Import Debian changes 2.04-17parrot1

grub2 (2.04-17parrot1) rolling; urgency=medium . * Import new Debian release. . grub2 (2.04-17) unstable; urgency=medium . * Pass --sbat when building the d-i netboot image as well. * i386-pc: build verifiers API as module (thanks, Michael Chang; closes: #984488, #985374).

Import Debian changes 2.04-17parrot1
grub2 (2.04-17parrot1) rolling; urgency=medium . * Import new Debian release. . grub2 (2.04-17) unstable; urgency=medium . * Pass --sbat when building the d-i netboot image as well. * i386-pc: build verifiers API as module (thanks, Michael Chang; closes: #984488, #985374).
772d1fad · Lorenzo "Palinuro" Faletra · 6b70d7c8 · 772d1fad · 772d1fad · 772d1fad
Commit 772d1fad authored Apr 28, 2021 by Lorenzo "Palinuro" Faletra
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
 # see git-dpm(1) from git-dpm package
-9cd32c57605b7ad713e108e0b98ebd504caa532e
-9cd32c57605b7ad713e108e0b98ebd504caa532e
+3d246c561a2c6aa18b78eae69e5100a2347dc7aa
+3d246c561a2c6aa18b78eae69e5100a2347dc7aa
 578bb115fbd47e1c464696f1f8d6183e5443975d
 578bb115fbd47e1c464696f1f8d6183e5443975d
 grub2_2.04.orig.tar.xz

--- a/debian/build-efi-images
+++ b/debian/build-efi-images
@@ -224,6 +224,8 @@ NET_MODULES="$CD_MODULES
 "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \
 	-d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \
 	-m "$workdir/memdisk-netboot.fat" \
-	-p "/${efi_vendor}-installer/$deb_arch/grub" $NET_MODULES
+	-p "/${efi_vendor}-installer/$deb_arch/grub" \
+	--sbat "$sbat_csv" \
+	$NET_MODULES

 exit 0
--- a/debian/changelog
+++ b/debian/changelog
+grub2 (2.04-17parrot1) rolling; urgency=medium
+
+  * Import new Debian release.
+
+ -- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>  Wed, 28 Apr 2021 22:13:38 +0200
+
+grub2 (2.04-17) unstable; urgency=medium
+
+  * Pass --sbat when building the d-i netboot image as well.
+  * i386-pc: build verifiers API as module (thanks, Michael Chang; closes:
+    #984488, #985374).
+
+ -- Colin Watson <cjwatson@debian.org>  Fri, 19 Mar 2021 10:41:41 +0000
+
 grub2 (2.04-16parrot1) rolling; urgency=medium

  * Import new Debian release.

--- a/debian/control
+++ b/debian/control
@@ -2,8 +2,7 @@ Source: grub2
 Section: admin
 Priority: optional
 XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
-Maintainer: Parrot Dev Team <team@parrotsec.org>
-Uploaders: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
+Maintainer: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
 Build-Depends: debhelper-compat (= 10),
 patchutils,
 python3,

--- a/debian/gbp.conf
+++ b/debian/gbp.conf
@@ -6,3 +6,7 @@ patch-numbers = False

