Commit Graph

27 Commits

Author SHA1 Message Date
Li Zhou daea2d8219 grub2/grub-efi: fix CVE-2023-4692/CVE-2023-4693
Porting patches from grub2_2.06-3~deb11u6 to fix
CVE-2023-4692/CVE-2023-4693.

The source code of grub2_2.06-3~deb11u6 is from:
https://snapshot.debian.org/archive/debian-security/20231006T185629Z/
pool/updates/main/g/grub2/grub2_2.06-3~deb11u6.debian.tar.xz

Patch for CVE-2023-4692:
<fs/ntfs: Fix an OOB write when parsing the $ATTRIBUTE_LIST attribute
 for the $MFT file>
Patch for CVE-2023-4693:
<fs/ntfs: Fix an OOB read when reading data from the resident $DATA
 attribute>

No content changes for any of the patches from the debian release.

We do this because grub2/grub-efi is ported from wrlinux for
secure boot bring-up.

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.

Closes-bug: 2038742

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I7c8e11952fb409be93e9d777bf7da7b87414a95d
2023-10-09 22:31:36 -04:00
Li Zhou 8e6824ec91 grub2/grub-efi: fix CVE-2022-28736
We add patches to fix CVEs for grub instead of upgrading because
grub2/grub-efi is ported from yocto for secure boot bring-up.

The patches for CVE-2022-28736 have conflicts with the patches for
secure boot. So refer to the links below to fix this CVE:
(1) https://patchwork.yoctoproject.org/project/oe-core/patch/
20221207034254.58292-1-xiangyu.chen@eng.windriver.com/
(2) https://github.com/jiazhang0/meta-secure-core/pull/257

The special patches for grub-efi are from layers meta-lat and
meta-secure-core of yocto upstream, which are based on the patches
for grub-efi in oe-core layer (including CVE patches). We used to mix
all the patches together. Now we will move the patches from meta-lat
and meta-secure-core to the end of sequence for applying patches,
so that we can keep aligned with yocto upstream and make it easier
to maintain the grub here.
Since there are many patches involved here, we don't change the numbers
in the patches' names, to avoid the confusion that renaming many files
would cause.

The commits below are added for the CVE:
<loader/efi/chainloader: Simplify the loader state>
<commands/boot: Add API to pass context to loader>
<loader/efi/chainloader: Use grub_loader_set_ex()>

The patches below for secure boot are adapted for conflicts with the above:
secure-core/0009 <efi: chainloader: port shim to grub>
secure-core/0010 <efi: chainloader: use shim to load and verify an image>
secure-core/0012 <efi: chainloader: take care of unload undershim>

All of them are aligned with upstream and no changes here.

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.
 - PASS: the tests are done on lab with secure boot disabled and
         enabled.

Closes-Bug: #2034119

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I9a37cd8b804b238407f8ac6528f087a2eb0cf2de
2023-09-07 02:00:19 -04:00
Li Zhou 44f318a38d grub2/grub-efi: fix CVEs
Porting patches from grub2_2.06-3~deb11u1 to fix the CVEs below:
CVE-2021-3695
CVE-2021-3696
CVE-2021-3697
CVE-2022-28733
CVE-2022-28734

The source code of grub2_2.06-3~deb11u1 is from:
https://snapshot.debian.org/archive/debian/20220807T030023Z/pool
/main/g/grub2/grub2_2.06-3~deb11u1.debian.tar.xz

The relationship between commits and CVEs is as below:
(1) CVE-2021-3695
commit <video/readers/png: Drop greyscale support to fix heap
out-of-bounds write>
(2) CVE-2021-3696
commit <video/readers/png: Avoid heap OOB R/W inserting huff table items>
(3) CVE-2021-3697
commit <video/readers/jpeg: Block int underflow -> wild pointer write>
(4) CVE-2022-28733
commit <net/ip: Do IP fragment maths safely>
(5) CVE-2022-28734
commit <net/http: Fix OOB write for split http headers>
commit <net/http: Error out on headers with LF without CR>

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.

