Debian: grub-efi: porting from LAT
This is done for moving packages that are related to secure boot out of LAT and into integ. Use grub version: 2.06-1 . Port grub-efi from LAT and make its build independent from grub2. The patches for code and changes for debian build are ported from layers ( meta-lat and meta-secure-core ) of yocto upstream. Make grub-efi independent from grub2 because some code changes for secure boot can make grub-pc's build fail. This porting of grub-efi customizes grub images and grub.cfg for efi boot. Install those files customized to grub-efi-amd64 package. Test Plan: The tests are done with all the changes for this porting, which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because they are in a chain for secure boot verification. - PASS: secure boot OK on qemu. - PASS: secure boot OK on PowerEdge R430 lab. - PASS: secure boot NG on qemu/hardware when shim/grub-efi images are without the right signatures. Story: 2009221 Task: 46402 Signed-off-by: Li Zhou <li.zhou@windriver.com> Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
This commit is contained in:
parent
a12eb5f44c
commit
48a2e836ff
81
grub/grub-efi/debian/deb_patches/0001-Make-series-null.patch
Normal file
81
grub/grub-efi/debian/deb_patches/0001-Make-series-null.patch
Normal file
@ -0,0 +1,81 @@
|
||||
From 8f26fc39497decab3f9a087d18803447a9b9295f Mon Sep 17 00:00:00 2001
|
||||
From: Li Zhou <li.zhou@windriver.com>
|
||||
Date: Wed, 31 Aug 2022 13:53:19 +0800
|
||||
Subject: [PATCH 1/2] Make series null
|
||||
|
||||
Clean the patches from debian release to get a clean grub source.
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
debian/patches/series | 61 -------------------------------------------
|
||||
1 file changed, 61 deletions(-)
|
||||
|
||||
diff --git a/debian/patches/series b/debian/patches/series
|
||||
index 748318a..e69de29 100644
|
||||
--- a/debian/patches/series
|
||||
+++ b/debian/patches/series
|
||||
@@ -1,61 +0,0 @@
|
||||
-olpc-prefix-hack.patch
|
||||
-core-in-fs.patch
|
||||
-dpkg-version-comparison.patch
|
||||
-grub-legacy-0-based-partitions.patch
|
||||
-disable-floppies.patch
|
||||
-grub.cfg-400.patch
|
||||
-gfxpayload-keep-default.patch
|
||||
-install-stage2-confusion.patch
|
||||
-mkrescue-efi-modules.patch
|
||||
-mkconfig-loopback.patch
|
||||
-restore-mkdevicemap.patch
|
||||
-gettext-quiet.patch
|
||||
-install-efi-fallback.patch
|
||||
-mkconfig-ubuntu-recovery.patch
|
||||
-install-locale-langpack.patch
|
||||
-mkconfig-nonexistent-loopback.patch
|
||||
-default-grub-d.patch
|
||||
-blacklist-1440x900x32.patch
|
||||
-mkconfig-ubuntu-distributor.patch
|
||||
-linuxefi.patch
|
||||
-mkconfig-signed-kernel.patch
|
||||
-install-signed.patch
|
||||
-wubi-no-windows.patch
|
||||
-maybe-quiet.patch
|
||||
-install-efi-adjust-distributor.patch
|
||||
-quick-boot.patch
|
||||
-quick-boot-lvm.patch
|
||||
-gfxpayload-dynamic.patch
|
||||
-vt-handoff.patch
|
||||
-probe-fusionio.patch
|
||||
-ignore-grub_func_test-failures.patch
|
||||
-mkconfig-recovery-title.patch
|
||||
-install-powerpc-machtypes.patch
|
||||
-ieee1275-clear-reset.patch
|
||||
-ppc64el-disable-vsx.patch
|
||||
-grub-install-pvxen-paths.patch
|
||||
-insmod-xzio-and-lzopio-on-xen.patch
|
||||
-grub-install-extra-removable.patch
|
||||
-mkconfig-other-inits.patch
|
||||
-zpool-full-device-name.patch
|
||||
-net-read-bracketed-ipv6-addr.patch
|
||||
-bootp-new-net_bootp6-command.patch
|
||||
-efinet-uefi-ipv6-pxe-support.patch
|
||||
-bootp-process-dhcpack-http-boot.patch
|
||||
-efinet-set-network-from-uefi-devpath.patch
|
||||
-efinet-set-dns-from-uefi-proto.patch
|
||||
-fix-lockdown.patch
|
||||
-skip-grub_cmd_set_date.patch
|
||||
-bash-completion-drop-have-checks.patch
|
||||
-at_keyboard-module-init.patch
|
||||
-uefi-secure-boot-cryptomount.patch
|
||||
-efi-variable-storage-minimise-writes.patch
|
||||
-grub-install-removable-shim.patch
|
||||
-dejavu-font-path.patch
|
||||
-xen-no-xsm-policy-in-non-xsm-options.patch
|
||||
-pc-verifiers-module.patch
|
||||
-debug_verifiers.patch
|
||||
-mkimage-fix-section-sizes.patch
|
||||
-tpm-unknown-error-non-fatal.patch
|
||||
-xfs-fix-v4-superblock.patch
|
||||
-tests-ahci-update-qemu-device-name.patch
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,760 @@
|
||||
From a26ab5dfcde0a92011bb5422e745d92d79ba4630 Mon Sep 17 00:00:00 2001
|
||||
From: Li Zhou <li.zhou@windriver.com>
|
||||
Date: Thu, 15 Sep 2022 09:55:13 +0800
|
||||
Subject: [PATCH 2/2] grub-efi: build packages related with grub-efi
|
||||
|
||||
Grub-efi is ported from layers meta-lat\meta-secure-core of yocto,
|
||||
so that it can be compiled out of lat.
|
||||
|
||||
What are done for this purpose:
|
||||
(1) Build grub-efi using debian grub2 source code.
|
||||
Change the source name "grub2" to "grub-efi" to set up grub-efi recipe;
|
||||
Remove all the packages in control file except those related to
|
||||
grub-efi.
|
||||
(2) Remove any build about grub-pc because it is used for the
|
||||
traditional PC/BIOS and some patches for secure boot can cause failure
|
||||
when building grub-pc;
|
||||
(3) Patches for secure boot can cause warnings for ia32 platform, so
|
||||
remove it because ia32 isn't in use here;
|
||||
(4) Those unmet dependencies happen because we separate grub-efi's
|
||||
build from grub2:
|
||||
[
|
||||
The following packages have unmet dependencies:
|
||||
grub-efi-amd64 :
|
||||
Depends: grub2-common (= 2.06-1.stx.27) but 2.06-1.stx.6 is to be
|
||||
installed
|
||||
Conflicts: grub-pc but 2.06-1.stx.6 is to be installed
|
||||
grub-efi-amd64-bin :
|
||||
Depends: grub-common (= 2.06-1.stx.27) but 2.06-1.stx.6 is to be
|
||||
installed
|
||||
]
|
||||
Remove grub-efi-amd64's conflict with grub-pc to make them install
|
||||
to rootfs together;
|
||||
Remove the limit that grub-efi-amd64(-bin) and grub2-common should
|
||||
be compiled from the same module.
|
||||
(5) Create and install customized images according to yocto layers.
|
||||
Remove linuxefi because it belongs to debian specific patches, which
|
||||
have been removed;
|
||||
Customize files under /boot/efi/EFI/BOOT for package grub-efi-amd64.
|
||||
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
debian/build-efi-images | 1 -
|
||||
debian/changelog | 2 +-
|
||||
debian/control | 520 +---------------------------------------
|
||||
debian/rules | 58 +++--
|
||||
4 files changed, 51 insertions(+), 530 deletions(-)
|
||||
|
||||
diff --git a/debian/build-efi-images b/debian/build-efi-images
|
||||
index 5ac6676..1c5df95 100755
|
||||
--- a/debian/build-efi-images
|
||||
+++ b/debian/build-efi-images
|
||||
@@ -148,7 +148,6 @@ case $platform in
|
||||
x86_64-efi|i386-efi)
|
||||
CD_MODULES="$CD_MODULES
|
||||
cpuid
|
||||
- linuxefi
|
||||
play
|
||||
tpm
|
||||
"
|
||||
diff --git a/debian/changelog b/debian/changelog
|
||||
index 519a692..1663a8a 100644
|
||||
--- a/debian/changelog
|
||||
+++ b/debian/changelog
|
||||
@@ -1,4 +1,4 @@
|
||||
-grub2 (2.06-1) unstable; urgency=medium
|
||||
+grub-efi (2.06-1) unstable; urgency=medium
|
||||
|
||||
* Use "command -v" in maintainer scripts rather than "which".
|
||||
* New upstream release.
|
||||
diff --git a/debian/control b/debian/control
|
||||
index 591394f..caea0c3 100644
|
||||
--- a/debian/control
|
||||
+++ b/debian/control
|
||||
@@ -1,4 +1,4 @@
|
||||
-Source: grub2
|
||||
+Source: grub-efi
|
||||
Section: admin
|
||||
Priority: optional
|
||||
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
|
||||
@@ -41,274 +41,18 @@ Vcs-Git: https://salsa.debian.org/grub-team/grub.git
|
||||
Vcs-Browser: https://salsa.debian.org/grub-team/grub
|
||||
Rules-Requires-Root: no
|
||||
|
||||
-Package: grub2
|
||||
-Section: oldlibs
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: grub-pc (= ${binary:Version}) [any-i386 any-amd64] | grub-ieee1275 (= ${binary:Version}) [any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64], ${misc:Depends}
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (dummy package)
|
||||
- This is a dummy transitional package to handle GRUB 2 upgrades. It can be
|
||||
- safely removed.
|
||||
-
|
||||
-Package: grub-linuxbios
|
||||
-Section: oldlibs
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: grub-coreboot (= ${binary:Version}), ${misc:Depends}
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (dummy package)
|
||||
- This is a dummy transitional package that depends on grub-coreboot.
|
||||
-
|
||||
Package: grub-efi
|
||||
Architecture: any-i386 any-amd64 any-arm64 any-ia64 any-arm
|
||||
Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${misc:Depends}, grub-efi-ia32 (= ${binary:Version}) [any-i386], grub-efi-amd64 (= ${binary:Version}) [any-amd64], grub-efi-arm64 (= ${binary:Version}) [any-arm64], grub-efi-ia64 (= ${binary:Version}) [any-ia64], grub-efi-arm (= ${binary:Version}) [any-arm]
|
||||
+Depends: ${misc:Depends}, grub-efi-amd64 (= ${binary:Version}) [any-amd64], grub-efi-arm64 (= ${binary:Version}) [any-arm64], grub-efi-ia64 (= ${binary:Version}) [any-ia64], grub-efi-arm (= ${binary:Version}) [any-arm]
|
||||
Multi-Arch: foreign
|
||||
Description: GRand Unified Bootloader, version 2 (dummy package)
|
||||
This is a dummy package that depends on the grub-efi-$ARCH package most likely
|
||||
to be appropriate for each architecture.
|
||||
|
||||
-Package: grub-common
|
||||
-Architecture: any
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, gettext-base, ${lsb-base-depends}
|
||||
-Replaces: grub-pc (<< 2.00-4), grub-ieee1275 (<< 2.00-4), grub-efi (<< 1.99-1), grub-coreboot (<< 2.00-4), grub-linuxbios (<< 1.96+20080831-1), grub-efi-ia32 (<< 2.00-4), grub-efi-amd64 (<< 2.00-4), grub-efi-ia64 (<< 2.00-4), grub-yeeloong (<< 2.00-4), init-select
|
||||
-Recommends: os-prober (>= 1.33)
|
||||
-Suggests: multiboot-doc, grub-emu [any-i386 any-amd64 any-powerpc], mtools [any-i386 any-amd64 any-ia64 any-arm any-arm64], xorriso (>= 0.5.6.pl00), desktop-base (>= 4.0.6), console-setup
|
||||
-Conflicts: init-select
|
||||
-# mdadm: See bugs #435983 and #455746
|
||||
-Breaks: mdadm (<< 2.6.7-2), lupin-support (<< 0.55), friendly-recovery (<< 0.2.13), apport (<< 2.1.1)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader (common files)
|
||||
- This package contains common files shared by the distinct flavours of GRUB.
|
||||
- It is shared between GRUB Legacy and GRUB 2, although a number of files
|
||||
- specific to GRUB 2 are here as long as they do not break GRUB Legacy.
|
||||
- .
|
||||
- grub-mkrescue needs the suggested packages mtools (for UEFI targets) and
|
||||
- xorriso.
|
||||
-
|
||||
-Package: grub2-common
|
||||
-# Not Architecture: any because this package contains some things which are
|
||||
-# only built when there is a real platform (e.g. grub-install), and the rest
|
||||
-# of the package is not very useful in a utilities-only build.
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
|
||||
-Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends}
|
||||
-Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
|
||||
-Conflicts: grub-legacy
|
||||
-Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader (common files for version 2)
|
||||
- This package contains common files shared by the distinct flavours of GRUB.
|
||||
- The files in this package are specific to GRUB 2, and would break GRUB
|
||||
- Legacy if installed on the same system.
|
||||
-
|
||||
-Package: grub-emu
|
||||
-Architecture: any-i386 any-amd64 any-powerpc
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Replaces: grub-common (<= 1.97~beta3-1)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (emulated version)
|
||||
- This package contains grub-emu, an emulated version of GRUB. It is only
|
||||
- provided for debugging purposes.
|
||||
-
|
||||
-Package: grub-emu-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-i386 any-amd64 any-powerpc
|
||||
-Depends: ${misc:Depends}, grub-emu (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (emulated debug files)
|
||||
- This package contains debugging files for grub-emu. You only need these if
|
||||
- you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-pc-bin
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-pc (<< 1.99-1)
|
||||
-Suggests: desktop-base (>= 4.0.6)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (PC/BIOS modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- - VESA-based graphical mode with background image support and complete 24-bit
|
||||
- color set.
|
||||
- - Support for extended charsets. Users can write UTF-8 text to their menu
|
||||
- entries.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with the
|
||||
- traditional PC/BIOS architecture. It can be installed in parallel with
|
||||
- other flavours, but will not automatically install GRUB as the active boot
|
||||
- loader nor automatically update grub.cfg on upgrade unless grub-pc is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-pc-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${misc:Depends}, grub-pc-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (PC/BIOS debug files)
|
||||
- This package contains debugging files for grub-pc-bin. You only need these
|
||||
- if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-pc
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-pc-bin (= ${binary:Version}), ucf, freebsd-utils (>= 8.0-4) [kfreebsd-any], ${gfxpayload-depends}
|
||||
-Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64, grub-efi-ia32, grub-coreboot, grub-ieee1275
|
||||
-Conflicts: grub (<< 0.97-54), grub-legacy, grub-efi-amd64, grub-efi-ia32, grub-coreboot, grub-ieee1275, grub-xen
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (PC/BIOS version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- - VESA-based graphical mode with background image support and complete 24-bit
|
||||
- color set.
|
||||
- - Support for extended charsets. Users can write UTF-8 text to their menu
|
||||
- entries.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with the traditional PC/BIOS architecture. Installing this package
|
||||
- indicates that this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-rescue-pc
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${misc:Depends}
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRUB bootable rescue images, version 2 (PC/BIOS version)
|
||||
- This package contains three GRUB rescue images that have been built for use
|
||||
- with the traditional PC/BIOS architecture:
|
||||
- .
|
||||
- - grub-rescue-floppy.img: floppy image.
|
||||
- - grub-rescue-cdrom.iso: El Torito CDROM image.
|
||||
- - grub-rescue-usb.img: USB image.
|
||||
-
|
||||
-Package: grub-coreboot-bin
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-linuxbios, grub-coreboot (<< 1.99-1)
|
||||
-Conflicts: grub-linuxbios (<< ${source:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Coreboot modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with
|
||||
- platforms running the Coreboot firmware. It can be installed in parallel
|
||||
- with other flavours, but will not automatically install GRUB as the active
|
||||
- boot loader nor automatically update grub.cfg on upgrade unless
|
||||
- grub-coreboot is also installed.
|
||||
-
|
||||
-Package: grub-coreboot-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${misc:Depends}, grub-coreboot-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Coreboot debug files)
|
||||
- This package contains debugging files for grub-coreboot-bin. You only need
|
||||
- these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-coreboot
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-coreboot-bin (= ${binary:Version}), ucf
|
||||
-Replaces: grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-linuxbios, grub-efi-amd64, grub-efi-ia32, grub-pc, grub-ieee1275
|
||||
-Conflicts: grub (<< 0.97-54), grub-legacy, grub-linuxbios (<< ${source:Version}), grub-efi-amd64, grub-efi-ia32, grub-pc, grub-ieee1275, grub-xen
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Coreboot version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with platforms running the Coreboot firmware. Installing this package
|
||||
- indicates that this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-efi-ia32-bin
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Recommends: grub-efi-ia32-signed [i386], efibootmgr [linux-any]
|
||||
-Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-ia32 (<< 1.99-1)
|
||||
-Multi-Arch: foreign
|
||||
-XB-Efi-Vendor: ${efi:Vendor}
|
||||
-Description: GRand Unified Bootloader, version 2 (EFI-IA32 modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with the
|
||||
- EFI-IA32 architecture, as used by Intel Macs (unless a BIOS interface has
|
||||
- been activated). It can be installed in parallel with other flavours, but
|
||||
- will not automatically install GRUB as the active boot loader nor
|
||||
- automatically update grub.cfg on upgrade unless grub-efi-ia32 is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-efi-ia32-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${misc:Depends}, grub-efi-ia32-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (EFI-IA32 debug files)
|
||||
- This package contains debugging files for grub-efi-ia32-bin. You only need
|
||||
- these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-efi-ia32
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-ia32-bin (= ${binary:Version}), ucf
|
||||
-Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-amd64, grub-pc, grub-coreboot, grub-ieee1275
|
||||
-Conflicts: grub (<< 0.97-54), grub-legacy, grub-efi-amd64, grub-pc, grub-coreboot, grub-ieee1275, grub-xen, elilo
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (EFI-IA32 version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with the EFI-IA32 architecture, as used by Intel Macs (unless a BIOS
|
||||
- interface has been activated). Installing this package indicates that this
|
||||
- version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-efi-ia32-signed-template
|
||||
-Architecture: i386
|
||||
-Description: GRand Unified Bootloader, version 2 (EFI-IA32 signing template)
|
||||
- This package contains template files for grub-efi-ia32-signed.
|
||||
- This is only needed for Secure Boot signing.
|
||||
-
|
||||
Package: grub-efi-amd64-bin
|
||||
Architecture: i386 kopensolaris-i386 any-amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common
|
||||
Recommends: grub-efi-amd64-signed [amd64], efibootmgr [linux-any]
|
||||
Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
|
||||
Multi-Arch: foreign
|
||||
@@ -342,9 +86,9 @@ Description: GRand Unified Bootloader, version 2 (EFI-AMD64 debug files)
|
||||
Package: grub-efi-amd64
|
||||
Architecture: i386 kopensolaris-i386 any-amd64
|
||||
Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-efi-amd64-bin (= ${binary:Version}), ucf
|
||||
-Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-pc, grub-efi-ia32, grub-coreboot, grub-ieee1275
|
||||
-Conflicts: grub, grub-legacy, grub-efi-ia32, grub-pc, grub-coreboot, grub-ieee1275, grub-xen, elilo
|
||||
+Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common, grub-efi-amd64-bin, ucf
|
||||
+Replaces: grub, grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-pc, grub-coreboot, grub-ieee1275
|
||||
+Conflicts: grub, grub-legacy, grub-coreboot, grub-ieee1275, grub-xen, elilo
|
||||
Multi-Arch: foreign
|
||||
Description: GRand Unified Bootloader, version 2 (EFI-AMD64 version)
|
||||
GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
@@ -522,255 +266,3 @@ Architecture: arm64
|
||||
Description: GRand Unified Bootloader, version 2 (ARM64 UEFI signing template)
|
||||
This package contains template files for grub-efi-arm64-signed.
|
||||
This is only needed for Secure Boot signing.
|
||||
-
|
||||
-Package: grub-ieee1275-bin
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-ieee1275 (<< 1.99-1)
|
||||
-Suggests: genisoimage [any-powerpc any-ppc64 any-ppc64el]
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Open Firmware modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with Open
|
||||
- Firmware implementations. It can be installed in parallel with other
|
||||
- flavours, but will not automatically install GRUB as the active boot loader
|
||||
- nor automatically update grub.cfg on upgrade unless grub-ieee1275 is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-ieee1275-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64
|
||||
-Depends: ${misc:Depends}, grub-ieee1275-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Open Firmware debug files)
|
||||
- This package contains debugging files for grub-ieee1275-bin. You only
|
||||
- need these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-ieee1275
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-ieee1275-bin (= ${binary:Version}), ucf, powerpc-ibm-utils (>= 1.2.12-1) [any-powerpc any-ppc64 any-ppc64el], powerpc-utils [any-powerpc any-ppc64 any-ppc64el]
|
||||
-Replaces: grub-legacy, grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64, grub-efi-ia32, grub-coreboot, grub-pc
|
||||
-Conflicts: grub (<< 0.97-54), grub-legacy, grub-efi-amd64, grub-efi-ia32, grub-coreboot, grub-pc, grub-xen
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Open Firmware version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with Open Firmware implementations. Installing this package indicates
|
||||
- that this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-firmware-qemu
|
||||
-Architecture: any-i386 any-amd64
|
||||
-Depends: ${misc:Depends}
|
||||
-Recommends: qemu-system-x86
|
||||
-Enhances: qemu-system-x86
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRUB firmware image for QEMU
|
||||
- This package contains a binary of GRUB that has been built for use as
|
||||
- firmware for QEMU. It can be used as a replacement for other PC BIOS
|
||||
- images provided by seabios, bochsbios, and so on.
|
||||
- .
|
||||
- In order to make QEMU use this firmware, simply add `-bios grub.bin' when
|
||||
- invoking it.
|
||||
- .
|
||||
- This package behaves in the same way as GRUB for coreboot, but doesn't
|
||||
- contain any code from coreboot itself, and is only suitable for QEMU. If
|
||||
- you want to install GRUB as firmware on real hardware, you need to use the
|
||||
- grub-coreboot package, and manually combine that with coreboot.
|
||||
-
|
||||
-Package: grub-uboot-bin
|
||||
-Architecture: any-arm
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (ARM U-Boot modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with ARM
|
||||
- systems with U-Boot. It can be installed in parallel with other flavours,
|
||||
- but will not automatically install GRUB as the active boot loader nor
|
||||
- automatically update grub.cfg on upgrade unless grub-uboot is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-uboot-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-arm
|
||||
-Depends: ${misc:Depends}, grub-uboot-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (ARM U-Boot debug files)
|
||||
- This package contains debugging files for grub-uboot-bin. You only need
|
||||
- these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-uboot
|
||||
-Architecture: any-arm
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-uboot-bin (= ${binary:Version}), ucf
|
||||
-Conflicts: grub-efi-arm
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (ARM U-Boot version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with ARM systems with U-Boot. Installing this package indicates that
|
||||
- this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-xen-bin
|
||||
-Architecture: i386 amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Xen modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with the
|
||||
- Xen hypervisor (i.e. PV-GRUB). It can be installed in parallel with other
|
||||
- flavours, but will not automatically install GRUB as the active boot loader
|
||||
- nor automatically update grub.cfg on upgrade unless grub-xen is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-xen-dbg
|
||||
-Section: debug
|
||||
-Architecture: i386 amd64
|
||||
-Depends: ${misc:Depends}, grub-xen-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Xen debug files)
|
||||
- This package contains debugging files for grub-xen-bin. You only need
|
||||
- these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-xen
|
||||
-Architecture: i386 amd64
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-xen-bin (= ${binary:Version}), ucf
|
||||
-Conflicts: grub (<< 0.97-54), grub-legacy, grub-efi-amd64, grub-efi-ia32, grub-coreboot, grub-ieee1275, grub-pc
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Xen version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with the Xen hypervisor (i.e. PV-GRUB). Installing this package
|
||||
- indicates that this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-xen-host
|
||||
-Architecture: i386 amd64
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-xen-bin (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Xen host version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package arranges for GRUB binary images which can be used to boot a Xen
|
||||
- guest (i.e. PV-GRUB) to be present in the control domain filesystem.
|
||||
-
|
||||
-Package: grub-yeeloong-bin
|
||||
-Architecture: any-mipsel
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Replaces: grub-common (<< 1.98+20100617-2), grub-yeeloong (<< 1.99-1)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Yeeloong modules)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This package contains GRUB modules that have been built for use with the
|
||||
- Lemote Yeeloong laptop. It can be installed in parallel with other
|
||||
- flavours, but will not automatically install GRUB as the active boot loader
|
||||
- nor automatically update grub.cfg on upgrade unless grub-yeeloong is also
|
||||
- installed.
|
||||
-
|
||||
-Package: grub-yeeloong-dbg
|
||||
-Section: debug
|
||||
-Architecture: any-mipsel
|
||||
-Depends: ${misc:Depends}, grub-yeeloong-bin (= ${binary:Version}), grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Yeeloong debug files)
|
||||
- This package contains debugging files for grub-yeeloong-bin. You only
|
||||
- need these if you are trying to debug GRUB using its GDB stub.
|
||||
-
|
||||
-Package: grub-yeeloong
|
||||
-Architecture: any-mipsel
|
||||
-Pre-Depends: ${misc:Pre-Depends}
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}, grub2-common (= ${binary:Version}), grub-yeeloong-bin (= ${binary:Version}), ucf
|
||||
-Replaces: grub-common (<< 1.98+20100617-2)
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (Yeeloong version)
|
||||
- GRUB is a portable, powerful bootloader. This version of GRUB is based on a
|
||||
- cleaner design than its predecessors, and provides the following new features:
|
||||
- .
|
||||
- - Scripting in grub.cfg using BASH-like syntax.
|
||||
- - Support for modern partition maps such as GPT.
|
||||
- - Modular generation of grub.cfg via update-grub. Packages providing GRUB
|
||||
- add-ons can plug in their own script rules and trigger updates by invoking
|
||||
- update-grub.
|
||||
- .
|
||||
- This is a dependency package for a version of GRUB that has been built for
|
||||
- use with the Lemote Yeeloong laptop. Installing this package indicates
|
||||
- that this version of GRUB should be the active boot loader.
|
||||
-
|
||||
-Package: grub-theme-starfield
|
||||
-# Could be Architecture: any, but in practice this package is useless in a
|
||||
-# utilities-only build.
|
||||
-Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
|
||||
-Depends: ${misc:Depends}, grub-common (= ${binary:Version})
|
||||
-Multi-Arch: foreign
|
||||
-Description: GRand Unified Bootloader, version 2 (starfield theme)
|
||||
- This is the default theme for GRUB's graphical menu.
|
||||
-
|
||||
-Package: grub-mount-udeb
|
||||
-Package-Type: udeb
|
||||
-Section: debian-installer
|
||||
-Architecture: linux-any kfreebsd-any
|
||||
-Depends: ${shlibs:Depends}, ${misc:Depends}
|
||||
-Description: export GRUB filesystems using FUSE
|
||||
diff --git a/debian/rules b/debian/rules
|
||||
index be8f870..c22ba5a 100755
|
||||
--- a/debian/rules
|
||||
+++ b/debian/rules
|
||||
@@ -55,7 +55,7 @@ BUILD_PACKAGES := $(strip $(shell dh_listpackages))
|
||||
# REAL_PACKAGES build an actual grub variant (and therefore have both configure
|
||||
# and build stages). EXTRA_PACKAGES do not build grub but may depend on a
|
||||
# REAL_PACKAGE (and therefore only have a build stage)
|
||||
-REAL_PACKAGES = grub-common grub-emu grub-pc grub-coreboot grub-efi-ia32 grub-efi-amd64 grub-efi-ia64 grub-efi-arm grub-efi-arm64 grub-ieee1275 grub-firmware-qemu grub-uboot grub-xen grub-yeeloong
|
||||
+REAL_PACKAGES = grub-common grub-emu grub-pc grub-coreboot grub-efi-amd64 grub-efi-ia64 grub-efi-arm grub-efi-arm64 grub-ieee1275 grub-firmware-qemu grub-uboot grub-xen grub-yeeloong
|
||||
EXTRA_PACKAGES = grub-rescue-pc grub-xen-host
|
||||
|
||||
ifneq (,$(filter i386 amd64,$(DEB_HOST_ARCH_CPU)))
|
||||
@@ -111,8 +111,6 @@ DEFAULT_HIDDEN_TIMEOUT_BOOL := false
|
||||
endif
|
||||
|
||||
# Secure Boot
|
||||
-debian/stamps/build-grub-efi-ia32 install/grub-efi-ia32: export SB_PLATFORM := i386-efi
|
||||
-debian/stamps/build-grub-efi-ia32 install/grub-efi-ia32: export SB_EFI_NAME := ia32
|
||||
debian/stamps/build-grub-efi-amd64 install/grub-efi-amd64: export SB_PLATFORM := x86_64-efi
|
||||
debian/stamps/build-grub-efi-amd64 install/grub-efi-amd64: export SB_EFI_NAME := x64
|
||||
debian/stamps/build-grub-efi-arm64 install/grub-efi-arm64: export SB_PLATFORM := arm64-efi
|
||||
@@ -169,10 +167,10 @@ override_dh_autoreconf:
|
||||
PYTHON=python3 \
|
||||
dh_autoreconf -- ./autogen.sh
|
||||
|
||||
-debian/stamps/configure-grub-common: debian/stamps/configure-grub-$(COMMON_PLATFORM)
|
||||
+debian/stamps/configure-grub-common:
|
||||
touch $@
|
||||
|
||||
-debian/stamps/build-grub-common: debian/stamps/build-grub-$(COMMON_PLATFORM)
|
||||
+debian/stamps/build-grub-common:
|
||||
touch $@
|
||||
|
||||
debian/stamps/configure-grub-none debian/stamps/configure-grub-pc debian/stamps/configure-grub-ieee1275 debian/stamps/configure-grub-coreboot debian/stamps/configure-grub-emu debian/stamps/configure-grub-uboot debian/stamps/configure-grub-yeeloong:
|
||||
@@ -181,10 +179,6 @@ debian/stamps/configure-grub-none debian/stamps/configure-grub-pc debian/stamps/
|
||||
touch $@
|
||||
|
||||
# This name scheme leaves room for things like amd32 someday
|
||||
-debian/stamps/configure-grub-efi-ia32:
|
||||
- mkdir -p debian/stamps obj/$(package)
|
||||
- dh_auto_configure -- $(confflags) --with-platform=efi --target=i386-pe --program-prefix=""
|
||||
- touch $@
|
||||
debian/stamps/configure-grub-efi-amd64:
|
||||
mkdir -p debian/stamps $(subst debian/stamps/configure-,obj/,$@)
|
||||
dh_auto_configure -- $(confflags) --with-platform=efi --target=amd64-pe --program-prefix=""
|
||||
@@ -214,7 +208,7 @@ debian/stamps/build-grub-none debian/stamps/build-grub-efi-ia64 debian/stamps/bu
|
||||
dh_auto_build
|
||||
touch $@
|
||||
|
||||
-debian/stamps/build-grub-efi-ia32 debian/stamps/build-grub-efi-amd64 debian/stamps/build-grub-efi-arm64: debian/stamps/build-%: debian/stamps/configure-% debian/stamps/build-grub-$(COMMON_PLATFORM)
|
||||
+debian/stamps/build-grub-efi-amd64 debian/stamps/build-grub-efi-arm64: debian/stamps/build-%: debian/stamps/configure-%
|
||||
dh_auto_build
|
||||
grub_dir=`mktemp -d` ; \
|
||||
sed -e "s/@DEB_VERSION@/$(deb_version)/g" \
|
||||
@@ -222,7 +216,7 @@ debian/stamps/build-grub-efi-ia32 debian/stamps/build-grub-efi-amd64 debian/stam
|
||||
<debian/sbat.$(SB_EFI_VENDOR).csv.in \
|
||||
>$${grub_dir}/sbat.$(SB_EFI_VENDOR).csv; \
|
||||
debian/build-efi-images \
|
||||
- obj/grub-$(COMMON_PLATFORM)/grub-mkimage \
|
||||
+ obj/$(package)/grub-mkimage \
|
||||
obj/$(package)/grub-core \
|
||||
obj/monolithic/$(package) \
|
||||
$(DEB_HOST_ARCH) $(SB_PLATFORM) $(SB_EFI_NAME) \
|
||||
@@ -350,7 +344,20 @@ install/grub-none:
|
||||
# files.
|
||||
mkdir -p debian/tmp-$(package)/usr/share/locale
|
||||
|
||||
-install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ia64 install/grub-efi-arm install/grub-efi-arm64 install/grub-ieee1275 install/grub-coreboot install/grub-emu install/grub-uboot install/grub-xen install/grub-yeeloong:
|
||||
+D_PACKAGE := debian/grub-efi-amd64/
|
||||
+EFI_BOOT_PATH := /boot/efi/EFI/BOOT
|
||||
+DISTRO_NAME := StarlingX
|
||||
+DISTRO_VERSION :=
|
||||
+OSTREE_GRUB_PW_FILE := ./boot_cfg_pw
|
||||
+OSTREE_GRUB_USER := root
|
||||
+OSTREE_CONSOLE := console=ttyS0,115200
|
||||
+GRUB_BUILDIN := boot linux ext2 fat serial part_msdos part_gpt normal efi_gop iso9660 configfile search loadenv test tftp efinet reboot chain regexp efivar
|
||||
+GRUB_SECURE_BUILDIN := tftp reboot chain efivar password_pbkdf2 pgp gcry_rsa gcry_sha256 gcry_sha512 --pubkey ./boot_pub_key
|
||||
+GRUB_TARGET := x86_64
|
||||
+GRUB_PREFIX_DIR := /EFI/BOOT
|
||||
+OBJ_DIR := ./obj/grub-efi-amd64
|
||||
+
|
||||
+install/grub-efi-amd64 install/grub-efi-ia64 install/grub-efi-arm install/grub-efi-arm64 install/grub-ieee1275 install/grub-coreboot install/grub-emu install/grub-uboot install/grub-xen install/grub-yeeloong:
|
||||
set -e ; \
|
||||
if [ "$@" = "install/grub-xen" ] ; then \
|
||||
dh_auto_install -Bobj/grub-xen-i386 --destdir=debian/tmp-$(package); \
|
||||
@@ -470,6 +477,30 @@ install/grub-pc install/grub-efi-ia32 install/grub-efi-amd64 install/grub-efi-ia
