Commit graph

208 commits

Author SHA1 Message Date
Jesús Diéguez Fernández
46f5d51343 msr: Add new MSR modules (rdmsr/wrmsr)
In order to be able to read from and write to model-specific registers,
two new modules are added. They are i386-specific, like the cpuid module.

The rdmsr module registers the command rdmsr, which allows reading from an MSR.
The wrmsr module registers the command wrmsr, which allows writing to an MSR.

The wrmsr module is disabled if UEFI secure boot is enabled.

Please note that on SMP systems, interacting with an MSR that has a scope
per hardware thread implies that the value only applies to the
particular cpu/core/thread that ran the command.

Also, if you specify a reserved or unimplemented MSR address, it will
cause a general protection exception (which is not currently being
handled) and the system will reboot.

Signed-off-by: Jesús Diéguez Fernández <jesusdf@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2019-03-12 20:04:07 +01:00
Matthew Garrett
a791dc0e35 verifiers: Add TPM documentation
Describe the behaviour of GRUB when the TPM module is in use.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2018-12-12 14:51:43 +01:00
Daniel Kiper
878398c1a3 efi: Add EFI shim lock verifier
This module provides shim lock verification for various kernels
if UEFI secure boot is enabled on a machine.

It is recommended to put this module into the GRUB2 standalone image
(avoid putting the iorw and memrw modules into it; they are disallowed
if UEFI secure boot is enabled). However, it is also possible to use
it as a normal module, though such configurations are more fragile
and less secure due to various limitations.

If the module is loaded and UEFI secure boot is enabled then:
  - module itself cannot be unloaded (persistent module),
  - the iorw and memrw modules cannot be loaded,
  - if the iorw and memrw modules are loaded then
    machine boot is disabled,
  - GRUB2 defers modules and ACPI tables verification to
    other verifiers.

Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Ross Philipson <ross.philipson@oracle.com>
2018-11-09 13:25:31 +01:00
Nicholas Vinson
51be3372ec templates: Update grub script template files
Update grub-mkconfig.in and 10_linux.in to support grub-probe's new
partuuid target.  Update grub.texi documentation.  The following table
shows how GRUB_DISABLE_LINUX_UUID, GRUB_DISABLE_LINUX_PARTUUID, and
initramfs detection interact:

Initramfs  GRUB_DISABLE_LINUX_PARTUUID  GRUB_DISABLE_LINUX_UUID  Linux Root
detected   Set                          Set                      ID Method

false      false                        false                    part UUID
false      false                        true                     part UUID
false      true                         false                    dev name
false      true                         true                     dev name
true       false                        false                    fs UUID
true       false                        true                     part UUID
true       true                         false                    fs UUID
true       true                         true                     dev name

Note: GRUB_DISABLE_LINUX_PARTUUID and GRUB_DISABLE_LINUX_UUID equate to
      'false' when unset or set to any value other than 'true'.
      GRUB_DISABLE_LINUX_PARTUUID defaults to 'true'.

Signed-off-by: Nicholas Vinson <nvinson234@gmail.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2018-04-23 13:31:02 +02:00
Jaegeuk Kim
71f9e4ac44 fs: Add F2FS support
"F2FS (Flash-Friendly File System) is a flash-friendly file system which was merged
into Linux kernel v3.8 in 2013.

The motive for F2FS was to build a file system that from the start, takes into
account the characteristics of NAND flash memory-based storage devices (such as
solid-state disks, eMMC, and SD cards).

F2FS was designed on a basis of a log-structured file system approach, which
remedies some known issues of the older log structured file systems, such as
the snowball effect of wandering trees and high cleaning overhead. In addition,
since a NAND-based storage device shows different characteristics according to
its internal geometry or flash memory management scheme (such as the Flash
Translation Layer or FTL), it supports various parameters not only for
configuring on-disk layout, but also for selecting allocation and cleaning
algorithm.", quoted from https://en.wikipedia.org/wiki/F2FS.

The source code for F2FS is available from:

http://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs.git
http://git.kernel.org/cgit/linux/kernel/git/jaegeuk/f2fs-tools.git

This patch has been integrated in OpenMandriva Lx 3.
  https://www.openmandriva.org/

Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Pete Batard <pete@akeo.ie>
Signed-off-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2018-04-10 19:05:04 +02:00
Matthew S. Turnbull
a698240df0 grub-mkconfig/10_linux: Support multiple early initrd images
Add support for multiple, shared, early initrd images. These early
images will be loaded in the order declared, and all will be loaded
before the initrd image.

While many classes of data can be provided by early images, the
immediate use case would be for distributions to provide CPU
microcode to mitigate the Meltdown and Spectre vulnerabilities.

There are two environment variables provided for declaring the early
images.

* GRUB_EARLY_INITRD_LINUX_STOCK is for the distribution to declare
  images that are provided by the distribution or installed packages.
  If undeclared, this will default to a set of common microcode image
  names.

* GRUB_EARLY_INITRD_LINUX_CUSTOM is for user created images. User
  images will be loaded after the stock images.

These separate configurations allow the distribution and user to
declare different image sets without clobbering each other.

This also makes a minor update to ensure that UUID partition labels
stay disabled when no initrd image is found, even if early images are
present.

This is a continuation of a previous patch published by Christian
Hesse in 2016:
http://lists.gnu.org/archive/html/grub-devel/2016-02/msg00025.html

Downstream Gentoo bug:
https://bugs.gentoo.org/645088

Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>
Signed-off-by: Matthew S. Turnbull <sparky@bluefang-logic.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2018-03-14 13:23:27 +01:00
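The two grub-mkconfig commits above (51be3372ec and a698240df0) together define how 10_linux picks the root identifier and orders early initrd images. The following is an added example, not GRUB's own 10_linux.in code: it implements the decision table from 51be3372ec and the "early images do not count as an initrd" rule from a698240df0 in Python. The function names, the in-memory set of boot files (used instead of scanning /boot), the microcode image names and the UUID values are all constructed for the example.

```python
# Added example: root identifier selection and early initrd ordering as
# described in the grub-mkconfig commits. Not GRUB's 10_linux.in; names
# and sample values are constructed.


def truthy(value):
    """GRUB_DISABLE_LINUX_* variables equate to 'false' when unset or set
    to anything other than the exact string 'true'."""
    return value == "true"


def root_id_method(initramfs_detected, disable_partuuid="true", disable_uuid=None):
    """Return the Linux root identification method from the commit's table.

    disable_partuuid defaults to 'true', matching the documented default.
    """
    if initramfs_detected and not truthy(disable_uuid):
        return "fs UUID"
    if not truthy(disable_partuuid):
        return "part UUID"
    return "dev name"


def plan_initrd(boot_files, stock, custom, main_initrd):
    """Order early images: stock first, then custom, each in declared order.

    Only images actually present are kept. The main initrd is returned
    separately because only it counts as 'initramfs detected'.
    """
    wanted = stock.split() + custom.split()
    early = [name for name in wanted if name in boot_files]
    main = main_initrd if main_initrd in boot_files else None
    return early, main


def linux_entry(boot_files, kernel, main_initrd, stock, custom,
                disable_partuuid, disable_uuid, root_dev, fs_uuid, part_uuid):
    """Produce the linux/initrd lines a menu entry would carry.

    Early images alone must not switch the root to a filesystem UUID: the
    kernel cannot resolve UUID= without a real initramfs.
    """
    early, main = plan_initrd(boot_files, stock, custom, main_initrd)
    method = root_id_method(main is not None, disable_partuuid, disable_uuid)
    root = {
        "fs UUID": "UUID=" + fs_uuid,
        "part UUID": "PARTUUID=" + part_uuid,
        "dev name": root_dev,
    }[method]
    lines = ["linux /%s root=%s ro" % (kernel, root)]
    images = early + ([main] if main else [])
    if images:
        lines.append("initrd " + " ".join("/" + name for name in images))
    return lines


if __name__ == "__main__":
    # Constructed stand-in for the contents of /boot.
    files = {"vmlinuz-5.0", "initrd.img-5.0", "intel-ucode.img", "custom.img"}
    for line in linux_entry(files, "vmlinuz-5.0", "initrd.img-5.0",
                            "intel-ucode.img amd-ucode.img", "custom.img",
                            "true", "false", "/dev/sda2", "1234-5678", "abcd-0001"):
        print(line)
```

Removing the main initrd from the file set while keeping the microcode images is the case the second commit calls out: the entry falls back to the device name (or PARTUUID when GRUB_DISABLE_LINUX_PARTUUID is not 'true') even though an initrd line is still emitted for the early images.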
Vladimir Serbinenko
7108c0c86e grub.texi: Fix typo
Reported by: Ori Avtalion <saltyhorse>
2017-08-14 11:36:50 +02:00
Fu Wei
26c2f306fd arm64: Update the introduction of Xen boot commands in docs/grub.texi
delete: xen_linux, xen_initrd, xen_xsm
add: xen_module

This update is based on
    commit 0edd750e50
    Author: Vladimir Serbinenko <phcoder@gmail.com>
    Date:   Fri Jan 22 10:18:47 2016 +0100

        xen_boot: Remove obsolete module type distinctions.

It is also based on the module loading mechanism of the Xen code:
488c2a8 docs/arm64: clarify the documention for loading XSM support
67831c4 docs/arm64: update the documentation for loading XSM support
ca32012 xen/arm64: check XSM Magic from the second unknown module.

Signed-off-by: Fu Wei <fu.wei@linaro.org>
Reviewed-by: Julien Grall <julien.grall@arm.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
2017-05-18 22:30:36 +02:00
Daniel Kahn Gillmor
bf94ef7fbd documentation: Clarify documentation for special environment variable "default".
The current documentation for the special environment variable
"default" is confusing and unclear.  This patch attempts to clean it
up.

In particular, the current documentation refers to the "number or
title", but then in the example it gives, the menu entries and
submenus all have numbers *in* their title; furthermore, there is no
example given about how to choose the number, or any indication about
whether counting is zero-indexed or 1-indexed.

Having a cleaner example and presenting all variants (numeric, title,
and id) should make it clearer to the user.

Signed-off-by: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
2017-02-03 12:32:25 +01:00
Andrei Borzenkov
f8c3af3b61 bootp: export next server IP as environment variable
Network boot autoconfiguration sets the default server to the next server IP
(siaddr) from the BOOTP/DHCP reply, but manual configuration using net_bootp
exports only the server name. Unfortunately the semantics of the server name are not
clearly defined. BOOTP RFC 951 defines it only for the client request, and
DHCP RFC 1541 only mentions it, without any implied usage. It looks like
this field is mostly empty in server replies.

Export the next server IP as the net_<interface>_next_server variable. This allows
the grub configuration script to set $root/$prefix based on information obtained
by net_bootp.

Reported and tested by: Nikunj A Dadhania <nikunj@linux.vnet.ibm.com>
Cc: nikunj@linux.vnet.ibm.com

v2: change variable name to net_<interface>_next_server as discussed on the list
2016-11-22 20:43:04 +03:00
Andreas Freimuth
f96b34224e Add Thinkpad T410s button cmos address. 2016-02-12 19:19:11 +01:00
Vladimir Serbinenko
5f2b285bf8 Document cpuid -p 2016-01-22 13:50:53 +01:00
Vladimir Serbinenko
dab148891e Document expr1 expr2 syntax for test command 2016-01-22 13:27:36 +01:00
Vladimir Serbinenko
4803db51ff Document bootlocation discovery limitations and xen platform limitations 2015-12-14 16:21:24 +01:00
Fu Wei
fb94736fe8 Document ARM64 xen commands 2015-11-12 11:32:01 +01:00
Andrey Borzenkov
bcf8c5814d doc: document config_directory and config_file variables 2015-11-07 17:03:38 +03:00
Andrei Borzenkov
dec7718878 Clarify use of superusers variable and menu entry access
superusers controls both the CLI and editing. Also explicitly mention that
an empty superusers disables them.

"Access to menuentry" is a bit vague - change to "execute menuentry"
to make it obvious what access is granted.
2015-05-30 19:36:41 +03:00
Andrei Borzenkov
a666c8bd18 bootp: ignore gateway_ip (relay) field.
From RFC1542:

   The 'giaddr' field is rather poorly named.  It exists to facilitate
   the transfer of BOOTREQUEST messages from a client, through BOOTP
   relay agents, to servers on different networks than the client.
   Similarly, it facilitates the delivery of BOOTREPLY messages from the
   servers, through BOOTP relay agents, back to the client.  In no case
   does it represent a general IP router to be used by the client.  A
   BOOTP client MUST set the 'giaddr' field to zero (0.0.0.0) in all
   BOOTREQUEST messages it generates.

   A BOOTP client MUST NOT interpret the 'giaddr' field of a BOOTREPLY
   message to be the IP address of an IP router.  A BOOTP client SHOULD
   completely ignore the contents of the 'giaddr' field in BOOTREPLY
   messages.

Leave code ifdef'd out for the time being in case we see regression.

Suggested by: Rink Springer <rink@rink.nu>
Closes: 43396
2015-05-17 22:38:30 +03:00
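The two bootp commits above (f8c3af3b61 and a666c8bd18) describe which fixed fields of a BOOTREPLY GRUB acts on: the next server address (siaddr) is exported, while the relay address (giaddr) is ignored per RFC 1542. The following is an added example, not GRUB's net/bootp.c: a Python parser for the 236-byte fixed BOOTP header (RFC 951 layout) that builds the environment the commit describes. The only variable name taken from the page is net_<interface>_next_server; the interface name, the decision to export nothing when siaddr is 0.0.0.0, and the sample packet (with TEST-NET documentation addresses) are assumptions constructed for the example.

```python
# Added example: parse a BOOTREPLY and derive GRUB-style environment
# variables. Not GRUB's own code; packet contents are constructed.
import ipaddress
import struct

# RFC 951 fixed header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16), sname(64), file(128).
_FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
BOOTREQUEST, BOOTREPLY = 1, 2


def _cstr(raw):
    """Decode a NUL-padded text field, stopping at the first NUL."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_bootreply(packet):
    """Return the fixed fields of a BOOTREPLY as a dict; reject other input."""
    if len(packet) < _FIXED.size:
        raise ValueError("truncated BOOTP message (%d bytes)" % len(packet))
    (op, htype, hlen, hops, xid, secs, flags,
     ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, bootfile) = _FIXED.unpack_from(packet)
    if op != BOOTREPLY:
        raise ValueError("not a BOOTREPLY (op=%d)" % op)
    if hlen > len(chaddr):
        raise ValueError("bad hardware address length %d" % hlen)
    return {
        "xid": xid,
        "ciaddr": str(ipaddress.IPv4Address(ciaddr)),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "siaddr": str(ipaddress.IPv4Address(siaddr)),
        "giaddr": str(ipaddress.IPv4Address(giaddr)),  # relay agent, see RFC 1542
        "chaddr": chaddr[:hlen].hex(":"),
        "sname": _cstr(sname),
        "file": _cstr(bootfile),
    }


def export_variables(reply, interface="efinet0"):
    """Build the variables a config script could use after net_bootp.

    The relay address (giaddr) is deliberately never exported or treated
    as a router. A zero siaddr yields no next_server variable (assumption).
    """
    env = {}
    if reply["siaddr"] != "0.0.0.0":
        env["net_%s_next_server" % interface] = reply["siaddr"]
    return env


def build_sample_reply(siaddr="192.0.2.1"):
    """Constructed BOOTREPLY with a relay (giaddr) that must be ignored."""
    return _FIXED.pack(
        BOOTREPLY, 1, 6, 1, 0x3903F326, 0, 0,
        ipaddress.IPv4Address("0.0.0.0").packed,
        ipaddress.IPv4Address("192.0.2.10").packed,
        ipaddress.IPv4Address(siaddr).packed,
        ipaddress.IPv4Address("198.51.100.1").packed,
        bytes.fromhex("001122334455").ljust(16, b"\0"),
        b"".ljust(64, b"\0"),                      # sname empty, as is common
        b"grub/x86_64-efi/core.efi".ljust(128, b"\0"),
    )


if __name__ == "__main__":
    reply = parse_bootreply(build_sample_reply())
    for key, value in sorted(export_variables(reply).items()):
        print("%s=%s" % (key, value))
```

With the sample reply the only exported variable is net_efinet0_next_server=192.0.2.1; the relay address 198.51.100.1 is parsed but never surfaces as a gateway, which is the behaviour a666c8bd18 adopts from RFC 1542.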
Paul Menzel
e97f5f4968 docs/grub.texi: Fix spelling of cbfstool 2015-04-12 09:10:11 +03:00
Colin Watson
3d369a01ac Update some documentation to refer to Git rather than Bazaar.
* docs/grub.texi (Obtaining and Building GRUB): Refer to Git rather
than Bazaar.
* po/README: Likewise.  Fix spelling mistake.
2013-12-23 14:43:41 +00:00
Jon McCune
dd73313cba Add --no-rs-codes flag to optionally disable reed-solomon codes in grub-install and grub-bios-setup for x86 BIOS targets. 2013-12-09 16:52:12 -08:00
Andrey Borzenkov
c50e5f4543 Update color_normal and color_highlight defaults (light-gray instead of white) 2013-12-08 00:00:26 +04:00
Colin Watson
44d4884779 Merge branch 'cjwatson/timeout-style' 2013-12-03 16:15:45 +00:00
Andrey Borzenkov
be0d45555e document sleep command exit codes 2013-11-30 14:57:11 +04:00
Colin Watson
f70ab525f9 Remove a few references to GRUB_HIDDEN_TIMEOUT*
Reported by Andrey Borzenkov.
2013-11-29 17:19:37 +00:00
Colin Watson
2dbda2215c Fix documentation of behaviour after pressing ESC
Pointed out by Andrey Borzenkov.
2013-11-29 15:25:43 +00:00
Colin Watson
53cc63bf85 Add GRUB_TIMEOUT_STYLE_BUTTON support
Suggested by Vladimir Serbinenko.
2013-11-29 15:18:05 +00:00
Colin Watson
471b2683e7 Move deprecated grub-mkconfig options to a separate table
Suggested by Andrey Borzenkov.
2013-11-29 14:59:25 +00:00
Francesco Lavra
b67422d33d Fix command description in case of a device name passed as argument. 2013-11-28 17:25:52 +04:00
Colin Watson
827d87e9d6 Fix documentation of timeout expiry. 2013-11-28 11:01:53 +00:00
Colin Watson
8f236c1419 Revamp hidden timeout handling
Add a new timeout_style environment variable and a corresponding
GRUB_TIMEOUT_STYLE configuration key for grub-mkconfig.  This
controls hidden-timeout handling more simply than the previous
arrangements, and pressing any hotkeys associated with menu entries
during the hidden timeout will now boot the corresponding menu entry
immediately.

GRUB_HIDDEN_TIMEOUT=<non-empty> + GRUB_TIMEOUT=<non-zero> now
generates a warning, and if it shows the menu it will do so as if
the second timeout were not present.  Other combinations are
translated into reasonable equivalents.
2013-11-28 02:29:15 +00:00
Axel Kellermann
55e706c918 * util/grub.d/30_os-prober.in: Add GRUB_OS_PROBER_SKIP_LIST to
selectively skip systems.
2013-11-19 23:39:51 +01:00
Andrey Borzenkov
c2fdb33116 document cmdpath environment variable 2013-11-16 17:00:59 +04:00
Colin Watson
3809f0163b * docs/grub.texi (Internationalisation, Supported kernels): Fix
sectioning.
2013-11-13 02:08:50 +00:00
Andrey Borzenkov
5b99970eb7 grub-reboot no more sets saved_default
Remove reference to grub-default from description of saved default entry.

Also mention that GRUB_DEFAULT=saved depends on availability of environment
block.
2013-11-10 18:24:27 +04:00
Andrey Borzenkov
5645cc7995 document GRUB_DISABLE_SUBMENU
Signed-off-by: Andrey Borzenkov <arvidjaar@gmail.com>
2013-11-10 17:40:47 +04:00
Vladimir Serbinenko
9612ebc00e Add new ports: i386-xen and x86_64-xen. This allows running GRUB in
a Xen PV environment and loading kernels.
2013-11-09 21:29:11 +01:00
Vladimir Serbinenko
76681e714e * docs/grub.texi (Vendor power-on keys): Add XPS M1330M based on old
e-mail by Per Öberg.
2013-11-04 22:04:22 +01:00
Vladimir Serbinenko
67508925d0 * docs/grub.texi: Document usage of menuentry id. 2013-11-04 05:15:15 +01:00
Vladimir Serbinenko
0c62124eb5 * docs/grub.texi: Add few mentions about EFI, debug and videoinfo. 2013-11-04 02:18:02 +01:00
Vladimir Serbinenko
5a01722ebc * docs/grub.texi: Mention RSA support. 2013-11-03 19:04:02 +01:00
Vladimir Serbinenko
00bfa988fc * grub-core/loader/multiboot.c: Add support for multiboot kernel
quirks.
2013-10-28 15:23:46 +01:00
Jon McCune
c16535a845 Documentation cleanup in response to ML discussion.
[v0] Accepted with modifications by phcoder@
[v1] Introduce subsections within Security
[v1] Correct errors regarding public key files not being automatically signature-checked in trust and verify_detached
[v1] Replace check_signatures=enforce with check_signatures set to enforce
[v1] Move detailed discussion of using signatures out of check_signatures environment variable description
[v1] Use long form for option flags to security-relevant commands
[v2] Explain the key fingerprint format for distrust and list_trusted.
[v2] Eliminates references to grub-mkimage and UEFI Secure Boot.
[v3] Updates in response to addition of --skip-sig to trust and verify_detached
[  ] Restore @xref for cross-references at the start of sentences
2013-10-25 08:52:36 -07:00
Vladimir Serbinenko
bca274b455 * docs/grub.texi: Fix ordering and use pxref rather than xref. 2013-10-23 17:54:28 +02:00
Vladimir Testov
946fd07357 * grub-core/gfxmenu/gui_progress_bar.c: New option `highlight_overlay`
* docs/grub.texi: Likewise.
2013-10-17 15:42:49 +04:00
Vladimir Testov
ad543f123b * docs/grub.texi: Graphical options information update.
Removed outdated entries, updated current ones, inserted missing ones.
2013-10-17 15:07:09 +04:00
Vladimir 'phcoder' Serbinenko
6176a0cdfa * docs/grub.texi: Mention a few new platform-specific commands. 2013-10-17 01:52:44 +02:00
Vladimir Testov
b2b71bff36 * grub-core/gfxmenu/gui_list.c: New option item_pixmap_style.
* docs/grub.texi: Likewise.
2013-10-15 18:12:39 +04:00
Jon McCune
17614b8426 * docs/grub.texi: Document new signatures possibility. 2013-10-14 02:52:12 +02:00
Christian Cier-Zniewski
78170f3e85 * docs/grub.texi (Vendor power-on keys): Add Dell Latitude E4300. 2013-10-12 08:14:02 +02:00