mjg59
d4bc2bf02f
Merge pull request #20 from mjg59/master
...
Add TPM measurement support
2016-01-05 15:32:28 -08:00
Matthew Garrett
a0e69405e2
Measure multiboot images and modules
2016-01-05 14:35:17 -08:00
Matthew Garrett
b47b5685b5
Measure commands
...
Measure each command executed by grub, which includes script execution.
2016-01-05 14:35:17 -08:00
Matthew Garrett
2d410729e9
Measure the kernel commandline
...
Measure the kernel commandline to ensure that it hasn't been modified
2016-01-05 14:35:17 -08:00
Matthew Garrett
20e355fd5a
Measure kernel and initrd on BIOS systems
...
Measure the kernel and initrd when loaded on BIOS systems
2016-01-05 14:35:17 -08:00
Matthew Garrett
738f6f09b3
Rework linux16 command
...
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
2016-01-05 14:35:17 -08:00
Matthew Garrett
a2599ab047
Rework linux command
...
We want a single buffer that contains the entire kernel image in order to
perform a TPM measurement. Allocate one and copy the entire kernel into it
before pulling out the individual blocks later on.
2016-01-05 14:35:17 -08:00
Matthew Garrett
1e32d63145
Add BIOS boot measurement
...
Measure the on-disk grub core on BIOS systems - unlike UEFI, the firmware
can't do this stage for us.
2016-01-05 14:35:17 -08:00
Matthew Garrett
f22ee4487c
Measure kernel + initrd
...
Measure the kernel and initrd when loaded on UEFI systems
2016-01-05 14:35:17 -08:00
Matthew Garrett
858f763466
Core TPM support
...
Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI and BIOS systems, but
will measure all modules as they're loaded.
2016-01-05 14:35:05 -08:00
Matthew Garrett
76fb8e4341
Fix race in EFI validation
...
The Secure Boot code currently reads the kernel from disk, validates the
signature and then reads it from disk again. A sufficiently exciting storage
device could modify the kernel between these two events and trigger the
execution of an untrusted kernel. Avoid re-reading it in order to ensure
this isn't a problem, and in the process speed up boot by not reading the
kernel twice.
2016-01-05 14:14:54 -08:00
Vladimir Serbinenko
9f8f9e62af
minixfs_test: Check if mkfs.minixfs supports -B option.
2016-01-05 21:10:27 +01:00
Vladimir Serbinenko
f86fd54cf0
Add memdisk support to grub-emu.
...
Use it to add custom files, so that tests which need them work.
2016-01-05 21:10:27 +01:00
Vladimir Serbinenko
3f430a0126
Move file loading functions to grub-emu.
...
So that we can use it in grub-emu as well as utils.
2016-01-05 21:10:27 +01:00
Vladimir Serbinenko
f2b54835f2
Disable progress indicator in grub-shell.
...
This disables progress indicator for tests. This in turn fixes test
flakiness as they ended up timing-dependent.
2016-01-05 21:10:10 +01:00
Vladimir Serbinenko
300be005a8
Update checksums
2016-01-05 11:55:30 +01:00
Andrei Borzenkov
aa7bb4607b
acpihalt: add GRUB_ACPI_OPCODE_CREATE_DWORD_FIELD (0x8a)
...
Fixes ACPI halt on ASUSTeK P8B75-V,
Bios: American Megatrends v: 0414 date: 04/24/2012
Reported-By: Goh Lip <g.lip@gmx.com>
2016-01-02 21:33:18 +03:00
Andrei Borzenkov
19554a6034
acpihalt: fix GRUB_DSDT_TEST compilation
2016-01-02 19:02:19 +03:00
Andrei Borzenkov
ba83ed1538
Add missing BUILD_EXEEXT
2016-01-01 12:06:40 +03:00
Vladimir Serbinenko
80fdaf1d01
configure.ac: Reorder efiemu check to after link format check.
...
efiemu is supposed to be disabled when compiling through exe format.
