From 3f1947bb45a54c02586d3037d1170410c9cc3719 Mon Sep 17 00:00:00 2001 From: yanan-rock Date: Sat, 26 Feb 2022 17:01:31 +0800 Subject: [PATCH] Fix arm64 kernel image not aligned on 64k boundary * backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch * backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch Signed-off-by: yanan-rock (cherry picked from commit 213914bf725818c72c2e685d5f3a39b64fea9a85) --- ...r-the-PE-magic-for-the-compiled-arch.patch | 65 ++++ ...x-EFI-loader-kernel-image-allocation.patch | 192 +++++++++++ grub.patches | 5 + ...rd-prompts-to-enter-the-current-pass.patch | 302 ++++++++++++++++++ grub2.spec | 18 +- support-TPM2.0.patch | 96 ++++++ use-default-timestamp.patch | 57 ++++ 7 files changed, 733 insertions(+), 2 deletions(-) create mode 100644 backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch create mode 100644 backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch create mode 100644 grub2-set-password-prompts-to-enter-the-current-pass.patch create mode 100644 support-TPM2.0.patch create mode 100644 use-default-timestamp.patch diff --git a/backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch b/backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch new file mode 100644 index 0000000..5dea6ff --- /dev/null +++ b/backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch @@ -0,0 +1,65 @@ +From 337b3d963d28b3544e8817428fb68ca559613a39 Mon Sep 17 00:00:00 2001 +From: Peter Jones +Date: Thu, 9 Sep 2021 10:59:28 -0400 +Subject: [PATCH 2/2] Arm: check for the PE magic for the compiled arch + +In "arm64: Fix EFI loader kernel image allocation", Ben fixed the kernel +alignment to match the alignment given in the PE header. In doing so, a +check for valid PE magic was added, which was hard-coded to the value +seen on Aarch64 (GRUB_PE32_PE64_MAGIC). + +Unfortunately, this code is shared between 64-bit and 32-bit, and so +that value broke 32-bit Arm systems. + +This patch adds a constant definition for GRUB_PE32_PEXX_MAGIC, which is +either GRUB_PE32_PE64_MAGIC or GRUB_PE32_PE32_MAGIC, depending on which +platform is being built, and uses it in the header magic check. + +Resolves: rhbz#2000756 + +Signed-off-by: Peter Jones +--- + grub-core/loader/arm64/linux.c | 2 +- + include/grub/arm/linux.h | 1 + + include/grub/arm64/linux.h | 1 + + 3 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c +index 1da1886..f0ad052 100644 +--- a/grub-core/loader/arm64/linux.c ++++ b/grub-core/loader/arm64/linux.c +@@ -342,7 +342,7 @@ parse_pe_header (void *kernel, grub_uint64_t *total_size, + + pe = (void *)((unsigned long)kernel + lh->hdr_offset); + +- if (pe->opt.magic != GRUB_PE32_PE64_MAGIC) ++ if (pe->opt.magic != GRUB_PE32_PEXX_MAGIC) + return grub_error(GRUB_ERR_BAD_OS, "Invalid PE optional header magic"); + + *total_size = pe->opt.image_size; +diff --git a/include/grub/arm/linux.h b/include/grub/arm/linux.h +index b582f67..966a507 100644 +--- a/include/grub/arm/linux.h ++++ b/include/grub/arm/linux.h +@@ -44,6 +44,7 @@ struct grub_arm_linux_pe_header + + #if defined(__arm__) + # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM_MAGIC_SIGNATURE ++# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE32_MAGIC + # define linux_arch_kernel_header linux_arm_kernel_header + # define grub_armxx_linux_pe_header grub_arm_linux_pe_header + #endif +diff --git a/include/grub/arm64/linux.h b/include/grub/arm64/linux.h +index a3be9dd..20828d9 100644 +--- a/include/grub/arm64/linux.h ++++ b/include/grub/arm64/linux.h +@@ -47,6 +47,7 @@ struct grub_arm64_linux_pe_header + + #if defined(__aarch64__) + # define GRUB_LINUX_ARMXX_MAGIC_SIGNATURE GRUB_LINUX_ARM64_MAGIC_SIGNATURE ++# define GRUB_PE32_PEXX_MAGIC GRUB_PE32_PE64_MAGIC + # define linux_arch_kernel_header linux_arm64_kernel_header + # define grub_armxx_linux_pe_header grub_arm64_linux_pe_header + #endif +-- +2.23.0 diff --git a/backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch b/backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch new file mode 100644 index 0000000..c4b26c0 --- /dev/null +++ b/backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch @@ -0,0 +1,192 @@ +From: Benjamin Herrenschmidt +Date: Mon, 2 Aug 2021 23:10:01 +1000 +Subject: [PATCH 1/2] arm64: Fix EFI loader kernel image allocation + +We are currently allocating just enough memory for the file size, +which means that the kernel BSS is in limbo (and not even zeroed). + +We are also not honoring the alignment specified in the image +PE header. + +This makes us use the PE optional header in which the kernel puts the +actual size it needs, including BSS, and make sure we clear it, and +honors the specified alignment for the image. + +Signed-off-by: Benjamin Herrenschmidt +--- + grub-core/loader/arm64/linux.c | 102 ++++++++++++++++++++++----------- + 1 file changed, 67 insertions(+), 35 deletions(-) + +diff --git a/grub-core/loader/arm64/linux.c b/grub-core/loader/arm64/linux.c +index a18c487..a803aa9 100644 +--- a/grub-core/loader/arm64/linux.c ++++ b/grub-core/loader/arm64/linux.c +@@ -40,6 +40,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); + static grub_dl_t my_mod; + static int loaded; + ++static void *kernel_alloc_addr; ++static grub_uint32_t kernel_alloc_pages; + static void *kernel_addr; + static grub_uint64_t kernel_size; + static grub_uint32_t handover_offset; +@@ -223,9 +225,8 @@ grub_linux_unload (void) + GRUB_EFI_BYTES_TO_PAGES (initrd_end - initrd_start)); + initrd_start = initrd_end = 0; + grub_free (linux_args); +- if (kernel_addr) +- grub_efi_free_pages ((grub_addr_t) kernel_addr, +- GRUB_EFI_BYTES_TO_PAGES (kernel_size)); ++ if (kernel_alloc_addr) ++ grub_efi_free_pages ((grub_addr_t) kernel_alloc_addr, kernel_alloc_pages); + grub_fdt_unload (); + return GRUB_ERR_NONE; + } +@@ -330,14 +331,35 @@ grub_cmd_initrd (grub_command_t cmd __attribute__ ((unused)), + return grub_errno; + } + ++static grub_err_t ++parse_pe_header (void *kernel, grub_uint64_t *total_size, ++ grub_uint32_t *entry_offset, ++ grub_uint32_t *alignment) ++{ ++ struct linux_arch_kernel_header *lh = kernel; ++ struct grub_armxx_linux_pe_header *pe; ++ ++ pe = (void *)((unsigned long)kernel + lh->hdr_offset); ++ ++ if (pe->opt.magic != GRUB_PE32_PE64_MAGIC) ++ return grub_error(GRUB_ERR_BAD_OS, "Invalid PE optional header magic"); ++ ++ *total_size = pe->opt.image_size; ++ *entry_offset = pe->opt.entry_addr; ++ *alignment = pe->opt.section_alignment; ++ ++ return GRUB_ERR_NONE; ++} ++ + static grub_err_t + grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + int argc, char *argv[]) + { + grub_file_t file = 0; +- struct linux_arch_kernel_header lh; +- struct grub_armxx_linux_pe_header *pe; + grub_err_t err; ++ grub_off_t filelen; ++ grub_uint32_t align; ++ void *kernel = NULL; + int rc; + + grub_dl_ref (my_mod); +@@ -351,41 +373,25 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL); + if (!file) + goto fail; +- +- kernel_size = grub_file_size (file); +- +- if (grub_file_read (file, &lh, sizeof (lh)) < (long) sizeof (lh)) +- return grub_errno; +- +- if (grub_arch_efi_linux_check_image (&lh) != GRUB_ERR_NONE) +- goto fail; +- +- grub_loader_unset(); +- +- grub_dprintf ("linux", "kernel file size: %lld\n", (long long) kernel_size); +- kernel_addr = grub_efi_allocate_any_pages (GRUB_EFI_BYTES_TO_PAGES (kernel_size)); +- grub_dprintf ("linux", "kernel numpages: %lld\n", +- (long long) GRUB_EFI_BYTES_TO_PAGES (kernel_size)); +- if (!kernel_addr) ++ ++ filelen = grub_file_size (file); ++ kernel = grub_malloc(filelen); ++ if (!kernel) + { +- grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); ++ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("cannot allocate kernel load buffer")); + goto fail; + } + +- grub_file_seek (file, 0); +- if (grub_file_read (file, kernel_addr, kernel_size) +- < (grub_int64_t) kernel_size) ++ if (grub_file_read (file, kernel, filelen) < (grub_ssize_t)filelen) + { +- if (!grub_errno) +- grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"), argv[0]); ++ grub_error (GRUB_ERR_FILE_READ_ERROR, N_("Can't read kernel %s"), ++ argv[0]); + goto fail; + } + +- grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); +- + if (grub_efi_secure_boot ()) + { +- rc = grub_linuxefi_secure_validate (kernel_addr, kernel_size); ++ rc = grub_linuxefi_secure_validate (kernel, filelen); + if (rc <= 0) + { + grub_error (GRUB_ERR_INVALID_COMMAND, +@@ -394,8 +400,32 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + } + } + +- pe = (void *)((unsigned long)kernel_addr + lh.hdr_offset); +- handover_offset = pe->opt.entry_addr; ++ if (grub_arch_efi_linux_check_image (kernel) != GRUB_ERR_NONE) ++ goto fail; ++ if (parse_pe_header (kernel, &kernel_size, &handover_offset, &align) != GRUB_ERR_NONE) ++ goto fail; ++ grub_dprintf ("linux", "kernel mem size : %lld\n", (long long) kernel_size); ++ grub_dprintf ("linux", "kernel entry offset : %d\n", handover_offset); ++ grub_dprintf ("linux", "kernel alignment : 0x%x\n", align); ++ ++ grub_loader_unset(); ++ ++ kernel_alloc_pages = GRUB_EFI_BYTES_TO_PAGES (kernel_size + align - 1); ++ kernel_alloc_addr = grub_efi_allocate_any_pages (kernel_alloc_pages); ++ grub_dprintf ("linux", "kernel numpages: %d\n", kernel_alloc_pages); ++ if (!kernel_alloc_addr) ++ { ++ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory")); ++ goto fail; ++ } ++ kernel_addr = (void *)ALIGN_UP((grub_uint64_t)kernel_alloc_addr, align); ++ ++ grub_dprintf ("linux", "kernel @ %p\n", kernel_addr); ++ grub_memcpy (kernel_addr, kernel, grub_min(filelen, kernel_size)); ++ if (kernel_size > filelen) ++ grub_memset ((char *)kernel_addr + filelen, 0, kernel_size - filelen); ++ grub_free(kernel); ++ kernel = NULL; + + cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE); + linux_args = grub_malloc (cmdline_size); +@@ -419,6 +449,9 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)), + } + + fail: ++ if (kernel) ++ grub_free (kernel); ++ + if (file) + grub_file_close (file); + +@@ -431,9 +464,8 @@ fail: + if (linux_args && !loaded) + grub_free (linux_args); + +- if (kernel_addr && !loaded) +- grub_efi_free_pages ((grub_addr_t) kernel_addr, +- GRUB_EFI_BYTES_TO_PAGES (kernel_size)); ++ if (kernel_alloc_addr && !loaded) ++ grub_efi_free_pages ((grub_addr_t) kernel_alloc_addr, kernel_alloc_pages); + + return grub_errno; + } +-- +2.23.0 diff --git a/grub.patches b/grub.patches index 5feaa93..3a8c74c 100644 --- a/grub.patches +++ b/grub.patches @@ -353,3 +353,8 @@ Patch0352: backport-0079-efi-tpm-Fix-typo-in-grub_efi_tpm2_protocol-struct.patch Patch0353: backport-0080-misc-Add-parentheses-around-ALIGN_UP-and-ALIGN_DOWN-.patch