diff options
| author | Maksim Fomin | 2019-07-09 20:22:07 +0000 |
|---|---|---|
| committer | Maksim Fomin | 2019-07-09 20:22:07 +0000 |
| commit | 1798aecbe2a573e8bf465145a4f5a0f14216dd95 (patch) | |
| tree | e440a836a58fa726f1f5f736b90be1ab7addcae0 | |
| parent | b79676c7dd7595806d5544695c6b939b7f519bcc (diff) | |
| download | aur-1798aecbe2a573e8bf465145a4f5a0f14216dd95.tar.gz | |
Update to version 2.04
| -rw-r--r-- | .SRCINFO | 49 | ||||
| -rw-r--r-- | .gitignore | 6 | ||||
| -rw-r--r-- | 0001-Cryptomount-support-LUKS-detached-header.patch | 247 | ||||
| -rw-r--r-- | 0002-Cryptomount-support-key-files.patch | 205 | ||||
| -rw-r--r-- | 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch | 329 | ||||
| -rw-r--r-- | 0004-Cryptomount-support-plain-dm-crypt.patch | 644 | ||||
| -rw-r--r-- | 0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch | 140 | ||||
| -rw-r--r-- | 0005-Cryptomount-support-for-hyphens-in-UUID.patch | 122 | ||||
| -rw-r--r-- | 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch | 108 | ||||
| -rw-r--r-- | 0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch | 31 | ||||
| -rw-r--r-- | 0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch | 177 | ||||
| -rw-r--r-- | 0008-Fix-packed-not-aligned-error-on-GCC-8.patch | 72 | ||||
| -rw-r--r-- | 0009-xfs-Accept-filesystem-with-sparse-inodes.patch | 60 | ||||
| -rw-r--r-- | 0010-relocation.patch | 65 | ||||
| -rw-r--r-- | PKGBUILD | 72 | ||||
| -rw-r--r-- | grub.cfg | 139 |
16 files changed, 1691 insertions, 775 deletions
@@ -1,7 +1,7 @@ pkgbase = grub-luks-keyfile pkgdesc = GNU GRand Unified Bootloader (2) with crypto extensions to support for DMCrypt and LUKS volumes with detached headers and key files. - pkgver = 2.02 - pkgrel = 8 + pkgver = 2.04 + pkgrel = 1 epoch = 2 url = https://www.gnu.org/software/grub/ install = grub.install @@ -50,50 +50,37 @@ pkgbase = grub-luks-keyfile backup = boot/grub/grub.cfg backup = etc/default/grub backup = etc/grub.d/40_custom - source = https://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz - source = https://ftp.gnu.org/gnu/grub/grub-2.02.tar.xz.sig + source = https://ftp.gnu.org/gnu/grub/grub-2.04.tar.xz + source = https://ftp.gnu.org/gnu/grub/grub-2.04.tar.xz.sig source = https://git.savannah.nongnu.org/cgit/grub-extras.git/snapshot/grub-extras-f2a079441939eee7251bf141986cdd78946e1d20.tar.gz - source = https://ftp.gnu.org/gnu/unifont/unifont-10.0.06/unifont-10.0.06.bdf.gz - source = https://ftp.gnu.org/gnu/unifont/unifont-10.0.06/unifont-10.0.06.bdf.gz.sig + source = https://ftp.gnu.org/gnu/unifont/unifont-12.1.02/unifont-12.1.02.bdf.gz + source = https://ftp.gnu.org/gnu/unifont/unifont-12.1.02/unifont-12.1.02.bdf.gz.sig source = 0003-10_linux-detect-archlinux-initramfs.patch source = 0004-add-GRUB_COLOR_variables.patch - source = 0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch - source = 0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch - source = 0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch - source = 0008-Fix-packed-not-aligned-error-on-GCC-8.patch - source = https://grub.johnlane.ie/assets/0001-Cryptomount-support-LUKS-detached-header.patch - source = https://grub.johnlane.ie/assets/0002-Cryptomount-support-key-files.patch - source = https://grub.johnlane.ie/assets/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch - source = https://grub.johnlane.ie/assets/0004-Cryptomount-support-plain-dm-crypt.patch - source = https://grub.johnlane.ie/assets/0005-Cryptomount-support-for-hyphens-in-UUID.patch - source = 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch::https://github.com/johnlane/grub/pull/8.patch - source = 0009-xfs-Accept-filesystem-with-sparse-inodes.patch - source = 0010-relocation.patch + source = 0001-Cryptomount-support-LUKS-detached-header.patch + source = 0002-Cryptomount-support-key-files.patch + source = 0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch + source = 0004-Cryptomount-support-plain-dm-crypt.patch + source = 0005-Cryptomount-support-for-hyphens-in-UUID.patch + source = 0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch source = grub.default - source = grub.cfg validpgpkeys = E53D497F3FA42AD8C9B4D1E835A93B74E82E4209 + validpgpkeys = BE5C23209ACDDACEB20DB0A28C8189F1988C2166 validpgpkeys = 95D2E9AB8740D8046387FD151A09227B1F435A33 - sha256sums = 810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f + sha256sums = e5292496995ad42dabe843a0192cf2a2c502e7ffcc7479398232b10a472df77d sha256sums = SKIP sha256sums = 2844601914cea6b1231eca0104853a93c4d67a5209933a0766f1475953300646 - sha256sums = 0d81571fc519573057b7641d26a31ead55cc0b02a931589fb346a3a534c3dcc1 + sha256sums = 04d652be1e28a6d464965c75c71ac84633085cd0960c2687466651c34c94bd89 sha256sums = SKIP sha256sums = b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3 sha256sums = a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29 - sha256sums = 535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46 - sha256sums = c38f2b2caae33008b35a37d8293d8bf13bf6fd779a4504925da1837fd007aeb5 - sha256sums = e43566c4fe3b1b87e677167323d4716b82ac0810410a9d8dc7fbf415c8db2b8a - sha256sums = e84b8de569c7e6b73263758c35cf95c6516fde85d4ed451991427864f6a4e5a8 - sha256sums = f7790e7fd4641eed8347039ebb44b67a3f517f2bc4de213fe34d2ae887c03b92 - sha256sums = c1d042ca83f6ac64414f1d5df82fe324a46eaa842768fff214091b177ad30191 + sha256sums = b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698 + sha256sums = 5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837 sha256sums = d2ad15610f5b683ca713329bbe25d43963af9386c9c8732b61cdc135843715f1 sha256sums = e47409d04f740a71360775af25c53662386a49ea7f93ada39ed636b9ae8a0a22 sha256sums = 7b9ff45ba6e6c1ad45e6984580393e3801ef86144e48dbe5fe97d4aa8b90706e - sha256sums = 2c312e4e46fc3b5a215771fb9bfb328079d588ac59751e980cecaed06f7f5c76 - sha256sums = fcd5a626d4af33665d041ce42df813f1f198d8230ea186481b155a5b676f3b87 - sha256sums = 51562fa1016c54567dbf42a86c0cfc902372ab579bbee17879a81aff09b76b99 + sha256sums = 4d2b6f5e1a50a01b127602d8537fca1152b2d1799918faaa94dc98cf7b854513 sha256sums = 74e5dd2090a153c10a7b9599b73bb09e70fddc6a019dd41641b0f10b9d773d82 - sha256sums = c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad pkgname = grub-luks-keyfile diff --git a/.gitignore b/.gitignore index 15f51defd0d6..99d4f89d72dc 100644 --- a/.gitignore +++ b/.gitignore @@ -5,9 +5,3 @@ src *.xz *.sig *~ -0001-Cryptomount-support-LUKS-detached-header.patch -0002-Cryptomount-support-key-files.patch -0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch -0004-Cryptomount-support-plain-dm-crypt.patch -0005-Cryptomount-support-for-hyphens-in-UUID.patch -0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch diff --git a/0001-Cryptomount-support-LUKS-detached-header.patch b/0001-Cryptomount-support-LUKS-detached-header.patch new file mode 100644 index 000000000000..65943f41b8c8 --- /dev/null +++ b/0001-Cryptomount-support-LUKS-detached-header.patch @@ -0,0 +1,247 @@ +From 2008e08c0a511da5d454664363f452a9e26c734f Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Tue, 23 Jun 2015 11:16:30 +0100 +Subject: [PATCH 1/7] Cryptomount support LUKS detached header + +--- + grub-core/disk/cryptodisk.c | 22 ++++++++++++++++++---- + grub-core/disk/geli.c | 7 +++++-- + grub-core/disk/luks.c | 45 +++++++++++++++++++++++++++++++++++++-------- + include/grub/cryptodisk.h | 5 +++-- + 4 files changed, 63 insertions(+), 16 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index bd60a66b3..5230a5a9a 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -41,6 +41,7 @@ static const struct grub_arg_option options[] = + /* TRANSLATORS: It's still restricted to cryptodisks only. */ + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, ++ {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -809,6 +810,7 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + + static int check_boot, have_it; + static char *search_uuid; ++static grub_file_t hdr; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -833,13 +835,13 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + + FOR_CRYPTODISK_DEVS (cr) + { +- dev = cr->scan (source, search_uuid, check_boot); ++ dev = cr->scan (source, search_uuid, check_boot, hdr); + if (grub_errno) + return grub_errno; + if (!dev) + continue; + +- err = cr->recover_key (source, dev); ++ err = cr->recover_key (source, dev, hdr); + if (err) + { + cryptodisk_close (dev); +@@ -880,7 +882,7 @@ grub_cryptodisk_cheat_mount (const char *sourcedev, const char *cheat) + + FOR_CRYPTODISK_DEVS (cr) + { +- dev = cr->scan (source, search_uuid, check_boot); ++ dev = cr->scan (source, search_uuid, check_boot,0); + if (grub_errno) + return grub_errno; + if (!dev) +@@ -934,6 +936,18 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + if (argc < 1 && !state[1].set && !state[2].set) + return grub_error (GRUB_ERR_BAD_ARGUMENT, "device name required"); + ++ if (state[3].set) /* LUKS detached header */ ++ { ++ if (state[0].set) /* Cannot use UUID lookup with detached header */ ++ return GRUB_ERR_BAD_ARGUMENT; ++ ++ hdr = grub_file_open (state[3].arg, GRUB_FILE_TYPE_NONE); ++ if (!hdr) ++ return grub_errno; ++ } ++ else ++ hdr = NULL; ++ + have_it = 0; + if (state[0].set) + { +@@ -1141,7 +1155,7 @@ GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b"), ++ N_("SOURCE|-u UUID|-a|-b|-H file"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index e9d23299a..f4394eb42 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -52,6 +52,7 @@ + #include <grub/dl.h> + #include <grub/err.h> + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/partition.h> + #include <grub/i18n.h> +@@ -243,7 +244,8 @@ grub_util_get_geli_uuid (const char *dev) + + static grub_cryptodisk_t + configure_ciphers (grub_disk_t disk, const char *check_uuid, +- int boot_only) ++ int boot_only, ++ grub_file_t hdr __attribute__ ((unused)) ) + { + grub_cryptodisk_t newdev; + struct grub_geli_phdr header; +@@ -398,7 +400,8 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + } + + static grub_err_t +-recover_key (grub_disk_t source, grub_cryptodisk_t dev) ++recover_key (grub_disk_t source, grub_cryptodisk_t dev, ++ grub_file_t hdr __attribute__ ((unused)) ) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 86c50c612..66e64c0e0 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -23,6 +23,7 @@ + #include <grub/dl.h> + #include <grub/err.h> + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/partition.h> + #include <grub/i18n.h> +@@ -66,7 +67,7 @@ gcry_err_code_t AF_merge (const gcry_md_spec_t * hash, grub_uint8_t * src, + + static grub_cryptodisk_t + configure_ciphers (grub_disk_t disk, const char *check_uuid, +- int check_boot) ++ int check_boot, grub_file_t hdr) + { + grub_cryptodisk_t newdev; + const char *iptr; +@@ -86,11 +87,21 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + int benbi_log = 0; + grub_err_t err; + ++ err = GRUB_ERR_NONE; ++ + if (check_boot) + return NULL; + + /* Read the LUKS header. */ +- err = grub_disk_read (disk, 0, 0, sizeof (header), &header); ++ if (hdr) ++ { ++ grub_file_seek (hdr, 0); ++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (disk, 0, 0, sizeof (header), &header); ++ + if (err) + { + if (err == GRUB_ERR_OUT_OF_RANGE) +@@ -304,12 +315,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + newdev->modname = "luks"; + COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); ++ + return newdev; + } + + static grub_err_t + luks_recover_key (grub_disk_t source, +- grub_cryptodisk_t dev) ++ grub_cryptodisk_t dev, ++ grub_file_t hdr) + { + struct grub_luks_phdr header; + grub_size_t keysize; +@@ -321,8 +334,19 @@ luks_recover_key (grub_disk_t source, + grub_err_t err; + grub_size_t max_stripes = 1; + char *tmp; ++ grub_uint32_t sector; ++ ++ err = GRUB_ERR_NONE; ++ ++ if (hdr) ++ { ++ grub_file_seek (hdr, 0); ++ if (grub_file_read (hdr, &header, sizeof (header)) != sizeof (header)) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, 0, 0, sizeof (header), &header); + +- err = grub_disk_read (source, 0, 0, sizeof (header), &header); + if (err) + return err; + +@@ -391,13 +415,18 @@ luks_recover_key (grub_disk_t source, + return grub_crypto_gcry_error (gcry_err); + } + ++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); + length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); + + /* Read and decrypt the key material from the disk. */ +- err = grub_disk_read (source, +- grub_be_to_cpu32 (header.keyblock +- [i].keyMaterialOffset), 0, +- length, split_key); ++ if (hdr) ++ { ++ grub_file_seek (hdr, sector * 512); ++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, sector, 0, length, split_key); + if (err) + { + grub_free (split_key); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 32f564ae0..4e6e89a93 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -20,6 +20,7 @@ + #define GRUB_CRYPTODISK_HEADER 1 + + #include <grub/disk.h> ++#include <grub/file.h> + #include <grub/crypto.h> + #include <grub/list.h> + #ifdef GRUB_UTIL +@@ -107,8 +108,8 @@ struct grub_cryptodisk_dev + struct grub_cryptodisk_dev **prev; + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, +- int boot_only); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev); ++ int boot_only, grub_file_t hdr); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +2.16.2 + diff --git a/0002-Cryptomount-support-key-files.patch b/0002-Cryptomount-support-key-files.patch new file mode 100644 index 000000000000..43af5ff3cbf9 --- /dev/null +++ b/0002-Cryptomount-support-key-files.patch @@ -0,0 +1,205 @@ +From df3aa34cc68b128c5441ee25ef092e6c2c87392e Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 13:37:10 +0100 +Subject: [PATCH 2/7] Cryptomount support key files + +--- + grub-core/disk/cryptodisk.c | 46 ++++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/geli.c | 4 +++- + grub-core/disk/luks.c | 44 +++++++++++++++++++++++++++++-------------- + include/grub/cryptodisk.h | 5 ++++- + 4 files changed, 82 insertions(+), 17 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 5230a5a9a..5261af547 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -42,6 +42,9 @@ static const struct grub_arg_option options[] = + {"all", 'a', 0, N_("Mount all."), 0, 0}, + {"boot", 'b', 0, N_("Mount all volumes with `boot' flag set."), 0, 0}, + {"header", 'H', 0, N_("Read LUKS header from file"), 0, ARG_TYPE_STRING}, ++ {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, ++ {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, ++ {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -811,6 +814,8 @@ grub_util_cryptodisk_get_uuid (grub_disk_t disk) + static int check_boot, have_it; + static char *search_uuid; + static grub_file_t hdr; ++static grub_uint8_t *key, keyfile_buffer[GRUB_CRYPTODISK_MAX_KEYFILE_SIZE]; ++static grub_size_t keyfile_size; + + static void + cryptodisk_close (grub_cryptodisk_t dev) +@@ -841,7 +846,7 @@ grub_cryptodisk_scan_device_real (const char *name, grub_disk_t source) + if (!dev) + continue; + +- err = cr->recover_key (source, dev, hdr); ++ err = cr->recover_key (source, dev, hdr, key, keyfile_size); + if (err) + { + cryptodisk_close (dev); +@@ -949,6 +954,45 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + hdr = NULL; + + have_it = 0; ++ key = NULL; ++ ++ if (state[4].set) /* Key file; fails back to passphrase entry */ ++ { ++ grub_file_t keyfile; ++ int keyfile_offset; ++ grub_size_t requested_keyfile_size; ++ ++ requested_keyfile_size = state[6].set ? grub_strtoul(state[6].arg, 0, 0) : 0; ++ ++ if (requested_keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ ++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ else ++ { ++ keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; ++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; ++ ++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); ++ if (!keyfile) ++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); ++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) ++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); ++ else ++ { ++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); ++ if (keyfile_size == (grub_size_t)-1) ++ grub_printf (N_("Error reading key file\n")); ++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) ++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), ++ (unsigned long long) requested_keyfile_size, ++ (unsigned long long) keyfile_size); ++ else ++ key = keyfile_buffer; ++ } ++ } ++ } ++ + if (state[0].set) + { + grub_cryptodisk_t dev; +diff --git a/grub-core/disk/geli.c b/grub-core/disk/geli.c +index f4394eb42..da6aa6a63 100644 +--- a/grub-core/disk/geli.c ++++ b/grub-core/disk/geli.c +@@ -401,7 +401,9 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + + static grub_err_t + recover_key (grub_disk_t source, grub_cryptodisk_t dev, +- grub_file_t hdr __attribute__ ((unused)) ) ++ grub_file_t hdr __attribute__ ((unused)), ++ grub_uint8_t *key __attribute__ ((unused)), ++ grub_size_t keyfile_size __attribute__ ((unused)) ) + { + grub_size_t keysize; + grub_uint8_t digest[GRUB_CRYPTO_MAX_MDLEN]; +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 66e64c0e0..588236888 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -322,12 +322,16 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + static grub_err_t + luks_recover_key (grub_disk_t source, + grub_cryptodisk_t dev, +- grub_file_t hdr) ++ grub_file_t hdr, ++ grub_uint8_t *keyfile_bytes, ++ grub_size_t keyfile_bytes_size) + { + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ grub_uint8_t *passphrase; ++ grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; + unsigned i; + grub_size_t length; +@@ -364,18 +368,30 @@ luks_recover_key (grub_disk_t source, + if (!split_key) + return grub_errno; + +- /* Get the passphrase from the user. */ +- tmp = NULL; +- if (source->partition) +- tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", +- dev->uuid); +- grub_free (tmp); +- if (!grub_password_get (passphrase, MAX_PASSPHRASE)) ++ if (keyfile_bytes) + { +- grub_free (split_key); +- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ /* Use bytestring from key file as