Luca Boccassi [Tue, 15 May 2018 10:36:46 +0000 (11:36 +0100)]
Do not overwrite sentinel byte in boot_params, breaks lockdown
grub currently copies the entire boot_params, which includes setting
sentinel byte to 0xff, which triggers sanitize_boot_params in the kernel
which in turn clears various boot_params variables, including the
indication that the bootloader chain is verified and thus the kernel
disables lockdown mode. According to the information on the Fedora bug
tracker, only the information from byte 0x1f1 is necessary, so start
copying from there instead.
Author: Luca Boccassi <bluca@debian.org>
Bug-Fedora: https://bugzilla.redhat.com/show_bug.cgi?id=1418360
Forwarded: no
Michael Chang [Thu, 27 Oct 2016 21:43:21 +0000 (17:43 -0400)]
efinet: Setting DNS server from UEFI protocol
In the URI device path node, any name rahter than address can be used for
looking up the resources so that DNS service become needed to get answer of the
name's address. Unfortunately the DNS is not defined in any of the device path
nodes so that we use the EFI_IP4_CONFIG2_PROTOCOL and EFI_IP6_CONFIG_PROTOCOL
to obtain it.
These two protcols are defined the sections of UEFI specification.
include/grub/efi/api.h:
Add new structure and protocol UUID of EFI_IP4_CONFIG2_PROTOCOL and
EFI_IP6_CONFIG_PROTOCOL.
grub-core/net/drivers/efi/efinet.c:
Use the EFI_IP4_CONFIG2_PROTOCOL and EFI_IP6_CONFIG_PROTOCOL to obtain the list
of DNS server address for IPv4 and IPv6 respectively. The address of DNS
servers is structured into DHCPACK packet and feed into the same DHCP packet
processing functions to ensure the network interface is setting up the same way
it used to be.
Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Ken Lin <ken.lin@hpe.com>
Last-Update: 2021-09-24
Michael Chang [Thu, 27 Oct 2016 21:43:05 +0000 (17:43 -0400)]
efinet: Setting network from UEFI device path
The PXE Base Code protocol used to obtain cached PXE DHCPACK packet is no
longer provided for HTTP Boot. Instead, we have to get the HTTP boot
information from the device path nodes defined in following UEFI Specification
sections.
include/grub/efi/api.h:
Add new structure of Uniform Resource Identifiers (URI) Device Path
grub-core/net/drivers/efi/efinet.c:
Check if PXE Base Code is available, if not it will try to obtain the netboot
information from the device path where the image booted from. The DHCPACK
packet is recoverd from the information in device patch and feed into the same
DHCP packet processing functions to ensure the network interface is setting up
the same way it used to be.
Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Ken Lin <ken.lin@hpe.com>
Patch-Name: efinet-set-network-from-uefi-devpath.patch
Michael Chang [Thu, 27 Oct 2016 21:42:19 +0000 (17:42 -0400)]
bootp: Add processing DHCPACK packet from HTTP Boot
The vendor class identifier with the string "HTTPClient" is used to denote the
packet as responding to HTTP boot request. In DHCP4 config, the filename for
HTTP boot is the URL of the boot file while for PXE boot it is the path to the
boot file. As a consequence, the next-server becomes obseleted because the HTTP
URL already contains the server address for the boot file. For DHCP6 config,
there's no difference definition in existing config as dhcp6.bootfile-url can
be used to specify URL for both HTTP and PXE boot file.
This patch adds processing for "HTTPClient" vendor class identifier in DHCPACK
packet by treating it as HTTP format, not as the PXE format.
Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Ken Lin <ken.lin@hpe.com>
Last-Update: 2021-09-24
Michael Chang [Thu, 27 Oct 2016 21:41:21 +0000 (17:41 -0400)]
efinet: UEFI IPv6 PXE support
When grub2 image is booted from UEFI IPv6 PXE, the DHCPv6 Reply packet is
cached in firmware buffer which can be obtained by PXE Base Code protocol. The
network interface can be setup through the parameters in that obtained packet.
Signed-off-by: Michael Chang <mchang@suse.com> Signed-off-by: Ken Lin <ken.lin@hpe.com>
Patch-Name: efinet-uefi-ipv6-pxe-support.patch
Aaron Miller [Thu, 27 Oct 2016 21:39:49 +0000 (17:39 -0400)]
net: read bracketed ipv6 addrs and port numbers
Allow specifying port numbers for http and tftp paths, and allow ipv6 addresses
to be recognized with brackets around them, which is required to specify a port
number
Chad MILLER [Thu, 27 Oct 2016 21:15:07 +0000 (17:15 -0400)]
Tell zpool to emit full device names
zfs-initramfs currently provides extraneous, undesired symlinks to
devices directly underneath /dev/ to satisfy zpool's historical output
of unqualified device names. By including this environment variable to
signal our intent to zpool, zfs-linux packages can drop the symlink
behavior when updating to its upstream or backported output behavior.
Steve McIntyre [Wed, 3 Dec 2014 01:25:12 +0000 (01:25 +0000)]
Add support for forcing EFI installation to the removable media path
Add an extra option to grub-install "--force-extra-removable". On EFI
platforms, this will cause an extra copy of the grub-efi image to be
written to the appropriate removable media patch
/boot/efi/EFI/BOOT/BOOT$ARCH.EFI as well. This will help with broken
UEFI implementations where the firmware does not work when configured
with new boot paths.
Signed-off-by: Steve McIntyre <93sam@debian.org>
Bug-Debian: https://bugs.debian.org/767037 https://bugs.debian.org/773092
Forwarded: Not yet
Last-Update: 2021-09-24
Ian Campbell [Sun, 30 Nov 2014 12:12:52 +0000 (12:12 +0000)]
Arrange to insmod xzio and lzopio when booting a kernel as a Xen guest
This is needed in case the Linux kernel is compiled with CONFIG_KERNEL_XZ or
CONFIG_KERNEL_LZO rather than CONFIG_KERNEL_GZ (gzio is already loaded by
grub.cfg today).
Signed-off-by: Ian Campbell <ijc@debian.org>
Bug-Debian: https://bugs.debian.org/755256
Forwarded: http://lists.gnu.org/archive/html/grub-devel/2014-11/msg00091.html
Last-Update: 2014-11-30
Ian Campbell [Sat, 6 Sep 2014 11:20:12 +0000 (12:20 +0100)]
grub-install: Install PV Xen binaries into the upstream specified path
Upstream have defined a specification for where guests ought to place their
xenpv grub binaries in order to facilitate chainloading from a stage 1 grub
loaded from dom0.
VSX bit is enabled by default for Power7 and Power8 CPU models,
so we need to disable them in order to avoid instruction exceptions.
Kernel will activate it when necessary.
Colin Watson [Tue, 28 Jan 2014 14:40:02 +0000 (14:40 +0000)]
Port yaboot logic for various powerpc machine types
Some powerpc machines require not updating the NVRAM. This can be handled
by existing grub-install command-line options, but it's friendlier to detect
this automatically.
On chrp_ibm machines, use the nvram utility rather than nvsetenv. (This
is possibly suitable for other machines too, but that needs to be
verified.)
Evan Broder [Mon, 13 Jan 2014 12:13:29 +0000 (12:13 +0000)]
Add configure option to enable gfxpayload=keep dynamically
Set GRUB_GFXPAYLOAD_LINUX=keep unless it's known to be unsupported on
the current hardware. See
https://blueprints.launchpad.net/ubuntu/+spec/packageselection-foundations-n-grub2-boot-framebuffer.
Author: Colin Watson <cjwatson@ubuntu.com>
Forwarded: no
Last-Update: 2019-05-25
Steve Langasek [Tue, 30 Oct 2018 22:04:16 +0000 (15:04 -0700)]
If we don't have writable grubenv and we're on EFI, always show the menu
If we don't have writable grubenv, recordfail doesn't work, which means our
quickboot behavior - with a timeout of 0 - leaves the user without a
reliable way to access the boot menu if they're on UEFI, because unlike
BIOS, UEFI does not support checking the state of modifier keys (i.e.
holding down shift at boot is not detectable).
Handle this corner case by always using a non-zero timeout on EFI when
save_env doesn't work.
Reuse GRUB_RECORDFAIL_TIMEOUT to avoid introducing another variable.
