Bug#928507: unblock: grub2/2.02+dfsg1-18
Control: tags -1 confirmed d-i
Hi,
On Mon, May 06, 2019 at 01:07:50PM +0100, Colin Watson wrote:
> Please unblock grub2 2.02+dfsg1-18. #927888 is RC; #927269 possibly
> should be RC since it entirely breaks one of GRUB's platforms; and
> #919915 causes upgrade trouble if you run into it.
>
> (Apologies for the .gitignore/.bzrignore noise, which is the result of
> switching to using dgit as of this upload. But it's easy enough to, er,
> ignore.)
I unblocked it, but it needs a d-i ack as well (Cc kibi, diff below).
> I don't remember if it needs to be done separately, but I've included
> the -signed versions in this unblock request just in case, since they
> should all go in together.
>
> unblock grub2/2.02+dfsg1-18
> unblock grub-efi-amd64-signed/1+2.02+dfsg1+18
> unblock grub-efi-arm64-signed/1+2.02+dfsg1+18
> unblock grub-efi-ia32-signed/1+2.02+dfsg1+18
Thanks for mentioning this. A separate unblock is needed. I unblocked them as
well.
Ivo
> diff -Nru grub2-2.02+dfsg1/debian/.git-dpm grub2-2.02+dfsg1/debian/.git-dpm
> --- grub2-2.02+dfsg1/debian/.git-dpm 2019-03-23 13:48:41.000000000 +0000
> +++ grub2-2.02+dfsg1/debian/.git-dpm 2019-05-04 22:58:32.000000000 +0100
> @@ -1,6 +1,6 @@
> # see git-dpm(1) from git-dpm package
> -3ddfe605a6a472100f529c3d7465bf4eb7fe954d
> -3ddfe605a6a472100f529c3d7465bf4eb7fe954d
> +9569221816a2a1a832be106440375a612e0121b7
> +9569221816a2a1a832be106440375a612e0121b7
> 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
> 59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
> grub2_2.02+dfsg1.orig.tar.xz
> diff -Nru grub2-2.02+dfsg1/debian/.gitignore grub2-2.02+dfsg1/debian/.gitignore
> --- grub2-2.02+dfsg1/debian/.gitignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/.gitignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,110 @@
> +*.bash-completion
> +*.config
> +*.debhelper*
> +*.postinst
> +*.postrm
> +*.preinst
> +*.templates
> +files
> +grub-common
> +grub-common.maintscript
> +grub-coreboot
> +grub-coreboot*.dirs
> +grub-coreboot*.install
> +grub-coreboot*.links
> +grub-coreboot*.maintscript
> +grub-coreboot-bin
> +grub-coreboot-dbg
> +grub-efi
> +grub-efi-amd64
> +grub-efi-amd64*.dirs
> +grub-efi-amd64*.install
> +grub-efi-amd64*.links
> +grub-efi-amd64*.maintscript
> +grub-efi-amd64-bin
> +grub-efi-amd64-dbg
> +grub-efi-amd64-signed-template
> +grub-efi-arm
> +grub-efi-arm*.dirs
> +grub-efi-arm*.install
> +grub-efi-arm*.links
> +grub-efi-arm*.maintscript
> +grub-efi-arm-bin
> +grub-efi-arm-dbg
> +grub-efi-arm64
> +grub-efi-arm64*.dirs
> +grub-efi-arm64*.install
> +grub-efi-arm64*.links
> +grub-efi-arm64*.maintscript
> +grub-efi-arm64-bin
> +grub-efi-arm64-dbg
> +grub-efi-arm64-signed-template
> +grub-efi-ia32
> +grub-efi-ia32*.dirs
> +grub-efi-ia32*.install
> +grub-efi-ia32*.links
> +grub-efi-ia32*.maintscript
> +grub-efi-ia32-bin
> +grub-efi-ia32-dbg
> +grub-efi-ia32-signed-template
> +grub-efi-ia64
> +grub-efi-ia64*.dirs
> +grub-efi-ia64*.install
> +grub-efi-ia64*.links
> +grub-efi-ia64*.maintscript
> +grub-efi-ia64-bin
> +grub-efi-ia64-dbg
> +grub-emu
> +grub-emu*.dirs
> +grub-emu*.install
> +grub-emu*.links
> +grub-emu*.maintscript
> +grub-emu-dbg
> +grub-extras-enabled
> +grub-extras/*/conf/*.mk
> +grub-firmware-qemu
> +grub-ieee1275
> +grub-ieee1275*.dirs
> +grub-ieee1275*.install
> +grub-ieee1275*.links
> +grub-ieee1275*.maintscript
> +grub-ieee1275-bin
> +grub-ieee1275-dbg
> +grub-linuxbios
> +grub-mount-udeb
> +grub-pc
> +grub-pc*.dirs
> +grub-pc*.install
> +grub-pc*.links
> +grub-pc*.maintscript
> +grub-pc-bin
> +grub-pc-dbg
> +grub-rescue-pc
> +grub-theme-starfield
> +grub-uboot
> +grub-uboot*.dirs
> +grub-uboot*.install
> +grub-uboot*.links
> +grub-uboot*.maintscript
> +grub-uboot-bin
> +grub-uboot-dbg
> +grub-xen
> +grub-xen*.dirs
> +grub-xen*.install
> +grub-xen*.links
> +grub-xen*.maintscript
> +grub-xen-bin
> +grub-xen-dbg
> +grub-xen-host
> +grub-yeeloong
> +grub-yeeloong*.dirs
> +grub-yeeloong*.install
> +grub-yeeloong*.links
> +grub-yeeloong*.maintscript
> +grub-yeeloong-bin
> +grub-yeeloong-dbg
> +grub2
> +grub2-common
> +prep-bootdev
> +stamps
> +tmp-*
> diff -Nru grub2-2.02+dfsg1/debian/changelog grub2-2.02+dfsg1/debian/changelog
> --- grub2-2.02+dfsg1/debian/changelog 2019-03-23 23:28:17.000000000 +0000
> +++ grub2-2.02+dfsg1/debian/changelog 2019-05-04 22:58:32.000000000 +0100
> @@ -1,3 +1,24 @@
> +grub2 (2.02+dfsg1-18) unstable; urgency=medium
> +
> + * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
> + #927269):
> + - arm: Move trampolines into code section
> + - arm: Align section alignment with manual relocation offset code
> + * Make grub2-common Breaks+Replaces grub-cloud-amd64 (<< 0.0.4) to work
> + around that package shipping colliding configuration file names in
> + stretch-backports (closes: #919915).
> + * Apply patch from Peter Jones to forbid the "devicetree" command when
> + Secure Boot is enabled (closes: #927888).
> +
> + -- Colin Watson <cjwatson@debian.org> Sat, 04 May 2019 22:58:32 +0100
> +
> +grub2 (2.02+dfsg1-17) unstable; urgency=medium
> +
> + * Make grub-efi-*-bin recommend efibootmgr. We don't actually use it any
> + more, but it's helpful for debugging.
> +
> + -- Colin Watson <cjwatson@debian.org> Mon, 15 Apr 2019 18:38:30 +0100
> +
> grub2 (2.02+dfsg1-16) unstable; urgency=medium
>
> * Fix -Wcast-align diagnostics on ARM.
> diff -Nru grub2-2.02+dfsg1/debian/control grub2-2.02+dfsg1/debian/control
> --- grub2-2.02+dfsg1/debian/control 2019-03-23 13:48:37.000000000 +0000
> +++ grub2-2.02+dfsg1/debian/control 2019-05-04 22:58:32.000000000 +0100
> @@ -92,9 +92,9 @@
> # of the package is not very useful in a utilities-only build.
> Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
> Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends}
> -Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
> +Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
> Conflicts: grub-legacy
> -Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
> +Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
> Multi-Arch: foreign
> Description: GRand Unified Bootloader (common files for version 2)
> This package contains common files shared by the distinct flavours of GRUB.
> @@ -247,7 +247,7 @@
> Package: grub-efi-ia32-bin
> Architecture: any-i386 any-amd64
> Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
> -Recommends: grub-efi-ia32-signed,
> +Recommends: grub-efi-ia32-signed, efibootmgr [linux-any]
> Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-ia32 (<< 1.99-1)
> Multi-Arch: foreign
> XB-Efi-Vendor: ${efi:Vendor}
> @@ -308,7 +308,7 @@
> Package: grub-efi-amd64-bin
> Architecture: i386 kopensolaris-i386 any-amd64
> Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
> -Recommends: grub-efi-amd64-signed,
> +Recommends: grub-efi-amd64-signed, efibootmgr [linux-any]
> Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
> Multi-Arch: foreign
> XB-Efi-Vendor: ${efi:Vendor}
> @@ -418,6 +418,7 @@
> Package: grub-efi-arm-bin
> Architecture: any-arm
> Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
> +Recommends: efibootmgr [linux-any]
> Multi-Arch: foreign
> XB-Efi-Vendor: ${efi:Vendor}
> Description: GRand Unified Bootloader, version 2 (ARM UEFI modules)
> @@ -468,7 +469,7 @@
> Package: grub-efi-arm64-bin
> Architecture: any-arm64
> Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
> -Recommends: grub-efi-arm64-signed,
> +Recommends: grub-efi-arm64-signed, efibootmgr [linux-any]
> Multi-Arch: foreign
> XB-Efi-Vendor: ${efi:Vendor}
> Description: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
> diff -Nru grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore
> --- grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/grub-extras/915resolution/.bzrignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,3 @@
> +**/.deps-core
> +**/.dirstamp
> +Makefile.core.am
> diff -Nru grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore
> --- grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/grub-extras/disabled/gpxe/.bzrignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,3 @@
> +**/.deps-core
> +**/.dirstamp
> +Makefile.core.am
> diff -Nru grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore
> --- grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/grub-extras/disabled/zfs/.bzrignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,5 @@
> +**/.deps-core
> +**/.deps-util
> +**/.dirstamp
> +Makefile.core.am
> +Makefile.util.am
> diff -Nru grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore
> --- grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/grub-extras/lua/.bzrignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,3 @@
> +**/.deps-core
> +**/.dirstamp
> +Makefile.core.am
> diff -Nru grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore
> --- grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/grub-extras/ntldr-img/.bzrignore 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,3 @@
> +**/.deps-core
> +**/.dirstamp
> +Makefile.core.am
> diff -Nru grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch
> --- grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/patches/arm-align-section-alignment-with-manual-reloc-offset.patch 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,45 @@
> +From 98e5faf41eb40e287dc00c79f461f5afa92d8a34 Mon Sep 17 00:00:00 2001
> +From: Alexander Graf <agraf@csgraf.de>
> +Date: Tue, 30 Apr 2019 22:43:57 +0200
> +Subject: arm: Align section alignment with manual relocation offset code
> +
> +The arm relocation code has a manual special case for EFI binaries to
> +add the natural alignment to its own relocation awareness.
> +
> +Since commit a51f953f4ee87 ("mkimage: Align efi sections on 4k
> +boundary") we changed that alignment from 0x400 to 0x1000 bytes. Reflect
> +the change in that branch that we forgot as well.
> +
> +This fixes running 32bit arm grub efi binaries for me again.
> +
> +Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
> +Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
> +Reported-by: Steve McIntyre <steve@einval.com>
> +Signed-off-by: Alexander Graf <agraf@csgraf.de>
> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
> +Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
> +Tested-by: Julien ROBIN <julien.robin28@free.fr>
> +Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
> +
> +Bug-Debian: https://bugs.debian.org/927269
> +Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00132.html
> +Last-Update: 2019-05-03
> +
> +Patch-Name: arm-align-section-alignment-with-manual-reloc-offset.patch
> +---
> + util/grub-mkimagexx.c | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
> +index 2f80e5abc..740b30483 100644
> +--- a/util/grub-mkimagexx.c
> ++++ b/util/grub-mkimagexx.c
> +@@ -1105,7 +1105,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
> + (int) sym_addr, (int) sym_addr);
> + /* Data will be naturally aligned */
> + if (image_target->id == IMAGE_EFI)
> +- sym_addr += 0x400;
> ++ sym_addr += GRUB_PE32_SECTION_ALIGNMENT;
> + *target = grub_host_to_target32 (grub_target_to_host32 (*target) + sym_addr);
> + }
> + break;
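Review bot: The comment kept above the changed line, `/* Data will be naturally aligned */`, does not say that the offset added for `IMAGE_EFI` has to track the section alignment mkimage uses, and per the commit message that unstated coupling is how this branch was missed when a51f953f4ee87 went from 0x400 to 0x1000. I would reword it at the use site, for example `/* EFI images: offset by the PE section alignment mkimage applies (GRUB_PE32_SECTION_ALIGNMENT). */`. The enclosing case in `relocate_addresses` starts and ends outside the hunk, so whether other branches carry a similar hard-coded offset cannot be checked from here.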
> diff -Nru grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch
> --- grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/patches/arm-move-trampolines-into-code-section.patch 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,83 @@
> +From 61f1b949b4b9302b664553cdc5c77cb6fea8f897 Mon Sep 17 00:00:00 2001
> +From: Alexander Graf <agraf@csgraf.de>
> +Date: Tue, 30 Apr 2019 22:43:56 +0200
> +Subject: arm: Move trampolines into code section
> +
> +When creating T32->A32 transition jumps, the relocation code in grub
> +will generate trampolines. These trampolines live in the .data section
> +of our PE binary which means they are not marked as executable.
> +
> +This misbehavior was unmasked by commit a51f953f4ee87 ("mkimage: Align
> +efi sections on 4k boundary") which made the X/NX boundary more obvious
> +because everything became page aligned.
> +
> +To put things into proper order, let's move the arm trampolines into the
> +.text section instead. That way everyone knows they are executable.
> +
> +Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
> +Reported-by: Julien ROBIN <julien.robin28@free.fr>
> +Reported-by: Leif Lindholm <leif.lindholm@linaro.org>
> +Signed-off-by: Alexander Graf <agraf@csgraf.de>
> +Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
> +Tested-by: Julien ROBIN <julien.robin28@free.fr>
> +Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
> +
> +Bug-Debian: https://bugs.debian.org/927269
> +Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00131.html
> +Last-Update: 2019-05-03
> +
> +Patch-Name: arm-move-trampolines-into-code-section.patch
> +---
> + util/grub-mkimagexx.c | 32 +++++++++++++++-----------------
> + 1 file changed, 15 insertions(+), 17 deletions(-)
> +
> +diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
> +index 6c02faffb..2f80e5abc 100644
> +--- a/util/grub-mkimagexx.c
> ++++ b/util/grub-mkimagexx.c
> +@@ -1860,6 +1860,21 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
> + }
> + }
> +
> ++#ifdef MKIMAGE_ELF32
> ++ if (image_target->elf_target == EM_ARM)
> ++ {
> ++ grub_size_t tramp;
> ++
> ++ layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
> ++
> ++ tramp = arm_get_trampoline_size (e, sections, section_entsize,
> ++ num_sections, image_target);
> ++
> ++ layout->tramp_off = layout->kernel_size;
> ++ layout->kernel_size += ALIGN_UP (tramp, 16);
> ++ }
> ++#endif
> ++
> + layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
> + image_target->section_align)
> + - image_target->vaddr_offset;
> +@@ -1876,23 +1891,6 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
> + strtab,
> + image_target);
> +
> +-#ifdef MKIMAGE_ELF32
> +- if (image_target->elf_target == EM_ARM)
> +- {
> +- grub_size_t tramp;
> +- layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
> +- image_target->section_align) - image_target->vaddr_offset;
> +-
> +- layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
> +-
> +- tramp = arm_get_trampoline_size (e, sections, section_entsize,
> +- num_sections, image_target);
> +-
> +- layout->tramp_off = layout->kernel_size;
> +- layout->kernel_size += ALIGN_UP (tramp, 16);
> +- }
> +-#endif
> +-
> + layout->bss_start = layout->kernel_size;
> + layout->end = layout->kernel_size;
> +
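Review bot: The relocated `#ifdef MKIMAGE_ELF32` block in `locate_sections` carries no comment saying it must stay ahead of the `ALIGN_UP (..., image_target->section_align)` round-up that follows it. That ordering appears to be what keeps the trampolines inside the executable section instead of the non-executable data that the commit message describes. A one-line comment such as `/* Reserve ARM trampoline space before the section round-up so it ends up in executable .text, not .data. */` would stop a later reorder from quietly reintroducing the X/NX fault. `locate_sections` begins and ends outside both inner hunks, so the section boundaries themselves are inferred from the commit message.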
> diff -Nru grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch
> --- grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.02+dfsg1/debian/patches/no-devicetree-if-secure-boot.patch 2019-05-04 22:58:32.000000000 +0100
> @@ -0,0 +1,71 @@
> +From 9569221816a2a1a832be106440375a612e0121b7 Mon Sep 17 00:00:00 2001
> +From: Peter Jones <pjones@redhat.com>
> +Date: Wed, 24 Apr 2019 10:03:04 -0400
> +Subject: Forbid the "devicetree" command when Secure Boot is enabled.
> +
> +Signed-off-by: Peter Jones <pjones@redhat.com>
> +Signed-off-by: Steve McIntyre <93sam@debian.org>
> +
> +Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
> +Bug-Debian: https://bugs.debian.org/927888
> +Last-Update: 2019-05-04
> +
> +Patch-Name: no-devicetree-if-secure-boot.patch
> +---
> + grub-core/loader/arm/linux.c | 14 +++++++++++++-
> + grub-core/loader/efi/fdt.c | 8 ++++++++
> + 2 files changed, 21 insertions(+), 1 deletion(-)
> +
> +diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
> +index 9300adc8f..72d747578 100644
> +--- a/grub-core/loader/arm/linux.c
> ++++ b/grub-core/loader/arm/linux.c
> +@@ -29,6 +29,10 @@
> + #include <grub/lib/cmdline.h>
> + #include <grub/linux.h>
> +
> ++#ifdef GRUB_MACHINE_EFI
> ++#include <grub/efi/efi.h>
> ++#endif
> ++
> + GRUB_MOD_LICENSE ("GPLv3+");
> +
> + static grub_dl_t my_mod;
> +@@ -433,9 +437,17 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
> + if (argc != 1)
> + return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
> +
> ++#ifdef GRUB_MACHINE_EFI
> ++ if (grub_efi_secure_boot ())
> ++ {
> ++ return grub_error (GRUB_ERR_ACCESS_DENIED,
> ++ "Secure Boot forbids loading devicetree from %s", argv[0]);
> ++ }
> ++#endif
> ++
> + dtb = grub_file_open (argv[0]);
> + if (!dtb)
> +- goto out;
> ++ return grub_errno;
> +
> + size = grub_file_size (dtb);
> + if (size == 0)
> +diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
> +index c9aee74ef..2def3dc5d 100644
> +--- a/grub-core/loader/efi/fdt.c
> ++++ b/grub-core/loader/efi/fdt.c
> +@@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
> + return GRUB_ERR_NONE;
> + }
> +
> ++#ifdef GRUB_MACHINE_EFI
> ++ if (grub_efi_secure_boot ())
> ++ {
> ++ return grub_error (GRUB_ERR_ACCESS_DENIED,
> ++ "Secure Boot forbids loading devicetree from %s", argv[0]);
> ++ }
> ++#endif
> ++
> + dtb = grub_file_open (argv[0]);
> + if (!dtb)
> + goto out;
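Review bot: Both added `grub_efi_secure_boot ()` guards in `grub_cmd_devicetree` (grub-core/loader/arm/linux.c and grub-core/loader/efi/fdt.c) refuse the command without a comment giving the reason, and the patch header has no explanatory body either. A short comment above each guard would help, e.g. `/* The device tree file is presumably not signature-verified, so refuse to load it while Secure Boot is enabled. */`; that rationale is inferred from the subject line and bug #927888, so confirm the wording. The new message is also a bare string while the neighbouring `N_("filename expected")` error is marked for translation; `N_("Secure Boot forbids loading devicetree from %s")` would be consistent. Both function bodies continue outside the hunks, so the `argc` handling before the fdt.c guard is only partly visible.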
> diff -Nru grub2-2.02+dfsg1/debian/patches/series grub2-2.02+dfsg1/debian/patches/series
> --- grub2-2.02+dfsg1/debian/patches/series 2019-03-23 13:48:37.000000000 +0000
> +++ grub2-2.02+dfsg1/debian/patches/series 2019-05-04 22:58:32.000000000 +0100
> @@ -134,3 +134,6 @@
> xfs-sparse-inodes.patch
> vsnprintf-upper-case-hex.patch
> efi-variable-storage-minimise-writes.patch
> +arm-move-trampolines-into-code-section.patch
> +arm-align-section-alignment-with-manual-reloc-offset.patch
> +no-devicetree-if-secure-boot.patch
>