grub

Merge ~juliank/grub/+git/ubuntu:ubuntu into ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu

  1. Git
  2. lp:~juliank/grub/+git/ubuntu
  3. ubuntu
  4. Merge into ubuntu
Proposed by Julian Andres Klode
Status: Merged
Merged at revision: f334ceef8d79d9389737e2ddff3eb39c6674ec41
Proposed branch: ~juliank/grub/+git/ubuntu:ubuntu
Merge into: ~ubuntu-core-dev/grub/+git/ubuntu:ubuntu
Diff against target: 302 lines (+186/-30)
7 files modified
debian/.git-dpm (+2/-2)
debian/changelog (+3/-1)
debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch (+118/-0)
debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch (+25/-0)
debian/patches/series (+2/-0)
grub-core/loader/i386/efi/linux.c (+10/-6)
grub-core/loader/i386/linux.c (+26/-21)
Reviewer Review Type Date Requested Status
Dimitri John Ledkov Pending
Review via email: mp+380563@code.launchpad.net
To post a comment you must log in.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 89761e2..f4a174d 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1# see git-dpm(1) from git-dpm package1# see git-dpm(1) from git-dpm package
279d4ae1df7b63ef106a85ad18bfedb6d709ef29a2e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9
379d4ae1df7b63ef106a85ad18bfedb6d709ef29a3e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9
4578bb115fbd47e1c464696f1f8d6183e5443975d4578bb115fbd47e1c464696f1f8d6183e5443975d
5578bb115fbd47e1c464696f1f8d6183e5443975d5578bb115fbd47e1c464696f1f8d6183e5443975d
6grub2_2.04.orig.tar.xz6grub2_2.04.orig.tar.xz
diff --git a/debian/changelog b/debian/changelog
index aa3f194..4ccc769 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,8 +1,10 @@
1grub2 (2.04-1ubuntu22) UNRELEASED; urgency=medium1grub2 (2.04-1ubuntu22) UNRELEASED; urgency=medium
22
3 * smbios: Add a --linux argument to apply linux modalias-like filtering3 * smbios: Add a --linux argument to apply linux modalias-like filtering
4 * Make the linux command in EFI grub always try EFI handover; thanks
5 to Chris Coulson for the patches (LP: #1864533)
46
5 -- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 14:16:40 +01007 -- Julian Andres Klode <juliank@ubuntu.com> Wed, 11 Mar 2020 16:47:03 +0100
68
7grub2 (2.04-1ubuntu21) focal; urgency=medium9grub2 (2.04-1ubuntu21) focal; urgency=medium
810
diff --git a/debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch b/debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
9new file mode 10064411new file mode 100644
index 0000000..97f0f56
--- /dev/null
+++ b/debian/patches/0077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
@@ -0,0 +1,118 @@
1From a9ec17dcc442a6a0b09e480ca864746438cc3fad Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Wed, 11 Mar 2020 16:46:00 +0100
4Subject: ubuntu: Make the linux command in EFI grub always try EFI handover
5
6The previous implementation only boots via the EFI handover protocol when
7secure boot is enabled. This means that disabling secure boot breaks some
8features that depend on the kernel being booted via the EFI handover entry
9point, such as retrieval of the TCG event log.
10
11Update the linux command to always attempt to defer to linuxefi in EFI grub
12builds, regardless of whether secure boot is enabled or not. This also allows
13a fallback to the non-EFI handover path on kernels that don't support it, but
14only if secure boot is disabled.
15---
16 grub-core/loader/i386/efi/linux.c | 14 +++++----
17 grub-core/loader/i386/linux.c | 47 +++++++++++++++++--------------
18 2 files changed, 35 insertions(+), 26 deletions(-)
19
20diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
21index 6b6aef87f..fe3ca2c59 100644
22--- a/grub-core/loader/i386/efi/linux.c
23+++ b/grub-core/loader/i386/efi/linux.c
24@@ -27,6 +27,7 @@
25 #include <grub/lib/cmdline.h>
26 #include <grub/efi/efi.h>
27 #include <grub/efi/linux.h>
28+#include <grub/efi/sb.h>
29
30 GRUB_MOD_LICENSE ("GPLv3+");
31
32@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
33 goto fail;
34 }
35
36- rc = grub_linuxefi_secure_validate (kernel, filelen);
37- if (rc < 0)
38+ if (grub_efi_secure_boot ())
39 {
40- grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
41- argv[0]);
42- goto fail;
43+ rc = grub_linuxefi_secure_validate (kernel, filelen);
44+ if (rc < 0)
45+ {
46+ grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
47+ argv[0]);
48+ goto fail;
49+ }
50 }
51
52 params = grub_efi_allocate_pages_max (0x3fffffff,
53diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
54index 4328bcbdb..991eb29db 100644
55--- a/grub-core/loader/i386/linux.c
56+++ b/grub-core/loader/i386/linux.c
57@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
58
59 #ifdef GRUB_MACHINE_EFI
60 using_linuxefi = 0;
61- if (grub_efi_secure_boot ())
62- {
63- /* linuxefi requires a successful signature check and then hand over
64- to the kernel without calling ExitBootServices. */
65- grub_dl_t mod;
66- grub_command_t linuxefi_cmd;
67
68- grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");
69+ grub_dl_t mod;
70+ grub_command_t linuxefi_cmd;
71+
72+ grub_dprintf ("linux", "Trying linuxefi\n");
73
74- mod = grub_dl_load ("linuxefi");
75- if (mod)
76+ mod = grub_dl_load ("linuxefi");
77+ if (mod)
78+ {
79+ grub_dl_ref (mod);
80+ linuxefi_cmd = grub_command_find ("linuxefi");
81+ initrdefi_cmd = grub_command_find ("initrdefi");
82+ if (linuxefi_cmd && initrdefi_cmd)
83 {
84- grub_dl_ref (mod);
85- linuxefi_cmd = grub_command_find ("linuxefi");
86- initrdefi_cmd = grub_command_find ("initrdefi");
87- if (linuxefi_cmd && initrdefi_cmd)
88+ (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
89+ if (grub_errno == GRUB_ERR_NONE)
90+ {
91+ grub_dprintf ("linux", "Handing off to linuxefi\n");
92+ using_linuxefi = 1;
93+ return GRUB_ERR_NONE;
94+ }
95+ else if (grub_efi_secure_boot ())
96 {
97- (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
98- if (grub_errno == GRUB_ERR_NONE)
99- {
100- grub_dprintf ("linux", "Handing off to linuxefi\n");
101- using_linuxefi = 1;
102- return GRUB_ERR_NONE;
103- }
104- grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
105+ grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
106 goto fail;
107 }
108 }
109 }
110+
111+ if (grub_efi_secure_boot ())
112+ {
113+ grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
114+ goto fail;
115+ }
116 #endif
117
118 if (argc == 0)
diff --git a/debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch b/debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch
0new file mode 100644119new file mode 100644
index 0000000..0e8244a
--- /dev/null
+++ b/debian/patches/0078-ubuntu-Update-the-linux-boot-protocol-version-check.patch
@@ -0,0 +1,25 @@
1From e13f71514b0b6ca3b3e15cb8013a8db1e47d3ea9 Mon Sep 17 00:00:00 2001
2From: Chris Coulson <chris.coulson@canonical.com>
3Date: Wed, 11 Mar 2020 16:46:41 +0100
4Subject: ubuntu: Update the linux boot protocol version check.
5
6The EFI implementation of grub_cmd_linux makes use of xloadflags which was
7introduced in to version 2.12 of the kernel's boot protocol, so update the
8check accordingly.
9---
10 grub-core/loader/i386/efi/linux.c | 2 +-
11 1 file changed, 1 insertion(+), 1 deletion(-)
12
13diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
14index fe3ca2c59..2929da7a2 100644
15--- a/grub-core/loader/i386/efi/linux.c
16+++ b/grub-core/loader/i386/efi/linux.c
17@@ -245,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
18 }
19
20 grub_dprintf ("linuxefi", "checking lh->version\n");
21- if (lh->version < grub_cpu_to_le16 (0x020b))
22+ if (lh->version < grub_cpu_to_le16 (0x020c))
23 {
24 grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
25 goto fail;
diff --git a/debian/patches/series b/debian/patches/series