|
||||
# files.
|
||||
mkdir -p debian/tmp-$(package)/usr/share/locale
|
||||
|
||||
+ if [ "$@" = "install/grub-efi-amd64" ] ; then \
|
||||
+ install -d $(D_PACKAGE)/$(EFI_BOOT_PATH) ; \
|
||||
+ install -m 0600 ./grub-runtime.cfg $(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg ; \
|
||||
+ sed -i "s#%DISTRO_NAME%#$(DISTRO_NAME)#g" "$(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg" ; \
|
||||
+ sed -i "s#%DISTRO_VERSION%#$(DISTRO_VERSION)#g" "$(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg" ; \
|
||||
+ echo -n "password_pbkdf2 $(OSTREE_GRUB_USER) " > ./pw ; \
|
||||
+ cat "$(OSTREE_GRUB_PW_FILE)" >> ./pw ; \
|
||||
+ sed -i "s#%OSTREE_GRUB_USER%#$(OSTREE_GRUB_USER)#g" "$(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg" ; \
|
||||
+ str_pw=`cat ./pw` ; \
|
||||
+ sed -i "s#%OSTREE_GRUB_PW%#$${str_pw}#g" "$(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg" ; \
|
||||
+ sed -i "s#%OSTREE_CONSOLE%#$(OSTREE_CONSOLE)#g" "$(D_PACKAGE)$(EFI_BOOT_PATH)/grub.cfg" ; \
|
||||
+ $(OBJ_DIR)/grub-mkimage -c ./cfg_nosecure -p "$(GRUB_PREFIX_DIR)" -d "$(OBJ_DIR)/grub-core" \
|
||||
+ -O "$(GRUB_TARGET)-efi" -o "./bootx64-nosig.efi" \
|
||||
+ $(GRUB_BUILDIN) ; \
|
||||
+ install -m 0644 ./bootx64-nosig.efi $(D_PACKAGE)$(EFI_BOOT_PATH)/bootx64-nosig.efi ; \
|
||||
+ $(OBJ_DIR)/grub-editenv "$(D_PACKAGE)$(EFI_BOOT_PATH)/grubenv" create ; \
|
||||
+ install -d $(D_PACKAGE)$(EFI_BOOT_PATH)/$(GRUB_TARGET)-efi ; \
|
||||
+ $(OBJ_DIR)/grub-mkimage -c ./cfg -p "$(GRUB_PREFIX_DIR)" -d "$(OBJ_DIR)/grub-core" \
|
||||
+ -O "$(GRUB_TARGET)-efi" -o "./grubx64.efi" \
|
||||
+ $(GRUB_BUILDIN) $(GRUB_SECURE_BUILDIN) ; \
|
||||
+ install -m 0644 ./grubx64.efi $(D_PACKAGE)$(EFI_BOOT_PATH)/grubx64.efi ; \
|
||||
+ install -m 0644 $(OBJ_DIR)/grub-core/*.mod $(D_PACKAGE)$(EFI_BOOT_PATH)/$(GRUB_TARGET)-efi ; \
|
||||
+ fi
|
||||
+
|
||||
common_subst = \
|
||||
if [ -e debian/grub-common.$(1) ]; then \
|
||||
sed 's/@COMMON_PLATFORM@/$(COMMON_PLATFORM)/g' \
|
||||
@@ -495,13 +526,12 @@ endif
|
||||
|
||||
NON_PLATFORM_PACKAGES = $(filter grub2 grub-linuxbios grub-efi grub-rescue-pc grub-firmware-qemu grub-xen-host,$(BUILD_PACKAGES))
|
||||
COMMON_PLATFORM_PACKAGES = $(filter grub-common grub2-common grub-theme-starfield grub-mount-udeb,$(BUILD_PACKAGES))
|
||||
-PLATFORM_PACKAGES = $(filter grub-pc grub-efi-ia32 grub-efi-amd64 grub-efi-ia64 grub-efi-arm grub-efi-arm64 grub-ieee1275 grub-coreboot grub-uboot grub-xen grub-yeeloong,$(BUILD_PACKAGES))
|
||||
+PLATFORM_PACKAGES = $(filter grub-pc grub-efi-amd64 grub-efi-ia64 grub-efi-arm grub-efi-arm64 grub-ieee1275 grub-coreboot grub-uboot grub-xen grub-yeeloong,$(BUILD_PACKAGES))
|
||||
|
||||
override_dh_install:
|
||||
ifneq (,$(NON_PLATFORM_PACKAGES))
|
||||
dh_install $(patsubst %,-p%,$(NON_PLATFORM_PACKAGES))
|
||||
endif
|
||||
- dh_install $(patsubst %,-p%,$(COMMON_PLATFORM_PACKAGES)) --sourcedir=debian/tmp-grub-$(COMMON_PLATFORM)
|
||||
rm -f debian/grub2-common/usr/share/info/dir*
|
||||
rm -f debian/grub-theme-starfield/usr/share/grub/themes/starfield/COPYING.CC-BY-SA-3.0
|
||||
ifneq (,$(PLATFORM_PACKAGES))
|
||||
--
|
||||
2.17.1
|
||||
|
2
grub/grub-efi/debian/deb_patches/series
Normal file
2
grub/grub-efi/debian/deb_patches/series
Normal file
@ -0,0 +1,2 @@
|
||||
0001-Make-series-null.patch
|
||||
0002-grub-efi-build-packages-related-with-grub-efi.patch
|
41
grub/grub-efi/debian/dl_hook
Executable file
41
grub/grub-efi/debian/dl_hook
Executable file
@ -0,0 +1,41 @@
|
||||
#!/bin/bash
|
||||
#
|
||||
# Copyright (c) 2022 Wind River Systems, Inc.
|
||||
#
|
||||
# Licensed to the Apache Software Foundation (ASF) under one
|
||||
# or more contributor license agreements. The ASF licenses this
|
||||
# file to you under the Apache License, Version 2.0 (the
|
||||
# "License"); you may not use this file except in compliance
|
||||
# with the License. You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing,
|
||||
# software distributed under the License is distributed on an
|
||||
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
||||
# KIND, either express or implied. See the License for the
|
||||
# specific language governing permissions and limitations
|
||||
# under the License.
|
||||
#
|
||||
|
||||
# The only parameter is the name of the folder where the source code
|
||||
# is extracted to. Pay attention to that the extracted package should
|
||||
# be put at the same path where this script is located.
|
||||
# Tools needed: tar
|
||||
|
||||
tar xvf grub2_2.06.orig.tar.xz
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo "tar failed: orig source!"
|
||||
exit 1
|
||||
fi
|
||||
mv grub-2.06 $1
|
||||
|
||||
cd $1
|
||||
tar xvf ../grub2_2.06-1.debian.tar.xz
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo "tar failed: debian folder!"
|
||||
exit 1
|
||||
fi
|
||||
cp ../local_debian/files/* ./
|
1
grub/grub-efi/debian/files/boot_cfg_pw
Normal file
1
grub/grub-efi/debian/files/boot_cfg_pw
Normal file
@ -0,0 +1 @@
|
||||
grub.pbkdf2.sha512.10000.7C392DD2FFEA15F1E050CF88DB414F128724C55039614BFCF22D9F3AA775E534BEC0A0A2E6C49FE3CBBC7A1A9CE7546D11FD198197A375044EF96D189EC22141.712E252EC3009DD64C5157615DF84F46B3D4A7C6F40DF941CB62C8965B25AA3D62B0D2080545FCB7801A62A72244F87DC13FF26D740A32D96D5F85017BB4AB03
|
BIN
grub/grub-efi/debian/files/boot_pub_key
Normal file
BIN
grub/grub-efi/debian/files/boot_pub_key
Normal file
Binary file not shown.
4
grub/grub-efi/debian/files/cfg
Normal file
4
grub/grub-efi/debian/files/cfg
Normal file
@ -0,0 +1,4 @@
|
||||
set strict_security=1
|
||||
search.file ($cmdpath)/EFI/BOOT/grub.cfg root
|
||||
set prefix=($root)/EFI/BOOT
|
||||
set skip_check_cfg=1
|
2
grub/grub-efi/debian/files/cfg_nosecure
Normal file
2
grub/grub-efi/debian/files/cfg_nosecure
Normal file
@ -0,0 +1,2 @@
|
||||
search.file ($cmdpath)/EFI/BOOT/grub.cfg root
|
||||
set prefix=($root)/EFI/BOOT
|
123
grub/grub-efi/debian/files/grub-runtime.cfg
Normal file
123
grub/grub-efi/debian/files/grub-runtime.cfg
Normal file
@ -0,0 +1,123 @@
|
||||
set default="0"
|
||||
set timeout=3
|
||||
set color_normal='light-gray/black'
|
||||
set color_highlight='light-green/blue'
|
||||
|
||||
set boot_part="otaboot"
|
||||
set root_part="otaroot"
|
||||
set flux_part="fluxdata"
|
||||
set rollback_part="_b"
|
||||
set ab="1"
|
||||
set ostree_console="%OSTREE_CONSOLE%"
|
||||
set kernel=vmlinuz
|
||||
set kernel_rollback=vmlinuz
|
||||
set kernel_params=""
|
||||
set kernel_params_ext=""
|
||||
|
||||
if [ "${legacy_bios}" != "1" ]; then
|
||||
set boot_env_path=${prefix}
|
||||
fi
|
||||
|
||||
if [ -e ${boot_env_path}/boot.env ]; then
|
||||
load_env -s -f ${boot_env_path}/boot.env
|
||||
|
||||
if [ "${boot_tried_count}" -eq "0" ]; then
|
||||
set boot_tried_count="1"
|
||||
elif [ "${boot_tried_count}" -eq "1" ]; then
|
||||
set boot_tried_count="2"
|
||||
elif [ "${boot_tried_count}" -eq "2" ]; then
|
||||
set boot_tried_count="3"
|
||||
elif [ "${boot_tried_count}" -eq "3" ]; then
|
||||
if [ "${default}" -eq "1" ]; then
|
||||
set default="0"
|
||||
else
|
||||
set default="1"
|
||||
fi
|
||||
save_env -f ${boot_env_path}/boot.env default
|
||||
set boot_tried_count="0"
|
||||
fi
|
||||
save_env -f ${boot_env_path}/boot.env boot_tried_count
|
||||
fi
|
||||
|
||||
search --no-floppy --label --set=avol ${boot_part}${boot_mode}
|
||||
if [ -e ($avol)/1/kernel.env ] ; then
|
||||
load_env -s -f ($avol)/1/kernel.env kernel
|
||||
fi
|
||||
if [ "$ab" = "1" ] ; then
|
||||
search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
|
||||
if [ -e ($avol)/1/kernel.env ] ; then
|
||||
load_env -s -f ($avol)/1/kernel.env kernel_rollback
|
||||
fi
|
||||
else
|
||||
if [ -e ($avol)/2/kernel.env ] ; then
|
||||
load_env -s -f ($avol)/2/kernel.env kernel_rollback
|
||||
fi
|
||||
fi
|
||||
|
||||
get_efivar -f uint8 -s secured SecureBoot
|
||||
if [ "${secured}" = "1" ]; then
|
||||
# Enable user authentication to make grub unlockable
|
||||
set superusers="%OSTREE_GRUB_USER%"
|
||||
%OSTREE_GRUB_PW%
|
||||
else
|
||||
get_efivar -f uint8 -s unprovisioned SetupMode
|
||||
if [ "${unprovisioned}" = "1" ]; then
|
||||
set timeout=0
|
||||
|
||||
menuentry "Automatic Certificate Provision" --unrestricted {
|
||||
chainloader ${prefix}/LockDown.efi
|
||||
}
|
||||
fi
|
||||
fi
|
||||
|
||||
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree${boot_mode} ${kernel}" --unrestricted {
|
||||
set fallback=1
|
||||
if [ "${legacy_bios}" != "1" ]; then
|
||||
efi-watchdog enable 0 180
|
||||
fi
|
||||
search --no-floppy --label --set=root ${boot_part}${boot_mode}
|
||||
if [ -e /1/kernel.env ] ; then
|
||||
load_env -s -f /1/kernel.env kernel_params_ext
|
||||
fi
|
||||
linux /1/${kernel} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
|
||||
initrd /1/initramfs
|
||||
}
|
||||
|
||||
if [ "$ab" = "1" ] ; then
|
||||
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree ${kernel_rollback} rollback${rollback_part}" --unrestricted {
|
||||
search --no-floppy --label --set=root ${boot_part}${rollback_part}
|
||||
if [ -e /1/kernel.env ] ; then
|
||||
load_env -s -f /1/kernel.env kernel_params_ext
|
||||
fi
|
||||
linux /1/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${rollback_part} ostree_root=LABEL=${root_part}${rollback_part} flux=${flux_part} ostree=/ostree/1 $ostree_console $kernel_params $kernel_params_ext
|
||||
initrd /1/initramfs
|
||||
}
|
||||
else
|
||||
menuentry "%DISTRO_NAME% %DISTRO_VERSION% ostree${boot_mode} ${kernel_rollback} rollback" --unrestricted {
|
||||
set fallback=1
|
||||
if [ "${legacy_bios}" != "1" ]; then
|
||||
efi-watchdog enable 0 180
|
||||
fi
|
||||
search --no-floppy --label --set=root ${boot_part}${boot_mode}
|
||||
if [ -e /2/kernel.env ] ; then
|
||||
load_env -s -f /2/kernel.env kernel_params_ext
|
||||
fi
|
||||
linux /2/${kernel_rollback} rw rootwait ostree_boot=LABEL=${boot_part}${boot_mode} ostree_root=LABEL=${root_part}${boot_mode} flux=${flux_part} ostree=/ostree/2 $ostree_console $kernel_params $kernel_params_ext
|
||||
initrd /2/initramfs
|
||||
}
|
||||
fi
|
||||
|
||||
if [ -s ${prefix}/igrub.cfg ] ; then
|
||||
source ${prefix}/igrub.cfg
|
||||
search --no-floppy --label --set=avol ${boot_part}${boot_mode}
|
||||
if [ "$ab" = "1" ] ; then
|
||||
search --no-floppy --label --set=bvol ${boot_part}${rollback_part}
|
||||
if [ ! -s ($avol)/1/${kernel} -a ! -s ($bvol)/1/${kernel_rollback} ] ; then
|
||||
set default="2"
|
||||
fi
|
||||
else
|
||||
if [ ! -s ($avol)/1/${kernel} -a ! -s ($avol)/2/${kernel_rollback} ] ; then
|
||||
set default="2"
|
||||
fi
|
||||
fi
|
||||
fi
|
27
grub/grub-efi/debian/meta_data.yaml
Normal file
27
grub/grub-efi/debian/meta_data.yaml
Normal file
@ -0,0 +1,27 @@
|
||||
---
|
||||
debver: 2.06-1
|
||||
debname: grub-efi
|
||||
serial: true
|
||||
dl_hook: dl_hook
|
||||
dl_files:
|
||||
grub2_2.06.orig.tar.xz:
|
||||
topdir: null
|
||||
url:
|
||||
"https://snapshot.debian.org/archive/debian/20211128T160803Z/\
|
||||
pool/main/g/grub2/grub2_2.06.orig.tar.xz"
|
||||
sha256sum: b79ea44af91b93d17cd3fe80bdae6ed43770678a9a5ae192ccea803ebb657ee1
|
||||
grub2_2.06-1.debian.tar.xz:
|
||||
topdir: null
|
||||
url:
|
||||
"https://snapshot.debian.org/archive/debian/20211128T160803Z/\
|
||||
pool/main/g/grub2/grub2_2.06-1.debian.tar.xz"
|
||||
sha256sum: 16a1a89d93abf8beb148dc30738be1bda05ed3c09cfffd4a1f5e1a0328c74b26
|
||||
src_files:
|
||||
- debian/files/boot_cfg_pw
|
||||
- debian/files/boot_pub_key
|
||||
- debian/files/cfg
|
||||
- debian/files/cfg_nosecure
|
||||
- debian/files/grub-runtime.cfg
|
||||
revision:
|
||||
dist: $STX_DIST
|
||||
PKG_GITREVCOUNT: true
|
32
grub/grub-efi/debian/patches/0001-grub2-add-tboot.patch
Normal file
32
grub/grub-efi/debian/patches/0001-grub2-add-tboot.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From be38cbc51f89493c46e299950937b85893ca05e8 Mon Sep 17 00:00:00 2001
|
||||
From: Bin Qian <bin.qian@windriver.com>
|
||||
Date: Tue, 21 Nov 2017 15:36:42 -0500
|
||||
Subject: [PATCH] grub2: add tboot
|
||||
|
||||
Original patch is 1001-add-tboot.patch
|
||||
|
||||
Signed-off-by: Bin Qian <bin.qian@windriver.com>
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
---
|
||||
util/grub.d/10_linux.in | 5 +++++
|
||||
1 file changed, 5 insertions(+)
|
||||
|
||||
diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in
|
||||
index 0cd4cf5..81435a8 100644
|
||||
--- a/util/grub.d/10_linux.in
|
||||
+++ b/util/grub.d/10_linux.in
|
||||
@@ -28,6 +28,11 @@ vt_handoff="@VT_HANDOFF@"
|
||||
|
||||
. "$pkgdatadir/grub-mkconfig_lib"
|
||||
|
||||
+tboot=`cat /proc/cmdline | xargs -n1 | grep '^tboot=true$'` || true
|
||||
+if [ -n "$tboot" ]; then
|
||||
+ exit 0
|
||||
+fi
|
||||
+
|
||||
export TEXTDOMAIN=@PACKAGE@
|
||||
export TEXTDOMAINDIR="@localedir@"
|
||||
|
||||
--
|
||||
2.25.1
|
||||
|
@ -0,0 +1,48 @@
|
||||
From bbd8d33b8646785ee31b435e9decf4271d6ecb68 Mon Sep 17 00:00:00 2001
|
||||
From: Yue Tao <Yue.Tao@windriver.com>
|
||||
Date: Sun, 5 Dec 2021 10:01:05 +0800
|
||||
Subject: [PATCH] grub2: checking if loop devices are available
|
||||
|
||||
Building in a chroot environment, may not have loop device.
|
||||
|
||||
Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
|
||||
---
|
||||
tests/ext234_test.in | 5 +++++
|
||||
tests/fat_test.in | 5 +++++
|
||||
2 files changed, 10 insertions(+)
|
||||
|
||||
diff --git a/tests/ext234_test.in b/tests/ext234_test.in
|
||||
index 4f1eb52..380850e 100644
|
||||
--- a/tests/ext234_test.in
|
||||
+++ b/tests/ext234_test.in
|
||||
@@ -25,6 +25,11 @@ if ! which mkfs.ext4 >/dev/null 2>&1; then
|
||||
exit 77
|
||||
fi
|
||||
|
||||
+if ! losetup -f >/dev/null 2>&1; then
|
||||
+ echo "No loop device, cannot test."
|
||||
+ exit 77
|
||||
+fi
|
||||
+
|
||||
"@builddir@/grub-fs-tester" ext2_old
|
||||
"@builddir@/grub-fs-tester" ext2
|
||||
"@builddir@/grub-fs-tester" ext3
|
||||
diff --git a/tests/fat_test.in b/tests/fat_test.in
|
||||
index b6b4748..ab5348a 100644
|
||||
--- a/tests/fat_test.in
|
||||
+++ b/tests/fat_test.in
|
||||
@@ -15,6 +15,11 @@ if ! which mkfs.vfat >/dev/null 2>&1; then
|
||||
exit 77
|
||||
fi
|
||||
|
||||
+if ! losetup -f >/dev/null 2>&1; then
|
||||
+ echo "No loop device, cannot test."
|
||||
+ exit 77
|
||||
+fi
|
||||
+
|
||||
"@builddir@/grub-fs-tester" vfat16a
|
||||
"@builddir@/grub-fs-tester" vfat12a
|
||||
"@builddir@/grub-fs-tester" vfat12
|
||||
--
|
||||
2.25.1
|
||||
|
@ -0,0 +1,153 @@
|
||||
From d8d9c3ce2441be42fc65d2bde5d0fb299de39ad0 Mon Sep 17 00:00:00 2001
|
||||
From: Jiang Lu <lu.jiang@windriver.com>
|
||||
Date: Thu, 31 Jan 2019 15:27:03 +0800
|
||||
Subject: [PATCH] Make UEFI watchdog behaviour configurable
|
||||
|
||||
Starting with d9a0c9413e81d3c0affc6383693bdd28dc863a5c, GRUB unconditionally
|
||||
disables watchdog on EFI platforms. This opens up a window (starting at GRUB's
|
||||
grub_efi_init(), until OS re-enables it) when EFI system operates w/o watchdog.
|
||||
If an EFI system gets stuck in that window, the chipset will never reset the
|
||||
system.