Signed-off-by: Steve Langasek <steve.langasek@canonical.com>
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1800722
Last-Update: 2019-06-24
Colin Watson [Mon, 13 Jan 2014 12:13:28 +0000 (12:13 +0000)]
Add configure option to bypass boot menu if possible
If other operating systems are installed, then automatically unhide the
menu. Otherwise, if GRUB_HIDDEN_TIMEOUT is 0, then use keystatus if
available to check whether Shift is pressed. If it is, show the menu,
otherwise boot immediately. If keystatus is not available, then fall
back to a short delay interruptible with Escape.
This may or may not remain Ubuntu-specific, although it's not obviously
wanted upstream. It implements a requirement of
https://wiki.ubuntu.com/DesktopExperienceTeam/KarmicBootExperienceDesignSpec#Bootloader.
If the previous boot failed (defined as failing to get to the end of one
of the normal runlevels), then show the boot menu regardless.
Author: Richard Laager <rlaager@wiktel.com>
Author: Robie Basak <robie.basak@ubuntu.com>
Forwarded: no
Last-Update: 2015-09-04
Colin Watson [Mon, 13 Jan 2014 12:13:27 +0000 (12:13 +0000)]
Adjust efi_distributor for some distributions
This is not a very good approach, and certainly not sanely upstreamable;
we probably need to split GRUB_DISTRIBUTOR into a couple of different
variables.
Colin Watson [Mon, 13 Jan 2014 12:13:26 +0000 (12:13 +0000)]
Add configure option to reduce visual clutter at boot time
If this option is enabled, then do all of the following:
Don't display introductory message about line editing unless we're
actually offering a shell prompt. (This is believed to be a workaround
for a different bug. We'll go with this for now, but will drop this in
favour of a better fix upstream if somebody figures out what that is.)
Don't clear the screen just before booting if we never drew the menu in
the first place.
Remove verbose messages printed before reading configuration. In some
ways this is awkward because it makes debugging harder, but it's a
requirement for a smooth-looking boot process; we may be able to do
better in future. Upstream doesn't want this, though.
Disable the cursor as well, for similar reasons of tidiness.
Suppress kernel/initrd progress messages, except in recovery mode.
Suppress "GRUB loading" message unless Shift is held down. Upstream
doesn't want this, as it makes debugging harder. Ubuntu wants it to
provide a cleaner boot experience.
Colin Watson [Mon, 13 Jan 2014 12:13:24 +0000 (12:13 +0000)]
Skip Windows os-prober entries on Wubi systems
Since we're already being booted from the Windows boot loader, including
entries that take us back to it mostly just causes confusion, and stops
us from being able to hide the menu if there are no other OSes
installed.
Matthew Garrett [Mon, 13 Jan 2014 12:13:15 +0000 (12:13 +0000)]
Add "linuxefi" loader which avoids ExitBootServices
Origin: vendor, http://pkgs.fedoraproject.org/cgit/grub2.git/tree/grub2-linuxefi.patch
Author: Colin Watson <cjwatson@ubuntu.com>
Author: Steve Langasek <steve.langasek@canonical.com>
Author: Linn Crosetto <linn@hpe.com>
Forwarded: no
Last-Update: 2021-09-24
Colin Watson [Mon, 13 Jan 2014 12:13:06 +0000 (12:13 +0000)]
"single" -> "recovery" when friendly-recovery is installed
If configured with --enable-ubuntu-recovery, also set nomodeset for
recovery mode, and disable 'set gfxpayload=keep' even if the system
normally supports it. See
https://launchpad.net/ubuntu/+spec/desktop-o-xorg-tools-and-processes.
Author: Stéphane Graber <stgraber@ubuntu.com>
Forwarded: no
Last-Update: 2013-12-25
Colin Watson [Mon, 13 Jan 2014 12:13:05 +0000 (12:13 +0000)]
Fall back to non-EFI if booted using EFI but -efi is missing
It may be possible, particularly in recovery situations, to be booted
using EFI on x86 when only the i386-pc target is installed, or on ARM
when only the arm-uboot target is installed. There's nothing actually
stopping us installing i386-pc or arm-uboot from an EFI environment, and
it's better than returning a confusing error.
