From 31e72c6b0a7d65b904afa2cb77e4e633cafacc6e Mon Sep 17 00:00:00 2001 From: haochenstar Date: Fri, 26 Nov 2021 11:39:56 +0800 Subject: [PATCH] synchronize some patches --- grub.patches | 3 + ...rd-prompts-to-enter-the-current-pass.patch | 302 ++++++++++++++++++ grub2.spec | 10 +- support-TPM2.0.patch | 96 ++++++ use-default-timestamp.patch | 57 ++++ 5 files changed, 467 insertions(+), 1 deletion(-) create mode 100644 grub2-set-password-prompts-to-enter-the-current-pass.patch create mode 100644 support-TPM2.0.patch create mode 100644 use-default-timestamp.patch diff --git a/grub.patches b/grub.patches index 5feaa93..8720a82 100644 --- a/grub.patches +++ b/grub.patches @@ -353,3 +353,6 @@ Patch0352: backport-0079-efi-tpm-Fix-typo-in-grub_efi_tpm2_protocol-struct.patch Patch0353: backport-0080-misc-Add-parentheses-around-ALIGN_UP-and-ALIGN_DOWN-.patch Patch0354: backport-0081-verifiers-Fix-calling-uninitialized-function-pointer.patch Patch0355: backport-templates-Fix-bad-test-on-GRUB_DISABLE_SUBMENU.patch +Patch0356: grub2-set-password-prompts-to-enter-the-current-pass.patch +Patch0357: support-TPM2.0.patch +Patch0358: use-default-timestamp.patch diff --git a/grub2-set-password-prompts-to-enter-the-current-pass.patch b/grub2-set-password-prompts-to-enter-the-current-pass.patch new file mode 100644 index 0000000..9d02dd8 --- /dev/null +++ b/grub2-set-password-prompts-to-enter-the-current-pass.patch 
@@ -0,0 +1,302 @@ +From 5099013778b2433a4dee3ae5e4826d8add1c1fb7 Mon Sep 17 00:00:00 2001 +From: liuxin +Date: Thu, 2 Sep 2021 17:30:39 +0800 +Subject: [PATCH] grub2-set-password prompts to enter the current password and + add the password complexity check + +--- + util/grub-mkpasswd-pbkdf2.c | 95 +++++++++++++++++++++++++++++- + util/grub-set-password.in | 114 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 207 insertions(+), 2 deletions(-) + +diff --git a/util/grub-mkpasswd-pbkdf2.c b/util/grub-mkpasswd-pbkdf2.c +index 5805f3c..68c2032 100644 +--- a/util/grub-mkpasswd-pbkdf2.c ++++ b/util/grub-mkpasswd-pbkdf2.c +@@ -42,10 +42,14 @@ + + #include "progname.h" + ++#define GRUB_PARAM_ERROR 1 ++#define GRUB_PARAM_SUCCESS 0 ++ + static struct argp_option options[] = { + {"iteration-count", 'c', N_("NUM"), 0, N_("Number of PBKDF2 iterations"), 0}, + {"buflen", 'l', N_("NUM"), 0, N_("Length of generated hash"), 0}, + {"salt", 's', N_("NUM"), 0, N_("Length of salt"), 0}, ++ {"salt arg", 'a', N_("VARCHAR"), 0, N_("preset salt var(hex code)"), 0}, + { 0, 0, 0, 0, 0, 0 } + }; + +@@ -54,8 +58,45 @@ struct arguments + unsigned int count; + unsigned int buflen; + unsigned int saltlen; ++ char * salt; + }; + ++static int illegal_char(char t) ++{ ++ int illegal = GRUB_PARAM_ERROR; ++ char legal[] = "0123456789ABCDEF"; ++ for (int i = 0; i < grub_strlen(legal); ++i) { ++ if (t == legal[i]) { ++ illegal = GRUB_PARAM_SUCCESS; ++ break; ++ } ++ } ++ return illegal; ++} ++ ++static int check_salt_verify(const char * arg) ++{ ++ grub_size_t len = grub_strlen(arg); ++ if (len <= 0 || len >= GRUB_SIZE_MAX) ++ { ++ fprintf(stderr, "salt length may be empty or too long!\n"); ++ return GRUB_PARAM_ERROR; ++ } ++ if (len % 2 != 0) ++ { ++ fprintf(stderr, "the salt value length is an even number!\n"); ++ return GRUB_PARAM_ERROR; ++ } ++ for (int i = 0; i < len; ++i) ++ { ++ if (illegal_char(arg[i])) ++ { ++ return GRUB_PARAM_ERROR; ++ } ++ } ++ return GRUB_PARAM_SUCCESS; ++} ++ + 
static error_t + argp_parser (int key, char *arg, struct argp_state *state) + { +@@ -76,6 +117,16 @@ argp_parser (int key, char *arg, struct argp_state *state) + case 's': + arguments->saltlen = strtoul (arg, NULL, 0); + break; ++ ++ case 'a': ++ if (check_salt_verify(arg)) ++ { ++ fprintf(stderr, "only hexadecimal numbers consisting of digits and uppercase letters are supported\n"); ++ return ARGP_ERR_UNKNOWN; ++ } ++ arguments->saltlen = grub_strlen(arg) / 2; ++ arguments->salt = arg; ++ break; + default: + return ARGP_ERR_UNKNOWN; + } +@@ -110,13 +161,44 @@ hexify (char *hex, grub_uint8_t *bin, grub_size_t n) + *hex = 0; + } + ++static void ++hextobyte(const char *hex, grub_uint8_t *bin, grub_size_t n) ++{ ++ while(n) ++ { ++ grub_uint8_t tmp = 0x00; ++ if (((*hex) <= '9') && ((*hex) >= '0')) ++ { ++ tmp += (grub_uint8_t)((*hex) - '0') << 4 & 0xf0; ++ } ++ else ++ { ++ tmp += (grub_uint8_t)((*hex) - 'A' + 10) << 4 & 0xf0; ++ } ++ hex++; ++ if (((*hex) <= '9') && ((*hex) >= '0')) ++ { ++ tmp += (grub_uint8_t)((*hex) - '0') & 0x0f; ++ } ++ else ++ { ++ tmp += (grub_uint8_t)((*hex) - 'A' + 10) & 0x0f; ++ } ++ *bin = tmp; ++ bin++; ++ hex++; ++ n -= 2; ++ } ++} ++ + int + main (int argc, char *argv[]) + { + struct arguments arguments = { + .count = 10000, + .buflen = 64, +- .saltlen = 64 ++ .saltlen = 64, ++ .salt = NULL + }; + char *result, *ptr; + gcry_err_code_t gcry_err; +@@ -133,6 +215,12 @@ main (int argc, char *argv[]) + exit(1); + } + ++ if (arguments.salt != NULL && grub_strlen(arguments.salt) != 2 * arguments.saltlen) ++ { ++ fprintf(stderr, "%s", _("If the -a parameter is set, don't set the -s parameter again\n")); ++ exit(1); ++ } ++ + buf = xmalloc (arguments.buflen); + salt = xmalloc (arguments.saltlen); + +@@ -161,7 +249,10 @@ main (int argc, char *argv[]) + } + memset (pass2, 0, sizeof (pass2)); + +- if (grub_get_random (salt, arguments.saltlen)) ++ if (arguments.salt != NULL) ++ { ++ hextobyte(arguments.salt, salt, arguments.saltlen * 2); ++ } else 
if (grub_get_random (salt, arguments.saltlen)) + { + memset (pass1, 0, sizeof (pass1)); + free (buf); +diff --git a/util/grub-set-password.in b/util/grub-set-password.in +index 487fbb1..3d0be26 100644 +--- a/util/grub-set-password.in ++++ b/util/grub-set-password.in +@@ -87,16 +87,130 @@ fixtty() { + } + + trap fixtty EXIT ++ ++getsaltpass() { ++ local P0 ++ local P1 ++ P0="$1" && shift ++ P1="$1" && shift ++ P2="$1" && shift ++ ++ ( echo ${P0} ; echo ${P1} ) | \ ++ LC_ALL=C ${grub_mkpasswd} -a ${P2} | \ ++ grep -v '[eE]nter password:' | \ ++ sed -e "s/PBKDF2 hash of your password is //" ++} ++ ++verifyusercfgoldpasswd() { ++ # get old password salt ++ expectsalt=`cat ${grubdir}/user.cfg | cut -d "." -f 5` ++ # get expect password ++ expectpass=`cat ${grubdir}/user.cfg` ++ prefix="GRUB2_PASSWORD=" ++ ++ stty -echo ++ echo -n "Enter Current password: " ++ read PASSWORD_CURRENT ++ echo ++ ++ needcheckpass="${prefix}$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")" ++ if [ "$expectpass" != "$needcheckpass" ]; then ++ echo "Authentication failed" ++ exit 1 ++ fi ++ ++ stty ${ttyopt} ++} ++ ++verifygrubcfgoldpasswd() { ++ # get old password line ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root grub.pbkdf2.sha512" | cut -d " " -f 3` ++ # if not get password, try a quotation mark match ++ if [ -z "$expectpass" ];then ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root \"grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "\"" -f 2` ++ fi ++ if [ -z "$expectpass" ];then ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root 'grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "'" -f 2` ++ fi ++ if [ -n "$expectpass" ];then ++ # get old password salt ++ expectsalt=`echo ${expectpass} | cut -d "." 
-f 5` ++ stty -echo ++ echo -n "Enter Current password: " ++ read PASSWORD_CURRENT ++ echo ++ ++ needcheckpass="$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")" ++ if [ "$expectpass" != "$needcheckpass" ]; then ++ echo "Authentication failed" ++ exit 1 ++ fi ++ fi ++ ++} ++ ++if [ -e ${grubdir}/user.cfg ];then ++ verifyusercfgoldpasswd ++else ++ verifygrubcfgoldpasswd ++fi ++ ++checkcomplexity() { ++ set +e ++ USERNAME=`cat ${grubdir}/grub.cfg | grep "set superusers=" | cut -d "\"" -f 2 |tail -1` ++ local P1="$1" && shift ++ if [ "$P1" = "$USERNAME" ];then ++ echo "The password contains the user name in some form" ++ exit 1 ++ fi ++ # password len >= 8 ++ strlen=`echo "$P1" | grep -E '^(.{8,}).*$'` ++ if [ -z "$strlen" ];then ++ echo "The password is shorter than 8 characters" ++ exit 1 ++ fi ++ # lowercase ++ strlow=`echo "$P1" | grep -E --color '^(.*[a-z]+).*$'` ++ # uppercase ++ strupp=`echo $P1 | grep -E --color '^(.*[A-Z]).*$'` ++ # special character ++ strts=`echo $P1 | grep -E --color '^(.*\W).*$'` ++ # num ++ strnum=`echo $P1 | grep -E --color '^(.*[0-9]).*$'` ++ complexity=0 ++ if [ -n "$strlow" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strupp" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strts" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strnum" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ $complexity -lt 3 ];then ++ echo "The password contains less than 3 character classes" ++ exit 1 ++ fi ++ set -e ++} ++ + stty -echo + + # prompt & confirm new grub2 root user password + echo -n "Enter password: " + read PASSWORD + echo ++stty ${ttyopt} ++checkcomplexity $PASSWORD ++stty -echo + echo -n "Confirm password: " + read PASSWORD_CONFIRM + echo + stty ${ttyopt} ++checkcomplexity $PASSWORD_CONFIRM + + getpass() { + local P0 +-- +2.23.0 + diff --git a/grub2.spec b/grub2.spec index 30275eb..cea0f82 100644 --- a/grub2.spec +++ b/grub2.spec 
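Review bot: The new password is passed unquoted in the added shell code, `checkcomplexity $PASSWORD`, `checkcomplexity $PASSWORD_CONFIRM` and `( echo ${P0} ; echo ${P1} )` in getsaltpass, so a password containing whitespace or glob characters is split and expanded before it reaches the check or grub-mkpasswd; the complexity check then sees only the first word and the current-password verification hashes a different string than the one typed, producing a spurious "Authentication failed". Quote them, `checkcomplexity "$PASSWORD"` and `( printf '%s\n' "${P0}" "${P1}" ) | LC_ALL=C ${grub_mkpasswd} -a "${P2}"`, which also avoids echo interpreting a password that starts with `-n` or `-e`. getsaltpass forwards only the salt, so the iteration count and hash length stay at grub-mkpasswd's defaults; a stored hash generated with `-c` or `-l` can therefore never verify, and the count (presumably the dot-separated field just before the salt, field 4, given that the salt is field 5) should be passed through `-c` the same way the salt is passed through `-a`. On the C side, the long option name `"salt arg"` contains a space, which argp would expose as `--salt arg`; `"salt-arg"` is the conventional spelling, and the message `the salt value length is an even number!` states a fact where the requirement is meant (`the salt length must be an even number`).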
@@ -8,7 +8,7 @@ Name: grub2 Epoch: 1 Version: 2.04 -Release: 21 +Release: 22 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -451,6 +451,14 @@ rm -r /boot/grub2.tmp/ || : %{_datadir}/man/man* %changelog +* Fri Nov 26 2021 xihaochen - 2.04-22 +- Type:bugfix +- ID:NA +- SUG:NA + DESC:grub2 set password prompts to enter the current pass + support TPM2.0 + use default timestamp + * Tue Nov 16 2021 fengtao - 2.04-21 - Type:bugfix - ID:NA diff --git a/support-TPM2.0.patch b/support-TPM2.0.patch new file mode 100644 index 0000000..790a60f --- /dev/null +++ b/support-TPM2.0.patch 
@@ -0,0 +1,96 @@ +From c4c243d19d77cab3591f0272c8e36619ccbbddf3 Mon Sep 17 00:00:00 2001 +From: gaoyusong +Date: Thu, 13 May 2021 18:34:23 +0800 +Subject: [PATCH] support TPM2.0 + +--- + grub-core/kern/verifiers.c | 25 +++++++++++++++++++------ + grub-core/script/execute.c | 12 +++++++++++- + 2 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c +index aa3dc7c..dfd73e5 100644 +--- a/grub-core/kern/verifiers.c ++++ b/grub-core/kern/verifiers.c +@@ -84,9 +84,16 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + grub_file_t ret = 0; + grub_err_t err; + int defer = 0; ++ int grub_env_flag = 0; ++ char *ptr = NULL; + + grub_dprintf ("verify", "file: %s type: %d\n", io->name, type); + ++ ptr = grub_strstr(io->name, "grubenv"); ++ if (ptr) { ++ grub_env_flag = 1; ++ } ++ + if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE + || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE + || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE)) +@@ -148,6 +155,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + verified->buf = grub_malloc (ret->size); + if (!verified->buf) + { ++ grub_error (GRUB_ERR_OUT_OF_MEMORY, ++ "cannot allocate verified buffer, the %s is too large\n", io->name); + goto fail; + } + if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size) +@@ -158,9 +167,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + goto fail; + } + +- err = ver->write (context, verified->buf, ret->size); +- if (err) +- goto fail; ++ if (!grub_env_flag) { ++ err = ver->write (context, verified->buf, ret->size); ++ if (err) ++ goto fail; ++ } + + err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE; + if (err) +@@ -179,9 +190,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + /* Verification done earlier. So, we are happy here. 
*/ + flags & GRUB_VERIFY_FLAGS_DEFER_AUTH) + continue; +- err = ver->write (context, verified->buf, ret->size); +- if (err) +- goto fail; ++ if (!grub_env_flag) { ++ err = ver->write (context, verified->buf, ret->size); ++ if (err) ++ goto fail; ++ } + + err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE; + if (err) +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index 0c6dd9c..3e761c4 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -1002,7 +1002,17 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd) + argv.args[i]); + } + cmdstring[cmdlen - 1] = '\0'; +- grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); ++ ++ if (grub_strncmp(cmdstring, "[ 0 = 1 ]", 9) == 0) { ++ char res_str[] = "[ = 1 ]"; ++ grub_verify_string (res_str, GRUB_VERIFY_COMMAND); ++ } else if (grub_strncmp(cmdstring, "[ 0 = 1 -o = 1 ]", 17) == 0) { ++ char res_str[] = "[ = 1 -o = 1 ]"; ++ grub_verify_string (res_str, GRUB_VERIFY_COMMAND); ++ } else { ++ grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); ++ } ++ + grub_free (cmdstring); + invert = 0; + argc = argv.argc - 1; +-- +2.19.1 + diff --git a/use-default-timestamp.patch b/use-default-timestamp.patch new file mode 100644 index 0000000..16934bf --- /dev/null +++ b/use-default-timestamp.patch 
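Review bot: The `grub_env_flag` test in grub_verifiers_open is `grub_strstr(io->name, "grubenv")`, so any path that merely contains that substring, not just the environment block, skips `ver->write` for every registered verifier, and each verifier is then handed to `ver->fini` without ever having seen the file contents. If the intent is to keep the mutable environment block out of the TPM measurement, key the exemption on the file type the caller already passes, e.g. `(type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_LOADENV`, and confine it to the TPM verifier rather than all of them; at minimum compare the basename exactly and add a comment such as `/* The environment block is rewritten at runtime; exclude it from measurement only. */` so the exemption is documented. In grub_script_execute_cmdline the two rewrites are inconsistent: `grub_strncmp(cmdstring, "[ 0 = 1 ]", 9)` is a prefix match because the literal is exactly 9 bytes, while the second compares 17 bytes of a 16-byte literal and therefore includes the terminator, making it an exact match; `grub_strcmp` on both would make the intent explicit. The substitution also means the string passed to grub_verify_string, and hence any measurement derived from it, is not the command that actually executes, which needs a comment stating which reference value it is meant to reproduce. grub_verifiers_open and grub_script_execute_cmdline both continue outside the hunk.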
@@ -0,0 +1,57 @@ +From 8922ea771163655f1d5dc8da589a6291976ae489 Mon Sep 17 00:00:00 2001 +From: zhouyihang +Date: Thu, 10 Jun 2021 20:01:54 +0800 +Subject: [PATCH] huawei use default timestamp + +--- + docs/grub-dev.texi | 4 ++-- + docs/grub.texi | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi +index f488e82..355764a 100644 +--- a/docs/grub-dev.texi ++++ b/docs/grub-dev.texi +@@ -18,7 +18,7 @@ + + @copying + This developer manual is for GNU GRUB (version @value{VERSION}, +-@value{UPDATED}). ++24 June 2019). + + Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc. + +@@ -40,7 +40,7 @@ Invariant Sections. + @titlepage + @sp 10 + @title the GNU GRUB developer manual +-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. ++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019. + @author Yoshinori K. Okuji + @author Colin D Bennett + @author Vesa Jääskeläinen +diff --git a/docs/grub.texi b/docs/grub.texi +index 262388c..41c1a89 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -18,7 +18,7 @@ + + @copying + This manual is for GNU GRUB (version @value{VERSION}, +-@value{UPDATED}). ++24 June 2019). + + Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc. + +@@ -48,7 +48,7 @@ Invariant Sections. + @titlepage + @sp 10 + @title the GNU GRUB manual +-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. ++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019. + @author Gordon Matzigkeit + @author Yoshinori K. Okuji + @author Colin Watson +-- +2.27.0 + -- Gitee