Porting patches from grub2_2.06-3~deb11u6 to fix
CVE-2023-4692/CVE-2023-4693.
The source code of grub2_2.06-3~deb11u6 is from:
https://snapshot.debian.org/archive/debian-security/20231006T185629Z/
pool/updates/main/g/grub2/grub2_2.06-3~deb11u6.debian.tar.xz
Patch for CVE-2023-4692:
<fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
for the $MFT file>
Patch for CVE-2023-4693:
<fs/ntfs: Fix an OOB read when reading data from the resident $DATA
attribute>
There are no content changes to any of the patches from the Debian release.
We do this because grub2/grub-efi is ported from wrlinux for
secure boot bring-up.
Test plan:
- PASS: build grub2/grub-efi.
- PASS: build-image and install and boot up on lab/qemu.
- PASS: check that the "stx.N" version number is right for both
  BIOS (grub2 ver) and UEFI (grub-efi ver) boot.
Closes-Bug: 2038742
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I7c8e11952fb409be93e9d777bf7da7b87414a95d
We add patches to fix CVEs for grub instead of upgrading because
grub2/grub-efi is ported from yocto for secure boot bring-up.
The patches for CVE-2022-28736 have conflicts with the patches for
secure boot. So refer to the links below to fix this CVE:
(1) https://patchwork.yoctoproject.org/project/oe-core/patch/
20221207034254.58292-1-xiangyu.chen@eng.windriver.com/
(2) https://github.com/jiazhang0/meta-secure-core/pull/257
The special patches for grub-efi are from layers meta-lat and
meta-secure-core of yocto upstream, which are based on the patches
for grub-efi in oe-core layer (including CVE patches). We used to mix
all the patches together. Now we will move the patches from meta-lat
and meta-secure-core to the end of the sequence for applying patches,
so that we can stay aligned with yocto upstream and make it easier
to maintain the grub here.
Since there are many patches involved here, we don't change the numbers
in the patch names, to avoid the confusion that renaming many files would cause.
Below commits are added for the CVE:
<loader/efi/chainloader: Simplify the loader state>
<commands/boot: Add API to pass context to loader>
<loader/efi/chainloader: Use grub_loader_set_ex()>
Below patches for secure boot are adapted for conflicts with above:
secure-core/0009 <efi: chainloader: port shim to grub>
secure-core/0010 <efi: chainloader: use shim to load and verify an image>
secure-core/0012 <efi: chainloader: take care of unload undershim>
All of them are aligned with upstream and no changes here.
Test plan:
- PASS: build grub2/grub-efi.
- PASS: build-image and install and boot up on lab/qemu.
- PASS: check that the "stx.N" version number is right for both
  BIOS (grub2 ver) and UEFI (grub-efi ver) boot.
- PASS: the tests are done on lab with secure boot disabled and
enabled.
Closes-Bug: #2034119
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de
Porting patches from grub2_2.06-3~deb11u1 to fix below CVEs:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734
The source code of grub2_2.06-3~deb11u1 is from:
https://snapshot.debian.org/archive/debian/20220807T030023Z/pool
/main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz
The relationship between commits and CVEs is as below:
(1)CVE-2021-3695
commit <video/readers/png: Drop greyscale support to fix heap
out-of-bounds write>
(2)CVE-2021-3696
commit <video/readers/png: Avoid heap OOB R/W inserting huff table items>
(3)CVE-2021-3697
commit <video/readers/jpeg: Block int underflow -> wild pointer write>
(4)CVE-2022-28733
commit <net/ip: Do IP fragment maths safely>
(5)CVE-2022-28734
commit <net/http: Fix OOB write for split http headers>
commit <net/http: Error out on headers with LF without CR>
Test plan:
- PASS: build grub2/grub-efi.
- PASS: build-image and install and boot up on lab/qemu.
- PASS: check that the "stx.N" version number is right for both
  BIOS (grub2 ver) and UEFI (grub-efi ver) boot.
Partial-Bug: #2034119
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
Porting patches from grub2_2.06-3~deb11u4 to fix
CVE-2022-2601/CVE-2022-3775.
The source code of grub2_2.06-3~deb11u4 is from:
https://snapshot.debian.org/archive/debian/20221124T030451Z/
pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz
Refer to above source code and this link for the fix:
https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html
The 1st patch in the list provides the proper context for the 14
patches for the 2 CVEs. There are no content changes to any of the
patches from the Debian release.
We do this because grub2/grub-efi is ported from wrlinux for
secure boot bring-up.
Test plan:
- PASS: build grub2/grub-efi.
- PASS: build-image and install and boot up on lab/qemu.
- PASS: check that the "stx.N" version number is right for both
  BIOS (grub2 ver) and UEFI (grub-efi ver) boot.
Closes-Bug: 2020730
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
This commit fixes lint errors identified by Zuul after the stx-integ-pylint
job is executed.
Test Plan:
PASS: stx-integ-pylint job is executed successfully.
PASS: Run "yamllint ." command on integ repo base directory. Observe
that no lint errors of line-length, truthy, indentation,
new-line-at-end-of-file and document-start are listed.
PASS: build-pkgs -a -c
Closes-Bug: 2011632
Change-Id: I4d8229b5de8c9d88ff2aab6169521ab377b5866c
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
The new git repo cgcs-root/public-keys is available now for the public
keys used in the secure boot process.
This commit moves the keys from integ to the git repo.
Keys involved:
boot_pub_key
tis-boot.crt
tis-shim.der
For grub-efi, the "src_files" in meta_data.yaml cannot cause
the files to be copied to the source code dir when "dl_hook" exists.
So remove the useless "src_files" settings here.
Test plan:
The tests are done with all the changes which involve
public-keys/integ/root repos for this enhancement about pub keys.
- PASS: rebuild grub-efi/efitools/shim packages;
- PASS: follow the process to build iso image for secure boot;
- PASS: installation test on AIO-DX lab with secure boot enabled.
Story: 2009221
Task: 47358
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Use grub version: 2.06-1.
Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers ( meta-lat and meta-secure-core ) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.
This porting of grub-efi customizes the grub images and grub.cfg for
EFI boot. Install those customized files into the grub-efi-amd64 package.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
This is done for moving packages that are related to secure boot
out of LAT and into integ.
Update to grub version: 2.06-1.
Keep the source code version aligned with grub-efi.
Remove packages related to grub-efi.
Test Plan:
The tests are done with all the changes for this porting,
which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
they are in a chain for secure boot verification.
- PASS: secure boot OK on qemu.
- PASS: secure boot OK on PowerEdge R430 lab.
- PASS: secure boot NG on qemu/hardware when shim/grub-efi images
are without the right signatures.
- PASS: boot OK with legacy BIOS on both qemu and intel NUC board.
Story: 2009221
Task: 46402
Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ie88412127abd6d3177b9cbc72fe8abda248bf93a
In /etc we make symbolic links to the grub config
files. Why? So tools like grubby can locate them.
We package these links in the grub2-common package
which is similar to what is done in CentOS.
Verification:
- install from iso, confirm the symlinks exist
in /etc
Story: 2009964
Task: 45044
Change-Id: I265b7c50300cfd37d1ab1d90db7bcfdad8fc7fcf
Signed-off-by: Jim Somerville <jim.somerville@windriver.com>
Add new debian package for grubby in order for the ansible
playbooks and puppet modules to complete.
Story: 2009101
Task: 44402
Test Plan
PASS Build Package
PASS Add package to ISO
PASS Boot ISO
Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: If7489106cafd8c1283ffdb24c9f14dfe9c480c39
This commit results in no change to actual code. It
cleans up the following issues in the meta patches:
- some patches generated fuzz and offset warnings
- patch file names do not match that generated by
git format-patch
- some patches were not in git format, did not have
a proper git header
- some patches were not signed off by anybody
- file names contained grub2 which is redundant
- one patch added a blank line to the end of a file
generating a warning, and a subsequent patch removed
it. This has now been squashed out.
There are 13 patches in total, they were numbered 1-14 with
4 being absent. They are now numbered 1-13.
Verification:
Built and captured the output, verified that there are no
more fuzz and offset warnings.
Closes-Bug: 1959037
Change-Id: I8056adf3ee96dc036262aa8c2d9eecfc353cc5ba
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
Grub unit tests do not like more than 1 CPU being
specified when building the package. So set the jobs
to 1 in the meta_data.yaml. Build will be slower but
at least it will build.
Test Plan:
Pass: successfully build test
Pass: successfully install test
Pass: successfully boot test
Depends-On: https://review.opendev.org/c/starlingx/root/+/821048
Story: 2009221
Task: 43679
Change-Id: I8bda78819a14995618d4504471d24b0ffebb6ca2
Signed-off-by: Charles Short <charles.short@windriver.com>
Porting CentOS patch 1001-add-tboot.patch
Ignore 3 CentOS patches:
a) 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch
It replaces "CentOS" with "Linux" in grub menu, that is
introduced by a patch from grub2-2.02-0.86.el7.centos.src.rpm.
0176-Make-grub2-mkconfig-construct-titles-that-look-like-.patch
b) 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch
It is the supplement patch of 0263-Fix-grub_net_hwaddr_to_str.patch,
which is from grub2-2.02-0.86.el7.centos.src.rpm. The original issue
is introduced by 0248-Add-support-for-non-Ethernet-network-cards.patch,
which is also from grub2-2.02-0.86.el7.centos.src.rpm.
c) 1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch
It is duplicate of the patch in grub2_2.04-20.debian.tar.xz.
debian/patches/tftp-roll-over-block-counter.patch
Other patches in centos/meta_patches modify the spec file. The grub2
for each distribution is deeply customized, so just ignore them.
BTW, not using dl_path, because the package on salsa.debian.org has
a build issue.
Test Plan:
Pass: successfully build test
Pass: successfully install test
Pass: successfully boot test
Story: 2009221
Task: 43679
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Icfd2f1993fd123824155c94da26c0ddf9a9c0873
The block number is a 16-bit counter which only allows fetching
files no bigger than 65535 * blksize. To avoid this limit, the
counter is rolled over. This behavior isn't defined in RFC 1350
but is handled by many TFTP servers and it's what GRUB was doing
before implicitly due to an overflow.
Closes-Bug: #1938559
Signed-off-by: Jiping Ma <jiping.ma2@windriver.com>
Change-Id: I4a0c04cf15b87f6f40c7a979d20fb3c57657cefd
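The rollover described in the commit message above, as an added example that is not GRUB's code and not part of the original log: a receiver-side tracker keeps a full-width expected block number and compares only its low 16 bits against the block number on the wire, so a transfer longer than 65535 * blksize bytes keeps going when the wire counter wraps from 65535 to 0. The struct, function names and the constructed transfer sequence are assumptions for illustration only; the 512-byte block size is the RFC 1350 default.

```c
/* Added example (not GRUB's code): a TFTP receiver-side block-number
 * tracker that rolls the 16-bit wire counter over, so that transfers
 * larger than 65535 * blksize bytes can be followed. The names, types
 * and the constructed input sequence are assumptions for illustration. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define TFTP_BLKSIZE 512u            /* RFC 1350 default block size */

struct tftp_rx {
    uint32_t expected;               /* next block we want, full width */
    uint64_t received_bytes;         /* total payload accepted so far */
    bool done;                       /* set once a short block arrives */
};

static void tftp_rx_init(struct tftp_rx *rx)
{
    rx->expected = 1;                /* DATA blocks start at 1 */
    rx->received_bytes = 0;
    rx->done = false;
}

/* Feed one DATA packet. wire_block is the 16-bit block number from the
 * packet header; payload_len is the data length (< blksize ends the
 * transfer). Returns true if the block was the expected one and was
 * consumed, false for a duplicate/out-of-order block, which is ignored. */
static bool tftp_rx_data(struct tftp_rx *rx, uint16_t wire_block,
                         size_t payload_len)
{
    if (rx->done)
        return false;
    /* Compare only the low 16 bits: the wire counter wraps 65535 -> 0
     * while the expected counter keeps growing. Without this rollover
     * the transfer would stall as soon as expected exceeded 65535. */
    if (wire_block != (uint16_t)rx->expected)
        return false;
    rx->received_bytes += payload_len;
    rx->expected++;
    if (payload_len < TFTP_BLKSIZE)
        rx->done = true;
    return true;
}

/* Byte offset at which the payload of full-width block number `block`
 * lands in the file; this is where the 32-bit counter matters. */
static uint64_t tftp_block_offset(uint32_t block)
{
    return (uint64_t)(block - 1) * TFTP_BLKSIZE;
}

/* Drive a constructed transfer of n_full_blocks full blocks followed by
 * one short final block of last_len bytes. Returns the total number of
 * bytes accepted, or 0 if the receiver rejected any block. */
static uint64_t tftp_simulate(uint32_t n_full_blocks, size_t last_len)
{
    struct tftp_rx rx;
    tftp_rx_init(&rx);
    for (uint32_t b = 1; b <= n_full_blocks; b++) {
        /* the sender truncates its counter to 16 bits on the wire */
        if (!tftp_rx_data(&rx, (uint16_t)b, TFTP_BLKSIZE))
            return 0;
    }
    if (!tftp_rx_data(&rx, (uint16_t)(n_full_blocks + 1), last_len))
        return 0;
    return rx.received_bytes;
}
```

A transfer of 70000 full blocks plus a 100-byte tail crosses the 16-bit boundary once (block 65536 arrives on the wire as 0, block 65537 as 1) and is still accepted in full; a receiver that compared the wire value against a 16-bit expected counter that had itself wrapped would behave the same, which is the implicit overflow the commit message refers to, while one that compared against a non-wrapping counter without the mask would stall at block 65536.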
Avoid the heap-based buffer overflow.
Upgrade to the below package to fix the CVE issue:
grub2-2.02-0.86.el7.centos.src.rpm
At the same time adjust the context and drop
0004-grub2-remove-32b-requirements.patch since it has already been
included in the new version.
Story: 2008532
Task: 41664
Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.
Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
Closes-Bug: 1814360
Test Case:
Deploy 2 controller and 1 compute on bare metal
Change-Id: I4ec59180a28ac743935601332cb8f210e87e4a85
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
When the CentOS 7.5 upgrade was done, some patches did not apply cleanly
and caused fuzz in the line numbers of the patches. This may cause a
.orig file to be created when the patch is applied, and this .orig file
will lead to rpm packaging failure due to the unexpected and unpackaged
.orig file.
Please visit below link to get more detail info:
https://bugs.launchpad.net/starlingx/+bug/1794611
Solution:
Safest solution is to de-fuzz our patches.
Story: 2003389
Task: 26755
Change-Id: I4bcf73175e81083a575d35d4b1448b29b11beaf7
Signed-off-by: slin14 <shuicheng.lin@intel.com>
Uprev grub2 package to 0.64. This required regeneration and
restructuring of the patch and meta-patch files.
Depends-On: https://review.openstack.org/#/c/578440
Change-Id: I462cefad6dd929601f6368364ef83327f69be161
Signed-off-by: Scott Little <scott.little@windriver.com>
Move content from stx-gplv3 into stx-integ
Packages will be relocated to
stx-integ:
base/
anaconda
crontabs
dnsmasq
rsync
database/
python-psycopg2
filesystem/
parted
grub/
grub2
security/
python-keyring
Change-Id: Ib2807e3762a9ad17ef246398ab8e8cb7a7cf335c
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>