Commit graph

9257 commits

Author SHA1 Message Date
mjg59
19c075a7ac Merge pull request #8 from mjg59/master
Add some more secure boot infrastructure to grub
2015-04-22 16:02:19 -07:00
Matthew Garrett
2755ecd157 Add efi getenv command
Add a command to obtain the contents of EFI firmware variables.
2015-04-22 13:08:26 -07:00
Matthew Garrett
9b669efb38 Fail validation if we can't find shim and Secure Boot is enabled
If grub is signed with a key that's in the trusted EFI keyring, an attacker
can point a boot entry at grub rather than at shim and grub will fail to
locate the shim verification protocol. This would then allow booting an
arbitrary kernel image. Fail validation if Secure Boot is enabled and we
can't find the shim protocol in order to prevent this.
2015-04-22 12:47:49 -07:00
Colin Watson
25850cfd50 Don't allow insmod when secure boot is enabled.
Hi,

Fedora's patch to forbid insmod in UEFI Secure Boot environments is fine
as far as it goes.  However, the insmod command is not the only way that
modules can be loaded.  In particular, the 'normal' command, which
implements the usual GRUB menu and the fully-featured command prompt,
will implicitly load commands not currently loaded into memory.  This
permits trivial Secure Boot violations by writing commands implementing
whatever you want to do and pointing $prefix at the malicious code.

I'm currently test-building this patch (replacing your current
grub-2.00-no-insmod-on-sb.patch), but this should be more correct.  It
moves the check into grub_dl_load_file.
2015-04-22 12:47:49 -07:00
Toomas Soome
677dcaa92b getroot: include sys/mkdev.h for makedev
Solaris (like) systems need to include sys/mkdev.h for makedev() function.
2015-04-13 19:52:28 +03:00
Toomas Soome
5b5d8666a7 core/partmap: rename 'sun' to avoid clash with predefined symbol
the symbol “sun” is defined macro in solaris derived systems, from
gcc -dM -E:

and therefore can not be used as name.
2015-04-13 19:49:15 +03:00
Paul Menzel
e97f5f4968 docs/grub.texi: Fix spelling of cbfstool 2015-04-12 09:10:11 +03:00
Andrei Borzenkov
f11db3c7fc core: avoid NULL derefrence in grub_divmod64s
It can be called with NULL for third argument.  grub_divmod32* for
now are called only from within wrappers, so skip check.

Reported-By: Michael Zimmermann <sigmaepsilon92@gmail.com>
2015-04-06 19:30:51 +03:00
Andrei Borzenkov
12bf557039 do not emit cryptomount without crypto UUID 2015-03-28 22:13:35 +03:00
Sarah Newman
7d39938474 grub-core/loader/i386/xen.c: Initialized initrd_ctx so we don't free a random pointer from the stack.
Signed-off-by: Sarah Newman <srn@prgmr.com>
2015-03-28 07:14:17 +03:00
Andrei Borzenkov
ebd92af8c3 net: trivial grub_cpu_to_XX_compile_time cleanup 2015-03-27 18:58:57 +03:00
Lunar
c9ee9bedef syslinux: Support {vesa,}menu.c32. 2015-03-27 15:15:13 +01:00
Steve McIntyre
1a33de8b56 Recognize EFI platform even in case of mismatch between Linux and EFI.
Some x86 systems might be capable of running a 64-bit Linux kernel but
only use a 32-bit EFI (e.g. Intel Bay Trail systems). It's useful for
grub-install to be able to recognise such systems, to set the default
x86 platform correctly.

To allow grub-install to know the size of the firmware rather than
just the size of the kernel, there is now an extra EFI sysfs file to
describe the underlying firmware. Read that if possible, otherwise
fall back to the kernel type as before.

Signed-off-by: Steve McIntyre <steve@einval.com>
2015-03-27 14:51:51 +01:00
Michael Zimmermann
ed07b7e128 Add missing initializers to silence suprious warnings. 2015-03-27 14:44:41 +01:00
Leif Lindholm
d47e8ab4b9 dl_helper: Cleanup
Use the new thumb_get_instruction_word/thumb_set_instruction_word
helpers throughout.