passphrase */ ++ passphrase = keyfile_bytes; ++ passphrase_length = keyfile_bytes_size; ++ } ++ else ++ { ++ /* Get the passphrase from the user. */ ++ tmp = NULL; ++ if (source->partition) ++ tmp = grub_partition_get_name (source->partition); ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", dev->uuid); ++ grub_free (tmp); ++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ { ++ grub_free (split_key); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ } ++ ++ passphrase = (grub_uint8_t *)interactive_passphrase; ++ passphrase_length = grub_strlen (interactive_passphrase); ++ + } + + /* Try to recover master key from each active keyslot. */ +@@ -393,7 +409,7 @@ luks_recover_key (grub_disk_t source, + + /* Calculate the PBKDF2 of the user supplied passphrase. */ + gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, +- grub_strlen (passphrase), ++ passphrase_length, + header.keyblock[i].passwordSalt, + sizeof (header.keyblock[i].passwordSalt), + grub_be_to_cpu32 (header.keyblock[i]. +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 4e6e89a93..67f6b0b59 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -55,6 +55,8 @@ typedef enum + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 + ++#define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -109,7 +111,8 @@ struct grub_cryptodisk_dev + + grub_cryptodisk_t (*scan) (grub_disk_t disk, const char *check_uuid, + int boot_only, grub_file_t hdr); +- grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, grub_file_t hdr); ++ grub_err_t (*recover_key) (grub_disk_t disk, grub_cryptodisk_t dev, ++ grub_file_t hdr, grub_uint8_t *key, grub_size_t keyfile_size); + }; + typedef struct grub_cryptodisk_dev *grub_cryptodisk_dev_t; + +-- +2.16.2 + diff --git a/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch new file mode 100644 index 000000000000..19ffed89ca8d --- /dev/null +++ b/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch @@ -0,0 +1,329 @@ +From d055c1e314fa37957f169e08bea9d19c4417ed21 Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 13:49:58 +0100 +Subject: [PATCH 3/7] cryptomount luks allow multiple passphrase attempts + +--- + grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------ + 1 file changed, 143 insertions(+), 135 deletions(-) + +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 588236888..11e437edb 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + + static grub_err_t + luks_recover_key (grub_disk_t source, +- grub_cryptodisk_t dev, +- grub_file_t hdr, +- grub_uint8_t *keyfile_bytes, +- grub_size_t keyfile_bytes_size) ++ grub_cryptodisk_t dev, ++ grub_file_t hdr, ++ grub_uint8_t *keyfile_bytes, ++ grub_size_t keyfile_bytes_size) + { + struct grub_luks_phdr header; + grub_size_t keysize; +@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source, + grub_size_t max_stripes = 1; + char *tmp; + grub_uint32_t sector; ++ unsigned attempts = 2; + + err = GRUB_ERR_NONE; + +@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source, + + for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) + if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED +- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) ++ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes) + max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes); + + split_key = grub_malloc (keysize * max_stripes); + if (!split_key) + return grub_errno; + +- if (keyfile_bytes) ++ while (attempts) + { +- /* Use bytestring from key file as passphrase */ +- passphrase = keyfile_bytes; +- passphrase_length = keyfile_bytes_size; +- } +- else +- { +- /* Get the passphrase from the user. */ +- tmp = NULL; +- if (source->partition) +- tmp = grub_partition_get_name (source->partition); +- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, +- source->partition ? "," : "", tmp ? : "", dev->uuid); +- grub_free (tmp); +- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ if (keyfile_bytes) + { +- grub_free (split_key); +- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); +- } +- +- passphrase = (grub_uint8_t *)interactive_passphrase; +- passphrase_length = grub_strlen (interactive_passphrase); +- +- } +- +- /* Try to recover master key from each active keyslot. */ +- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) +- { +- gcry_err_code_t gcry_err; +- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; +- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; +- +- /* Check if keyslot is enabled. */ +- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) +- continue; +- +- grub_dprintf ("luks", "Trying keyslot %d\n", i); +- +- /* Calculate the PBKDF2 of the user supplied passphrase. */ +- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, +- passphrase_length, +- header.keyblock[i].passwordSalt, +- sizeof (header.keyblock[i].passwordSalt), +- grub_be_to_cpu32 (header.keyblock[i]. +- passwordIterations), +- digest, keysize); +- +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- grub_dprintf ("luks", "PBKDF2 done\n"); +- +- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); +- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); +- +- /* Read and decrypt the key material from the disk. */ +- if (hdr) +- { +- grub_file_seek (hdr, sector * 512); +- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) +- err = GRUB_ERR_READ_ERROR; ++ /* Use bytestring from key file as passphrase */ ++ passphrase = keyfile_bytes; ++ passphrase_length = keyfile_bytes_size; ++ keyfile_bytes = NULL; /* use it only once */ + } + else +- err = grub_disk_read (source, sector, 0, length, split_key); +- if (err) +- { +- grub_free (split_key); +- return err; +- } +- +- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- /* Merge the decrypted key material to get the candidate master key. */ +- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, +- grub_be_to_cpu32 (header.keyblock[i].stripes)); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- grub_dprintf ("luks", "candidate key recovered\n"); +- +- /* Calculate the PBKDF2 of the candidate master key. */ +- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, +- grub_be_to_cpu32 (header.keyBytes), +- header.mkDigestSalt, +- sizeof (header.mkDigestSalt), +- grub_be_to_cpu32 +- (header.mkDigestIterations), +- candidate_digest, +- sizeof (candidate_digest)); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } +- +- /* Compare the calculated PBKDF2 to the digest stored +- in the header to see if it's correct. */ +- if (grub_memcmp (candidate_digest, header.mkDigest, +- sizeof (header.mkDigest)) != 0) +- { +- grub_dprintf ("luks", "bad digest\n"); +- continue; +- } ++ { ++ /* Get the passphrase from the user. */ ++ tmp = NULL; ++ if (source->partition) ++ tmp = grub_partition_get_name (source->partition); ++ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, ++ source->partition ? "," : "", tmp ? : "", dev->uuid); ++ grub_free (tmp); ++ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ { ++ grub_free (split_key); ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ } ++ ++ passphrase = (grub_uint8_t *)interactive_passphrase; ++ passphrase_length = grub_strlen (interactive_passphrase); + +- /* TRANSLATORS: It's a cryptographic key slot: one element of an array +- where each element is either empty or holds a key. */ +- grub_printf_ (N_("Slot %d opened\n"), i); ++ } + +- /* Set the master key. */ +- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); +- if (gcry_err) +- { +- grub_free (split_key); +- return grub_crypto_gcry_error (gcry_err); +- } ++ /* Try to recover master key from each active keyslot. */ ++ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++) ++ { ++ gcry_err_code_t gcry_err; ++ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN]; ++ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN]; ++ ++ /* Check if keyslot is enabled. */ ++ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED) ++ continue; ++ ++ grub_dprintf ("luks", "Trying keyslot %d\n", i); ++ ++ /* Calculate the PBKDF2 of the user supplied passphrase. */ ++ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase, ++ passphrase_length, ++ header.keyblock[i].passwordSalt, ++ sizeof (header.keyblock[i].passwordSalt), ++ grub_be_to_cpu32 (header.keyblock[i]. ++ passwordIterations), ++ digest, keysize); ++ ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ grub_dprintf ("luks", "PBKDF2 done\n"); ++ ++ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset); ++ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes)); ++ ++ /* Read and decrypt the key material from the disk. */ ++ if (hdr) ++ { ++ grub_file_seek (hdr, sector * 512); ++ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length) ++ err = GRUB_ERR_READ_ERROR; ++ } ++ else ++ err = grub_disk_read (source, sector, 0, length, split_key); ++ if (err) ++ { ++ grub_free (split_key); ++ return err; ++ } ++ ++ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ /* Merge the decrypted key material to get the candidate master key. */ ++ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize, ++ grub_be_to_cpu32 (header.keyblock[i].stripes)); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ grub_dprintf ("luks", "candidate key recovered\n"); ++ ++ /* Calculate the PBKDF2 of the candidate master key. */ ++ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key, ++ grub_be_to_cpu32 (header.keyBytes), ++ header.mkDigestSalt, ++ sizeof (header.mkDigestSalt), ++ grub_be_to_cpu32 ++ (header.mkDigestIterations), ++ candidate_digest, ++ sizeof (candidate_digest)); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } ++ ++ /* Compare the calculated PBKDF2 to the digest stored ++ in the header to see if it's correct. */ ++ if (grub_memcmp (candidate_digest, header.mkDigest, ++ sizeof (header.mkDigest)) != 0) ++ { ++ grub_dprintf ("luks", "bad digest\n"); ++ continue; ++ } ++ ++ /* TRANSLATORS: It's a cryptographic key slot: one element of an array ++ where each element is either empty or holds a key. */ ++ grub_printf_ (N_("Slot %d opened\n"), i); ++ ++ /* Set the master key. */ ++ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize); ++ if (gcry_err) ++ { ++ grub_free (split_key); ++ return grub_crypto_gcry_error (gcry_err); ++ } + +- grub_free (split_key); ++ grub_free (split_key); + +- return GRUB_ERR_NONE; ++ return GRUB_ERR_NONE; ++ } ++ grub_printf_ (N_("Failed to decrypt master key.