Hello community,
here is the log from the commit of package grub2 for openSUSE:Factory checked
in at 2020-08-23 09:21:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/grub2 (Old)
and /work/SRC/openSUSE:Factory/.grub2.new.3399 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "grub2"
Sun Aug 23 09:21:14 2020 rev:225 rq:828453 version:2.04
Changes:
--------
--- /work/SRC/openSUSE:Factory/grub2/grub2.changes 2020-08-15
21:18:45.947568047 +0200
+++ /work/SRC/openSUSE:Factory/.grub2.new.3399/grub2.changes 2020-08-23
09:21:21.278690946 +0200
@@ -1,0 +2,15 @@
+Fri Aug 21 04:40:48 UTC 2020 - Michael Chang <mch...@suse.com>
+
+- Add fibre channel device's ofpath support to grub-ofpathname and search hint
+ to speed up root device discovery (bsc#1172745)
+ * 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+ * 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
+
+-------------------------------------------------------------------
+Tue Aug 18 06:02:21 UTC 2020 - Michael Chang <mch...@suse.com>
+
+- Fix for CVE-2020-15705 (bsc#1174421)
+ * 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+ * 0002-cmdline-Provide-cmdline-functions-as-module.patch
+
+-------------------------------------------------------------------
New:
----
0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
0002-cmdline-Provide-cmdline-functions-as-module.patch
0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ grub2.spec ++++++
--- /var/tmp/diff_new_pack.uDApST/_old 2020-08-23 09:21:25.218693130 +0200
+++ /var/tmp/diff_new_pack.uDApST/_new 2020-08-23 09:21:25.222693132 +0200
@@ -321,6 +321,14 @@
# overflows in initrd size handling
Patch713: 0010-linux-Fix-integer-overflows-in-initrd-size-handling.patch
Patch714: 0001-kern-mm.c-Make-grub_calloc-inline.patch
+# bsc#1174421 VUL-0: CVE-2020-15705: grub2: linuxefi: fail kernel validation
+# without shim protocol
+Patch715: 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch
+Patch716: 0002-cmdline-Provide-cmdline-functions-as-module.patch
+# bsc#1172745 L3: SLES 12 SP4 - Slow boot of system after updated kernel -
+# takes 45 minutes after grub to start loading kernel
+Patch717: 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch
+Patch718: 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch
Requires: gettext-runtime
%if 0%{?suse_version} >= 1140
@@ -637,6 +645,10 @@
%patch712 -p1
%patch713 -p1
%patch714 -p1
+%patch715 -p1
+%patch716 -p1
+%patch717 -p1
+%patch718 -p1
%build
# collect evidence to debug spurious build failure on SLE15
++++++ 0001-ieee1275-powerpc-implements-fibre-channel-discovery-.patch ++++++
>From ca30b3c6fd8c848f510445316d0c4a8fca6061ba Mon Sep 17 00:00:00 2001
From: Diego Domingos <dieg...@br.ibm.com>
Date: Wed, 24 Jun 2020 08:17:18 -0400
Subject: [PATCH 1/2] ieee1275/powerpc: implements fibre channel discovery for
ofpathname
grub-ofpathname doesn't work with fibre channel because there is no
function currently implemented for it.
This patch enables it by prividing a function that looks for the port
name, building the entire path for OF devices.