Patch0354: backport-0081-verifiers-Fix-calling-uninitialized-function-pointer.patch Patch0355: backport-templates-Fix-bad-test-on-GRUB_DISABLE_SUBMENU.patch +Patch0356: grub2-set-password-prompts-to-enter-the-current-pass.patch +Patch0357: support-TPM2.0.patch +Patch0358: use-default-timestamp.patch +Patch0359: backport-arm64-Fix-EFI-loader-kernel-image-allocation.patch +Patch0360: backport-Arm-check-for-the-PE-magic-for-the-compiled-arch.patch diff --git a/grub2-set-password-prompts-to-enter-the-current-pass.patch b/grub2-set-password-prompts-to-enter-the-current-pass.patch new file mode 100644 index 0000000..9d02dd8 --- /dev/null +++ b/grub2-set-password-prompts-to-enter-the-current-pass.patch @@ -0,0 +1,302 @@ +From 5099013778b2433a4dee3ae5e4826d8add1c1fb7 Mon Sep 17 00:00:00 2001 +From: liuxin +Date: Thu, 2 Sep 2021 17:30:39 +0800 +Subject: [PATCH] grub2-set-password prompts to enter the current password and + add the password complexity check + +--- + util/grub-mkpasswd-pbkdf2.c | 95 +++++++++++++++++++++++++++++- + util/grub-set-password.in | 114 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 207 insertions(+), 2 deletions(-) + +diff --git a/util/grub-mkpasswd-pbkdf2.c b/util/grub-mkpasswd-pbkdf2.c +index 5805f3c..68c2032 100644 +--- a/util/grub-mkpasswd-pbkdf2.c ++++ b/util/grub-mkpasswd-pbkdf2.c +@@ -42,10 +42,14 @@ + + #include "progname.h" + ++#define GRUB_PARAM_ERROR 1 ++#define GRUB_PARAM_SUCCESS 0 ++ + static struct argp_option options[] = { + {"iteration-count", 'c', N_("NUM"), 0, N_("Number of PBKDF2 iterations"), 0}, + {"buflen", 'l', N_("NUM"), 0, N_("Length of generated hash"), 0}, + {"salt", 's', N_("NUM"), 0, N_("Length of salt"), 0}, ++ {"salt arg", 'a', N_("VARCHAR"), 0, N_("preset salt var(hex code)"), 0}, + { 0, 0, 0, 0, 0, 0 } + }; + +@@ -54,8 +58,45 @@ struct arguments + unsigned int count; + unsigned int buflen; + unsigned int saltlen; ++ char * salt; + }; + ++static int illegal_char(char t) ++{ ++ int illegal = GRUB_PARAM_ERROR; ++ char legal[] = "0123456789ABCDEF"; ++ for (int i = 0; i < grub_strlen(legal); ++i) { ++ if (t == legal[i]) { ++ illegal = GRUB_PARAM_SUCCESS; ++ break; ++ } ++ } ++ return illegal; ++} ++ ++static int check_salt_verify(const char * arg) ++{ ++ grub_size_t len = grub_strlen(arg); ++ if (len <= 0 || len >= GRUB_SIZE_MAX) ++ { ++ fprintf(stderr, "salt length may be empty or too long!\n"); ++ return GRUB_PARAM_ERROR; ++ } ++ if (len % 2 != 0) ++ { ++ fprintf(stderr, "the salt value length is an even number!\n"); ++ return GRUB_PARAM_ERROR; ++ } ++ for (int i = 0; i < len; ++i) ++ { ++ if (illegal_char(arg[i])) ++ { ++ return GRUB_PARAM_ERROR; ++ } ++ } ++ return GRUB_PARAM_SUCCESS; ++} ++ + static error_t + argp_parser (int key, char *arg, struct argp_state *state) + { +@@ -76,6 +117,16 @@ argp_parser (int key, char *arg, struct argp_state *state) + case 's': + arguments->saltlen = strtoul (arg, NULL, 0); + break; ++ ++ case 'a': ++ if (check_salt_verify(arg)) ++ { ++ fprintf(stderr, "only hexadecimal numbers consisting of digits and uppercase letters are supported\n"); ++ return ARGP_ERR_UNKNOWN; ++ } ++ arguments->saltlen = grub_strlen(arg) / 2; ++ arguments->salt = arg; ++ break; + default: + return ARGP_ERR_UNKNOWN; + } +@@ -110,13 +161,44 @@ hexify (char *hex, grub_uint8_t *bin, grub_size_t n) + *hex = 0; + } + ++static void ++hextobyte(const char *hex, grub_uint8_t *bin, grub_size_t n) ++{ ++ while(n) ++ { ++ grub_uint8_t tmp = 0x00; ++ if (((*hex) <= '9') && ((*hex) >= '0')) ++ { ++ tmp += (grub_uint8_t)((*hex) - '0') << 4 & 0xf0; ++ } ++ else ++ { ++ tmp += (grub_uint8_t)((*hex) - 'A' + 10) << 4 & 0xf0; ++ } ++ hex++; ++ if (((*hex) <= '9') && ((*hex) >= '0')) ++ { ++ tmp += (grub_uint8_t)((*hex) - '0') & 0x0f; ++ } ++ else ++ { ++ tmp += (grub_uint8_t)((*hex) - 'A' + 10) & 0x0f; ++ } ++ *bin = tmp; ++ bin++; ++ hex++; ++ n -= 2; ++ } ++} ++ + int + main (int argc, char *argv[]) + { + struct arguments arguments = { + .count = 10000, + .buflen = 64, +- .saltlen = 64 ++ .saltlen = 64, ++ .salt = NULL + }; + char *result, *ptr; + gcry_err_code_t gcry_err; +@@ -133,6 +215,12 @@ main (int argc, char *argv[]) + exit(1); + } + ++ if (arguments.salt != NULL && grub_strlen(arguments.salt) != 2 * arguments.saltlen) ++ { ++ fprintf(stderr, "%s", _("If the -a parameter is set, don't set the -s parameter again\n")); ++ exit(1); ++ } ++ + buf = xmalloc (arguments.buflen); + salt = xmalloc (arguments.saltlen); + +@@ -161,7 +249,10 @@ main (int argc, char *argv[]) + } + memset (pass2, 0, sizeof (pass2)); + +- if (grub_get_random (salt, arguments.saltlen)) ++ if (arguments.salt != NULL) ++ { ++ hextobyte(arguments.salt, salt, arguments.saltlen * 2); ++ } else if (grub_get_random (salt, arguments.saltlen)) + { + memset (pass1, 0, sizeof (pass1)); + free (buf); +diff --git a/util/grub-set-password.in b/util/grub-set-password.in +index 487fbb1..3d0be26 100644 +--- a/util/grub-set-password.in ++++ b/util/grub-set-password.in +@@ -87,16 +87,130 @@ fixtty() { + } + + trap fixtty EXIT ++ ++getsaltpass() { ++ local P0 ++ local P1 ++ P0="$1" && shift ++ P1="$1" && shift ++ P2="$1" && shift ++ ++ ( echo ${P0} ; echo ${P1} ) | \ ++ LC_ALL=C ${grub_mkpasswd} -a ${P2} | \ ++ grep -v '[eE]nter password:' | \ ++ sed -e "s/PBKDF2 hash of your password is //" ++} ++ ++verifyusercfgoldpasswd() { ++ # get old password salt ++ expectsalt=`cat ${grubdir}/user.cfg | cut -d "." -f 5` ++ # get expect password ++ expectpass=`cat ${grubdir}/user.cfg` ++ prefix="GRUB2_PASSWORD=" ++ ++ stty -echo ++ echo -n "Enter Current password: " ++ read PASSWORD_CURRENT ++ echo ++ ++ needcheckpass="${prefix}$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")" ++ if [ "$expectpass" != "$needcheckpass" ]; then ++ echo "Authentication failed" ++ exit 1 ++ fi ++ ++ stty ${ttyopt} ++} ++ ++verifygrubcfgoldpasswd() { ++ # get old password line ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root grub.pbkdf2.sha512" | cut -d " " -f 3` ++ # if not get password, try a quotation mark match ++ if [ -z "$expectpass" ];then ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root \"grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "\"" -f 2` ++ fi ++ if [ -z "$expectpass" ];then ++ expectpass=`cat ${grubdir}/grub.cfg | grep "password_pbkdf2 root 'grub.pbkdf2.sha512" | cut -d " " -f 3 | cut -d "'" -f 2` ++ fi ++ if [ -n "$expectpass" ];then ++ # get old password salt ++ expectsalt=`echo ${expectpass} | cut -d "." -f 5` ++ stty -echo ++ echo -n "Enter Current password: " ++ read PASSWORD_CURRENT ++ echo ++ ++ needcheckpass="$(getsaltpass "${PASSWORD_CURRENT}" "${PASSWORD_CURRENT}" "${expectsalt}")" ++ if [ "$expectpass" != "$needcheckpass" ]; then ++ echo "Authentication failed" ++ exit 1 ++ fi ++ fi ++ ++} ++ ++if [ -e ${grubdir}/user.cfg ];then ++ verifyusercfgoldpasswd ++else ++ verifygrubcfgoldpasswd ++fi ++ ++checkcomplexity() { ++ set +e ++ USERNAME=`cat ${grubdir}/grub.cfg | grep "set superusers=" | cut -d "\"" -f 2 |tail -1` ++ local P1="$1" && shift ++ if [ "$P1" = "$USERNAME" ];then ++ echo "The password contains the user name in some form" ++ exit 1 ++ fi ++ # password len >= 8 ++ strlen=`echo "$P1" | grep -E '^(.