|
||||
|
||||
Create a command line interface to enable/disable watchdog:
|
||||
efi-watchdog (enable|disable) <code> <timeout>
|
||||
|
||||
Signed-off-by: Jiang Lu <lu.jiang@windriver.com>
|
||||
|
||||
Rebase for grub 2.06
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
---
|
||||
docs/grub.texi | 11 +++++++
|
||||
grub-core/kern/efi/init.c | 68 +++++++++++++++++++++++++++++++++++++++
|
||||
2 files changed, 79 insertions(+)
|
||||
|
||||
diff --git a/docs/grub.texi b/docs/grub.texi
|
||||
index f8b4b3b..95e8367 100644
|
||||
--- a/docs/grub.texi
|
||||
+++ b/docs/grub.texi
|
||||
@@ -3991,6 +3991,7 @@ you forget a command, you can run the command @command{help}
|
||||
* distrust:: Remove a pubkey from trusted keys
|
||||
* drivemap:: Map a drive to another
|
||||
* echo:: Display a line of text
|
||||
+* efi-watchdog:: Manipulate EFI watchdog
|
||||
* eval:: Evaluate agruments as GRUB commands
|
||||
* export:: Export an environment variable
|
||||
* false:: Do nothing, unsuccessfully
|
||||
@@ -4442,6 +4443,16 @@ When interpreting backslash escapes, backslash followed by any other
|
||||
character will print that character.
|
||||
@end deffn
|
||||
|
||||
+@node efi-watchdog
|
||||
+@subsection efi-watchdog
|
||||
+
|
||||
+@deffn Command efi-watchdog enable|disable <code> <timeout>
|
||||
+Enable or disable the system's watchdog timer. Only available in EFI targeted
|
||||
+GRUB.
|
||||
+The <code> is logged upon watchdog timeout event. The UEFI BIOS reserves codes
|
||||
+0x0000 to 0xFFFF.
|
||||
+The <timeout> represents number of seconds to set the watchdog timeout to.
|
||||
+@end deffn
|
||||
|
||||
@node eval
|
||||
@subsection eval
|
||||
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
|
||||
index 7facacf..4a88397 100644
|
||||
--- a/grub-core/kern/efi/init.c
|
||||
+++ b/grub-core/kern/efi/init.c
|
||||
@@ -28,6 +28,8 @@
|
||||
#include <grub/mm.h>
|
||||
#include <grub/kernel.h>
|
||||
#include <grub/stack_protector.h>
|
||||
+#include <grub/extcmd.h>
|
||||
+#include <grub/command.h>
|
||||
|
||||
#ifdef GRUB_STACK_PROTECTOR
|
||||
|
||||
@@ -82,6 +84,68 @@ stack_protector_init (void)
|
||||
|
||||
grub_addr_t grub_modbase;
|
||||
|
||||
+static grub_command_t cmd_list;
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_cmd_efi_watchdog (grub_command_t cmd __attribute__ ((unused)),
|
||||
+ int argc, char **args)
|
||||
+{
|
||||
+ long input;
|
||||
+ grub_efi_status_t status;
|
||||
+ grub_efi_uintn_t timeout;
|
||||
+ grub_efi_uint64_t code;
|
||||
+
|
||||
+ if (argc < 1)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("usage: efi-watchdog (enable|disable) <code> <timeout>"));
|
||||
+
|
||||
+ if (grub_strcasecmp (args[0], "enable") == 0) {
|
||||
+
|
||||
+ if (argc != 3)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("usage: efi-watchdog enable <code> <timeout>"));
|
||||
+
|
||||
+ input = grub_strtol (args[1], 0, 0);
|
||||
+
|
||||
+ if (input >= 0) {
|
||||
+ code = input;
|
||||
+ } else {
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("<code> must be non-negative"));
|
||||
+ }
|
||||
+
|
||||
+ input = grub_strtol (args[2], 0, 0);
|
||||
+
|
||||
+ if (input >= 0) {
|
||||
+ timeout = (grub_efi_uintn_t) input;
|
||||
+ } else {
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("<timeout> must be non-negative"));
|
||||
+ }
|
||||
+
|
||||
+ } else if (grub_strcasecmp (args[0], "disable") == 0) {
|
||||
+
|
||||
+ if (argc != 1)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("usage: efi-watchdog disable"));
|
||||
+ timeout = 0;
|
||||
+ code = 0;
|
||||
+
|
||||
+ } else {
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
||||
+ N_("usage: efi-watchdog (enable|disable) <code> <timeout>"));
|
||||
+ }
|
||||
+
|
||||
+ status = efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
|
||||
+ timeout, code, sizeof(L"GRUB"), L"GRUB");
|
||||
+
|
||||
+ if (status != GRUB_EFI_SUCCESS)
|
||||
+ return grub_error (GRUB_ERR_BUG,
|
||||
+ N_("Unexpected UEFI SetWatchdogTimer() error"));
|
||||
+ else
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
+
|
||||
void
|
||||
grub_efi_init (void)
|
||||
{
|
||||
@@ -109,6 +173,9 @@ grub_efi_init (void)
|
||||
0, 0, 0, NULL);
|
||||
|
||||
grub_efidisk_init ();
|
||||
+
|
||||
+ cmd_list = grub_register_command ("efi-watchdog", grub_cmd_efi_watchdog, 0,
|
||||
+ N_("Enable/Disable system's watchdog timer."));
|
||||
}
|
||||
|
||||
void (*grub_efi_net_config) (grub_efi_handle_t hnd,
|
||||
@@ -146,4 +213,5 @@ grub_efi_fini (void)
|
||||
{
|
||||
grub_efidisk_fini ();
|
||||
grub_console_fini ();
|
||||
+ grub_unregister_command (cmd_list);
|
||||
}
|
||||
--
|
||||
2.17.1
|
||||
|
45
grub/grub-efi/debian/patches/0004-correct-grub_errno.patch
Normal file
45
grub/grub-efi/debian/patches/0004-correct-grub_errno.patch
Normal file
@ -0,0 +1,45 @@
|
||||
From fcab9daa2e62bcf2f6165fca4378d0e8a919a276 Mon Sep 17 00:00:00 2001
|
||||
From: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
Date: Sat, 19 Mar 2022 20:01:58 +0800
|
||||
Subject: [PATCH] correct grub_errno
|
||||
|
||||
Correct grub_errno if allocate memory at preferred address success.
|
||||
|
||||
Usually allocate memory at preferred address will fail and then
|
||||
allocate to another address. During second time allocate, it reset
|
||||
grub_errno = GRUB_ERR_NONE.
|
||||
|
||||
While grub efi working on a server with huge memory, allocate memory at
|
||||
preferred address will succeed, no need to allocate again, and no change
|
||||
to correct grub_errno. It caused load kernel image fail in this
|
||||
situation.
|
||||
|
||||
Set grub_errno = GRUB_ERR_NONE if first allocate success
|
||||
|
||||
Upstream-Status: Inappropriate [oe specific]
|
||||
|
||||
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
[lz: Adapt the git shortlog.]
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
grub-core/loader/i386/linux.c | 4 ++++
|
||||
1 file changed, 4 insertions(+)
|
||||
|
||||
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
||||
index 9f74a96..747cfe0 100644
|
||||
--- a/grub-core/loader/i386/linux.c
|
||||
+++ b/grub-core/loader/i386/linux.c
|
||||
@@ -179,6 +179,10 @@ allocate_pages (grub_size_t prot_size, grub_size_t *align,
|
||||
prot_size, 1,
|
||||
GRUB_RELOCATOR_PREFERENCE_LOW,
|
||||
1);
|
||||
+
|
||||
+ if (!err)
|
||||
+ grub_errno = GRUB_ERR_NONE;
|
||||
+
|
||||
for (; err && *align + 1 > min_align; (*align)--)
|
||||
{
|
||||
grub_errno = GRUB_ERR_NONE;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,98 @@
|
||||
From 01120b5ec61ae7bbe550b1e2fe0f75c2d2073b1f Mon Sep 17 00:00:00 2001
|
||||
From: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
Date: Fri, 6 May 2022 15:44:14 +0800
|
||||
Subject: [PATCH] grub verify: Add skip_check_cfg variable
|
||||
|
||||
While check_signatures enabled, with skip_check_cfg set to 1
|
||||
- Do not verify the signature on the file that has suffix `.cfg'
|
||||
- Do not authenticate user and password if cfg is changed
|
||||
|
||||
Implement function grub_strendswith to find cfg file
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
|
||||
---
|
||||
grub-core/commands/pgp.c | 12 ++++++++++++
|
||||
grub-core/kern/misc.c | 12 ++++++++++++
|
||||
grub-core/normal/auth.c | 5 +++++
|
||||
include/grub/misc.h | 1 +
|
||||
4 files changed, 30 insertions(+)
|
||||
|
||||
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||
index 5daa1e9..e60a29a 100644
|
||||
--- a/grub-core/commands/pgp.c
|
||||
+++ b/grub-core/commands/pgp.c
|
||||
@@ -873,6 +873,18 @@ grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unuse
|
||||
char *fsuf, *ptr;
|
||||
grub_err_t err;
|
||||
struct grub_pubkey_context *ctxt;
|
||||
+ const char *val;
|
||||
+
|
||||
+ /* SKip to check the signature of cfg */
|
||||
+ val = grub_env_get ("skip_check_cfg");
|
||||
+ if (val && (val[0] == '1'))
|
||||
+ {
|
||||
+ if (grub_strendswith (io->name, ".cfg"))
|
||||
+ {
|
||||
+ *flags = GRUB_VERIFY_FLAGS_SKIP_VERIFICATION;
|
||||
+ return GRUB_ERR_NONE;
|
||||
+ }
|
||||
+ }
|
||||
|
||||
if (!sec)
|
||||
{
|
||||
diff --git a/grub-core/kern/misc.c b/grub-core/kern/misc.c
|
||||
index 3af336e..8bf1d90 100644
|
||||
--- a/grub-core/kern/misc.c
|
||||
+++ b/grub-core/kern/misc.c
|
||||
@@ -280,6 +280,18 @@ grub_strncmp (const char *s1, const char *s2, grub_size_t n)
|
||||
return (int) (grub_uint8_t) *s1 - (int) (grub_uint8_t) *s2;
|
||||
}
|
||||
|
||||
+int
|
||||
+grub_strendswith (const char *str, const char *suffix)
|
||||
+{
|
||||
+ if (!str || !suffix)
|
||||
+ return 0;
|
||||
+ grub_size_t lenstr = grub_strlen(str);
|
||||
+ grub_size_t lensuffix = grub_strlen(suffix);
|
||||
+ if (lensuffix > lenstr)
|
||||
+ return 0;
|
||||
+ return grub_strncmp(str + lenstr - lensuffix, suffix, lensuffix) == 0;
|
||||
+}
|
||||
+
|
||||
char *
|
||||
grub_strchr (const char *s, int c)
|
||||
{
|
||||
diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
|
||||
index 6be678c..57a1a42 100644
|
||||
--- a/grub-core/normal/auth.c
|
||||
+++ b/grub-core/normal/auth.c
|
||||
@@ -136,6 +136,11 @@ is_authenticated (const char *userlist)
|
||||
const char *superusers;
|
||||
struct grub_auth_user *user;
|
||||
|
||||
+ /* SKip to authenticate grub cfg */
|
||||
+ const char *val = grub_env_get ("skip_check_cfg");
|
||||
+ if (val && (val[0] == '1'))
|
||||
+ return 1;
|
||||
+
|
||||
superusers = grub_env_get ("superusers");
|
||||
|
||||
if (!superusers)
|
||||
diff --git a/include/grub/misc.h b/include/grub/misc.h
|
||||
index 7d2b551..cce29d7 100644
|
||||
--- a/include/grub/misc.h
|
||||
+++ b/include/grub/misc.h
|
||||
@@ -82,6 +82,7 @@ grub_memcpy (void *dest, const void *src, grub_size_t n)
|
||||
int EXPORT_FUNC(grub_memcmp) (const void *s1, const void *s2, grub_size_t n);
|
||||
int EXPORT_FUNC(grub_strcmp) (const char *s1, const char *s2);
|
||||
int EXPORT_FUNC(grub_strncmp) (const char *s1, const char *s2, grub_size_t n);
|
||||
+int EXPORT_FUNC(grub_strendswith) (const char *str, const char *suffix);
|
||||
|
||||
char *EXPORT_FUNC(grub_strchr) (const char *s, int c);
|
||||
char *EXPORT_FUNC(grub_strrchr) (const char *s, int c);
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,82 @@
|
||||
From 3d9946f69f5ec17da747aa683ff7b5ccf9c31252 Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:01:41 -0700
|
||||
Subject: [PATCH] pe32.h: add header structures for TE and DOS executables
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Add header structures to describe the Terse Executable format and
|
||||
the DOS header format for executable images.
|
||||
|
||||
These definitions are needed in subsequent commits to parse and
|
||||
verify the identity of the executable image when utilizing a shim
|
||||
to boot LUV.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
|
||||
Add definitions of macros IMAGE_FILE_MACHINE_* which is involved by
|
||||
0004-efi-chainloader-port-shim-to-grub.patch.
|
||||
|
||||
Signed-off-by: Kai Kang <kai.kang@windriver.com>
|
||||
---
|
||||
include/grub/efi/pe32.h | 46 +++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 46 insertions(+)
|
||||
|
||||
diff --git a/include/grub/efi/pe32.h b/include/grub/efi/pe32.h
|
||||
index 0ed8781..de3a720 100644
|
||||
--- a/include/grub/efi/pe32.h
|
||||
+++ b/include/grub/efi/pe32.h
|
||||
@@ -331,4 +331,50 @@ struct grub_pe32_reloc
|
||||
#define GRUB_PE32_REL_I386_DIR32 0x6
|
||||
#define GRUB_PE32_REL_I386_REL32 0x14
|
||||
|
||||
+//
|
||||
+// PE32+ Machine type for EFI images
|
||||
+//
|
||||
+#define IMAGE_FILE_MACHINE_I386 0x014c
|
||||
+#define IMAGE_FILE_MACHINE_IA64 0x0200
|
||||
+#define IMAGE_FILE_MACHINE_EBC 0x0EBC
|
||||
+#define IMAGE_FILE_MACHINE_X64 0x8664
|
||||
+#define IMAGE_FILE_MACHINE_ARMTHUMB_MIXED 0x01c2
|
||||
+#define IMAGE_FILE_MACHINE_ARM64 0xaa64
|
||||
+
|
||||
+struct grub_te_header
|
||||
+{
|
||||
+ grub_uint16_t signature;
|
||||
+ grub_uint16_t machine;
|
||||
+ grub_uint8_t num_sections;
|
||||
+ grub_uint8_t subsystem;
|
||||
+ grub_uint16_t stripped_size;
|
||||
+ grub_uint32_t entry_point;
|
||||
+ grub_uint32_t code_base;
|
||||
+ grub_uint64_t image_base;
|
||||
+ struct grub_pe32_data_directory data_directory[2];
|
||||
+};
|
||||
+
|
||||
+struct grub_dos_header
|
||||
+{
|
||||
+ grub_uint16_t magic;
|
||||
+ grub_uint16_t cblp;
|
||||
+ grub_uint16_t cp;
|
||||
+ grub_uint16_t crlc;
|
||||
+ grub_uint16_t cparhdr;
|
||||
+ grub_uint16_t minalloc;
|
||||
+ grub_uint16_t maxalloc;
|
||||
+ grub_uint16_t ss;
|
||||
+ grub_uint16_t sp;
|
||||
+ grub_uint16_t csum;
|
||||
+ grub_uint16_t ip;
|
||||
+ grub_uint16_t cs;
|
||||
+ grub_uint16_t lfarlc;
|
||||
+ grub_uint16_t ovno;
|
||||
+ grub_uint16_t res[4];
|
||||
+ grub_uint16_t oemid;
|
||||
+ grub_uint16_t oeminfo;
|
||||
+ grub_uint16_t res2[10];
|
||||
+ grub_uint32_t lfanew;
|
||||
+};
|
||||
+
|
||||
#endif /* ! GRUB_EFI_PE32_HEADER */
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,161 @@
|
||||
From 1b807419bd99382cfeb9584ab7e8c10a0e416c5d Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:09:58 -0700
|
||||
Subject: [PATCH] shim: add needed data structures
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Add the needed data structures for shim to load, parse, relocate and
|
||||
execute a binary. This includes file-parsing structures, an identifier for
|
||||
the UEFI protocol for image verification under secure boot provided by shim.
|
||||
|
||||
Shim is thin loader developed by Matthew Garret
|
||||
(https://github.com/rhinstaller/shim). This code was ported from such project.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
---
|
||||
include/grub/efi/shim.h | 132 ++++++++++++++++++++++++++++++++++++++++
|
||||
1 file changed, 132 insertions(+)
|
||||
create mode 100644 include/grub/efi/shim.h
|
||||
|
||||
diff --git a/include/grub/efi/shim.h b/include/grub/efi/shim.h
|
||||
new file mode 100644
|
||||
index 0000000..4b92a00
|
||||
--- /dev/null
|
||||
+++ b/include/grub/efi/shim.h
|
||||
@@ -0,0 +1,132 @@
|
||||
+/*
|
||||
+ * shim.h - interface to shim: UEFI first-stage bootloader
|
||||
+ *
|
||||
+ * Copyright 2015 Intel Corporation.
|
||||
+ *
|
||||
+ * Redistribution and use in source and binary forms, with or without
|
||||
+ * modification, are permitted provided that the following conditions
|
||||
+ * are met:
|
||||
+ *
|
||||
+ * Redistributions of source code must retain the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer.
|
||||
+ *
|
||||
+ * Redistributions in binary form must reproduce the above copyright
|
||||
+ * notice, this list of conditions and the following disclaimer in the
|
||||
+ * documentation and/or other materials provided with the
|
||||
+ * distribution.
|
||||
+ *
|
||||
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
|
||||
+ * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
|
||||
+ * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
|
||||
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
|
||||
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
||||
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
||||
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
|
||||
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
||||
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
|
||||
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
+ *
|
||||
+ * Significant portions of this code are derived from Red Hat shim: UEFI
|
||||
+ * first-stage bootloader.