\n")); ++ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts, ++ (attempts==1) ? "" : "s"); + } + + grub_free (split_key); +-- +2.16.2 + diff --git a/0004-Cryptomount-support-plain-dm-crypt.patch b/0004-Cryptomount-support-plain-dm-crypt.patch new file mode 100644 index 000000000000..34c10d7216bb --- /dev/null +++ b/0004-Cryptomount-support-plain-dm-crypt.patch @@ -0,0 +1,644 @@ +From a8f9e3dcece89c179e89414abe89985c7ab1e03f Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 22:09:52 +0100 +Subject: [PATCH 4/7] Cryptomount support plain dm-crypt + +Patch modified to take into account a change to context +brought about by c93d3e694713b8230fa2cf88414fabe005b56782 + +grub-core/disk/cryptodisk.c +142c142 +< if (disklast) +--- +> +--- + grub-core/disk/cryptodisk.c | 298 +++++++++++++++++++++++++++++++++++++++++++- + grub-core/disk/luks.c | 195 +---------------------------- + include/grub/cryptodisk.h | 8 ++ + 3 files changed, 310 insertions(+), 191 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 5261af547..7f656f75c 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -45,6 +45,12 @@ static const struct grub_arg_option options[] = + {"keyfile", 'k', 0, N_("Key file"), 0, ARG_TYPE_STRING}, + {"keyfile-offset", 'O', 0, N_("Key file offset (bytes)"), 0, ARG_TYPE_INT}, + {"keyfile-size", 'S', 0, N_("Key file data size (bytes)"), 0, ARG_TYPE_INT}, ++ {"plain", 'p', 0, N_("Plain (no LUKS header)"), 0, ARG_TYPE_NONE}, ++ {"cipher", 'c', 0, N_("Plain mode cipher"), 0, ARG_TYPE_STRING}, ++ {"digest", 'd', 0, N_("Plain mode passphrase digest (hash)"), 0, ARG_TYPE_STRING}, ++ {"offset", 'o', 0, N_("Plain mode data sector offset"), 0, ARG_TYPE_INT}, ++ {"size", 's', 0, N_("Size of raw device (sectors, defaults to whole device)"), 0, ARG_TYPE_INT}, ++ {"key-size", 'K', 0, N_("Set key size (bits)"), 0, ARG_TYPE_INT}, + {0, 0, 0, 0, 0, 0} + }; + +@@ -933,6 +939,48 @@ grub_cryptodisk_scan_device (const char *name, + return have_it && search_uuid ? 1 : 0; + } + ++/* Hashes a passphrase into a key and stores it with cipher. */ ++static gcry_err_code_t ++set_passphrase (grub_cryptodisk_t dev, grub_size_t keysize, const char *passphrase) ++{ ++ grub_uint8_t derived_hash[GRUB_CRYPTODISK_MAX_KEYLEN * 2], *dh = derived_hash; ++ char *p; ++ unsigned int round, i; ++ unsigned int len, size; ++ ++ /* Need no passphrase if there's no key */ ++ if (keysize == 0) ++ return GPG_ERR_INV_KEYLEN; ++ ++ /* Hack to support the "none" hash */ ++ if (dev->hash) ++ len = dev->hash->mdlen; ++ else ++ len = grub_strlen (passphrase); ++ ++ if (keysize > GRUB_CRYPTODISK_MAX_KEYLEN || len > GRUB_CRYPTODISK_MAX_KEYLEN) ++ return GPG_ERR_INV_KEYLEN; ++ ++ p = grub_malloc (grub_strlen (passphrase) + 2 + keysize / len); ++ if (!p) ++ return grub_errno; ++ ++ for (round = 0, size = keysize; size; round++, dh += len, size -= len) ++ { ++ for (i = 0; i < round; i++) ++ p[i] = 'A'; ++ ++ grub_strcpy (p + i, passphrase); ++ ++ if (len > size) ++ len = size; ++ ++ grub_crypto_hash (dev->hash, dh, p, grub_strlen (p)); ++ } ++ ++ return grub_cryptodisk_setkey (dev, derived_hash, keysize); ++} ++ + static grub_err_t + grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + { +@@ -1060,7 +1108,63 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + return GRUB_ERR_NONE; + } + +- err = grub_cryptodisk_scan_device_real (diskname, disk); ++ if (state[7].set) /* Plain mode */ ++ { ++ char *cipher; ++ char *mode; ++ char *digest; ++ int offset, size, key_size; ++ ++ cipher = grub_strdup (state[8].set ? state[8].arg : GRUB_CRYPTODISK_PLAIN_CIPHER); ++ digest = grub_strdup (state[9].set ? state[9].arg : GRUB_CRYPTODISK_PLAIN_DIGEST); ++ offset = state[10].set ? grub_strtoul (state[10].arg, 0, 0) : 0; ++ size = state[11].set ? grub_strtoul (state[11].arg, 0, 0) : 0; ++ key_size = ( state[12].set ? grub_strtoul (state[12].arg, 0, 0) \ ++ : GRUB_CRYPTODISK_PLAIN_KEYSIZE ) / 8; ++ ++ /* no strtok, do it manually */ ++ mode = grub_strchr(cipher,'-'); ++ if (!mode) ++ return GRUB_ERR_BAD_ARGUMENT; ++ else ++ *mode++ = 0; ++ ++ dev = grub_cryptodisk_create (disk, NULL, cipher, mode, digest); ++ ++ dev->offset = offset; ++ if (size) dev->total_length = size; ++ ++ if (key) ++ { ++ err = grub_cryptodisk_setkey (dev, key, key_size); ++ if (err) ++ return err; ++ } ++ else ++ { ++ char passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; ++ ++ grub_printf_ (N_("Enter passphrase for %s: "), diskname); ++ if (!grub_password_get (passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) ++ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); ++ ++ err = set_passphrase (dev, key_size, passphrase); ++ if (err) ++ { ++ grub_crypto_cipher_close (dev->cipher); ++ return err; ++ } ++ } ++ ++ grub_cryptodisk_insert (dev, diskname, disk); ++ ++ grub_free (cipher); ++ grub_free (digest); ++ ++ err = GRUB_ERR_NONE; ++ } ++ else ++ err = grub_cryptodisk_scan_device_real (diskname, disk); + + grub_disk_close (disk); + if (disklast) +@@ -1193,13 +1297,203 @@ struct grub_procfs_entry luks_script = + .get_contents = luks_script_get + }; + ++grub_cryptodisk_t ++grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *hashspec) ++{ ++ grub_cryptodisk_t newdev; ++ char *cipheriv = NULL; ++ grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; ++ grub_crypto_cipher_handle_t essiv_cipher = NULL; ++ const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; ++ const struct gcry_cipher_spec *ciph; ++ grub_cryptodisk_mode_t mode; ++ grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ int benbi_log = 0; ++ ++ if (!uuid) ++ uuid = (char*)"00000000000000000000000000000000"; ++ ++ ciph = grub_crypto_lookup_cipher_by_name (ciphername); ++ if (!ciph) ++ { ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", ++ ciphername); ++ return NULL; ++ } ++ ++ /* Configure the cipher used for the bulk data. */ ++ cipher = grub_crypto_cipher_open (ciph); ++ if (!cipher) ++ return NULL; ++ ++ /* Configure the cipher mode. */ ++ if (grub_strcmp (ciphermode, "ecb") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_ECB; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_strcmp (ciphermode, "plain") == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ cipheriv = NULL; ++ } ++ else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_CBC; ++ cipheriv = ciphermode + sizeof ("cbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_PCBC; ++ cipheriv = ciphermode + sizeof ("pcbc-") - 1; ++ } ++ else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_XTS; ++ cipheriv = ciphermode + sizeof ("xts-") - 1; ++ secondary_cipher = grub_crypto_cipher_open (ciph); ++ if (!secondary_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", ++ secondary_cipher->cipher->blocksize); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) ++ { ++ mode = GRUB_CRYPTODISK_MODE_LRW; ++ cipheriv = ciphermode + sizeof ("lrw-") - 1; ++ if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) ++ { ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", ++ cipher->cipher->blocksize); ++ grub_crypto_cipher_close (cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", ++ ciphermode); ++ return NULL; ++ } ++ ++ if (cipheriv == NULL); ++ else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; ++ else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; ++ else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) ++ { ++ if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) ++ || cipher->cipher->blocksize == 0) ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", ++ cipher->cipher->blocksize); ++ /* FIXME should we return an error here? */ ++ for (benbi_log = 0; ++ (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; ++ benbi_log++); ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; ++ } ++ else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; ++ else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) ++ { ++ char *hash_str = cipheriv + 6; ++ ++ mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; ++ ++ /* Configure the hash and cipher used for ESSIV. */ ++ essiv_hash = grub_crypto_lookup_md_by_name (hash_str); ++ if (!essiv_hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, ++ "Couldn't load %s hash", hash_str); ++ return NULL; ++ } ++ essiv_cipher = grub_crypto_cipher_open (ciph); ++ if (!essiv_cipher) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ } ++ else ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", ++ cipheriv); ++ return NULL; ++ } ++ ++ /* Configure the passphrase hash (LUKS also uses AF splitter and HMAC). */ ++ hash = grub_crypto_lookup_md_by_name (hashspec); ++ if (!hash) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", ++ hashspec); ++ return NULL; ++ } ++ ++ newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); ++ if (!newdev) ++ { ++ grub_crypto_cipher_close (cipher); ++ grub_crypto_cipher_close (essiv_cipher); ++ grub_crypto_cipher_close (secondary_cipher); ++ return NULL; ++ } ++ newdev->cipher = cipher; ++ newdev->offset = 0; ++ newdev->source_disk = NULL; ++ newdev->benbi_log = benbi_log; ++ newdev->mode = mode; ++ newdev->mode_iv = mode_iv; ++ newdev->secondary_cipher = secondary_cipher; ++ newdev->essiv_cipher = essiv_cipher; ++ newdev->essiv_hash = essiv_hash; ++ newdev->hash = hash; ++ newdev->log_sector_size = 9; ++ newdev->total_length = grub_disk_get_size (disk) - newdev->offset; ++ grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); ++ COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); ++ ++ return newdev; ++} ++ + static grub_extcmd_t cmd; + + GRUB_MOD_INIT (cryptodisk) + { + grub_disk_dev_register (&grub_cryptodisk_dev); + cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0, +- N_("SOURCE|-u UUID|-a|-b|-H file"), ++ N_("SOURCE|-u UUID|-a|-b|-H file|-p -c cipher -d digest"), + N_("Mount a crypto device."), options); + grub_procfs_register ("luks_script", &luks_script); + } +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 11e437edb..4ebe21b4e 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -30,8 +30,6 @@ + + GRUB_MOD_LICENSE ("GPLv3+"); + +-#define MAX_PASSPHRASE 256 +- + #define LUKS_KEY_ENABLED 0x00AC71F3 + + /* On disk LUKS header */ +@@ -76,15 +74,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + char uuid[sizeof (header.uuid) + 1]; + char ciphername[sizeof (header.cipherName) + 1]; + char ciphermode[sizeof (header.cipherMode) + 1]; +- char *cipheriv = NULL; + char hashspec[sizeof (header.hashSpec) + 1]; +- grub_crypto_cipher_handle_t cipher = NULL, secondary_cipher = NULL; +- grub_crypto_cipher_handle_t essiv_cipher = NULL; +- const gcry_md_spec_t *hash = NULL, *essiv_hash = NULL; +- const struct gcry_cipher_spec *ciph; +- grub_cryptodisk_mode_t mode; +- grub_cryptodisk_mode_iv_t mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; +- int benbi_log = 0; + grub_err_t err; + + err = GRUB_ERR_NONE; +@@ -119,7 +109,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + iptr++) + { + if (*iptr != '-') +- *optr++ = *iptr; ++ *optr++ = *iptr; + } + *optr = 0; + +@@ -129,6 +119,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + return NULL; + } + ++ + /* Make sure that strings are null terminated. */ + grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); + ciphername[sizeof (header.cipherName)] = 0; +@@ -137,184 +128,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); + hashspec[sizeof (header.hashSpec)] = 0; + +- ciph = grub_crypto_lookup_cipher_by_name (ciphername); +- if (!ciph) +- { +- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Cipher %s isn't available", +- ciphername); +- return NULL; +- } +- +- /* Configure the cipher used for the bulk data. */ +- cipher = grub_crypto_cipher_open (ciph); +- if (!cipher) +- return NULL; +- +- if (grub_be_to_cpu32 (header.keyBytes) > 1024) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "invalid keysize %d", +- grub_be_to_cpu32 (header.keyBytes)); +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- +- /* Configure the cipher mode. */ +- if (grub_strcmp (ciphermode, "ecb") == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_ECB; +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- cipheriv = NULL; +- } +- else if (grub_strcmp (ciphermode, "plain") == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_CBC; +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- cipheriv = NULL; +- } +- else if (grub_memcmp (ciphermode, "cbc-", sizeof ("cbc-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_CBC; +- cipheriv = ciphermode + sizeof ("cbc-") - 1; +- } +- else if (grub_memcmp (ciphermode, "pcbc-", sizeof ("pcbc-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_PCBC; +- cipheriv = ciphermode + sizeof ("pcbc-") - 1; +- } +- else if (grub_memcmp (ciphermode, "xts-", sizeof ("xts-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_XTS; +- cipheriv = ciphermode + sizeof ("xts-") - 1; +- secondary_cipher = grub_crypto_cipher_open (ciph); +- if (!secondary_cipher) +- { +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", +- cipher->cipher->blocksize); +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- if (secondary_cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_crypto_cipher_close (cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported XTS block size: %d", +- secondary_cipher->cipher->blocksize); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- } +- else if (grub_memcmp (ciphermode, "lrw-", sizeof ("lrw-") - 1) == 0) +- { +- mode = GRUB_CRYPTODISK_MODE_LRW; +- cipheriv = ciphermode + sizeof ("lrw-") - 1; +- if (cipher->cipher->blocksize != GRUB_CRYPTODISK_GF_BYTES) +- { +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported LRW block size: %d", +- cipher->cipher->blocksize); +- grub_crypto_cipher_close (cipher); +- return NULL; +- } +- } +- else +- { +- grub_crypto_cipher_close (cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown cipher mode: %s", +- ciphermode); +- return NULL; +- } +- +- if (cipheriv == NULL); +- else if (grub_memcmp (cipheriv, "plain", sizeof ("plain") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN; +- else if (grub_memcmp (cipheriv, "plain64", sizeof ("plain64") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_PLAIN64; +- else if (grub_memcmp (cipheriv, "benbi", sizeof ("benbi") - 1) == 0) +- { +- if (cipher->cipher->blocksize & (cipher->cipher->blocksize - 1) +- || cipher->cipher->blocksize == 0) +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unsupported benbi blocksize: %d", +- cipher->cipher->blocksize); +- /* FIXME should we return an error here? */ +- for (benbi_log = 0; +- (cipher->cipher->blocksize << benbi_log) < GRUB_DISK_SECTOR_SIZE; +- benbi_log++); +- mode_iv = GRUB_CRYPTODISK_MODE_IV_BENBI; +- } +- else if (grub_memcmp (cipheriv, "null", sizeof ("null") - 1) == 0) +- mode_iv = GRUB_CRYPTODISK_MODE_IV_NULL; +- else if (grub_memcmp (cipheriv, "essiv:", sizeof ("essiv:") - 1) == 0) +- { +- char *hash_str = cipheriv + 6; +- +- mode_iv = GRUB_CRYPTODISK_MODE_IV_ESSIV; +- +- /* Configure the hash and cipher used for ESSIV. */ +- essiv_hash = grub_crypto_lookup_md_by_name (hash_str); +- if (!essiv_hash) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_FILE_NOT_FOUND, +- "Couldn't load %s hash", hash_str); +- return NULL; +- } +- essiv_cipher = grub_crypto_cipher_open (ciph); +- if (!essiv_cipher) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- } +- else +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_BAD_ARGUMENT, "Unknown IV mode: %s", +- cipheriv); +- return NULL; +- } +- +- /* Configure the hash used for the AF splitter and HMAC. */ +- hash = grub_crypto_lookup_md_by_name (hashspec); +- if (!hash) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (essiv_cipher); +- grub_crypto_cipher_close (secondary_cipher); +- grub_error (GRUB_ERR_FILE_NOT_FOUND, "Couldn't load %s hash", +- hashspec); +- return NULL; +- } ++ newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); + +- newdev = grub_zalloc (sizeof (struct grub_cryptodisk)); +- if (!newdev) +- { +- grub_crypto_cipher_close (cipher); +- grub_crypto_cipher_close (essiv_cipher); +- grub_crypto_cipher_close (secondary_cipher); +- return NULL; +- } +- newdev->cipher = cipher; + newdev->offset = grub_be_to_cpu32 (header.payloadOffset); +- newdev->source_disk = NULL; +- newdev->benbi_log = benbi_log; +- newdev->mode = mode; +- newdev->mode_iv = mode_iv; +- newdev->secondary_cipher = secondary_cipher; +- newdev->essiv_cipher = essiv_cipher; +- newdev->essiv_hash = essiv_hash; +- newdev->hash = hash; +- newdev->log_sector_size = 9; +- newdev->total_length = grub_disk_get_size (disk) - newdev->offset; +- grub_memcpy (newdev->uuid, uuid, sizeof (newdev->uuid)); + newdev->modname = "luks"; +- COMPILE_TIME_ASSERT (sizeof (newdev->uuid) >= sizeof (uuid)); + + return