---
grub-core/osdep/linux/ofpath.c | 48 ++++++++++++++++++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
index a6153d359..f2bc9fc5c 100644
--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
@@ -399,6 +399,37 @@ of_path_of_nvme(const char *sys_devname
__attribute__((unused)),
}
#endif
+static void
+of_fc_port_name(const char *path, const char *subpath, char *port_name)
+{
+ char *bname, *basepath, *p;
+ int fd;
+
+ bname = xmalloc(sizeof(char)*150);
+ basepath = xmalloc(strlen(path));
+
+ /* Generate the path to get port name information from the drive */
+ strncpy(basepath,path,subpath-path);
+ basepath[subpath-path-1] = '\0';
+ p = get_basename(basepath);
+ snprintf(bname,sizeof(char)*150,"%s/fc_transport/%s/port_name",basepath,p);
+
+ /* Read the information from the port name */
+ fd = open (bname, O_RDONLY);
+ if (fd < 0)
+ grub_util_error (_("cannot open `%s': %s"), bname, strerror (errno));
+
+ if (read(fd,port_name,sizeof(char)*19) < 0)
+ grub_util_error (_("cannot read `%s': %s"), bname, strerror (errno));
+
+ sscanf(port_name,"0x%s",port_name);
+
+ close(fd);
+
+ free(bname);
+ free(basepath);
+}
+
static int
vendor_is_ATA(const char *path)
{
@@ -577,6 +608,16 @@ of_path_of_scsi(const char *sys_devname
__attribute__((unused)), const char *dev
digit_string = trailing_digits (device);
if (strncmp (of_path, "/vdevice/", sizeof ("/vdevice/") - 1) == 0)
{
+ if(strstr(of_path,"vfc-client"))
+ {
+ char * port_name = xmalloc(sizeof(char)*17);
+ of_fc_port_name(sysfs_path, p, port_name);
+
+ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
+ free(port_name);
+ }
+ else
+ {
unsigned long id = 0x8000 | (tgt << 8) | (bus << 5) | lun;
if (*digit_string == '\0')
{
@@ -590,6 +631,13 @@ of_path_of_scsi(const char *sys_devname
__attribute__((unused)), const char *dev
snprintf(disk, sizeof (disk),
"/%s@%04lx000000000000:%c", disk_name, id, 'a' + (part - 1));
}
+ }
+ } else if
(strstr(of_path,"fibre-channel")||(strstr(of_path,"vfc-client"))){
+ char * port_name = xmalloc(sizeof(char)*17);
+ of_fc_port_name(sysfs_path, p, port_name);
+
+ snprintf(disk,sizeof(disk),"/%s@%s", disk_name, port_name);
+ free(port_name);
}
else
{
--
2.26.2
++++++ 0001-linuxefi-fail-kernel-validation-without-shim-protoco.patch ++++++
>From 1b4f4b2f5cd9b804a5bb66861b659d05d9a4f35a Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Mon, 17 Aug 2020 17:09:01 +0800
Subject: [PATCH 1/2] linuxefi: fail kernel validation without shim protocol.
If certificates that signed grub are installed into db, grub can be
booted directly. It will then boot any kernel without signature
validation. The booted kernel will think it was booted in secureboot
mode and will implement lockdown, yet it could have been tampered.
This version of the patch skips calling verification, when booted
without secureboot.
CVE-2020-15705
Reported-by: Mathieu Trudel-Lapierre <cypher...@ubuntu.com>
Also-by: Dimitri John Ledkov <x...@ubuntu.com>
Signed-off-by: Michael Chang <mch...@suse.com>
---
grub-core/loader/i386/efi/linux.c | 17 +++++++++++++++++
1 file changed, 17 insertions(+)
diff --git a/grub-core/loader/i386/efi/linux.c
b/grub-core/loader/i386/efi/linux.c
index 61b2d5177..8017e8c05 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -172,6 +172,23 @@ grub_cmd_linux (grub_command_t cmd __attribute__
((unused)),
goto fail;
}
+ if (grub_efi_secure_boot())
+ {
+ grub_dl_t mod;
+
+ mod = grub_dl_get ("shim_lock");
+ if (!mod)
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock module is not
loaded"));
+ goto fail;
+ }
+ if (!grub_dl_is_persistent (mod))
+ {
+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("shim_lock protocol is not
available"));
+ goto fail;
+ }
+ }
+
file = grub_file_open (argv[0], GRUB_FILE_TYPE_LINUX_KERNEL);
if (! file)
goto fail;
--
2.26.2
++++++ 0002-cmdline-Provide-cmdline-functions-as-module.patch ++++++
>From 42cb0ebbffd660608612f9e32150a6596c6933c4 Mon Sep 17 00:00:00 2001
From: Michael Chang <mch...@suse.com>
Date: Mon, 17 Aug 2020 17:25:56 +0800
Subject: [PATCH 2/2] cmdline: Provide cmdline functions as module
The command line processing is needed by many loader modules, hence we should
make it a sharable one rather than belonging to linux loader. This can cut the
dependency to linux module among multiple loaders like multiboot linuxefi and
so on to make custom boot image much more flexible to compose.
Signed-off-by: Michael Chang <mch...@suse.com>
---
grub-core/Makefile.core.def | 6 +++++-
grub-core/lib/cmdline.c | 3 +++
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index c413267a0..6045da47b 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1790,7 +1790,6 @@ module = {
riscv64 = loader/riscv/linux.c;
emu = loader/emu/linux.c;
common = loader/linux.c;
- common = lib/cmdline.c;
};
module = {
@@ -2518,3 +2517,8 @@ module = {
common = commands/i386/wrmsr.c;
enable = x86;
};
+
+module = {
+ name = cmdline;
+ common = lib/cmdline.c;
+};
diff --git a/grub-core/lib/cmdline.c b/grub-core/lib/cmdline.c
index ed0b149dc..bd392e30f 100644
--- a/grub-core/lib/cmdline.c
+++ b/grub-core/lib/cmdline.c
@@ -19,6 +19,9 @@
#include <grub/lib/cmdline.h>
#include <grub/misc.h>
+#include <grub/dl.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
static unsigned int check_arg (char *c, int *has_space)
{
--
2.26.2
++++++ 0002-ieee1275-powerpc-enables-device-mapper-discovery.patch ++++++
>From 8b31ebfa42eb5af0633191d26fcdcea8c539e521 Mon Sep 17 00:00:00 2001
From: Diego Domingos <dieg...@br.ibm.com>
Date: Wed, 24 Jun 2020 08:22:50 -0400
Subject: [PATCH 2/2] ieee1275/powerpc: enables device mapper discovery
this patch enables the device mapper discovery on ofpath.c. Currently,
when we are dealing with a device like /dev/dm-* the ofpath returns null
since there is no function implemented to handle this case.
This patch implements a function that will look into /sys/block/dm-*
devices and search recursively inside slaves directory to find the root
disk.
---
grub-core/osdep/linux/ofpath.c | 64 +++++++++++++++++++++++++++++++++-
1 file changed, 63 insertions(+), 1 deletion(-)
diff --git a/grub-core/osdep/linux/ofpath.c b/grub-core/osdep/linux/ofpath.c
index f2bc9fc5c..d1040c4e6 100644
--- a/grub-core/osdep/linux/ofpath.c
+++ b/grub-core/osdep/linux/ofpath.c
@@ -37,6 +37,7 @@
#include <fcntl.h>
#include <errno.h>
#include <ctype.h>
+#include <dirent.h>
#ifdef __sparc__
typedef enum
@@ -754,13 +755,74 @@ strip_trailing_digits (const char *p)
return new;
}
+static char *
+get_slave_from_dm(const char * device){
+ char *curr_device, *tmp;
+ char *directory;
+ char *ret = NULL;
+
+ directory = grub_strdup (device);
+ tmp = get_basename(directory);
+ curr_device = grub_strdup (tmp);
+ *tmp = '\0';
+
+ /* Recursively check for slaves devices so we can find the root device */
+ while ((curr_device[0] == 'd') && (curr_device[1] == 'm') && (curr_device[2]
== '-')){
+ DIR *dp;
+ struct dirent *ep;
+ char* device_path;
+
+ device_path = grub_xasprintf ("/sys/block/%s/slaves", curr_device);
+ dp = opendir(device_path);
+ free(device_path);
+
+ if (dp != NULL)
+ {
+ ep = readdir (dp);
+ while (ep != NULL){
+
+ /* avoid some system directories */
+ if (!strcmp(ep->d_name,"."))
+ goto next_dir;
+ if (!strcmp(ep->d_name,".."))
+ goto next_dir;
+
+ free (curr_device);
+ free (ret);
+ curr_device = grub_strdup (ep->d_name);
+ ret = grub_xasprintf ("%s%s", directory, curr_device);
+ break;
+
+ next_dir:
+ ep = readdir (dp);
+ continue;
+ }
+ closedir (dp);
+ }
+ else
+ grub_util_warn (_("cannot open directory `%s'"), device_path);
+ }
+
+ free (directory);
+ free (curr_device);
+
+ return ret;
+}
+
char *
grub_util_devname_to_ofpath (const char *sys_devname)
{
- char *name_buf, *device, *devnode, *devicenode, *ofpath;
+ char *name_buf, *device, *devnode, *devicenode, *ofpath, *realname;
name_buf = xrealpath (sys_devname);
+ realname = get_slave_from_dm (name_buf);
+ if (realname)
+ {
+ free (name_buf);
+ name_buf = realname;
+ }
+
device = get_basename (name_buf);
devnode = strip_trailing_digits (name_buf);
devicenode = strip_trailing_digits (device);
--
2.26.2
