then others, so
 that the auto-unlocked disk will be found first, not the attacker's disk.
 
+Cc: Fabian Vogt <fv...@suse.com>
 Signed-off-by: Gary Lin <g...@suse.com>
+Reviewed-by: Stefan Berger <stef...@linux.ibm.com>
 ---
  grub-core/disk/diskfilter.c | 35 ++++++++++++++++++++++++++---------
  1 file changed, 26 insertions(+), 9 deletions(-)
 
 diff --git a/grub-core/disk/diskfilter.c b/grub-core/disk/diskfilter.c
-index 61a311efd..94832c8dd 100644
+index 41e177549..c45bef1ca 100644
 --- a/grub-core/disk/diskfilter.c
 +++ b/grub-core/disk/diskfilter.c
-@@ -226,15 +226,32 @@ scan_devices (const char *arname)
+@@ -322,15 +322,32 @@ scan_devices (const char *arname)
    int need_rescan;
  
    for (pull = 0; pull < GRUB_DISK_PULL_MAX; pull++)

++++++ 0005-util-grub-protect-Add-new-tool.patch ++++++
++++ 771 lines (skipped)
++++ between 
/work/SRC/openSUSE:Factory/grub2/0005-util-grub-protect-Add-new-tool.patch
++++ and 
/work/SRC/openSUSE:Factory/.grub2.new.1880/0005-util-grub-protect-Add-new-tool.patch


++++++ grub2-bsc1220338-key_protector-implement-the-blocklist.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:17.574003331 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:17.654006230 +0200
@@ -1,4 +1,4 @@
-From 139dc1c2590683cb8c0c1c13424d2436b81bffb7 Mon Sep 17 00:00:00 2001
+From beb26b1be325ea55f3f9a230152d170a3faa85d5 Mon Sep 17 00:00:00 2001
 From: Gary Lin <g...@suse.com>
 Date: Mon, 18 Mar 2024 14:53:11 +0800
 Subject: [PATCH] key_protector: implement the blocklist
@@ -11,17 +11,17 @@
 
 Signed-off-by: Gary Lin <g...@suse.com>
 ---
- grub-core/kern/protectors.c | 31 +++++++++++++++++++++++++++++++
- include/grub/efi/api.h      |  5 +++++
+ grub-core/disk/key_protector.c | 31 +++++++++++++++++++++++++++++++
+ include/grub/efi/api.h         |  5 +++++
  2 files changed, 36 insertions(+)
 
-Index: grub-2.12/grub-core/kern/protectors.c
-===================================================================
---- grub-2.12.orig/grub-core/kern/protectors.c
-+++ grub-2.12/grub-core/kern/protectors.c
-@@ -21,6 +21,10 @@
- #include <grub/mm.h>
- #include <grub/protector.h>
+diff --git a/grub-core/disk/key_protector.c b/grub-core/disk/key_protector.c
+index b84afe1c7..3d630ca4f 100644
+--- a/grub-core/disk/key_protector.c
++++ b/grub-core/disk/key_protector.c
+@@ -24,6 +24,10 @@
+ 
+ GRUB_MOD_LICENSE ("GPLv3+");
  
 +#ifdef GRUB_MACHINE_EFI
 +#include <grub/efi/efi.h>
@@ -30,7 +30,7 @@
  struct grub_key_protector *grub_key_protectors = NULL;
  
  grub_err_t
-@@ -51,11 +55,34 @@ grub_key_protector_unregister (struct gr
+@@ -54,11 +58,34 @@ grub_key_protector_unregister (struct grub_key_protector 
*protector)
    return GRUB_ERR_NONE;
  }
  
@@ -65,7 +65,7 @@
  
    if (grub_key_protectors == NULL)
      return GRUB_ERR_OUT_OF_RANGE;
-@@ -71,5 +98,9 @@ grub_key_protector_recover_key (const ch
+@@ -74,5 +101,9 @@ grub_key_protector_recover_key (const char *protector, 
grub_uint8_t **key,
                          "Is the name spelled correctly and is the "
                          "corresponding module loaded?"), protector);
  
@@ -75,10 +75,10 @@
 +
    return kp->recover_key (key, key_size);
  }
-Index: grub-2.12/include/grub/efi/api.h
-===================================================================
---- grub-2.12.orig/include/grub/efi/api.h
-+++ grub-2.12/include/grub/efi/api.h
+diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
+index 7947cf592..975b90b09 100644
+--- a/include/grub/efi/api.h
++++ b/include/grub/efi/api.h
 @@ -389,6 +389,11 @@
        { 0x89, 0x29, 0x48, 0xbc, 0xd9, 0x0a, 0xd3, 0x1a } \
    }
@@ -91,4 +91,7 @@
  struct grub_efi_sal_system_table
  {
    grub_uint32_t signature;
+-- 
+2.35.3
+
 

++++++ grub2-fix-menu-in-xen-host-server.patch ++++++
--- /var/tmp/diff_new_pack.nMew8m/_old  2024-05-16 17:14:18.642042040 +0200
+++ /var/tmp/diff_new_pack.nMew8m/_new  2024-05-16 17:14:18.682043491 +0200
@@ -21,6 +21,11 @@
 the menu with multiple versions and also not include -dbg. Use custom.cfg
 if you need any other custom entries.
 
+v3:
+References: bsc#1224226
+Fix the error in /etc/grub.d/20_linux_xen where file_is_not_sym was not
+found, as it has been renamed to file_is_not_xen_garbage.
+
 ---
  util/grub-mkconfig_lib.in   |    5 +++++
  util/grub.d/10_linux.in     |   12 ++++++++++--
@@ -59,7 +64,7 @@
 +    # wildcard expasion with correct suffix (.gz) for not generating many 
duplicated menu entries
 +    xen_list=
 +    for i in /boot/xen*.gz; do
-+      if grub_file_is_not_garbage "$i" && file_is_not_sym "$i" ; then 
xen_list="$xen_list $i" ; fi
++      if grub_file_is_not_garbage "$i" && file_is_not_xen_garbage "$i" ; then 
xen_list="$xen_list $i" ; fi
 +    done
 +fi
  prepare_boot_cache=