Style cleanup (missing spaces).

Move Thumb MOVW/MOVT handlers into Thumb relocation section of file.
2015-03-27 14:37:16 +01:00
Martin Wilck
cf2b4a36c4 efinet: Check for immediate completition.
This both speeds GRUB up and workarounds unexpected EFI behaviour.
2015-03-27 14:27:56 +01:00
Vladimir Serbinenko
1f23c87c19 Make Makefile.util.def independent of platform. 2015-03-27 14:04:41 +01:00
Daniel Kahn Gillmor
85a7be2414 util/mkimage: Use stable timestamp when generating binaries. 2015-03-27 13:26:48 +01:00
Vladimir Serbinenko
c14f8a9366 modinfo.sh.in: Add missing config variables. 2015-03-27 12:18:25 +01:00
Vladimir Serbinenko
94222b72b5 Makefile.core.def: Remove obsolete LDADD_KERNEL 2015-03-27 12:18:25 +01:00
Vladimir Serbinenko
63034d3261 arp, icmp: Fix handling in case of oversized or invalid packets.
This restrict ARP handling to MAC and IP addresses but in practice we need
only this case anyway and other cases are very rar if exist at all. It makes
code much simpler and less error-prone.
2015-03-27 12:18:25 +01:00
Colin Watson
5974d4ba65 hostfs: Drop unnecessary feature test macros
_BSD_SOURCE was added to allow the use of DT_DIR, but that was removed
in e768b77068.  While adding
_DEFAULT_SOURCE as well works around problems with current glibc,
neither is in fact needed nowadays.
2015-03-23 14:32:30 +00:00
Vladimir Serbinenko
e9f68f1f4c compiler-rt-emu: Add missing file. 2015-03-20 13:00:53 +01:00
Vladimir Serbinenko
fe6695b7d6 emunet: Fix init error checking.
Otherwise emunet doesn't expose any cards.
2015-03-20 12:59:00 +01:00
Vladimir Serbinenko
237510486a fddboot_test: Add -no-pad to xorriso. 2015-03-20 12:58:08 +01:00
Vladimir Serbinenko
cf47a2fba5 grub-mkrescue: pass all unrecognized options unchanged to xorriso. 2015-03-20 12:55:27 +01:00
Vladimir Serbinenko
9c07daaf91 cacheinfo: Add missing license information. 2015-03-20 11:13:58 +01:00
Andrei Borzenkov
19c4156d16 grub-fs-tester: add LVM RAID1 support
LVM miscalculates bitmap size with small extent, so start with 16K as
for other RAID types.

Until version 2.02.103 LVM counts metadata segments twice when checking
available space, reduce segment count by one to account for this bug.
2015-03-19 21:31:26 +03:00
Andrei Borzenkov
527eeeeee6 core: add LVM RAID1 support
Closes 44534.
2015-03-19 21:30:27 +03:00
Andrei Borzenkov
7c9309e50a grub-fs-tester: explicitly set segment type for LVM mirror
LVM mirror defaults to RAID1 today and can be different on different
systems as set in lvm.conf.
2015-03-16 21:16:19 +03:00
Andrei Borzenkov
fa07d919d1 grub-fs-tester: better estimation of filesystem time for LVM/RAID
Write activity with LVM/RAID can happen after filesystem is unmounted.
In my testing modification time of loop files was 15 - 20 seconds
after unmount.  So use time as close to unmount as possible as
reference instead.
2015-03-15 21:24:09 +03:00
Vladimir Serbinenko
5fe21c9968 hfsplus: Fix potential access to uninited memory on invalid FS 2015-03-06 22:33:20 +01:00
Jon McCune
be41c1cf11 autogen.sh: Allow overriding the python to be used by setting $PYTHON.
Some installations have several python versions installed. Allow user
to choose which one to use by setting $PYTHON.
2015-03-06 00:34:18 +01:00
Andrei Borzenkov
8842991a56 update gnulib/argp-help.c to fix garbage in grub-mknetdir --help output
argp_help attempts to translate empty string, which results in printing
meta information about translation, like in

bor@opensuse:~/build/grub> grub2-mknetdir --help
Использование: grub2-mknetdir [ПАРАМЕТР…]
Project-Id-Version: grub 2.02-pre2
Report-Msgid-Bugs-To: bug-grub@gnu.org
...