|
||||
+ * (https://github.com/rhinstaller/shim) and are Copyright 2012 Red Hat, Inc
|
||||
+ */
|
||||
+
|
||||
+#ifndef GRUB_SHIM_HEADER
|
||||
+#define GRUB_SHIM_HEADER 1
|
||||
+
|
||||
+#include <grub/efi/pe32.h>
|
||||
+
|
||||
+struct grub_nt_headers32
|
||||
+{
|
||||
+ grub_efi_uint32_t signature;
|
||||
+ struct grub_pe32_coff_header file_hdr;
|
||||
+ struct grub_pe32_optional_header opt_hdr;
|
||||
+};
|
||||
+
|
||||
+struct grub_nt_headers64
|
||||
+{
|
||||
+ grub_efi_uint32_t signature;
|
||||
+ struct grub_pe32_coff_header file_hdr;
|
||||
+ struct grub_pe64_optional_header opt_hdr;
|
||||
+};
|
||||
+
|
||||
+struct grub_image_base_relocation
|
||||
+{
|
||||
+ grub_efi_uint32_t virtual_address;
|
||||
+ grub_efi_uint32_t block_size;
|
||||
+};
|
||||
+
|
||||
+struct grub_shim_pe_coff_loader_image_context {
|
||||
+ grub_efi_uint64_t image_address;
|
||||
+ grub_efi_uint64_t image_size;
|
||||
+ grub_efi_uint64_t entry_point;
|
||||
+ grub_efi_uintn_t header_size;
|
||||
+ grub_efi_uint16_t image_type;
|
||||
+ grub_efi_uint16_t num_sections;
|
||||
+ struct grub_pe32_section_table *first_section;
|
||||
+ struct grub_pe32_data_directory *reloc_dir;
|
||||
+ struct grub_pe32_data_directory *sec_dir;
|
||||
+ grub_efi_uint64_t number_of_rva_and_sizes;
|
||||
+ union grub_shim_optional_header_union *pe_hdr;
|
||||
+};
|
||||
+
|
||||
+struct grub_shim_lock
|
||||
+{
|
||||
+ grub_efi_status_t
|
||||
+ (*verify) (void *buffer,
|
||||
+ grub_uint32_t size);
|
||||
+
|
||||
+ grub_efi_status_t
|
||||
+ (*hash) (grub_int8_t *data,
|
||||
+ grub_int32_t datasize,
|
||||
+ struct grub_shim_pe_coff_loader_image_context *context,
|
||||
+ grub_uint8_t sha256hash,
|
||||
+ grub_uint8_t sha1hash);
|
||||
+
|
||||
+ grub_efi_status_t
|
||||
+ (*context) (void *data,
|
||||
+ grub_uint32_t datasize,
|
||||
+ struct grub_shim_pe_coff_loader_image_context *context);
|
||||
+};
|
||||
+
|
||||
+union grub_shim_optional_header_union
|
||||
+{
|
||||
+ struct grub_nt_headers32 pe32;
|
||||
+ struct grub_nt_headers64 pe32plus;
|
||||
+ struct grub_te_header te;
|
||||
+};
|
||||
+
|
||||
+#define GRUB_EFI_SHIM_PROTOCOL_GUID \
|
||||
+ { 0x605dab50, 0xe046, 0x4300, \
|
||||
+ { 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 } \
|
||||
+ }
|
||||
+
|
||||
+#define SIGNATURE_16(A, B) ((A) | (B << 8))
|
||||
+#define SIGNATURE_32(A, B, C, D) (SIGNATURE_16 (A, B) | (SIGNATURE_16 (C, D) << 16))
|
||||
+
|
||||
+#define EFI_IMAGE_DOS_SIGNATURE SIGNATURE_16('M', 'Z')
|
||||
+#define EFI_IMAGE_NT_SIGNATURE SIGNATURE_32('P', 'E', '\0', '\0')
|
||||
+
|
||||
+#define EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC 5
|
||||
+
|
||||
+#define ALIGN_VALUE(Value, Alignment) ((Value) + (((Alignment) - (Value)) & ((Alignment) - 1)))
|
||||
+#define ALIGN_POINTER(Pointer, Alignment) ((void *) (ALIGN_VALUE ((grub_efi_uintn_t)(Pointer), (Alignment))))
|
||||
+
|
||||
+/* Based relocation types. */
|
||||
+
|
||||
+#define EFI_IMAGE_REL_BASED_ABSOLUTE 0
|
||||
+#define EFI_IMAGE_REL_BASED_HIGH 1
|
||||
+#define EFI_IMAGE_REL_BASED_LOW 2
|
||||
+#define EFI_IMAGE_REL_BASED_HIGHLOW 3
|
||||
+#define EFI_IMAGE_REL_BASED_HIGHADJ 4
|
||||
+#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR 5
|
||||
+#define EFI_IMAGE_REL_BASED_ARM_MOV32A 5
|
||||
+#define EFI_IMAGE_REL_BASED_ARM_MOV32T 7
|
||||
+#define EFI_IMAGE_REL_BASED_IA64_IMM64 9
|
||||
+#define EFI_IMAGE_REL_BASED_MIPS_JMPADDR16 9
|
||||
+#define EFI_IMAGE_REL_BASED_DIR64 10
|
||||
+
|
||||
+
|
||||
+#endif /* ! GRUB_SHIM_HEADER */
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,83 @@
|
||||
From a210b02b15d68bfe38651295f35edb1a21cef475 Mon Sep 17 00:00:00 2001
|
||||
From: Matt Fleming <matt.fleming@intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:11:19 -0700
|
||||
Subject: [PATCH] efi: chainloader: implement an UEFI Exit service
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Implement an UEFI Exit service for shim in grub.
|
||||
When exiting, grub will call the UEFI boot-time service Exit. The
|
||||
effect of this is that UEFI will jump to the entry point of the
|
||||
UEFI started image. If we execute an image using shim within grub,
|
||||
shim takes care of loading/parsing/relocating/executing the image.
|
||||
Under this scenario, we also need to take care of the Exit call. Thus,
|
||||
we need to reimplement the function to make sure we perform a jump
|
||||
to the instruction after which shim executed the image.
|
||||
|
||||
Once we have taken care of the exit of the shim-executed image
|
||||
the system Exit call is restored.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
[lz: Adapt git shortlog.]
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
grub-core/kern/x86_64/efi/callwrap.S | 23 +++++++++++++++++++++++
|
||||
include/grub/efi/api.h | 4 ++++
|
||||
2 files changed, 27 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/x86_64/efi/callwrap.S b/grub-core/kern/x86_64/efi/callwrap.S
|
||||
index 1337fd9..b849c2c 100644
|
||||
--- a/grub-core/kern/x86_64/efi/callwrap.S
|
||||
+++ b/grub-core/kern/x86_64/efi/callwrap.S
|
||||
@@ -48,6 +48,26 @@ FUNCTION(efi_wrap_1)
|
||||
addq $40, %rsp
|
||||
ret
|
||||
|
||||
+FUNCTION(efi_call_foo)
|
||||
+ pushq %rbp
|
||||
+ pushq %r12
|
||||
+ pushq %r13
|
||||
+ pushq %r14
|
||||
+ pushq %r15
|
||||
+ movq %rsp, saved_sp(%rip)
|
||||
+ subq $48, %rsp
|
||||
+ mov %rsi, %rcx
|
||||
+ call *%rdi
|
||||
+
|
||||
+FUNCTION(efi_shim_exit)
|
||||
+ movq saved_sp(%rip), %rsp
|
||||
+ popq %r15
|
||||
+ popq %r14
|
||||
+ popq %r13
|
||||
+ popq %r12
|
||||
+ popq %rbp
|
||||
+ ret
|
||||
+
|
||||
FUNCTION(efi_wrap_2)
|
||||
subq $40, %rsp
|
||||
mov %rsi, %rcx
|
||||
@@ -127,3 +147,6 @@ FUNCTION(efi_wrap_10)
|
||||
call *%rdi
|
||||
addq $88, %rsp
|
||||
ret
|
||||
+
|
||||
+ .data
|
||||
+saved_sp: .quad 0
|
||||
diff --git a/include/grub/efi/api.h b/include/grub/efi/api.h
|
||||
index f1a5221..de3bbbd 100644
|
||||
--- a/include/grub/efi/api.h
|
||||
+++ b/include/grub/efi/api.h
|
||||
@@ -1776,6 +1776,10 @@ typedef struct grub_efi_rng_protocol grub_efi_rng_protocol_t;
|
||||
|
||||
grub_uint64_t EXPORT_FUNC(efi_wrap_0) (void *func);
|
||||
grub_uint64_t EXPORT_FUNC(efi_wrap_1) (void *func, grub_uint64_t arg1);
|
||||
+grub_efi_status_t EXPORT_FUNC(efi_shim_exit) (grub_efi_handle_t handle, grub_efi_status_t exit_status,
|
||||
+ grub_efi_uintn_t exit_data_size, grub_efi_char16_t *exit_data) __attribute__((noreturn));
|
||||
+grub_uint64_t EXPORT_FUNC(efi_call_foo) (void *func, grub_uint64_t arg1,
|
||||
+ grub_uint64_t arg2);
|
||||
grub_uint64_t EXPORT_FUNC(efi_wrap_2) (void *func, grub_uint64_t arg1,
|
||||
grub_uint64_t arg2);
|
||||
grub_uint64_t EXPORT_FUNC(efi_wrap_3) (void *func, grub_uint64_t arg1,
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,582 @@
|
||||
From cb88b18b2648c89bccedb7bda25e398618110cbc Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:19:21 -0700
|
||||
Subject: [PATCH] efi: chainloader: port shim to grub
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Shim is a thin loader to execute signed binaries under the
|
||||
chain of trust of UEFI secure boot. Before executing the image,
|
||||
shim verifies that such image is signed with any of the Machine
|
||||
Owner Keys (MOKs). If the verification is successful, shim will
|
||||
load, parse, relocate and execute the image.
|
||||
|
||||
Shim is useful in case the user does not want to modify the UEFI
|
||||
database of valid certificates (DB).
|
||||
|
||||
This commit ports Matthew Garret's code from shim to grub in order
|
||||
to provide to grub the capability of load and execute trusted
|
||||
binaries. This is useful in case we need to chainload two bootloaders.
|
||||
|
||||
Shim can be found here: https://github.com/rhinstaller/shim
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 534 +++++++++++++++++++++++++++++
|
||||
1 file changed, 534 insertions(+)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index 2bd80f4..d192e2d 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -32,6 +32,7 @@
|
||||
#include <grub/efi/api.h>
|
||||
#include <grub/efi/efi.h>
|
||||
#include <grub/efi/disk.h>
|
||||
+#include <grub/efi/shim.h>
|
||||
#include <grub/command.h>
|
||||
#include <grub/i18n.h>
|
||||
#include <grub/net.h>
|
||||
@@ -49,6 +50,539 @@ static grub_efi_uintn_t pages;
|
||||
static grub_efi_device_path_t *file_path;
|
||||
static grub_efi_handle_t image_handle;
|
||||
static grub_efi_char16_t *cmdline;
|
||||
+static grub_int32_t shim_used;
|
||||
+static grub_efi_physical_address_t shim_buffer;
|
||||
+static grub_efi_uintn_t shim_pages;
|
||||
+static grub_efi_loaded_image_t shim_li_bak;
|
||||
+static grub_efi_status_t (*shim_entry_point) (grub_efi_handle_t image_handle,
|
||||
+ grub_efi_system_table_t *systab);
|
||||
+
|
||||
+static const grub_uint16_t
|
||||
+grub_shim_machine_type =
|
||||
+#if defined(__x86_64__)
|
||||
+ GRUB_PE32_MACHINE_X86_64;
|
||||
+#elif defined(__aarch64__)
|
||||
+ IMAGE_FILE_MACHINE_ARM64;
|
||||
+#elif defined(__arm__)
|
||||
+ IMAGE_FILE_MACHINE_ARMTHUMB_MIXED;
|
||||
+#elif defined(__i386__) || defined(__i486__) || defined(__i686__)
|
||||
+ GRUB_PE32_MACHINE_I386;
|
||||
+#elif defined(__ia64__)
|
||||
+ GRUB_PE32_MACHINE_IA64;
|
||||
+#else
|
||||
+#error this architecture is not supported by shim chainloader
|
||||
+#endif
|
||||
+
|
||||
+static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
|
||||
+
|
||||
+static grub_int32_t
|
||||
+grub_shim_allow_64_bit (void)
|
||||
+{
|
||||
+/* TODO: what is the definition for aarch64? */
|
||||
+#if defined(__x86_64__)
|
||||
+ return 1;
|
||||
+#elif defined(__i386__) || defined(__i686__)
|
||||
+/* TODO: find out what to do with in_protocol */
|
||||
+ return 0;
|
||||
+#else /* assuming everything else is 32-bit... */
|
||||
+ return 0;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static grub_int32_t
|
||||
+grub_shim_allow_32_bit (void)
|
||||
+{
|
||||
+/* TODO: what is the definition for aarch64? */
|
||||
+#if defined(__x86_64__)
|
||||
+/* TODO: find out what to do with in_protocol */
|
||||
+ return 0;
|
||||
+#elif defined(__i386__) || defined(__i686__)
|
||||
+ return 1;
|
||||
+#else /* assuming everything else is 32-bit... */
|
||||
+ return 1;
|
||||
+#endif
|
||||
+}
|
||||
+
|
||||
+static grub_int32_t
|
||||
+grub_shim_image_is_64_bit (union grub_shim_optional_header_union *pe_hdr)
|
||||
+{
|
||||
+ /* .Magic is the same offset in all cases */
|
||||
+ if (pe_hdr->pe32plus.opt_hdr.magic == GRUB_PE32_PE64_MAGIC)
|
||||
+ return 1;
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static grub_int32_t
|
||||
+grub_shim_image_is_loadable (union grub_shim_optional_header_union *pe_hdr)
|
||||
+{
|
||||
+ /* If the machine type doesn't match the binary, bail, unless
|
||||
+ * we're in an allowed 64-on-32 scenario
|
||||
+ */
|
||||
+ if (pe_hdr->pe32.file_hdr.machine != grub_shim_machine_type)
|
||||
+ {
|
||||
+ if (!(grub_shim_machine_type == GRUB_PE32_MACHINE_I386
|
||||
+ && pe_hdr->pe32.file_hdr.machine == GRUB_PE32_MACHINE_X86_64
|
||||
+ && grub_shim_allow_64_bit ()))
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* If it's not a header type we recognize at all, bail */
|
||||
+ switch (pe_hdr->pe32plus.opt_hdr.magic)
|
||||
+ {
|
||||
+ case GRUB_PE32_PE64_MAGIC:
|
||||
+ case GRUB_PE32_PE32_MAGIC:
|
||||
+ break;
|
||||
+ default:
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
+ /* and now just check for general 64-vs-32 compatibility */
|
||||
+ if (grub_shim_image_is_64_bit(pe_hdr))
|
||||
+ {
|
||||
+ if (grub_shim_allow_64_bit ())
|
||||
+ return 1;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ if (grub_shim_allow_32_bit ())
|
||||
+ return 1;
|
||||
+ }
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Perform basic bounds checking of the intra-image pointers
|
||||
+ */
|
||||
+static grub_efi_uint64_t
|
||||
+grub_shim_image_address (grub_addr_t image, grub_uint32_t size, grub_uint32_t addr)
|
||||
+{
|
||||
+ if (addr > size)
|
||||
+ return 0;
|
||||
+ return image + addr;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Perform the actual relocation
|
||||
+ */
|
||||
+static grub_err_t
|
||||
+grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
+ void *orig, void *data)
|
||||
+{
|
||||
+ struct grub_image_base_relocation *reloc_base, *reloc_base_end;
|
||||
+ grub_efi_uint64_t adjust;
|
||||
+ grub_efi_uint16_t *reloc, *reloc_end;
|
||||
+ grub_uint8_t *fixup, *fixup_base, *fixup_data = NULL;
|
||||
+ grub_efi_uint16_t *fixup16;
|
||||
+ grub_efi_uint32_t *fixup32;
|
||||
+ grub_efi_uint64_t *fixup64;
|
||||
+ grub_int32_t size = context->image_size;
|
||||
+ void *image_end = (char *)orig + size;
|
||||
+
|
||||
+ if (grub_shim_image_is_64_bit(context->pe_hdr))
|
||||
+ context->pe_hdr->pe32plus.opt_hdr.image_base = (grub_efi_uint64_t)(unsigned long)data;
|
||||
+ else
|
||||
+ context->pe_hdr->pe32.opt_hdr.image_base = (grub_efi_uint32_t)(unsigned long)data;
|
||||
+
|
||||
+ reloc_base = (struct grub_image_base_relocation *)
|
||||
+ grub_shim_image_address ((grub_efi_uint64_t)orig, size,
|
||||
+ context->reloc_dir->rva);
|
||||
+ reloc_base_end = (struct grub_image_base_relocation *)
|
||||
+ grub_shim_image_address ((grub_efi_uint64_t)orig, size,
|
||||
+ context->reloc_dir->rva
|
||||
+ + context->reloc_dir->size - 1);
|
||||
+
|
||||
+ if (!reloc_base || !reloc_base_end)
|
||||
+ {
|
||||
+ grub_printf("Reloc table overflows binary\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ adjust = (grub_efi_uintn_t)data - context->image_address;
|
||||
+
|
||||
+ if (adjust == 0)
|
||||
+ return GRUB_EFI_SUCCESS;
|
||||
+
|
||||
+ while (reloc_base < reloc_base_end)
|
||||
+ {
|
||||
+ reloc = (grub_efi_uint16_t *) ((grub_int8_t *) reloc_base
|
||||
+ + sizeof (struct grub_image_base_relocation));
|
||||
+
|
||||
+ if ((reloc_base->block_size == 0)
|
||||
+ || (reloc_base->block_size > context->reloc_dir->size))
|
||||
+ {
|
||||
+ grub_printf("Reloc block size %d is invalid\n", reloc_base->block_size);
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ reloc_end = (grub_efi_uint16_t *)
|
||||
+ ((grub_uint8_t *) reloc_base + reloc_base->block_size);
|
||||
+ if ((void *)reloc_end < orig || (void *)reloc_end > image_end)
|
||||
+ {
|
||||
+ grub_printf("Reloc entry overflows binary\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ fixup_base = (grub_uint8_t *)
|
||||
+ grub_shim_image_address ((grub_efi_uint64_t)data,
|
||||
+ size,
|
||||
+ reloc_base->virtual_address);
|
||||
+ if (!fixup_base)
|
||||
+ {
|
||||
+ grub_printf("Invalid fixup_base\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ while (reloc < reloc_end)
|
||||
+ {
|
||||
+ fixup = fixup_base + (*reloc & 0xFFF);
|
||||
+ switch ((*reloc) >> 12)
|
||||
+ {
|
||||
+ case EFI_IMAGE_REL_BASED_ABSOLUTE:
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_IMAGE_REL_BASED_HIGH:
|
||||
+ fixup16 = (grub_efi_uint16_t *) fixup;
|
||||
+ *fixup16 = (grub_efi_uint16_t)
|
||||
+ (*fixup16
|
||||
+ + ((grub_efi_uint16_t) ((grub_efi_uint32_t) adjust >> 16)));
|
||||
+ if (fixup_data != NULL)
|
||||
+ {
|
||||
+ *(grub_efi_uint16_t *) fixup_data = *fixup16;
|
||||
+ fixup_data = fixup_data + sizeof (grub_efi_uint16_t);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_IMAGE_REL_BASED_LOW:
|
||||
+ fixup16 = (grub_efi_uint16_t *) fixup;
|
||||
+ *fixup16 = (grub_efi_uint16_t)
|
||||
+ (*fixup16 + (grub_efi_uint16_t) adjust);
|
||||
+ if (fixup_data != NULL)
|
||||
+ {
|
||||
+ *(grub_efi_uint16_t *) fixup_data = *fixup16;
|
||||
+ fixup_data = fixup_data + sizeof (grub_efi_uint16_t);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_IMAGE_REL_BASED_HIGHLOW:
|
||||
+ fixup32 = (grub_efi_uint32_t *) fixup;
|
||||
+ *fixup32 = *fixup32 + (grub_efi_uint32_t) adjust;
|
||||
+ if (fixup_data != NULL)
|
||||
+ {
|
||||
+ fixup_data = ALIGN_POINTER (fixup_data, sizeof (grub_efi_uint32_t));
|
||||
+ *(grub_efi_uint32_t *)fixup_data = *fixup32;
|
||||
+ fixup_data = fixup_data + sizeof (grub_efi_uint32_t);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_IMAGE_REL_BASED_DIR64:
|
||||
+ fixup64 = (grub_efi_uint64_t *) fixup;
|
||||
+ *fixup64 = *fixup64 + (grub_efi_uint64_t) adjust;
|
||||
+ if (fixup_data != NULL)
|
||||
+ {
|
||||
+ fixup_data = ALIGN_POINTER (fixup_data, sizeof(grub_efi_uint64_t));
|
||||
+ *(grub_efi_uint64_t *)(fixup_data) = *fixup64;
|
||||
+ fixup_data = fixup_data + sizeof(grub_efi_uint64_t);
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ grub_printf("Unknown relocation\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+ reloc += 1;
|
||||
+ }
|
||||
+ reloc_base = (struct grub_image_base_relocation *) reloc_end;
|
||||
+ }
|
||||
+
|
||||
+ return GRUB_EFI_SUCCESS;
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Read the binary header and grab appropriate information from it
|
||||
+ */
|
||||
+static grub_err_t
|
||||
+grub_shim_read_header(grub_efi_physical_address_t data, grub_uint32_t datasize,
|
||||
+ struct grub_shim_pe_coff_loader_image_context *context)
|
||||
+{
|
||||
+ struct grub_dos_header *dos_hdr = (struct grub_dos_header *)data;
|
||||
+ union grub_shim_optional_header_union *pe_hdr = (union grub_shim_optional_header_union *)data;
|
||||
+ grub_uint64_t header_without_data_dir, section_header_offset, opt_hdr_size;
|
||||
+
|
||||
+ if (datasize < sizeof (pe_hdr->pe32))
|
||||
+ {
|
||||
+ grub_printf("Invalid image\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if (dos_hdr->magic == EFI_IMAGE_DOS_SIGNATURE)
|
||||
+ pe_hdr = (union grub_shim_optional_header_union *)((grub_uint8_t *)data
|
||||
+ + dos_hdr->lfanew);
|
||||
+
|
||||
+ if (!grub_shim_image_is_loadable(pe_hdr))
|
||||
+ {
|
||||
+ grub_printf("Platform does not support this image\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if (grub_shim_image_is_64_bit(pe_hdr))
|
||||
+ {
|
||||
+ context->number_of_rva_and_sizes = pe_hdr->pe32plus.opt_hdr.num_data_directories;
|
||||
+ context->header_size = pe_hdr->pe32plus.opt_hdr.header_size;
|
||||
+ context->image_size = pe_hdr->pe32plus.opt_hdr.image_size;
|
||||
+ opt_hdr_size = sizeof(struct grub_pe64_optional_header);
|
||||
+ } else
|
||||
+ {
|
||||
+ context->number_of_rva_and_sizes = pe_hdr->pe32.opt_hdr.num_data_directories;
|
||||
+ context->header_size = pe_hdr->pe32.opt_hdr.header_size;
|
||||
+ context->image_size = (grub_efi_uint64_t)pe_hdr->pe32.opt_hdr.header_size;
|
||||
+ opt_hdr_size = sizeof(struct grub_pe32_optional_header);
|
||||
+ }
|
||||
+
|
||||
+ context->num_sections = pe_hdr->pe32.file_hdr.num_sections;
|
||||
+
|
||||
+ if (GRUB_PE32_NUM_DATA_DIRECTORIES < context->number_of_rva_and_sizes)
|
||||
+ {
|
||||
+ grub_printf("Image header too small\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ header_without_data_dir = opt_hdr_size
|
||||
+ - sizeof (struct grub_pe32_data_directory)
|
||||
+ * GRUB_PE32_NUM_DATA_DIRECTORIES;
|
||||
+ if (((grub_efi_uint32_t)pe_hdr->pe32.file_hdr.optional_header_size
|
||||
+ - header_without_data_dir) !=
|
||||
+ context->number_of_rva_and_sizes * sizeof (struct grub_pe32_data_directory))
|
||||
+ {
|
||||
+ grub_printf("Image header overflows data directory\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ section_header_offset = dos_hdr->lfanew
|
||||
+ + sizeof (grub_efi_uint32_t)
|
||||
+ + sizeof (struct grub_pe32_coff_header)
|
||||
+ + pe_hdr->pe32.file_hdr.optional_header_size;
|
||||
+ if (((grub_efi_uint32_t)context->image_size - section_header_offset)
|
||||
+ / sizeof (struct grub_pe32_section_table)
|
||||
+ <= context->num_sections)
|
||||
+ {
|
||||
+ grub_printf("Image sections overflow image size\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if ((context->header_size - section_header_offset)
|
||||
+ / sizeof (struct grub_pe32_section_table)
|
||||
+ < (grub_efi_uint32_t)context->num_sections)
|
||||
+ {
|
||||
+ grub_printf("Image sections overflow section headers\n");
|
||||
+ return GRUB_ERR_FILE_READ_ERROR;
|
||||
+ }
|
||||
+
|
||||
+ if ((((grub_efi_uint8_t *)pe_hdr
|
||||
+ - (grub_efi_uint8_t *)data)
|
||||
+ + sizeof(union grub_shim_optional_header_union )) > datasize)
|
||||
+ {
|
||||
+ grub_printf("Invalid image\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if (pe_hdr->te.signature != EFI_IMAGE_NT_SIGNATURE)
|
||||
+ {
|
||||
+ grub_printf("Unsupported image type\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if (pe_hdr->pe32.file_hdr.characteristics & GRUB_PE32_RELOCS_STRIPPED)
|
||||
+ {
|
||||
+ grub_printf("Unsupported image - Relocations have been stripped\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ context->pe_hdr = pe_hdr;
|
||||
+
|
||||
+ if (grub_shim_image_is_64_bit(pe_hdr))
|
||||
+ {
|
||||
+ context->image_address = pe_hdr->pe32plus.opt_hdr.image_base;
|
||||
+ context->entry_point = pe_hdr->pe32plus.opt_hdr.entry_addr;
|
||||
+ context->reloc_dir = &pe_hdr->pe32plus.opt_hdr.base_relocation_table;
|
||||
+ context->sec_dir = &pe_hdr->pe32plus.opt_hdr.certificate_table;
|
||||
+ } else
|
||||
+ {
|
||||
+ context->image_address = pe_hdr->pe32.opt_hdr.image_base;
|
||||
+ context->entry_point = pe_hdr->pe32.opt_hdr.entry_addr;
|
||||
+ context->reloc_dir = &pe_hdr->pe32.opt_hdr.base_relocation_table;
|
||||
+ context->sec_dir = &pe_hdr->pe32.opt_hdr.certificate_table;
|
||||
+ }
|
||||
+
|
||||
+ context->first_section = (struct grub_pe32_section_table *)
|
||||
+ ((char *)pe_hdr
|
||||
+ + pe_hdr->pe32.file_hdr.optional_header_size
|
||||
+ + sizeof(grub_efi_uint32_t)
|
||||
+ + sizeof(struct grub_pe32_coff_header));
|
||||
+
|
||||
+ if (context->image_size < context->header_size)
|
||||
+ {
|
||||
+ grub_printf("Invalid image\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if ((unsigned long)((grub_efi_uint8_t *)context->sec_dir - (grub_efi_uint8_t *)data) >
|
||||
+ (datasize - sizeof(struct grub_pe32_data_directory)))
|
||||
+ {
|
||||
+ grub_printf("Invalid image\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+
|
||||
+ if (context->sec_dir->rva >= datasize)
|
||||
+ {
|
||||
+ grub_printf("Malformed security header\n");
|
||||
+ return GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ }
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
+
|
||||
+static grub_efi_status_t
|
||||
+grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
|
||||
+{
|
||||
+ struct grub_shim_lock *shim_lock;
|
||||
+ shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
|
||||
+ if (!shim_lock)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
|
||||
+ return GRUB_EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ return shim_lock->verify((void *) addr, size);
|
||||
+}
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
+ struct grub_shim_pe_coff_loader_image_context *context)
|
||||
+{
|
||||
+ grub_err_t status;
|
||||
+ grub_efi_status_t efi_status;
|
||||
+ grub_uint32_t sect_size;
|
||||
+ /* TODO: can they be unsigned? */
|
||||
+ grub_int8_t *base, *end;
|
||||
+ grub_int32_t i;
|
||||
+ struct grub_pe32_section_table *section;
|
||||
+ grub_efi_boot_services_t *b;
|
||||
+
|
||||
+ shim_used = 0;
|
||||
+ shim_buffer = 0;
|
||||
+
|
||||
+ status = grub_shim_verify (addr, size);
|
||||
+ if (status != GRUB_ERR_NONE)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "shim verification failed");
|
||||
+ return GRUB_ERR_BAD_OS;
|
||||
+ }
|
||||
+
|
||||
+ grub_memset(context, 0, sizeof(*context));
|
||||
+ status = grub_shim_read_header (addr, size, context);
|
||||
+ if (status != GRUB_ERR_NONE)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "read header failed");
|
||||
+ return GRUB_ERR_BAD_OS;
|
||||
+ }
|
||||
+
|
||||
+ /* TODO: do we need to do this with efi_allocate? */
|
||||
+ shim_pages = (((grub_efi_uintn_t) context->image_size + ((1 << 12) - 1)) >> 12);
|
||||
+
|
||||
+ b = grub_efi_system_table->boot_services;
|
||||
+ efi_status = efi_call_4 (b->allocate_pages, GRUB_EFI_ALLOCATE_ANY_PAGES,
|
||||
+ GRUB_EFI_LOADER_CODE, shim_pages, &shim_buffer);
|
||||
+ if (efi_status != GRUB_EFI_SUCCESS)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory for shim buffer"));
|
||||
+ return GRUB_ERR_OUT_OF_MEMORY;
|
||||
+ }
|
||||
+
|
||||
+ /* TODO: do we need the double cast? */
|
||||
+ grub_memcpy ((void *) ((grub_efi_physical_address_t) shim_buffer),
|
||||
+ (void *) ((grub_addr_t) addr), context->header_size);
|
||||
+ /*
|
||||
+ * Copy the executable's sections to their desired offsets
|
||||
+ */
|
||||
+ section = context->first_section;
|
||||
+ for (i = 0; i < context->num_sections; i++, section++)
|
||||
+ {
|
||||
+ if (section->characteristics & 0x02000000)
|
||||
+ /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */
|
||||
+ continue;
|
||||
+
|
||||
+ sect_size = section->virtual_size;
|
||||
+
|
||||
+ if (sect_size > section->raw_data_size)
|
||||
+ sect_size = section->raw_data_size;
|
||||
+
|
||||
+ base = (grub_int8_t *)
|
||||
+ grub_shim_image_address (shim_buffer, context->image_size,
|
||||
+ section->virtual_address);
|
||||
+ end = (grub_int8_t *)
|
||||
+ grub_shim_image_address (shim_buffer, context->image_size,
|
||||
+ section->virtual_address
|
||||
+ + sect_size - 1);
|
||||
+ if (!base || !end)
|
||||
+ {
|
||||
+ grub_printf("Invalid section base\n");
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (section->virtual_address < context->header_size
|
||||
+ || section->raw_data_offset < context->header_size)
|
||||
+ {
|
||||
+ grub_printf("Section is inside image headers\n");
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (section->raw_data_size > 0)
|
||||
+ /* TODO: do we need the double cast? */
|
||||
+ grub_memcpy ((void *)base,
|
||||
+ (void *) (((grub_addr_t) addr)
|
||||
+ + section->raw_data_offset), sect_size);
|
||||
+
|
||||
+ if (sect_size < section->virtual_size)
|
||||
+ grub_memset ((void *)(base + sect_size), 0,
|
||||
+ section->virtual_size - sect_size);
|
||||
+ }
|
||||
+
|
||||
+ if (context->number_of_rva_and_sizes <= EFI_IMAGE_DIRECTORY_ENTRY_BASERELOC)
|
||||
+ {
|
||||
+ grub_printf("Image has no relocation entry\n");
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ if (context->reloc_dir->size)
|
||||
+ {
|
||||
+ status = grub_shim_relocate_coff (context, (void *) addr,
|
||||
+ (void *) shim_buffer);
|
||||
+ if (status != GRUB_ERR_NONE)
|
||||
+ {
|
||||
+ grub_printf("Relocation failed: [%u]\n", status);
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
+ shim_entry_point = (void *)grub_shim_image_address (shim_buffer,
|
||||
+ context->image_size,
|
||||
+ context->entry_point);
|
||||
+ if (!shim_entry_point)
|
||||
+ {
|
||||
+ grub_printf("Invalid entry point\n");
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ shim_used = 1;
|
||||
+ return GRUB_ERR_NONE;
|
||||
+fail:
|
||||
+ efi_call_2 (b->free_pages, shim_buffer, shim_pages);
|
||||
+ shim_buffer = 0;
|
||||
+ return status;
|
||||
+}
|
||||
|
||||
static grub_err_t
|
||||
grub_chainloader_unload (void)
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,98 @@
|
||||
From 5d5f5231b008fa5e6299a76f9ae92a6da035c4f0 Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:26:08 -0700
|
||||
Subject: [PATCH] efi: chainloader: use shim to load and verify an image
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
The grub chainloader module uses the UEFI LoadImage service
|
||||
to load a chainloaded binary. However, if such binary is not
|
||||
signed by the UEFI certification authority, LoadImage will fail.
|
||||
Under shim, we can use Machine-Owned Keys (MOKs) to verify an
|
||||
image. Thus, in case LoadImage fails due to a security violation
|
||||
we rely on the shim verification service. If successful, the
|
||||
image is parsed and loaded.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 49 ++++++++++++++++++++++++------
|
||||
1 file changed, 40 insertions(+), 9 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index d192e2d..121af25 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -761,6 +761,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
char *filename;
|
||||
void *boot_image = 0;
|
||||
grub_efi_handle_t dev_handle = 0;
|
||||
+ struct grub_shim_pe_coff_loader_image_context context;
|
||||
|
||||
if (argc == 0)
|
||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
|
||||
@@ -892,23 +893,53 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
if (status != GRUB_EFI_SUCCESS)
|
||||
{
|
||||
if (status == GRUB_EFI_OUT_OF_RESOURCES)
|
||||
- grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources");
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_OUT_OF_MEMORY, "out of resources");
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ /* try with shim */
|
||||
+ else if (status == GRUB_EFI_SECURITY_VIOLATION)
|
||||
+ {
|
||||
+ status = grub_shim_load_image (address, size, &context);
|
||||
+ if (status != GRUB_EFI_SUCCESS)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "shim cannot load image");
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
else
|
||||
- grub_error (GRUB_ERR_BAD_OS, "cannot load image");
|
||||
-
|
||||
- goto fail;
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "cannot load image");
|
||||
+ goto fail;
|
||||
+ }
|
||||
}
|
||||
|
||||
- /* LoadImage does not set a device handler when the image is
|
||||
- loaded from memory, so it is necessary to set it explicitly here.
|
||||
- This is a mess. */
|
||||
- loaded_image = grub_efi_get_loaded_image (image_handle);
|
||||
+ /* if we use shim, the UEFI load_image failed, thus, we borrow
|
||||
+ * grub_efi_image_handle and restore it later
|
||||
+ */
|
||||
+ if (shim_used)
|
||||
+ /* if we use shim, the UEFI load_image failed, thus, we borrow
|
||||
+ grub_efi_image_handle and restore it later */
|
||||
+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
|
||||
+ else
|
||||
+ /* LoadImage does not set a device handler when the image is
|
||||
+ loaded from memory, so it is necessary to set it explicitly here.
|
||||
+ This is a mess. */
|
||||
+ loaded_image = grub_efi_get_loaded_image (image_handle);
|
||||
+
|
||||
if (! loaded_image)
|
||||
{
|
||||
grub_error (GRUB_ERR_BAD_OS, "no loaded image available");
|
||||
goto fail;
|
||||
}
|
||||
- loaded_image->device_handle = dev_handle;
|
||||
+ if (shim_used)
|
||||
+ {
|
||||
+ grub_memcpy(&shim_li_bak, loaded_image, sizeof(shim_li_bak));
|
||||
+ loaded_image->image_base = (void *)shim_buffer;
|
||||
+ loaded_image->image_size = context.image_size;
|
||||
+ }
|
||||
+ else
|
||||
+ loaded_image->device_handle = dev_handle;
|
||||
|
||||
if (argc > 1)
|
||||
{
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,63 @@
|
||||
From 9645bb29a0ffb93c854cbeed175c62775ba38bb7 Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:29:13 -0700
|
||||
Subject: [PATCH] efi: chainloader: boot the image using shim
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
If the image was loaded using shim, boot the image. Given that
|
||||
shim loaded the image, the UEFI firmware will not know where to
|
||||
jump after the execution completes. Thus, replace the UEFI boot
|
||||
service Exit with our own implementation to make sure we jump
|
||||
to the instruction after the call to the entry point.
|
||||
|
||||
Replace the system Exit service when done.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 27 ++++++++++++++++++++++++++-
|
||||
1 file changed, 26 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index 121af25..adaf3c9 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -609,9 +609,34 @@ grub_chainloader_boot (void)
|
||||
grub_efi_status_t status;
|
||||
grub_efi_uintn_t exit_data_size;
|
||||
grub_efi_char16_t *exit_data = NULL;
|
||||
+ grub_efi_loaded_image_t *loaded_image = NULL;
|
||||
+ grub_efi_status_t
|
||||
+ (*saved_exit) (grub_efi_handle_t image_handle,
|
||||
+ grub_efi_status_t exit_status,
|
||||
+ grub_efi_uintn_t exit_data_size,
|
||||
+ grub_efi_char16_t *exit_data) __attribute__((noreturn));
|
||||
|
||||
b = grub_efi_system_table->boot_services;
|
||||
- status = efi_call_3 (b->start_image, image_handle, &exit_data_size, &exit_data);
|
||||
+
|
||||
+ if (!shim_used)
|
||||
+ status = efi_call_3 (b->start_image, image_handle, &exit_data_size, &exit_data);
|
||||
+ else
|
||||
+ {
|
||||
+ saved_exit = grub_efi_system_table->boot_services->exit;
|
||||
+ grub_efi_system_table->boot_services->exit = efi_shim_exit;
|
||||
+ status = efi_call_foo(shim_entry_point,
|
||||
+ (grub_efi_uint64_t)grub_efi_image_handle,
|
||||
+ (grub_efi_uint64_t)grub_efi_system_table);
|
||||
+ grub_efi_system_table->boot_services->exit = saved_exit;
|
||||
+
|
||||
+ loaded_image = grub_efi_get_loaded_image (grub_efi_image_handle);
|
||||
+ if (!loaded_image)
|
||||
+ /* TODO: this is serious, what to do? */
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "GRUB loaded image not found");
|
||||
+ else
|
||||
+ /* restore loaded image */
|
||||
+ grub_memcpy(loaded_image, &shim_li_bak, sizeof(shim_li_bak));
|
||||
+ }
|
||||
if (status != GRUB_EFI_SUCCESS)
|
||||
{
|
||||
if (exit_data)
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,43 @@
|
||||
From 416eaf86565248e11bfb4ef56b6d5a5e21a4541f Mon Sep 17 00:00:00 2001
|
||||
From: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
Date: Fri, 27 Mar 2015 08:31:27 -0700
|
||||
Subject: [PATCH] efi: chainloader: take care of unload undershim
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Under shim, we use a custom buffer to put the relocated image, make
|
||||
sure we free that memory when unloading.
|
||||
|
||||
Signed-off-by: Ricardo Neri <ricardo.neri-calderon@linux.intel.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index adaf3c9..285271d 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -590,8 +590,18 @@ grub_chainloader_unload (void)
|
||||
grub_efi_boot_services_t *b;
|
||||
|
||||
b = grub_efi_system_table->boot_services;
|
||||
- efi_call_1 (b->unload_image, image_handle);
|
||||
- efi_call_2 (b->free_pages, address, pages);
|
||||
+ if (!shim_used)
|
||||
+ {
|
||||
+ efi_call_1 (b->unload_image, image_handle);
|
||||
+ efi_call_2 (b->free_pages, address, pages);
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ if (shim_buffer)
|
||||
+ {
|
||||
+ efi_call_2 (b->free_pages, shim_buffer, shim_pages);
|
||||
+ }
|
||||
+ }
|
||||
|
||||
grub_free (file_path);
|
||||
grub_free (cmdline);
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,32 @@
|
||||
From d06de03facd9a330a2085450abeecb1b7e637f9c Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Sun, 24 Apr 2016 12:58:10 +0800
|
||||
Subject: [PATCH] chainloader: handle the unauthenticated image by shim
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
EFI_ACCESS_DENIED is another case whenever an unauthenticated image is loaded
|
||||
by UEFI LoadImage() boot service. Shim verification protocol should handle
|
||||
this case as EFI_SECURITY_VIOLATION.