Author: Steve McIntyre <93sam@debian.org>
Forwarded: no
Last-Update: 2019-05-24
Colin Watson [Mon, 13 Jan 2014 12:13:01 +0000 (12:13 +0000)]
Restore grub-mkdevicemap
This is kind of a mess, requiring lots of OS-specific code to iterate
over all possible devices. However, we use it in a number of scripts to
discover devices and reimplementing those in terms of something else
would be very complicated.
Author: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Forwarded: no
Last-Update: 2021-09-24
Colin Watson [Mon, 13 Jan 2014 12:13:00 +0000 (12:13 +0000)]
Handle filesystems loop-mounted on file images
Improve prepare_grub_to_access_device to emit appropriate commands for
such filesystems, and ignore them in Linux grub.d scripts.
This is needed for Ubuntu's Wubi installation method.
This patch isn't inherently Debian/Ubuntu-specific. losetup and
/proc/mounts are Linux-specific, though, so we might need to refine this
before sending it upstream. The changes to the Linux grub.d scripts
might be better handled by integrating 10_lupin properly instead.
Colin Watson [Mon, 13 Jan 2014 12:12:57 +0000 (12:12 +0000)]
Disable gfxpayload=keep by default
Setting gfxpayload=keep has been known to cause efifb to be
inappropriately enabled. In any case, with the current Linux kernel the
result of this option is that early kernelspace will be unable to print
anything to the console, so (for example) if boot fails and you end up
dumped to an initramfs prompt, you won't be able to see anything on the
screen. As such it shouldn't be enabled by default in Debian, no matter
what kernel options are enabled.
gfxpayload=keep is a good idea but rather ahead of its time ...
Bug-Debian: http://bugs.debian.org/567245
Forwarded: no
Last-Update: 2013-12-25
Daniel Kiper [Wed, 12 May 2021 14:37:54 +0000 (16:37 +0200)]
SECURITY: Add SECURITY file
The SECURITY file describes the GRUB project security policy.
It is based on https://github.com/wireapp/wire/blob/master/SECURITY.md
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com> Signed-off-by: Vladimir Serbinenko <phcoder@google.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Daniel Kiper [Wed, 12 May 2021 14:36:57 +0000 (16:36 +0200)]
MAINTAINERS: Add MAINTAINERS file
The MAINTAINERS file provides basic information about the GRUB project
and its maintainers.
Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com> Signed-off-by: Vladimir Serbinenko <phcoder@google.com> Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Refactor clean_grub_dir() to create a backup of all the files, instead
of just irrevocably removing them as the first action. If available,
register atexit() handler to restore the backup if errors occur before
point of no return, or remove the backup if everything was successful.
If atexit() is not available, the backup remains on disk for manual
recovery.
Some platforms defined a point of no return, i.e. after modules & core
images were updated. Failures from any commands after that stage are
ignored, and backup is cleaned up. For example, on EFI platforms update
is not reverted when efibootmgr fails.
Extra care is taken to ensure atexit() handler is only invoked by the
parent process and not any children forks. Some older GRUB codebases
can invoke parent atexit() hooks from forks, which can mess up the
backup.
This allows safer upgrades of MBR & modules, such that
modules/images/fonts/translations are consistent with MBR in case of
errors. For example accidental grub-install /dev/non-existent-disk
currently clobbers and upgrades modules in /boot/grub, despite not
actually updating any MBR.
This patch only handles backup and restore of files copied to /boot/grub.
This patch does not perform backup (or restoration) of MBR itself or
blocklists. Thus when installing i386-pc platform, corruption may still
occur with MBR and blocklists which will not be attempted to be
automatically recovered.
Also add modinfo.sh and *.efi to the cleanup/backup/restore code path,
to ensure it is also cleaned, backed up and restored.
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
osdep/unix/exec: Avoid atexit() handlers when child execvp() fails
The functions grub_util_exec_pipe() and grub_util_exec_pipe_stderr()
currently call execvp(). If the call fails for any reason, the child
currently calls exit(127). This in turn executes the parents
atexit() handlers from the forked child, and then the same handlers
are called again from parent. This is usually not desired, and can
lead to deadlocks, and undesired behavior. So, change the exit() calls
to _exit() calls to avoid calling atexit() handlers from child.
Fixes: e75cf4a58 (unix exec: avoid atexit handlers when child exits) Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This fixes cross-compiling to x86 (e.g., the Hurd) from x86-linux of
grub-core/lib/i386/relocator64.S
This file has six sections that only build with a 64-bit assembler,
yet only the first two sections had support for a 32-bit assembler.