 [dch]
 multimaint-merge = True
+
+[import-dsc]
+debian-branch = debian
+debian-tag = debian/%(version)s
--- a/debian/patches/pc-verifiers-module.patch
+++ b/debian/patches/pc-verifiers-module.patch
+From 3d246c561a2c6aa18b78eae69e5100a2347dc7aa Mon Sep 17 00:00:00 2001
+From: Michael Chang <mchang@suse.com>
+Date: Thu, 18 Mar 2021 19:30:26 +0800
+Subject: i386-pc: build verifiers API as module
+
+Given no core functions on i386-pc would require verifiers to work and
+the only consumer of the verifier API is the pgp module, it looks good
+to me that we can move the verifiers out of the kernel image and let
+moddep.lst to auto-load it when pgp is loaded on i386-pc platform.
+
+This helps to reduce the size of core image and thus can relax the
+tension of exploding on some i386-pc system with very short MBR gap
+size. See also a very comprehensive summary from Colin [1] about the
+details.
+
+[1] https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00240.html
+
+V2:
+Drop COND_NOT_i386_pc and use !COND_i386_pc.
+Add comment in kern/verifiers.c to help understanding what's going on
+without digging into the commit history.
+
+Reported-by: Colin Watson <cjwatson@debian.org>
+Reviewed-by: Colin Watson <cjwatson@debian.org>
+Signed-off-by: Michael Chang <mchang@suse.com>
+
+Origin: other, https://lists.gnu.org/archive/html/grub-devel/2021-03/msg00251.html
+Bug-Debian: https://bugs.debian.org/984488
+Bug-Debian: https://bugs.debian.org/985374
+Last-Update: 2021-03-18
+
+Patch-Name: pc-verifiers-module.patch
+---
+ grub-core/Makefile.am       |  2 ++
+ grub-core/Makefile.core.def |  8 +++++++-
+ grub-core/kern/main.c       |  4 ++++
+ grub-core/kern/verifiers.c  | 17 +++++++++++++++++
+ include/grub/verify.h       |  9 +++++++++
+ 5 files changed, 39 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.am b/grub-core/Makefile.am
+index 5308caa7b..4900265a4 100644
+--- a/grub-core/Makefile.am
+++ b/grub-core/Makefile.am
+@@ -92,7 +92,9 @@ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/partition.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/stack_protector.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/term.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/time.h
+if !COND_i386_pc
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/verify.h
+endif
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/mm_private.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/net.h
+ KERNEL_HEADER_FILES += $(top_srcdir)/include/grub/memory.h
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 248835aca..43b3da725 100644
+--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
+@@ -141,7 +141,7 @@ kernel = {
+   common = kern/rescue_parser.c;
+   common = kern/rescue_reader.c;
+   common = kern/term.c;
+-  common = kern/verifiers.c;
+  nopc = kern/verifiers.c;
+ 
+   noemu = kern/compiler-rt.c;
+   noemu = kern/mm.c;
+@@ -951,6 +951,12 @@ module = {
+   enable = x86_64_efi;
+ };
+ 
+module = {
+  name = verifiers;
+  common = kern/verifiers.c;
+  enable = i386_pc;
+};
+
+ module = {
+   name = hdparm;
+   common = commands/hdparm.c;
+diff --git a/grub-core/kern/main.c b/grub-core/kern/main.c
+index 2879d644a..c6fb66853 100644
+--- a/grub-core/kern/main.c
+++ b/grub-core/kern/main.c
+@@ -29,7 +29,9 @@
+ #include <grub/command.h>
+ #include <grub/reader.h>
+ #include <grub/parser.h>
+#ifndef GRUB_MACHINE_PCBIOS
+ #include <grub/verify.h>
+#endif
+ 
+ #ifdef GRUB_MACHINE_PCBIOS
+ #include <grub/machine/memory.h>
+@@ -285,8 +287,10 @@ grub_main (void)
+   grub_setcolorstate (GRUB_TERM_COLOR_STANDARD);
+ #endif
+ 
+#ifndef GRUB_MACHINE_PCBIOS
+   /* Init verifiers API. */
+   grub_verifiers_init ();
+#endif
+ 
+   grub_load_config ();
+ 
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index aa3dc7c64..58dbe152a 100644
+--- a/grub-core/kern/verifiers.c
+++ b/grub-core/kern/verifiers.c
+@@ -217,8 +217,25 @@ grub_verify_string (char *str, enum grub_verify_string_type type)
+   return GRUB_ERR_NONE;
+ }
+ 
+/*
+ * It is intended to build verifiers as module on i386-pc platform to minimize
+ * the impact of growing core image size could blow up the 63 sectors limit of
+ * some MBR gap one day. It is also adequate to do so, given no core function
+ * on i386-pc would require the verifiers API to work.
+ */
+#ifdef GRUB_MACHINE_PCBIOS
+GRUB_MOD_INIT(verifiers)
+#else
+ void
+ grub_verifiers_init (void)
+#endif
+ {
+   grub_file_filter_register (GRUB_FILE_FILTER_VERIFY, grub_verifiers_open);
+ }
+
+#ifdef GRUB_MACHINE_PCBIOS
+GRUB_MOD_FINI(verifiers)
+{
+  grub_file_filter_unregister (GRUB_FILE_FILTER_VERIFY);
+}
+#endif
+diff --git a/include/grub/verify.h b/include/grub/verify.h
+index cd129c398..6fde244fc 100644
+--- a/include/grub/verify.h
+++ b/include/grub/verify.h
+@@ -64,10 +64,14 @@ struct grub_file_verifier
+   grub_err_t (*verify_string) (char *str, enum grub_verify_string_type type);
+ };
+ 
+#ifdef GRUB_MACHINE_PCBIOS
+extern struct grub_file_verifier *grub_file_verifiers;
+#else
+ extern struct grub_file_verifier *EXPORT_VAR (grub_file_verifiers);
+ 
+ extern void
+ grub_verifiers_init (void);
+#endif
+ 
+ static inline void
+ grub_verifier_register (struct grub_file_verifier *ver)
+@@ -81,7 +85,12 @@ grub_verifier_unregister (struct grub_file_verifier *ver)
+   grub_list_remove (GRUB_AS_LIST (ver));
+ }
+ 
+#ifdef GRUB_MACHINE_PCBIOS
+grub_err_t
+grub_verify_string (char *str, enum grub_verify_string_type type);
+#else
+ extern grub_err_t
+ EXPORT_FUNC (grub_verify_string) (char *str, enum grub_verify_string_type type);
+#endif
+ 
+ #endif /* ! GRUB_VERIFY_HEADER */
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -100,7 +100,6 @@ mdraid1x-linux-gcc-10.patch
 zfs-gcc-10.patch
 uefi-firmware-efivarfs.patch
 grub-install-inverted-nls-test.patch
-add-failsafe-boot-options.patch
 2021-02-security/001-verifiers-Move-verifiers-API-to-kernel-image.patch
 2021-02-security/002-kern-Add-lockdown-support.patch
 2021-02-security/003-kern-lockdown-Set-a-variable-if-the-GRUB-is-locked-down.patch
@@ -214,3 +213,4 @@ add-failsafe-boot-options.patch
 2021-02-security/111-kern-misc-Add-function-to-check-printf-format-against-expected-format.patch
 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch
 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch
+pc-verifiers-module.patch