newdev; + } +@@ -329,7 +146,7 @@ luks_recover_key (grub_disk_t source, + struct grub_luks_phdr header; + grub_size_t keysize; + grub_uint8_t *split_key = NULL; +- char interactive_passphrase[MAX_PASSPHRASE] = ""; ++ char interactive_passphrase[GRUB_CRYPTODISK_MAX_PASSPHRASE] = ""; + grub_uint8_t *passphrase; + grub_size_t passphrase_length; + grub_uint8_t candidate_digest[sizeof (header.mkDigest)]; +@@ -376,7 +193,7 @@ luks_recover_key (grub_disk_t source, + /* Use bytestring from key file as passphrase */ + passphrase = keyfile_bytes; + passphrase_length = keyfile_bytes_size; +- keyfile_bytes = NULL; /* use it only once */ ++ keyfile_bytes = NULL; /* use it only once */ + } + else + { +@@ -387,7 +204,7 @@ luks_recover_key (grub_disk_t source, + grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name, + source->partition ? "," : "", tmp ? : "", dev->uuid); + grub_free (tmp); +- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE)) ++ if (!grub_password_get (interactive_passphrase, GRUB_CRYPTODISK_MAX_PASSPHRASE)) + { + grub_free (split_key); + return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied"); +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index 67f6b0b59..bb25ab730 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -54,9 +54,14 @@ typedef enum + #define GRUB_CRYPTODISK_GF_LOG_BYTES (GRUB_CRYPTODISK_GF_LOG_SIZE - 3) + #define GRUB_CRYPTODISK_GF_BYTES (1U << GRUB_CRYPTODISK_GF_LOG_BYTES) + #define GRUB_CRYPTODISK_MAX_KEYLEN 128 ++#define GRUB_CRYPTODISK_MAX_PASSPHRASE 256 + + #define GRUB_CRYPTODISK_MAX_KEYFILE_SIZE 8192 + ++#define GRUB_CRYPTODISK_PLAIN_CIPHER "aes-cbc-essiv:sha256" ++#define GRUB_CRYPTODISK_PLAIN_DIGEST "ripemd160" ++#define GRUB_CRYPTODISK_PLAIN_KEYSIZE 256 ++ + struct grub_cryptodisk; + + typedef gcry_err_code_t +@@ -160,4 +165,7 @@ grub_util_get_geli_uuid (const char *dev); + grub_cryptodisk_t grub_cryptodisk_get_by_uuid (const char *uuid); + grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + ++grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, ++ char *ciphername, char *ciphermode, char *digest); ++ + #endif +-- +2.16.2 + diff --git a/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch b/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch deleted file mode 100644 index 22d62926fa74..000000000000 --- a/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch +++ /dev/null @@ -1,140 +0,0 @@ -From 734668238fcc0ef691a080839e04f33854fa133a Mon Sep 17 00:00:00 2001 -From: Eric Biggers <ebiggers@google.com> -Date: Thu, 29 Jun 2017 13:27:49 +0000 -Subject: Allow GRUB to mount ext2/3/4 filesystems that have the encryption - feature. - -On such a filesystem, inodes may have EXT4_ENCRYPT_FLAG set. -For a regular file, this means its contents are encrypted; for a -directory, this means the filenames in its directory entries are -encrypted; and for a symlink, this means its target is encrypted. Since -GRUB cannot decrypt encrypted contents or filenames, just issue an error -if it would need to do so. This is sufficient to allow unencrypted boot -files to co-exist with encrypted files elsewhere on the filesystem. - -(Note that encrypted regular files and symlinks will not normally be -encountered outside an encrypted directory; however, it's possible via -hard links, so they still need to be handled.) - -Tested by booting from an ext4 /boot partition on which I had run -'tune2fs -O encrypt'. I also verified that the expected error messages -are printed when trying to access encrypted directories, files, and -symlinks from the GRUB command line. Also ran 'sudo ./grub-fs-tester -ext4_encrypt'; note that this requires e2fsprogs v1.43+ and Linux v4.1+. - -Signed-off-by: Eric Biggers <ebiggers@google.com> ---- - grub-core/fs/ext2.c | 23 ++++++++++++++++++++++- - tests/ext234_test.in | 1 + - tests/util/grub-fs-tester.in | 10 ++++++++++ - 3 files changed, 33 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/ext2.c b/grub-core/fs/ext2.c -index cdce63b..b8ad75a 100644 ---- a/grub-core/fs/ext2.c -+++ b/grub-core/fs/ext2.c -@@ -102,6 +102,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); - #define EXT4_FEATURE_INCOMPAT_64BIT 0x0080 - #define EXT4_FEATURE_INCOMPAT_MMP 0x0100 - #define EXT4_FEATURE_INCOMPAT_FLEX_BG 0x0200 -+#define EXT4_FEATURE_INCOMPAT_ENCRYPT 0x10000 - - /* The set of back-incompatible features this driver DOES support. Add (OR) - * flags here as the related features are implemented into the driver. */ -@@ -109,7 +110,8 @@ GRUB_MOD_LICENSE ("GPLv3+"); - | EXT4_FEATURE_INCOMPAT_EXTENTS \ - | EXT4_FEATURE_INCOMPAT_FLEX_BG \ - | EXT2_FEATURE_INCOMPAT_META_BG \ -- | EXT4_FEATURE_INCOMPAT_64BIT) -+ | EXT4_FEATURE_INCOMPAT_64BIT \ -+ | EXT4_FEATURE_INCOMPAT_ENCRYPT) - /* List of rationales for the ignored "incompatible" features: - * needs_recovery: Not really back-incompatible - was added as such to forbid - * ext2 drivers from mounting an ext3 volume with a dirty -@@ -138,6 +140,7 @@ GRUB_MOD_LICENSE ("GPLv3+"); - #define EXT3_JOURNAL_FLAG_DELETED 4 - #define EXT3_JOURNAL_FLAG_LAST_TAG 8 - -+#define EXT4_ENCRYPT_FLAG 0x800 - #define EXT4_EXTENTS_FLAG 0x80000 - - /* The ext2 superblock. */ -@@ -706,6 +709,12 @@ grub_ext2_read_symlink (grub_fshelp_node_t node) - grub_ext2_read_inode (diro->data, diro->ino, &diro->inode); - if (grub_errno) - return 0; -+ -+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) -+ { -+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "symlink is encrypted"); -+ return 0; -+ } - } - - symlink = grub_malloc (grub_le_to_cpu32 (diro->inode.size) + 1); -@@ -749,6 +758,12 @@ grub_ext2_iterate_dir (grub_fshelp_node_t dir, - return 0; - } - -+ if (diro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) -+ { -+ grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "directory is encrypted"); -+ return 0; -+ } -+ - /* Search the file. */ - while (fpos < grub_le_to_cpu32 (diro->inode.size)) - { -@@ -859,6 +874,12 @@ grub_ext2_open (struct grub_file *file, const char *name) - goto fail; - } - -+ if (fdiro->inode.flags & grub_cpu_to_le32_compile_time (EXT4_ENCRYPT_FLAG)) -+ { -+ err = grub_error (GRUB_ERR_NOT_IMPLEMENTED_YET, "file is encrypted"); -+ goto fail; -+ } -+ - grub_memcpy (data->inode, &fdiro->inode, sizeof (struct grub_ext2_inode)); - grub_free (fdiro); - -diff --git a/tests/ext234_test.in b/tests/ext234_test.in -index 892b99c..4f1eb52 100644 ---- a/tests/ext234_test.in -+++ b/tests/ext234_test.in -@@ -30,3 +30,4 @@ fi - "@builddir@/grub-fs-tester" ext3 - "@builddir@/grub-fs-tester" ext4 - "@builddir@/grub-fs-tester" ext4_metabg -+"@builddir@/grub-fs-tester" ext4_encrypt -diff --git a/tests/util/grub-fs-tester.in b/tests/util/grub-fs-tester.in -index 88cbe73..fd7e0f1 100644 ---- a/tests/util/grub-fs-tester.in -+++ b/tests/util/grub-fs-tester.in -@@ -156,6 +156,12 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do - # Could go further but what's the point? - MAXBLKSIZE=$((65536*1024)) - ;; -+ xext4_encrypt) -+ # OS LIMITATION: Linux currently only allows the 'encrypt' feature -+ # in combination with block_size = PAGE_SIZE (4096 bytes on x86). -+ MINBLKSIZE=$(getconf PAGE_SIZE) -+ MAXBLKSIZE=$MINBLKSIZE -+ ;; - xext*) - MINBLKSIZE=1024 - if [ $MINBLKSIZE -lt $SECSIZE ]; then -@@ -796,6 +802,10 @@ for LOGSECSIZE in $(range "$MINLOGSECSIZE" "$MAXLOGSECSIZE" 1); do - MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O meta_bg,^resize_inode -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" - MOUNTFS=ext4 - ;; -+ xext4_encrypt) -+ MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.ext4" -O encrypt -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" -+ MOUNTFS=ext4 -+ ;; - xext*) - MKE2FS_DEVICE_SECTSIZE=$SECSIZE "mkfs.