Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock
Please unblock grub2 2.04-18. This is mostly fixes from Steve to sort out UEFI Secure Boot on i386. The upstream patch to fix section size calculation *seems* to only fix a problem on ia64 right now, which of course wouldn't be release-critical by itself, but having potentially-incorrect section sizes gives me the shivers so I thought it best to include this as well. You may need to manually unblock grub-efi-{amd64,arm64,ia32}-signed as well to match, since these four source packages must all have matching versions - I'm not sure exactly how the tools work from your end. diff -Nru grub2-2.04/debian/.git-dpm grub2-2.04/debian/.git-dpm --- grub2-2.04/debian/.git-dpm 2021-03-19 10:41:41.000000000 +0000 +++ grub2-2.04/debian/.git-dpm 2021-04-25 16:20:17.000000000 +0100 @@ -1,6 +1,6 @@ # see git-dpm(1) from git-dpm package -3d246c561a2c6aa18b78eae69e5100a2347dc7aa -3d246c561a2c6aa18b78eae69e5100a2347dc7aa +0eae44daa60c3f0ce8fdb349ba71b869a6738efd +0eae44daa60c3f0ce8fdb349ba71b869a6738efd 578bb115fbd47e1c464696f1f8d6183e5443975d 578bb115fbd47e1c464696f1f8d6183e5443975d grub2_2.04.orig.tar.xz diff -Nru grub2-2.04/debian/build-efi-images grub2-2.04/debian/build-efi-images --- grub2-2.04/debian/build-efi-images 2021-03-19 10:41:41.000000000 +0000 +++ grub2-2.04/debian/build-efi-images 2021-04-25 16:20:17.000000000 +0100 @@ -150,12 +150,6 @@ cpuid linuxefi play - " - ;; -esac -case $platform in - x86_64-efi) - CD_MODULES="$CD_MODULES tpm " ;; @@ -197,6 +191,7 @@ " # CD boot image +echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi" "$grub_mkimage" -O "$platform" -o "$outdir/gcd$efi_name.efi" \ -d "$grub_core" \ -c "$workdir/grub-bootstrap.cfg" -m "$workdir/memdisk.fat" \ 
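Review bot: The new `echo "Including modules $CD_MODULES in $outdir/gcd$efi_name.efi"` line in debian/build-efi-images prints the list that was requested, not what ends up in the image, because grub-mkimage also embeds the dependencies of the listed modules. The same applies to the three matching lines for `$GRUB_MODULES` and `$NET_MODULES` in the next two hunks. For a log meant to help debug what a signed image contains, wording such as `echo "Requested modules for $outdir/gcd$efi_name.efi: $CD_MODULES"` avoids implying the list is complete. The script starts and continues outside these hunks.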
@@ -205,12 +200,14 @@ $CD_MODULES # Normal disk boot image +echo "Including modules $GRUB_MODULES in $outdir/grub$efi_name.efi" "$grub_mkimage" -O "$platform" -o "$outdir/grub$efi_name.efi" \ -d "$grub_core" -p "/EFI/$efi_vendor" \ --sbat "$sbat_csv" \ $GRUB_MODULES # Normal network boot image +echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name.efi" "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name.efi" \ -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ -m "$workdir/memdisk-netboot.fat" \ @@ -221,6 +218,7 @@ # Special network boot image for d-i to use. Just the same as the # normal network boot image, but with a different value baked in for # the prefix setting +echo "Including modules $NET_MODULES in $outdir/grubnet$efi_name-installer.efi" "$grub_mkimage" -O "$platform" -o "$outdir/grubnet$efi_name-installer.efi" \ -d "$grub_core" -c "$workdir/grub-bootstrap.cfg" \ -m "$workdir/memdisk-netboot.fat" \ diff -Nru grub2-2.04/debian/changelog grub2-2.04/debian/changelog --- grub2-2.04/debian/changelog 2021-03-19 10:41:41.000000000 +0000 +++ grub2-2.04/debian/changelog 2021-04-25 16:20:17.000000000 +0100 
@@ -1,3 +1,18 @@ +grub2 (2.04-18) unstable; urgency=medium + + [ Steve McIntyre ] + * Enable the shim_lock and tpm modules for i386-efi too. Ensure that + tpm is included in our EFI images. + * List the modules we include the EFI images - make it easier to + debug things. + * Add debug to display what's going on with verifiers + + [ Colin Watson ] + * util/mkimage: Some fixes to PE binaries section size calculation + (closes: #987103). + + -- Colin Watson <cjwat...@debian.org> Sun, 25 Apr 2021 16:20:17 +0100 + grub2 (2.04-17) unstable; urgency=medium * Pass --sbat when building the d-i netboot image as well. diff -Nru grub2-2.04/debian/patches/debug_verifiers.patch grub2-2.04/debian/patches/debug_verifiers.patch --- grub2-2.04/debian/patches/debug_verifiers.patch 1970-01-01 01:00:00.000000000 +0100 +++ grub2-2.04/debian/patches/debug_verifiers.patch 2021-04-25 16:20:17.000000000 +0100 
@@ -0,0 +1,28 @@
+From bb6fe7f81818b8d102ca92b174d79aebb62469a0 Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93...@debian.org>
+Date: Sat, 17 Apr 2021 22:05:47 +0100
+Subject: Add debug to display what's going on with verifiers
+
+Patch-Name: debug_verifiers.patch
+---
+ grub-core/kern/verifiers.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/grub-core/kern/verifiers.c b/grub-core/kern/verifiers.c
+index 58dbe152a..ff984c8d8 100644
+--- a/grub-core/kern/verifiers.c
++++ b/grub-core/kern/verifiers.c
+@@ -100,11 +100,13 @@ grub_verifiers_open (grub_file_t io, enum grub_file_type type)
+ FOR_LIST_ELEMENTS(ver, grub_file_verifiers)
+ {
+ enum grub_verify_flags flags = 0;
++ grub_dprintf ("verify", "trying verifier %s\n", ver->name);
+ err = ver->init (io, type, &context, &flags);
+ if (err)
+ goto fail_noclose;
+ if (flags & GRUB_VERIFY_FLAGS_DEFER_AUTH)
+ {
++ grub_dprintf ("verify", "verifier %s said GRUB_VERIFY_FLAGS_DEFER_AUTH\n", ver->name);
+ defer = 1;
+ continue;
+ }
diff -Nru grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch
--- grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch 1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/enable_shim_lock_i386_efi.patch 2021-04-25 16:20:17.000000000 +0100
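Review bot: In debug_verifiers.patch the two added `grub_dprintf` calls in `grub_verifiers_open` cover the "trying" and "deferred" cases but not the `if (err) goto fail_noclose;` path right after `ver->init`. That is the outcome most worth seeing when a verifier rejects a file under Secure Boot. Consider bracing that branch and adding `grub_dprintf ("verify", "verifier %s init failed: %d\n", ver->name, err);` before the `goto`. The function starts before and continues past the hunk, so later branches may deserve the same treatment.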
@@ -0,0 +1,33 @@
+From 3d04d38e67bb78127a6ec4329634441c4bf4194c Mon Sep 17 00:00:00 2001
+From: Steve McIntyre <93...@debian.org>
+Date: Sat, 17 Apr 2021 22:04:38 +0100
+Subject: Enable shim_lock and tpm modules for all efi platforms, not just
+ x86_64_efi
+
+Patch-Name: enable_shim_lock_i386_efi.patch
+---
+ grub-core/Makefile.core.def | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
+index 43b3da725..b9d2912a0 100644
+--- a/grub-core/Makefile.core.def
++++ b/grub-core/Makefile.core.def
+@@ -948,7 +948,7 @@ module = {
+ module = {
+ name = shim_lock;
+ common = commands/efi/shim_lock.c;
+- enable = x86_64_efi;
++ enable = efi;
+ };
+
+ module = {
+@@ -2488,7 +2488,7 @@ module = {
+ name = tpm;
+ common = commands/tpm.c;
+ efi = commands/efi/tpm.c;
+- enable = x86_64_efi;
++ enable = efi;
+ };
+
+ module = {
diff -Nru grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch
--- grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch 1970-01-01 01:00:00.000000000 +0100
+++ grub2-2.04/debian/patches/mkimage-fix-section-sizes.patch 2021-04-25 16:20:17.000000000 +0100
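Review bot: In enable_shim_lock_i386_efi.patch both `enable = efi;` lines widen shim_lock and tpm to every EFI target, while the changelog entry in this upload describes the change as "for i386-efi too". Nothing visible here shows that `commands/efi/shim_lock.c` and `commands/efi/tpm.c` were built or exercised on the other EFI architectures this upload mentions (arm64, ia64). If only x86 is intended, listing the targets explicitly with `enable = i386_efi;` and `enable = x86_64_efi;` keeps the scope tight. Otherwise the patch description should state that the other EFI targets were build-tested, since these modules sit on the Secure Boot verification path.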
@@ -0,0 +1,109 @@
+From 0eae44daa60c3f0ce8fdb349ba71b869a6738efd Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas <javi...@redhat.com>
+Date: Fri, 16 Apr 2021 21:37:23 +0200
+Subject: util/mkimage: Some fixes to PE binaries section size calculation
+
+Commit f60ba9e5945 (util/mkimage: Refactor section setup to use a helper)
+added a helper function to setup PE sections, but it caused regressions
+in some arches where the natural alignment lead to wrong section sizes.
+
+This patch fixes a few things that were caused the section sizes to be
+calculated wrongly. These fixes are:
+
+ * Only align the virtual memory addresses but not the raw data offsets.
+ * Use aligned sizes for virtual memory sizes but not for raw data sizes.
+ * Always align the sizes to set the virtual memory sizes.
+
+These seems to not cause problems for x64 and aa64 EFI platforms but was
+a problem for ia64. Because the size of the ".data" and "mods" sections
+were wrong and didn't have the correct content. Which lead to GRUB not
+being able to load any built-in module.
+ +Reported-by: John Paul Adrian Glaubitz <glaub...@physik.fu-berlin.de> +Signed-off-by: Javier Martinez Canillas <javi...@redhat.com> + +Bug-Debian: https://bugs.debian.org/987103 + +Patch-Name: mkimage-fix-section-sizes.patch +--- + util/mkimage.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +diff --git a/util/mkimage.c b/util/mkimage.c +index b354ec1d9..9c01723ef 100644 +--- a/util/mkimage.c ++++ b/util/mkimage.c +@@ -841,7 +841,7 @@ init_pe_section(const struct grub_install_image_target_desc *image_target, + + section->raw_data_offset = grub_host_to_target32 (*rda); + section->raw_data_size = grub_host_to_target32 (rsz); +- (*rda) = ALIGN_UP (*rda + rsz, GRUB_PE32_FILE_ALIGNMENT); ++ (*rda) = *rda + rsz; + + section->characteristics = grub_host_to_target32 (characteristics); + +@@ -1296,7 +1296,7 @@ grub_install_generate_image (const char *dir, const char *prefix, + char *pe_img, *pe_sbat, *header; + struct grub_pe32_section_table *section; + size_t n_sections = 4; +- size_t scn_size; ++ size_t scn_size, raw_size; + grub_uint32_t vma, raw_data; + size_t pe_size, header_size; + struct grub_pe32_coff_header *c; +@@ -1397,7 +1397,8 @@ grub_install_generate_image (const char *dir, const char *prefix, + GRUB_PE32_SCN_MEM_EXECUTE | + GRUB_PE32_SCN_MEM_READ); + +- scn_size = ALIGN_UP (layout.kernel_size - layout.exec_size, GRUB_PE32_FILE_ALIGNMENT); ++ raw_size = layout.kernel_size - layout.exec_size; ++ scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT); + /* ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT) is done earlier. 
*/ + PE_OHDR (o32, o64, data_size) = grub_host_to_target32 (scn_size + sbat_size + + ALIGN_UP (total_module_size, +@@ -1405,15 +1406,16 @@ grub_install_generate_image (const char *dir, const char *prefix, + + section = init_pe_section (image_target, section, ".data", + &vma, scn_size, image_target->section_align, +- &raw_data, scn_size, ++ &raw_data, raw_size, + GRUB_PE32_SCN_CNT_INITIALIZED_DATA | + GRUB_PE32_SCN_MEM_READ | + GRUB_PE32_SCN_MEM_WRITE); + +- scn_size = pe_size - layout.reloc_size - sbat_size - raw_data; ++ raw_size = pe_size - layout.reloc_size - sbat_size - raw_data; ++ scn_size = ALIGN_UP (raw_size, GRUB_PE32_FILE_ALIGNMENT); + section = init_pe_section (image_target, section, "mods", + &vma, scn_size, image_target->section_align, +- &raw_data, scn_size, ++ &raw_data, raw_size, + GRUB_PE32_SCN_CNT_INITIALIZED_DATA | + GRUB_PE32_SCN_MEM_READ | + GRUB_PE32_SCN_MEM_WRITE); +@@ -1423,21 +1425,22 @@ grub_install_generate_image (const char *dir, const char *prefix, + pe_sbat = pe_img + raw_data; + grub_util_load_image (sbat_path, pe_sbat); + ++ scn_size = ALIGN_UP (sbat_size, GRUB_PE32_FILE_ALIGNMENT); + section = init_pe_section (image_target, section, ".sbat", +- &vma, sbat_size, ++ &vma, scn_size, + image_target->section_align, + &raw_data, sbat_size, + GRUB_PE32_SCN_CNT_INITIALIZED_DATA | + GRUB_PE32_SCN_MEM_READ); + } + +- scn_size = layout.reloc_size; ++ scn_size = ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT); + PE_OHDR (o32, o64, base_relocation_table.rva) = grub_host_to_target32 (vma); + PE_OHDR (o32, o64, base_relocation_table.size) = grub_host_to_target32 (scn_size); + memcpy (pe_img + raw_data, layout.reloc_section, scn_size); + init_pe_section (image_target, section, ".reloc", + &vma, scn_size, image_target->section_align, +- &raw_data, scn_size, ++ &raw_data, layout.reloc_size, + GRUB_PE32_SCN_CNT_INITIALIZED_DATA | + GRUB_PE32_SCN_MEM_DISCARDABLE | + GRUB_PE32_SCN_MEM_READ); diff -Nru grub2-2.04/debian/patches/series 
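Review bot: In the last inner hunk of mkimage-fix-section-sizes.patch (`.reloc`), `scn_size` becomes `ALIGN_UP (layout.reloc_size, GRUB_PE32_FILE_ALIGNMENT)`, but the unchanged `memcpy (pe_img + raw_data, layout.reloc_section, scn_size);` still uses it as the copy length. Unless `layout.reloc_section` is already padded to the file alignment (its allocation is outside the hunk), the copy reads past the `layout.reloc_size` bytes of relocation data. The rest of the patch separates raw sizes from aligned virtual sizes, so the copy should use the raw one: `memcpy (pe_img + raw_data, layout.reloc_section, layout.reloc_size);`. It is also worth confirming that `base_relocation_table.size` is meant to carry the padded size rather than `layout.reloc_size`. `grub_install_generate_image` starts and ends outside the hunk.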
grub2-2.04/debian/patches/series --- grub2-2.04/debian/patches/series 2021-03-19 10:41:41.000000000 +0000 +++ grub2-2.04/debian/patches/series 2021-04-25 16:20:17.000000000 +0100 @@ -214,3 +214,6 @@ 2021-02-security/112-gfxmenu-gui-Check-printf-format-in-the-gui_progress_bar-and-gui_label.patch 2021-02-security/113-kern-mm-Fix-grub_debug_calloc-compilation-error.patch pc-verifiers-module.patch +enable_shim_lock_i386_efi.patch +debug_verifiers.patch +mkimage-fix-section-sizes.patch unblock grub2/2.04-18 Thanks, -- Colin Watson (he/him) [cjwat...@debian.org]