Add support for performing basic TPM measurements. Right now this only
supports extending PCRs statically and only on UEFI and BIOS systems, but
will measure all modules as they're loaded.
The Secure Boot code currently reads the kernel from disk, validates the
signature and then reads it from disk again. A sufficiently exciting storage
device could modify the kernel between these two events and trigger the
execution of an untrusted kernel. Avoid re-reading it in order to ensure
this isn't a problem, and in the process speed up boot by not reading the
kernel twice.
On emu some checks can be laxer like check for relocation range. Additionally
module loading in emu is rarely used. So skip this check rather than making
it laxer for all platforms. In ideal we may want to have slightly different
check for emu but for now this is good enough.
This section is generated by clang and is useful only for debugging.
It contains exotic relocations, so strip them to avoid them interferring
with module loading.
This was lost when code was refactored. Patch restores previous behavior.
It is still not clear whether this is the right one. Due to the way we
detect DM abstraction, partitions on DM are skipped, we fall through to
generic detection which ends up in assuming parent device is BIOS disk.
It is useful to install GRUB on VM disk from the host. But it also means
that GRUB will mistakenly allow install on real system as well.
For now let's fix regression; future behavior needs to be discussed.
Closes: 45163
GRUB keeps partition offset and size in units of 512B sectors. Media paths
are defined in terms of LBA which are presumed to match HDD sector size.
This is probably cosmetic (EFI requires that partition is searched by GUID)
and still incorrect if GPT was created using different logical block size.
But current code is obviously wrong and new has better chances to be correct.
Otherwise it causes subsequent file open to fail, because grub_file_open
misinterprets set grub_errno for grub_file_get_device_name failure.
Closes: 46540
Define
* GRUB_EFI_PERSISTENT_MEMORY (UEFI memory map type 14) per UEFI 2.5
* GRUB_MEMORY_PERSISTENT (E820 type 7) per ACPI 3.0
* GRUB_MEMORY_PERSISTENT_LEGACY (E820 unofficial type 12) per ACPI 3.0
and translate GRUB_EFI_PERSISTENT_MEMORY to GRUB_MEMORY_PERSISTENT in
grub_efi_mmap_iterate().
Includes
* adding the E820 names to lsmmap
* handling the E820 types in make_efi_memtype()
Suggested-by: Vladimir 'φ-coder/phcoder' Serbinenko <phcoder@gmail.com>
Suggested-by: Andrei Borzenkov <arvidjaar@gmail.com>
While adding tcp window scaling support I was finding that I'd get some packet
loss or reordering when transferring from large distances and grub would just
timeout. This is because we weren't ack'ing when we got our OOO packet, so the
sender didn't know it needed to retransmit anything, so eventually it would fill
the window and stop transmitting, and we'd time out. Fix this by ACK'ing when
we don't find our next sequence numbered packet. With this fix I no longer time
out. Thanks,
Signed-off-by: Josef Bacik <jbacik@fb.com>
Condition was accidentally reversed, so PIT calibration always failed
when PIT was present and always succeeded when PIT was missing, but in
the latter case resulted in absurdly fast clock.
Reported and tested by Vitaly Kuznetsov <vkuznets@redhat.com>
PIT isn't available on some of new hardware including Hyper-V. So
use pmtimer for calibration. Moreover pmtimer calibration is faster, so
use it on coreboor where booting time is important.
Based on patch by Michael Chang.
9be4c45dbe added switch case between
fall through cases, causing all memory regions of unknown type to be
marked as available.
Move default case into its own block and add explicit FALLTHROUGH
annotation.
Reported by Elliott, Robert (Persistent Memory) <elliott@hpe.com>
We were resetting nb->data every time we tried a new server, but we need to do
it every time we try for a different record, otherwise we don't end up falling
back to the A record properly. Thanks,
Signed-off-by: Josef Bacik <jbacik@fb.com>
Add a command to read values from the qemu fwcfg store. This allows data
to be passed from the qemu command line to grub.
Example use:
echo '(hd0,1)' >rootdev
qemu -fw_cfg opt/rootdev,file=rootdev
fwconfig opt/rootdev root
This makes it impossible to read from stdin without controlling tty:
10:/mnt # echo -e passwd\\npasswd | setsid ./grub-mkpasswd-pbkdf2
Enter password:
Reenter password: ./grub-mkpasswd-pbkdf2: error: failure to read password.
10:/mnt
It is not possible to configure encrypted containers on multiple partitions of
the same disk; after the first one all subsequent fail with
disk/cryptodisk.c:978: already mounted as crypto0
Store partition offset in cryptomount descriptor to distinguish between them.
From original patch by dann frazier <dann.frazier@canonical.com>:
grub_net_fs_open() saves off a copy of the file structure it gets passed and
uses it to create a bufio structure. It then overwrites the passed in file
structure with this new bufio structure. Since file->name doesn't get set
until we return back to grub_file_open(), it means that only the bufio
structure gets a valid file->name. The "real" file's name is left
uninitialized. This leads to a crash when the progress module hook is called
on it.
grub_net_fs_open() already saved copy of file name as ->net->name, so change
progress module to use it.
Also, grub_file_open may leave file->name as NULL if grub_strdup fails. Check
for it.
Also-By: dann frazier <dann.frazier@canonical.com>
It cannot work anyway because host disk cannot be read. This fixes hostfs access
on native Windows build where filenames start with '\' or do not have initial
separator at all (d:\foo).
Issue was observed when running grub-fstest on Windows. On UNIX image name is
canonicalized to always start with `/' so this was not noticed.
This has side effect of allowing relative path names on host, but this already
was the case with `ls' command, so it just extends it to all commands.
Reported-By: Arch Stack <archstacker@gmail.com>
Also-By: Arch Stack <archstacker@gmail.com>
sun4v vnet devices do not implement the support of duplex and speed
instance attributes. An attempt to open such a device with
the attributes will fail:
ok select net:speed=auto,duplex=auto
Unknown key 'speed'
Unknown key 'duplex'
Manual Configuration: Host IP, boot server and filename must be specified
WARNING: /virtual-devices@100/channel-devices@200/network@0: Can't open OBP standard TFTP package
Can't open device
ok
Therefore, let's not set SUFFIX for such devices.
Signed-off-by: Stanislav Kholmanskikh <stanislav.kholmanskikh@oracle.com>
The EFI spec indicates that get_status() should return the address of the buffer
we passed into transmit to indicate the the buffer was transmitted. However we
have boxes where the firmware returns some arbitrary address instead, which
makes grub think that we've not sent anything. So since we have the SNP stuff
opened in exclusive mode just assume any non-NULL txbuf means that our transmit
occurred properly. This makes grub able to do its networking stuff properly on
our broken firmware. Thanks,
cc: Peter Jones <pjones@redhat.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Recent tests have discovered that many of our filesystems have flawed
handling of "." and "..". Rather than attempting to fix it in filesystems
themselves, make the common code fshelp aware of "." and ".." and handle
them in this layer. Add grub_fshelp_find_file_lookup for easy conversion
of BFS, HFS and exFAT which have the same problem and don't use fshelp.
mips_attributes was introduced to work around clang problems with
-msoft-float. Those problems are now fixed and moreover .gnu_attributes
itself is unportable and creates problem with clang.
Revert "mips: Fix soft-float handling."
This partially reverts commit 6a4ecd276e.
Regression from commit:
loader/linux: do not pad initrd with zeroes at the end
a8c473288d
Wimboot fails since the change above because it expects the "trailer"
initrd element on an aligned address.
This issue shows only when newc_name is used and the last initrd
entry has a not aligned size.
Since btrfs on-disk format uses little-endian, the searched item types
(ROOT_REF, INODE_REF) need converting the byte order in order to
function properly on big-endian systems.
Emulate dot and dotdot in root directory. For other directories do not
add separator between name and extension for these two special entries.
Closes: 45335
Exclusive open on SNP will close all existing protocol instances which
may disable all receive filters on interface. Reinstall them after we
opened protocol exclusively.
Also follow UEFI specification recommendation and stop interfaces when
closing them:
Unexpected system errors, reboots and hangs can occur if an OS is loaded
and the network devices are not Shutdown() and Stopped().
Also by: Mark Salter <msalter@redhat.com>
Closes: 45204
The current code for EFI grub_exit() calls grub_efi_fini() before
returning to firmware. In the case of ARM, this leaves a timer
event running which could lead to a firmware crash. This patch
changes this so that grub_machine_fini() is called with a NORETURN
flag. This allows machine-specific shutdown to happen as well
as the shutdown done by grub_efi_fini().
Signed-off-by: Mark Salter <msalter@redhat.com>
Add support for new XFS on disk format. We have to handle optional
filetype fields in directory entries, additional CRC, LSN, UUID entries
in some structures, etc.
Signed-off-by: Jan Kara <jack@suse.cz>
Including the setjmp module in an arm64-efi image will cause it to
immediately exit with an "incompatible license" error.
The source file includes a GPLv3+ boilerplate, so fix this by declaring a
GPLv3+ license using the GRUB_MOD_LICENSE macro.
Signed-off-by: dann frazier <dann.frazier@canonical.com>
Currently, some messages cannot be mapped to the port they belong to as
the port number is missing from the output. So add `port: n` to the
debug messages.
Run the command below
$ git grep -l schedulded | xargs sed -i 's/schedulded/scheduled/g'
and revert the change in `ChangeLog-2015`.
Including "miscellaneous" spelling fix noted by richardvoigt@gmail.com
large blocks basically use extensible dataset feature, or to be exact,
setting recordsize above 128k will trigger large_block feature to be
enabled and storing such blocks is using feature extensible dataset. so
the extensible dataset is prerequisite.
Changes implement read support extensible dataset… instead of fixed DMU
types they dont specify type, making it possible to use fat zap objects
from bonus area.
While in theory permitted by the spec, modules rarely fit in low memory
anyway and not every kernel is able to handle modules in low memory anyway.
At least VMWare is known not to be able to handle modules at arbitrary
locations.
Add the descriptions of the “core”, that means no vendorcode or payload,
coreboot time stamps added up to coreboot commit a7d92441 (timestamps:
You can never have enough of them!) [1].
Running `coreboot_boottime` in the GRUB command line interface now shows
descriptions for all time stamps again on the ASRock E350M1.
[1] http://review.coreboot.org/9608
From RFC1542:
The 'giaddr' field is rather poorly named. It exists to facilitate
the transfer of BOOTREQUEST messages from a client, through BOOTP
relay agents, to servers on different networks than the client.
Similarly, it facilitates the delivery of BOOTREPLY messages from the
servers, through BOOTP relay agents, back to the client. In no case
does it represent a general IP router to be used by the client. A
BOOTP client MUST set the 'giaddr' field to zero (0.0.0.0) in all
BOOTREQUEST messages it generates.
A BOOTP client MUST NOT interpret the 'giaddr' field of a BOOTREPLY
message to be the IP address of an IP router. A BOOTP client SHOULD
completely ignore the contents of the 'giaddr' field in BOOTREPLY
messages.
Leave code ifdef'd out for the time being in case we see regression.
Suggested by: Rink Springer <rink@rink.nu>
Closes: 43396
Currently XFS driver converted inode numbers to native endianity only
when using them to compute inode position. Although this works, it is
somewhat confusing. So convert inode numbers when reading them from disk
structures as every other field.
Signed-off-by: Jan Kara <jack@suse.cz>
Directory iteration used wrong position (sizeof wrong structure) for
termination of iteration inside a directory block. Luckily the position
ended up being wrong by just 1 byte and directory entries are larger so
things worked out fine in practice. But fix the problem anyway.
Signed-off-by: Jan Kara <jack@suse.cz>
EBDA layout is not standardized so we cannot assume first two bytes
are length. Neither is it required by ACPI standard. HP 8710W is known
to contain zeroes here.
Closes: 45002
EDK2 network stack is based on Managed Network Protocol which is layered
on top of Simple Management Protocol and does background polling. This
polling races with grub for received (and probably trasmitted) packets
which causes either serious slowdown or complete failure to load files.
Open SNP device exclusively. This destroys all child MNP instances and
stops background polling.
Exclusive open cannot be done when enumerating cards, as it would destroy
PXE information we need to autoconfigure interface; and it cannot be done
during autoconfiguration as we need to do it for non-PXE boot as well. So
move SNP open to card ->open method and add matching ->close to clean up.
Based on patch from Mark Salter <msalter@redhat.com>
Also-By: Mark Salter <msalter@redhat.com>
Closes: 41731
EDK2 PXE driver creates two child devices - IPv4 and IPv6 - with
bound SNP instance. This means we get three cards for every physical
adapter when enumerating. Not only is this confusing, this may result
in grub ignoring packets that come in via the "wrong" card.
Example of device hierarchy is
Ctrl[91] PciRoot(0x0)/Pci(0x3,0x0)
Ctrl[95] PciRoot(0x0)/Pci(0x3,0x0)/MAC(525400123456,0x1)
Ctrl[B4] PciRoot(0x0)/Pci(0x3,0x0)/MAC(525400123456,0x1)/IPv4(0.0.0.0)
Ctrl[BC] PciRoot(0x0)/Pci(0x3,0x0)/MAC(525400123456,0x1)/IPv6(0000:0000:0000:0000:0000:0000:0000:0000)
Skip PXE created virtual devices when enumerating cards. Make sure to
find real card when applying initial autoconfiguration during PXE boot,
this information is associated with one of child devices.
Syslinux memdisk is using initrd image and needs to know uncompressed
size in advance. For gzip uncompressed size is at the end of compressed
stream. Grub padded each input file to 4 bytes at the end, which means
syslinux got wrong size.
Linux initramfs loader apparently does not care about trailing alignment.
So change code to align beginning of each file instead which atomatically
gives us the correct size for single file.
Reported-By: David Shaw <dshaw@jabberwocky.com>
This reverts commits 47b2bee3ef
and 8d3c4544ff. It is not safe
to free allocated cards, dangling pointers main remain. Such
cleanup requires more changes in net core.
grub_memset should zero out padding after data end. It is not clear
why it is needed at all - ZFS block is at least 512 bytes and power
of two, so it is always multiple of 16 bytes. This grub_memset
apparently never did anything.
In the past birth was always zero for holes. This feature started
to make use of birth for holes as well, so change code to test for
valid DVA address instead.
If grub is signed with a key that's in the trusted EFI keyring, an attacker
can point a boot entry at grub rather than at shim and grub will fail to
locate the shim verification protocol. This would then allow booting an
arbitrary kernel image. Fail validation if Secure Boot is enabled and we
can't find the shim protocol in order to prevent this.
Hi,
Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine
as far as it goes. However, the insmod command is not the only way that
modules can be loaded. In particular, the 'normal' command, which
implements the usual GRUB menu and the fully-featured command prompt,
will implicitly load commands not currently loaded into memory. This
permits trivial Secure Boot violations by writing commands implementing
whatever you want to do and pointing $prefix at the malicious code.
I'm currently test-building this patch (replacing your current
grub-2.00-no-insmod-on-sb.patch), but this should be more correct. It
moves the check into grub_dl_load_file.
It can be called with NULL for third argument. grub_divmod32* for
now are called only from within wrappers, so skip check.
Reported-By: Michael Zimmermann <sigmaepsilon92@gmail.com>
Some x86 systems might be capable of running a 64-bit Linux kernel but
only use a 32-bit EFI (e.g. Intel Bay Trail systems). It's useful for
grub-install to be able to recognise such systems, to set the default
x86 platform correctly.
To allow grub-install to know the size of the firmware rather than
just the size of the kernel, there is now an extra EFI sysfs file to
describe the underlying firmware. Read that if possible, otherwise
fall back to the kernel type as before.
Signed-off-by: Steve McIntyre <steve@einval.com>
Use the new thumb_get_instruction_word/thumb_set_instruction_word
helpers throughout.
Style cleanup (missing spaces).
Move Thumb MOVW/MOVT handlers into Thumb relocation section of file.
This restrict ARP handling to MAC and IP addresses but in practice we need
only this case anyway and other cases are very rar if exist at all. It makes
code much simpler and less error-prone.
_BSD_SOURCE was added to allow the use of DT_DIR, but that was removed
in e768b77068. While adding
_DEFAULT_SOURCE as well works around problems with current glibc,
neither is in fact needed nowadays.
argp_help attempts to translate empty string, which results in printing
meta information about translation, like in
bor@opensuse:~/build/grub> grub2-mknetdir --help
Использование: grub2-mknetdir [ПАРАМЕТР…]
Project-Id-Version: grub 2.02-pre2
Report-Msgid-Bugs-To: bug-grub@gnu.org
...
Update gnulib/argp-help.c to the current version which fixes this
(commit b9bfe78424b871f5b92e5ee9e7d21ef951a6801d).
canonicalize_file_name clashed with gnulib function. Additionally
it was declared in 2 places: emu/misc.h and util/misc.h. Added
grub_ prefix and removed second declaration.
libgcc for boot environment isn't always present and compatible.
libgcc is often absent if endianness or bit-size at boot is different
from running OS.
libgcc may use optimised opcodes that aren't available on boot time.
So instead of relying on libgcc shipped with the compiler, supply
the functions in GRUB directly.
Tests are present to ensure that those replacement functions behave the
way compiler expects them to.
All current ciphers have blocks which are power of 2 and it's
unlikely to change. Other block length would be tricky to handle anyway.
This restriction allows avoiding extra divisions.
Add -msoft-float alongside clang arguments to specify ABI.
Specify ABI in asm files explicitly.
This trigers asm warning due to gcc failing to propagate -msoft-float
but it's tolerable.
Previously we supplied only unsigned divisions on platforms that need software
division.
Yet compiler may itself use a signed division. A typical example would be a
difference between 2 pointers which involves division by object size.
Avoid micro-optimization in grub_diskfilter_make_raid and make sure
name and fullname are independent strings. This avoids need to special
case it everywhere else.
Also fix memory leak in failure case in grub_diskfilter_make_raid.
Closes: 41582
Commit 750f4bacd3 put LV validation before
actual vg assignment. Make grub_diskfilter_make_raid to assign ->vg as
happens in other cases for consistency. Also clean up redundant code and add
explicit NULL lv->vg check in validate_lv.
Also fix segment validation in validate_lv; it became obvious when crash
was fixed.
Closes: 44199
GCC 4.9 also generates R_ARM_THM_MOVW_ABS_NC and R_ARM_THM_MOVT_ABS,
as an alternative to ABS32.
Signed-off-by: Leif Lindholm <leif.lindholm@linaro.org>
strlcpy is not available on Linux as part of standard libraries.
It probably is not worth extra configure checks espicially as we
need to handle missing function anyway.
Old condition was used to zero-out header variable on exit of the loop.
This is correct but confusing. Replace with in-loop logic.
Found by: Coverity Scan.
To be compatible with legacy pv-grub, sort disks by increasing order of handle
value. This allows reusing legacy pv-grub menu.lst which is using hdX names.
Suggested-By: Michael Chang <mchang@suse.com>
Closes: 44026
The unaligned local in __aeabi_uidivmod leads to a store to a 64bit
value at an address that is not divisible by 8 (in grub_divmod64).
The compiler most likely generates a STRD instruction to store it and
this causes an exception.
Fixes Savannah bug #43632.
This includes improvements done by Leif Lindholm.
Using the http module to download config files, produces memory errors,
after the config file is downloaded.
The error was traced to the tcp stack in grub-core/net/tcp.c. The wrong
netbuff pointer was being freed in the clean up loop.
Changing the code to free the correct netbuff pointer removes the runtime
error.
Closes 42765.
grub_pubkey_open closed original file after it was read; it set
io->device to NULL to prevent grub_file_close from trying to close device.
But network device itself is stacked (net -> bufio); and bufio preserved
original netfs file which hold reference to device. grub_file_close(io)
called grub_bufio_close which called grub_file_close for original file.
grub_file_close(netfs-file) now also called grub_device_close which
freed file->device->net. So file structure returned by grub_pubkey_open
now had device->net pointed to freed memory. When later file was closed,
it was attempted to be freed again.
Change grub_pubkey_open to behave like other filters - preserve original
parent file and pass grub_file_close down to parent. In this way only the
original file will close device. We really need to move this logic into
core instead.
Also plug memory leaks in error paths on the way.
Reported-By: Robert Kliewer <robert.kliewer@gmail.com>
Closes: bug #43601
configure_ciphers:
- several memory leaks where allocated ciphers were not freed. CID: 73813,
73710
- use after free. It is probably quite innocent as grub is single threaded,
but could potentially be a problem with memory allocator debugger turned on.
CID: 73730
luks_recover_key:
- memory leak. CID: 73854
Many routers have long router advertisment interval configured by
default. The Neighbor Discovery protocol (RFC4861) has defined default
MaxRtrAdvInterval value as 600 seconds and
MinRtrAdvInterval as 0.33*MaxRtrAdvInterval. This makes
net_ipv6_autoconf fails more often than not as currently it passively
listens the RA message to perfom address autoconfiguration.
This patch tries to send router solicitation to overcome the problem of
long RA interval.
v2:
use cpu_to_be macro for network byte order conversion
add missing error handling
Basic usage would look something like this:
gptprio.next -d usr_dev -u usr_uuid
linuxefi ($usr_dev)/boot/vmlinuz mount.usr=PARTUUID=$usr_uuid
After booting the system should set the 'successful' bit on the
partition that was used.
The EFI version of grub_machine_get_bootlocation crops the boot image
name back to the last / in order to get a directory path. However, it
does not check that *name is actually set before calling grub_strrchr
to do this, and neither does grub_strrchr before dereferencing a NULL
pointer.
Parent function, grub_set_prefix_and_root, does check the pointer
before using.
The structure size used in grub_netbuff_pull to get the pointer to
option header is apparently wrong, which leads to subsequent range check
failed and therefore not responding to any neighbor solicit message in my
testing.
The first hint of something practical, a command that can restore any of
the GPT structures from the alternate location. New test case must run
under QEMU because the loopback device used by the other unit tests does
not support writing.
The header location fields refer to 'this header' and 'alternate header'
respectively, not 'primary header' and 'backup header'. The previous
field names are backwards for the backup header.
This module is a new implementation for reading GUID Partition Tables
which is much stricter than the existing part_gpt module and exports GPT
data directly instead of the generic grub_partition structure. It will
be the basis for modules that need to read/write/update GPT data.
The current code does nothing more than read and verify the table.
struct ... foo = { 0, } is valid initializer, but older GCC emits
warning which is fatal error due to -Werror=missing-field-initializer.
So simply use full initializer to avoid these errors. This was fixed
probably in GCC 4.7.
See https://gcc.gnu.org/bugzilla/show_bug.cgi?id=36750
The AML parser implements only a small subset of possible AML
opcodes. On the Fujitsu Lifebook E744 this and another bug in
the parser (incorrect handling of TermArg data types) would lead
to the laptop not turning off (_S5 not found).
* grub-core/commands/acpihalt.c: Support OpAlias in the AML parser;
in skip_ext_op(), handle some Type2Opcodes more correctly (TermArgs
aren't always simply strings!); Add function to skip TermArgs
* include/grub/acpi.h: Add new opcodes
Currently, if "linux" fails, the "goto fail;" in grub_cmd_initrd sends us
into grub_initrd_close() without grub_initrd_init() being called, and thus
it never clears initrd_ctx->components. grub_initrd_close() then frees that
address, which is stale data from the stack. If the stack happens to have a
stale *address* there that matches a recent allocation, then you'll get a
double free later.
So initialize the memory up front.
Signed-off-by: Peter Jones <pjones@redhat.com>
We encountered a weird random kernel initrd unpacking error on btrfs
and finally found it was caused by incorrect address reference in range
check for type GRUB_BTRFS_EXTENT_REGULAR and the entire result is
unpredictable.
This is a quick fix to make the address reference to the
grub_btrfs_extent_data structure correctly, not the pointer variable
to it.
Any suggestions to this patch is welcome.
* configure.ac: Remove -m64 from checks for -mcmodel=large and
-mno-red-zone. These are always either unnecessary (x86_64-emu) or
already in TARGET_CFLAGS at this point, and they produce incorrect
results when building for x32.
* grub-core/kern/x86_64/dl.c (grub_arch_dl_relocate_symbols): Cast
pointers to Elf64_Xword via grub_addr_t, in order to work on x32.
* include/grub/x86_64/types.h (GRUB_TARGET_SIZEOF_VOID_P,
GRUB_TARGET_SIZEOF_LONG): Define to 4 on x32.