Partial-Bug: #2034119

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia27b1ee225f13e9c4ad08a0828f93ea37f8d3dfb
2023-09-07 01:42:31 -04:00
Li Zhou d10d6fb187 grub2/grub-efi: fix CVE-2022-2601/CVE-2022-3775
Porting patches from grub2_2.06-3~deb11u4 to fix
CVE-2022-2601/CVE-2022-3775.

The source code of grub2_2.06-3~deb11u4 is from:
https://snapshot.debian.org/archive/debian/20221124T030451Z/
pool/main/g/grub2/grub2_2.06-3~deb11u4.debian.tar.xz

Refer to the above source code and this link for the fix:
https://lists.gnu.org/archive/html/grub-devel/2022-11/msg00059.html

The 1st patch in the list is for making proper context for the 14
patches of the 2 CVEs. No content changes for any of the patches from
the debian release.

We do this because grub2/grub-efi is ported from wrlinux for
secure boot bring-up.

Test plan:
 - PASS: build grub2/grub-efi.
 - PASS: build-image and install and boot up on lab/qemu.
 - PASS: check that the "stx.N" version number is right for both
         bios(grub2 ver) and uefi(grub-efi ver) boot.

Closes-bug: 2020730

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia6c58a2021a786ef92f760b3cfe035fbccedacf7
2023-06-01 06:08:44 -04:00
Manoel Benedito Neto c15e3e1a3a Fix lint errors identified by Zuul pylint job
This commit fixes lint errors identified by Zuul after stx-integ-pylint
job is executed.

Test Plan:
PASS: stx-integ-pylint job is executed successfully.
PASS: Run "yamllint ." command on integ repo base directory. Observe
      that no lint errors of line-length, truthy, indentation,
      new-line-at-end-of-file and document-start are listed.
PASS: build-pkgs -a -c

Closes-Bug: 2011632
Change-Id: I4d8229b5de8c9d88ff2aab6169521ab377b5866c
Signed-off-by: Manoel Benedito Neto <manoel.beneditoneto@windriver.com>
2023-03-15 12:07:17 +00:00
Li Zhou 8171154a6b secure boot: move pub key to git repo
New git repo cgcs-root/public-keys is available now for public
keys used in secure boot process.
This commit moves the keys from integ to the git repo.
Keys involved:
  boot_pub_key
  tis-boot.crt
  tis-shim.der

For grub-efi, the "src_files" in meta_data.yaml can't cause
the files to be copied to the source code dir when "dl_hook" exists.
So remove the useless "src_files" settings here.

Test plan:
  The tests are done with all the changes which involve
public-keys/integ/root repos for this enhancement about pub keys.
 - PASS: rebuild grub-efi/efitools/shim packages;
 - PASS: follow the process to build iso image for secure boot;
 - PASS: installation test on AIO-DX lab with secure boot enabled.

Story: 2009221
Task: 47358

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: I8cde2acfbe90872151f871c3e01a0e45ad8c4c6c
2023-02-14 01:03:04 -05:00
Li Zhou 48a2e836ff Debian: grub-efi: porting from LAT
This is done for moving packages that are related to secure boot
out of LAT and into integ.

Use grub version: 2.06-1.

Port grub-efi from LAT and make its build independent from grub2.
The patches for code and changes for debian build are ported from
layers (meta-lat and meta-secure-core) of yocto upstream.
Make grub-efi independent from grub2 because some code changes
for secure boot can make grub-pc's build fail.

This porting of grub-efi customizes grub images and grub.cfg for
efi boot. Install those files customized to grub-efi-amd64 package.

Test Plan:
 The tests are done with all the changes for this porting,
 which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
 they are in a chain for secure boot verification.
 - PASS: secure boot OK on qemu.
 - PASS: secure boot OK on PowerEdge R430 lab.
 - PASS: secure boot NG on qemu/hardware when shim/grub-efi images
         are without the right signatures.

