Re: [OE-core][master][kirkstone][PATCH v2] grub2: fix several CVEs
Any comments?

Thanks,
Yongxin

> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Yongxin Liu
> Sent: Friday, August 5, 2022 10:42
> To: richard.pur...@linuxfoundation.org; st...@sakoman.com; openembedded-
> c...@lists.openembedded.org
> Cc: MacLeod, Randy
> Subject: [OE-core][master][kirkstone][PATCH v2] grub2: fix several CVEs
>
> Backport CVE patches from upstream to fix:
> CVE-2021-3695
> CVE-2021-3696
> CVE-2021-3697
> CVE-2022-28733
> CVE-2022-28734
> CVE-2022-28735
>
> Backport the following 5 patches to make CVE patches be applied smoothly.
> video-Remove-trailing-whitespaces.patch
> video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
> video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
>
> Signed-off-by: Yongxin Liu
> ---
>
> V1->V2:
>
> Remove CVE-2022-28736 related patches.
> CVE-2022-28736 related patches conflict with some grub patches in
> meta-secure-core layers. So remove those patches.
> Until we find a better solution, just ignore CVE-2022-28736 for now.
>
> ---
> ...g-Drop-greyscale-support-to-fix-heap.patch | 179 +
> ...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++
> ...peg-Block-int-underflow-wild-pointer.patch | 84 +++
> ...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++
> ...or-out-on-headers-with-LF-without-CR.patch | 58 ++
> ...Fix-OOB-write-for-split-http-headers.patch | 56 ++
> ...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++
> .../video-Remove-trailing-whitespaces.patch | 693 ++
> ...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++
> ...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++
> meta/recipes-bsp/grub/grub2.inc | 10 +
> 11 files changed, 1621 insertions(+)
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video-
> readers-png-Drop-greyscale-support-to-fix-heap.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video-
> readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video-
> readers-jpeg-Block-int-underflow-wild-pointer.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-
> IP-fragment-maths-safely.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-
> Error-out-on-headers-with-LF-without-CR.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-
> Fix-OOB-write-for-split-http-headers.patch
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-
> sb-Reject-non-kernel-files-in-the-shim_lock.patch
> create mode 100644 meta/recipes-bsp/grub/files/video-Remove-trailing-
> whitespaces.patch
> create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-
> sooner-if-a-read-operation-.patch
> create
mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse- > to-handle-multiple-start-o.patch > > diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png- > Drop-greyscale-support-to-fix-heap.patch b/meta/recipes- > bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to- > fix-heap.patch > new file mode 100644 > index 00..7f7bb1acfe > --- /dev/null > +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop- > greyscale-support-to-fix-heap.patch > @@ -0,0 +1,179 @@ > +From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 > +From: Daniel Axtens > +Date: Tue, 6 Jul 2021 18:51:35 +1000 > +Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap > + out-of-bounds write > + > +A 16-bit greyscale PNG without alpha is processed in the following loop: > + > + for (i = 0; i < (data->image_width * data->image_height); > +i++, d1 += 4, d2 += 2) > + { > + d1[R3] = d2[1]; > + d1[G3] = d2[1]; > + d1[B3] = d2[1]; > + } > + > +The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, > +but there are only 3 bytes allocated for storage. This means that image > +data will overwrite somewhat-attacker-controlled parts of memory - 3 > bytes > +out of every 4 following the end of the image. > + > +This has existed since greyscale support was added in 2013 in commit > +3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). > + > +Saving starfield.png as a 16-bit greyscale image without alpha in the > gimp > +and attempting to load it causes grub-emu to crash - I don't think this > code > +has ever worked. > + > +Delete all PNG greyscale support. > + > +Fixes: CVE-2021-36
[OE-core][master][kirkstone][PATCH v2] grub2: fix several CVEs
Backport CVE patches from upstream to fix:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
CVE-2022-28735

Backport the following 5 patches to make CVE patches be applied smoothly.
video-Remove-trailing-whitespaces.patch
video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
Signed-off-by: Yongxin Liu
---

V1->V2:

Remove CVE-2022-28736 related patches.
CVE-2022-28736 related patches conflict with some grub patches in
meta-secure-core layers. So remove those patches.
Until we find a better solution, just ignore CVE-2022-28736 for now.

---
...g-Drop-greyscale-support-to-fix-heap.patch | 179 +
...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++
...peg-Block-int-underflow-wild-pointer.patch | 84 +++
...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++
...or-out-on-headers-with-LF-without-CR.patch | 58 ++
...Fix-OOB-write-for-split-http-headers.patch | 56 ++
...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++
.../video-Remove-trailing-whitespaces.patch | 693 ++
...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++
...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++
meta/recipes-bsp/grub/grub2.inc | 10 +
11 files changed, 1621 insertions(+)
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch
create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch
create mode 100644 meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch
create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch new file mode 100644 index 00..7f7bb1acfe --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch 
@@ -0,0 +1,179 @@ +From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 6 Jul 2021 18:51:35 +1000 +Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap + out-of-bounds write + +A 16-bit greyscale PNG without alpha is processed in the following loop: + + for (i = 0; i < (data->image_width * data->image_height); + i++, d1 += 4, d2 += 2) + { + d1[R3] = d2[1]; + d1[G3] = d2[1]; + d1[B3] = d2[1]; + } + +The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, +but there are only 3 bytes allocated for storage. This means that image +data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes +out of every 4 following the end of the image. + +This has existed since greyscale support was added in 2013 in commit +3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). + +Saving starfield.png as a 16-bit greyscale image without alpha in the gimp +and attempting to load it causes grub-emu to crash - I don't think this code +has ever worked. + +Delete all PNG greyscale support. 
+ +Fixes: CVE-2021-3695 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport +CVE: CVE-2021-3695 + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08 + +Signed-off-by: Yongxin Liu +--- + grub-core/video/readers/png.c | 87 +++ + 1 file changed, 7 insertions(+), 80 deletions(-) + +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 35ae553c8..a3161e25b 100644 +--- a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +@@ -100,7 +100,7 @@ struct grub_png_data + + unsigned image_width, image_height; + int bpp, is_16bit; +- int raw_bytes, is_gray, is_alpha, is_palette; ++ int raw_bytes, is_alpha, is_palette; + int row_bytes, color_bits; + grub_uint8_t *image_data; + +@@ -296,13 +296,13 @@ grub_png_decode_image_header (struct grub_png_data *data) + data->bp
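Review bot: the commit message still says "Backport the following 5 patches" but this v2 lists only three prerequisite patches, since loader-efi-chainloader-Simplify-the-loader-state.patch and commands-boot-Add-API-to-pass-context-to-loader.patch were dropped together with the CVE-2022-28736 fix; the count should read 3. The decision to leave CVE-2022-28736 unfixed is also recorded only in the V1->V2 notes below the `---` line, which do not become part of the commit, so a sentence about it in the commit message itself would keep the open CVE visible in the history of grub2.inc.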
Re: [OE-core][PATCH] grub2: fix several CVEs
Withdraw this patch.

The changes made in the following three patches conflict with some patches in meta-secure-core layer.

loader-efi-chainloader-Simplify-the-loader-state.patch
commands-boot-Add-API-to-pass-context-to-loader.patch
CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch

Will send V2.

Thanks,
Yongxin

> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Yongxin Liu
> Sent: Thursday, July 28, 2022 10:08
> To: richard.pur...@linuxfoundation.org; openembedded-
> c...@lists.openembedded.org
> Subject: [OE-core][PATCH] grub2: fix several CVEs
>
> Backport CVE patches from upstream to fix:
> CVE-2021-3695
> CVE-2021-3696
> CVE-2021-3697
> CVE-2022-28733
> CVE-2022-28734
> CVE-2022-28735
> CVE-2022-28736
>
> Backport the following 5 patches to make CVE patches be applied smoothly.
> video-Remove-trailing-whitespaces.patch
> video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
> video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
> loader-efi-chainloader-Simplify-the-loader-state.patch
> commands-boot-Add-API-to-pass-context-to-loader.patch
> > Signed-off-by: Yongxin Liu > --- > ...g-Drop-greyscale-support-to-fix-heap.patch | 179 + > ...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++ > ...peg-Block-int-underflow-wild-pointer.patch | 84 +++ > ...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++ > ...or-out-on-headers-with-LF-without-CR.patch | 58 ++ > ...Fix-OOB-write-for-split-http-headers.patch | 56 ++ > ...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++ > ...i-chainloader-Use-grub_loader_set_ex.patch | 86 +++ > ...ot-Add-API-to-pass-context-to-loader.patch | 168 + > ...hainloader-Simplify-the-loader-state.patch | 129 > .../video-Remove-trailing-whitespaces.patch | 693 ++ > ...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++ > ...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++ > meta/recipes-bsp/grub/grub2.inc | 13 + > 14 files changed, 2007 insertions(+) > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video- > readers-png-Drop-greyscale-support-to-fix-heap.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video- > readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video- > readers-jpeg-Block-int-underflow-wild-pointer.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do- > IP-fragment-maths-safely.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > Error-out-on-headers-with-LF-without-CR.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > Fix-OOB-write-for-split-http-headers.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi- > sb-Reject-non-kernel-files-in-the-shim_lock.patch > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi- > chainloader-Use-grub_loader_set_ex.patch > create mode 100644 meta/recipes-bsp/grub/files/commands-boot-Add-API-to- > pass-context-to-loader.patch > create mode 100644 meta/recipes-bsp/grub/files/loader-efi-chainloader- > 
Simplify-the-loader-state.patch > create mode 100644 meta/recipes-bsp/grub/files/video-Remove-trailing- > whitespaces.patch > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Abort- > sooner-if-a-read-operation-.patch > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse- > to-handle-multiple-start-o.patch > > diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png- > Drop-greyscale-support-to-fix-heap.patch b/meta/recipes- > bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to- > fix-heap.patch > new file mode 100644 > index 00..7f7bb1acfe > --- /dev/null > +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop- > greyscale-support-to-fix-heap.patch > @@ -0,0 +1,179 @@ > +From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 > +From: Daniel Axtens > +Date: Tue, 6 Jul 2021 18:51:35 +1000 > +Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap > + out-of-bounds write > + > +A 16-bit greyscale PNG without alpha is processed in the following loop: > + > + for (i = 0; i < (data->image_width * data->image_height); > +i++, d1 += 4, d2 += 2) > + { > + d1[R3] = d2[1]; > + d1[G3] = d2[1]; > + d1[B3] = d2[1]; > + } > + > +The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, > +but there are only 3 bytes allocated for stora
Re: [OE-core][PATCH] grub2: fix several CVEs -- Also applies to kirkstone
> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Yongxin Liu
> Sent: Friday, July 29, 2022 20:48
> To: MacLeod, Randy ; openembedded-
> c...@lists.openembedded.org; st...@sakoman.com
> Subject: Re: [OE-core][PATCH] grub2: fix several CVEs -- Also applies to
> kirkstone
>
> Well, this patch cannot be applied to kirkstone directly. Need some context
> change.
> After it is accepted by master, I will send a cherry-picked one to kirkstone.

Sorry, I took the wrong branch. It CAN be applied to kirkstone directly.
Please ignore my previous email.

Yongxin

>
> Thanks,
> Yongxin
>
> > -Original Message-
> > From: MacLeod, Randy
> > Sent: Friday, July 29, 2022 20:37
> > To: Liu, Yongxin ; openembedded-
> > c...@lists.openembedded.org; st...@sakoman.com
> > Subject: Re: [OE-core][PATCH] grub2: fix several CVEs -- Also applies to
> > kirkstone
> >
> > Steve,
> >
> > Please bring these back to kirkstone as well.
> > They apply to that branch and I think that Yongxin tested there as well.
> > ../Randy
> >
> > On 2022-07-27 22:08, Yongxin Liu wrote:
> > > Backport CVE patches from upstream to fix:
> > >CVE-2021-3695
> > >CVE-2021-3696
> > >CVE-2021-3697
> > >CVE-2022-28733
> > >CVE-2022-28734
> > >CVE-2022-28735
> > >CVE-2022-28736
> > >
> > > Backport the following 5 patches to make CVE patches be applied smoothly.
> > >video-Remove-trailing-whitespaces.patch > > >video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch > > >video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch > > >loader-efi-chainloader-Simplify-the-loader-state.patch > > >commands-boot-Add-API-to-pass-context-to-loader.patch > > > > > > Signed-off-by: Yongxin Liu > > > --- > > > ...g-Drop-greyscale-support-to-fix-heap.patch | 179 + > > > ...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++ > > > ...peg-Block-int-underflow-wild-pointer.patch | 84 +++ > > > ...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++ > > > ...or-out-on-headers-with-LF-without-CR.patch | 58 ++ > > > ...Fix-OOB-write-for-split-http-headers.patch | 56 ++ > > > ...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++ > > > ...i-chainloader-Use-grub_loader_set_ex.patch | 86 +++ > > > ...ot-Add-API-to-pass-context-to-loader.patch | 168 + > > > ...hainloader-Simplify-the-loader-state.patch | 129 > > > .../video-Remove-trailing-whitespaces.patch | 693 ++ > > > ...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++ > > > ...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++ > > > meta/recipes-bsp/grub/grub2.inc | 13 + > > > 14 files changed, 2007 insertions(+) > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video- > > readers-png-Drop-greyscale-support-to-fix-heap.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video- > > readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video- > > readers-jpeg-Block-int-underflow-wild-pointer.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip- > Do- > > IP-fragment-maths-safely.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > > Error-out-on-headers-with-LF-without-CR.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > > Fix-OOB-write-for-split-http-headers.patch > > > create mode 100644 
meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi- > > sb-Reject-non-kernel-files-in-the-shim_lock.patch > > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736-loader- > efi- > > chainloader-Use-grub_loader_set_ex.patch > > > create mode 100644 meta/recipes-bsp/grub/files/commands-boot-Add-API- > to- > > pass-context-to-loader.patch > > > create mode 100644 meta/recipes-bsp/grub/files/loader-efi-chainloader- > > Simplify-the-loader-state.patch > > > create mode 100644 meta/recipes-bsp/grub/files/video-Remove-trailing- > > whitespaces.patch > > > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg- > Abort- > > sooner-if-a-read-operation-.patch > > > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg- > Refuse- > >
Re: [OE-core][PATCH] grub2: fix several CVEs -- Also applies to kirkstone
Well, this patch cannot be applied to kirkstone directly. Need some context change.
After it is accepted by master, I will send a cherry-picked one to kirkstone.

Thanks,
Yongxin

> -Original Message-
> From: MacLeod, Randy
> Sent: Friday, July 29, 2022 20:37
> To: Liu, Yongxin ; openembedded-
> c...@lists.openembedded.org; st...@sakoman.com
> Subject: Re: [OE-core][PATCH] grub2: fix several CVEs -- Also applies to
> kirkstone
>
> Steve,
>
> Please bring these back to kirkstone as well.
> They apply to that branch and I think that Yongxin tested there as well.
> ../Randy
>
> On 2022-07-27 22:08, Yongxin Liu wrote:
> > Backport CVE patches from upstream to fix:
> >CVE-2021-3695
> >CVE-2021-3696
> >CVE-2021-3697
> >CVE-2022-28733
> >CVE-2022-28734
> >CVE-2022-28735
> >CVE-2022-28736
> >
> > Backport the following 5 patches to make CVE patches be applied smoothly.
> >video-Remove-trailing-whitespaces.patch
> >video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
> >video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
> >loader-efi-chainloader-Simplify-the-loader-state.patch
> >commands-boot-Add-API-to-pass-context-to-loader.patch
> > > > Signed-off-by: Yongxin Liu > > --- > > ...g-Drop-greyscale-support-to-fix-heap.patch | 179 + > > ...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++ > > ...peg-Block-int-underflow-wild-pointer.patch | 84 +++ > > ...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++ > > ...or-out-on-headers-with-LF-without-CR.patch | 58 ++ > > ...Fix-OOB-write-for-split-http-headers.patch | 56 ++ > > ...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++ > > ...i-chainloader-Use-grub_loader_set_ex.patch | 86 +++ > > ...ot-Add-API-to-pass-context-to-loader.patch | 168 + > > ...hainloader-Simplify-the-loader-state.patch | 129 > > .../video-Remove-trailing-whitespaces.patch | 693 ++ > > ...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++ > > ...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++ > > meta/recipes-bsp/grub/grub2.inc | 13 + > > 14 files changed, 2007 insertions(+) > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video- > readers-png-Drop-greyscale-support-to-fix-heap.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video- > readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video- > readers-jpeg-Block-int-underflow-wild-pointer.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do- > IP-fragment-maths-safely.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > Error-out-on-headers-with-LF-without-CR.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http- > Fix-OOB-write-for-split-http-headers.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi- > sb-Reject-non-kernel-files-in-the-shim_lock.patch > > create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi- > chainloader-Use-grub_loader_set_ex.patch > > create mode 100644 meta/recipes-bsp/grub/files/commands-boot-Add-API-to- > pass-context-to-loader.patch > > create mode 100644 
meta/recipes-bsp/grub/files/loader-efi-chainloader- > Simplify-the-loader-state.patch > > create mode 100644 meta/recipes-bsp/grub/files/video-Remove-trailing- > whitespaces.patch > > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Abort- > sooner-if-a-read-operation-.patch > > create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse- > to-handle-multiple-start-o.patch > > > > diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png- > Drop-greyscale-support-to-fix-heap.patch b/meta/recipes-bsp/grub/files/CVE- > 2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch > > new file mode 100644 > > index 00..7f7bb1acfe > > --- /dev/null > > +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop- > greyscale-support-to-fix-heap.patch > > @@ -0,0 +1,179 @@ > > +From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 > > +From: Daniel Axtens > > +Date: Tue, 6 Jul 2021 18:51:35 +1000 > > +Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap > > + out-of-bounds write > > + > > +A 16-bit greyscale PNG without alpha is processed in the following loop: > > + > > + for
[OE-core][PATCH] grub2: fix several CVEs
Backport CVE patches from upstream to fix:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
CVE-2022-28735
CVE-2022-28736

Backport the following 5 patches to make CVE patches be applied smoothly.
video-Remove-trailing-whitespaces.patch
video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch
video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch
loader-efi-chainloader-Simplify-the-loader-state.patch
commands-boot-Add-API-to-pass-context-to-loader.patch
Signed-off-by: Yongxin Liu --- ...g-Drop-greyscale-support-to-fix-heap.patch | 179 + ...ng-Avoid-heap-OOB-R-W-inserting-huff.patch | 50 ++ ...peg-Block-int-underflow-wild-pointer.patch | 84 +++ ...3-net-ip-Do-IP-fragment-maths-safely.patch | 63 ++ ...or-out-on-headers-with-LF-without-CR.patch | 58 ++ ...Fix-OOB-write-for-split-http-headers.patch | 56 ++ ...ct-non-kernel-files-in-the-shim_lock.patch | 111 +++ ...i-chainloader-Use-grub_loader_set_ex.patch | 86 +++ ...ot-Add-API-to-pass-context-to-loader.patch | 168 + ...hainloader-Simplify-the-loader-state.patch | 129 .../video-Remove-trailing-whitespaces.patch | 693 ++ ...eg-Abort-sooner-if-a-read-operation-.patch | 264 +++ ...eg-Refuse-to-handle-multiple-start-o.patch | 53 ++ meta/recipes-bsp/grub/grub2.inc | 13 + 14 files changed, 2007 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3696-video-readers-png-Avoid-heap-OOB-R-W-inserting-huff.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3697-video-readers-jpeg-Block-int-underflow-wild-pointer.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28733-net-ip-Do-IP-fragment-maths-safely.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Error-out-on-headers-with-LF-without-CR.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28734-net-http-Fix-OOB-write-for-split-http-headers.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28735-kern-efi-sb-Reject-non-kernel-files-in-the-shim_lock.patch create mode 100644 meta/recipes-bsp/grub/files/CVE-2022-28736-loader-efi-chainloader-Use-grub_loader_set_ex.patch create mode 100644 meta/recipes-bsp/grub/files/commands-boot-Add-API-to-pass-context-to-loader.patch create mode 100644 meta/recipes-bsp/grub/files/loader-efi-chainloader-Simplify-the-loader-state.patch create mode 100644 
meta/recipes-bsp/grub/files/video-Remove-trailing-whitespaces.patch create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Abort-sooner-if-a-read-operation-.patch create mode 100644 meta/recipes-bsp/grub/files/video-readers-jpeg-Refuse-to-handle-multiple-start-o.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch new file mode 100644 index 00..7f7bb1acfe --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3695-video-readers-png-Drop-greyscale-support-to-fix-heap.patch 
@@ -0,0 +1,179 @@ +From e623866d9286410156e8b9d2c82d6253a1b22d08 Mon Sep 17 00:00:00 2001 +From: Daniel Axtens +Date: Tue, 6 Jul 2021 18:51:35 +1000 +Subject: [PATCH] video/readers/png: Drop greyscale support to fix heap + out-of-bounds write + +A 16-bit greyscale PNG without alpha is processed in the following loop: + + for (i = 0; i < (data->image_width * data->image_height); + i++, d1 += 4, d2 += 2) + { + d1[R3] = d2[1]; + d1[G3] = d2[1]; + d1[B3] = d2[1]; + } + +The increment of d1 is wrong. d1 is incremented by 4 bytes per iteration, +but there are only 3 bytes allocated for storage. This means that image +data will overwrite somewhat-attacker-controlled parts of memory - 3 bytes +out of every 4 following the end of the image. + +This has existed since greyscale support was added in 2013 in commit +3ccf16dff98f (grub-core/video/readers/png.c: Support grayscale). + +Saving starfield.png as a 16-bit greyscale image without alpha in the gimp +and attempting to load it causes grub-emu to crash - I don't think this code +has ever worked. + +Delete all PNG greyscale support. + +Fixes: CVE-2021-3695 + +Signed-off-by: Daniel Axtens +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport +CVE: CVE-2021-3695 + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=e623866d9286410156e8b9d2c82d6253a1b22d08 + +Signed-off-by: Yongxin Liu +--- + grub-core/video/readers/png.c | 87 +++ + 1 file changed, 7 insertions(+), 80 deletions(-) + +diff --git a/grub-core/video/readers/png.c b/grub-core/video/readers/png.c +index 35ae553c8..a3161e25b 100644 +--- a/grub-core/video/readers/png.c b/grub-core/video/read
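Review bot: the embedded upstream commit ends with "Delete all PNG greyscale support" (7 insertions, 80 deletions in grub-core/video/readers/png.c), which is a behaviour change as well as a fix, yet the OE-core commit message only lists CVE numbers. Suggest adding a line there saying that greyscale PNG images can no longer be loaded by GRUB after this backport, so that anyone whose image stops rendering can trace it to this change.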
Re: [OE-core][PATCH] grub2: fix CVE-2021-3981
> -Original Message-
> From: Richard Purdie
> Sent: Thursday, January 6, 2022 21:31
> To: Liu, Yongxin ; openembedded-
> c...@lists.openembedded.org
> Cc: MacLeod, Randy ; Mittal, Anuj
>
> Subject: Re: [OE-core][PATCH] grub2: fix CVE-2021-3981
>
> On Thu, 2022-01-06 at 02:38 +, Liu, Yongxin wrote:
> > Hi Richard,
> >
> > I saw this patch has been merged to master.
> >
> > Could you help to merge this patch and
> >
> > commit 0f528608eb48809955b2610ecc4bd689f1cf8899
> > Author: Alexander Kanavin
> > Date: 2021-06-15 10:12
> >
> > grub: upgrade 2.04+2.06~rc1 -> 2.06
> >
> > Signed-off-by: Alexander Kanavin
> > Signed-off-by: Richard Purdie
> >
> > to branch hardknott also? Or do I need to send those patches again for
> hardknott?
>
> Anuj (cc'd) is the hardknott maintainer who would handle this, not me. We
> generally don't do version increments for stable releases unless there is a
> strong pressing need to do so, particularly on a branch which is nearly out
> of its maintenance window.

Thanks Richard for your explanation.
The upgrade patch is not a must-have.

@Mittal, Anuj

Could you help to cherry pick the following patch from master to branch hardknott?

commit bb554d14142f93c39fd1516a31757006531c348f
Author: Yongxin Liu
Date: 2021-12-27 14:54

grub2: fix CVE-2021-3981

Signed-off-by: Yongxin Liu
Signed-off-by: Richard Purdie

Thanks,
Yongxin

>
> Cheers,
>
> Richard
Re: [OE-core][PATCH] grub2: fix CVE-2021-3981
Hi Richard,

I saw this patch has been merged to master.

Could you help to merge this patch and

commit 0f528608eb48809955b2610ecc4bd689f1cf8899
Author: Alexander Kanavin
Date: 2021-06-15 10:12

grub: upgrade 2.04+2.06~rc1 -> 2.06

Signed-off-by: Alexander Kanavin
Signed-off-by: Richard Purdie

to branch hardknott also? Or do I need to send those patches again for hardknott?

Thanks,
Yongxin

> -Original Message-
> From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Yongxin Liu
> Sent: Monday, December 27, 2021 14:55
> To: richard.pur...@linuxfoundation.org; openembedded-
> c...@lists.openembedded.org
> Subject: [OE-core][PATCH] grub2: fix CVE-2021-3981
>
> Signed-off-by: Yongxin Liu
> ---
> ...onfig-Restore-umask-for-the-grub.cfg.patch | 49 +++
> meta/recipes-bsp/grub/grub2.inc | 1 +
> 2 files changed, 50 insertions(+)
> create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981-grub-
> mkconfig-Restore-umask-for-the-grub.cfg.patch
>
> diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig- > Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE- > 2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch > new file mode 100644 > index 00..dae26fd8bb > --- /dev/null > +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-um > +++ ask-for-the-grub.cfg.patch
> @@ -0,0 +1,49 @@ > +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 > +From: Michael Chang > +Date: Fri, 3 Dec 2021 16:13:28 +0800 > +Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg > + > +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating > +configuration by grub-mkconfig) has inadvertently discarded umask for > +creating grub.cfg in the process of running grub-mkconfig. The > +resulting wrong permission (0644) would allow unprivileged users to > +read GRUB configuration file content. This presents a low > +confidentiality risk as grub.cfg may contain non-secured plain-text > passwords. > + > +This patch restores the missing umask and sets the creation file mode > +to 0600 preventing unprivileged access. > + > +Fixes: CVE-2021-3981 > + > +Signed-off-by: Michael Chang > +Reviewed-by: Daniel Kiper > + > +Upstream-Status: Backport > +CVE: CVE-2021-3981 > + > +Reference to upstream patch: > +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec296745610347 > +71c13e446069b41ef41e4d4 > + > +Signed-off-by: Yongxin Liu > +--- > + util/grub-mkconfig.in | 3 +++ > + 1 file changed, 3 insertions(+) > + > +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in index > +c3ea7612e..62335d027 100644 > +--- a/util/grub-mkconfig.in > b/util/grub-mkconfig.in > +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report > with > + exit 1 > + else > + # none of the children aborted with error, install the new > +grub.cfg > ++oldumask=$(umask) > ++umask 077 > + cat ${grub_cfg}.new > ${grub_cfg} > ++umask $oldumask > + rm -f ${grub_cfg}.new > + fi > + fi > +-- > +2.31.1 > + > diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes- > bsp/grub/grub2.inc index bb791347dc..a72a562c5a 100644 > --- a/meta/recipes-bsp/grub/grub2.inc > +++ b/meta/recipes-bsp/grub/grub2.inc 
> @@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ > file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ > file://determinism.patch \ > file://0001-RISC-V-Restore-the-typcast-to-long.patch \ > + > + file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patc > + h \ > " > > SRC_URI[sha256sum] = > "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" > -- > 2.31.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160222): https://lists.openembedded.org/g/openembedded-core/message/160222 Mute This Topic: https://lists.openembedded.org/mt/87974226/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][PATCH] grub2: fix CVE-2021-3981
Signed-off-by: Yongxin Liu --- ...onfig-Restore-umask-for-the-grub.cfg.patch | 49 +++ meta/recipes-bsp/grub/grub2.inc | 1 + 2 files changed, 50 insertions(+) create mode 100644 meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch diff --git a/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch new file mode 100644 index 00..dae26fd8bb --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch 
@@ -0,0 +1,49 @@ +From 0adec29674561034771c13e446069b41ef41e4d4 Mon Sep 17 00:00:00 2001 +From: Michael Chang +Date: Fri, 3 Dec 2021 16:13:28 +0800 +Subject: [PATCH] grub-mkconfig: Restore umask for the grub.cfg + +The commit ab2e53c8a (grub-mkconfig: Honor a symlink when generating +configuration by grub-mkconfig) has inadvertently discarded umask for +creating grub.cfg in the process of running grub-mkconfig. The resulting +wrong permission (0644) would allow unprivileged users to read GRUB +configuration file content. This presents a low confidentiality risk +as grub.cfg may contain non-secured plain-text passwords. + +This patch restores the missing umask and sets the creation file mode +to 0600 preventing unprivileged access. + +Fixes: CVE-2021-3981 + +Signed-off-by: Michael Chang +Reviewed-by: Daniel Kiper + +Upstream-Status: Backport +CVE: CVE-2021-3981 + +Reference to upstream patch: +https://git.savannah.gnu.org/cgit/grub.git/commit/?id=0adec29674561034771c13e446069b41ef41e4d4 + +Signed-off-by: Yongxin Liu +--- + util/grub-mkconfig.in | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in +index c3ea7612e..62335d027 100644 +--- a/util/grub-mkconfig.in b/util/grub-mkconfig.in +@@ -301,7 +301,10 @@ and /etc/grub.d/* files or please file a bug report with + exit 1 + else + # none of the children aborted with error, install the new grub.cfg ++oldumask=$(umask) ++umask 077 + cat ${grub_cfg}.new > ${grub_cfg} ++umask $oldumask + rm -f ${grub_cfg}.new + fi + fi +-- +2.31.1 + diff --git a/meta/recipes-bsp/grub/grub2.inc b/meta/recipes-bsp/grub/grub2.inc index bb791347dc..a72a562c5a 100644 --- a/meta/recipes-bsp/grub/grub2.inc +++ b/meta/recipes-bsp/grub/grub2.inc 
@@ -20,6 +20,7 @@ SRC_URI = "${GNU_MIRROR}/grub/grub-${PV}.tar.gz \ file://0001-grub.d-10_linux.in-add-oe-s-kernel-name.patch \ file://determinism.patch \ file://0001-RISC-V-Restore-the-typcast-to-long.patch \ + file://CVE-2021-3981-grub-mkconfig-Restore-umask-for-the-grub.cfg.patch \ " SRC_URI[sha256sum] = "23b64b4c741569f9426ed2e3d0e6780796fca081bee4c99f62aa3f53ae803f5f" -- 2.31.1 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#160016): https://lists.openembedded.org/g/openembedded-core/message/160016 Mute This Topic: https://lists.openembedded.org/mt/87974226/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
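Review bot: In the util/grub-mkconfig.in hunk, `umask 077` only decides the mode of a file that `cat ${grub_cfg}.new > ${grub_cfg}` has to create. When ${grub_cfg} already exists with mode 0644 from an earlier run, the redirection truncates it and keeps that mode, so a system that already has a grub.cfg stays world-readable after the backport. Say so in the commit message, and consider a recipe-level step (for example a `chmod 600` on an existing grub.cfg) so the fix also covers files created before this change. The `${grub_cfg}` expansions on that line are unquoted as well.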
Re: [OE-core][PATCH] meta/recipes-bsp: Add recipe for Slim Bootloader
> -Original Message-
> From: Ross Burton
> Sent: Wednesday, December 15, 2021 18:47
> To: Alexander Kanavin
> Cc: Liu, Yongxin; Konrad Weihmann; openembedded-core@lists.openembedded.org; richard.pur...@linuxfoundation.org
> Subject: Re: [OE-core][PATCH] meta/recipes-bsp: Add recipe for Slim Bootloader
>
> On Wed, 15 Dec 2021 at 08:15, Alexander Kanavin wrote:
> > Also, as this item is x86-specific, shouldn't it go to meta-intel to begin with?
>
> My immediate thought was that meta-intel would be a better place for yet
> another boot loader, especially one that only targets modern chips.

Agree. I will submit it to meta-intel.
Thanks for the comments.

Thanks,
Yongxin

> Ross
Re: [OE-core][PATCH] meta/recipes-bsp: Add recipe for Slim Bootloader
> -Original Message- > From: Konrad Weihmann > Sent: Wednesday, December 15, 2021 15:35 > To: Liu, Yongxin ; openembedded- > c...@lists.openembedded.org; richard.pur...@linuxfoundation.org > Subject: Re: [OE-core][PATCH] meta/recipes-bsp: Add recipe for Slim > Bootloader > > On 15.12.21 08:16, Yongxin Liu wrote: > > Slim Bootloader is an open-source boot firmware running on Intel x86 > > architecture. > > > > Currently it supports qemu, apl(Apollo Lake), cfl(Coffee Lake), > > cml(Comet Lake), tgl(Tiger Lake), and ehl(Elkhart Lake). You can set > > "SLIMBOOT_TARGET" in .bb file or .bbappend file to specify or add the > > target firmware you want, for example: SLIMBOOT_TARGET = "qemu apl". > > The default target is qemu. > > > > Generated firmware and security keys are installed in build directory: > > image > > `-- usr > > `-- libexec > > `-- slimboot > > |-- Outputs > > | |-- qemu > > | |-- apl > > | `-- cfl > > `-- keys > > > > Boot firmware for qemu can be used by command: > > "qemu-system-x86_64 -machine q35 -nographic -serial mon:stdio -pflash > SlimBootloader.bin" > > > > Other boot firmware for real hardware cannot be programmed directly to > > flash, please refer to https://slimbootloader.github.io/index.html for > > more instructions. > > > > Signed-off-by: Yongxin Liu > > --- > > ...d-private-key-check-for-PKCS8-format.patch | 28 > > .../build-EDK2-BaseTools-with-bitbake.patch | 70 +++ > > ...limbootloader-BaseTools-with-bitbake.patch | 42 +++ > > meta/recipes-bsp/slimboot/slimboot_git.bb | 57 +++ > > 4 files changed, 197 insertions(+) > > create mode 100644 meta/recipes-bsp/slimboot/files/add-private-key- > check-for-PKCS8-format.patch > > create mode 100644 meta/recipes-bsp/slimboot/files/build-EDK2- > BaseTools-with-bitbake.patch > > create mode 100644 meta/recipes-bsp/slimboot/files/build- > slimbootloader-BaseTools-with-bitbake.patch > > create mode 100644 meta/recipes-bsp/slimboot/slimboot_git.bb 
> > > > diff --git > > a/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-form > > at.patch > > b/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-form > > at.patch > > new file mode 100644 > > index 00..a7e9d96dfb > > --- /dev/null > > +++ b/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8- > > +++ format.patch > > @@ -0,0 +1,28 @@ > > +From e31e9b34f5ffccaab3788da781e05a0622cf7d45 Mon Sep 17 00:00:00 > > +2001 > > +From: Yongxin Liu > > +Date: Tue, 7 Dec 2021 16:18:43 + > > +Subject: [PATCH] add private key check for PKCS8 format > > + > > +Upstream-Status: Pending > > Pending patches are discouraged, please send them upstream Will do. > > > + > > +Signed-off-by: Yongxin Liu > > +--- > > + BootloaderCorePkg/Tools/SingleSign.py | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/BootloaderCorePkg/Tools/SingleSign.py > > +b/BootloaderCorePkg/Tools/SingleSign.py > > +index 2a550bf8..5baacbde 100644 > > +--- a/BootloaderCorePkg/Tools/SingleSign.py > > b/BootloaderCorePkg/Tools/SingleSign.py > > +@@ -259,7 +259,7 @@ def single_sign_gen_pub_key (in_key, pub_key_file = > None): > > + cmdline = [get_openssl_path(), 'rsa', '-pubout', '-text', '-noout', > '-in', '%s' % in_key] > > + # Check if it is public key or private key > > + text = open(in_key, 'r').read() > > +-if '-BEGIN RSA PRIVATE KEY-' in text: > > ++if '-BEGIN RSA PRIVATE KEY-' in text or '-BEGIN PRIVATE KEY-' in > text: > > + is_prv_key = True > > + elif '-BEGIN PUBLIC KEY-' in text: > > + cmdline.extend (['-pubin']) > > +-- > > +2.33.0 > > + > > diff --git > > a/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.pa > > tch > > b/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.pa > > tch > > new file mode 100644 > > index 00..3b9db74491 > > --- /dev/null > > +++ b/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbak > > +++ e.patch 
> > @@ -0,0 +1,70 @@ > > +From ce5ed81d9dd9c37e494560edb8f0fbae83713416 Mon Sep 17 00:00:00 > > +2001 > > +From: Yongxin Liu > > +Date: Wed, 15 Dec 2021 02:19:42 + > &g
[OE-core][PATCH] meta/recipes-bsp: Add recipe for Slim Bootloader
Slim Bootloader is an open-source boot firmware running on Intel x86 architecture. Currently it supports qemu, apl(Apollo Lake), cfl(Coffee Lake), cml(Comet Lake), tgl(Tiger Lake), and ehl(Elkhart Lake). You can set "SLIMBOOT_TARGET" in .bb file or .bbappend file to specify or add the target firmware you want, for example: SLIMBOOT_TARGET = "qemu apl". The default target is qemu. Generated firmware and security keys are installed in build directory: image `-- usr `-- libexec `-- slimboot |-- Outputs | |-- qemu | |-- apl | `-- cfl `-- keys Boot firmware for qemu can be used by command: "qemu-system-x86_64 -machine q35 -nographic -serial mon:stdio -pflash SlimBootloader.bin" Other boot firmware for real hardware cannot be programmed directly to flash, please refer to https://slimbootloader.github.io/index.html for more instructions. Signed-off-by: Yongxin Liu --- ...d-private-key-check-for-PKCS8-format.patch | 28 .../build-EDK2-BaseTools-with-bitbake.patch | 70 +++ ...limbootloader-BaseTools-with-bitbake.patch | 42 +++ meta/recipes-bsp/slimboot/slimboot_git.bb | 57 +++ 4 files changed, 197 insertions(+) create mode 100644 meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-format.patch create mode 100644 meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.patch create mode 100644 meta/recipes-bsp/slimboot/files/build-slimbootloader-BaseTools-with-bitbake.patch create mode 100644 meta/recipes-bsp/slimboot/slimboot_git.bb diff --git a/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-format.patch b/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-format.patch new file mode 100644 index 00..a7e9d96dfb --- /dev/null +++ b/meta/recipes-bsp/slimboot/files/add-private-key-check-for-PKCS8-format.patch 
@@ -0,0 +1,28 @@ +From e31e9b34f5ffccaab3788da781e05a0622cf7d45 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Tue, 7 Dec 2021 16:18:43 + +Subject: [PATCH] add private key check for PKCS8 format + +Upstream-Status: Pending + +Signed-off-by: Yongxin Liu +--- + BootloaderCorePkg/Tools/SingleSign.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/BootloaderCorePkg/Tools/SingleSign.py b/BootloaderCorePkg/Tools/SingleSign.py +index 2a550bf8..5baacbde 100644 +--- a/BootloaderCorePkg/Tools/SingleSign.py b/BootloaderCorePkg/Tools/SingleSign.py +@@ -259,7 +259,7 @@ def single_sign_gen_pub_key (in_key, pub_key_file = None): + cmdline = [get_openssl_path(), 'rsa', '-pubout', '-text', '-noout', '-in', '%s' % in_key] + # Check if it is public key or private key + text = open(in_key, 'r').read() +-if '-BEGIN RSA PRIVATE KEY-' in text: ++if '-BEGIN RSA PRIVATE KEY-' in text or '-BEGIN PRIVATE KEY-' in text: + is_prv_key = True + elif '-BEGIN PUBLIC KEY-' in text: + cmdline.extend (['-pubin']) +-- +2.33.0 + diff --git a/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.patch b/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.patch new file mode 100644 index 00..3b9db74491 --- /dev/null +++ b/meta/recipes-bsp/slimboot/files/build-EDK2-BaseTools-with-bitbake.patch 
@@ -0,0 +1,70 @@ +From ce5ed81d9dd9c37e494560edb8f0fbae83713416 Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Wed, 15 Dec 2021 02:19:42 + +Subject: [PATCH] build EDK2/BaseTools with bitbake + +EDK2 basetools are needed by QEMU FSP. Due to CRLF line terminators +in target file, the patch has to be set to binary format. + +Upstream-Status: Inappropriate [oe-core specific] + +Signed-off-by: Yongxin Liu +--- + .gitattributes | 1 + + .../Tools/PrepareBuildComponentBin.py| 6 ++ + .../build-edk2-BaseTools-with-bitbake.patch | Bin 0 -> 1375 bytes + 3 files changed, 7 insertions(+) + create mode 100644 Silicon/QemuSocPkg/FspBin/Patches/build-edk2-BaseTools-with-bitbake.patch + +diff --git a/.gitattributes b/.gitattributes +index e372c4d9..d31d5dbb 100644 +--- a/.gitattributes b/.gitattributes +@@ -17,3 +17,4 @@ + # since the files that are being patched have a mixture of line + # endings. This means it must be treated as binary. + Silicon/QemuSocPkg/FspBin/Patches/0001-Build-QEMU-FSP-2.0-binaries.patch binary ++Silicon/QemuSocPkg/FspBin/Patches/build-edk2-BaseTools-with-bitbake.patch binary +diff --git a/BootloaderCorePkg/Tools/PrepareBuildComponentBin.py b/BootloaderCorePkg/Tools/PrepareBuildComponentBin.py +index 50f24736..2cd2f5d5 100644 +--- a/BootloaderCorePkg/Tools/PrepareBuildComponentBin.py b/BootloaderCorePkg/Tools/PrepareBuildComponentBin.py +@@ -188,6 +188,12 @@ def BuildFspBins (fsp_dir, sbl_dir, fsp_inf, silicon_pkg_name, flag): + ret = subprocess.call(cmd.split(' '), cwd=fsp_d
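Review bot: In the SingleSign.py hunk, the new `'-BEGIN PRIVATE KEY-' in text` test accepts any PKCS#8 private key, while the command line built just above it is `openssl rsa ...`. A PKCS#8 header does not say the key is RSA, so a non-RSA key is marked `is_prv_key = True` and the mismatch surfaces only when openssl runs. Either check the key type before setting the flag or document that only RSA keys in PKCS#8 form are supported. An encrypted PKCS#8 key (`BEGIN ENCRYPTED PRIVATE KEY`) still matches neither branch shown; state whether that is intended.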
Re: [OE-core][PATCH] mesa: Allow building the iris driver
> -Original Message- > From: Böszörményi Zoltán > Sent: Wednesday, February 24, 2021 13:36 > To: Liu, Yongxin ; openembedded- > c...@lists.openembedded.org; richard.pur...@linuxfoundation.org > Subject: Re: [OE-core][PATCH] mesa: Allow building the iris driver > > [Please note: This e-mail is from an EXTERNAL e-mail address] > > Hi, > > 2021. 02. 24. 1:31 keltezéssel, Yongxin Liu írta: > > > > Iris driver supports Broadwell and newer (Gen8+) for very low CPU > overhead. > > > > With this patch, user can add PACKAGECONFIG_append = " iris" in their > bbappend file. > > > > And then iris will be added in build options, like "-Dgallium- > drivers=swrast,virgl,iris". > > You can check mesa/2_20.3.2-r0/build/meson-logs/meson-log.txt for this. > > > > The driver can be found in build directory: > > mesa/2_20.3.2-r0/image/usr/lib64/dri/iris_dri.so > > > > > > Thanks, > > Yongxin > > Since VAR_append can appear multiple times, bbappend files can equally do > > GALLIUMDRIVERS_append_x86_class-target = ",iris" > GALLIUMDRIVERS_append_x86-64_class-target = ",iris" > > instead of this PACKAGECONFIG. > > Anyway, since this MR exists in Mesa: > https://gitlab.freedesktop.org/mesa/mesa/-/merge_requests/8015 > after a certain point this will have to be used in the upstream recipe > (pseudo-patch follows): > > ... > -DRIDRIVERS_append_x86_class-target = ",r100,r200,nouveau,i965,i915" > -DRIDRIVERS_append_x86-64_class-target = ",r100,r200,nouveau,i965,i915" > ... > +GALLIUMDRIVERS_append_x86_class-target = ",nouveau,i915,iris" > +GALLIUMDRIVERS_append_x86-64_class-target = ",nouveau,i915,iris" > ... > Great. Thanks for pointing it out. --Yongxin > Best regards, > Zoltán Böszörményi > > > > >> -Original Message- 
> >> From: openembedded-core@lists.openembedded.org >> c...@lists.openembedded.org> On Behalf Of Yongxin Liu > >> Sent: Thursday, February 18, 2021 16:56 > >> To: openembedded-core@lists.openembedded.org; > >> richard.pur...@linuxfoundation.org > >> Subject: [OE-core][PATCH] mesa: Allow building the iris driver > >> > >> Signed-off-by: Yongxin Liu > >> --- > >> meta/recipes-graphics/mesa/mesa.inc | 3 +++ > >> 1 file changed, 3 insertions(+) > >> > >> diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes- > >> graphics/mesa/mesa.inc index cb075a8b89..72e22d654e 100644 > >> --- a/meta/recipes-graphics/mesa/mesa.inc > >> +++ b/meta/recipes-graphics/mesa/mesa.inc > >> @@ -168,6 +168,9 @@ GALLIUMDRIVERS_append > >> ="${@bb.utils.contains('PACKAGECONFIG', 'lima', ',lima', ' > >> PACKAGECONFIG[panfrost] = "" > >> GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', > >> 'panfrost', ',panfrost', '', d)}" > >> > >> +PACKAGECONFIG[iris] = "" > >> +GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', > >> +'iris', > >> ',iris', '', d)}" > >> + > >> OSMESA = "${@bb.utils.contains('PACKAGECONFIG', 'gallium', > >> 'gallium', 'classic', d)}" > >> PACKAGECONFIG[osmesa] = "-Dosmesa=${OSMESA},-Dosmesa=none" > >> > >> -- > >> 2.14.5 > > > > > > > > > > -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#148541): https://lists.openembedded.org/g/openembedded-core/message/148541 Mute This Topic: https://lists.openembedded.org/mt/80725460/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
Re: [OE-core][PATCH] mesa: Allow building the iris driver
Iris driver supports Broadwell and newer (Gen8+) for very low CPU overhead. With this patch, user can add PACKAGECONFIG_append = " iris" in their bbappend file. And then iris will be added in build options, like "-Dgallium-drivers=swrast,virgl,iris". You can check mesa/2_20.3.2-r0/build/meson-logs/meson-log.txt for this. The driver can be found in build directory: mesa/2_20.3.2-r0/image/usr/lib64/dri/iris_dri.so Thanks, Yongxin > -Original Message- > From: openembedded-core@lists.openembedded.org c...@lists.openembedded.org> On Behalf Of Yongxin Liu > Sent: Thursday, February 18, 2021 16:56 > To: openembedded-core@lists.openembedded.org; > richard.pur...@linuxfoundation.org > Subject: [OE-core][PATCH] mesa: Allow building the iris driver > > Signed-off-by: Yongxin Liu > --- > meta/recipes-graphics/mesa/mesa.inc | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes- > graphics/mesa/mesa.inc > index cb075a8b89..72e22d654e 100644 > --- a/meta/recipes-graphics/mesa/mesa.inc > +++ b/meta/recipes-graphics/mesa/mesa.inc 
> @@ -168,6 +168,9 @@ GALLIUMDRIVERS_append > ="${@bb.utils.contains('PACKAGECONFIG', 'lima', ',lima', ' > PACKAGECONFIG[panfrost] = "" > GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', 'panfrost', > ',panfrost', '', d)}" > > +PACKAGECONFIG[iris] = "" > +GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', 'iris', > ',iris', '', d)}" > + > OSMESA = "${@bb.utils.contains('PACKAGECONFIG', 'gallium', 'gallium', > 'classic', d)}" > PACKAGECONFIG[osmesa] = "-Dosmesa=${OSMESA},-Dosmesa=none" > > -- > 2.14.5 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#148526): https://lists.openembedded.org/g/openembedded-core/message/148526 Mute This Topic: https://lists.openembedded.org/mt/80725460/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
[OE-core][PATCH] mesa: Allow building the iris driver
Signed-off-by: Yongxin Liu --- meta/recipes-graphics/mesa/mesa.inc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/meta/recipes-graphics/mesa/mesa.inc b/meta/recipes-graphics/mesa/mesa.inc index cb075a8b89..72e22d654e 100644 --- a/meta/recipes-graphics/mesa/mesa.inc +++ b/meta/recipes-graphics/mesa/mesa.inc @@ -168,6 +168,9 @@ GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', 'lima', ',lima', ' PACKAGECONFIG[panfrost] = "" GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', 'panfrost', ',panfrost', '', d)}" +PACKAGECONFIG[iris] = "" +GALLIUMDRIVERS_append ="${@bb.utils.contains('PACKAGECONFIG', 'iris', ',iris', '', d)}" + OSMESA = "${@bb.utils.contains('PACKAGECONFIG', 'gallium', 'gallium', 'classic', d)}" PACKAGECONFIG[osmesa] = "-Dosmesa=${OSMESA},-Dosmesa=none" -- 2.14.5 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#148291): https://lists.openembedded.org/g/openembedded-core/message/148291 Mute This Topic: https://lists.openembedded.org/mt/80725460/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
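Review bot: The added `PACKAGECONFIG[iris] = ""` comes with neither a commit message nor a comment saying which hardware the driver serves or how to enable it; the only description in this thread is in a follow-up mail. Move that text into the commit message (Broadwell and newer, enabled with PACKAGECONFIG_append = " iris"), and say whether the option is meant to be selectable on non-x86 targets, since the hunk appends `,iris` to GALLIUMDRIVERS with no architecture override.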
[OE-core][PATCH] linux-firmware: move ibt-misc to the end of ibt packages
After commit 3ca1d3fa1d ("linux-firmware: fix the wrong file path for ibt-misc"), if we don't change the location of ibt-misc in PACKAGES, ibt-misc will include all ibt files and make other individual ibt package empty. Signed-off-by: Yongxin Liu --- meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb index 79acccddc7..2b5963c0c8 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb @@ -278,9 +278,10 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-iwlwifi-7265d ${PN}-iwlwifi-8000c ${PN}-iwlwifi-8265 \ ${PN}-iwlwifi-9000 \ ${PN}-iwlwifi-misc \ - ${PN}-ibt-license ${PN}-ibt ${PN}-ibt-misc \ + ${PN}-ibt-license ${PN}-ibt \ ${PN}-ibt-11-5 ${PN}-ibt-12-16 ${PN}-ibt-hw-37-7 ${PN}-ibt-hw-37-8 \ ${PN}-ibt-17 \ + ${PN}-ibt-misc \ ${PN}-i915-license ${PN}-i915 \ ${PN}-ice-license ${PN}-ice \ ${PN}-adsp-sst-license ${PN}-adsp-sst \ -- 2.14.4 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#140510): https://lists.openembedded.org/g/openembedded-core/message/140510 Mute This Topic: https://lists.openembedded.org/mt/75414697/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
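Review bot: The new position of `${PN}-ibt-misc` in PACKAGES is correct only as long as it stays after every specific ibt package, and nothing in the recipe records that constraint; an ibt package added after it later would come out empty again, exactly as the commit message describes. Add a comment in the recipe (outside the continued PACKAGES string) saying that ibt-misc must remain the last ibt entry.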
[OE-core][PATCH] linux-firmware: fix the wrong file path for ibt-misc
Signed-off-by: Yongxin Liu --- meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb index 392e03a10a..79acccddc7 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20200619.bb @@ -813,7 +813,7 @@ FILES_${PN}-ibt-hw-37-8 = "${nonarch_base_libdir}/firmware/intel/ibt-hw-37.8*.bs FILES_${PN}-ibt-11-5= "${nonarch_base_libdir}/firmware/intel/ibt-11-5.sfi ${nonarch_base_libdir}/firmware/intel/ibt-11-5.ddc" FILES_${PN}-ibt-12-16 = "${nonarch_base_libdir}/firmware/intel/ibt-12-16.sfi ${nonarch_base_libdir}/firmware/intel/ibt-12-16.ddc" FILES_${PN}-ibt-17 = "${nonarch_base_libdir}/firmware/intel/ibt-17-*.sfi ${nonarch_base_libdir}/firmware/intel/ibt-17-*.ddc" -FILES_${PN}-ibt-misc= "${nonarch_base_libdir}/firmware/ibt-*" +FILES_${PN}-ibt-misc= "${nonarch_base_libdir}/firmware/intel/ibt-*" RDEPENDS_${PN}-ibt-hw-37-7 = "${PN}-ibt-license" RDEPENDS_${PN}-ibt-hw-37.8 = "${PN}-ibt-license" -- 2.14.4 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#140401): https://lists.openembedded.org/g/openembedded-core/message/140401 Mute This Topic: https://lists.openembedded.org/mt/75370505/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
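Review bot: The corrected glob `${nonarch_base_libdir}/firmware/intel/ibt-*` now overlaps the FILES of the ibt-11-5, ibt-12-16 and ibt-17 packages in the context lines just above it, so which package receives those files depends on the order of PACKAGES, which this patch does not touch. Mention that in the commit message, which is currently empty, or fix the order in the same change. Separately, the context line `RDEPENDS_${PN}-ibt-hw-37.8` uses a dot where the matching variable is `FILES_${PN}-ibt-hw-37-8`, so that dependency looks attached to a package name that is not defined.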
[OE-core][PATCH] linux-firmware: add ice for Intel E800 series driver
Signed-off-by: Yongxin Liu --- meta/recipes-kernel/linux-firmware/linux-firmware_20200519.bb | 9 + 1 file changed, 9 insertions(+) diff --git a/meta/recipes-kernel/linux-firmware/linux-firmware_20200519.bb b/meta/recipes-kernel/linux-firmware/linux-firmware_20200519.bb index fcad7df629..18f44bccae 100644 --- a/meta/recipes-kernel/linux-firmware/linux-firmware_20200519.bb +++ b/meta/recipes-kernel/linux-firmware/linux-firmware_20200519.bb @@ -26,6 +26,7 @@ LICENSE = "\ & Firmware-i2400m \ & Firmware-i915 \ & Firmware-ibt_firmware \ +& Firmware-ice \ & Firmware-it913x \ & Firmware-iwlwifi_firmware \ & Firmware-IntcSST2 \ @@ -155,6 +156,7 @@ NO_GENERIC_LICENSE[Firmware-hfi1_firmware] = "LICENSE.hfi1_firmware" NO_GENERIC_LICENSE[Firmware-i2400m] = "LICENCE.i2400m" NO_GENERIC_LICENSE[Firmware-i915] = "LICENSE.i915" NO_GENERIC_LICENSE[Firmware-ibt_firmware] = "LICENCE.ibt_firmware" +NO_GENERIC_LICENSE[Firmware-ice] = "LICENSE.ice" NO_GENERIC_LICENSE[Firmware-IntcSST2] = "LICENCE.IntcSST2" NO_GENERIC_LICENSE[Firmware-it913x] = "LICENCE.it913x" NO_GENERIC_LICENSE[Firmware-iwlwifi_firmware] = "LICENCE.iwlwifi_firmware" @@ -280,6 +282,7 @@ PACKAGES =+ "${PN}-ralink-license ${PN}-ralink \ ${PN}-ibt-11-5 ${PN}-ibt-12-16 ${PN}-ibt-hw-37-7 ${PN}-ibt-hw-37-8 \ ${PN}-ibt-17 \ ${PN}-i915-license ${PN}-i915 \ + ${PN}-ice-license ${PN}-ice \ ${PN}-adsp-sst-license ${PN}-adsp-sst \ ${PN}-bnx2-mips \ ${PN}-liquidio \ 
@@ -828,6 +831,12 @@ FILES_${PN}-i915-license = "${nonarch_base_libdir}/firmware/LICENSE.i915" FILES_${PN}-i915 = "${nonarch_base_libdir}/firmware/i915" RDEPENDS_${PN}-i915 = "${PN}-i915-license" +LICENSE_${PN}-ice = "Firmware-ice" +LICENSE_${PN}-ice-license = "Firmware-ice" +FILES_${PN}-ice-license = "${nonarch_base_libdir}/firmware/LICENSE.ice" +FILES_${PN}-ice = "${nonarch_base_libdir}/firmware/intel/ice" +RDEPENDS_${PN}-ice = "${PN}-ice-license" + FILES_${PN}-adsp-sst-license = "${nonarch_base_libdir}/firmware/LICENCE.adsp_sst" LICENSE_${PN}-adsp-sst= "Firmware-adsp_sst" LICENSE_${PN}-adsp-sst-license= "Firmware-adsp_sst" -- 2.14.4 -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#139588): https://lists.openembedded.org/g/openembedded-core/message/139588 Mute This Topic: https://lists.openembedded.org/mt/74933813/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
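Review bot: No hunk adds a LIC_FILES_CHKSUM entry for LICENSE.ice, although the patch registers that file in `NO_GENERIC_LICENSE[Firmware-ice]` and packages it through `FILES_${PN}-ice-license`. If the recipe checksums its other licence files, add the matching entry so a changed licence text is caught on the next firmware upgrade. The commit message is also empty; one line naming the driver and the firmware path (`intel/ice`) would help.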
[OE-core] [PATCH] ltp: Add "udevadm trigger" before swap verification in mkswap01.sh
Swap verification sometimes fails due to race condition with udev. This is a known issue: https://github.com/linux-test-project/ltp/issues/458. "udevadm trigger" forces udev to sync up device events with kernel. Signed-off-by: Yongxin Liu --- ...-Add-udevadm-trigger-before-swap-verifica.patch | 35 ++ meta/recipes-extended/ltp/ltp_20190517.bb | 1 + 2 files changed, 36 insertions(+) create mode 100644 meta/recipes-extended/ltp/ltp/0001-mkswap01.sh-Add-udevadm-trigger-before-swap-verifica.patch diff --git a/meta/recipes-extended/ltp/ltp/0001-mkswap01.sh-Add-udevadm-trigger-before-swap-verifica.patch b/meta/recipes-extended/ltp/ltp/0001-mkswap01.sh-Add-udevadm-trigger-before-swap-verifica.patch new file mode 100644 index 00..1b433d3ad3 --- /dev/null +++ b/meta/recipes-extended/ltp/ltp/0001-mkswap01.sh-Add-udevadm-trigger-before-swap-verifica.patch 
@@ -0,0 +1,35 @@ +From fae8852a63d9fa6e56fb8b24eaf10560bd13757f Mon Sep 17 00:00:00 2001 +From: Yongxin Liu +Date: Tue, 12 Nov 2019 11:33:50 +0800 +Subject: [PATCH] mkswap01.sh: Add "udevadm trigger" before swap verification + +Fix: https://github.com/linux-test-project/ltp/issues/458 + +Sometimes the swap device cannot show up in /dev/disk/by-uuid/ +or /dev/disk/by-lable/ due to the issue #458. When this issue +happens, "blkid -c /dev/null" and "ls /dev/disk/by-uuid/" show +different UUID of the device. + +Upstream-Status: Submitted [https://patchwork.ozlabs.org/patch/1193414] + +Signed-off-by: Yongxin Liu +--- + testcases/commands/mkswap/mkswap01.sh | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/testcases/commands/mkswap/mkswap01.sh b/testcases/commands/mkswap/mkswap01.sh +index 3a348c6e6..9437c4a4e 100755 +--- a/testcases/commands/mkswap/mkswap01.sh b/testcases/commands/mkswap/mkswap01.sh +@@ -129,6 +129,8 @@ mkswap_test() + return + fi + ++ udevadm trigger --name-match=$TST_DEVICE ++ + if [ -n "$device" ]; then + mkswap_verify "$mkswap_op" "$op_arg" "$device" "$size" "$dev_file" + if [ $? -ne 0 ]; then +-- +2.14.4 + diff --git a/meta/recipes-extended/ltp/ltp_20190517.bb b/meta/recipes-extended/ltp/ltp_20190517.bb index 5915b1c72a..47aa9675d8 100644 --- a/meta/recipes-extended/ltp/ltp_20190517.bb +++ b/meta/recipes-extended/ltp/ltp_20190517.bb @@ -50,6 +50,7 @@ SRC_URI = "git://github.com/linux-test-project/ltp.git \ file://0001-syscall-rt_sigtimedwait01-Fix-wrong-sigset-length-fo.patch \ file://0001-cve-2017-17052-Avoid-unsafe-exits-in-threads.patch \ file://0001-overcommit_memory-update-for-mm-fix-false-positive-O.patch \ + file://0001-mkswap01.sh-Add-udevadm-trigger-before-swap-verifica.patch \ " S = "${WORKDIR}/git" -- 2.14.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
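Review bot: In the mkswap01.sh hunk, `udevadm trigger --name-match=$TST_DEVICE` only requests the events and returns without waiting for udev to process them, so `mkswap_verify` on the following lines can still run before /dev/disk/by-uuid is updated. Follow the trigger with `udevadm settle` (or an equivalent wait) and quote `"$TST_DEVICE"`.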
[OE-core] [PATCH] systemd: Fix invalid argument of pstore log entry
Fix "systemd-pstore: Failed to log pstore entry: Invalid argument" by backporting 1b3156edd291e0882d80a695d035dd30521345d1 from upstream. Signed-off-by: Yongxin Liu --- .../systemd/0001-pstore-fix-use-after-free.patch | 39 ++ meta/recipes-core/systemd/systemd_243.bb | 1 + 2 files changed, 40 insertions(+) create mode 100644 meta/recipes-core/systemd/systemd/0001-pstore-fix-use-after-free.patch diff --git a/meta/recipes-core/systemd/systemd/0001-pstore-fix-use-after-free.patch b/meta/recipes-core/systemd/systemd/0001-pstore-fix-use-after-free.patch new file mode 100644 index 00..fd147a18be --- /dev/null +++ b/meta/recipes-core/systemd/systemd/0001-pstore-fix-use-after-free.patch @@ -0,0 +1,39 @@ +From 1b3156edd291e0882d80a695d035dd30521345d1 Mon Sep 17 00:00:00 2001 +From: Michael Olbrich +Date: Fri, 6 Sep 2019 15:04:01 +0200 +Subject: [PATCH] pstore: fix use after free + +The memory is still needed in the sd_journal_sendv() after the 'if' block. + +(cherry picked from commit 1e19f5ac0d680a63eccae7ef1fc6ce225dca0bbf) + +Upstream-Status: Backport + +Signed-off-by: Yongxin Liu +--- + src/pstore/pstore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pstore/pstore.c b/src/pstore/pstore.c +index c760b3e899..8ffe523830 100644 +--- a/src/pstore/pstore.c b/src/pstore/pstore.c +@@ -117,6 +117,7 @@ static int compare_pstore_entries(const void *_a, const void *_b) { + + static int move_file(PStoreEntry *pe, const char *subdir) { + _cleanup_free_ char *ifd_path = NULL, *ofd_path = NULL; ++_cleanup_free_ void *field = NULL; + const char *suffix, *message; + struct iovec iovec[2]; + int n_iovec = 0, r; +@@ -138,7 +139,6 @@ static int move_file(PStoreEntry *pe, const char *subdir) { + iovec[n_iovec++] = IOVEC_MAKE_STRING(message); + + if (pe->content_size > 0) { +-_cleanup_free_ void *field = NULL; + size_t field_size; + + field_size = strlen("FILE=") + pe->content_size; +-- +2.14.4 + 
diff --git a/meta/recipes-core/systemd/systemd_243.bb b/meta/recipes-core/systemd/systemd_243.bb index 6e7f95693b..88069546a2 100644 --- a/meta/recipes-core/systemd/systemd_243.bb +++ b/meta/recipes-core/systemd/systemd_243.bb @@ -24,6 +24,7 @@ SRC_URI += "file://touchscreen.rules \ file://0005-rules-watch-metadata-changes-in-ide-devices.patch \ file://0001-unit-file.c-consider-symlink-on-filesystems-like-NFS.patch \ file://99-default.preset \ + file://0001-pstore-fix-use-after-free.patch \ " # patches needed by musl -- 2.14.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
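Review bot: The patch header names two upstream hashes, 1b3156edd291e0882d80a695d035dd30521345d1 in the From line and 1e19f5ac0d680a63eccae7ef1fc6ce225dca0bbf in the cherry-pick line, while `Upstream-Status: Backport` gives no URL or branch. State which repository and branch each hash belongs to, so the patch can be dropped with confidence on the next systemd version bump.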
[OE-core] [PATCH] init-install-efi.sh: don't assume the fixed location of efi loader
Currently, it is true that efi loader is in the same device as the rootfs image. But the script doesn't work when efi loader and rootfs image are in different live devices. This change makes the script work in this situation. Signed-off-by: Yongxin Liu --- .../initrdscripts/files/init-install-efi.sh| 29 -- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/meta/recipes-core/initrdscripts/files/init-install-efi.sh b/meta/recipes-core/initrdscripts/files/init-install-efi.sh index b6855b5..922f97b 100644 --- a/meta/recipes-core/initrdscripts/files/init-install-efi.sh +++ b/meta/recipes-core/initrdscripts/files/init-install-efi.sh @@ -241,13 +241,28 @@ echo "Preparing boot partition..." EFIDIR="/boot/EFI/BOOT" mkdir -p $EFIDIR -# Copy the efi loader -cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR -if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then +src_boot="" + +for i in `ls /dev/${live_dev_name}*`; do +i=${i#\/dev/} +if [ -f /run/media/$i/EFI/BOOT/*.efi ]; then +# Copy the efi loader +cp /run/media/$i/EFI/BOOT/*.efi $EFIDIR +src_boot=$i +break +fi +done + +if [ -z "$src_boot" ]; then +echo "No EFI bootloader found. Installation aborted." +exit 1 +fi + +if [ -f /run/media/$src_boot/EFI/BOOT/grub.cfg ]; then root_part_uuid=$(blkid -o value -s PARTUUID ${rootfs}) GRUBCFG="$EFIDIR/grub.cfg" -cp /run/media/$1/EFI/BOOT/grub.cfg $GRUBCFG +cp /run/media/$src_boot/EFI/BOOT/grub.cfg $GRUBCFG # Update grub config for the installed image # Delete the install entry sed -i "/menuentry 'install'/,/^}/d" $GRUBCFG 
@@ -260,11 +275,11 @@ if [ -f /run/media/$1/EFI/BOOT/grub.cfg ]; then sed -i "s/ root=[^ ]*/ root=PARTUUID=$root_part_uuid rw $rootwait quiet /g" $GRUBCFG fi -if [ -d /run/media/$1/loader ]; then +if [ -d /run/media/$src_boot/loader ]; then rootuuid=$(blkid -o value -s PARTUUID ${rootfs}) SYSTEMDBOOT_CFGS="/boot/loader/entries/*.conf" # copy config files for systemd-boot -cp -dr /run/media/$1/loader /boot +cp -dr /run/media/$src_boot/loader /boot # delete the install entry rm -f /boot/loader/entries/install.conf # delete the initrd lines @@ -282,7 +297,7 @@ umount /tgt_root # Copy kernel artifacts. To add more artifacts just add to types # For now just support kernel types already being used by something in OE-core for types in bzImage zImage vmlinux vmlinuz fitImage; do -for kernel in `find /run/media/$1/ -name $types*`; do +for kernel in `find /run/media/$src_boot/ -name $types*`; do cp $kernel /boot done done -- 1.8.3.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
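Review bot: In the first hunk, `if [ -f /run/media/$i/EFI/BOOT/*.efi ]; then` is only a valid test when the glob expands to exactly one file. With two or more loaders in EFI/BOOT the test receives several operands and evaluates false, so the loop falls through to "No EFI bootloader found. Installation aborted." even though loaders are present; the removed `cp /run/media/$1/EFI/BOOT/*.efi $EFIDIR` handled that case. Suggest testing each expansion instead, for example `for f in /run/media/$i/EFI/BOOT/*.efi; do [ -f "$f" ] && src_boot=$i && break; done`, and copying once `src_boot` is set. The loop source `ls /dev/${live_dev_name}*` can be a plain glob (`for i in /dev/${live_dev_name}*`), and `live_dev_name` is not set anywhere in the visible hunks, so the commit message should say where it comes from.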
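Review bot: The last hunk changes the kernel search to `find /run/media/$src_boot/ -name $types*`, which assumes the kernel image sits on the partition that holds the EFI loader. The case this patch targets is a loader and a rootfs image on different live devices, and nothing here says on which of the two the kernel lives; if it is on the rootfs side (`$1`), the loop copies nothing to /boot and the script does not report it. Suggest stating the expected layout in the commit message and aborting when no kernel artifact was copied. Since the line is being touched anyway, quoting the pattern (`-name "$types*"`) would stop the shell from expanding it against the current directory before find sees it.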
[OE-core] [PATCH] wic/bootimg-efi.py: add new source parameter "initrd_rename"
When using initrd in bootloader configuration file, we may want the name of initrd to be fixed. However, the actual name of initrd may change and depend on distro/machine's name. "initrd_rename" gives user a chance to rename initrd in final wic image. Signed-off-by: Yongxin Liu --- scripts/lib/wic/plugins/source/bootimg-efi.py | 12 ++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/scripts/lib/wic/plugins/source/bootimg-efi.py b/scripts/lib/wic/plugins/source/bootimg-efi.py index 83a7e18..852ed88 100644 --- a/scripts/lib/wic/plugins/source/bootimg-efi.py +++ b/scripts/lib/wic/plugins/source/bootimg-efi.py @@ -69,7 +69,11 @@ class BootimgEFIPlugin(SourcePlugin): if not bootimg_dir: raise WicError("Couldn't find DEPLOY_DIR_IMAGE, exiting") -cp_cmd = "cp %s/%s %s" % (bootimg_dir, initrd, hdddir) +initrd_rename = source_params.get('initrd_rename') +if initrd_rename: +cp_cmd = "cp %s/%s %s/%s" % (bootimg_dir, initrd, hdddir, initrd_rename) +else: +cp_cmd = "cp %s/%s %s" % (bootimg_dir, initrd, hdddir) exec_cmd(cp_cmd, True) else: logger.debug("Ignoring missing initrd") @@ -126,7 +130,11 @@ class BootimgEFIPlugin(SourcePlugin): if not bootimg_dir: raise WicError("Couldn't find DEPLOY_DIR_IMAGE, exiting") -cp_cmd = "cp %s/%s %s" % (bootimg_dir, initrd, hdddir) +initrd_rename = source_params.get('initrd_rename') +if initrd_rename: +cp_cmd = "cp %s/%s %s/%s" % (bootimg_dir, initrd, hdddir, initrd_rename) +else: +cp_cmd = "cp %s/%s %s" % (bootimg_dir, initrd, hdddir) exec_cmd(cp_cmd, True) else: logger.debug("Ignoring missing initrd") -- 1.8.3.1 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
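Review bot: `initrd_rename` goes from `source_params` straight into a command string in both hunks (`cp_cmd = "cp %s/%s %s/%s" % (bootimg_dir, initrd, hdddir, initrd_rename)`) with no check that it is a plain file name. A value containing `/` or `..` makes the copy land outside `hdddir`, and one containing whitespace is split into extra arguments when exec_cmd() runs it. Suggest raising WicError unless `os.path.basename(initrd_rename) == initrd_rename`. The same five lines are added in two places in BootimgEFIPlugin; a small helper would keep the two copies from drifting apart. The patch also adds no documentation for the new source parameter.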
[OE-core] [PATCH] sstate: add intel-microcode to SSTATE_DUPWHITELIST
intel-microcode multilib recipes can generate identical overlapping files: microcode.cpio. Signed-off-by: Yongxin Liu --- meta/classes/sstate.bbclass | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/meta/classes/sstate.bbclass b/meta/classes/sstate.bbclass index c0e54a398d..084d631523 100644 --- a/meta/classes/sstate.bbclass +++ b/meta/classes/sstate.bbclass @@ -33,10 +33,11 @@ SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/sdk_provides_dummy_nativesdk/ ${DEPLOY SSTATE_DUPWHITELIST += "${DEPLOY_DIR_RPM}/buildtools_dummy_nativesdk/ ${DEPLOY_DIR_IPK}/buildtools-dummy-nativesdk/" # Archive the sources for many architectures in one deploy folder SSTATE_DUPWHITELIST += "${DEPLOY_DIR_SRC}" -# ovmf/grub-efi/systemd-boot multilib recipes can generate identical overlapping files +# ovmf/grub-efi/systemd-boot/intel-microcode multilib recipes can generate identical overlapping files SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/ovmf" SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/grub-efi" SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/systemd-boot" +SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/microcode" SSTATE_SCAN_FILES ?= "*.la *-config *_config postinst-*" SSTATE_SCAN_CMD ??= 'find ${SSTATE_BUILDDIR} \( -name "${@"\" -o -name \"".join(d.getVar("SSTATE_SCAN_FILES").split())}" \) -type f' -- 2.14.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
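Review bot: The new entry `SSTATE_DUPWHITELIST += "${DEPLOY_DIR_IMAGE}/microcode"` does not match the file the commit message names, microcode.cpio, and unlike the `ovmf`, `grub-efi` and `systemd-boot` entries above it, it is not the recipe name either. If whitelist entries are matched as path prefixes, this one silences duplicate-file detection for every deploy artifact whose name begins with `microcode`, not only the one file that is known to be identical across multilib variants. Suggest whitelisting the exact file, `${DEPLOY_DIR_IMAGE}/microcode.cpio`, and having the comment say which file overlaps so the exemption stays as narrow as its justification.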
[OE-core] [PATCH] kdump: start kdump.service after basic.target
If kdump.service is set to run on boot and dump-capture kernel isn't placed in /dev/root, kdump.service will fail to load the kernel, since other partitions are not mounted yet. Starting kdump.service after basic.target guarantees dump-capture kernel can be loaded in this situation. Signed-off-by: Yongxin Liu --- meta/recipes-kernel/kexec/kexec-tools/kdump.service | 1 + 1 file changed, 1 insertion(+) diff --git a/meta/recipes-kernel/kexec/kexec-tools/kdump.service b/meta/recipes-kernel/kexec/kexec-tools/kdump.service index 4e65a46ac4..013c5a62b3 100644 --- a/meta/recipes-kernel/kexec/kexec-tools/kdump.service +++ b/meta/recipes-kernel/kexec/kexec-tools/kdump.service @@ -1,6 +1,7 @@ [Unit] Description=Reboot and dump vmcore via kexec DefaultDependencies=no +After=basic.target [Service] Type=oneshot -- 2.14.4 -- ___ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core
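Review bot: `After=basic.target` is added while `DefaultDependencies=no` stays in [Unit], and After= only orders the two units when both are part of the same transaction; it does not pull in basic.target or the mount that holds the dump-capture kernel. The "guarantees" wording in the commit message is therefore stronger than what this line provides. If the actual requirement is that the filesystem containing the dump-capture kernel is mounted, `RequiresMountsFor=` with that path, or `After=local-fs.target`, states it directly and orders the unit no later than needed. If the intent is for the unit to run after basic.target in general, the commit message should say why `DefaultDependencies=no` is kept.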