
Bug#986625: marked as done (unblock: grub2/2.04-17)



Your message dated Sat, 10 Apr 2021 14:05:50 +0200
with message-id <1fbe6eee-4a23-9422-5eae-41a40ad9e1b3@debian.org>
and subject line Re: Bug#986625: unblock: grub2/2.04-17
has caused the Debian Bug report #986625,
regarding unblock: grub2/2.04-17
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
986625: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986625
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2 2.04-17.  The --sbat fix will be needed for d-i
builds once various bits of work on shim are finished, and the verifiers
module change helps core images fit in the constrained space that's
often all that's available on BIOS systems.

You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
well to match, since these four source packages must all have matching
versions - I'm not sure exactly how the tools work from your end.

diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
--- grub2-2.04/debian/.git-dpm	2021-03-02 18:00:00.000000000 +0000
+++ grub2-2.04/debian/.git-dpm	2021-03-19 10:41:41.000000000 +0000
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-9cd32c57605b7ad713e108e0b98ebd504caa532e
-9cd32c57605b7ad713e108e0b98ebd504caa532e
+3d246c561a2c6aa18b78eae69e5100a2347dc7aa
+3d246c561a2c6aa18b78eae69e5100a2347dc7aa
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz
diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
--- grub2-2.04/debian/build-efi-images	2021-03-02 18:00:00.000000000 +0000
+++ grub2-2.04/debian/build-efi-images	2021-03-19 10:41:41.000000000 +0000
@@ -224,6 +224,8 @@
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
-	-p "/${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
+	-p "/${efi_vendor}-installer/$deb_arch/grub" \
+	--sbat "$sbat_csv" \
+	$NET_MODULES
 
 exit 0
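Review bot: The added `--sbat "$sbat_csv"` argument depends on `$sbat_csv` being assigned earlier in the script, outside the context shown here, and nothing in this hunk checks that it names a readable file before `grub_mkimage` runs. If that check is not already done where the variable is set, add one test ahead of the image builds (for example `[ -r "$sbat_csv" ]`) so a missing SBAT file fails the build with a clear message. A netboot image without the intended SBAT metadata should never be produced silently.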
diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
--- grub2-2.04/debian/changelog	2021-03-02 18:00:00.000000000 +0000
+++ grub2-2.04/debian/changelog	2021-03-19 10:41:41.000000000 +0000
@@ -1,3 +1,11 @@
+grub2 (2.04-17) unstable; urgency=medium
+
+  * Pass --sbat when building the d-i netboot image as well.
+  * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
+    #984488, #985374).
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 19 Mar 2021 10:41:41 +0000
+
 grub2 (2.04-16) unstable; urgency=medium
 
   * Fix broken advice in message when the postinst has to bail out (thanks
diff -Nru grub2-2.04/debian/patches/pc-verifiers-module.patch grub2-2.04/debian/patches/pc-verifiers-module.patch
--- grub2-2.04/debian/patches/pc-verifiers-module.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/pc-verifiers-module.patch	2021-03-19 10:41:41.000000000 +0000
@@ -0,0 +1,167 @@
+From 3d246c561a2c6aa18b78eae69e5100a2347dc7aa Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 18 Mar 2021 19:30:26 +0800
+Subject: i386-pc: build verifiers API as module
+
+Given no core functions on i386-pc would require verifiers to work and
+the only consumer of the verifier API is the pgp module, it looks good
+to me that we can move the verifiers out of the kernel image and let
+moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
+
+This helps to reduce the size of core image and thus can relax the
+tension of exploding on some i386-pc system with very short MBR gap
+size. See also a very comprehensive summary from Colin [1] about the
+details.
+
+[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
+
+V2:
+Drop COND_NOT_i386_pc and use !COND_i386_pc.
+Add comment in kern/verifiers.c to help understanding what's going on
+without digging into the commit history.
+
+Reported-by: Colin Watson <cjwatson@debian.org>
+Reviewed-by: Colin Watson <cjwatson@debian.org>
+Signed-off-by: Michael Chang <mchang@suse.com>
+
+Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
+Bug-Debian: https://bugs.debian.org/984488
+Bug-Debian: https://bugs.debian.org/985374
+Last-Update: 2021-03-18
+
+Patch-Name: pc-verifiers-module.patch
+---
+ grub-core/Makefile.am       |  2 ++
+ grub-core/Makefile.core.def |  8 +++++++-
+ grub-core/kern/main.c       |  4 ++++
+ grub-core/kern/verifiers.c  | 17 +++++++++++++++++
+ include/grub/verify.h       |  9 +++++++++
+ 5 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 5308caa7b..4900265a4 100644
+--- a/grub-core/Makefile.am
++++ b/grub-core/Makefile.am
+@@ -92,7 +92,9 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
++if !COND_i386_pc
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
++endif
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 248835aca..43b3da725 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -141,7 +141,7 @@ kernel = {
+   common = kern/rescue_parser.c;
+   common = kern/rescue_reader.c;
+   common = kern/term.c;
+-  common = kern/verifiers.c;
++  nopc = kern/verifiers.c;
+ 
+   noemu = kern/compiler-rt.c;
+   noemu = kern/mm.c;
+@@ -951,6 +951,12 @@ module = {
+   enable = x86_64_efi;
+ };
+ 
++module = {
++  name = verifiers;
++  common = kern/verifiers.c;
++  enable = i386_pc;
++};
++
+ module = {
+   name = hdparm;
+   common = commands/hdparm.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 2879d644a..c6fb66853 100644
+--- a/grub-core/kern/main.c
++++ b/grub-core/kern/main.c
+@@ -29,7 +29,9 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
++#ifndef GRUB_MACHINE_PCBIOS
+ #include <grub/verify.h>
++#endif
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -285,8 +287,10 @@ grub_main (void)
+   grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+ #endif
+ 
++#ifndef GRUB_MACHINE_PCBIOS
+   /* Init verifiers API. */
+   grub_verifiers_init ();
++#endif
+ 
+   grub_load_config ();
+ 
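Review bot: In `grub_main`, compiling out `grub_verifiers_init ()` for `GRUB_MACHINE_PCBIOS` means nothing registers `GRUB_FILE_FILTER_VERIFY` before `grub_load_config ()` runs on that platform, and the retained comment `/* Init verifiers API. */` does not say where registration now happens. Add a one-line comment at this `#ifndef` pointing to the `GRUB_MOD_INIT(verifiers)` path in kern/verifiers.c. It should state that on i386-pc the filter exists only once the module is loaded, so a later change that adds a core consumer of the verifiers API does not assume the filter is always present.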
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index aa3dc7c64..58dbe152a 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -217,8 +217,25 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+   return GRUB_ERR_NONE;
+ }
+ 
++/*
++ * It is intended to build verifiers as module on i386-pc platform to minimize
++ * the impact of growing core image size could blow up the 63 sectors limit of
++ * some MBR gap one day. It is also adequate to do so, given no core function
++ * on i386-pc would require the verifiers API to work.
++ */
++#ifdef GRUB_MACHINE_PCBIOS
++GRUB_MOD_INIT(verifiers)
++#else
+ void
+ grub_verifiers_init (void)
++#endif
+ {
+   grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
++
++#ifdef GRUB_MACHINE_PCBIOS
++GRUB_MOD_FINI(verifiers)
++{
++  grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
++}
++#endif
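Review bot: `GRUB_MOD_FINI(verifiers)` calls `grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY)` unconditionally, without looking at whether any verifier is still registered. After that call, file opens no longer pass through `grub_verifiers_open`. Please confirm that modules registering a verifier hold a dependency that keeps this module from being unloaded first, and say so in the new comment block above `GRUB_MOD_INIT`, since the comment currently covers only the size motivation and not the unload behaviour.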
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c398..6fde244fc 100644
+--- a/include/grub/verify.h
++++ b/include/grub/verify.h
+@@ -64,10 +64,14 @@ struct grub_file_verifier
+   grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+ 
++#ifdef GRUB_MACHINE_PCBIOS
++extern struct grub_file_verifier *grub_file_verifiers;
++#else
+ extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
+ 
+ extern void
+ grub_verifiers_init (void);
++#endif
+ 
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -81,7 +85,12 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+   grub_list_remove (GRUB_AS_LIST (ver));
+ }
+ 
++#ifdef GRUB_MACHINE_PCBIOS
++grub_err_t
++grub_verify_string (char *str, enum grub_verify_string_type type);
++#else
+ extern grub_err_t
+ EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
++#endif
+ 
+ #endif /* ! GRUB_VERIFY_HEADER */
diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
--- grub2-2.04/debian/patches/series	2021-03-02 18:00:00.000000000 +0000
+++ grub2-2.04/debian/patches/series	2021-03-19 10:41:41.000000000 +0000
@@ -213,3 +213,4 @@
 2021-02-security/111-kern-misc-Add-function-to-check-printf-format-against-expected-format.patch
 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
+pc-verifiers-module.patch

unblock grub2/2.04-17

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

--- End Message ---
--- Begin Message ---
Hi Colin,

On 10-04-2021 12:00, Cyril Brulebois wrote:
> Happy to trust Colin and Steve on such things, please go ahead.

unblocked.

Paul



--- End Message ---
