Control: tags -1 d-i confirmed
Hi,
This needs an ACK from d-boot as well.
On 16-05-2021 12:05, Colin Watson wrote:
> Please unblock grub2 2.04-18. This is mostly fixes from Steve to sort
> out UEFI Secure Boot on i386. The upstream patch to fix section size
> calculation *seems* to only fix a problem on ia64 right now, which of
> course wouldn't be release-critical by itself, but having
> potentially-incorrect section sizes gives me the shivers so I thought it
> best to include this as well.
>
> You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
> well to match, since these four source packages must all have matching
> versions - I'm not sure exactly how the tools work from your end.
>
> diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
> --- grub2-2.04/debian/.git-dpm 2021-03-19 10:41:41.000000000 +0000
> +++ grub2-2.04/debian/.git-dpm 2021-04-25 16:20:17.000000000 +0100
> @@ -1,6 +1,6 @@
> # see git-dpm(1) from git-dpm package
> -3d246c561a2c6aa18b78eae69e5100a2347dc7aa
> -3d246c561a2c6aa18b78eae69e5100a2347dc7aa
> +0eae44daa60c3f0ce8fdb349ba71b869a6738efd
> +0eae44daa60c3f0ce8fdb349ba71b869a6738efd
> 578bb115fbd47e1c464696f1f8d6183e5443975d
> 578bb115fbd47e1c464696f1f8d6183e5443975d
> grub2_2.04.orig.tar.xz
> diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
> --- grub2-2.04/debian/build-efi-images 2021-03-19 10:41:41.000000000 +0000
> +++ grub2-2.04/debian/build-efi-images 2021-04-25 16:20:17.000000000 +0100
> @@ -150,12 +150,6 @@
> cpuid
> linuxefi
> play
> - "
> - ;;
> -esac
> -case $platform in
> - x86_64-efi)
> - CD_MODULES="$CD_MODULES
> tpm
> "
> ;;
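Review bot: With the separate `case $platform in x86_64-efi)` arm removed, `tpm` is now appended to CD_MODULES inside whichever arm also lists cpuid, linuxefi and play, and that arm's pattern sits above the hunk. If that pattern is x86-only (cpuid and linuxefi suggest it may be), arm64 CD images would still get no tpm module, which would contradict the changelog's "Ensure that tpm is included in our EFI images"; please confirm the pattern, or move `tpm` into the platform-independent part of the list. A one-line comment such as `# tpm is built for every EFI target since Makefile.core.def now has enable = efi` would record why the extra case was dropped. The enclosing case statement starts outside the hunk.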
> @@ -197,6 +191,7 @@
> "
>
> # CD boot image
> +echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi"
> "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
> -d "$grub_core" \
> -c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
> @@ -205,12 +200,14 @@
> $CD_MODULES
>
> # Normal disk boot image
> +echo "Including modules $GRUB_MODULES in $outdir/grub$efi_name.efi"
> "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
> -d "$grub_core" -p "/EFI/$efi_vendor" \
> --sbat "$sbat_csv" \
> $GRUB_MODULES
>
> # Normal network boot image
> +echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
> "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
> -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
> -m "$workdir/memdisk-netboot.fat" \
> @@ -221,6 +218,7 @@
> # Special network boot image for d-i to use. Just the same as the
> # normal network boot image, but with a different value baked in for
> # the prefix setting
> +echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
> "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
> -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
> -m "$workdir/memdisk-netboot.fat" \
> diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
> --- grub2-2.04/debian/changelog 2021-03-19 10:41:41.000000000 +0000
> +++ grub2-2.04/debian/changelog 2021-04-25 16:20:17.000000000 +0100
> @@ -1,3 +1,18 @@
> +grub2 (2.04-18) unstable; urgency=medium
> +
> + [ Steve McIntyre ]
> + * Enable the shim_lock and tpm modules for i386-efi too. Ensure that
> + tpm is included in our EFI images.
> + * List the modules we include the EFI images - make it easier to
> + debug things.
> + * Add debug to display what's going on with verifiers
> +
> + [ Colin Watson ]
> + * util/mkimage: Some fixes to PE binaries section size calculation
> + (closes: #987103).
> +
> + -- Colin Watson <cjwatson@debian.org> Sun, 25 Apr 2021 16:20:17 +0100
> +
> grub2 (2.04-17) unstable; urgency=medium
>
> * Pass --sbat when building the d-i netboot image as well.
> diff -Nru grub2-2.04/debian/patches/debug_verifiers.patch grub2-2.04/debian/patches/debug_verifiers.patch
> --- grub2-2.04/debian/patches/debug_verifiers.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.04/debian/patches/debug_verifiers.patch 2021-04-25 16:20:17.000000000 +0100
> @@ -0,0 +1,28 @@
> +From bb6fe7f81818b8d102ca92b174d79aebb62469a0 Mon Sep 17 00:00:00 2001
> +From: Steve McIntyre <93sam@debian.org>
> +Date: Sat, 17 Apr 2021 22:05:47 +0100
> +Subject: Add debug to display what's going on with verifiers
> +
> +Patch-Name: debug_verifiers.patch
> +---
> + grub-core/kern/verifiers.c | 2 ++
> + 1 file changed, 2 insertions(+)
> +
> +diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
> +index 58dbe152a..ff984c8d8 100644
> +--- a/grub-core/kern/verifiers.c
> ++++ b/grub-core/kern/verifiers.c
> +@@ -100,11 +100,13 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
> + FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
> + {
> + enum grub_verify_flags flags = 0;
> ++ grub_dprintf ("verify", "trying verifier %s\n", ver->name);
> + err = ver->init (io, type, &context, &flags);
> + if (err)
> + goto fail_noclose;
> + if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
> + {
> ++ grub_dprintf ("verify", "verifier %s said GRUB_VERIFY_FLAGS_DEFER_AUTH\n", ver->name);
> + defer = 1;
> + continue;
> + }
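Review bot: The new tracing covers the init call and the defer path but not the failure path at `if (err) goto fail_noclose;`, which is the case most likely to need debugging when an image is rejected; a message there, e.g. `grub_dprintf ("verify", "verifier %s init failed\n", ver->name);` placed before the goto, would complete the picture. Both existing messages are gated on the `verify` debug facility, so the extra line adds no output during a normal boot. grub_verifiers_open continues outside the hunk.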
> diff -Nru grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch
> --- grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch 2021-04-25 16:20:17.000000000 +0100
> @@ -0,0 +1,33 @@
> +From 3d04d38e67bb78127a6ec4329634441c4bf4194c Mon Sep 17 00:00:00 2001
> +From: Steve McIntyre <93sam@debian.org>
> +Date: Sat, 17 Apr 2021 22:04:38 +0100
> +Subject: Enable shim_lock and tpm modules for all efi platforms, not just
> + x86_64_efi
> +
> +Patch-Name: enable_shim_lock_i386_efi.patch
> +---
> + grub-core/Makefile.core.def | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> +index 43b3da725..b9d2912a0 100644
> +--- a/grub-core/Makefile.core.def
> ++++ b/grub-core/Makefile.core.def
> +@@ -948,7 +948,7 @@ module = {
> + module = {
> + name = shim_lock;
> + common = commands/efi/shim_lock.c;
> +- enable = x86_64_efi;
> ++ enable = efi;
> + };
> +
> + module = {
> +@@ -2488,7 +2488,7 @@ module = {
> + name = tpm;
> + common = commands/tpm.c;
> + efi = commands/efi/tpm.c;
> +- enable = x86_64_efi;
> ++ enable = efi;
> + };
> +
> + module = {
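Review bot: The patch is named enable_shim_lock_i386_efi.patch and the changelog speaks of i386-efi, but `enable = efi;` turns shim_lock and tpm on for every EFI target GRUB builds (arm64, ia64 and the rest), not just i386; the patch description should say so and note which of those targets were build-tested, since in this tree commands/efi/shim_lock.c and commands/efi/tpm.c had previously only been compiled for x86_64_efi. If only the two x86 targets are intended, the def format allows listing them explicitly, `enable = i386_efi;` followed by `enable = x86_64_efi;`, which would match the patch name exactly.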
> diff -Nru grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch
> --- grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch 2021-04-25 16:20:17.000000000 +0100
> @@ -0,0 +1,109 @@
> +From 0eae44daa60c3f0ce8fdb349ba71b869a6738efd Mon Sep 17 00:00:00 2001
> +From: Javier Martinez Canillas <javierm@redhat.com>
> +Date: Fri, 16 Apr 2021 21:37:23 +0200
> +Subject: util/mkimage: Some fixes to PE binaries section size calculation
> +
> +Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
> +added a helper function to setup PE sections, but it caused regressions
> +in some arches where the natural alignment lead to wrong section sizes.
> +
> +This patch fixes a few things that were caused the section sizes to be
> +calculated wrongly. These fixes are:
> +
> + * Only align the virtual memory addresses but not the raw data offsets.
> + * Use aligned sizes for virtual memory sizes but not for raw data sizes.
> + * Always align the sizes to set the virtual memory sizes.
> +
> +These seems to not cause problems for x64 and aa64 EFI platforms but was
> +a problem for ia64. Because the size of the ".data" and "mods" sections
> +were wrong and didn't have the correct content. Which lead to GRUB not
> +being able to load any built-in module.
> +
> +Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
> +Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
> +
> +Bug-Debian: https://bugs.debian.org/987103
> +
> +Patch-Name: mkimage-fix-section-sizes.patch
> +---
> + util/mkimage.c | 21 ++++++++++++---------
> + 1 file changed, 12 insertions(+), 9 deletions(-)
> +
> +diff --git a/util/mkimage.c b/util/mkimage.c
> +index b354ec1d9..9c01723ef 100644
> +--- a/util/mkimage.c
> ++++ b/util/mkimage.c
> +@@ -841,7 +841,7 @@ init_pe_section(const struct grub_install_image_target_desc *image_target,
> +
> + section->raw_data_offset = grub_host_to_target32 (*rda);
> + section->raw_data_size = grub_host_to_target32 (rsz);
> +- (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT);
> ++ (*rda) = *rda + rsz;
> +
> + section->characteristics = grub_host_to_target32 (characteristics);
> +
> +@@ -1296,7 +1296,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
> + char *pe_img, *pe_sbat, *header;
> + struct grub_pe32_section_table *section;
> + size_t n_sections = 4;
> +- size_t scn_size;
> ++ size_t scn_size, raw_size;
> + grub_uint32_t vma, raw_data;
> + size_t pe_size, header_size;
> + struct grub_pe32_coff_header *c;
> +@@ -1397,7 +1397,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
> + GRUB_PE32_SCN_MEM_EXECUTE |
> + GRUB_PE32_SCN_MEM_READ);
> +
> +- scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
> ++ raw_size = layout.kernel_size - layout.exec_size;
> ++ scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
> + /* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
> + PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
> + ALIGN_UP (total_module_size,
> +@@ -1405,15 +1406,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
> +
> + section = init_pe_section (image_target, section, ".data",
> + &vma, scn_size, image_target->section_align,
> +- &raw_data, scn_size,
> ++ &raw_data, raw_size,
> + GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
> + GRUB_PE32_SCN_MEM_READ |
> + GRUB_PE32_SCN_MEM_WRITE);
> +
> +- scn_size = pe_size - layout.reloc_size - sbat_size - raw_data;
> ++ raw_size = pe_size - layout.reloc_size - sbat_size - raw_data;
> ++ scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
> + section = init_pe_section (image_target, section, "mods",
> + &vma, scn_size, image_target->section_align,
> +- &raw_data, scn_size,
> ++ &raw_data, raw_size,
> + GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
> + GRUB_PE32_SCN_MEM_READ |
> + GRUB_PE32_SCN_MEM_WRITE);
> +@@ -1423,21 +1425,22 @@ grub_install_generate_image (const char *dir, const char *prefix,
> + pe_sbat = pe_img + raw_data;
> + grub_util_load_image (sbat_path, pe_sbat);
> +
> ++ scn_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
> + section = init_pe_section (image_target, section, ".sbat",
> +- &vma, sbat_size,
> ++ &vma, scn_size,
> + image_target->section_align,
> + &raw_data, sbat_size,
> + GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
> + GRUB_PE32_SCN_MEM_READ);
> + }
> +
> +- scn_size = layout.reloc_size;
> ++ scn_size = ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
> + PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
> + PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
> + memcpy (pe_img + raw_data, layout.reloc_section, scn_size);
> + init_pe_section (image_target, section, ".reloc",
> + &vma, scn_size, image_target->section_align,
> +- &raw_data, scn_size,
> ++ &raw_data, layout.reloc_size,
> + GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
> + GRUB_PE32_SCN_MEM_DISCARDABLE |
> + GRUB_PE32_SCN_MEM_READ);
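Review bot: In the `.reloc` hunk the line `memcpy (pe_img + raw_data, layout.reloc_section, scn_size);` still copies scn_size bytes, but scn_size is now `ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT)` rather than the exact size, so up to FILE_ALIGNMENT-1 bytes past the end of layout.reloc_section are read unless that buffer is allocated with the same padding (its allocation is outside the hunk); copying the value now passed as the raw size, `memcpy (pe_img + raw_data, layout.reloc_section, layout.reloc_size);`, removes the question. Relatedly, `base_relocation_table.size` is set to the padded scn_size, while the data-directory size is conventionally the exact relocation-table length and the zero padding could be read by a strict loader as a relocation block with SizeOfBlock 0, so using layout.reloc_size there deserves a look as well. The change to init_pe_section also makes `*rda` advance by the unpadded rsz, so the next section's PointerToRawData is no longer forced to a FileAlignment multiple; the commit message presents this as deliberate, but a comment at that line stating that callers must pass contiguous raw sizes would help the next reader. grub_install_generate_image continues outside the hunk.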
> diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
> --- grub2-2.04/debian/patches/series 2021-03-19 10:41:41.000000000 +0000
> +++ grub2-2.04/debian/patches/series 2021-04-25 16:20:17.000000000 +0100
> @@ -214,3 +214,6 @@
> 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
> 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
> pc-verifiers-module.patch
> +enable_shim_lock_i386_efi.patch
> +debug_verifiers.patch
> +mkimage-fix-section-sizes.patch
>
> unblock grub2/2.04-18
Paul