Unfortunately format was determined only after efiemu check. Reorder to fix the
problem
2015-12-31 22:36:23 +01:00
Andrey Borzenkov
4d6e9c8a92
remove temporary .bin files (kernel and modules)
2015-12-31 23:00:25 +03:00
Andrey Borzenkov
af23303cbd
add dejavu built fonts to cleanfiles
2015-12-31 22:23:12 +03:00
Andrei Borzenkov
c67025fad5
Add grub-module-verifier files to EXTRA_DIST
2015-12-31 21:35:11 +03:00
Vladimir Serbinenko
40051fedc3
configure: Add -fno-unwind-tables if supported.
...
Unwind tables are useless for us but consume space if present. Ensure that they
are not.
2015-12-31 19:20:03 +01:00
Vladimir Serbinenko
dcc499aaf0
module-verifier: allow limited-range relocations on sparc64.
...
clang has incomplete mcmodel=large support. As we don't currently need full
mcmodel=large support for sparc64, relax those checks.
2015-12-31 18:30:39 +01:00
Vladimir Serbinenko
3b21499506
Disable build-time module check on emu.
...
On emu some checks can be laxer like check for relocation range. Additionally
module loading in emu is rarely used. So skip this check rather than making
it laxer for all platforms. Ideally we may want to have slightly different
check for emu but for now this is good enough.
2015-12-31 18:20:11 +01:00
Vladimir Serbinenko
5ae590b32d
configure: Fix grub_cv_cc_fno_unwind_tables check.
...
Check tries -fno-dwarf2-cfi-asm but adds -fno-asynchronous-unwind-tables
to TARGET_CFLAGS. Fix this.
2015-12-31 18:19:15 +01:00
Vladimir Serbinenko
f1b3525385
Add -mno-stack-arg-probe on mingw.
...
This argument disables generation of calls to __chkstk_ms. Those calls are
useless on GRUB as function is dummy. Yet they increase module size and
use limited-range relocations which may not work under some memory layouts.
We currently don't use such layouts on concerned platforms but let's correct
this.
2015-12-31 18:15:49 +01:00
Vladimir Serbinenko
68e158dffd
Strip .ARM.exidx
...
This section is generated by clang and is useful only for debugging.
It contains exotic relocations, so strip them to avoid them interfering
with module loading.
2015-12-31 18:13:59 +01:00
Vladimir Serbinenko
e1b2b9bf1d
module-verifier: Check range-limited relative relocations.
...
Check that they point to the same module, so will end up in the same
chunk of memory.
2015-12-31 15:29:28 +01:00
Vladimir Serbinenko
76588d1319
xen/relocator: Use local symbol to ensure that code is relocation-free.
2015-12-31 14:54:56 +01:00
Vladimir Serbinenko
60ae582142
backtrace: Fix register call syntax
2015-12-31 14:54:48 +01:00
Vladimir Serbinenko
a7cf8b1e23
Verify modules on build-time rather than failing in runtime.
2015-12-31 13:09:15 +01:00
Vladimir Serbinenko
5919626c90
sparc64: Fix assembly to let compiler fill in memory references.
...
This fixes the use of not fully relocatable (they assume that variables are
under 4G limit in virtual memory) references.
2015-12-31 13:07:16 +01:00
Andrey Borzenkov
2333a83baa
30_os-prober: derive --class from os-prober generated label
...
Currently only Windows gets distinguished icons, everything else is displayed
using the same generic one. Add additional --class based on os-prober returned
label, which usually is expected to match primary distribution name.
Also use it for Windows as well - chainloader prober may actually return
different strings (Windows, MS-DOS, Windows9xME).
2015-12-30 22:30:16 +03:00
Vladimir Serbinenko
79cfad6fbe
backtrace: Remove assembly assumption that grub_backtrace_pointer is under 4G
2015-12-30 18:19:44 +01:00
Andrei Borzenkov
93ecc3f1f8
menu: fix line count calculation for long lines
...
It gave one extra screen line if length was exactly equal to screen
width.
Reported by Michael Chang.
Also-By: Michael Chang <mchang@suse.com>
2015-12-30 06:20:51 +03:00
Vladimir Serbinenko
dbab354157
grub-mkrescue: Delete temporary file
...
Reported by: Thomas Schmitt
2015-12-29 17:48:34 +01:00
Vladimir Serbinenko
4111882828
grub-mount: Fix path parsing.
...
Brackets detection was copied from somewhere else and makes no sense in case
of grub-mount and prevents user from accessing any files with ) in them.
2015-12-29 17:43:05 +01:00
Vladimir Serbinenko
ca7bb46d5c
exfat: Fix stream extension flag parsing.
2015-12-29 17:42:25 +01:00
Andrei Borzenkov
3bca85b418
devmapper: check for valid device abstraction in get_grub_dev
...
This was lost when code was refactored. Patch restores previous behavior.
It is still not clear whether this is the right one. Due to the way we
detect DM abstraction, partitions on DM are skipped, we fall through to
generic detection which ends up in assuming parent device is BIOS disk.
It is useful to install GRUB on VM disk from the host. But it also means
that GRUB will mistakenly allow install on real system as well.
For now let's fix regression; future behavior needs to be discussed.
Closes: 45163
2015-12-26 21:45:22 +03:00
Michael Marineau
fcefc6bbc5
Merge pull request #19 from marineam/merge
...
Merge upstream GRUB changes
2015-12-22 17:30:18 -08:00
Andrei Borzenkov
a9399f2e1e
windows: correct LBA in generated EFI HDD media paths
...
GRUB keeps partition offset and size in units of 512B sectors. Media paths
are defined in terms of LBA which are presumed to match HDD sector size.
This is probably cosmetic (EFI requires that partition is searched by GUID)
and still incorrect if GPT was created using different logical block size.
But current code is obviously wrong and new has better chances to be correct.
2015-12-19 11:32:49 +03:00
Michael Marineau
286f1b63df
Merge branch 'master' of git://git.savannah.gnu.org/grub
2015-12-17 12:01:00 -08:00
Michael Marineau
c81cf64a40
Revert "linguas: use en_US as UTF-8 locale, C.UTF-8 is not a standard locale."
...
This reverts commit 28b0af948e.
Superseded by a39137aefe upstream.
2015-12-17 12:00:03 -08:00
Robert Elliott
c79c59f129
lsefimmap: support persistent memory and other UEFI 2.5 features
...
This should accompany 76ce1de740 Translate UEFI persistent memory type
1. Add a string for the EfiPersistentMemory type 14 that was
added in UEFI 2.5.
2. Decode the memory attributes that were added in UEFI 2.5:
* NV (non-volatile)
* MORE_RELIABLE (higher reliable, e.g., mirrored memory in a system
with partial memory mirroring)
* RO (read-only)
3. Use proper IEC binary units (KiB, MiB, etc.) for power-of-two
values rather than misusing SI power-of-ten units (KB, MB, etc.)
4. The lsmmap command only decodes memory ranges sizes up to GiB scale
units. Persistent memory ranges will reach into the TiB scale.
Since 64-bit size field supports TiB, PiB, and EiB, decode all of
them for completeness.
5. In the lsefimmap command, rewrite the print statements to
* avoid rounding
* avoid a big nested if/else tree.
For example: In the sixth entry below, the value of 309MB implies
316416KB but is really reporting 316436KB.
Widen the size column to 6 digits to accommodate typical cases.
The worst case value would require 14 digits; if that happens,
let the columns get out of sync.