index 4666699..d1dc6d3 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -74,3 +74,5 @@ cherrypick-smbios-module.patch
74cherrypick-lsefisystab-show-dtb.patch74cherrypick-lsefisystab-show-dtb.patch
750075-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch750075-uefi-firmware-rename-fwsetup-menuentry-to-UEFI-Firmw.patch
760076-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch760076-smbios-Add-a-linux-argument-to-apply-linux-modalias-.patch
770077-ubuntu-Make-the-linux-command-in-EFI-grub-always-try.patch
780078-ubuntu-Update-the-linux-boot-protocol-version-check.patch
diff --git a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
index 6b6aef8..2929da7 100644
--- a/grub-core/loader/i386/efi/linux.c
+++ b/grub-core/loader/i386/efi/linux.c
@@ -27,6 +27,7 @@
27#include <grub/lib/cmdline.h>27#include <grub/lib/cmdline.h>
28#include <grub/efi/efi.h>28#include <grub/efi/efi.h>
29#include <grub/efi/linux.h>29#include <grub/efi/linux.h>
30#include <grub/efi/sb.h>
3031
31GRUB_MOD_LICENSE ("GPLv3+");32GRUB_MOD_LICENSE ("GPLv3+");
3233
@@ -195,12 +196,15 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
195 goto fail;196 goto fail;
196 }197 }
197198
198 rc = grub_linuxefi_secure_validate (kernel, filelen);199 if (grub_efi_secure_boot ())
199 if (rc < 0)
200 {200 {
201 grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),201 rc = grub_linuxefi_secure_validate (kernel, filelen);
202 argv[0]);202 if (rc < 0)
203 goto fail;203 {
204 grub_error (GRUB_ERR_ACCESS_DENIED, N_("%s has invalid signature"),
205 argv[0]);
206 goto fail;
207 }
204 }208 }
205209
206 params = grub_efi_allocate_pages_max (0x3fffffff,210 params = grub_efi_allocate_pages_max (0x3fffffff,
@@ -241,7 +245,7 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
241 }245 }
242246
243 grub_dprintf ("linuxefi", "checking lh->version\n");247 grub_dprintf ("linuxefi", "checking lh->version\n");
244 if (lh->version < grub_cpu_to_le16 (0x020b))248 if (lh->version < grub_cpu_to_le16 (0x020c))
245 {249 {
246 grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));250 grub_error (GRUB_ERR_BAD_OS, N_("kernel too old"));
247 goto fail;251 goto fail;
diff --git a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
index 4328bcb..991eb29 100644
--- a/grub-core/loader/i386/linux.c
+++ b/grub-core/loader/i386/linux.c
@@ -658,35 +658,40 @@ grub_cmd_linux (grub_command_t cmd __attribute__ ((unused)),
658658
659#ifdef GRUB_MACHINE_EFI659#ifdef GRUB_MACHINE_EFI
660 using_linuxefi = 0;660 using_linuxefi = 0;
661 if (grub_efi_secure_boot ())
662 {
663 /* linuxefi requires a successful signature check and then hand over
664 to the kernel without calling ExitBootServices. */
665 grub_dl_t mod;
666 grub_command_t linuxefi_cmd;
667661
668 grub_dprintf ("linux", "Secure Boot enabled: trying linuxefi\n");662 grub_dl_t mod;
663 grub_command_t linuxefi_cmd;
664
665 grub_dprintf ("linux", "Trying linuxefi\n");
669666
670 mod = grub_dl_load ("linuxefi");667 mod = grub_dl_load ("linuxefi");
671 if (mod)668 if (mod)
669 {
670 grub_dl_ref (mod);
671 linuxefi_cmd = grub_command_find ("linuxefi");
672 initrdefi_cmd = grub_command_find ("initrdefi");
673 if (linuxefi_cmd && initrdefi_cmd)
672 {674 {
673 grub_dl_ref (mod);675 (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);
674 linuxefi_cmd = grub_command_find ("linuxefi");676 if (grub_errno == GRUB_ERR_NONE)
675 initrdefi_cmd = grub_command_find ("initrdefi");677 {
676 if (linuxefi_cmd && initrdefi_cmd)678 grub_dprintf ("linux", "Handing off to linuxefi\n");
679 using_linuxefi = 1;
680 return GRUB_ERR_NONE;
681 }
682 else if (grub_efi_secure_boot ())
677 {683 {
678 (linuxefi_cmd->func) (linuxefi_cmd, argc, argv);684 grub_dprintf ("linux", "linuxefi failed and secure boot is enabled (%d)\n", grub_errno);
679 if (grub_errno == GRUB_ERR_NONE)
680 {
681 grub_dprintf ("linux", "Handing off to linuxefi\n");
682 using_linuxefi = 1;
683 return GRUB_ERR_NONE;
684 }
685 grub_dprintf ("linux", "linuxefi failed (%d)\n", grub_errno);
686 goto fail;685 goto fail;
687 }686 }
688 }687 }
689 }688 }
689
690 if (grub_efi_secure_boot ())
691 {
692 grub_dprintf("linux", "Unable to hand off to linuxefi and secure boot is enabled\n");
693 goto fail;
694 }
690#endif695#endif
691696
692 if (argc == 0)697 if (argc == 0)

Subscribers

People subscribed via source and target branches