
Bug#986625: unblock: grub2/2.04-17



Control: tags -1 d-i confirmed

Hi,

Putting kibi in CC for the d-i ACK, just to be sure.

Paul

On 08-04-2021 12:25, Colin Watson wrote:
> Please unblock grub2 2.04-17.  The --sbat fix will be needed for d-i
> builds once various bits of work on shim are finished, and the verifiers
> module change helps core images fit in the constrained space that's
> often all that's available on BIOS systems.
> 
> You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
> well to match, since these four source packages must all have matching
> versions - I'm not sure exactly how the tools work from your end.
> 
> diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
> --- grub2-2.04/debian/.git-dpm	2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/.git-dpm	2021-03-19 10:41:41.000000000 +0000
> @@ -1,6 +1,6 @@
>  # see git-dpm(1) from git-dpm package
> -9cd32c57605b7ad713e108e0b98ebd504caa532e
> -9cd32c57605b7ad713e108e0b98ebd504caa532e
> +3d246c561a2c6aa18b78eae69e5100a2347dc7aa
> +3d246c561a2c6aa18b78eae69e5100a2347dc7aa
>  578bb115fbd47e1c464696f1f8d6183e5443975d
>  578bb115fbd47e1c464696f1f8d6183e5443975d
>  grub2_2.04.orig.tar.xz
> diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
> --- grub2-2.04/debian/build-efi-images	2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/build-efi-images	2021-03-19 10:41:41.000000000 +0000
> @@ -224,6 +224,8 @@
>  "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
>  	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
>  	-m "$workdir/memdisk-netboot.fat" \
> -	-p "/${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
> +	-p "/${efi_vendor}-installer/$deb_arch/grub" \
> +	--sbat "$sbat_csv" \
> +	$NET_MODULES
>  
>  exit 0
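
Review bot: `--sbat "$sbat_csv"` on the netboot `grub_mkimage` call depends on `sbat_csv` being set earlier in the script, and that assignment is outside the context shown in this hunk. Because the expansion is quoted, an unset variable would hand `--sbat` an empty argument rather than dropping the option. Please confirm the variable is assigned before line 224 on every path that reaches this call, or have the script fail early when it is empty.
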
> diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
> --- grub2-2.04/debian/changelog	2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/changelog	2021-03-19 10:41:41.000000000 +0000
> @@ -1,3 +1,11 @@
> +grub2 (2.04-17) unstable; urgency=medium
> +
> +  * Pass --sbat when building the d-i netboot image as well.
> +  * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
> +    #984488, #985374).
> +
> + -- Colin Watson <cjwatson@debian.org>  Fri, 19 Mar 2021 10:41:41 +0000
> +
>  grub2 (2.04-16) unstable; urgency=medium
>  
>    * Fix broken advice in message when the postinst has to bail out (thanks
> diff -Nru grub2-2.04/debian/patches/pc-verifiers-module.patch grub2-2.04/debian/patches/pc-verifiers-module.patch
> --- grub2-2.04/debian/patches/pc-verifiers-module.patch	1970-01-01 01:00:00.000000000 +0100
> +++ grub2-2.04/debian/patches/pc-verifiers-module.patch	2021-03-19 10:41:41.000000000 +0000
> @@ -0,0 +1,167 @@
> +From 3d246c561a2c6aa18b78eae69e5100a2347dc7aa Mon Sep 17 00:00:00 2001
> +From: Michael Chang <mchang@suse.com>
> +Date: Thu, 18 Mar 2021 19:30:26 +0800
> +Subject: i386-pc: build verifiers API as module
> +
> +Given no core functions on i386-pc would require verifiers to work and
> +the only consumer of the verifier API is the pgp module, it looks good
> +to me that we can move the verifiers out of the kernel image and let
> +moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
> +
> +This helps to reduce the size of core image and thus can relax the
> +tension of exploding on some i386-pc system with very short MBR gap
> +size. See also a very comprehensive summary from Colin [1] about the
> +details.
> +
> +[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
> +
> +V2:
> +Drop COND_NOT_i386_pc and use !COND_i386_pc.
> +Add comment in kern/verifiers.c to help understanding what's going on
> +without digging into the commit history.
> +
> +Reported-by: Colin Watson <cjwatson@debian.org>
> +Reviewed-by: Colin Watson <cjwatson@debian.org>
> +Signed-off-by: Michael Chang <mchang@suse.com>
> +
> +Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
> +Bug-Debian: https://bugs.debian.org/984488
> +Bug-Debian: https://bugs.debian.org/985374
> +Last-Update: 2021-03-18
> +
> +Patch-Name: pc-verifiers-module.patch
> +---
> + grub-core/Makefile.am       |  2 ++
> + grub-core/Makefile.core.def |  8 +++++++-
> + grub-core/kern/main.c       |  4 ++++
> + grub-core/kern/verifiers.c  | 17 +++++++++++++++++
> + include/grub/verify.h       |  9 +++++++++
> + 5 files changed, 39 insertions(+), 1 deletion(-)
> +
> +diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
> +index 5308caa7b..4900265a4 100644
> +--- a/grub-core/Makefile.am
> ++++ b/grub-core/Makefile.am
> +@@ -92,7 +92,9 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
> ++if !COND_i386_pc
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
> ++endif
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
> + KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
> +diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> +index 248835aca..43b3da725 100644
> +--- a/grub-core/Makefile.core.def
> ++++ b/grub-core/Makefile.core.def
> +@@ -141,7 +141,7 @@ kernel = {
> +   common = kern/rescue_parser.c;
> +   common = kern/rescue_reader.c;
> +   common = kern/term.c;
> +-  common = kern/verifiers.c;
> ++  nopc = kern/verifiers.c;
> + 
> +   noemu = kern/compiler-rt.c;
> +   noemu = kern/mm.c;
> +@@ -951,6 +951,12 @@ module = {
> +   enable = x86_64_efi;
> + };
> + 
> ++module = {
> ++  name = verifiers;
> ++  common = kern/verifiers.c;
> ++  enable = i386_pc;
> ++};
> ++
> + module = {
> +   name = hdparm;
> +   common = commands/hdparm.c;
> +diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
> +index 2879d644a..c6fb66853 100644
> +--- a/grub-core/kern/main.c
> ++++ b/grub-core/kern/main.c
> +@@ -29,7 +29,9 @@
> + #include <grub/command.h>
> + #include <grub/reader.h>
> + #include <grub/parser.h>
> ++#ifndef GRUB_MACHINE_PCBIOS
> + #include <grub/verify.h>
> ++#endif
> + 
> + #ifdef GRUB_MACHINE_PCBIOS
> + #include <grub/machine/memory.h>
> +@@ -285,8 +287,10 @@ grub_main (void)
> +   grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
> + #endif
> + 
> ++#ifndef GRUB_MACHINE_PCBIOS
> +   /* Init verifiers API. */
> +   grub_verifiers_init ();
> ++#endif
> + 
> +   grub_load_config ();
> + 
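
Review bot: With `grub_verifiers_init ()` now inside `#ifndef GRUB_MACHINE_PCBIOS` in `grub_main`, the i386-pc kernel registers no verify filter at startup, so verification on that platform exists only after the verifiers module has been loaded. The commit message relies on moddep.lst pulling it in together with pgp. A short comment at this guard pointing to the explanation in kern/verifiers.c would help readers of main.c, and it is worth confirming that an i386-pc image expected to enforce signatures has the module loaded before the first file it needs to check is opened.
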
> +diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
> +index aa3dc7c64..58dbe152a 100644
> +--- a/grub-core/kern/verifiers.c
> ++++ b/grub-core/kern/verifiers.c
> +@@ -217,8 +217,25 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
> +   return GRUB_ERR_NONE;
> + }
> + 
> ++/*
> ++ * It is intended to build verifiers as module on i386-pc platform to 
minimize
> ++ * the impact of growing core image size could blow up the 63 sectors 
limit of
> ++ * some MBR gap one day. It is also adequate to do so, given no core function
> ++ * on i386-pc would require the verifiers API to work.
> ++ */
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++GRUB_MOD_INIT(verifiers)
> ++#else
> + void
> + grub_verifiers_init (void)
> ++#endif
> + {
> +   grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
> + }
> ++
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++GRUB_MOD_FINI(verifiers)
> ++{
> ++  grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
> ++}
> ++#endif
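
Review bot: `GRUB_MOD_FINI(verifiers)` calls `grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY)` unconditionally, with no check on whether a verifier is still registered. If the module could be unloaded while a consumer still has a verifier in the list, later file opens would pass through without verification and without any error. Please state in the comment what prevents that (presumably the module dependency from consumers such as pgp). Separately, the new block comment is hard to parse ("to minimize the impact of growing core image size could blow up ...") and would benefit from rewording.
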
> +diff --git a/include/grub/verify.h b/include/grub/verify.h
> +index cd129c398..6fde244fc 100644
> +--- a/include/grub/verify.h
> ++++ b/include/grub/verify.h
> +@@ -64,10 +64,14 @@ struct grub_file_verifier
> +   grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
> + };
> + 
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++extern struct grub_file_verifier *grub_file_verifiers;
> ++#else
> + extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
> + 
> + extern void
> + grub_verifiers_init (void);
> ++#endif
> + 
> + static inline void
> + grub_verifier_register (struct grub_file_verifier *ver)
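
Review bot: The `#ifdef GRUB_MACHINE_PCBIOS` branch declares `grub_file_verifiers` without `EXPORT_VAR` and omits the `grub_verifiers_init` prototype, but nothing in the header says why the two platforms differ. The rationale is only in kern/verifiers.c and the commit message. A one- or two-line comment above this `#ifdef`, saying that on i386-pc these symbols come from the verifiers module rather than the kernel, would make the header self-explanatory.
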
> +@@ -81,7 +85,12 @@ grub_verifier_unregister (struct grub_file_verifier 
*ver)
> +   grub_list_remove (GRUB_AS_LIST (ver));
> + }
> + 
> ++#ifdef GRUB_MACHINE_PCBIOS
> ++grub_err_t
> ++grub_verify_string (char *str, enum grub_verify_string_type type);
> ++#else
> + extern grub_err_t
> + EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
> ++#endif
> + 
> + #endif /* ! GRUB_VERIFY_HEADER */
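
Review bot: Style point on the `grub_verify_string` declarations: the `GRUB_MACHINE_PCBIOS` branch drops `extern` while the `#else` branch keeps it. This is harmless for a function prototype, but keeping `extern` in both branches would leave `EXPORT_FUNC` as the only difference and make the intent of the split easier to see.
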
> diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
> --- grub2-2.04/debian/patches/series	2021-03-02 18:00:00.000000000 +0000
> +++ grub2-2.04/debian/patches/series	2021-03-19 10:41:41.000000000 +0000
> @@ -213,3 +213,4 @@
>  2021-02-security/111-kern-misc-Add-function-to-check-printf-format-against-expected-format.patch
>  2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
>  2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
> +pc-verifiers-module.patch
> 
> unblock grub2/2.04-17
> 
> Thanks,
> 