Old format:
Type Physical start - end #Pages Size Attributes
conv-mem 0000000000000000-0000000000092fff 00000093 588KB UC WC WT WB
reserved 0000000000093000-0000000000093fff 00000001 4KB UC WC WT WB
conv-mem 0000000000094000-000000000009ffff 0000000c 48KB UC WC WT WB
conv-mem 0000000000100000-000000000fffffff 0000ff00 255MB UC WC WT WB
BS-code 0000000010000000-0000000010048fff 00000049 292KB UC WC WT WB
conv-mem 0000000010049000-000000002354dfff 00013505 309MB UC WC WT WB
ldr-data 000000002354e000-000000003ecfffff 0001b7b2 439MB UC WC WT WB
BS-data 000000003ed00000-000000003ed7ffff 00000080 512KB UC WC WT WB
conv-mem 000000003ed80000-000000006af5ffff 0002c1e0 705MB UC WC WT WB
reserved 000000006af60000-000000006b55ffff 00000600 6MB UC WC WT WB
BS-data 000000006b560000-000000006b560fff 00000001 4KB UC WC WT WB
RT-data 000000006b561000-000000006b5e1fff 00000081 516KB RT UC WC WT WB
BS-data 000000006b5e2000-000000006ecfafff 00003719 55MB UC WC WT WB
BS-code 000000006ecfb000-000000006ecfbfff 00000001 4KB UC WC WT WB
conv-mem 000000006ecfc000-00000000711fafff 000024ff 36MB UC WC WT WB
BS-data 00000000711fb000-000000007128dfff 00000093 588KB UC WC WT WB
Unk 0d 0000000880000000-0000000e7fffffff 00600000 24GB UC WC WT WB NV
reserved 0000001680000000-0000001c7fffffff 00600000 24GB UC WC WT WB NV
New format:
Type Physical start - end #Pages Size Attributes
conv-mem 0000000000000000-0000000000092fff 00000093 588KiB UC WC WT WB
reserved 0000000000093000-0000000000093fff 00000001 4KiB UC WC WT WB
conv-mem 0000000000094000-000000000009ffff 0000000c 48KiB UC WC WT WB
conv-mem 0000000000100000-000000000fffffff 0000ff00 255MiB UC WC WT WB
BS-code 0000000010000000-0000000010048fff 00000049 292KiB UC WC WT WB
conv-mem 0000000010049000-000000002354dfff 00013505 316436KiB UC WC WT WB
ldr-data 000000002354e000-000000003ecfffff 0001b7b2 450248KiB UC WC WT WB
BS-data 000000003ed00000-000000003ed7ffff 00000080 512KiB UC WC WT WB
conv-mem 000000003ed80000-000000006af5ffff 0002c1e0 722816KiB UC WC WT WB
reserved 000000006af60000-000000006b55ffff 00000600 6MiB UC WC WT WB
BS-data 000000006b560000-000000006b560fff 00000001 4KiB UC WC WT WB
RT-data 000000006b561000-000000006b5e1fff 00000081 516KiB RT UC WC WT WB
BS-data 000000006b5e2000-000000006ecfafff 00003719 56420KiB UC WC WT WB
BS-code 000000006ecfb000-000000006ecfbfff 00000001 4KiB UC WC WT WB
conv-mem 000000006ecfc000-0000000071222fff 00002527 38044KiB UC WC WT WB
BS-data 0000000071223000-00000000712ddfff 000000bb 748KiB UC WC WT WB
persist 0000000880000000-0000000e7fffffff 00600000 24GiB UC WC WT WB NV
reserved 0000001680000000-0000001c7fffffff 00600000 24GiB UC WC WT WB NV
2015-12-17 21:00:44 +03:00
Andrei Borzenkov
609c049dcc
kernel: print and reset grub_errno after each embedded config line
...
Otherwise it causes subsequent file open to fail, because grub_file_open
misinterprets set grub_errno for grub_file_get_device_name failure.
Closes: 46540
2015-12-16 21:20:30 +03:00
Andrei Borzenkov
7136b545c1
Erase backspaced character in grub_username_get
...
It probably does not work across linefeed, but hopefully user names are not
that long (and nobody is using terminal that small).
2015-12-16 19:20:10 +03:00
Hector Marco-Gisbert
451d80e52d
Fix security issue when reading username and password
...
This patch fixes two integer underflows at:
* grub-core/lib/crypto.c
* grub-core/normal/auth.c
CVE-2015-8370
Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
2015-12-16 07:57:18 +03:00
Andrei Borzenkov
ff5726b878
NEWS: more additions
...
Also-By: Robert Elliott <elliott@hpe.com>
2015-12-15 10:43:12 +03:00