This config has a security problem. If a user has full acces to some
partition (e.g. fto server partition) he can put grub.xen there and load
his own code
On Dec 12, 2013 4:38 PM, "Colin Watson" <cjwat...@ubuntu.com> wrote:
> * .gitignore: Add xen.cfg.
> * Makefile.am (grub-core/xen.cfg): New rule.
> (grub.xen): Likewise. Add to platform_DATA.
> * configure.ac (COND_xen): New conditional.
> * grub-core/Makefile.core.def (xen.cfg): New definition.
> * grub-core/boot/xen/xen.cfg.in: New file. This is suitable for
> installation both in the dom0 filesystem (where it will find and
> chainload a secondary grub.xen) and in the domU filesystem (where it
> will load a matching grub.cfg).
> ---
> .gitignore | 1 +
> ChangeLog | 14 ++++++++++++++
> Makefile.am | 14 ++++++++++++++
> configure.ac | 1 +
> grub-core/Makefile.core.def | 7 +++++++
> grub-core/boot/xen/xen.cfg.in | 31 +++++++++++++++++++++++++++++++
> 6 files changed, 68 insertions(+)
> create mode 100644 grub-core/boot/xen/xen.cfg.in
>
> diff --git a/.gitignore b/.gitignore
> index 2292cc9..51aa8b4 100644
> --- a/.gitignore
> +++ b/.gitignore
> @@ -153,6 +153,7 @@ trigtables.c
> uhci_test
> update-grub_lib
> unidata.c
> +xen.cfg
> xzcompress_test
> Makefile.in
> GPATH
> diff --git a/ChangeLog b/ChangeLog
> index fc86601..58304f7 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,5 +1,19 @@
> 2013-12-12 Colin Watson <cjwat...@ubuntu.com>
>
> + Build grub.xen.
> +
> + * .gitignore: Add xen.cfg.
> + * Makefile.am (grub-core/xen.cfg): New rule.
> + (grub.xen): Likewise. Add to platform_DATA.
> + * configure.ac (COND_xen): New conditional.
> + * grub-core/Makefile.core.def (xen.cfg): New definition.
> + * grub-core/boot/xen/xen.cfg.in: New file. This is suitable for
> + installation both in the dom0 filesystem (where it will find and
> + chainload a secondary grub.xen) and in the domU filesystem (where
> it
> + will load a matching grub.cfg).
> +
> +2013-12-12 Colin Watson <cjwat...@ubuntu.com>
> +
> Accept environment variables on the command line for Xen.
>
> * grub-core/kern/xen/init.c (fetch_command_line_word): New
> function.
> diff --git a/Makefile.am b/Makefile.am
> index 0a2c099..e9792f6 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -402,6 +402,20 @@ default_payload.elf: grub-mkstandalone grub-mkimage
> pkgdatadir=. ./grub-mkstandalone --grub-mkimage=./grub-mkimage -O
> i386-coreboot -o $@ --modules='ahci pata ehci uhci ohci usb_keyboard usbms
> part_msdos xfs ext2 fat at_keyboard part_gpt usbserial_usbdebug cbfs'
> --install-modules='ls linux search configfile normal cbtime cbls memrw iorw
> minicmd lsmmap lspci halt reboot hexdump pcidump regexp setpci lsacpi chain
> test' --fonts= --themes= --locales= -d grub-core/
> /boot/grub/grub.cfg=$(srcdir)/coreboot.cfg
> endif
>
> +if COND_xen
> +# The grub-core/util split means that we have to duplicate rules a little
> +# bit here.
