authoreworm2017-09-08 10:09:30 +0000
committersvntogit2017-09-08 10:09:30 +0000
commit56f2bba7d788f267bd98b1a303538f1268a065a6 (patch)
treec471461184d59f5423b884d948f005064cbc65e3
parent041c620fe98871e3ef9568dcfef3fcc6c327abd9 (diff)
downloadaur-56f2bba7d788f267bd98b1a303538f1268a065a6.tar.gz
upgpkg: grub 2:2.02-2
Allow GRUB to mount ext2/3/4 filesystems that have the encryption feature (FS#51879) git-svn-id: file:///srv/repos/svn-packages/svn@305042 eb2447ed-0c53-47e4-bac8-5bc4a241df78
-rw-r--r--.SRCINFO4
-rw-r--r--0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch140
-rw-r--r--PKGBUILD8
3 files changed, 150 insertions, 2 deletions
diff --git a/.SRCINFO b/.SRCINFO
index 1d25ee61bb7e..01ae2670eeb2 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
pkgbase = grub
pkgdesc = GNU GRand Unified Bootloader (2)
pkgver = 2.02
- pkgrel = 1
+ pkgrel = 2
epoch = 2
url = https://www.gnu.org/software/grub/
install = grub.install
@@ -56,6 +56,7 @@ pkgbase = grub
source = 0002-intel-ucode.patch
source = 0003-10_linux-detect-archlinux-initramfs.patch
source = 0004-add-GRUB_COLOR_variables.patch
+ source = 0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
source = grub.default
source = grub.cfg
validpgpkeys = E53D497F3FA42AD8C9B4D1E835A93B74E82E4209
@@ -68,6 +69,7 @@ pkgbase = grub
sha256sums = 37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c
sha256sums = b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3
sha256sums = a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29
+ sha256sums = 535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46
sha256sums = df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676
sha256sums = c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad
diff --git a/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch b/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
new file mode 100644
index 000000000000..22d62926fa74
--- /dev/null
+++ b/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch
@@ -0,0 +1,140 @@
+From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Thu, 29 Jun 2017 13:27:49 +0000
+Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption
+ feature.
+
+On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set.
+For a regular file, this means its contents are encrypted; for a
+directory, this means the filenames in its directory entries are
+encrypted; and for a symlink, this means its target is encrypted. Since
+GRUB cannot decrypt encrypted contents or filenames, just issue an error
+if it would need to do so. This is sufficient to allow unencrypted boot
+files to co-exist with encrypted files elsewhere on the filesystem.
+
+(Note that encrypted regular files and symlinks will not normally be
+encountered outside an encrypted directory; however, it's possible via
+hard links, so they still need to be handled.)
+
+Tested by booting from an ext4 /boot partition on which I had run
+'tune2fs -O encrypt'. I also verified that the expected error messages
+are printed when trying to access encrypted directories, files, and
+symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester
+ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+.
+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+---
+ grub-core/fs/ext2.c | 23 ++++++++++++++++++++++-
+ tests/ext234_test.in | 1 +
+ tests/util/grub-fs-tester.in | 10 ++++++++++
+ 3 files changed, 33 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c
+index cdce63b..b8ad75a 100644
+--- a/grub-core/fs/ext2.c
++++ b/grub-core/fs/ext2.c
+@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080
+ #define EXT4_FEATURE_INCOMPAT_MMP 0x0100
+ #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200
++#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000
+
+ /* The set of back-incompatible features this driver DOES support. Add (OR)
+ * flags here as the related features are implemented into the driver. */
+@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ | EXT4_FEATURE_INCOMPAT_EXTENTS \
+ | EXT4_FEATURE_INCOMPAT_FLEX_BG \
+ | EXT2_FEATURE_INCOMPAT_META_BG \
+- | EXT4_FEATURE_INCOMPAT_64BIT)
++ | EXT4_FEATURE_INCOMPAT_64BIT \
++ | EXT4_FEATURE_INCOMPAT_ENCRYPT)
+ /* List of rationales for the ignored "incompatible" features:
+ * needs_recovery: Not really back-incompatible - was added as such to forbid
+ * ext2 drivers from mounting an ext3 volume with a dirty
+@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+");
+ #define EXT3_JOURNAL_FLAG_DELETED 4
+ #define EXT3_JOURNAL_FLAG_LAST_TAG 8
+
++#define EXT4_ENCRYPT_FLAG 0x800
+ #define EXT4_EXTENTS_FLAG 0x80000
+
+ /* The ext2 superblock. */
+@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node)
+ grub_ext2_read_inode (diro->data, diro->ino, &diro->inode);
+ if (grub_errno)
+ return 0;
++
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted");
++ return 0;
++ }
+ }
+
+ symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1);
+@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir,
+ return 0;
+ }
+
++ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted");
++ return 0;
++ }
++
+ /* Search the file. */
+ while (fpos < grub_le_to_cpu32 (diro->inode.size))
+ {
+@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name)
+ goto fail;
+ }
+
++ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))
++ {
++ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted");
++ goto fail;
++ }
++
+ grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode));
+ grub_free (fdiro);
+
+diff --git a/tests/ext234_test.in b/tests/ext234_test.in
+index 892b99c..4f1eb52 100644
+--- a/tests/ext234_test.in
++++ b/tests/ext234_test.in
+@@ -30,3 +30,4 @@ fi
+ "@builddir@/grub-fs-tester" ext3
+ "@builddir@/grub-fs-tester" ext4
+ "@builddir@/grub-fs-tester" ext4_metabg
++"@builddir@/grub-fs-tester" ext4_encrypt
+diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in
+index 88cbe73..fd7e0f1 100644
+--- a/tests/util/grub-fs-tester.in
++++ b/tests/util/grub-fs-tester.in
+@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ # Could go further but what's the point?
+ MAXBLKSIZE=$((65536*1024))
+ ;;
++ xext4_encrypt)
++ # OS LIMITATION: Linux currently only allows the 'encrypt' feature
++ # in combination with block_size = PAGE_SIZE (4096 bytes on x86).
++ MINBLKSIZE=$(getconf PAGE_SIZE)
++ MAXBLKSIZE=$MINBLKSIZE
++ ;;
+ xext*)
+ MINBLKSIZE=1024
+ if [ $MINBLKSIZE -lt $SECSIZE ]; then
+@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
+ MOUNTFS=ext4
+ ;;
++ xext4_encrypt)
++ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}"
++ MOUNTFS=ext4
++ ;;
+ xext*)
+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;;
+ xxfs)
+--
+cgit v1.0-41-gc330
+
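Review bot: In the grub_ext2_read_symlink hunk of the embedded patch, the new `if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG))` test is added immediately before a closing `}`, so it appears to sit inside the block that loads the inode, which opens outside the hunk. If that block only runs when the inode has not been read yet, a node whose inode was already cached skips the test, and the encrypted target bytes would be returned to the caller as if they were a path. Placing the check after that `}` would make it unconditional, matching how the directory and file-open checks appear to be placed. A one-line comment on `EXT4_ENCRYPT_FLAG` and on the `EXT4_FEATURE_INCOMPAT_ENCRYPT` entry, saying the driver accepts the feature bit but refuses encrypted inodes, would also keep the "DOES support" list accurate.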
diff --git a/PKGBUILD b/PKGBUILD
index d0167c5c2261..f5f5e48f827f 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -22,7 +22,7 @@ _UNIFONT_VER="9.0.06"
pkgname="grub"
pkgdesc="GNU GRand Unified Bootloader (2)"
pkgver=2.02
-pkgrel=1
+pkgrel=2
epoch=2
url="https://www.gnu.org/software/grub/"
arch=('x86_64' 'i686')
@@ -63,6 +63,7 @@ source=("https://ftp.gnu.org/gnu/${pkgname}/${pkgname}-${pkgver}.tar.xz"{,.sig}
'0002-intel-ucode.patch'
'0003-10_linux-detect-archlinux-initramfs.patch'
'0004-add-GRUB_COLOR_variables.patch'
+ '0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch'
'grub.default'
'grub.cfg')
@@ -74,6 +75,7 @@ sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f'
'37adb95049f6cdcbdbf60ed6b6440c5be99a4cd307a0f96c3c3837b6c2e07f3c'
'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3'
'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29'
+ '535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46'
'df764fbd876947dea973017f95371e53833bf878458140b09f0b70d900235676'
'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad')
@@ -93,6 +95,10 @@ prepare() {
patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch"
echo
+ msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature"
+ patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch"
+ echo
+
msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme"
sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac"
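Review bot: The new prepare() step applies a backported bootloader patch, but the PKGBUILD records neither where the patch came from nor when it can be dropped; only the patch file's own header carries the upstream commit id. A comment above the `patch` line such as `## Upstream commit 734668238fcc0ef691a080839e04f33854fa133a (FS#51879), remove once a GRUB release contains it` would let a later maintainer re-verify the file against upstream rather than relying on the sha256sum alone, which only pins the local copy. prepare() starts and ends outside the hunk.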