Commit 772d1fad authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra

Import Debian changes 2.04-17parrot1

grub2 (2.04-17parrot1) rolling; urgency=medium
.
  * Import new Debian release.
.
grub2 (2.04-17) unstable; urgency=medium
.
  * Pass --sbat when building the d-i netboot image as well.
  * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
    #984488, #985374).
parent 6b70d7c8
# see git-dpm(1) from git-dpm package
9cd32c57605b7ad713e108e0b98ebd504caa532e
9cd32c57605b7ad713e108e0b98ebd504caa532e
3d246c561a2c6aa18b78eae69e5100a2347dc7aa
3d246c561a2c6aa18b78eae69e5100a2347dc7aa
578bb115fbd47e1c464696f1f8d6183e5443975d
578bb115fbd47e1c464696f1f8d6183e5443975d
grub2_2.04.orig.tar.xz
......@@ -224,6 +224,8 @@ NET_MODULES="$CD_MODULES
"$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
-m "$workdir/memdisk-netboot.fat" \
-p "/${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
-p "/${efi_vendor}-installer/$deb_arch/grub" \
--sbat "$sbat_csv" \
$NET_MODULES
exit 0
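Review bot: The new `--sbat "$sbat_csv"` argument is passed without any check that `sbat_csv` is set and names a readable file; the variable is defined outside this hunk, so if the earlier part of the script does not already validate it, an unset value reaches grub-mkimage as an empty path and the netboot-installer build fails only at this late step with grub-mkimage's own message. A guard just before the invocation, `test -r "$sbat_csv" || { echo "SBAT CSV not found: $sbat_csv" >&2; exit 1; }`, would make the failure explicit and keep the d-i image in line with the other images that presumably use the same variable. The hunk counts (6 old, 8 new lines) do not match the lines shown, so a blank context line appears to have been lost in rendering; the code itself is unaffected.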
grub2 (2.04-17parrot1) rolling; urgency=medium
* Import new Debian release.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Wed, 28 Apr 2021 22:13:38 +0200
grub2 (2.04-17) unstable; urgency=medium
* Pass --sbat when building the d-i netboot image as well.
* i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
#984488, #985374).
-- Colin Watson <cjwatson@debian.org> Fri, 19 Mar 2021 10:41:41 +0000
grub2 (2.04-16parrot1) rolling; urgency=medium
* Import new Debian release.
......@@ -2,8 +2,7 @@ Source: grub2
Section: admin
Priority: optional
XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Maintainer: Parrot Dev Team <team@parrotsec.org>
Uploaders: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Maintainer: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Build-Depends: debhelper-compat (= 10),
patchutils,
python3,
......@@ -6,3 +6,7 @@ patch-numbers = False
[dch]
multimaint-merge = True
[import-dsc]
debian-branch = debian
debian-tag = debian/%(version)s
From 3d246c561a2c6aa18b78eae69e5100a2347dc7aa Mon Sep 17 00:00:00 2001
From: Michael Chang <mchang@suse.com>
Date: Thu, 18 Mar 2021 19:30:26 +0800
Subject: i386-pc: build verifiers API as module
Given no core functions on i386-pc would require verifiers to work and
the only consumer of the verifier API is the pgp module, it looks good
to me that we can move the verifiers out of the kernel image and let
moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
This helps to reduce the size of core image and thus can relax the
tension of exploding on some i386-pc system with very short MBR gap
size. See also a very comprehensive summary from Colin [1] about the
details.
[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
V2:
Drop COND_NOT_i386_pc and use !COND_i386_pc.
Add comment in kern/verifiers.c to help understanding what's going on
without digging into the commit history.
Reported-by: Colin Watson <cjwatson@debian.org>
Reviewed-by: Colin Watson <cjwatson@debian.org>
Signed-off-by: Michael Chang <mchang@suse.com>
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
Bug-Debian: https://bugs.debian.org/984488
Bug-Debian: https://bugs.debian.org/985374
Last-Update: 2021-03-18
Patch-Name: pc-verifiers-module.patch
---
grub-core/Makefile.am | 2 ++
grub-core/Makefile.core.def | 8 +++++++-
grub-core/kern/main.c | 4 ++++
grub-core/kern/verifiers.c | 17 +++++++++++++++++
include/grub/verify.h | 9 +++++++++
5 files changed, 39 insertions(+), 1 deletion(-)
diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
index 5308caa7b..4900265a4 100644
--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
@@ -92,7 +92,9 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+if !COND_i386_pc
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+endif
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 248835aca..43b3da725 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -141,7 +141,7 @@ kernel = {
common = kern/rescue_parser.c;
common = kern/rescue_reader.c;
common = kern/term.c;
- common = kern/verifiers.c;
+ nopc = kern/verifiers.c;
noemu = kern/compiler-rt.c;
noemu = kern/mm.c;
@@ -951,6 +951,12 @@ module = {
enable = x86_64_efi;
};
+module = {
+ name = verifiers;
+ common = kern/verifiers.c;
+ enable = i386_pc;
+};
+
module = {
name = hdparm;
common = commands/hdparm.c;
diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
index 2879d644a..c6fb66853 100644
--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
@@ -29,7 +29,9 @@
#include <grub/command.h>
#include <grub/reader.h>
#include <grub/parser.h>
+#ifndef GRUB_MACHINE_PCBIOS
#include <grub/verify.h>
+#endif
#ifdef GRUB_MACHINE_PCBIOS
#include <grub/machine/memory.h>
@@ -285,8 +287,10 @@ grub_main (void)
grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
#endif
+#ifndef GRUB_MACHINE_PCBIOS
/* Init verifiers API. */
grub_verifiers_init ();
+#endif
grub_load_config ();
diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
index aa3dc7c64..58dbe152a 100644
--- a/grub-core/kern/verifiers.c
+++ b/grub-core/kern/verifiers.c
@@ -217,8 +217,25 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
return GRUB_ERR_NONE;
}
+/*
+ * It is intended to build verifiers as module on i386-pc platform to minimize
+ * the impact of growing core image size could blow up the 63 sectors limit of
+ * some MBR gap one day. It is also adequate to do so, given no core function
+ * on i386-pc would require the verifiers API to work.
+ */
+#ifdef GRUB_MACHINE_PCBIOS
+GRUB_MOD_INIT(verifiers)
+#else
void
grub_verifiers_init (void)
+#endif
{
grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
}
+
+#ifdef GRUB_MACHINE_PCBIOS
+GRUB_MOD_FINI(verifiers)
+{
+ grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+}
+#endif
diff --git a/include/grub/verify.h b/include/grub/verify.h
index cd129c398..6fde244fc 100644
--- a/include/grub/verify.h
+++ b/include/grub/verify.h
@@ -64,10 +64,14 @@ struct grub_file_verifier
grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
};
+#ifdef GRUB_MACHINE_PCBIOS
+extern struct grub_file_verifier *grub_file_verifiers;
+#else
extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
extern void
grub_verifiers_init (void);
+#endif
static inline void
grub_verifier_register (struct grub_file_verifier *ver)
@@ -81,7 +85,12 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
grub_list_remove (GRUB_AS_LIST (ver));
}
+#ifdef GRUB_MACHINE_PCBIOS
+grub_err_t
+grub_verify_string (char *str, enum grub_verify_string_type type);
+#else
extern grub_err_t
EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+#endif
#endif /* ! GRUB_VERIFY_HEADER */
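Review bot: The verify.h hunks (`@@ -64,10 +64,14 @@` and `@@ -81,7 +85,12 @@`) turn `grub_file_verifiers` and `grub_verify_string` into non-exported declarations on GRUB_MACHINE_PCBIOS and drop the `grub_verifiers_init` prototype, but unlike the verifiers.c hunk they carry no comment explaining why, so a reader of the header alone cannot tell that on i386-pc these symbols now come from the `verifiers` module rather than the kernel. A short comment above the first `#ifdef GRUB_MACHINE_PCBIOS` would close that gap: `/* On i386-pc the verifiers API is built as the verifiers module (see kern/verifiers.c), so its symbols are not kernel exports and there is no kernel init hook. */`. A related consequence worth stating in the Debian patch header is that any i386-pc image relying on file verification (for example one that embeds pgp) must now include the verifiers module; moddep.lst should pull it in automatically because verifiers.c provides the symbols pgp references, but that is inferred rather than visible in this diff. The GRUB_MOD_FINI added in verifiers.c unregisters the file filter, which is the right counterpart to the init path and is consistent with the kernel-side behavior on other platforms.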
......@@ -100,7 +100,6 @@ mdraid1x-linux-gcc-10.patch
zfs-gcc-10.patch
uefi-firmware-efivarfs.patch
grub-install-inverted-nls-test.patch
add-failsafe-boot-options.patch
2021-02-security/001-verifiers-Move-verifiers-API-to-kernel-image.patch
2021-02-security/002-kern-Add-lockdown-support.patch
2021-02-security/003-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-down.patch
......@@ -214,3 +213,4 @@ add-failsafe-boot-options.patch
2021-02-security/111-kern-misc-Add-function-to-check-printf-format-against-expected-format.patch
2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
pc-verifiers-module.patch
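Review bot: The first series hunk (`@@ -100,7 +100,6 @@`) removes one entry from the seven lines shown, but the rendering has lost the `-` marker, so which patch is dropped is not visible here, and neither changelog stanza in this commit mentions removing a patch (only adding `pc-verifiers-module.patch`). Worth confirming that the removed entry is intentional and, if it is, naming it in the changelog so the change to the applied patch set is traceable; if the removed line is `add-failsafe-boot-options.patch`, note that it still appears as old-file context for the second hunk, which is expected and does not by itself indicate it survives in the new file.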