Story: 2009221
Task: 46402

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ia3b482c1959b5e6462fe54f0b0e59a69db1b1ca7
2022-10-08 21:50:14 -04:00
Li Zhou a12eb5f44c Debian: grub2: porting from LAT
This is done for moving packages that are related to secure boot
out of LAT and into integ.

Update to grub version: 2.06-1.
Keep the source code version aligned with grub-efi.
Remove packages related to grub-efi.

Test Plan:
 The tests are done with all the changes for this porting,
 which involves efitools/shim/grub2/grub-efi/lat-sdk.sh, because
 they are in a chain for secure boot verification.
 - PASS: secure boot OK on qemu.
 - PASS: secure boot OK on PowerEdge R430 lab.
 - PASS: secure boot NG on qemu/hardware when shim/grub-efi images
         are without the right signatures.
 - PASS: boot OK with legacy BIOS on both qemu and intel NUC board.

Story: 2009221
Task: 46402

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Change-Id: Ie88412127abd6d3177b9cbc72fe8abda248bf93a
2022-10-08 21:48:59 -04:00
Jim Somerville e2869c5bd1 debian: Provide softlinks to grub menus
In /etc we make symbolic links to the grub config
files.  Why?  So tools like grubby can locate them.

We package these links in the grub2-common package
which is similar to what is done in CentOS.

Verification:
- install from iso, confirm the symlinks exist
in /etc

Story: 2009964
Task: 45044

Change-Id: I265b7c50300cfd37d1ab1d90db7bcfdad8fc7fcf
Signed-off-by: Jim Somerville <jim.somerville@windriver.com>
2022-04-12 15:58:37 -04:00
Yue Tao 4a709349a9 meta_data.yaml: add sha256sum checksum
Test Plan:
Pass: Verify sha256sum checksum via "download -s"

Story: 2008846
Task: 44578

Signed-off-by: Yue Tao <Yue.Tao@windriver.com>
Change-Id: I78d9dff2af0afb18c6db4e8d2d39ef79b5cf5864
2022-03-03 14:30:40 +08:00
Charles Short a933729a1f debian: Add debian package for grubby
Add new debian package for grubby in order for the ansible
playbooks and puppet modules to complete.

Story: 2009101
Task: 44402

Test Plan
PASS Build Package
PASS Add package to ISO
PASS Boot ISO

Signed-off-by: Charles Short <charles.short@windriver.com>
Change-Id: If7489106cafd8c1283ffdb24c9f14dfe9c480c39
2022-02-04 16:32:22 +00:00
Jim Somerville 589e8020db grub2: cleanup meta patches
This commit results in no change to actual code.  It
cleans up the following issues in the meta patches:

- some patches generated fuzz and offset warnings
- patch file names do not match that generated by
  git format-patch
- some patches were not in git format, did not have
  a proper git header
- some patches were not signed off by anybody
- file names contained grub2 which is redundant
- one patch added a blank line to the end of a file
  generating a warning, and a subsequent patch removed
  it.  This has now been squashed out.

There are 13 patches in total, they were numbered 1-14 with
4 being absent.  They are now numbered 1-13.

Verification:
Built and captured the output, verified that there are no
more fuzz and offset warnings.

Closes-Bug: 1959037

Change-Id: I8056adf3ee96dc036262aa8c2d9eecfc353cc5ba
Signed-off-by: Jim Somerville <Jim.Somerville@windriver.com>
2022-01-27 10:45:07 -05:00
Charles Short 107f773837 debian: Serialize grub build
Grub unit tests do not like more than 1 CPU being
specified when building the package. So set the jobs
to 1 in the meta_data.yaml. The build will be slower but
at least it will build.

Test Plan:

Pass: successfully build test
Pass: successfully install test
Pass: successfully boot test

Depends-On: https://review.opendev.org/c/starlingx/root/+/821048

Story: 2009221
Task: 43679

Change-Id: I8bda78819a14995618d4504471d24b0ffebb6ca2
Signed-off-by: Charles Short <charles.short@windriver.com>
2022-01-19 08:21:40 -05:00
Bin Qian 45e97910d5 relocate /pxeboot to /var/pxeboot
Relocate writable /pxeboot dir to /var/pxeboot

Story: 2009101
Task: 44229

TCs are listed at https://review.opendev.org/c/starlingx/metal/+/822008.

Depends-on: https://review.opendev.org/c/starlingx/metal/+/822008
Change-Id: Ia1d12db455bc72c5ef7c111f0fb398aabeed1266
Signed-off-by: Bin Qian <bin.qian@windriver.com>
2021-12-23 14:29:00 -05:00
Yue Tao 2caa2ff976 grub2: add deb folder
Porting CentOS patch 1001-add-tboot.patch

Ignore 3 CentOS patches:

a) 1000_linux-mktitle-de-brand-the-grub.cfg-menu.patch

It replaces "CentOS" with "Linux" in the grub menu, which is
introduced by a patch from grub2-2.02-0.86.el7.centos.src.rpm:

0176-Make-grub2-mkconfig-construct-titles-that-look-like-.patch

b) 1002-Don-t-write-trailing-colon-when-populating-MAC-strin.patch

It is the supplement patch of 0263-Fix-grub_net_hwaddr_to_str.patch,
which is from grub2-2.02-0.86.el7.centos.src.rpm. The original issue
is introduced by 0248-Add-support-for-non-Ethernet-network-cards.patch,
which is also from grub2-2.02-0.86.el7.centos.src.rpm.

c) 1003-tftp-roll-over-block-counter-to-prevent-timeouts-wit.patch

It is a duplicate of the patch in grub2_2.04-20.debian.tar.xz:

debian/patches/tftp-roll-over-block-counter.patch

Other patches in centos/meta_patches modify the spec file. The grub2
for each distribution is deeply customized, so just ignore them.

BTW, not using dl_path, because the package on salsa.debian.org has
a build issue.

Test Plan:

Pass: successfully build test
Pass: successfully install test
Pass: successfully boot test

Story: 2009221
Task: 43679
Signed-off-by: Yue Tao <yue.tao@windriver.com>
Change-Id: Icfd2f1993fd123824155c94da26c0ddf9a9c0873
2021-12-07 22:45:15 +00:00
Jiping Ma 572cd24c49 tftp: roll over block counter to prevent timeouts with data packets
The block number is a 16-bit counter which only allows fetching
files no bigger than 65535 * blksize. To avoid this limit, the
counter is rolled over. This behavior isn't defined in RFC 1350
but is handled by many TFTP servers and it's what GRUB was doing
before, implicitly, due to an overflow.

Closes-Bug: #1938559

Signed-off-by: Jiping Ma <jiping.ma2@windriver.com>
Change-Id: I4a0c04cf15b87f6f40c7a979d20fb3c57657cefd
2021-09-01 20:57:18 -04:00
Zhixiong Chi a0b2acecaa grub2: fix CVE-2020-15707
Avoid the heap-based buffer overflow.

Upgrade to the below package to fix the CVE issue:
 grub2-2.02-0.86.el7.centos.src.rpm

At the same time adjust the context and drop
0004-grub2-remove-32b-requirements.patch since it has already been
included in the new version.

Story: 2008532
Task: 41664
Change-Id: I7943127323ee28457ffe0a4ece54764633f86d9f
Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
2021-01-25 04:15:59 -05:00
Dongqi Chen af359d4938 Add auto-versioning to starlingx/integ packages
This update makes use of the PKG_GITREVCOUNT variable
to auto-version the packages in this repo.

