-
Notifications
You must be signed in to change notification settings - Fork 4
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Update grub2 to version 2.12~rc1 / rev 305 via SR 1120471
https://build.opensuse.org/request/show/1120471 by user dirkmueller + anag+factory
- Loading branch information
1 parent
9a21a34
commit 510afd4
Showing
7 changed files
with
267 additions
and
4 deletions.
There are no files selected for viewing
Binary file not shown.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
142 changes: 142 additions & 0 deletions
142
packages/g/grub2/0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,142 @@ | ||
| From 06af22d6c893b0249712e9a486e0cbae15160e5c Mon Sep 17 00:00:00 2001 | ||
| From: Michael Chang <[email protected]> | ||
| Date: Mon, 23 Oct 2023 16:11:53 +0800 | ||
| Subject: [PATCH] luks2: Use grub-tpm2 token for TPM2-protected volume unlock | ||
|
|
||
| This commit enables the use of the grub-tpm2 token for unlocking LUKS2 | ||
| volumes protected by TPM2. The token tracks keyslots associated with a | ||
| sealed key, making the unsealing process more efficient and secure. | ||
|
|
||
| Signed-Off-by Michael Chang <[email protected]> | ||
| --- | ||
| grub-core/disk/luks2.c | 81 ++++++++++++++++++++++++++++++++++++++++-- | ||
| 1 file changed, 79 insertions(+), 2 deletions(-) | ||
|
|
||
| diff --git a/grub-core/disk/luks2.c b/grub-core/disk/luks2.c | ||
| index d5106402f..fe5ba777a 100644 | ||
| --- a/grub-core/disk/luks2.c | ||
| +++ b/grub-core/disk/luks2.c | ||
| @@ -124,6 +124,14 @@ struct grub_luks2_digest | ||
| }; | ||
| typedef struct grub_luks2_digest grub_luks2_digest_t; | ||
|
|
||
| +struct grub_luks2_token_tpm | ||
| +{ | ||
| + grub_uint64_t idx; | ||
| + grub_uint64_t keyslots; | ||
| + const char *timestamp; | ||
| +}; | ||
| +typedef struct grub_luks2_token_tpm grub_luks2_token_tpm_t; | ||
| + | ||
| gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, | ||
| grub_uint8_t * dst, grub_size_t blocksize, | ||
| grub_size_t blocknumbers); | ||
| @@ -257,6 +265,39 @@ luks2_parse_digest (grub_luks2_digest_t *out, const grub_json_t *digest) | ||
| return GRUB_ERR_NONE; | ||
| } | ||
|
|
||
| +static grub_err_t | ||
| +luks2_parse_token_tpm (grub_luks2_token_tpm_t *out, const grub_json_t *token) | ||
| +{ | ||
| + grub_json_t keyslots, o; | ||
| + grub_size_t i, size; | ||
| + grub_uint64_t bit; | ||
| + const char *type; | ||
| + | ||
| + if (grub_json_getstring (&type, token, "type")) | ||
| + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid token type"); | ||
| + else if (grub_strcmp (type, "grub-tpm2")) | ||
| + return GRUB_ERR_NONE; | ||
| + | ||
| + if (grub_json_getvalue (&keyslots, token, "keyslots") || | ||
| + grub_json_getstring (&out->timestamp, token, "timestamp")) | ||
| + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Missing token parameters"); | ||
| + | ||
| + if (grub_json_getsize (&size, &keyslots)) | ||
| + return grub_error (GRUB_ERR_BAD_ARGUMENT, | ||
| + "Token references no keyslots"); | ||
| + | ||
| + out->keyslots = 0; | ||
| + for (i = 0; i < size; i++) | ||
| + { | ||
| + if (grub_json_getchild (&o, &keyslots, i) || | ||
| + grub_json_getuint64 (&bit, &o, NULL)) | ||
| + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Invalid keyslot"); | ||
| + out->keyslots |= (1 << bit); | ||
| + } | ||
| + | ||
| + return GRUB_ERR_NONE; | ||
| +} | ||
| + | ||
| static grub_err_t | ||
| luks2_get_keyslot (grub_luks2_keyslot_t *k, grub_luks2_digest_t *d, grub_luks2_segment_t *s, | ||
| const grub_json_t *root, grub_size_t keyslot_json_idx) | ||
| @@ -561,13 +602,14 @@ luks2_recover_key (grub_disk_t source, | ||
| { | ||
| grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; | ||
| char cipher[32], *json_header = NULL, *ptr; | ||
| - grub_size_t candidate_key_len = 0, json_idx, size; | ||
| + grub_size_t candidate_key_len = 0, json_idx, size, tsize; | ||
| grub_luks2_header_t header; | ||
| grub_luks2_keyslot_t keyslot; | ||