> +grub-core/xen.cfg: grub-core/boot/xen/xen.cfg.in
> + $(MAKE) -C grub-core xen.cfg
> +
> +grub.xen: grub-mkstandalone grub-mkimage grub-core/xen.cfg
> + pkgdatadir=. ./grub-mkstandalone --grub=mkimage=./grub-mkimage \
> + -o $@ -O $(target_cpu)-$(platform) -d grub-core/ \
> + /boot/grub/grub.cfg=grub-core/xen.cfg
> +
> +platform_DATA += grub.xen
> +endif
> +
> windowsdir=$(top_builddir)/$(PACKAGE)-$(VERSION)-for-windows
> windowsdir: $(PROGRAMS) $(starfield_DATA) $(platform_DATA)
> test -d $(windowsdir) && rm -rf $(windowsdir) || true
> diff --git a/configure.ac b/configure.ac
> index 0abbb99..08aa751 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -1590,6 +1590,7 @@ AM_CONDITIONAL([COND_i386_ieee1275], [test
> x$target_cpu = xi386 -a x$platform =
> AM_CONDITIONAL([COND_i386_coreboot], [test x$target_cpu = xi386 -a
> x$platform = xcoreboot])
> AM_CONDITIONAL([COND_i386_multiboot], [test x$target_cpu = xi386 -a
> x$platform = xmultiboot])
> AM_CONDITIONAL([COND_x86_64_efi], [test x$target_cpu = xx86_64 -a
> x$platform = xefi])
> +AM_CONDITIONAL([COND_xen], [test x$platform = xxen])
> AM_CONDITIONAL([COND_i386_xen], [test x$target_cpu = xi386 -a x$platform
> = xxen])
> AM_CONDITIONAL([COND_x86_64_xen], [test x$target_cpu = xx86_64 -a
> x$platform = xxen])
> AM_CONDITIONAL([COND_mips_loongson], [test x$target_cpu = xmipsel -a
> x$platform = xloongson])
> diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
> index 060de44..63a8351 100644
> --- a/grub-core/Makefile.core.def
> +++ b/grub-core/Makefile.core.def
> @@ -44,6 +44,13 @@ script = {
> enable = powerpc_ieee1275;
> };
>
> +script = {
> + installdir = platform;
> + name = xen.cfg;
> + common = boot/xen/xen.cfg.in;
> + enable = xen;
> +};
> +
> kernel = {
> name = kernel;
>
> diff --git a/grub-core/boot/xen/xen.cfg.in b/grub-core/boot/xen/xen.cfg.in
> new file mode 100644
> index 0000000..e2e590c
> --- /dev/null
> +++ b/grub-core/boot/xen/xen.cfg.in
> @@ -0,0 +1,31 @@
> +if [ -z "$grub_xen_guest" ]; then
> + # This is the copy of grub.xen installed in the dom0's filesystem.
> + # Look for a copy in the domU's filesystem and chainload that.
> This
> + # allows us to guarantee that GRUB will be in sync with the
> + # configuration file in the domU. The file locations here must not
> + # have any configure-generated substitutions applied, as the intent
> + # is that a single grub.xen should be able to cope with a variety
> of
> + # domU systems.
> + if search --set=root --file /boot/grub/grub.xen; then
> + linux /boot/grub/grub.xen grub_xen_guest=1
> + boot
> + elif search --set=root --file=/boot/grub2/grub.xen; then
> + linux /boot/grub2/grub.xen grub_xen_guest=1
> + boot
> + else
> + echo "No grub.xen found in guest filesystem. Tried:"
> + echo " /boot/grub/grub.xen"
> + echo " /boot/grub2/grub.xen"
> + halt
> + fi
> +else
> + # This is the copy of grub.xen installed in the domU's filesystem.
> + # Read its configuration file.
> + if search --set=root --exclude=memdisk --file \
> + /@bootdirname@/@grubdirname@/grub.cfg; then
> + configfile /@bootdirname@/@grubdirname@/grub.cfg
> + else
> + echo "No /@bootdirname@/@grubdirname@/grub.cfg found in
> guest filesystem."
> + halt
> + fi
> +fi
> --
> 1.8.4.4
>
> _______________________________________________
> Grub-devel mailing list
> Grub-devel@gnu.org
> https://lists.gnu.org/mailman/listinfo/grub-devel
>
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