Update gnulib/argp-help.c to the current version which fixes this
(commit b9bfe78424b871f5b92e5ee9e7d21ef951a6801d).
2015-03-05 20:19:47 +03:00
Andrey Borzenkov
20f21d8978 update m4/extern-inline.m4 to upstream version to fix compilation on FreeBSD
In file included from util/grub-mkimage.c:54:0:
./grub-core/gnulib/argp.h:627:49: error: '__sbistype' is static but
used in inline function '_option_is_short' which is not static
[-Werror] cc1: all warnings being treated as errors gmake[2]: ***
[util/grub_mkimage-grub-mkimage.o] Error 1

Update m4/extern-inline.m4 to current upstream gnulib version that
contains fix for this (commit b9bfe78424b871f5b92e5ee9e7d21ef951a6801d).

Reported-By: Beeblebrox <zaphod@berentweb.com>
2015-03-05 19:25:56 +03:00
Vladimir Serbinenko
dc06aa949b syslinux_parse: Fix the case of unknown localboot.
Reported by: Jordan Uggla
2015-03-04 14:19:29 +01:00
Vladimir Serbinenko
5959b15c1c configure.ac: Fix the name of pciaccess header. 2015-03-04 01:01:45 +01:00
Vladimir Serbinenko
27d1a67f8a Fix canonicalize_file_name clash.
canonicalize_file_name clashed with gnulib function. Additionally
it was declared in 2 places: emu/misc.h and util/misc.h. Added
grub_ prefix and removed second declaration.
2015-03-04 01:00:19 +01:00
Vladimir Serbinenko
9d25b0da9a Remove emu libusb support.
It's disabled by default and has been broken for a long time.
As nobody is interested in fixing and maintaining it, remove it.
2015-03-03 20:59:36 +01:00
Vladimir Serbinenko
9f95d12153 configure.ac: Remove unused COND_clang 2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
064360e667 Remove libgcc dependency.
libgcc for boot environment isn't always present and compatible.
libgcc is often absent if endianness or bit-size at boot is different
from running OS.
libgcc may use optimised opcodes that aren't available on boot time.
So instead of relying on libgcc shipped with the compiler, supply
the functions in GRUB directly.
Tests are present to ensure that those replacement functions behave the
way compiler expects them to.
2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
77697d14e5 types.h: Use __builtin_bswap* with clang.
clang pretends to be GCC 4.2 but we use __builtin_bswap* only with GCC 4.3+.
clang support __builtin_bswap*, so use it.
2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
aa6ccc05c1 configure.ac: Set $CPPFLAGS when checking for no_app_regs.
Fixes compilation for sparc64 with clang.
2015-03-03 20:50:37 +01:00
Vladimir Serbinenko
87ec3b7fa9 Don't continue to query block-size if disk doesn't have it.
Stops poluting screen with a lot of "block-size: exception -21".
2015-03-03 20:50:37 +01:00
Andrei Borzenkov
018f79da6f grub-probe: free temporary variable 2015-02-28 20:19:57 +03:00
Vladimir Serbinenko
0d6498a67d exclude.pot: Add new technical strings 2015-02-28 16:23:27 +01:00
Vladimir Serbinenko
afd6b6bbae grub-probe: Mark a "[default=]" for translation. 2015-02-28 16:22:46 +01:00
Vladimir Serbinenko
ddde9ca71a grub-shell: Add missing --locale-directory.
Fixes the language tests is no make install was done.
2015-02-28 15:14:16 +01:00
Vladimir Serbinenko
050505ab8f ntfs_test: Skip is setfattr is unavailable. 2015-02-28 15:13:41 +01:00
Vladimir Serbinenko
66b0e6649b emu/cache: Change declaration of __clear_cache to match builtin declaration.
Fixes compile of arm64-emu.
2015-02-26 22:20:59 +01:00