Control: tags -1 d-i confirmed Hi, Putting kibi in CC for the d-i ACK, just to be sure. Paul On 08-04-2021 12:25, Colin Watson wrote:
> Please unblock grub2 2.04-17. The --sbat fix will be needed for d-i
> builds once various bits of work on shim are finished, and the verifiers
> module change helps core images fit in the constrained space that's
> often all that's available on BIOS systems.
>
> You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
> well to match, since these four source packages must all have matching
> versions - I'm not sure exactly how the tools work from your end.
>
> diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
> --- grub2-2.04/debian/.git-dpm 2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/.git-dpm 2021-03-19 10:41:41.000000000 +0000
> @@ -1,6 +1,6 @@
> # see git-dpm(1) from git-dpm package
> -9cd32c57605b7ad713e108e0b98ebd504caa532e
> -9cd32c57605b7ad713e108e0b98ebd504caa532e
> +3d246c561a2c6aa18b78eae69e5100a2347dc7aa
> +3d246c561a2c6aa18b78eae69e5100a2347dc7aa
> 578bb115fbd47e1c464696f1f8d6183e5443975d
> 578bb115fbd47e1c464696f1f8d6183e5443975d
> grub2_2.04.orig.tar.xz
> diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
> --- grub2-2.04/debian/build-efi-images 2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/build-efi-images 2021-03-19 10:41:41.000000000 +0000
> @@ -224,6 +224,8 @@
> "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
> -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
> -m "$workdir/memdisk-netboot.fat" \
> - -p "/${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
> + -p "/${efi_vendor}-installer/$deb_arch/grub" \
> + --sbat "$sbat_csv" \
> + $NET_MODULES
>
> exit 0
> diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
> --- grub2-2.04/debian/changelog 2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/changelog 2021-03-19 10:41:41.000000000 +0000
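Review bot: In debian/build-efi-images the netboot-installer `grub-mkimage` call now passes `--sbat "$sbat_csv"`, but nothing in the hunk records why, or guards against the option being left off an image again, which is what the changelog's "as well" suggests happened here. A comment above the call would help, for example `# d-i netboot image: must carry SBAT metadata like the other images built above`. `$sbat_csv` is assigned outside the visible lines, so whether it is checked for existence before use cannot be judged from this hunk. A post-build check that each produced image contains a `.sbat` section would turn a future omission into a build failure; the rest of the script lies outside the hunk, so it is unclear whether such a check already exists.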
> @@ -1,3 +1,11 @@
> +grub2 (2.04-17) unstable; urgency=medium
> +
> + * Pass --sbat when building the d-i netboot image as well.
> + * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
> + #984488, #985374).
> +
> + -- Colin Watson <cjwatson@debian.org> Fri, 19 Mar 2021 10:41:41 +0000
> +
> grub2 (2.04-16) unstable; urgency=medium
>
> * Fix broken advice in message when the postinst has to bail out (thanks
> diff -Nru grub2-2.04/debian/patches/pc-verifiers-module.patch grub2-2.04/debian/patches/pc-verifiers-module.patch
> --- grub2-2.04/debian/patches/pc-verifiers-module.patch 1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.04/debian/patches/pc-verifiers-module.patch 2021-03-19 10:41:41.000000000 +0000
> @@ -0,0 +1,167 @@
> +From 3d246c561a2c6aa18b78eae69e5100a2347dc7aa Mon Sep 17 00:00:00 2001
> +From: Michael Chang <mchang@suse.com>
> +Date: Thu, 18 Mar 2021 19:30:26 +0800
> +Subject: i386-pc: build verifiers API as module
> +
> +Given no core functions on i386-pc would require verifiers to work and
> +the only consumer of the verifier API is the pgp module, it looks good
> +to me that we can move the verifiers out of the kernel image and let
> +moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
> +
> +This helps to reduce the size of core image and thus can relax the
> +tension of exploding on some i386-pc system with very short MBR gap
> +size. See also a very comprehensive summary from Colin [1] about the
> +details.
> +
> +[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
> +
> +V2:
> +Drop COND_NOT_i386_pc and use !COND_i386_pc.
> +Add comment in kern/verifiers.c to help understanding what's going on
> +without digging into the commit history.
> +
> +Reported-by: Colin Watson <cjwatson@debian.org>
> +Reviewed-by: Colin Watson <cjwatson@debian.org>
> +Signed-off-by: Michael Chang <mchang@suse.com>
> +
> +Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
> +Bug-Debian: https://bugs.debian.org/984488
> +Bug-Debian: https://bugs.debian.org/985374
> +Last-Update: 2021-03-18
> +
> +Patch-Name: pc-verifiers-module.patch
> +---
> + grub-core/Makefile.am | 2 ++
> + grub-core/Makefile.core.def | 8 +++++++-
> + grub-core/kern/main.c | 4 ++++
> + grub-core/kern/verifiers.c | 17 +++++++++++++++++
> + include/grub/verify.h | 9 +++++++++
> + 5 files changed, 39 insertions(+), 1 deletion(-)
> +
> +diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
> +index 5308caa7b..4900265a4 100644
> +--- a/grub-core/Makefile.am
> ++++ b/grub-core/Makefile.am
> +@@ -92,7 +92,9 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
> ++if !COND_i386_pc
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
> ++endif
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
> +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> +index 248835aca..43b3da725 100644
> +--- a/grub-core/Makefile.core.def
> ++++ b/grub-core/Makefile.core.def
> +@@ -141,7 +141,7 @@ kernel = {
> + common = kern/rescue_parser.c;
> + common = kern/rescue_reader.c;
> + common = kern/term.c;
> +- common = kern/verifiers.c;
> ++ nopc = kern/verifiers.c;
> +
> + noemu = kern/compiler-rt.c;
> + noemu = kern/mm.c;
> +@@ -951,6 +951,12 @@ module = {
> + enable = x86_64_efi;
> + };
> +
> ++module = {
> ++ name = verifiers;
> ++ common = kern/verifiers.c;
> ++ enable =
i386_pc;
> ++};
> ++
> + module = {
> + name = hdparm;
> + common = commands/hdparm.c;
> +diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
> +index 2879d644a..c6fb66853 100644
> +--- a/grub-core/kern/main.c
> ++++ b/grub-core/kern/main.c
> +@@ -29,7 +29,9 @@
> + #include <grub/command.h>
> + #include <grub/reader.h>
> + #include <grub/parser.h>
> ++#ifndef GRUB_MACHINE_PCBIOS
> + #include <grub/verify.h>
> ++#endif
> +
> + #ifdef GRUB_MACHINE_PCBIOS
> + #include <grub/machine/memory.h>
> +@@ -285,8 +287,10 @@ grub_main (void)
> + grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
> + #endif
> +
> ++#ifndef GRUB_MACHINE_PCBIOS
> + /* Init verifiers API. */
> + grub_verifiers_init ();
> ++#endif
> +
> + grub_load_config ();
> +
> +diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
> +index aa3dc7c64..58dbe152a 100644
> +--- a/grub-core/kern/verifiers.c
> ++++ b/grub-core/kern/verifiers.c
> +@@ -217,8 +217,25 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
> + return GRUB_ERR_NONE;
> + }
> +
> ++/*
> ++ * It is intended to build verifiers as module on i386-pc platform to minimize
> ++ * the impact of growing core image size could blow up the 63 sectors limit of
> ++ * some MBR gap one day. It is also adequate to do so, given no core function
> ++ * on i386-pc would require the verifiers API to work.
> ++ */
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++GRUB_MOD_INIT(verifiers)
> ++#else
> + void
> + grub_verifiers_init (void)
> ++#endif
> + {
> + grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
> + }
> ++
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++GRUB_MOD_FINI(verifiers)
> ++{
> ++ grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
> ++}
> ++#endif
> +diff --git a/include/grub/verify.h b/include/grub/verify.h
> +index cd129c398..6fde244fc 100644
> +--- a/include/grub/verify.h
> ++++ b/include/grub/verify.h
> +@@ -64,10 +64,14 @@ struct grub_file_verifier
> + grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
> + };
> +
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++extern struct grub_file_verifier *grub_file_verifiers;
> ++#else
> + extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
> +
> + extern void
> + grub_verifiers_init (void);
> ++#endif
> +
> + static inline void
> + grub_verifier_register (struct grub_file_verifier *ver)
> +@@ -81,7 +85,12 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
> + grub_list_remove (GRUB_AS_LIST (ver));
> + }
> +
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++grub_err_t
> ++grub_verify_string (char *str, enum grub_verify_string_type type);
> ++#else
> + extern grub_err_t
> + EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
> ++#endif
> +
> + #endif /* ! GRUB_VERIFY_HEADER */
> diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
> --- grub2-2.04/debian/patches/series 2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/patches/series 2021-03-19 10:41:41.000000000 +0000
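Review bot: The comment added above `GRUB_MOD_INIT(verifiers)` in grub-core/kern/verifiers.c explains the core-image size motive but not the security consequence of the change. On i386-pc, `grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open)` now runs only from the module's init and kern/main.c no longer calls `grub_verifiers_init ()`, so no file open passes through the verifiers until the module is loaded. The commit message relies on moddep.lst loading it together with pgp, and that invariant deserves a sentence in the comment, e.g. `Any i386-pc module that calls grub_verifier_register() must depend on the verifiers module, otherwise its checks are never applied.` It is also worth confirming, outside the lines shown, that a core image built with an embedded public key still has verifiers loaded before the first file is opened.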
> @@ -213,3 +213,4 @@
> 2021-02-security/111-kern-misc-Add-function-to-check-printf-format-against-expected-format.patch
> 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
> 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
> +pc-verifiers-module.patch
>
> unblock grub2/2.04-17
>
> Thanks,
>
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature