Commit graph

405 commits

Author SHA1 Message Date
Michael Marineau
44f54cbf43 gpt: write backup GPT first, skip if inaccessible.
Writing the primary GPT before the backup may lead to a confusing
situation: booting a freshly updated system could consistently fail and
next boot will fall back to the old system if writing the primary works
but writing the backup fails. If the backup is written first and fails
the primary is left in the old state so the next boot will re-try and
possibly fail in the exact same way. Making that repeatable should make
it easier for users to identify the error.

Additionally if the firmware and OS disagree on the disk size, making
the backup inaccessible to GRUB, then just skip writing the backup.
When this happens the automatic call to `coreos-setgoodroot` after boot
will take care of repairing the backup.
2016-09-23 12:25:53 -07:00
Michael Marineau
e4d25afd18 gpt: prefer disk size from header over firmware
The firmware and the OS may disagree on the disk configuration and size.
Although such a setup should be avoided users are unlikely to know about
the problem, assuming everything behaves like the OS. Tolerate this as
best we can and trust the reported on-disk location over the firmware
when looking for the backup GPT. If the location is inaccessible report
the error as best we can and move on.
2016-09-23 12:25:53 -07:00
Michael Marineau
8f7045ee19 gpt: rename and update documentation for grub_gpt_update
The function now does more than just recompute checksums so give it a
more general name to reflect that.
2016-09-22 11:58:44 -07:00
Michael Marineau
7cd866bd2d gpt: report all revalidation errors
Before returning an error that the primary or backup GPT is invalid push
the existing error onto the stack so the user will be told what is bad.
2016-09-22 11:57:29 -07:00
Michael Marineau
5342b880f4 gpt: read entries table at the same time as the header
I personally think this reads easier. Also has the side effect of
directly comparing the primary and backup tables instead of presuming
they are equal if the crc32 matches.
2016-09-21 16:34:36 -07:00
Michael Marineau
f24685b22e gpt: include backup-in-sync check in revalidation 2016-09-21 16:34:36 -07:00
Michael Marineau
d2f9096444 gpt: always revalidate when recomputing checksums
This ensures all code modifying GPT data include the same sanity check
that repair does. If revalidation fails the status flags are left in the
appropriate state.
2016-09-21 16:34:36 -07:00
Michael Marineau
427fdc58e1 gpt: selectively update fields during repair
Just a little cleanup/refactor to skip touching data we don't need to.
2016-09-21 16:34:36 -07:00
Michael Marineau
1f5d29420c gpt: be more careful about relocating backup header
The header was being relocated without checking the new location is
actually safe. If the BIOS thinks the disk is smaller than the OS then
repair may relocate the header into allocated space, failing the final
validation check. So only move it if the disk has grown.

Additionally, if the backup is valid then we can assume its current
location is good enough and leave it as-is.
2016-09-21 16:34:36 -07:00
Michael Marineau
de8d29ef89 gpt: check header and entries status bits together
Use the new status function which checks *_HEADER_VALID and
*_ENTRIES_VALID bits together. It doesn't make sense for the header and
entries bits to mismatch so don't allow for it.
2016-09-21 13:50:06 -07:00
Michael Marineau
f4e09602dc gpt: allow repair function to noop
Simplifies usage a little.
2016-09-21 13:12:31 -07:00
Michael Marineau
3dda6a863a gpt: use inline functions for checking status bits
This should prevent bugs like 6078f836 and 4268f3da.
2016-09-21 13:12:03 -07:00
Vito Caputo
92b5bd1ce3 gpt: add helper for picking a valid header
Eliminate some repetition in primary vs. backup header acquisition.
2016-09-02 17:04:13 -07:00
Michael Marineau
bf127238ee gpt: fix partition table indexing and validation
Portions of the code attempted to handle the fact that GPT entries on
disk may be larger than the currently defined struct while others
assumed the data could be indexed by the struct size directly. This
never came up because no utility uses a size larger than 128 bytes but
for the sake of safety we need to do this by the spec.
2016-09-02 17:04:13 -07:00
Michael Marineau
87dfbf34c4 Merge pull request #33 from marineam/repair-corruption
Fix gptprio to properly detect and repair corruption
2016-08-22 19:40:21 -07:00
Michael Marineau
b2ca30d335 fix checking alternate_lba 2016-08-22 18:30:56 -07:00
Michael Marineau
c68fcd3b1a gpt: refuse to write to sector 0 2016-08-22 17:51:48 -07:00
Michael Marineau
8278022a0b gpt: improve validation of GPT headers
Adds basic validation of all the disk locations in the headers, reducing
the chance of corrupting weird locations on disk.
2016-08-22 17:51:48 -07:00
Michael Marineau
6078f83638 gpt: properly detect and repair invalid tables
GPT_BOTH_VALID is 4 bits so simple a boolean check is not sufficient.
This broken condition allowed gptprio to trust bogus disk locations in
headers that were marked invalid causing arbitrary disk corruption.
2016-08-22 17:33:17 -07:00
Michael Marineau
c2f5fde6ab gpt: add verbose debug logging 2016-08-22 13:02:29 -07:00
Michael Marineau
a8ad608425 gpt: do not use disk sizes GRUB will reject as invalid later on
GRUB assumes that no disk is ever larger than 1EiB and rejects
reads/writes to such locations. Unfortunately this is not conveyed in
the usual way with the special GRUB_DISK_SIZE_UNKNOWN value.
2016-07-25 15:35:01 -07:00
Matthew Garrett
bb3473d7c8 Rework TPM measurements
Rework TPM measurements to use fewer PCRs. After discussion with upstream,
it's preferable to avoid using so many PCRs. Instead, measure into PCRs 8
and 9 but use a prefix in the event log to indicate which subsystem carried
out the measurements.
2016-03-23 17:03:43 -07:00
Matthew Garrett
2d410729e9 Measure the kernel commandline
Measure the kernel commandline to ensure that it hasn't been modified
2016-01-05 14:35:17 -08:00
Michael Marineau
286f1b63df Merge branch 'master' of git://git.savannah.gnu.org/grub 2015-12-17 12:01:00 -08:00
Hector Marco-Gisbert
451d80e52d Fix security issue when reading username and password
This patch fixes two integer underflows at:
  * grub-core/lib/crypto.c
  * grub-core/normal/auth.c

CVE-2015-8370

Signed-off-by: Hector Marco-Gisbert <hecmargi@upv.es>
Signed-off-by: Ismael Ripoll-Ripoll <iripoll@disca.upv.es>
Also-By: Andrey Borzenkov <arvidjaar@gmail.com>
2015-12-16 07:57:18 +03:00
Vladimir Serbinenko
25a9b8f208 fdt.mod: Move license tag to the right file. 2015-11-09 16:15:30 +01:00
Vladimir Serbinenko
cfabe05cc6 mips: Make setjmp code N32-compliant. 2015-10-11 13:20:26 +02:00
Andrei Borzenkov
6e21195890 progress: avoid NULL dereference for net files
From original patch by dann frazier <dann.frazier@canonical.com>:

  grub_net_fs_open() saves off a copy of the file structure it gets passed and
  uses it to create a bufio structure. It then overwrites the passed in file
  structure with this new bufio structure. Since file->name doesn't get set
  until we return back to grub_file_open(), it means that only the bufio
  structure gets a valid file->name. The "real" file's name is left
  uninitialized. This leads to a crash when the progress module hook is called
  on it.

grub_net_fs_open() already saved copy of file name as ->net->name, so change
progress module to use it.

Also, grub_file_open may leave file->name as NULL if grub_strdup fails. Check
for it.

Also-By: dann frazier <dann.frazier@canonical.com>
2015-10-10 11:44:14 +03:00
Alex Crawford
53a4e99990 gpt: add search by disk uuid command 2015-08-31 16:20:37 -07:00
Michael Marineau
91391dc52b Merge pull request #14 from coreos/gnu
Merge upstream GRUB changes
2015-08-13 13:32:56 -07:00
Michael Marineau
d9823e47bc Merge pull request #13 from marineam/lecrc32
gpt: clean up little-endian crc32 computation
2015-07-31 16:24:02 -07:00
Michael Marineau
c7c750ecc2 Merge upstream changes as of April 29th 2015-07-31 15:41:48 -07:00
Michael Marineau
c78ed0bff4 gpt: clean up little-endian crc32 computation
- Remove problematic cast from *uint8_t to *uint32_t (alignment issue).
 - Remove dynamic allocation and associated error handling paths.
 - Match parameter ordering to existing grub_crypto_hash function.
2015-07-31 15:19:41 -07:00
Vladimir Serbinenko
eecdbebc84 Remove mips_attributes.
mips_attributes was introduced to work around clang problems with
-msoft-float. Those problems are now fixed and moreover .gnu_attributes
itself is unportable and creates problem with clang.

Revert "mips: Fix soft-float handling."

This partially reverts commit 6a4ecd276e.
2015-07-22 21:05:11 +02:00
Andrei Borzenkov
a6f7d1abce reed_solomon: fix memory leak
Found by: Coverity scan.
CID: 96688
2015-06-20 23:38:18 +03:00
Andrei Borzenkov
48cd9dc104 syslinux_parse: assorted issues found by Coverity
1. Remove unneeded NULL check
CID: 96607

2. Do not allocate storage for initrd, copy it directly from input
buffer. Avoids memory leak in failure path.
CID: 96604

3. Unchecked error return from print()
CID: 96601, 73595
2015-06-19 18:38:25 +03:00
Andrei Borzenkov
8067fe28ed syslinux_parse: make print_escaped actually stop before `to'
The only current user is mboot.c32 which unfortunately is not covered
by regression tests.
2015-06-19 17:35:17 +03:00
dann frazier
3ac342205d arm64/setjmp: Add missing license macro
Including the setjmp module in an arm64-efi image will cause it to
immediately exit with an "incompatible license" error.

The source file includes a GPLv3+ boilerplate, so fix this by declaring a
GPLv3+ license using the GRUB_MOD_LICENSE macro.

Signed-off-by: dann frazier <dann.frazier@canonical.com>
2015-06-01 17:02:04 +01:00
Daniel Kiper
71783dc978 i386/relocator: Remove unused extern grub_relocator64_rip_addr
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
2015-05-07 18:00:47 +02:00
Andrei Borzenkov
f11db3c7fc core: avoid NULL derefrence in grub_divmod64s
It can be called with NULL for third argument.  grub_divmod32* for
now are called only from within wrappers, so skip check.

Reported-By: Michael Zimmermann <sigmaepsilon92@gmail.com>
2015-04-06 19:30:51 +03:00
Lunar
c9ee9bedef syslinux: Support {vesa,}menu.c32. 2015-03-27 15:15:13 +01:00
Vladimir Serbinenko
dc06aa949b syslinux_parse: Fix the case of unknown localboot.
Reported by: Jordan Uggla
2015-03-04 14:19:29 +01:00
Vladimir Serbinenko
064360e667 Remove libgcc dependency.
libgcc for boot environment isn't always present and compatible.
libgcc is often absent if endianness or bit-size at boot is different
from running OS.
libgcc may use optimised opcodes that aren't available on boot time.
So instead of relying on libgcc shipped with the compiler, supply
the functions in GRUB directly.
Tests are present to ensure that those replacement functions behave the
way compiler expects them to.
2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
94f701a826 crypto: restrict cipher block size to power of 2.
All current ciphers have blocks which are power of 2 and it's
unlikely to change. Other block length would be tricky to handle anyway.
This restriction allows avoiding extra divisions.
2015-02-26 22:04:40 +01:00
Vladimir Serbinenko
80310ad07d Add missing lib/division.c 2015-02-26 18:22:40 +01:00
Vladimir Serbinenko
6a4ecd276e mips: Fix soft-float handling.
Add -msoft-float alongside clang arguments to specify ABI.
Specify ABI in asm files explicitly.
This trigers asm warning due to gcc failing to propagate -msoft-float
but it's tolerable.
2015-02-23 22:33:28 +01:00
Vladimir Serbinenko
e29af836d0 Don't remove initrd= parameter.
Based on simplified patch by Lunar.

Reported by: Lunar
2015-02-16 15:56:26 +01:00
Vladimir Serbinenko
b23635fcff syslinux_parse: Always output comments even if no entries are found. 2015-02-16 10:54:20 +01:00
Andrei Borzenkov
2efab86d5a syslinux_parse: fix memory leak.
Found by: Coverity scan.
2015-01-28 20:09:25 +03:00
Vladimir Serbinenko
9ee5ae1fae Document intentional fallthroughs.
Found by: Coverity scan.
2015-01-27 17:17:58 +01:00