$fs" -b $BLKSIZE -L "$FSLABEL" -q "${MOUNTDEVICE}" ;; - xxfs) --- -cgit v1.0-41-gc330 - diff --git a/0005-Cryptomount-support-for-hyphens-in-UUID.patch b/0005-Cryptomount-support-for-hyphens-in-UUID.patch new file mode 100644 index 000000000000..f6ed18a66d7b --- /dev/null +++ b/0005-Cryptomount-support-for-hyphens-in-UUID.patch @@ -0,0 +1,122 @@ +From 0939fef502c4b97d1facc7972a54d5dfeba4ab71 Mon Sep 17 00:00:00 2001 +From: John Lane <john@lane.uk.net> +Date: Fri, 26 Jun 2015 22:48:03 +0100 +Subject: [PATCH 5/7] Cryptomount support for hyphens in UUID + +--- + grub-core/disk/cryptodisk.c | 20 +++++++++++++++++--- + grub-core/disk/luks.c | 26 ++++++++------------------ + include/grub/cryptodisk.h | 2 ++ + 3 files changed, 27 insertions(+), 21 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index 7f656f75c..c442d3a34 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -114,6 +114,20 @@ gf_mul_be (grub_uint8_t *o, const grub_uint8_t *a, const grub_uint8_t *b) + } + } + ++int ++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b) ++{ ++ while ((*uuid_a != '\0') && (*uuid_b != '\0')) ++ { ++ while (*uuid_a == '-') uuid_a++; ++ while (*uuid_b == '-') uuid_b++; ++ if (grub_toupper(*uuid_a) != grub_toupper(*uuid_b)) break; ++ uuid_a++; ++ uuid_b++; ++ } ++ return (*uuid_a == '\0') && (*uuid_b == '\0'); ++} ++ + static gcry_err_code_t + grub_crypto_pcbc_decrypt (grub_crypto_cipher_handle_t cipher, + void *out, void *in, grub_size_t size, +@@ -509,8 +523,8 @@ grub_cryptodisk_open (const char *name, grub_disk_t disk) + if (grub_memcmp (name, "cryptouuid/", sizeof ("cryptouuid/") - 1) == 0) + { + for (dev = cryptodisk_list; dev != NULL; dev = dev->next) +- if (grub_strcasecmp (name + sizeof ("cryptouuid/") - 1, dev->uuid) == 0) +- break; ++ if (grub_cryptodisk_uuidcmp(name + sizeof ("cryptouuid/") - 1, dev->uuid)) ++ break; + } + else + { +@@ -742,7 +756,7 @@ grub_cryptodisk_get_by_uuid (const char *uuid) + { + grub_cryptodisk_t dev; + for (dev = cryptodisk_list; dev != NULL; dev = dev->next) +- if (grub_strcasecmp (dev->uuid, uuid) == 0) ++ if (grub_cryptodisk_uuidcmp(dev->uuid, uuid)) + return dev; + return NULL; + } +diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c +index 4ebe21b4e..80a760670 100644 +--- a/grub-core/disk/luks.c ++++ b/grub-core/disk/luks.c +@@ -68,9 +68,7 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + int check_boot, grub_file_t hdr) + { + grub_cryptodisk_t newdev; +- const char *iptr; + struct grub_luks_phdr header; +- char *optr; + char uuid[sizeof (header.uuid) + 1]; + char ciphername[sizeof (header.cipherName) + 1]; + char ciphermode[sizeof (header.cipherMode) + 1]; +@@ -104,22 +102,6 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + || grub_be_to_cpu16 (header.version) != 1) + return NULL; + +- optr = uuid; +- for (iptr = header.uuid; iptr < &header.uuid[ARRAY_SIZE (header.uuid)]; +- iptr++) +- { +- if (*iptr != '-') +- *optr++ = *iptr; +- } +- *optr = 0; +- +- if (check_uuid && grub_strcasecmp (check_uuid, uuid) != 0) +- { +- grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); +- return NULL; +- } +- +- + /* Make sure that strings are null terminated. */ + grub_memcpy (ciphername, header.cipherName, sizeof (header.cipherName)); + ciphername[sizeof (header.cipherName)] = 0; +@@ -127,6 +109,14 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid, + ciphermode[sizeof (header.cipherMode)] = 0; + grub_memcpy (hashspec, header.hashSpec, sizeof (header.hashSpec)); + hashspec[sizeof (header.hashSpec)] = 0; ++ grub_memcpy (uuid, header.uuid, sizeof (header.uuid)); ++ uuid[sizeof (header.uuid)] = 0; ++ ++ if ( check_uuid && ! grub_cryptodisk_uuidcmp(check_uuid, uuid)) ++ { ++ grub_dprintf ("luks", "%s != %s\n", uuid, check_uuid); ++ return NULL; ++ } + + newdev = grub_cryptodisk_create (disk, uuid, ciphername, ciphermode, hashspec); + +diff --git a/include/grub/cryptodisk.h b/include/grub/cryptodisk.h +index bb25ab730..01c02696e 100644 +--- a/include/grub/cryptodisk.h ++++ b/include/grub/cryptodisk.h +@@ -168,4 +168,6 @@ grub_cryptodisk_t grub_cryptodisk_get_by_source_disk (grub_disk_t disk); + grub_cryptodisk_t grub_cryptodisk_create (grub_disk_t disk, char *uuid, + char *ciphername, char *ciphermode, char *digest); + ++int ++grub_cryptodisk_uuidcmp(char *uuid_a, char *uuid_b); + #endif +-- +2.16.2 + diff --git a/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch new file mode 100644 index 000000000000..49750f84aca2 --- /dev/null +++ b/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch @@ -0,0 +1,108 @@ +From 908f4282cc934422923ff59836a835e63d6a7117 Mon Sep 17 00:00:00 2001 +From: Paul Gideon Dann <pdgiddie@gmail.com> +Date: Tue, 19 Jul 2016 12:36:37 +0100 +Subject: [PATCH] Add support for using a whole device as a keyfile + +--- + grub-core/disk/cryptodisk.c | 86 +++++++++++++++++++++++++++++-------- + 1 file changed, 68 insertions(+), 18 deletions(-) + +diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c +index d0388c6d1..c5d8021ba 100644 +--- a/grub-core/disk/cryptodisk.c ++++ b/grub-core/disk/cryptodisk.c +@@ -1031,26 +1031,76 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args) + else + { + keyfile_offset = state[5].set ? grub_strtoul (state[5].arg, 0, 0) : 0; +- keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ +- GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; +- +- keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); +- if (!keyfile) +- grub_printf (N_("Unable to open key file %s\n"), state[4].arg); +- else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) +- grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); +- else ++ ++ if (grub_strchr (state[4].arg, '/')) + { +- keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); +- if (keyfile_size == (grub_size_t)-1) +- grub_printf (N_("Error reading key file\n")); +- else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) +- grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), +- (unsigned long long) requested_keyfile_size, +- (unsigned long long) keyfile_size); ++ keyfile_size = requested_keyfile_size ? requested_keyfile_size : \ ++ GRUB_CRYPTODISK_MAX_KEYFILE_SIZE; ++ keyfile = grub_file_open (state[4].arg, GRUB_FILE_TYPE_NONE); ++ if (!keyfile) ++ grub_printf (N_("Unable to open key file %s\n"), state[4].arg); ++ else if (grub_file_seek (keyfile, keyfile_offset) == (grub_off_t)-1) ++ grub_printf (N_("Unable to seek to offset %d in key file\n"), keyfile_offset); + else +- key = keyfile_buffer; +- } ++ { ++ keyfile_size = grub_file_read (keyfile, keyfile_buffer, keyfile_size); ++ if (keyfile_size == (grub_size_t)-1) ++ grub_printf (N_("Error reading key file\n")); ++ else if (requested_keyfile_size && (keyfile_size != requested_keyfile_size)) ++ grub_printf (N_("Cannot read %llu bytes for key file (read %llu bytes)\n"), ++ (unsigned long long) requested_keyfile_size, ++ (unsigned long long) keyfile_size); ++ else ++ key = keyfile_buffer; ++ } ++ } ++ else ++ { ++ grub_disk_t keydisk; ++ char* keydisk_name; ++ grub_err_t err; ++ grub_uint64_t total_sectors; ++ ++ keydisk_name = grub_file_get_device_name(state[4].arg); ++ keydisk = grub_disk_open (keydisk_name); ++ if (!keydisk) ++ { ++ grub_printf (N_("Unable to open disk %s\n"), keydisk_name); ++ goto cleanup_keydisk_name; ++ } ++ ++ total_sectors = grub_disk_get_size (keydisk); ++ if (total_sectors == GRUB_DISK_SIZE_UNKNOWN) ++ { ++ grub_printf (N_("Unable to determine size of disk %s\n"), keydisk_name); ++ goto cleanup_keydisk; ++ } ++ ++ keyfile_size = (total_sectors << GRUB_DISK_SECTOR_BITS); ++ if (requested_keyfile_size > 0 && requested_keyfile_size < keyfile_size) ++ keyfile_size = requested_keyfile_size; ++ if (keyfile_size > GRUB_CRYPTODISK_MAX_KEYFILE_SIZE) ++ { ++ grub_printf (N_("Key file size exceeds maximum (%llu)\n"), \ ++ (unsigned long long) GRUB_CRYPTODISK_MAX_KEYFILE_SIZE); ++ goto cleanup_keydisk; ++ } ++ ++ err = grub_disk_read (keydisk, 0, keyfile_offset, keyfile_size, keyfile_buffer); ++ if (err != GRUB_ERR_NONE) ++ { ++ grub_printf (N_("Failed to read from disk %s\n"), keydisk_name); ++ keyfile_size = 0; ++ goto cleanup_keydisk; ++ } ++ ++ key = keyfile_buffer; ++ ++ cleanup_keydisk: ++ grub_disk_close (keydisk); ++ cleanup_keydisk_name: ++ grub_free (keydisk_name); ++ } + } + } + diff --git a/0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch b/0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch deleted file mode 100644 index 38dcddad6ab0..000000000000 --- a/0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch +++ /dev/null @@ -1,31 +0,0 @@ -From 446794de8da4329ea532cbee4ca877bcafd0e534 Mon Sep 17 00:00:00 2001 -From: "David E. Box" <david.e.box@linux.intel.com> -Date: Fri, 15 Sep 2017 15:37:05 -0700 -Subject: tsc: Change default tsc calibration method to pmtimer on EFI systems - -On efi systems, make pmtimer based tsc calibration the default over the -pit. This prevents Grub from hanging on Intel SoC systems that power gate -the pit. - -Signed-off-by: David E. Box <david.e.box@linux.intel.com> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> ---- - grub-core/kern/i386/tsc.