
Bug#988585: marked as done (unblock: grub2/2.04-18)



Your message dated Thu, 20 May 2021 19:34:14 +0200
with message-id <0ed73623-086e-da2f-d3ea-8139af9c019b@debian.org>
and subject line Re: Bug#988585: unblock: grub2/2.04-18
has caused the Debian Bug report #988585,
regarding unblock: grub2/2.04-18
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
988585: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=988585
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock grub2 2.04-18.  This is mostly fixes from Steve to sort
out UEFI Secure Boot on i386.  The upstream patch to fix section size
calculation *seems* to only fix a problem on ia64 right now, which of
course wouldn't be release-critical by itself, but having
potentially-incorrect section sizes gives me the shivers so I thought it
best to include this as well.

You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as
well to match, since these four source packages must all have matching
versions - I'm not sure exactly how the tools work from your end.

diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm
--- grub2-2.04/debian/.git-dpm	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/.git-dpm	2021-04-25 16:20:17.000000000 +0100
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-3d246c561a2c6aa18b78eae69e5100a2347dc7aa
-3d246c561a2c6aa18b78eae69e5100a2347dc7aa
+0eae44daa60c3f0ce8fdb349ba71b869a6738efd
+0eae44daa60c3f0ce8fdb349ba71b869a6738efd
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz
diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images
--- grub2-2.04/debian/build-efi-images	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/build-efi-images	2021-04-25 16:20:17.000000000 +0100
@@ -150,12 +150,6 @@
 	cpuid
 	linuxefi
 	play
-	"
-	;;
-esac
-case $platform in
-    x86_64-efi)
-	CD_MODULES="$CD_MODULES
 	tpm
 	"
 	;;
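Review bot: With the separate x86_64-efi arm removed, tpm is now appended in the preceding case arm, whose pattern lies outside this context. Please confirm that arm only matches platforms for which the tpm module is actually built. That depends on the `enable = efi;` change in enable_shim_lock_i386_efi.patch, so the two changes have to stay together, and a short comment next to the module list saying so would help.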
@@ -197,6 +191,7 @@
 	"
 
 # CD boot image
+echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \
 	-d "$grub_core" \
 	-c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \
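Review bot: In the new echo line, $CD_MODULES is expanded inside double quotes, and the list is built with embedded newlines and tabs (as the `CD_MODULES="$CD_MODULES` / `tpm` lines in the previous hunk show), so each image gets a ragged multi-line message in the build log. Collapsing the whitespace first, for example with $(echo $CD_MODULES) inside the message, would keep each message on one line and easy to grep. The same applies to the GRUB_MODULES and NET_MODULES messages added in the following hunks.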
@@ -205,12 +200,14 @@
 	$CD_MODULES
 
 # Normal disk boot image
+echo "Including modules $GRUB_MODULES in $outdir/grub$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \
 	-d "$grub_core" -p "/EFI/$efi_vendor" \
 	--sbat "$sbat_csv" \
 	$GRUB_MODULES
 
 # Normal network boot image
+echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
@@ -221,6 +218,7 @@
 # Special network boot image for d-i to use. Just the same as the
 # normal network boot image, but with a different value baked in for
 # the prefix setting
+echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi"
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog
--- grub2-2.04/debian/changelog	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/changelog	2021-04-25 16:20:17.000000000 +0100
@@ -1,3 +1,18 @@
+grub2 (2.04-18) unstable; urgency=medium
+
+  [ Steve McIntyre ]
+  * Enable the shim_lock and tpm modules for i386-efi too. Ensure that
+    tpm is included in our EFI images.
+  * List the modules we include the EFI images - make it easier to
+    debug things.
+  * Add debug to display what's going on with verifiers
+
+  [ Colin Watson ]
+  * util/mkimage: Some fixes to PE binaries section size calculation
+    (closes: #987103).
+
+ -- Colin Watson <cjwatson@debian.org>  Sun, 25 Apr 2021 16:20:17 +0100
+
 grub2 (2.04-17) unstable; urgency=medium
 
   * Pass --sbat when building the d-i netboot image as well.
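Review bot: The first 2.04-18 entry says the modules are enabled "for i386-efi too", but the patch it describes is titled "Enable shim_lock and tpm modules for all efi platforms" and switches to `enable = efi;`. The changelog should state the wider scope so that readers can see which architectures are affected. In the second entry, "List the modules we include the EFI images" is missing "in", and the "Add debug ..." item lacks the full stop the other items end with.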
diff -Nru grub2-2.04/debian/patches/debug_verifiers.patch grub2-2.04/debian/patches/debug_verifiers.patch
--- grub2-2.04/debian/patches/debug_verifiers.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/debug_verifiers.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,28 @@
+From bb6fe7f81818b8d102ca92b174d79aebb62469a0 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Sat, 17 Apr 2021 22:05:47 +0100
+Subject: Add debug to display what's going on with verifiers
+
+Patch-Name: debug_verifiers.patch
+---
+ grub-core/kern/verifiers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 58dbe152a..ff984c8d8 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -100,11 +100,13 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+   FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
+     {
+       enum grub_verify_flags flags = 0;
++      grub_dprintf ("verify", "trying verifier %s\n", ver->name);
+       err = ver->init (io, type, &context, &flags);
+       if (err)
+ 	goto fail_noclose;
+       if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ 	{
++	  grub_dprintf ("verify", "verifier %s said GRUB_VERIFY_FLAGS_DEFER_AUTH\n", ver->name);
+ 	  defer = 1;
+ 	  continue;
+ 	}
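Review bot: The error path in grub_verifiers_open, `if (err) goto fail_noclose;`, still produces no debug output, and a verifier whose init fails is the case where this tracing is needed most. Consider adding a grub_dprintf ("verify", ...) that names ver->name before the goto. The GRUB_VERIFY_FLAGS_DEFER_AUTH message line also runs well past 80 columns and could be wrapped after the format string.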
diff -Nru grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch
--- grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,33 @@
+From 3d04d38e67bb78127a6ec4329634441c4bf4194c Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93sam@debian.org>
+Date: Sat, 17 Apr 2021 22:04:38 +0100
+Subject: Enable shim_lock and tpm modules for all efi platforms, not just
+ x86_64_efi
+
+Patch-Name: enable_shim_lock_i386_efi.patch
+---
+ grub-core/Makefile.core.def | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 43b3da725..b9d2912a0 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -948,7 +948,7 @@ module = {
+ module = {
+   name = shim_lock;
+   common = commands/efi/shim_lock.c;
+-  enable = x86_64_efi;
++  enable = efi;
+ };
+ 
+ module = {
+@@ -2488,7 +2488,7 @@ module = {
+   name = tpm;
+   common = commands/tpm.c;
+   efi = commands/efi/tpm.c;
+-  enable = x86_64_efi;
++  enable = efi;
+ };
+ 
+ module = {
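Review bot: Both `enable = efi;` lines widen the build to every platform in the efi group, while the patch file name (enable_shim_lock_i386_efi.patch) and the changelog mention only i386. The commit message should say which EFI platforms other than i386 and x86_64 were build-tested with commands/efi/shim_lock.c and commands/efi/tpm.c, or the patch name should be changed to match the actual scope.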
diff -Nru grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch
--- grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch	1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch	2021-04-25 16:20:17.000000000 +0100
@@ -0,0 +1,109 @@
+From 0eae44daa60c3f0ce8fdb349ba71b869a6738efd Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javierm@redhat.com>
+Date: Fri, 16 Apr 2021 21:37:23 +0200
+Subject: util/mkimage: Some fixes to PE binaries section size calculation
+
+Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
+added a helper function to setup PE sections, but it caused regressions
+in some arches where the natural alignment lead to wrong section sizes.
+
+This patch fixes a few things that were caused the section sizes to be
+calculated wrongly. These fixes are:
+
+ * Only align the virtual memory addresses but not the raw data offsets.
+ * Use aligned sizes for virtual memory sizes but not for raw data sizes.
+ * Always align the sizes to set the virtual memory sizes.
+
+These seems to not cause problems for x64 and aa64 EFI platforms but was
+a problem for ia64. Because the size of the ".data" and "mods" sections
+were wrong and didn't have the correct content. Which lead to GRUB not
+being able to load any built-in module.
+
+Reported-by: John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>
+Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
+
+Bug-Debian: https://bugs.debian.org/987103
+
+Patch-Name: mkimage-fix-section-sizes.patch
+---
+ util/mkimage.c | 21 ++++++++++++---------
+ 1 file changed, 12 insertions(+), 9 deletions(-)
+
+diff --git a/util/mkimage.c b/util/mkimage.c
+index b354ec1d9..9c01723ef 100644
+--- a/util/mkimage.c
++++ b/util/mkimage.c
+@@ -841,7 +841,7 @@ init_pe_section(const struct grub_install_image_target_desc *image_target,
+ 
+   section->raw_data_offset = grub_host_to_target32 (*rda);
+   section->raw_data_size = grub_host_to_target32 (rsz);
+-  (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT);
++  (*rda) = *rda + rsz;
+ 
+   section->characteristics = grub_host_to_target32 (characteristics);
+ 
+@@ -1296,7 +1296,7 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 	char *pe_img, *pe_sbat, *header;
+ 	struct grub_pe32_section_table *section;
+ 	size_t n_sections = 4;
+-	size_t scn_size;
++	size_t scn_size, raw_size;
+ 	grub_uint32_t vma, raw_data;
+ 	size_t pe_size, header_size;
+ 	struct grub_pe32_coff_header *c;
+@@ -1397,7 +1397,8 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 				   GRUB_PE32_SCN_MEM_EXECUTE |
+ 				   GRUB_PE32_SCN_MEM_READ);
+ 
+-	scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT);
++	raw_size = layout.kernel_size - layout.exec_size;
++	scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	/* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. */
+ 	PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size +
+ 							       ALIGN_UP (total_module_size,
+@@ -1405,15 +1406,16 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 
+ 	section = init_pe_section (image_target, section, ".data",
+ 				   &vma, scn_size, image_target->section_align,
+-				   &raw_data, scn_size,
++				   &raw_data, raw_size,
+ 				   GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				   GRUB_PE32_SCN_MEM_READ |
+ 				   GRUB_PE32_SCN_MEM_WRITE);
+ 
+-	scn_size = pe_size - layout.reloc_size - sbat_size - raw_data;
++	raw_size = pe_size - layout.reloc_size - sbat_size - raw_data;
++	scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	section = init_pe_section (image_target, section, "mods",
+ 				   &vma, scn_size, image_target->section_align,
+-				   &raw_data, scn_size,
++				   &raw_data, raw_size,
+ 				   GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				   GRUB_PE32_SCN_MEM_READ |
+ 				   GRUB_PE32_SCN_MEM_WRITE);
+@@ -1423,21 +1425,22 @@ grub_install_generate_image (const char *dir, const char *prefix,
+ 	    pe_sbat = pe_img + raw_data;
+ 	    grub_util_load_image (sbat_path, pe_sbat);
+ 
++	    scn_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	    section = init_pe_section (image_target, section, ".sbat",
+-				       &vma, sbat_size,
++				       &vma, scn_size,
+ 				       image_target->section_align,
+ 				       &raw_data, sbat_size,
+ 				       GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 				       GRUB_PE32_SCN_MEM_READ);
+ 	  }
+ 
+-	scn_size = layout.reloc_size;
++	scn_size = ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT);
+ 	PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma);
+ 	PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size);
+ 	memcpy (pe_img + raw_data, layout.reloc_section, scn_size);
+ 	init_pe_section (image_target, section, ".reloc",
+ 			 &vma, scn_size, image_target->section_align,
+-			 &raw_data, scn_size,
++			 &raw_data, layout.reloc_size,
+ 			 GRUB_PE32_SCN_CNT_INITIALIZED_DATA |
+ 			 GRUB_PE32_SCN_MEM_DISCARDABLE |
+ 			 GRUB_PE32_SCN_MEM_READ);
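Review bot: In the .reloc part of the last mkimage.c hunk, scn_size becomes ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT), but the unchanged `memcpy (pe_img + raw_data, layout.reloc_section, scn_size);` still uses it as the copy length, so the copy can now read up to one alignment unit past the reloc_size bytes of layout.reloc_section, unless that buffer is known to be padded, which is not visible here. The copy length should be layout.reloc_size, matching the raw size now passed to init_pe_section and the commit message's rule that raw data sizes are not aligned. The same question applies to base_relocation_table.size, which now receives the aligned value rather than the real table size. Separately, the first hunk makes `(*rda) = *rda + rsz;` unaligned, so a comment in init_pe_section stating that callers must keep the raw offsets consistent with the file alignment would document the new contract.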
diff -Nru grub2-2.04/debian/patches/series grub2-2.04/debian/patches/series
--- grub2-2.04/debian/patches/series	2021-03-19 10:41:41.000000000 +0000
+++ grub2-2.04/debian/patches/series	2021-04-25 16:20:17.000000000 +0100
@@ -214,3 +214,6 @@
 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
 pc-verifiers-module.patch
+enable_shim_lock_i386_efi.patch
+debug_verifiers.patch
+mkimage-fix-section-sizes.patch

unblock grub2/2.04-18

Thanks,

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]



--- End Message ---
--- Begin Message ---
Hi

On 20-05-2021 18:02, Cyril Brulebois wrote:
> Paul Gevers <elbrus@debian.org> (2021-05-20):
>> This needs an ACK from d-boot as well.
> 
> No objections, thanks.

Unblocked.

Paul



--- End Message ---