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index 285271d..9ff4faf 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -933,7 +933,7 @@ grub_cmd_chainloader (grub_command_t cmd __attribute__ ((unused)),
|
||||
goto fail;
|
||||
}
|
||||
/* try with shim */
|
||||
- else if (status == GRUB_EFI_SECURITY_VIOLATION)
|
||||
+ else if ((status == GRUB_EFI_ACCESS_DENIED) || (status == GRUB_EFI_SECURITY_VIOLATION))
|
||||
{
|
||||
status = grub_shim_load_image (address, size, &context);
|
||||
if (status != GRUB_EFI_SUCCESS)
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,32 @@
|
||||
From 5b7c30a1d5f6a30b60cbed7cedc516a27dba36d9 Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Sun, 24 Apr 2016 15:56:38 +0800
|
||||
Subject: [PATCH] chainloader: Don't check empty section in file like .bss
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Because this kind of section always has a zeroed PointerToRawData denoting
|
||||
the offset to file and a valid VirtualSize denoting the real size in the
|
||||
memory.
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index 9ff4faf..f736bee 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -530,7 +530,7 @@ grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
}
|
||||
|
||||
if (section->virtual_address < context->header_size
|
||||
- || section->raw_data_offset < context->header_size)
|
||||
+ || (section->raw_data_offset && section->raw_data_offset < context->header_size))
|
||||
{
|
||||
grub_printf("Section is inside image headers\n");
|
||||
status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,223 @@
|
||||
From 3df0895087be6affb95db4f42239bc0160c16bfa Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Sun, 24 Apr 2016 19:02:28 +0800
|
||||
Subject: [PATCH] chainloader: find the relocations correctly
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Refer to a846aedd0e9dfe26ca6afaf6a1db8a54c20363c1 in shim.
|
||||
|
||||
Actually find the relocations correctly and process them that way
|
||||
in chainloader.
|
||||
|
||||
Find the relocations based on the *file* address in the old binary,
|
||||
because it's only the same as the virtual address some of the time.
|
||||
|
||||
Also perform some extra validation before processing it, and don't bail
|
||||
out in /error/ if both reloc_base and reloc_base_end are null - that
|
||||
condition is fine.
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
[lz: Adapt git log and do some whitespaces cleanups.]
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
grub-core/loader/efi/chainloader.c | 97 +++++++++++++++++++++++++-----
|
||||
1 file changed, 81 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/grub-core/loader/efi/chainloader.c b/grub-core/loader/efi/chainloader.c
|
||||
index f736bee..0979dc0 100644
|
||||
--- a/grub-core/loader/efi/chainloader.c
|
||||
+++ b/grub-core/loader/efi/chainloader.c
|
||||
@@ -166,6 +166,7 @@ grub_shim_image_address (grub_addr_t image, grub_uint32_t size, grub_uint32_t ad
|
||||
*/
|
||||
static grub_err_t
|
||||
grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
+ struct grub_pe32_section_table *section,
|
||||
void *orig, void *data)
|
||||
{
|
||||
struct grub_image_base_relocation *reloc_base, *reloc_base_end;
|
||||
@@ -177,19 +178,53 @@ grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
grub_efi_uint64_t *fixup64;
|
||||
grub_int32_t size = context->image_size;
|
||||
void *image_end = (char *)orig + size;
|
||||
+ int n = 0;
|
||||
|
||||
if (grub_shim_image_is_64_bit(context->pe_hdr))
|
||||
context->pe_hdr->pe32plus.opt_hdr.image_base = (grub_efi_uint64_t)(unsigned long)data;
|
||||
else
|
||||
context->pe_hdr->pe32.opt_hdr.image_base = (grub_efi_uint32_t)(unsigned long)data;
|
||||
|
||||
+
|
||||
+ /* Alright, so here's how this works:
|
||||
+ *
|
||||
+ * context->RelocDir gives us two things:
|
||||
+ * - the VA the table of base relocation blocks are (maybe) to be
|
||||
+ * mapped at (RelocDir->VirtualAddress)
|
||||
+ * - the virtual size (RelocDir->Size)
|
||||
+ *
|
||||
+ * The .reloc section (Section here) gives us some other things:
|
||||
+ * - the name! kind of. (Section->Name)
|
||||
+ * - the virtual size (Section->VirtualSize), which should be the same
|
||||
+ * as RelocDir->Size
|
||||
+ * - the virtual address (Section->VirtualAddress)
|
||||
+ * - the file section size (Section->SizeOfRawData), which is
|
||||
+ * a multiple of OptHdr->FileAlignment. Only useful for image
|
||||
+ * validation, not really useful for iteration bounds.
|
||||
+ * - the file address (Section->PointerToRawData)
|
||||
+ * - a bunch of stuff we don't use that's 0 in our binaries usually
|
||||
+ * - Flags (Section->Characteristics)
|
||||
+ *
|
||||
+ * and then the thing that's actually at the file address is an array
|
||||
+ * of EFI_IMAGE_BASE_RELOCATION structs with some values packed behind
|
||||
+ * them. The SizeOfBlock field of this structure includes the
|
||||
+ * structure itself, and adding it to that structure's address will
|
||||
+ * yield the next entry in the array.
|
||||
+ */
|
||||
reloc_base = (struct grub_image_base_relocation *)
|
||||
grub_shim_image_address ((grub_efi_uint64_t)orig, size,
|
||||
- context->reloc_dir->rva);
|
||||
+ section->raw_data_offset);
|
||||
+ /* reloc_base_end is the address of the first entry /past/ the
|
||||
+ * table. */
|
||||
reloc_base_end = (struct grub_image_base_relocation *)
|
||||
grub_shim_image_address ((grub_efi_uint64_t)orig, size,
|
||||
- context->reloc_dir->rva
|
||||
- + context->reloc_dir->size - 1);
|
||||
+ section->raw_data_offset
|
||||
+ + section->virtual_size - 1);
|
||||
+
|
||||
+ if (!reloc_base && !reloc_base_end)
|
||||
+ {
|
||||
+ return GRUB_EFI_SUCCESS;
|
||||
+ }
|
||||
|
||||
if (!reloc_base || !reloc_base_end)
|
||||
{
|
||||
@@ -210,7 +245,7 @@ grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
if ((reloc_base->block_size == 0)
|
||||
|| (reloc_base->block_size > context->reloc_dir->size))
|
||||
{
|
||||
- grub_printf("Reloc block size %d is invalid\n", reloc_base->block_size);
|
||||
+ grub_printf("Reloc %d block size %d is invalid\n", n, reloc_base->block_size);
|
||||
return GRUB_ERR_FILE_READ_ERROR;
|
||||
}
|
||||
|
||||
@@ -218,7 +253,7 @@ grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
((grub_uint8_t *) reloc_base + reloc_base->block_size);
|
||||
if ((void *)reloc_end < orig || (void *)reloc_end > image_end)
|
||||
{
|
||||
- grub_printf("Reloc entry overflows binary\n");
|
||||
+ grub_printf("Reloc %d entry overflows binary\n", n);
|
||||
return GRUB_ERR_FILE_READ_ERROR;
|
||||
}
|
||||
|
||||
@@ -228,7 +263,7 @@ grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
reloc_base->virtual_address);
|
||||
if (!fixup_base)
|
||||
{
|
||||
- grub_printf("Invalid fixup_base\n");
|
||||
+ grub_printf("Reloc %d invalid fixup_base\n", n);
|
||||
return GRUB_ERR_FILE_READ_ERROR;
|
||||
}
|
||||
|
||||
@@ -286,12 +321,13 @@ grub_shim_relocate_coff (struct grub_shim_pe_coff_loader_image_context *context,
|
||||
break;
|
||||
|
||||
default:
|
||||
- grub_printf("Unknown relocation\n");
|
||||
+ grub_printf("Reloc %d unknown relocation\n", n);
|
||||
return GRUB_ERR_FILE_READ_ERROR;
|
||||
}
|
||||
reloc += 1;
|
||||
}
|
||||
reloc_base = (struct grub_image_base_relocation *) reloc_end;
|
||||
+ n++;
|
||||
}
|
||||
|
||||
return GRUB_EFI_SUCCESS;
|
||||
@@ -462,9 +498,9 @@ grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
grub_efi_status_t efi_status;
|
||||
grub_uint32_t sect_size;
|
||||
/* TODO: can they be unsigned? */
|
||||
- grub_int8_t *base, *end;
|
||||
+ grub_int8_t *base, *end, *reloc_base, *reloc_base_end;
|
||||
grub_int32_t i;
|
||||
- struct grub_pe32_section_table *section;
|
||||
+ struct grub_pe32_section_table *section, *reloc_section;
|
||||
grub_efi_boot_services_t *b;
|
||||
|
||||
shim_used = 0;
|
||||
@@ -500,16 +536,21 @@ grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
/* TODO: do we need the double cast? */
|
||||
grub_memcpy ((void *) ((grub_efi_physical_address_t) shim_buffer),
|
||||
(void *) ((grub_addr_t) addr), context->header_size);
|
||||
+
|
||||
+ reloc_base = (grub_int8_t *) grub_shim_image_address (shim_buffer, size,
|
||||
+ context->reloc_dir->rva);
|
||||
+ /* reloc_base_end here is the address of the last byte of the table */
|
||||
+ reloc_base_end = (grub_int8_t *) grub_shim_image_address (shim_buffer, size,
|
||||
+ context->reloc_dir->rva +
|
||||
+ context->reloc_dir->size - 1);
|
||||
+ reloc_section = NULL;
|
||||
+
|
||||
/*
|
||||
* Copy the executable's sections to their desired offsets
|
||||
*/
|
||||
section = context->first_section;
|
||||
for (i = 0; i < context->num_sections; i++, section++)
|
||||
{
|
||||
- if (section->characteristics & 0x02000000)
|
||||
- /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */
|
||||
- continue;
|
||||
-
|
||||
sect_size = section->virtual_size;
|
||||
|
||||
if (sect_size > section->raw_data_size)
|
||||
@@ -522,6 +563,30 @@ grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
grub_shim_image_address (shim_buffer, context->image_size,
|
||||
section->virtual_address
|
||||
+ sect_size - 1);
|
||||
+
|
||||
+ /* We do want to process .reloc, but it's often marked
|
||||
+ * discardable, so we don't want to memcpy it. */
|
||||
+ if (grub_memcmp (section->name, ".reloc\0\0", 8) == 0) {
|
||||
+ if (reloc_section) {
|
||||
+ grub_printf("Image has multiple relocation sections\n");
|
||||
+ status = GRUB_ERR_BAD_FILE_TYPE;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ /* If it has nonzero sizes, and our bounds check
|
||||
+ * made sense, and the VA and size match RelocDir's
|
||||
+ * versions, then we believe in this section table. */
|
||||
+ if (section->raw_data_size && section->virtual_size &&
|
||||
+ base && end &&
|
||||
+ reloc_base == base &&
|
||||
+ reloc_base_end == end) {
|
||||
+ reloc_section = section;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (section->characteristics & 0x02000000)
|
||||
+ /* section has EFI_IMAGE_SCN_MEM_DISCARDABLE attr set */
|
||||
+ continue;
|
||||
+
|
||||
if (!base || !end)
|
||||
{
|
||||
grub_printf("Invalid section base\n");
|
||||
@@ -555,10 +620,10 @@ grub_shim_load_image(grub_addr_t addr, grub_ssize_t size,
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- if (context->reloc_dir->size)
|
||||
+ if (context->reloc_dir->size && reloc_section)
|
||||
{
|
||||
- status = grub_shim_relocate_coff (context, (void *) addr,
|
||||
- (void *) shim_buffer);
|
||||
+ status = grub_shim_relocate_coff (context, reloc_section,
|
||||
+ (void *) addr, (void *) shim_buffer);
|
||||
if (status != GRUB_ERR_NONE)
|
||||
{
|
||||
grub_printf("Relocation failed: [%u]\n", status);
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,282 @@
|
||||
From a9bccd374d23f67d2c3604f7c069be40ec996f9f Mon Sep 17 00:00:00 2001
|
||||
From: Lans Zhang <jia.zhang@windriver.com>
|
||||
Date: Thu, 22 Jun 2017 15:22:01 +0800
|
||||
Subject: [PATCH] Add a module for reading EFI global variables
|
||||
|
||||
Add functions to read EFI global variables.
|
||||
|
||||
Signed-off-by: Lans Zhang <jia.zhang@windriver.com>
|
||||
[lz: Add git log.]
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
grub-core/Makefile.core.def | 8 ++
|
||||
grub-core/commands/efi/efivar.c | 238 ++++++++++++++++++++++++++++++++
|
||||
2 files changed, 246 insertions(+)
|
||||
create mode 100644 grub-core/commands/efi/efivar.c
|
||||
|
||||
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
|
||||
index 8022e1c..f8fad6e 100644
|
||||
--- a/grub-core/Makefile.core.def
|
||||
+++ b/grub-core/Makefile.core.def
|
||||
@@ -761,6 +761,14 @@ module = {
|
||||
enable = i386_multiboot;
|
||||
};
|
||||
|
||||
+module = {
|
||||
+ name = efivar;
|
||||
+
|
||||
+ common = commands/efi/efivar.c;
|
||||
+
|
||||
+ enable = efi;
|
||||
+};
|
||||
+
|
||||
module = {
|
||||
name = lsacpi;
|
||||
|
||||
diff --git a/grub-core/commands/efi/efivar.c b/grub-core/commands/efi/efivar.c
|
||||
new file mode 100644
|
||||
index 0000000..bb9aed3
|
||||
--- /dev/null
|
||||
+++ b/grub-core/commands/efi/efivar.c
|
||||
@@ -0,0 +1,238 @@
|
||||
+/* efivar.c - Read EFI global variables. */
|
||||
+/*
|
||||
+ * GRUB -- GRand Unified Bootloader
|
||||
+ * Copyright (C) 2015 Free Software Foundation, Inc.
|
||||
+ * Copyright (C) 2015 CloudFlare, Inc.
|
||||
+ *
|
||||
+ * GRUB is free software: you can redistribute it and/or modify
|
||||
+ * it under the terms of the GNU General Public License as published by
|
||||
+ * the Free Software Foundation, either version 3 of the License, or
|
||||
+ * (at your option) any later version.
|
||||
+ *
|
||||
+ * GRUB is distributed in the hope that it will be useful,
|
||||
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
+ * GNU General Public License for more details.