| grub_luks2_digest_t digest; | ||
| grub_luks2_segment_t segment; | ||
| + grub_luks2_token_tpm_t token_tpm; | ||
| gcry_err_code_t gcry_ret; | ||
| - grub_json_t *json = NULL, keyslots; | ||
| + grub_json_t *json = NULL, keyslots, tokens; | ||
| grub_err_t ret; | ||
|
|
||
| if (cargs->key_data == NULL || cargs->key_len == 0) | ||
| @@ -605,6 +647,37 @@ luks2_recover_key (grub_disk_t source, | ||
| goto err; | ||
| } | ||
|
|
||
| + token_tpm.keyslots = 0; | ||
| + tsize = 0; | ||
| + if (cargs->protectors) | ||
| + { | ||
| + int i; | ||
| + for (i = 0; cargs->protectors[i]; i++) | ||
| + if (grub_strcmp(cargs->protectors[i], "tpm2") == 0) | ||
| + break; | ||
| + | ||
| + if (!cargs->protectors[i] || | ||
| + cargs->key_cache[i].invalid || | ||
| + grub_json_getvalue (&tokens, json, "tokens") || | ||
| + grub_json_getsize (&tsize, &tokens)) | ||
| + grub_dprintf ("luks2", "No valid token or not a tpm2 protector\n"); | ||
| + } | ||
| + | ||
| + for (json_idx = 0; json_idx < tsize; json_idx++) | ||
| + { | ||
| + grub_json_t token; | ||
| + | ||
| + if (grub_json_getchild (&token, &tokens, json_idx) || | ||
| + grub_json_getuint64 (&token_tpm.idx, &token, NULL) || | ||
| + grub_json_getchild (&token, &token, 0) || | ||
| + luks2_parse_token_tpm (&token_tpm, &token)) | ||
| + { | ||
| + grub_dprintf ("luks2", "Could not parse token index %" PRIuGRUB_SIZE "\n", json_idx); | ||
| + grub_errno = GRUB_ERR_NONE; | ||
| + continue; | ||
| + } | ||
| + } | ||
| + | ||
| if (grub_disk_native_sectors (source) == GRUB_DISK_SIZE_UNKNOWN) | ||
| { | ||
| /* FIXME: Allow use of source disk, and maybe cause errors in read. */ | ||
| @@ -641,6 +714,10 @@ luks2_recover_key (grub_disk_t source, | ||
| continue; | ||
| } | ||
|
|
||
| + if (token_tpm.keyslots && | ||
| + !(token_tpm.keyslots & (1 << keyslot.idx))) | ||
| + continue; | ||
| + | ||
| grub_dprintf ("luks2", "Trying keyslot \"%" PRIuGRUB_UINT64_T "\"\n", keyslot.idx); | ||
|
|
||
| /* Sector size should be one of 512, 1024, 2048, or 4096. */ | ||
| -- | ||
| 2.42.0 | ||
|
|
86 changes: 86 additions & 0 deletions
86
packages/g/grub2/Fix-the-size-calculation-for-the-synthesized-initrd.patch
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,86 @@ | ||
| From d441356c924102b43b303520cc1c62a624b014d6 Mon Sep 17 00:00:00 2001 | ||
| From: Gary Lin <[email protected]> | ||
| Date: Thu, 26 Oct 2023 13:18:24 +0800 | ||
| Subject: [PATCH] Fix the size calculation for the synthesized initrd | ||
|
|
||
| When calculating the size of the synthesized initrd in | ||
| grub_initrd_component(), the ending "TRAILER!!!" is counted in for every | ||
| synthesized initrd. However, in grub_initrd_load(), only one "TRAILER!!!" | ||
| will be appended for one group of consecutive synthesized initrds. The | ||
| additional size calculation for the ending "TRAILER!!!" could make the | ||
| linux kernel to read uninitialized bytes and result in the error message | ||
| like this: | ||
|
|
||
| Initramfs unpacking failed: invalid magic at start of compressed archive | ||
|
|
||
| To fit into the original 'newc' design, the ending "TRAILER!!!" is | ||
| removed from grub_initrd_component(). Instead, in grub_initrd_init(), | ||
| the 'newc' flag is set when calculating size of the synthesized initrd | ||
| to append the ending "TRAILER!!!" later. As for grub_initrd_load(), | ||
| since the path to the unsealed key is specified in 'newc_name', it's | ||
| unnecessary to set the 'newc' flag while copying the unsealed key | ||
| because the flag is already set when parsing the path name. | ||
|
|
||
| Signed-off-by: Gary Lin <[email protected]> | ||
| --- | ||
| grub-core/loader/linux.c | 23 ++++++++--------------- | ||
| 1 file changed, 8 insertions(+), 15 deletions(-) | ||
|
|
||
| diff --git a/grub-core/loader/linux.c b/grub-core/loader/linux.c | ||
| index 4e028f5..9ee8f37 100644 | ||
| --- a/grub-core/loader/linux.c | ||
| +++ b/grub-core/loader/linux.c | ||
| @@ -209,13 +209,6 @@ grub_initrd_component (const char *buf, int bufsz, const char *newc_name, | ||
| &initrd_ctx->size)) | ||
| goto overflow; | ||
|
|
||
| - initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); | ||
| - if (grub_add (initrd_ctx->size, | ||
| - ALIGN_UP (sizeof (struct newc_head) | ||
| - + sizeof ("TRAILER!!!") - 1, 4), | ||
| - &initrd_ctx->size)) | ||
| - goto overflow; | ||
| - | ||
| free_dir (root); | ||
| root = 0; | ||
| return GRUB_ERR_NONE; | ||
| @@ -312,6 +305,13 @@ grub_initrd_init (int argc, char *argv[], | ||
| goto overflow; | ||
| } | ||
|
|
||
| + FOR_LIST_ELEMENTS (pk, kpuber) | ||
| + if (pk->key && pk->path) | ||
| + { | ||
| + grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx); | ||
| + newc = 1; | ||
| + } | ||
| + | ||
| if (newc) | ||
| { | ||
| initrd_ctx->size = ALIGN_UP (initrd_ctx->size, 4); | ||
| @@ -324,10 +324,6 @@ grub_initrd_init (int argc, char *argv[], | ||
| root = 0; | ||
| } | ||
|
|
||
| - FOR_LIST_ELEMENTS (pk, kpuber) | ||
| - if (pk->key && pk->path) | ||
| - grub_initrd_component (pk->key, pk->key_len, pk->path, initrd_ctx); | ||
| - | ||
| return GRUB_ERR_NONE; | ||
|
|
||
| overflow: | ||
| @@ -404,10 +400,7 @@ grub_initrd_load (struct grub_linux_initrd_context *initrd_ctx, | ||
|
|
||
| cursize = initrd_ctx->components[i].size; | ||
| if (initrd_ctx->components[i].buf) | ||
| - { | ||
| - grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize); | ||
| - newc = 1; | ||
| - } | ||
| + grub_memcpy (ptr, initrd_ctx->components[i].buf, cursize); | ||
| else if (grub_file_read (initrd_ctx->components[i].file, ptr, cursize) | ||
| != cursize) | ||
| { | ||
| -- | ||
| 2.35.3 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,3 +1,23 @@ | ||
| ------------------------------------------------------------------- | ||
| Thu Oct 26 06:04:54 UTC 2023 - Gary Ching-Pang Lin <[email protected]> | ||
|
|
||
| - Fix a potential error when appending multiple keys into the | ||
| synthesized initrd | ||
| * Fix-the-size-calculation-for-the-synthesized-initrd.patch | ||
|
|
||
| ------------------------------------------------------------------- | ||
| Wed Oct 25 01:56:09 UTC 2023 - Michael Chang <[email protected]> | ||
|
|
||
| - Fix Xen chainloding error of no matching file path found (bsc#1216081) | ||
| * grub2-efi-chainload-harder.patch | ||
|
|
||
| ------------------------------------------------------------------- | ||
| Mon Oct 23 13:11:45 UTC 2023 - Michael Chang <[email protected]> | ||
|
|
||
| - Use grub-tpm2 token to unlock keyslots to make the unsealing process more | ||
| efficient and secure. | ||
| * 0001-luks2-Use-grub-tpm2-token-for-TPM2-protected-volume-.patch | ||
|
|
||
| ------------------------------------------------------------------- | ||
| Mon Oct 16 08:05:03 UTC 2023 - Michael Chang <[email protected]> | ||
|
|
||
|
|
@@ -785,7 +805,7 @@ Wed Jun 8 03:25:26 UTC 2022 - Michael Chang <[email protected]> | |
| ------------------------------------------------------------------- | ||
| Wed Jun 8 03:17:29 UTC 2022 - Michael Chang <[email protected]> | ||
|
|
||
| - Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) | ||
| - Add patches for automatic TPM disk unlock (jsc#SLE-24018) (bsc#1196668) (jsc#PED-1276) | ||
| * 0001-luks2-Add-debug-message-to-align-with-luks-and-geli-.patch | ||
| * 0002-cryptodisk-Refactor-to-discard-have_it-global.patch | ||
| * 0003-cryptodisk-Return-failure-in-cryptomount-when-no-cry.patch | ||
|
|
@@ -868,7 +888,7 @@ Thu May 26 10:10:56 UTC 2022 - Michael Chang <[email protected]> | |
| Tue May 17 10:46:38 UTC 2022 - Michael Chang <[email protected]> | ||
|
|
||
| - Fix installation over serial console ends up in infinite boot loop | ||
| (bsc#1187810) | ||
| (bsc#1187810) (bsc#1209667) (bsc#1209372) | ||
| * 0001-Fix-infinite-boot-loop-on-headless-system-in-qemu.patch | ||
| - Fix ppc64le build error for new IEEE long double ABI | ||
| * 0001-libc-config-merge-from-glibc.patch | ||
|
|
||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters