
Bug#928507: unblock: grub2/2.02+dfsg1-18



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2 2.02+dfsg1-18.  #927888 is RC; #927269 possibly
should be RC since it entirely breaks one of GRUB's platforms; and
#919915 causes upgrade trouble if you run into it.

(Apologies for the .gitignore/.bzrignore noise, which is the result of
switching to using dgit as of this upload.  But it's easy enough to, er,
ignore.)

I don't remember if it needs to be done separately, but I've included
the -signed versions in this unblock request just in case, since they
should all go in together.

unblock grub2/2.02+dfsg1-18
unblock grub-efi-amd64-signed/1+2.02+dfsg1+18
unblock grub-efi-arm64-signed/1+2.02+dfsg1+18
unblock grub-efi-ia32-signed/1+2.02+dfsg1+18

diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
--- grub2-2.02+dfsg1/debian/.git-dpm	2019-03-23 13:48:41.000000000 +0000
+++ grub2-2.02+dfsg1/debian/.git-dpm	2019-05-04 22:58:32.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3ddfe605a6a472100f529c3d7465bf4eb7fe954d
-3ddfe605a6a472100f529c3d7465bf4eb7fe954d
+9569221816a2a1a832be106440375a612e0121b7
+9569221816a2a1a832be106440375a612e0121b7
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
 grub2_2.02+dfsg1.orig.tar.xz
diff -Nru grub2-2.02+dfsg1/debian/.gitignore grub2-2.02+dfsg1/debian/.gitignore
--- grub2-2.02+dfsg1/debian/.gitignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/.gitignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,110 @@
+*.bash-completion
+*.config
+*.debhelper*
+*.postinst
+*.postrm
+*.preinst
+*.templates
+files
+grub-common
+grub-common.maintscript
+grub-coreboot
+grub-coreboot*.dirs
+grub-coreboot*.install
+grub-coreboot*.links
+grub-coreboot*.maintscript
+grub-coreboot-bin
+grub-coreboot-dbg
+grub-efi
+grub-efi-amd64
+grub-efi-amd64*.dirs
+grub-efi-amd64*.install
+grub-efi-amd64*.links
+grub-efi-amd64*.maintscript
+grub-efi-amd64-bin
+grub-efi-amd64-dbg
+grub-efi-amd64-signed-template
+grub-efi-arm
+grub-efi-arm*.dirs
+grub-efi-arm*.install
+grub-efi-arm*.links
+grub-efi-arm*.maintscript
+grub-efi-arm-bin
+grub-efi-arm-dbg
+grub-efi-arm64
+grub-efi-arm64*.dirs
+grub-efi-arm64*.install
+grub-efi-arm64*.links
+grub-efi-arm64*.maintscript
+grub-efi-arm64-bin
+grub-efi-arm64-dbg
+grub-efi-arm64-signed-template
+grub-efi-ia32
+grub-efi-ia32*.dirs
+grub-efi-ia32*.install
+grub-efi-ia32*.links
+grub-efi-ia32*.maintscript
+grub-efi-ia32-bin
+grub-efi-ia32-dbg
+grub-efi-ia32-signed-template
+grub-efi-ia64
+grub-efi-ia64*.dirs
+grub-efi-ia64*.install
+grub-efi-ia64*.links
+grub-efi-ia64*.maintscript
+grub-efi-ia64-bin
+grub-efi-ia64-dbg
+grub-emu
+grub-emu*.dirs
+grub-emu*.install
+grub-emu*.links
+grub-emu*.maintscript
+grub-emu-dbg
+grub-extras-enabled
+grub-extras/*/conf/*.mk
+grub-firmware-qemu
+grub-ieee1275
+grub-ieee1275*.dirs
+grub-ieee1275*.install
+grub-ieee1275*.links
+grub-ieee1275*.maintscript
+grub-ieee1275-bin
+grub-ieee1275-dbg
+grub-linuxbios
+grub-mount-udeb
+grub-pc
+grub-pc*.dirs
+grub-pc*.install
+grub-pc*.links
+grub-pc*.maintscript
+grub-pc-bin
+grub-pc-dbg
+grub-rescue-pc
+grub-theme-starfield
+grub-uboot
+grub-uboot*.dirs
+grub-uboot*.install
+grub-uboot*.links
+grub-uboot*.maintscript
+grub-uboot-bin
+grub-uboot-dbg
+grub-xen
+grub-xen*.dirs
+grub-xen*.install
+grub-xen*.links
+grub-xen*.maintscript
+grub-xen-bin
+grub-xen-dbg
+grub-xen-host
+grub-yeeloong
+grub-yeeloong*.dirs
+grub-yeeloong*.install
+grub-yeeloong*.links
+grub-yeeloong*.maintscript
+grub-yeeloong-bin
+grub-yeeloong-dbg
+grub2
+grub2-common
+prep-bootdev
+stamps
+tmp-*
diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
--- grub2-2.02+dfsg1/debian/changelog	2019-03-23 23:28:17.000000000 +0000
+++ grub2-2.02+dfsg1/debian/changelog	2019-05-04 22:58:32.000000000 +0100
@@ -1,3 +1,24 @@
+grub2 (2.02+dfsg1-18) unstable; urgency=medium
+
+  * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
+    #927269):
+    - arm: Move trampolines into code section
+    - arm: Align section alignment with manual relocation offset code
+  * Make grub2-common Breaks+Replaces grub-cloud-amd64 (<< 0.0.4) to work
+    around that package shipping colliding configuration file names in
+    stretch-backports (closes: #919915).
+  * Apply patch from Peter Jones to forbid the "devicetree" command when
+    Secure Boot is enabled (closes: #927888).
+
+ -- Colin Watson <cjwatson@debian.org>  Sat, 04 May 2019 22:58:32 +0100
+
+grub2 (2.02+dfsg1-17) unstable; urgency=medium
+
+  * Make grub-efi-*-bin recommend efibootmgr.  We don't actually use it any
+    more, but it's helpful for debugging.
+
+ -- Colin Watson <cjwatson@debian.org>  Mon, 15 Apr 2019 18:38:30 +0100
+
 grub2 (2.02+dfsg1-16) unstable; urgency=medium
 
   * Fix -Wcast-align diagnostics on ARM.
diff -Nru grub2-2.02+dfsg1/debian/control grub2-2.02+dfsg1/debian/control
--- grub2-2.02+dfsg1/debian/control	2019-03-23 13:48:37.000000000 +0000
+++ grub2-2.02+dfsg1/debian/control	2019-05-04 22:58:32.000000000 +0100
@@ -92,9 +92,9 @@
 # of the package is not very useful in a utilities-only build.
 Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
 Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends}
-Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
+Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
 Conflicts: grub-legacy
-Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
+Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
 Multi-Arch: foreign
 Description: GRand Unified Bootloader (common files for version 2)
  This package contains common files shared by the distinct flavours of GRUB.
@@ -247,7 +247,7 @@
 Package: grub-efi-ia32-bin
 Architecture: any-i386 any-amd64
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
-Recommends: grub-efi-ia32-signed,
+Recommends: grub-efi-ia32-signed, efibootmgr [linux-any]
 Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-ia32 (<< 1.99-1)
 Multi-Arch: foreign
 XB-Efi-Vendor: ${efi:Vendor}
@@ -308,7 +308,7 @@
 Package: grub-efi-amd64-bin
 Architecture: i386 kopensolaris-i386 any-amd64
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
-Recommends: grub-efi-amd64-signed,
+Recommends: grub-efi-amd64-signed, efibootmgr [linux-any]
 Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
 Multi-Arch: foreign
 XB-Efi-Vendor: ${efi:Vendor}
@@ -418,6 +418,7 @@
 Package: grub-efi-arm-bin
 Architecture: any-arm
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
+Recommends: efibootmgr [linux-any]
 Multi-Arch: foreign
 XB-Efi-Vendor: ${efi:Vendor}
 Description: GRand Unified Bootloader, version 2 (ARM UEFI modules)
@@ -468,7 +469,7 @@
 Package: grub-efi-arm64-bin
 Architecture: any-arm64
 Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
-Recommends: grub-efi-arm64-signed,
+Recommends: grub-efi-arm64-signed, efibootmgr [linux-any]
 Multi-Arch: foreign
 XB-Efi-Vendor: ${efi:Vendor}
 Description: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
diff -Nru grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore
--- grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,3 @@
+**/.deps-core
+**/.dirstamp
+Makefile.core.am
diff -Nru grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore
--- grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,3 @@
+**/.deps-core
+**/.dirstamp
+Makefile.core.am
diff -Nru grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore
--- grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,5 @@
+**/.deps-core
+**/.deps-util
+**/.dirstamp
+Makefile.core.am
+Makefile.util.am
diff -Nru grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore
--- grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,3 @@
+**/.deps-core
+**/.dirstamp
+Makefile.core.am
diff -Nru grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore
--- grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,3 @@
+**/.deps-core
+**/.dirstamp
+Makefile.core.am
diff -Nru grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch
--- grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,45 @@
+From 98e5faf41eb40e287dc00c79f461f5afa92d8a34 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@csgraf.de>
+Date: Tue, 30 Apr 2019 22:43:57 +0200
+Subject: arm: Align section alignment with manual relocation offset code
+
+The arm relocation code has a manual special case for EFI binaries to
+add the natural alignment to its own relocation awareness.
+
+Since commit a51f953f4ee87 ("mkimage: Align efi sections on 4k
+boundary") we changed that alignment from 0x400 to 0x1000 bytes. Reflect
+the change in that branch that we forgot as well.
+
+This fixes running 32bit arm grub efi binaries for me again.
+
+Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
+Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Reported-by: Steve McIntyre <steve@einval.com>
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
+Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
+Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
+Tested-by: Julien ROBIN <julien.robin28@free.fr>
+Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
+
+Bug-Debian: https://bugs.debian.org/927269
+Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00132.html
+Last-Update: 2019-05-03
+
+Patch-Name: arm-align-section-alignment-with-manual-reloc-offset.patch
+---
+ util/grub-mkimagexx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index 2f80e5abc..740b30483 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -1105,7 +1105,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
+ 				       (int) sym_addr, (int) sym_addr);
+ 		       /* Data will be naturally aligned */
+ 		       if (image_target->id == IMAGE_EFI)
+-			 sym_addr += 0x400;
++			 sym_addr += GRUB_PE32_SECTION_ALIGNMENT;
+ 		       *target = grub_host_to_target32 (grub_target_to_host32 (*target) + sym_addr);
+ 		     }
+ 		     break;
diff -Nru grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch
--- grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,83 @@
+From 61f1b949b4b9302b664553cdc5c77cb6fea8f897 Mon Sep 17 00:00:00 2001
+From: Alexander Graf <agraf@csgraf.de>
+Date: Tue, 30 Apr 2019 22:43:56 +0200
+Subject: arm: Move trampolines into code section
+
+When creating T32->A32 transition jumps, the relocation code in grub
+will generate trampolines. These trampolines live in the .data section
+of our PE binary which means they are not marked as executable.
+
+This misbehavior was unmasked by commit a51f953f4ee87 ("mkimage: Align
+efi sections on 4k boundary") which made the X/NX boundary more obvious
+because everything became page aligned.
+
+To put things into proper order, let's move the arm trampolines into the
+.text section instead. That way everyone knows they are executable.
+
+Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
+Reported-by: Julien ROBIN <julien.robin28@free.fr>
+Reported-by: Leif Lindholm <leif.lindholm@linaro.org>
+Signed-off-by: Alexander Graf <agraf@csgraf.de>
+Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
+Tested-by: Julien ROBIN <julien.robin28@free.fr>
+Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
+
+Bug-Debian: https://bugs.debian.org/927269
+Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00131.html
+Last-Update: 2019-05-03
+
+Patch-Name: arm-move-trampolines-into-code-section.patch
+---
+ util/grub-mkimagexx.c | 32 +++++++++++++++-----------------
+ 1 file changed, 15 insertions(+), 17 deletions(-)
+
+diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
+index 6c02faffb..2f80e5abc 100644
+--- a/util/grub-mkimagexx.c
++++ b/util/grub-mkimagexx.c
+@@ -1860,6 +1860,21 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
+ 	  }
+       }
+ 
++#ifdef MKIMAGE_ELF32
++  if (image_target->elf_target == EM_ARM)
++    {
++      grub_size_t tramp;
++
++      layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
++
++      tramp = arm_get_trampoline_size (e, sections, section_entsize,
++				       num_sections, image_target);
++
++      layout->tramp_off = layout->kernel_size;
++      layout->kernel_size += ALIGN_UP (tramp, 16);
++    }
++#endif
++
+   layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
+ 			      image_target->section_align)
+     - image_target->vaddr_offset;
+@@ -1876,23 +1891,6 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
+ 					      strtab,
+ 					      image_target);
+ 
+-#ifdef MKIMAGE_ELF32
+-  if (image_target->elf_target == EM_ARM)
+-    {
+-      grub_size_t tramp;
+-      layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
+-				      image_target->section_align) - image_target->vaddr_offset;
+-
+-      layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
+-
+-      tramp = arm_get_trampoline_size (e, sections, section_entsize,
+-				       num_sections, image_target);
+-
+-      layout->tramp_off = layout->kernel_size;
+-      layout->kernel_size += ALIGN_UP (tramp, 16);
+-    }
+-#endif
+-
+   layout->bss_start = layout->kernel_size;
+   layout->end = layout->kernel_size;
+   
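Review bot: The relocated `#ifdef MKIMAGE_ELF32` block in `locate_sections` has no comment recording that it must stay ahead of the `ALIGN_UP (layout->kernel_size + image_target->vaddr_offset, image_target->section_align)` round-up that now follows it. Per the patch description, that ordering is what keeps the ARM trampolines inside the executable `.text` range rather than `.data`. I would add something like `/* Reserve the ARM trampolines before the section-align round-up so they are laid out with the code (executable), not with the data. */` above the `if (image_target->elf_target == EM_ARM)` line, so a later reorder does not quietly put them back behind the X/NX boundary. The function body starts and ends outside both inner hunks, so whether other users of `layout->tramp_off` assume the old position cannot be confirmed from here.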
diff -Nru grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch
--- grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch	2019-05-04 22:58:32.000000000 +0100
@@ -0,0 +1,71 @@
+From 9569221816a2a1a832be106440375a612e0121b7 Mon Sep 17 00:00:00 2001
+From: Peter Jones <pjones@redhat.com>
+Date: Wed, 24 Apr 2019 10:03:04 -0400
+Subject: Forbid the "devicetree" command when Secure Boot is enabled.
+
+Signed-off-by: Peter Jones <pjones@redhat.com>
+Signed-off-by: Steve McIntyre <93sam@debian.org>
+
+Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
+Bug-Debian: https://bugs.debian.org/927888
+Last-Update: 2019-05-04
+
+Patch-Name: no-devicetree-if-secure-boot.patch
+---
+ grub-core/loader/arm/linux.c | 14 +++++++++++++-
+ grub-core/loader/efi/fdt.c   |  8 ++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
+index 9300adc8f..72d747578 100644
+--- a/grub-core/loader/arm/linux.c
++++ b/grub-core/loader/arm/linux.c
+@@ -29,6 +29,10 @@
+ #include <grub/lib/cmdline.h>
+ #include <grub/linux.h>
+ 
++#ifdef GRUB_MACHINE_EFI
++#include <grub/efi/efi.h>
++#endif
++
+ GRUB_MOD_LICENSE ("GPLv3+");
+ 
+ static grub_dl_t my_mod;
+@@ -433,9 +437,17 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
+   if (argc != 1)
+     return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+ 
++#ifdef GRUB_MACHINE_EFI
++  if (grub_efi_secure_boot ())
++    {
++      return grub_error (GRUB_ERR_ACCESS_DENIED,
++		  "Secure Boot forbids loading devicetree from %s", argv[0]);
++    }
++#endif
++
+   dtb = grub_file_open (argv[0]);
+   if (!dtb)
+-    goto out;
++    return grub_errno;
+ 
+   size = grub_file_size (dtb);
+   if (size == 0)
+diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
+index c9aee74ef..2def3dc5d 100644
+--- a/grub-core/loader/efi/fdt.c
++++ b/grub-core/loader/efi/fdt.c
+@@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
+       return GRUB_ERR_NONE;
+     }
+ 
++#ifdef GRUB_MACHINE_EFI
++  if (grub_efi_secure_boot ())
++    {
++      return grub_error (GRUB_ERR_ACCESS_DENIED,
++		  "Secure Boot forbids loading devicetree from %s", argv[0]);
++    }
++#endif
++
+   dtb = grub_file_open (argv[0]);
+   if (!dtb)
+     goto out;
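Review bot: Both added `grub_efi_secure_boot ()` checks refuse the command without a comment saying why, and the new message is a bare string while the neighbouring `N_("filename expected")` in `grub-core/loader/arm/linux.c` is marked for translation. I would put a one-line comment above each check, e.g. `/* A device tree is not covered by Secure Boot verification (presumably), so do not accept one from the user. */`, and wrap the message as `N_("Secure Boot forbids loading devicetree from %s")`. The identical five-line guard is duplicated in `arm/linux.c` and `efi/fdt.c`; a shared helper would keep the two handlers from drifting apart, and the `#ifdef GRUB_MACHINE_EFI` in `loader/efi/fdt.c` looks redundant if that file is only built for EFI. The change from `goto out` to `return grub_errno` after a failed `grub_file_open` is not explained either; the `out:` label and the rest of both function bodies are outside the hunks.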
diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series
--- grub2-2.02+dfsg1/debian/patches/series	2019-03-23 13:48:37.000000000 +0000
+++ grub2-2.02+dfsg1/debian/patches/series	2019-05-04 22:58:32.000000000 +0100
@@ -134,3 +134,6 @@
 xfs-sparse-inodes.patch
 vsnprintf-upper-case-hex.patch
 efi-variable-storage-minimise-writes.patch
+arm-move-trampolines-into-code-section.patch
+arm-align-section-alignment-with-manual-reloc-offset.patch
+no-devicetree-if-secure-boot.patch

-- 
Colin Watson                                       [cjwatson@debian.org]