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License
|
||||
+ * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||
+ */
|
||||
+
|
||||
+#include <grub/types.h>
|
||||
+#include <grub/mm.h>
|
||||
+#include <grub/misc.h>
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/extcmd.h>
|
||||
+#include <grub/env.h>
|
||||
+#include <grub/lib/hexdump.h>
|
||||
+
|
||||
+GRUB_MOD_LICENSE ("GPLv3+");
|
||||
+
|
||||
+static const struct grub_arg_option options[] = {
|
||||
+ {"format", 'f', GRUB_ARG_OPTION_OPTIONAL, N_("Parse EFI_VAR in specific format (hex, uint8, ascii, dump). Default: hex."), N_("FORMAT"), ARG_TYPE_STRING},
|
||||
+ {"set", 's', GRUB_ARG_OPTION_OPTIONAL, N_("Save parsed result to environment variable (does not work with dump)."), N_("ENV_VAR"), ARG_TYPE_STRING},
|
||||
+ {0, 0, 0, 0, 0, 0}
|
||||
+};
|
||||
+
|
||||
+enum efi_var_type
|
||||
+ {
|
||||
+ EFI_VAR_ASCII = 0,
|
||||
+ EFI_VAR_UINT8,
|
||||
+ EFI_VAR_HEX,
|
||||
+ EFI_VAR_DUMP,
|
||||
+ EFI_VAR_INVALID = -1
|
||||
+ };
|
||||
+
|
||||
+static enum efi_var_type
|
||||
+parse_efi_var_type (const char *type)
|
||||
+{
|
||||
+ if (!grub_strncmp (type, "ascii", sizeof("ascii")))
|
||||
+ return EFI_VAR_ASCII;
|
||||
+
|
||||
+ if (!grub_strncmp (type, "uint8", sizeof("uint8")))
|
||||
+ return EFI_VAR_UINT8;
|
||||
+
|
||||
+ if (!grub_strncmp (type, "hex", sizeof("hex")))
|
||||
+ return EFI_VAR_HEX;
|
||||
+
|
||||
+ if (!grub_strncmp (type, "dump", sizeof("dump")))
|
||||
+ return EFI_VAR_DUMP;
|
||||
+
|
||||
+ return EFI_VAR_INVALID;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+grub_print_ascii (char *str, char c)
|
||||
+{
|
||||
+ if (grub_iscntrl (c))
|
||||
+ {
|
||||
+ switch (c)
|
||||
+ {
|
||||
+ case '\0':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = '0';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\a':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'a';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\b':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'b';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\f':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'f';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\n':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'n';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\r':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'r';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\t':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 't';
|
||||
+ return 2;
|
||||
+
|
||||
+ case '\v':
|
||||
+ str[0] = '\\';
|
||||
+ str[1] = 'v';
|
||||
+ return 2;
|
||||
+
|
||||
+ default:
|
||||
+ str[0] = '.'; /* as in hexdump -C */
|
||||
+ return 1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ str[0] = c;
|
||||
+ return 1;
|
||||
+}
|
||||
+
|
||||
+static grub_err_t
|
||||
+grub_cmd_get_efi_var (struct grub_extcmd_context *ctxt,
|
||||
+ int argc, char **args)
|
||||
+{
|
||||
+ struct grub_arg_list *state = ctxt->state;
|
||||
+ grub_err_t status;
|
||||
+ void *efi_var = NULL;
|
||||
+ grub_size_t efi_var_size = 0;
|
||||
+ enum efi_var_type efi_type = EFI_VAR_HEX;
|
||||
+ grub_efi_guid_t global = GRUB_EFI_GLOBAL_VARIABLE_GUID;
|
||||
+ char *env_var = NULL;
|
||||
+ grub_size_t i;
|
||||
+ char *ptr;
|
||||
+
|
||||
+ if (1 != argc)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("one argument expected"));
|
||||
+
|
||||
+ if (state[0].set)
|
||||
+ efi_type = parse_efi_var_type (state[0].arg);
|
||||
+
|
||||
+ if (EFI_VAR_INVALID == efi_type)
|
||||
+ return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("invalid format specifier"));
|
||||
+
|
||||
+ grub_efi_get_variable (args[0], &global, &efi_var_size, &efi_var);
|
||||
+ if (!efi_var || !efi_var_size)
|
||||
+ {
|
||||
+ status = grub_error (GRUB_ERR_READ_ERROR, N_("cannot read variable"));
|
||||
+ goto err;
|
||||
+ }
|
||||
+
|
||||
+ switch (efi_type)
|
||||
+ {
|
||||
+ case EFI_VAR_ASCII:
|
||||
+ env_var = grub_malloc (efi_var_size * 2 + 1);
|
||||
+ if (!env_var)
|
||||
+ {
|
||||
+ status = grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ ptr = env_var;
|
||||
+
|
||||
+ for (i = 0; i < efi_var_size; i++)
|
||||
+ ptr += grub_print_ascii (ptr, ((const char *)efi_var)[i]);
|
||||
+ *ptr = '\0';
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_VAR_UINT8:
|
||||
+ env_var = grub_malloc (4);
|
||||
+ if (!env_var)
|
||||
+ {
|
||||
+ status = grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
|
||||
+ break;
|
||||
+ }
|
||||
+ grub_snprintf (env_var, 4, "%u", *((grub_uint8_t *)efi_var));
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_VAR_HEX:
|
||||
+ env_var = grub_malloc (efi_var_size * 2 + 1);
|
||||
+ if (!env_var)
|
||||
+ {
|
||||
+ status = grub_error (GRUB_ERR_OUT_OF_MEMORY, N_("out of memory"));
|
||||
+ break;
|
||||
+ }
|
||||
+ for (i = 0; i < efi_var_size; i++)
|
||||
+ grub_snprintf (env_var + (i * 2), 3, "%02x", ((grub_uint8_t *)efi_var)[i]);
|
||||
+ break;
|
||||
+
|
||||
+ case EFI_VAR_DUMP:
|
||||
+ if (state[1].set)
|
||||
+ status = grub_error (GRUB_ERR_BAD_ARGUMENT, N_("cannot set variable with dump format specifier"));
|
||||
+ else
|
||||
+ {
|
||||
+ hexdump (0, (char *)efi_var, efi_var_size);
|
||||
+ status = GRUB_ERR_NONE;
|
||||
+ }
|
||||
+ break;
|
||||
+
|
||||
+ default:
|
||||
+ status = grub_error (GRUB_ERR_BUG, N_("should not happen (bug in module?)"));
|
||||
+ }
|
||||
+
|
||||
+ if (efi_type != EFI_VAR_DUMP)
|
||||
+ {
|
||||
+ if (state[1].set)
|
||||
+ status = grub_env_set (state[1].arg, env_var);
|
||||
+ else
|
||||
+ {
|
||||
+ grub_printf ("%s\n", (const char *)env_var);
|
||||
+ status = GRUB_ERR_NONE;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+err:
|
||||
+
|
||||
+ if (env_var)
|
||||
+ grub_free (env_var);
|
||||
+
|
||||
+ if (efi_var)
|
||||
+ grub_free (efi_var);
|
||||
+
|
||||
+ return status;
|
||||
+}
|
||||
+
|
||||
+static grub_extcmd_t cmd = NULL;
|
||||
+
|
||||
+GRUB_MOD_INIT (efivar)
|
||||
+{
|
||||
+ cmd = grub_register_extcmd ("get_efivar", grub_cmd_get_efi_var, 0, N_("[-f FORMAT] [-s ENV_VAR] EFI_VAR"),
|
||||
+ N_("Read EFI variable and print it or save its contents to environment variable."), options);
|
||||
+}
|
||||
+
|
||||
+GRUB_MOD_FINI (efivar)
|
||||
+{
|
||||
+ if (cmd)
|
||||
+ grub_unregister_extcmd (cmd);
|
||||
+}
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,69 @@
|
||||
From 038c21e7a7609340734d044482f24fee7f9f7a8f Mon Sep 17 00:00:00 2001
|
||||
From: Jason Wessel <jason.wessel@windriver.com>
|
||||
Date: Thu, 17 Oct 2019 12:35:01 -0700
|
||||
Subject: [PATCH] grub shim verify: Report that the loaded object is verified
|
||||
|
||||
When check_signatures is set to enforcing, the signatures of the
|
||||
loaded files have been checked, so the shim service should be informed
|
||||
that it is ok to execute the loaded file.
|
||||
|
||||
Upstream-Status: Inappropriate
|
||||
|
||||
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
||||
---
|
||||
grub-core/loader/i386/linux.c | 25 +++++++++++++++++++++++++
|
||||
1 file changed, 25 insertions(+)
|
||||
|
||||
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
|
||||
index 747cfe0..87469e7 100644
|
||||
--- a/grub-core/loader/i386/linux.c
|
||||
+++ b/grub-core/loader/i386/linux.c
|
||||
@@ -21,6 +21,10 @@
|
||||
#include <grub/normal.h>
|
||||
#include <grub/file.h>
|
||||
#include <grub/disk.h>
|
||||
+#include <grub/efi/api.h>
|
||||
+#include <grub/efi/efi.h>
|
||||
+#include <grub/efi/disk.h>
|
||||
+#include <grub/efi/shim.h>
|
||||
#include <grub/err.h>
|
||||
#include <grub/misc.h>
|
||||
#include <grub/types.h>
|
||||
@@ -647,6 +651,23 @@ grub_linux_unload (void)
|
||||
return GRUB_ERR_NONE;
|
||||
}
|
||||
|
||||
+static grub_efi_guid_t grub_shim_protocol_guid = GRUB_EFI_SHIM_PROTOCOL_GUID;
|
||||
+
|
||||
+static grub_efi_status_t
|
||||
+grub_shim_verify (grub_addr_t addr, grub_ssize_t size)
|
||||
+{
|
||||
+ struct grub_shim_lock *shim_lock;
|
||||
+ shim_lock = grub_efi_locate_protocol (&grub_shim_protocol_guid, 0);
|
||||
+ if (!shim_lock)
|
||||
+ {
|
||||
+ grub_error (GRUB_ERR_BAD_OS, "could not load shim protocol");
|
||||
+ return GRUB_EFI_UNSUPPORTED;
|
||||
+ }
|
||||
+
|
||||
+ shim_lock->verify((void *) addr, size);
|
||||
+ return GRUB_ERR_NONE;
|
||||
+}
|
||||
+
|
||||
static grub_err_t
|
||||
grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||
int argc, char *argv[])
|
||||
@@ -680,6 +701,10 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
|
||||
argv[0]);
|
||||
goto fail;
|
||||
}
|
||||
+ const char *ge_val = grub_env_get ("check_signatures");
|
||||
+ if (ge_val && (ge_val[0] == '1' || ge_val[0] == 'e'))
|
||||
+ /* Verify was handled by .sig files, inform shim */
|
||||
+ grub_shim_verify((grub_addr_t)&lh, sizeof(lh));
|
||||
|
||||
if (lh.boot_flag != grub_cpu_to_le16_compile_time (0xaa55))
|
||||
{
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,111 @@
|
||||
From aacf59cc01555c645e5594c0cdaa0e6735921e80 Mon Sep 17 00:00:00 2001
|
||||
From: Jason Wessel <jason.wessel@windriver.com>
|
||||
Date: Thu, 17 Oct 2019 12:35:01 -0700
|
||||
Subject: [PATCH] grub verify: Add strict_security variable
|
||||
|
||||
With strict_security set to 1, it is impossible to change the value of
|
||||
check_signatures. It will also cause grub to reboot instead of
|
||||
allowing a rescue or grub shell, which could allow an end user to
|
||||
alter boot arguments or load some other binary.
|
||||
|
||||
Upstream-Status: Pending
|
||||
|
||||
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
|
||||
---
|
||||
grub-core/commands/pgp.c | 16 +++++++++++++++-
|
||||
grub-core/kern/main.c | 9 +++++++++
|
||||
grub-core/normal/main.c | 7 +++++--
|
||||
3 files changed, 29 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/grub-core/commands/pgp.c b/grub-core/commands/pgp.c
|
||||
index e60a29a..578ad18 100644
|
||||
--- a/grub-core/commands/pgp.c
|
||||
+++ b/grub-core/commands/pgp.c
|
||||
@@ -864,6 +864,7 @@ grub_cmd_verify_signature (grub_extcmd_context_t ctxt,
|
||||
}
|
||||
|
||||
static int sec = 0;
|
||||
+static int strict_sec = 0;
|
||||
|
||||
static grub_err_t
|
||||
grub_pubkey_init (grub_file_t io, enum grub_file_type type __attribute__ ((unused)),
|
||||
@@ -930,10 +931,21 @@ static char *
|
||||
grub_env_write_sec (struct grub_env_var *var __attribute__ ((unused)),
|
||||
const char *val)
|
||||
{
|
||||
- sec = (*val == '1') || (*val == 'e');
|
||||
+ if (!strict_sec)
|
||||
+ sec = (*val == '1') || (*val == 'e');
|
||||
return grub_strdup (sec ? "enforce" : "no");
|
||||
}
|
||||
|
||||
+static char *
|
||||
+grub_env_write_strict_sec (struct grub_env_var *var __attribute__ ((unused)),
|
||||
+ const char *val)
|
||||
+{
|
||||
+ /* once it is set, it is a one way transition */
|
||||
+ if (!strict_sec)
|
||||
+ strict_sec = (*val == '1') || (*val == 'e');
|
||||
+ return grub_strdup (strict_sec ? "enforce" : "no");
|
||||
+}
|
||||
+
|
||||
static grub_ssize_t
|
||||
pseudo_read (struct grub_file *file, char *buf, grub_size_t len)
|
||||
{
|
||||
@@ -973,7 +985,9 @@ GRUB_MOD_INIT(pgp)
|
||||
sec = 0;
|
||||
|
||||
grub_register_variable_hook ("check_signatures", 0, grub_env_write_sec);
|
||||
+ grub_register_variable_hook ("strict_security", 0, grub_env_write_strict_sec);
|
||||
grub_env_export ("check_signatures");
|
||||
+ grub_env_export ("strict_security");
|
||||
|
||||
grub_pk_trusted = 0;
|
||||
FOR_MODULES (header)
|
||||
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
|
||||
index 73967e2..86e7f35 100644
|
||||
--- a/grub-core/kern/main.c
|
||||
+++ b/grub-core/kern/main.c
|
||||
@@ -30,6 +30,7 @@
|
||||
#include <grub/reader.h>
|
||||
#include <grub/parser.h>
|
||||
#include <grub/verify.h>
|
||||
+#include <grub/time.h>
|
||||
|
||||
#ifdef GRUB_MACHINE_PCBIOS
|
||||
#include <grub/machine/memory.h>
|
||||
@@ -312,5 +313,13 @@ grub_main (void)
|
||||
grub_boot_time ("After execution of embedded config. Attempt to go to normal mode");
|
||||
|
||||
grub_load_normal_mode ();
|
||||
+ const char *val = grub_env_get ("strict_security");
|
||||
+ if (val && (val[0] == '1' || val[0] == 'e'))
|
||||
+ while (1) {
|
||||
+ grub_printf("Boot configuration error - Attempting reboot\n");
|
||||
+ grub_sleep(3);
|
||||
+ grub_dl_load ("reboot");
|
||||
+ grub_command_execute ("reboot", 0, 0);
|
||||
+ }
|
||||
grub_rescue_run ();
|
||||
}
|
||||
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
|
||||
index c4ebe9e..2c3f4f8 100644
|
||||
--- a/grub-core/normal/main.c
|
||||
+++ b/grub-core/normal/main.c
|
||||
@@ -302,8 +302,11 @@ grub_enter_normal_mode (const char *config)
|
||||
grub_boot_time ("Entering normal mode");
|
||||
nested_level++;
|
||||
grub_normal_execute (config, 0, 0);
|
||||
- grub_boot_time ("Entering shell");
|
||||
- grub_cmdline_run (0, 1);
|
||||
+ const char *val = grub_env_get ("strict_security");
|
||||
+ if (!(val && (val[0] == '1' || val[0] == 'e'))) {
|
||||
+ grub_boot_time ("Entering shell");
|
||||
+ grub_cmdline_run (0, 1);
|
||||
+ }
|
||||
nested_level--;
|
||||
if (grub_normal_exit_level)
|
||||
grub_normal_exit_level--;
|
||||
--
|
||||
2.17.1
|
||||
|
@ -0,0 +1,48 @@
|
||||
From 7ed6b7cbdc5f0721a7f6e89e601ad1b8c2cff267 Mon Sep 17 00:00:00 2001
|
||||
From: Yi Zhao <yi.zhao@windriver.com>
|
||||
Date: Wed, 7 Apr 2021 11:00:37 +0800
|
||||
Subject: [PATCH] Disable inside lockdown and shim_lock verifiers
|
||||
|
||||
The lockdown support[1] and secure boot detection[2] have been added to
|
||||
grub 2.06. These verifiers are registered when UEFI Secure Boot is
|
||||
enabled. Unfortunately, they conflict with the current MOK2 Verify
|
||||
mechanism. So disable them when enable SELoader.
|
||||
|
||||
Fixes grub error:
|
||||
error: failed to verify kernel /bzImage
|
||||
|
||||
[1] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=578c95298bcc46e0296f4c786db64c2ff26ce2cc
|
||||
[2] http://git.savannah.gnu.org/cgit/grub.git/commit/?id=d7e54b2e5feee95d2f83058ed30d883c450d1473
|
||||
|
||||
Upstream-Status: Inappropriate [embedded specific]
|
||||
|
||||
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
|
||||
[lz: Adapt git log.]
|
||||
Signed-off-by: Li Zhou <li.zhou@windriver.com>
|
||||
---
|
||||
grub-core/kern/efi/init.c | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/grub-core/kern/efi/init.c b/grub-core/kern/efi/init.c
|
||||
index 4a88397..e512a8e 100644
|
||||
--- a/grub-core/kern/efi/init.c
|
||||
+++ b/grub-core/kern/efi/init.c
|
||||
@@ -159,6 +159,7 @@ grub_efi_init (void)
|
||||
/* Initialize the memory management system. */
|
||||
grub_efi_mm_init ();
|
||||
|
||||
+#if 0
|
||||
/*
|
||||
* Lockdown the GRUB and register the shim_lock verifier
|
||||
* if the UEFI Secure Boot is enabled.
|
||||
@@ -168,6 +169,7 @@ grub_efi_init (void)
|
||||
grub_lockdown ();
|
||||
grub_shim_lock_verifier_setup ();
|
||||
}
|
||||
+#endif
|
||||
|
||||
efi_call_4 (grub_efi_system_table->boot_services->set_watchdog_timer,
|
||||
0, 0, 0, NULL);
|
||||
--
|
||||
2.17.1
|
||||
|
19
grub/grub-efi/debian/patches/series
Normal file
19
grub/grub-efi/debian/patches/series
Normal file
@ -0,0 +1,19 @@
|
||||
0001-grub2-add-tboot.patch
|
||||
0002-grub2-checking-if-loop-devices-are-available.patch
|
||||
0003-Make-UEFI-watchdog-behaviour-configurable.patch
|
||||
0004-correct-grub_errno.patch
|
||||
0005-grub-verify-Add-skip_check_cfg-variable.patch
|
||||
0006-pe32.h-add-header-structures-for-TE-and-DOS-executab.patch
|
||||
0007-shim-add-needed-data-structures.patch
|
||||
0008-efi-chainloader-implement-an-UEFI-Exit-service.patch
|
||||
0009-efi-chainloader-port-shim-to-grub.patch
|
||||
0010-efi-chainloader-use-shim-to-load-and-verify-an-image.patch
|
||||
0011-efi-chainloader-boot-the-image-using-shim.patch
|
||||
0012-efi-chainloader-take-care-of-unload-undershim.patch
|
||||
0013-chainloader-handle-the-unauthenticated-image-by-shim.patch
|
||||
0014-chainloader-Don-t-check-empty-section-in-file-like-..patch
|
||||
0015-chainloader-find-the-relocations-correctly.patch
|
||||
0016-Add-a-module-for-reading-EFI-global-variables.patch
|
||||
0017-grub-shim-verify-Report-that-the-loaded-object-is-ve.patch
|
||||
0018-grub-verify-Add-strict_security-variable.patch
|
||||
0019-Disable-inside-lockdown-and-shim_lock-verifiers.patch
|
Loading…
x
Reference in New Issue
Block a user