Story: 2007750
Task: 39951
Change-Id: I854419c922b9db4edbbf6f1e987a982ec2ec7b59
Signed-off-by: Dongqi Chen <chen.dq@neusoft.com>
2020-06-24 09:48:28 +08:00
Martin, Chen 54fa029a43 Fix pxe boot fail, for incorrect folder access /pxe/EFI/ on controller-0
Closes-Bug: 1814360

Test Case:
Deploy 2 controller and 1 compute on bare metal

Change-Id: I4ec59180a28ac743935601332cb8f210e87e4a85
Signed-off-by: Martin, Chen <haochuan.z.chen@intel.com>
2019-02-12 05:06:53 +08:00
Zuul d89dbd238a Merge "rebase grub2 patch to CentOS 7.6 version" into f/centos76 2019-01-15 05:29:43 +00:00
Zhe Hu f3729d2d23 rebase grubby patch to CentOS 7.6 version
Test:
Pass build and simplex deploy test

Depends-On: https://review.openstack.org/627466

Story: 2004522
Task: 28419

Change-Id: Ieaf38802edbd21471ff2ccf4bd64c687d7929b72
Signed-off-by: Zhe Hu <zhe.hu@intel.com>
2018-12-27 14:46:31 +08:00
Zhe Hu b5306a34ee rebase grub2 patch to CentOS 7.6 version
Test:
Pass build and simplex deploy test

Depends-On: https://review.openstack.org/627434

Story: 2004522
Task: 28417

Change-Id: Ibd2c0866dc5d7f4475e3da6ad5aeedc284ed5829
Signed-off-by: Zhe Hu <zhe.hu@intel.com>
2018-12-27 12:23:40 +08:00
slin14 d3d8639028 de-fuzz grub2 patches
When upgrading to CentOS 7.5, some patches didn't resolve cleanly and
caused fuzz in the line numbers of the patches. This may cause a
.orig file to be created when applying the patch, and this .orig file
will lead to rpm packaging failure due to the unexpected and unpackaged
.orig file.

Please visit the link below for more details:
https://bugs.launchpad.net/starlingx/+bug/1794611

Solution:
  Safest solution is to de-fuzz our patches.

Story: 2003389
Task: 26755

Change-Id: I4bcf73175e81083a575d35d4b1448b29b11beaf7
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-09-28 08:10:39 +08:00
slin14 11c474e8de rebase grub2 patch to CentOS7.5
Story: 2003389
Task: 24495

Change-Id: Ia5ccf65e9c3e462710694f1e860bf4281339ca85
Signed-off-by: slin14 <shuicheng.lin@intel.com>
2018-08-27 03:03:28 +00:00
jmckenna b546e2213b Uprev grub2 package to 0.64
Uprev grub2 package to 0.64. This required regeneration and
restructuring of the patch and meta-patch files.

Depends-On: https://review.openstack.org/#/c/578440

Change-Id: I462cefad6dd929601f6368364ef83327f69be161
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:39:52 -04:00
Scott Little c428727bf5 Relocate grub2 to stx-integ/grub/grub2
Move content from stx-gplv3 into stx-integ

Packages will be relocated to

stx-integ:
    base/
        anaconda
        crontabs
        dnsmasq
        rsync

    database/
        python-psycopg2

    filesystem/
        parted

    grub/
        grub2

    security/
        python-keyring

Change-Id: Ib2807e3762a9ad17ef246398ab8e8cb7a7cf335c
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 15:39:49 -04:00
Scott Little 50838ff661 Relocate grubby to stx-integ/grub/grubby
Move content from stx-utils into stx-integ or stx-update

Packages will be relocated to

stx-update:
    enable-dev-patch
    extras

stx-integ:
    config-files/
        io-scheduler

    filesystem/
        filesystem-scripts

    grub/
        grubby

    logging/
        logmgmt

    tools/
        collector
        monitor-tools

    tools/engtools/
        hostdata-collectors
        parsers

    utilities/
        build-info
        branding   (formerly wrs-branding)
        platform-util

Change-Id: If77fdabde9ff43b5e4381837283bac1d39112c58
Story: 2002801
Task: 22687
Signed-off-by: Scott Little <scott.little@windriver.com>
2018-08-01 12:25:42 -04:00