sys-boot/grub: Apply Red Hat's large patch set (and drop Gentoo's)

We initially thought we would need Red Hat's patch set. Then it looked
like we wouldn't because the TPM Event Log appeared to work without it.
We later discovered that on amd64, it only works with Secure Boot
disabled. The patch set also fixes Secure Boot on arm64, which would
have otherwise needed a couple of patches from Canonical.

We have to drop Gentoo's patches because they conflict, but they don't
affect Flatcar anyway.

Signed-off-by: James Le Cuirot <jlecuirot@microsoft.com>
James Le Cuirot 2024-10-03 17:48:54 +01:00
parent 2fcff863dc
commit fb3c9cff98
No known key found for this signature in database
GPG Key ID: 1226415D00DD3137
5 changed files with 41372 additions and 23 deletions


@ -0,0 +1 @@
- grub 2.12-flatcar3: GRUB now includes many patches from Red Hat to support Secure Boot, as well as Flatcar's own patches. The version string includes a numbered "flatcar" suffix to track changes to these additional patches. This string can be seen in the GRUB menu. ([scripts#2431](https://github.com/flatcar/scripts/pull/2431))


@ -1,7 +1,11 @@
# Bump the flatcar version stated here every time we or Gentoo change patches
# Bump the flatcar version stated here every time we or Red Hat change patches
# that modify parts of GRUB that are installed to the boot partition. Reset the
# version back to 1 when the upstream GRUB version changes.
FLATCAR_VERSION=flatcar2
FLATCAR_VERSION=flatcar3
# Gentoo's patches conflict with Red Hat's patches, and none of Gentoo's patches
# affect Flatcar, so skip them all.
PATCHES=()
# Adjust the version string for Flatcar. This propagates throughout the source.
cros_pre_src_prepare_adjust_version() {
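Review bot: `PATCHES=()` on the new side discards Gentoo's whole patchset unconditionally, which would also drop any security backport Gentoo adds to that set on a later revision, not only the patches that conflict with Red Hat's set today; the comment above it only records that none currently affect Flatcar. Nothing in this hunk will surface a newly added Gentoo patch, so the ebuild would silently skip it on the next Gentoo bump. Since the empty array is deliberate, I would make the review obligation explicit in the comment, e.g. `# Re-check Gentoo's patchset for security backports on every Gentoo revbump before keeping this empty.` The `cros_pre_src_prepare_adjust_version` function opened on the last line continues outside the hunk.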


@ -15,6 +15,24 @@ to use a separate repo was scrapped, and two patch files were created. The patch
files migrated only the essential commits, and dropped all the other commits, which
were either half-baked, or redundant at the point of migration.
From version 2.12, Flatcar has adopted Red Hat's large patch set. This fixes
Secure Boot on arm64 and the TPM Event Log on amd64, among many other things.
A further two patches are applied on top. One is for additional GPT
functionality, and the other is for extracting the verity root hash from the
initrd. Gentoo's upstream ebuild is used, but Gentoo's patches are discarded
because they conflict and are not relevant to Flatcar.
## How to import the Red Hat patches
Red Hat maintains a fork of GRUB on GitHub with branches for each Fedora release. Generate a diff between the latest upstream release and the latest Fedora branch.
```
git clone https://github.com/rhboot/grub2.git grub
cd grub
git diff grub-<VERSION>..fedora-<VERSION> -- . ':(exclude).gitignore' ':(exclude)bootstrap.conf' > grub-2.12-00-redhat.patch
```
## Summary of the Flatcar patches
The patch starts with adding a new implementation of reading the GPT instead



@ -16,9 +16,9 @@ Signed-off-by: Sayan Chowdhury <schowdhury@microsoft.com>
---
diff -Naur a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
--- a/grub-core/loader/efi/linux.c 2023-10-03 12:21:48.000000000 -0000
+++ b/grub-core/loader/efi/linux.c 2024-09-12 10:18:36.454803371 -0000
@@ -34,6 +34,8 @@
--- a/grub-core/loader/efi/linux.c 2024-09-05 16:04:35.466205483 -0000
+++ b/grub-core/loader/efi/linux.c 2024-09-05 16:54:36.760503901 -0000
@@ -38,6 +38,8 @@
#include <grub/lib/cmdline.h>
#include <grub/verify.h>
@ -27,9 +27,9 @@ diff -Naur a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
GRUB_MOD_LICENSE ("GPLv3+");
static grub_dl_t my_mod;
@@ -533,7 +535,8 @@
grub_dprintf ("linux", "kernel @ %p\n", kernel_addr);
@@ -833,7 +835,8 @@
kernel = NULL;
#endif
- cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE);
+ cmdline_size = grub_loader_cmdline_size (argc, argv) + sizeof (LINUX_IMAGE)
@ -37,7 +37,7 @@ diff -Naur a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
linux_args = grub_malloc (cmdline_size);
if (!linux_args)
{
@@ -550,6 +553,7 @@
@@ -850,6 +853,7 @@
if (grub_errno == GRUB_ERR_NONE)
{
@ -45,29 +45,64 @@ diff -Naur a/grub-core/loader/efi/linux.c b/grub-core/loader/efi/linux.c
grub_loader_set (grub_linux_boot, grub_linux_unload, 0);
loaded = 1;
}
diff -Naur a/grub-core/loader/i386/linux.c b/grub-core/loader/i386/linux.c
--- a/grub-core/loader/i386/linux.c 2023-10-03 12:21:48.000000000 -0000
+++ b/grub-core/loader/i386/linux.c 2024-09-12 10:28:05.571587951 -0000
@@ -38,6 +38,8 @@
#include <grub/machine/kernel.h>
diff -Naur a/grub-core/loader/i386/efi/linux.c b/grub-core/loader/i386/efi/linux.c
--- a/grub-core/loader/i386/efi/linux.c 2024-09-11 15:08:38.463525457 -0000
+++ b/grub-core/loader/i386/efi/linux.c 2024-09-11 15:10:30.732085424 -0000
@@ -31,6 +31,8 @@
#include <grub/tpm.h>
#include <grub/safemath.h>
+#include <grub/verity-hash.h>
+
GRUB_MOD_LICENSE ("GPLv3+");
#ifdef GRUB_MACHINE_PCBIOS
@@ -1018,6 +1020,7 @@
goto fail;
}
static grub_dl_t my_mod;
@@ -466,7 +468,7 @@
grub_dprintf ("linux", "new lh is at %p\n", lh);
+ grub_pass_verity_hash (&lh, linux_cmdline, maximal_cmdline_size);
len = prot_file_size;
if (grub_file_read (file, prot_mode_mem, len) != len && !grub_errno)
grub_error (GRUB_ERR_BAD_OS, N_("premature end of file %s"),
grub_dprintf ("linux", "setting up cmdline\n");
- cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1,
+ cmdline = kernel_alloc (KERNEL_MEM, lh->cmdline_size + 1 + VERITY_CMDLINE_LENGTH,
GRUB_EFI_LOADER_DATA,
N_("can't allocate cmdline"));
if (!cmdline)
@@ -479,6 +481,9 @@
lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1),
GRUB_VERIFY_KERNEL_CMDLINE);
+ grub_pass_verity_hash (kernel, cmdline + sizeof (LINUX_IMAGE) - 1,
+ lh->cmdline_size - (sizeof (LINUX_IMAGE) - 1) + VERITY_CMDLINE_LENGTH);
+
grub_dprintf ("linux", "cmdline:%s\n", cmdline);
grub_dprintf ("linux", "setting lh->cmd_line_ptr to 0x%08x\n",
LOW_U32(cmdline));
diff -Naur a/grub-core/loader/i386/pc/linux.c b/grub-core/loader/i386/pc/linux.c
--- a/grub-core/loader/i386/pc/linux.c 2024-09-11 15:08:38.464525462 -0000
+++ b/grub-core/loader/i386/pc/linux.c 2024-09-11 15:12:26.552628521 -0000
@@ -38,6 +38,8 @@
#include <grub/safemath.h>
#include <grub/efi/sb.h>
+#include <grub/verity-hash.h>
+
GRUB_MOD_LICENSE ("GPLv3+");
#define GRUB_LINUX_CL_OFFSET 0x9000
@@ -358,6 +360,11 @@
if (err)
goto fail;
+ grub_pass_verity_hash (&lh,
+ (char *)grub_linux_real_chunk
+ + GRUB_LINUX_CL_OFFSET + sizeof (LINUX_IMAGE) - 1,
+ maximal_cmdline_size);
+
if (grub_linux_is_bzimage)
grub_linux_prot_target = GRUB_LINUX_BZIMAGE_ADDR;
else
diff -Naur a/include/grub/verity-hash.h b/include/grub/verity-hash.h
--- a/include/grub/verity-hash.h 1970-01-01 00:00:00.000000000 -0000
+++ b/include/grub/verity-hash.h 2024-09-12 10:18:39.993826952 -0000
+++ b/include/grub/verity-hash.h 2024-09-11 15:07:54.473295324 -0000
@@ -0,0 +1,51 @@
+/* CoreOS verity hash */
+