This patch completes this for the remaining sections.
To reproduce, update the GRUB source description in your local Guix
archive and run
The XFS now has an incompat feature flag to indicate that a filesystem
needs to be repaired. The Linux kernel refuses to mount the filesystem
that has it set and only the xfs_repair tool is able to clear that flag.
The GRUB doesn't have the concept of mounting filesystems and just
attempts to read the files. But it does some sanity checking before
attempting to read from the filesystem. Among the things which are tested,
is if the super block only has set of incompatible features flags that
are supported by GRUB. If it contains any flags that are not listed as
supported, reading the XFS filesystem fails.
Since the GRUB doesn't attempt to detect if the filesystem is inconsistent
nor replays the journal, the filesystem access is a best effort. For this
reason, ignore if the filesystem needs to be repaired and just print a debug
message. That way, if reading or booting fails later, the user is able to
figure out that the failures can be related to broken XFS filesystem.
Suggested-by: Eric Sandeen <esandeen@redhat.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Carlos Maiolino [Mon, 24 May 2021 17:40:06 +0000 (19:40 +0200)]
fs/xfs: Add bigtime incompat feature support
The XFS filesystem supports a bigtime feature to overcome y2038 problem.
This patch makes the GRUB able to support the XFS filesystems with this
feature enabled.
The XFS counter for the bigtime enabled timestamps starts at 0, which
translates to GRUB_INT32_MIN (Dec 31 20:45:52 UTC 1901) in the legacy
timestamps. The conversion to Unix timestamps is made before passing the
value to other GRUB functions.
For this to work properly, GRUB requires an access to flags2 field in the
XFS ondisk inode. So, the grub_xfs_inode structure has been updated to
cover full ondisk inode.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Carlos Maiolino [Mon, 24 May 2021 17:40:05 +0000 (19:40 +0200)]
fs: Use 64-bit type for filesystem timestamp
Some filesystems nowadays use 64-bit types for timestamps. So, update
grub_dirhook_info struct to use an grub_int64_t type to store mtime.
This also updates the grub_unixtime2datetime() function to receive
a 64-bit timestamp argument and do 64-bit-safe divisions.
All the remaining conversion from 32-bit to 64-bit should be safe, as
32-bit to 64-bit attributions will be implicitly casted. The most
critical part in the 32-bit to 64-bit conversion is in the function
grub_unixtime2datetime() where it needs to deal with the 64-bit type.
So, for that, the grub_divmod64() helper has been used.
These changes enables the GRUB to support dates beyond y2038.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
types: Define PRI{x,d}GRUB_INT{32,64}_T format specifiers
There are already PRI*_T constants defined for unsigned integers but not
for signed integers. Add format specifiers for the latter.
Suggested-by: Daniel Kiper <daniel.kiper@oracle.com> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
util/mkimage: Fix wrong PE32+ section sizes for some arches
The commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
added a helper function to setup PE sections. But it also changed how the
raw data offsets were calculated since all the section sizes are aligned.
However, for some platforms, i.e ia64-efi and arm64-efi, the kernel image
size is not aligned using the section alignment. This leads to the situation
in which the mods section offset in its PE section header does not match its
real placement in the PE file. So, finally the GRUB is not able to locate
and load built-in modules.
The problem surfaces on ia64-efi and arm64-efi because both platforms
require additional relocation data which is added behind .bss section.
So, we have to add some padding behind this extra data to make the
beginning of mods section properly aligned in the PE file. Fix it by
aligning the kernel_size to the section alignment. That makes the sizes
and offsets in the PE section headers to match relevant sections in the
PE32+ binary file.
Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> Tested-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
i18n: Format large integers before the translation message
The GNU gettext only supports the ISO C99 macros for integral
types. If there is a need to use unsupported formatting macros,
e.g. PRIuGRUB_UINT64_T, according to [1] the number to a string
conversion should be separated from the code printing message
requiring the internationalization. So, the function grub_snprintf()
is used to print the numeric values to an intermediate buffer and
the internationalized message contains a string format directive.
