
Bug#988585: unblock: grub2/2.04-18



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2 2.04-18.  This is mostly fixes from Steve to sort
out UEFI Secure Boot on i386.  The upstream patch to fix section size
calculation *seems* to only fix a problem on ia64 right now, which of
course wouldn't be release-critical by itself, but having
potentially-incorrect section sizes gives me the shivers so I thought it
best to include this as well.

You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
well to match, since these four source packages must all have matching
versions - I'm not sure exactly how the tools work from your end.

diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
--- grub2-2.04/debian/.git-dpm	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/.git-dpm	2021-04-25 16:20:17.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3d246c561a2c6aa18b78eae69e5100a2347dc7aa
-3d246c561a2c6aa18b78eae69e5100a2347dc7aa
+0eae44daa60c3f0ce8fdb349ba71b869a6738efd
+0eae44daa60c3f0ce8fdb349ba71b869a6738efd
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz
diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
--- grub2-2.04/debian/build-efi-images	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/build-efi-images	2021-04-25 16:20:17.000000000 +0100
@@ -150,12 +150,6 @@
 	cpuid
 	linuxefi
 	play
-	"
-	;;
-esac
-case $platform in
-    x86_64-efi)
-	CD_MODULES="$CD_MODULES
 	tpm
 	"
 	;;
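Review bot: Whether `tpm` reaches every EFI image depends on the `case` pattern that guards this arm, and that pattern sits above the hunk. Folding `tpm` in beside `cpuid`, `linuxefi` and `play` ties it to whatever platforms the arm matches; if the arm is x86-only, other EFI targets for which the Makefile.core.def patch now builds the module would still get images without it. A comment above the `CD_MODULES=` assignment (not inside the quoted list, where it would become part of the value) such as `# tpm is listed here so the x86 EFI images carry it; other EFI targets are handled elsewhere or not at all` would record which outcome is intended.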
@@ -197,6 +191,7 @@
 	"
 
 # CD boot image
+echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
 	-d "$grub_core" \
 	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
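Review bot: The quoted `$CD_MODULES` in the new `echo` keeps the newlines and tabs the variable is assembled with, so the build log gets one module per line and the trailing `in ...efi` text ends up alone on the last line. The `echo` lines added before the grub, grubnet and grubnet-installer images in the next two hunks behave the same way with `$GRUB_MODULES` and `$NET_MODULES`. Collapsing the whitespace gives a single greppable line per image, which is what someone auditing the contents of a signed image will look for: `echo "Including modules $(echo $CD_MODULES) in $outdir/gcd$efi_name.efi"`. The `grub_mkimage` invocation continues past the end of this hunk.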
@@ -205,12 +200,14 @@
 	$CD_MODULES
 
 # Normal disk boot image
+echo "Including modules $GRUB_MODULES in $outdir/grub$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
 	-d "$grub_core" -p "/EFI/$efi_vendor" \
 	--sbat "$sbat_csv" \
 	$GRUB_MODULES
 
 # Normal network boot image
+echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
@@ -221,6 +218,7 @@
 # Special network boot image for d-i to use. Just the same as the
 # normal network boot image, but with a different value baked in for
 # the prefix setting
+echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
--- grub2-2.04/debian/changelog	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/changelog	2021-04-25 16:20:17.000000000 +0100
@@ -1,3 +1,18 @@
+grub2 (2.04-18) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Enable the shim_lock and tpm modules for i386-efi too. Ensure that
+    tpm is included in our EFI images.
+  * List the modules we include the EFI images - make it easier to
+    debug things.
+  * Add debug to display what's going on with verifiers
+
+  [ Colin Watson ]
+  * util/mkimage: Some fixes to PE binaries section size calculation
+    (closes: #987103).
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 25 Apr 2021 16:20:17 +0100
+
 grub2 (2.04-17) unstable; urgency=medium
 
   * Pass --sbat when building the d-i netboot image as well.
diff -Nru grub2-2.04/debian/patches/debug_verifiers.patch grub2-2.04/debian/patches/debug_verifiers.patch
--- grub2-2.04/debian/patches/debug_verifiers.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/debug_verifiers.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,28 @@
+From bb6fe7f81818b8d102ca92b174d79aebb62469a0 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Sat, 17 Apr 2021 22:05:47 +0100
+Subject: Add debug to display what's going on with verifiers
+
+Patch-Name: debug_verifiers.patch
+---
+ grub-core/kern/verifiers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 58dbe152a..ff984c8d8 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -100,11 +100,13 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
+     {
+       enum grub_verify_flags flags = 0;
++      grub_dprintf ("verify", "trying verifier %s\n", ver->name);
+       err = ver->init (io, type, &context, &flags);
+       if (err)
+ 	goto fail_noclose;
+       if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ 	{
++	  grub_dprintf ("verify", "verifier %s said GRUB_VERIFY_FLAGS_DEFER_AUTH\n", ver->name);
+ 	  defer = 1;
+ 	  continue;
+ 	}
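Review bot: The `if (err) goto fail_noclose;` path is still silent after this change, and a verifier whose `init` fails is the case most worth seeing when debugging why a file was rejected under Secure Boot. Logging before the jump would close the gap: `if (err) { grub_dprintf ("verify", "verifier %s init failed: %d\n", ver->name, (int) err); goto fail_noclose; }`. The loop body and the rest of grub_verifiers_open continue outside the hunk, so any other early-exit branches there may need the same treatment.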
diff -Nru grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch
--- grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,33 @@
+From 3d04d38e67bb78127a6ec4329634441c4bf4194c Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Sat, 17 Apr 2021 22:04:38 +0100
+Subject: Enable shim_lock and tpm modules for all efi platforms, not just
+ x86_64_efi
+
+Patch-Name: enable_shim_lock_i386_efi.patch
+---
+ grub-core/Makefile.core.def | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 43b3da725..b9d2912a0 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -948,7 +948,7 @@ module = {
+ module = {
+   name = shim_lock;
+   common = commands/efi/shim_lock.c;
+-  enable = x86_64_efi;
++  enable = efi;
+ };
+ 
+ module = {
+@@ -2488,7 +2488,7 @@ module = {
+   name = tpm;
+   common = commands/tpm.c;
+   efi = commands/efi/tpm.c;
+-  enable = x86_64_efi;
++  enable = efi;
+ };
+ 
+ module = {
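Review bot: `enable = efi;` builds shim_lock and tpm for every EFI target, which is wider than the "for i386-efi too" wording in the changelog and the patch file name, so `commands/efi/shim_lock.c` and `commands/efi/tpm.c` now have to compile and behave correctly on the non-x86 EFI ports as well. If only 32-bit x86 was meant, the narrower form is two lines per module, `enable = i386_efi;` and `enable = x86_64_efi;`. If the broad form is intended, as the Subject line says, the changelog entry should say "all EFI platforms". Building the module also does not by itself place it in the signed image; the build-efi-images change in this debdiff names only `tpm`, so it is worth confirming how shim_lock gets into the i386 image.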
diff -Nru grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch
--- grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,109 @@
+From 0eae44daa60c3f0ce8fdb349ba71b869a6738efd Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 16 Apr 2021 21:37:23 +0200
+Subject: util/mkimage: Some fixes to PE binaries section size calculation
+
+Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
+added a helper function to setup PE sections, but it caused regressions
+in some arches where the natural alignment lead to wrong section sizes.
+
+This patch fixes a few things that were caused the section sizes to be
+calculated wrongly. These fixes are:
+
+ * Only align the virtual memory addresses but not the raw data offsets.
+ * Use aligned sizes for virtual memory sizes but not for raw data sizes.
+ * Always align the sizes to set the virtual memory sizes.
+
+These seems to not cause problems for x64 and aa64 EFI platforms but was
+a problem for ia64. Because the size of the ".data" and "mods" sections
+were wrong and didn't have the correct content. Which lead to GRUB not
+being able to load any built-in module.
+
+Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Bug-Debian: https://bugs.debian.org/987103
+
+Patch-Name: mkimage-fix-section-sizes.patch
+---
+ util/mkimage.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index b354ec1d9..9c01723ef 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -841,7 +841,7 @@ init_pe_section(const struct grub_install_image_target_desc *image_target,
+ 
+   section->raw_data_offset = grub_host_to_target32 (*rda);
+   section->raw_data_size = grub_host_to_target32 (rsz);
+-  (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT);
++  (*rda) = *rda + rsz;
+ 
+   section->characteristics = grub_host_to_target32 (characteristics);
+ 
+@@ -1296,7 +1296,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 	char *pe_img, *pe_sbat, *header;
+ 	struct grub_pe32_section_table *section;
+ 	size_t n_sections = 4;
+-	size_t scn_size;
++	size_t scn_size, raw_size;
+ 	grub_uint32_t vma, raw_data;
+ 	size_t pe_size, header_size;
+ 	struct grub_pe32_coff_header *c;
+@@ -1397,7 +1397,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 				   GRUB_PE32_SCN_MEM_EXECUTE |
+ 				   GRUB_PE32_SCN_MEM_READ);
+ 
+-	scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
++	raw_size = layout.kernel_size - layout.exec_size;
++	scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	/* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
+ 	PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
+ 							       ALIGN_UP (total_module_size,
+@@ -1405,15 +1406,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 
+ 	section = init_pe_section (image_target, section, ".data",
+ 				   &vma, scn_size, image_target->section_align,
+-				   &raw_data, scn_size,
++				   &raw_data, raw_size,
+ 				   GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				   GRUB_PE32_SCN_MEM_READ |
+ 				   GRUB_PE32_SCN_MEM_WRITE);
+ 
+-	scn_size = pe_size - layout.reloc_size - sbat_size - raw_data;
++	raw_size = pe_size - layout.reloc_size - sbat_size - raw_data;
++	scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	section = init_pe_section (image_target, section, "mods",
+ 				   &vma, scn_size, image_target->section_align,
+-				   &raw_data, scn_size,
++				   &raw_data, raw_size,
+ 				   GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				   GRUB_PE32_SCN_MEM_READ |
+ 				   GRUB_PE32_SCN_MEM_WRITE);
+@@ -1423,21 +1425,22 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 	    pe_sbat = pe_img + raw_data;
+ 	    grub_util_load_image (sbat_path, pe_sbat);
+ 
++	    scn_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	    section = init_pe_section (image_target, section, ".sbat",
+-				       &vma, sbat_size,
++				       &vma, scn_size,
+ 				       image_target->section_align,
+ 				       &raw_data, sbat_size,
+ 				       GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				       GRUB_PE32_SCN_MEM_READ);
+ 	  }
+ 
+-	scn_size = layout.reloc_size;
++	scn_size = ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
+ 	PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
+ 	memcpy (pe_img + raw_data, layout.reloc_section, scn_size);
+ 	init_pe_section (image_target, section, ".reloc",
+ 			 &vma, scn_size, image_target->section_align,
+-			 &raw_data, scn_size,
++			 &raw_data, layout.reloc_size,
+ 			 GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 			 GRUB_PE32_SCN_MEM_DISCARDABLE |
+ 			 GRUB_PE32_SCN_MEM_READ);
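Review bot: The `memcpy` into the `.reloc` raw data now uses the aligned `scn_size`, while the raw size handed to `init_pe_section` for the same section is `layout.reloc_size`. Unless `layout.reloc_size` is already a multiple of `GRUB_PE32_FILE_ALIGNMENT` (not visible in these hunks), the copy reads past the end of `layout.reloc_section` and writes padding beyond what `raw_data` is advanced by. Copying the unpadded length keeps the two consistent: `memcpy (pe_img + raw_data, layout.reloc_section, layout.reloc_size);`. The same question applies to `base_relocation_table.size`, which now records the padded value. grub_install_generate_image starts and ends outside these hunks.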
diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
--- grub2-2.04/debian/patches/series	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/patches/series	2021-04-25 16:20:17.000000000 +0100
@@ -214,3 +214,6 @@
 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
 pc-verifiers-module.patch
+enable_shim_lock_i386_efi.patch
+debug_verifiers.patch
+mkimage-fix-section-sizes.patch

unblock grub2/2.04-18

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Attachment: signature.asc
Description: PGP signature

