Commit e77098bc authored by Lorenzo "Palinuro" Faletra's avatar Lorenzo "Palinuro" Faletra

Import Debian changes 2.02+dfsg1-18parrot1

grub2 (2.02+dfsg1-18parrot1) testing; urgency=medium

  * Import new Debian release.

grub2 (2.02+dfsg1-18) unstable; urgency=medium

  * Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
    #927269):
    - arm: Move trampolines into code section
    - arm: Align section alignment with manual relocation offset code
  * Make grub2-common Breaks+Replaces grub-cloud-amd64 (<< 0.0.4) to work
    around that package shipping colliding configuration file names in
    stretch-backports (closes: #919915).
  * Apply patch from Peter Jones to forbid the "devicetree" command when
    Secure Boot is enabled (closes: #927888).

grub2 (2.02+dfsg1-17) unstable; urgency=medium

  * Make grub-efi-*-bin recommend efibootmgr.  We don't actually use it any
    more, but it's helpful for debugging.
parent db69d0bc
# see git-dpm(1) from git-dpm package
3ddfe605a6a472100f529c3d7465bf4eb7fe954d
3ddfe605a6a472100f529c3d7465bf4eb7fe954d
9569221816a2a1a832be106440375a612e0121b7
9569221816a2a1a832be106440375a612e0121b7
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
59aeb1cfaa3d5bfd7bbeeee0f0d37f6d9eed51fe
grub2_2.02+dfsg1.orig.tar.xz
......
grub2 (2.02+dfsg1-18parrot1) testing; urgency=medium
* Import new Debian release.
-- Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org> Fri, 17 May 2019 14:06:24 +0200
grub2 (2.02+dfsg1-18) unstable; urgency=medium
* Apply patches from Alexander Graf to fix grub-efi-arm crash (closes:
#927269):
- arm: Move trampolines into code section
- arm: Align section alignment with manual relocation offset code
* Make grub2-common Breaks+Replaces grub-cloud-amd64 (<< 0.0.4) to work
around that package shipping colliding configuration file names in
stretch-backports (closes: #919915).
* Apply patch from Peter Jones to forbid the "devicetree" command when
Secure Boot is enabled (closes: #927888).
-- Colin Watson <cjwatson@debian.org> Sat, 04 May 2019 22:58:32 +0100
grub2 (2.02+dfsg1-17) unstable; urgency=medium
* Make grub-efi-*-bin recommend efibootmgr. We don't actually use it any
more, but it's helpful for debugging.
-- Colin Watson <cjwatson@debian.org> Mon, 15 Apr 2019 18:38:30 +0100
grub2 (2.02+dfsg1-16parrot2) testing; urgency=medium
* Import failsafe options patch from precedent parrot version.
......
Source: grub2
Section: admin
Priority: optional
Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
XSBC-Original-Maintainer: GRUB Maintainers <pkg-grub-devel@alioth-lists.debian.net>
Maintainer: Kali Developers <devel@kali.org>
Uploaders: Felix Zielcke <fzielcke@z-51.de>, Jordi Mallach <jordi@debian.org>, Colin Watson <cjwatson@debian.org>, Ian Campbell <ijc@debian.org>
Build-Depends: debhelper (>= 10~),
patchutils,
......@@ -37,8 +38,8 @@ Build-Depends: debhelper (>= 10~),
Build-Conflicts: autoconf2.13, libzfs-dev, libnvpair-dev
Standards-Version: 3.9.6
Homepage: https://www.gnu.org/software/grub/
Vcs-Git: https://salsa.debian.org/grub-team/grub.git
Vcs-Browser: https://salsa.debian.org/grub-team/grub
Vcs-Git: https://gitlab.com/kalilinux/packages/grub2.git
Vcs-Browser: https://gitlab.com/kalilinux/packages/grub2
Rules-Requires-Root: no
Package: grub2
......@@ -92,9 +93,9 @@ Package: grub2-common
# of the package is not very useful in a utilities-only build.
Architecture: any-i386 any-amd64 any-powerpc any-ppc64 any-ppc64el any-sparc any-sparc64 any-mipsel any-ia64 any-arm any-arm64
Depends: grub-common (= ${binary:Version}), dpkg (>= 1.15.4) | install-info, ${shlibs:Depends}, ${misc:Depends}
Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
Replaces: grub, grub-legacy, ${legacy-doc-br}, grub-common (<< 1.99-1), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
Conflicts: grub-legacy
Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7)
Breaks: grub (<< 0.97-54), ${legacy-doc-br}, shim (<< 0.9+1474479173.6c180c6-0ubuntu1~), grub-pc (<< 2.02+dfsg1-7), grub-coreboot (<< 2.02+dfsg1-7), grub-efi-ia32 (<< 2.02+dfsg1-7), grub-efi-amd64 (<< 2.02+dfsg1-7), grub-efi-ia64 (<< 2.02+dfsg1-7), grub-efi-arm (<< 2.02+dfsg1-7), grub-efi-arm64 (<< 2.02+dfsg1-7), grub-ieee1275 (<< 2.02+dfsg1-7), grub-uboot (<< 2.02+dfsg1-7), grub-xen (<< 2.02+dfsg1-7), grub-yeeloong (<< 2.02+dfsg1-7), grub-cloud-amd64 (<< 0.0.4)
Multi-Arch: foreign
Description: GRand Unified Bootloader (common files for version 2)
This package contains common files shared by the distinct flavours of GRUB.
......@@ -247,7 +248,8 @@ Description: GRand Unified Bootloader, version 2 (Coreboot version)
Package: grub-efi-ia32-bin
Architecture: any-i386 any-amd64
Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
Conflicts: grub-efi-ia32-signed,
Conflicts: grub-efi-ia32-signed
Recommends: efibootmgr [linux-any]
Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi, grub-efi-ia32 (<< 1.99-1)
Multi-Arch: foreign
XB-Efi-Vendor: ${efi:Vendor}
......@@ -308,7 +310,8 @@ Description: GRand Unified Bootloader, version 2 (EFI-IA32 signing template)
Package: grub-efi-amd64-bin
Architecture: i386 kopensolaris-i386 any-amd64
Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
Conflicts: grub-efi-amd64-signed,
Conflicts: grub-efi-amd64-signed
Recommends: efibootmgr [linux-any]
Replaces: grub2 (<< ${source:Version}), grub-common (<= 1.97~beta2-1), grub-efi-amd64 (<< 1.99-1)
Multi-Arch: foreign
XB-Efi-Vendor: ${efi:Vendor}
......@@ -418,6 +421,7 @@ Description: GRand Unified Bootloader, version 2 (IA64 version)
Package: grub-efi-arm-bin
Architecture: any-arm
Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
Recommends: efibootmgr [linux-any]
Multi-Arch: foreign
XB-Efi-Vendor: ${efi:Vendor}
Description: GRand Unified Bootloader, version 2 (ARM UEFI modules)
......@@ -468,7 +472,8 @@ Description: GRand Unified Bootloader, version 2 (ARM UEFI version)
Package: grub-efi-arm64-bin
Architecture: any-arm64
Depends: ${shlibs:Depends}, ${misc:Depends}, grub-common (= ${binary:Version})
Conflicts: grub-efi-arm64-signed,
Conflicts: grub-efi-arm64-signed
Recommends: efibootmgr [linux-any]
Multi-Arch: foreign
XB-Efi-Vendor: ${efi:Vendor}
Description: GRand Unified Bootloader, version 2 (ARM64 UEFI modules)
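Review bot: The source stanza appears to end up with `Maintainer: Kali Developers <devel@kali.org>` and with `Vcs-Git`/`Vcs-Browser` pointing at gitlab.com/kalilinux, while the changelog entry for this upload is a `parrot1` version signed from a parrotsec.org address. The page has lost the +/- markers, so that these lines are on the new side is inferred from the `-37,8 +38,8` hunk offset. If they are, bug reports and source lookups for this bootloader package are directed at a project that did not produce it, and the fields should name this package's actual maintainer and repository. The `grub-cloud-amd64 (<< 0.0.4)` additions to Breaks/Replaces and the new `Recommends: efibootmgr [linux-any]` lines match the changelog.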
......
Description: Add failsafe options for acpi and nouveau on boot screen
Author: Lorenzo "Palinuro" Faletra <palinuro@parrotsec.org>
Last-Update: 2019-03-20
--- grub2-2.02+dfsg1.orig/util/grub.d/10_linux.in
+++ grub2-2.02+dfsg1/util/grub.d/10_linux.in
@@ -17,6 +17,8 @@ set -e
# You should have received a copy of the GNU General Public License
# along with GRUB. If not, see <http://www.gnu.org/licenses/>.
+
+
prefix="@prefix@"
exec_prefix="@exec_prefix@"
datarootdir="@datarootdir@"
@@ -120,6 +122,10 @@ linux_entry ()
title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "${GRUB_RECOVERY_TITLE}")")" ;;
init-*)
title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "${type#init-}")" ;;
+ nouveau-off)
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "Nouveau/Nvidia Off")")" ;;
+ acpi-off)
+ title="$(gettext_printf "%s, with Linux %s (%s)" "${os}" "${version}" "$(gettext "ACPI Off")")" ;;
*)
title="$(gettext_printf "%s, with Linux %s" "${os}" "${version}")" ;;
esac
@@ -334,6 +340,11 @@ while [ "x$list" != "x" ] ; do
if [ "x$is_top_level" = xtrue ] && [ "x${GRUB_DISABLE_SUBMENU}" != xy ]; then
linux_entry "${OS}" "${version}" simple \
"${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT}"
+
+ linux_entry "${OS}" "${version}" nouveau-off \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} nouveau.modeset=0"
+ linux_entry "${OS}" "${version}" acpi-off \
+ "${GRUB_CMDLINE_LINUX} ${GRUB_CMDLINE_LINUX_DEFAULT} acpi=off"
submenu_indentation="$grub_tab"
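Review bot: The two added `linux_entry` calls for `nouveau-off` and `acpi-off` run unconditionally inside the `is_top_level` branch, so the generated menu always gains two extra top-level entries and there is no setting to turn them off. I would guard them with an opt-out variable tested the same way `GRUB_DISABLE_SUBMENU` is on the `if` line above, and document it with the other `GRUB_*` settings. A short comment such as `# Failsafe entries: same kernel with nouveau modesetting or ACPI disabled` above the calls would also explain why they exist. The enclosing `while` loop starts and ends outside the hunk, so how often this branch runs per kernel list is not visible here.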
From 98e5faf41eb40e287dc00c79f461f5afa92d8a34 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@csgraf.de>
Date: Tue, 30 Apr 2019 22:43:57 +0200
Subject: arm: Align section alignment with manual relocation offset code
The arm relocation code has a manual special case for EFI binaries to
add the natural alignment to its own relocation awareness.
Since commit a51f953f4ee87 ("mkimage: Align efi sections on 4k
boundary") we changed that alignment from 0x400 to 0x1000 bytes. Reflect
the change in that branch that we forgot as well.
This fixes running 32bit arm grub efi binaries for me again.
Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
Reported-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
Reported-by: Steve McIntyre <steve@einval.com>
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Tested-by: Julien ROBIN <julien.robin28@free.fr>
Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
Bug-Debian: https://bugs.debian.org/927269
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00132.html
Last-Update: 2019-05-03
Patch-Name: arm-align-section-alignment-with-manual-reloc-offset.patch
---
util/grub-mkimagexx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 2f80e5abc..740b30483 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -1105,7 +1105,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections,
(int) sym_addr, (int) sym_addr);
/* Data will be naturally aligned */
if (image_target->id == IMAGE_EFI)
- sym_addr += 0x400;
+ sym_addr += GRUB_PE32_SECTION_ALIGNMENT;
*target = grub_host_to_target32 (grub_target_to_host32 (*target) + sym_addr);
}
break;
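Review bot: The comment `/* Data will be naturally aligned */` above the changed line says too little now that the offset is `GRUB_PE32_SECTION_ALIGNMENT`. Per the patch description, this manual offset has to follow the alignment mkimage uses for EFI sections, and the earlier breakage came from the two drifting apart. I would expand it to something like `/* EFI: sections are placed at GRUB_PE32_SECTION_ALIGNMENT; this manual offset must use the same constant. */`. The enclosing `case` and the rest of relocate_addresses lie outside the hunk.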
From 61f1b949b4b9302b664553cdc5c77cb6fea8f897 Mon Sep 17 00:00:00 2001
From: Alexander Graf <agraf@csgraf.de>
Date: Tue, 30 Apr 2019 22:43:56 +0200
Subject: arm: Move trampolines into code section
When creating T32->A32 transition jumps, the relocation code in grub
will generate trampolines. These trampolines live in the .data section
of our PE binary which means they are not marked as executable.
This misbehavior was unmasked by commit a51f953f4ee87 ("mkimage: Align
efi sections on 4k boundary") which made the X/NX boundary more obvious
because everything became page aligned.
To put things into proper order, let's move the arm trampolines into the
.text section instead. That way everyone knows they are executable.
Fixes: a51f953f4ee87 ("mkimage: Align efi sections on 4k boundary")
Reported-by: Julien ROBIN <julien.robin28@free.fr>
Reported-by: Leif Lindholm <leif.lindholm@linaro.org>
Signed-off-by: Alexander Graf <agraf@csgraf.de>
Reviewed-by: Leif Lindholm <leif.lindholm@linaro.org>
Tested-by: Julien ROBIN <julien.robin28@free.fr>
Tested-by: Leif Lindholm <leif.lindholm@linaro.org>
Bug-Debian: https://bugs.debian.org/927269
Origin: other, https://lists.gnu.org/archive/html/grub-devel/2019-04/msg00131.html
Last-Update: 2019-05-03
Patch-Name: arm-move-trampolines-into-code-section.patch
---
util/grub-mkimagexx.c | 32 +++++++++++++++-----------------
1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c
index 6c02faffb..2f80e5abc 100644
--- a/util/grub-mkimagexx.c
+++ b/util/grub-mkimagexx.c
@@ -1860,6 +1860,21 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
}
}
+#ifdef MKIMAGE_ELF32
+ if (image_target->elf_target == EM_ARM)
+ {
+ grub_size_t tramp;
+
+ layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
+
+ tramp = arm_get_trampoline_size (e, sections, section_entsize,
+ num_sections, image_target);
+
+ layout->tramp_off = layout->kernel_size;
+ layout->kernel_size += ALIGN_UP (tramp, 16);
+ }
+#endif
+
layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
image_target->section_align)
- image_target->vaddr_offset;
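Review bot: The added `#ifdef MKIMAGE_ELF32` block has no comment saying why it must run before the `section_align` round-up of `layout->kernel_size` that follows it. Per the patch description, the purpose is that the ARM trampolines end up in the executable part of the image rather than in `.data`, and a later reordering would silently undo that. I would add `/* Reserve ARM trampoline space before the section_align round-up so it belongs to the code section and is marked executable. */` above the `if (image_target->elf_target == EM_ARM)` line. locate_sections starts and ends outside the hunk.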
@@ -1876,23 +1891,6 @@ SUFFIX (locate_sections) (Elf_Ehdr *e, const char *kernel_path,
strtab,
image_target);
-#ifdef MKIMAGE_ELF32
- if (image_target->elf_target == EM_ARM)
- {
- grub_size_t tramp;
- layout->kernel_size = ALIGN_UP (layout->kernel_size + image_target->vaddr_offset,
- image_target->section_align) - image_target->vaddr_offset;
-
- layout->kernel_size = ALIGN_UP (layout->kernel_size, 16);
-
- tramp = arm_get_trampoline_size (e, sections, section_entsize,
- num_sections, image_target);
-
- layout->tramp_off = layout->kernel_size;
- layout->kernel_size += ALIGN_UP (tramp, 16);
- }
-#endif
-
layout->bss_start = layout->kernel_size;
layout->end = layout->kernel_size;
From 9569221816a2a1a832be106440375a612e0121b7 Mon Sep 17 00:00:00 2001
From: Peter Jones <pjones@redhat.com>
Date: Wed, 24 Apr 2019 10:03:04 -0400
Subject: Forbid the "devicetree" command when Secure Boot is enabled.
Signed-off-by: Peter Jones <pjones@redhat.com>
Signed-off-by: Steve McIntyre <93sam@debian.org>
Origin: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927888#15
Bug-Debian: https://bugs.debian.org/927888
Last-Update: 2019-05-04
Patch-Name: no-devicetree-if-secure-boot.patch
---
grub-core/loader/arm/linux.c | 14 +++++++++++++-
grub-core/loader/efi/fdt.c | 8 ++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/grub-core/loader/arm/linux.c b/grub-core/loader/arm/linux.c
index 9300adc8f..72d747578 100644
--- a/grub-core/loader/arm/linux.c
+++ b/grub-core/loader/arm/linux.c
@@ -29,6 +29,10 @@
#include <grub/lib/cmdline.h>
#include <grub/linux.h>
+#ifdef GRUB_MACHINE_EFI
+#include <grub/efi/efi.h>
+#endif
+
GRUB_MOD_LICENSE ("GPLv3+");
static grub_dl_t my_mod;
@@ -433,9 +437,17 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
if (argc != 1)
return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("filename expected"));
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0]);
if (!dtb)
- goto out;
+ return grub_errno;
size = grub_file_size (dtb);
if (size == 0)
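Review bot: The new error string in the `grub_efi_secure_boot ()` branch is passed to `grub_error` untranslated, while the `filename expected` message just above it is wrapped in `N_()`; the call should use `N_("Secure Boot forbids loading devicetree from %s"), argv[0]);`. The same block is added verbatim in the grub-core/loader/efi/fdt.c hunk, so the remark applies there too, and a single shared helper would keep the two policy checks from drifting apart. The braces around the lone `return` could go, to match the unbraced `return grub_error` above. grub_cmd_devicetree continues outside the hunk, so I cannot confirm that the `out:` label is still reached by another `goto` now that `goto out;` became `return grub_errno;`.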
diff --git a/grub-core/loader/efi/fdt.c b/grub-core/loader/efi/fdt.c
index c9aee74ef..2def3dc5d 100644
--- a/grub-core/loader/efi/fdt.c
+++ b/grub-core/loader/efi/fdt.c
@@ -123,6 +123,14 @@ grub_cmd_devicetree (grub_command_t cmd __attribute__ ((unused)),
return GRUB_ERR_NONE;
}
+#ifdef GRUB_MACHINE_EFI
+ if (grub_efi_secure_boot ())
+ {
+ return grub_error (GRUB_ERR_ACCESS_DENIED,
+ "Secure Boot forbids loading devicetree from %s", argv[0]);
+ }
+#endif
+
dtb = grub_file_open (argv[0]);
if (!dtb)
goto out;
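Review bot: The Secure Boot check sits after the early `return GRUB_ERR_NONE;` path at the top of the hunk, so whatever that earlier branch does stays allowed with Secure Boot on. That looks intentional (presumably the no-argument case), but a comment should say so. Above the check I would add a why-comment along the lines of `/* A user-supplied device tree is not verified under Secure Boot, so refuse to load one. */`, worded to match what the loader actually verifies. The `#ifdef GRUB_MACHINE_EFI` guard also looks redundant in a file under loader/efi/, unless this file is built for non-EFI machines as well. grub_cmd_devicetree begins before and ends after the hunk.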
......@@ -134,4 +134,6 @@ util-check-errors.patch
xfs-sparse-inodes.patch
vsnprintf-upper-case-hex.patch
efi-variable-storage-minimise-writes.patch
add-failsafe-boot-options.patch
arm-move-trampolines-into-code-section.patch
arm-align-section-alignment-with-manual-reloc-offset.patch
no-devicetree-if-secure-boot.patch