Daniel Axtens [Thu, 1 Apr 2021 15:22:04 +0000 (02:22 +1100)]
video/fb/fbfill: Use unsigned integers for width/height
Since commit 7ce3259f67ac (video/fb/fbfill: Fix potential integer
overflow), clang builds of grub-emu have failed with messages like:
/usr/bin/ld: libgrubmods.a(libgrubmods_a-fbfill.o): in function `grub_video_fbfill_direct24':
fbfill.c:(.text+0x28e): undefined reference to `__muloti4'
This appears to be due to a weird quirk in how clang compiles
which is grub_mul(unsigned int, int, &grub_size_t).
It looks like clang somewhere promotes everything to 128-bit maths
before ultimately reducing down to 64 bit for grub_size_t. I think
this is because width is signed, and indeed converting width to an
unsigned int makes the problem go away.
This conversion also makes more sense generally:
- the caller of all the fbfill_directN functions is
grub_video_fb_fill_dispatch() and it takes width and height as
unsigned ints already,
- it doesn't make sense to fill a negative width or height.
Convert the width and height arguments and associated loop counters
to unsigned ints.
Fixes: 7ce3259f67ac (video/fb/fbfill: Fix potential integer overflow) Signed-off-by: Daniel Axtens <dja@axtens.net> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Colin Watson [Fri, 19 Mar 2021 23:54:38 +0000 (23:54 +0000)]
buffer: Sync up out-of-range error message
The messages associated with other similar GRUB_ERR_OUT_OF_RANGE errors
were lacking the trailing full stop. Syncing up the strings saves a small
amount of precious core image space on i386-pc.
The ext2 (and ext3, ext4) filesystems write the number of free inodes to
location 0x410.
On a MINIX filesystem, that same location is used for the MINIX superblock
magic number.
If the number of free inodes on an ext2 filesystem is equal to any
of the four MINIX superblock magic values plus any multiple of 65536,
GRUB's MINIX filesystem code will probe it as a MINIX filesystem.
In the case of an OS using ext2 as the root filesystem, since there will
ordinarily be some amount of file creation and deletion on every bootup,
it effectively means that this situation has a 1:16384 chance of being hit
on every reboot.
This will cause GRUB's filesystem probing code to mistakenly identify an
ext2 filesystem as MINIX. This can be seen by e.g. "search --label"
incorrectly indicating that no such ext2 partition with matching label
exists, whereas in fact it does.
After spotting the rough cause of the issue I was facing here, I borrowed
much of the diagnosis/explanation from meierfra who found and investigated
the same issue in util-linux in 2010:
Ard Biesheuvel [Sun, 25 Oct 2020 13:49:34 +0000 (14:49 +0100)]
arm/linux: Fix ARM Linux header layout
The hdr_offset member of the ARM Linux image header appears at
offset 0x3c, matching the PE/COFF spec's placement of the COFF
header offset in the MS-DOS header. We're currently off by four,
so fix that.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@arm.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Fri, 5 Mar 2021 00:22:43 +0000 (18:22 -0600)]
fs/zfs/zfs: Use format code "%llu" for 64-bit uint bp->blk_prop in grub_error()
This is a temporary, less-intrusive change to get the build to success with
compiler format string checking turned on. There is a better fix which
addresses this issue, but it needs more testing. Use this change so that
format string checking on grub_error() can be turned on until the better
change is fully tested.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Fri, 5 Mar 2021 00:22:41 +0000 (18:22 -0600)]
dl/elf: Use format code PRIxGRUB_UINT64_T for 64-bit arg in grub_error()
The macro ELF_R_TYPE does not change the underlying type. Here its argument
is a 64-bit Elf64_Xword. Make sure the format code matches.
For the RISC-V architecture, rel->r_info could be either Elf32_Xword or
Elf64_Xword depending on if 32 or 64-bit RISC-V is being built. So cast
to 64-bit value regardless.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Fri, 5 Mar 2021 00:22:38 +0000 (18:22 -0600)]
kern/efi/mm: Format string error in grub_error()
The second format string argument, GRUB_EFI_MAX_USABLE_ADDRESS, is a macro
to a number literal. However, depending on what the target architecture, the
type can be 32 or 64 bits. Cast to a 64-bit integer. Also, change the
format string literals "%llx" to use PRIxGRUB_UINT64_T.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Fri, 5 Mar 2021 00:22:37 +0000 (18:22 -0600)]
commands/pgp: Format code for grub_error() is incorrect
The format code is for a 32-bit int, but the argument, keyid, is declared as
a 64 bit int. The comment above says keyid is 32-bit. I'm not sure if the
comment or declaration is wrong, so force the display of a 64-bit int for now.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Fri, 5 Mar 2021 00:22:35 +0000 (18:22 -0600)]
disk/dmraid_nvidia: Format string error in grub_error()
The grub_error() has a format string expecting two arguments, but only one
provided. According to the comments in the struct grub_nv_super definition,
the version field looks like a version number where major.minor is encoded
as each a byte in the two-byte short.
Signed-off-by: Glenn Washburn <development@efficientek.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Philip Müller [Tue, 9 Mar 2021 21:10:14 +0000 (22:10 +0100)]
templates: Properly disable the os-prober by default
This patch does the following:
- really disables os-prober by default in the util/grub-mkconfig.in
by setting GRUB_DISABLE_OS_PROBER to true,
- fixes the logic in the util/grub.d/30_os-prober.in,
- updates the grub_warn() lines.
Reason for the code shuffling in the util/grub-mkconfig.in:
The default was GRUB_DISABLE_OS_PROBER=false if you don't set
GRUB_DISABLE_OS_PROBER at all. To prevent os-prober from starting we
have to set it by default to true and shuffle GRUB_DISABLE_OS_PROBER to
code section, which is executed by the script. However we still give an
option to the user to overwrite it with false, if he wants to execute
os-prober after all.
Fixes: e3464147 (templates: Disable the os-prober by default) Reported-by: Didier Spaier <didier@slint.fr> Reported-by: Lennart Sorensen <lsorense@csclub.uwaterloo.ca> Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> Signed-off-by: Philip Müller <philm@manjaro.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Michael Chang [Fri, 5 Mar 2021 13:48:53 +0000 (21:48 +0800)]
kern/efi/sb: Add chainloaded image as shim's verifiable object
While attempting to dual boot Microsoft Windows with UEFI chainloader,
it failed with below error when UEFI Secure Boot was enabled:
error ../../grub-core/kern/verifiers.c:119:verification requested but
nobody cares: /EFI/Microsoft/Boot/bootmgfw.efi.
It is a regression, as previously it worked without any problem.
It turns out chainloading PE image has been locked down by commit 578c95298 (kern: Add lockdown support). However, we should consider it
as verifiable object by shim to allow booting in UEFI Secure Boot mode.
The chainloaded PE image could also have trusted signature created by
vendor with their pubkey cert in db. For that matters it's usage should
not be locked down under UEFI Secure Boot, and instead shim should be
allowed to validate a PE binary signature before running it.
Fixes: 578c95298 (kern: Add lockdown support) Signed-off-by: Michael Chang <mchang@suse.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Glenn Washburn [Mon, 1 Mar 2021 19:36:28 +0000 (13:36 -0600)]
disk/pata: Suppress error message "no device connected"
This error message comes from the grub_print_error() in
grub_pata_device_initialize(), which does not pass on the error, and is
raised in check_device(). The function check_device() needs to return this
as an error because check_device() is also used in grub_pata_open(), which
does pass on this error to indicate that the device can not be used.
This is actually not an error when displayed by grub_pata_device_initialize()
because it just indicates that there are no pata devices seen. This may be
confusing to end users who do not have pata devices yet are loading the
pata module (perhaps implicitly via nativedisk). This also causes unnecessary
output which may need to be accounted for in functional testing.
Instead print to the debug log when check_device() raises this "error" and
pop the error from the error stack. If there is another error on the stack
then print the error stack as those should be real errors.