{8,}).*$'` ++ if [ -z "$strlen" ];then ++ echo "The password is shorter than 8 characters" ++ exit 1 ++ fi ++ # lowercase ++ strlow=`echo "$P1" | grep -E --color '^(.*[a-z]+).*$'` ++ # uppercase ++ strupp=`echo $P1 | grep -E --color '^(.*[A-Z]).*$'` ++ # special character ++ strts=`echo $P1 | grep -E --color '^(.*\W).*$'` ++ # num ++ strnum=`echo $P1 | grep -E --color '^(.*[0-9]).*$'` ++ complexity=0 ++ if [ -n "$strlow" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strupp" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strts" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ -n "$strnum" ];then ++ complexity=`expr $complexity + 1` ++ fi ++ if [ $complexity -lt 3 ];then ++ echo "The password contains less than 3 character classes" ++ exit 1 ++ fi ++ set -e ++} ++ + stty -echo + + # prompt & confirm new grub2 root user password + echo -n "Enter password: " + read PASSWORD + echo ++stty ${ttyopt} ++checkcomplexity $PASSWORD ++stty -echo + echo -n "Confirm password: " + read PASSWORD_CONFIRM + echo + stty ${ttyopt} ++checkcomplexity $PASSWORD_CONFIRM + + getpass() { + local P0 +-- +2.23.0 + diff --git a/grub2.spec b/grub2.spec index 2f03e04..4725173 100644 --- a/grub2.spec +++ b/grub2.spec @@ -8,7 +8,7 @@ Name: grub2 Epoch: 1 Version: 2.04 -Release: 22 +Release: 24 Summary: Bootloader with support for Linux, Multiboot and more License: GPLv3+ URL: http://www.gnu.org/software/grub/ @@ -450,12 +450,26 @@ rm -r /boot/grub2.tmp/ || : %{_datadir}/man/man* %changelog -* Sat Feb 26 2022 zhangqiumiao - 2.04-22 +* Sat Feb 26 2022 yanan - 2.04-24 +- Type:bugfix +- CVE:NA +- SUG:NA +- DESC:Fix arm64 kernel image not aligned on 64k boundary + +* Sat Feb 26 2022 zhangqiumiao - 2.04-23 - Type:bugfix - CVE:NA - SUG:NA - DESC:disable grub-boot-success.service +* Fri Nov 26 2021 xihaochen - 2.04-22 +- Type:bugfix +- ID:NA +- SUG:NA + DESC:grub2 set password prompts to enter the current pass + support TPM2.0 + use default timestamp + * Tue Nov 16 2021 fengtao - 2.04-21 - Type:bugfix - ID:NA diff --git a/support-TPM2.0.patch b/support-TPM2.0.patch new file mode 100644 index 0000000..790a60f --- /dev/null +++ b/support-TPM2.0.patch @@ -0,0 +1,96 @@ +From c4c243d19d77cab3591f0272c8e36619ccbbddf3 Mon Sep 17 00:00:00 2001 +From: gaoyusong +Date: Thu, 13 May 2021 18:34:23 +0800 +Subject: [PATCH] support TPM2.0 + +--- + grub-core/kern/verifiers.c | 25 +++++++++++++++++++------ + grub-core/script/execute.c | 12 +++++++++++- + 2 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c +index aa3dc7c..dfd73e5 100644 +--- a/grub-core/kern/verifiers.c ++++ b/grub-core/kern/verifiers.c +@@ -84,9 +84,16 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + grub_file_t ret = 0; + grub_err_t err; + int defer = 0; ++ int grub_env_flag = 0; ++ char *ptr = NULL; + + grub_dprintf ("verify", "file: %s type: %d\n", io->name, type); + ++ ptr = grub_strstr(io->name, "grubenv"); ++ if (ptr) { ++ grub_env_flag = 1; ++ } ++ + if ((type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_SIGNATURE + || (type & GRUB_FILE_TYPE_MASK) == GRUB_FILE_TYPE_VERIFY_SIGNATURE + || (type & GRUB_FILE_TYPE_SKIP_SIGNATURE)) +@@ -148,6 +155,8 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + verified->buf = grub_malloc (ret->size); + if (!verified->buf) + { ++ grub_error (GRUB_ERR_OUT_OF_MEMORY, ++ "cannot allocate verified buffer, the %s is too large\n", io->name); + goto fail; + } + if (grub_file_read (io, verified->buf, ret->size) != (grub_ssize_t) ret->size) +@@ -158,9 +167,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + goto fail; + } + +- err = ver->write (context, verified->buf, ret->size); +- if (err) +- goto fail; ++ if (!grub_env_flag) { ++ err = ver->write (context, verified->buf, ret->size); ++ if (err) ++ goto fail; ++ } + + err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE; + if (err) +@@ -179,9 +190,11 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type) + /* Verification done earlier. So, we are happy here. */ + flags & GRUB_VERIFY_FLAGS_DEFER_AUTH) + continue; +- err = ver->write (context, verified->buf, ret->size); +- if (err) +- goto fail; ++ if (!grub_env_flag) { ++ err = ver->write (context, verified->buf, ret->size); ++ if (err) ++ goto fail; ++ } + + err = ver->fini ? ver->fini (context) : GRUB_ERR_NONE; + if (err) +diff --git a/grub-core/script/execute.c b/grub-core/script/execute.c +index 0c6dd9c..3e761c4 100644 +--- a/grub-core/script/execute.c ++++ b/grub-core/script/execute.c +@@ -1002,7 +1002,17 @@ grub_script_execute_cmdline (struct grub_script_cmd *cmd) + argv.args[i]); + } + cmdstring[cmdlen - 1] = '\0'; +- grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); ++ ++ if (grub_strncmp(cmdstring, "[ 0 = 1 ]", 9) == 0) { ++ char res_str[] = "[ = 1 ]"; ++ grub_verify_string (res_str, GRUB_VERIFY_COMMAND); ++ } else if (grub_strncmp(cmdstring, "[ 0 = 1 -o = 1 ]", 17) == 0) { ++ char res_str[] = "[ = 1 -o = 1 ]"; ++ grub_verify_string (res_str, GRUB_VERIFY_COMMAND); ++ } else { ++ grub_verify_string (cmdstring, GRUB_VERIFY_COMMAND); ++ } ++ + grub_free (cmdstring); + invert = 0; + argc = argv.argc - 1; +-- +2.19.1 + diff --git a/use-default-timestamp.patch b/use-default-timestamp.patch new file mode 100644 index 0000000..16934bf --- /dev/null +++ b/use-default-timestamp.patch @@ -0,0 +1,57 @@ +From 8922ea771163655f1d5dc8da589a6291976ae489 Mon Sep 17 00:00:00 2001 +From: zhouyihang +Date: Thu, 10 Jun 2021 20:01:54 +0800 +Subject: [PATCH] huawei use default timestamp + +--- + docs/grub-dev.texi | 4 ++-- + docs/grub.texi | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs/grub-dev.texi b/docs/grub-dev.texi +index f488e82..355764a 100644 +--- a/docs/grub-dev.texi ++++ b/docs/grub-dev.texi +@@ -18,7 +18,7 @@ + + @copying + This developer manual is for GNU GRUB (version @value{VERSION}, +-@value{UPDATED}). ++24 June 2019). + + Copyright @copyright{} 1999,2000,2001,2002,2004,2005,2006,2008,2009,2010,2011 Free Software Foundation, Inc. + +@@ -40,7 +40,7 @@ Invariant Sections. + @titlepage + @sp 10 + @title the GNU GRUB developer manual +-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. ++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019. + @author Yoshinori K. Okuji + @author Colin D Bennett + @author Vesa Jääskeläinen +diff --git a/docs/grub.texi b/docs/grub.texi +index 262388c..41c1a89 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -18,7 +18,7 @@ + + @copying + This manual is for GNU GRUB (version @value{VERSION}, +-@value{UPDATED}). ++24 June 2019). + + Copyright @copyright{} 1999,2000,2001,2002,2004,2006,2008,2009,2010,2011,2012,2013 Free Software Foundation, Inc. + +@@ -48,7 +48,7 @@ Invariant Sections. + @titlepage + @sp 10 + @title the GNU GRUB manual +-@subtitle The GRand Unified Bootloader, version @value{VERSION}, @value{UPDATED}. ++@subtitle The GRand Unified Bootloader, version @value{VERSION}, 24 June 2019. + @author Gordon Matzigkeit + @author Yoshinori K. Okuji + @author Colin Watson +-- +2.27.0 + -- Gitee