Signed-off-by: Glenn Washburn <development@efficientek.com> Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Yi Zhao [Fri, 8 Jan 2021 00:39:47 +0000 (08:39 +0800)]
fs/ext2: Fix a file not found error when a symlink filesize is equal to 60
We encountered a file not found error when the symlink filesize is
equal to 60:
$ ls -l initrd
lrwxrwxrwx 1 root root 60 Jan 6 16:37 initrd -> secure-core-image-initramfs-5.10.2-yoctodev-standard.cpio.gz
When booting, we got the following error in the GRUB:
error: file `/initrd' not found
The root cause is that the size of diro->inode.symlink is equal to 60
and a symlink name has to be terminated with NUL there. So, if the
symlink filesize is exactly 60 then it is also stored in a separate
block rather than in the inode itself.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tianjia Zhang [Mon, 11 Jan 2021 03:04:36 +0000 (11:04 +0800)]
loader/i386/linux: Do not use grub_le_to_cpu32() for relocatable variable
The relocatable variable is defined as grub_uint8_t. Relevant
member in setup_header structure is also defined as one byte
in Linux boot protocol. By semantic definition it is a bool type.
It is not appropriate to treat it as a four bytes. This patch
fixes the issue.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Tianjia Zhang [Mon, 11 Jan 2021 03:04:51 +0000 (11:04 +0800)]
loader/i386/linux: Remove redundant code from in grub_cmd_linux()
The preferred_address has been assigned to GRUB_LINUX_BZIMAGE_ADDR
during initialization in grub_cmd_linux(). The assignment here
is redundant and should be removed.
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
efi: The device-tree must be in EfiACPIReclaimMemory
According to the Embedded Base Boot Requirements (EBBR) specification the
device-tree passed to Linux as a configuration table must reside in
EfiACPIReclaimMemory.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
commands/efi/lsefisystab: Add short text for EFI_RT_PROPERTIES_TABLE_GUID
UEFI specification 2.8 errata B introduced the EFI_RT_PROPERTIES_TABLE
describing the services available at runtime.
The lsefisystab command is used to display installed EFI configuration
tables. Currently it only shows the GUID but not a short text for the
new table.
Provide a short text for the EFI_RT_PROPERTIES_TABLE_GUID.
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Petr Vorel [Tue, 2 Mar 2021 16:16:57 +0000 (17:16 +0100)]
docs/luks2: Mention key derivation function support
To give users hint why Argon2, the default in cryptsetup for LUKS2, does
not work.
Signed-off-by: Petr Vorel <pvorel@suse.cz> Acked-by: Paul Menzel <pmenzel@molgen.mpg.de> Reviewed-by: Patrick Steinhardt <ps@pks.im> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Derek Foreman [Fri, 26 Feb 2021 18:05:07 +0000 (12:05 -0600)]
commands/file: Fix array/enum desync
The commit f1957dc8a (RISC-V: Add to build system) added two entries to
the options array, but only 1 entry to the enum. This resulted in
everything after the insertion point being off by one.
This broke at least the "file --is-hibernated-hiberfil" command.
Bring the two back in sync by splitting the IS_RISCV_EFI enum entry into
two, as is done for other architectures.
Signed-off-by: Derek Foreman <derek@endlessos.org> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Fix compilation error due to missing parameter to
grub_printf() when MM_DEBUG is defined.
Fixes: 64e26162e (calloc: Make sure we always have an overflow-checking calloc() available) Signed-off-by: Marco A Benatto <mbenatto@redhat.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Alex Burmashev [Tue, 16 Feb 2021 10:12:12 +0000 (11:12 +0100)]
templates: Disable the os-prober by default
The os-prober is enabled by default what may lead to potentially
dangerous use cases and borderline opening attack vectors. This
patch disables the os-prober, adds warning messages and updates
GRUB_DISABLE_OS_PROBER configuration option documentation. This
way we make it clear that the os-prober usage is not recommended.
Simplistic nature of this change allows downstream vendors, who
really want os-prober to be enabled out of the box in their
relevant products, easily revert to it's old behavior.
Reported-by: NyankoSec (<nyanko@10x.moe>, https://twitter.com/NyankoSec),
working with SSD Secure Disclosure Signed-off-by: Alex Burmashev <alexander.burmashev@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
gfxmenu/gui: Check printf() format in the gui_progress_bar and gui_label
The gui_progress_bar and gui_label components can display the timeout
value. The format string can be set through a theme file. This patch
adds a validation step to the format string.
If a user loads a theme file into the GRUB without this patch then
a GUI label with the following settings
+ label {
...
id = "__timeout__"
text = "%s"
}
will interpret the current timeout value as string pointer and print the
memory at that position on the screen. It is not desired behavior.
Signed-off-by: Thomas Frauendorfer | Miray Software <tf@miray.de> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>