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/grub-core/kern/i386/tsc.c b/grub-core/kern/i386/tsc.c -index 2e85289d8..f266eb131 100644 ---- a/grub-core/kern/i386/tsc.c -+++ b/grub-core/kern/i386/tsc.c -@@ -68,7 +68,7 @@ grub_tsc_init (void) - #ifdef GRUB_MACHINE_XEN - (void) (grub_tsc_calibrate_from_xen () || calibrate_tsc_hardcode()); - #elif defined (GRUB_MACHINE_EFI) -- (void) (grub_tsc_calibrate_from_pit () || grub_tsc_calibrate_from_pmtimer () || grub_tsc_calibrate_from_efi() || calibrate_tsc_hardcode()); -+ (void) (grub_tsc_calibrate_from_pmtimer () || grub_tsc_calibrate_from_pit () || grub_tsc_calibrate_from_efi() || calibrate_tsc_hardcode()); - #elif defined (GRUB_MACHINE_COREBOOT) - (void) (grub_tsc_calibrate_from_pmtimer () || grub_tsc_calibrate_from_pit () || calibrate_tsc_hardcode()); - #else --- -cgit v1.1-26-g67d0 - diff --git a/0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch b/0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch deleted file mode 100644 index a0c5cbc09418..000000000000 --- a/0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch +++ /dev/null @@ -1,177 +0,0 @@ -From a698240df0c43278b2d1d7259c8e7a6926c63112 Mon Sep 17 00:00:00 2001 -From: "Matthew S. Turnbull" <sparky@bluefang-logic.com> -Date: Sat, 24 Feb 2018 17:44:58 -0500 -Subject: grub-mkconfig/10_linux: Support multiple early initrd images - -Add support for multiple, shared, early initrd images. These early -images will be loaded in the order declared, and all will be loaded -before the initrd image. - -While many classes of data can be provided by early images, the -immediate use case would be for distributions to provide CPU -microcode to mitigate the Meltdown and Spectre vulnerabilities. - -There are two environment variables provided for declaring the early -images. - -* GRUB_EARLY_INITRD_LINUX_STOCK is for the distribution declare - images that are provided by the distribution or installed packages. - If undeclared, this will default to a set of common microcode image - names. - -* GRUB_EARLY_INITRD_LINUX_CUSTOM is for user created images. User - images will be loaded after the stock images. - -These separate configurations allow the distribution and user to -declare different image sets without clobbering each other. - -This also makes a minor update to ensure that UUID partition labels -stay disabled when no initrd image is found, even if early images are -present. - -This is a continuation of a previous patch published by Christian -Hesse in 2016: -http://lists.gnu.org/archive/html/grub-devel/2016-02/msg00025.html - -Down stream Gentoo bug: -https://bugs.gentoo.org/645088 - -Signed-off-by: Robin H. Johnson <robbat2@gentoo.org> -Signed-off-by: Matthew S. Turnbull <sparky@bluefang-logic.com> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> ---- - docs/grub.texi | 19 +++++++++++++++++++ - util/grub-mkconfig.in | 8 ++++++++ - util/grub.d/10_linux.in | 33 +++++++++++++++++++++++++++------ - 3 files changed, 54 insertions(+), 6 deletions(-) - -diff --git a/docs/grub.texi b/docs/grub.texi -index 137b894fa..65b4bbeda 100644 ---- a/docs/grub.texi -+++ b/docs/grub.texi -@@ -1398,6 +1398,25 @@ for all respectively normal entries. - The values of these options replace the values of @samp{GRUB_CMDLINE_LINUX} - and @samp{GRUB_CMDLINE_LINUX_DEFAULT} for Linux and Xen menu entries. - -+@item GRUB_EARLY_INITRD_LINUX_CUSTOM -+@itemx GRUB_EARLY_INITRD_LINUX_STOCK -+List of space-separated early initrd images to be loaded from @samp{/boot}. -+This is for loading things like CPU microcode, firmware, ACPI tables, crypto -+keys, and so on. These early images will be loaded in the order declared, -+and all will be loaded before the actual functional initrd image. -+ -+@samp{GRUB_EARLY_INITRD_LINUX_STOCK} is for your distribution to declare -+images that are provided by the distribution. It should not be modified -+without understanding the consequences. They will be loaded first. -+ -+@samp{GRUB_EARLY_INITRD_LINUX_CUSTOM} is for your custom created images. -+ -+The default stock images are as follows, though they may be overridden by -+your distribution: -+@example -+intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode.cpio -+@end example -+ - @item GRUB_DISABLE_LINUX_UUID - Normally, @command{grub-mkconfig} will generate menu entries that use - universally-unique identifiers (UUIDs) to identify the root filesystem to -diff --git a/util/grub-mkconfig.in b/util/grub-mkconfig.in -index f8496d28b..35ef583b0 100644 ---- a/util/grub-mkconfig.in -+++ b/util/grub-mkconfig.in -@@ -147,6 +147,12 @@ if [ x"$GRUB_FS" = xunknown ]; then - GRUB_FS="$(stat -f --printf=%T / || echo unknown)" - fi - -+# Provide a default set of stock linux early initrd images. -+# Define here so the list can be modified in the sourced config file. -+if [ "x${GRUB_EARLY_INITRD_LINUX_STOCK}" = "x" ]; then -+ GRUB_EARLY_INITRD_LINUX_STOCK="intel-uc.img intel-ucode.img amd-uc.img amd-ucode.img early_ucode.cpio microcode.cpio" -+fi -+ - if test -f ${sysconfdir}/default/grub ; then - . ${sysconfdir}/default/grub - fi -@@ -211,6 +217,8 @@ export GRUB_DEFAULT \ - GRUB_CMDLINE_NETBSD \ - GRUB_CMDLINE_NETBSD_DEFAULT \ - GRUB_CMDLINE_GNUMACH \ -+ GRUB_EARLY_INITRD_LINUX_CUSTOM \ -+ GRUB_EARLY_INITRD_LINUX_STOCK \ - GRUB_TERMINAL_INPUT \ - GRUB_TERMINAL_OUTPUT \ - GRUB_SERIAL_COMMAND \ -diff --git a/util/grub.d/10_linux.in b/util/grub.d/10_linux.in -index de9044c7f..faedf74e1 100644 ---- a/util/grub.d/10_linux.in -+++ b/util/grub.d/10_linux.in -@@ -136,9 +136,13 @@ EOF - if test -n "${initrd}" ; then - # TRANSLATORS: ramdisk isn't identifier. Should be translated. - message="$(gettext_printf "Loading initial ramdisk ...")" -+ initrd_path= -+ for i in ${initrd}; do -+ initrd_path="${initrd_path} ${rel_dirname}/${i}" -+ done - sed "s/^/$submenu_indentation/" << EOF - echo '$(echo "$message" | grub_quote)' -- initrd ${rel_dirname}/${initrd} -+ initrd $(echo $initrd_path) - EOF - fi - sed "s/^/$submenu_indentation/" << EOF -@@ -188,7 +192,15 @@ while [ "x$list" != "x" ] ; do - alt_version=`echo $version | sed -e "s,\.old$,,g"` - linux_root_device_thisversion="${LINUX_ROOT_DEVICE}" - -- initrd= -+ initrd_early= -+ for i in ${GRUB_EARLY_INITRD_LINUX_STOCK} \ -+ ${GRUB_EARLY_INITRD_LINUX_CUSTOM}; do -+ if test -e "${dirname}/${i}" ; then -+ initrd_early="${initrd_early} ${i}" -+ fi -+ done -+ -+ initrd_real= - for i in "initrd.img-${version}" "initrd-${version}.img" "initrd-${version}.gz" \ - "initrd-${version}" "initramfs-${version}.img" \ - "initrd.img-${alt_version}" "initrd-${alt_version}.img" \ -@@ -198,11 +210,22 @@ while [ "x$list" != "x" ] ; do - "initramfs-genkernel-${GENKERNEL_ARCH}-${version}" \ - "initramfs-genkernel-${GENKERNEL_ARCH}-${alt_version}"; do - if test -e "${dirname}/${i}" ; then -- initrd="$i" -+ initrd_real="${i}" - break - fi - done - -+ initrd= -+ if test -n "${initrd_early}" || test -n "${initrd_real}"; then -+ initrd="${initrd_early} ${initrd_real}" -+ -+ initrd_display= -+ for i in ${initrd}; do -+ initrd_display="${initrd_display} ${dirname}/${i}" -+ done -+ gettext_printf "Found initrd image: %s\n" "$(echo $initrd_display)" >&2 -+ fi -+ - config= - for i in "${dirname}/config-${version}" "${dirname}/config-${alt_version}" "/etc/kernels/kernel-config-${version}" ; do - if test -e "${i}" ; then -@@ -216,9 +239,7 @@ while [ "x$list" != "x" ] ; do - initramfs=`grep CONFIG_INITRAMFS_SOURCE= "${config}" | cut -f2 -d= | tr -d \"` - fi - -- if test -n "${initrd}" ; then -- gettext_printf "Found initrd image: %s\n" "${dirname}/${initrd}" >&2 -- elif test -z "${initramfs}" ; then -+ if test -z "${initramfs}" && test -z "${initrd_real}" ; then - # "UUID=" and "ZFS=" magic is parsed by initrd or initramfs. Since there's - # no initrd or builtin initramfs, it can't work here. - linux_root_device_thisversion=${GRUB_DEVICE} --- -cgit v1.1-33-g03f6 - diff --git a/0008-Fix-packed-not-aligned-error-on-GCC-8.patch b/0008-Fix-packed-not-aligned-error-on-GCC-8.patch deleted file mode 100644 index 2d09149f72d4..000000000000 --- a/0008-Fix-packed-not-aligned-error-on-GCC-8.patch +++ /dev/null @@ -1,72 +0,0 @@ -From 563b1da6e6ae7af46cc8354cadb5dab416989f0a Mon Sep 17 00:00:00 2001 -From: Michael Chang <mchang@suse.com> -Date: Mon, 26 Mar 2018 16:52:34 +0800 -Subject: Fix packed-not-aligned error on GCC 8 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -When building with GCC 8, there are several errors regarding packed-not-aligned. - -./include/grub/gpt_partition.h:79:1: error: alignment 1 of ‘struct grub_gpt_partentry’ is less than 8 [-Werror=packed-not-aligned] - -This patch fixes the build error by cleaning up the ambiguity of placing -aligned structure in a packed one. In "struct grub_btrfs_time" and "struct -grub_gpt_part_type", the aligned attribute seems to be superfluous, and also -has to be packed, to ensure the structure is bit-to-bit mapped to the format -laid on disk. I think we could blame to copy and paste error here for the -mistake. In "struct efi_variable", we have to use grub_efi_packed_guid_t, as -the name suggests. :) - -Signed-off-by: Michael Chang <mchang@suse.com> -Tested-by: Michael Chang <mchang@suse.com> -Tested-by: Paul Menzel <paulepanter@users.sourceforge.net> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> ---- - grub-core/fs/btrfs.c | 2 +- - include/grub/efiemu/runtime.h | 2 +- - include/grub/gpt_partition.h | 2 +- - 3 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/grub-core/fs/btrfs.c b/grub-core/fs/btrfs.c -index 4849c1ceb..be195448d 100644 ---- a/grub-core/fs/btrfs.c -+++ b/grub-core/fs/btrfs.c -@@ -175,7 +175,7 @@ struct grub_btrfs_time - { - grub_int64_t sec; - grub_uint32_t nanosec; --} __attribute__ ((aligned (4))); -+} GRUB_PACKED; - - struct grub_btrfs_inode - { -diff --git a/include/grub/efiemu/runtime.h b/include/grub/efiemu/runtime.h -index 9b6b729f4..36d2dedf4 100644 ---- a/include/grub/efiemu/runtime.h -+++ b/include/grub/efiemu/runtime.h -@@ -29,7 +29,7 @@ struct grub_efiemu_ptv_rel - - struct efi_variable - { -- grub_efi_guid_t guid; -+ grub_efi_packed_guid_t guid; - grub_uint32_t namelen; - grub_uint32_t size; - grub_efi_uint32_t attributes; -diff --git a/include/grub/gpt_partition.h b/include/grub/gpt_partition.h -index 1b32f6725..9668a68c3 100644 ---- a/include/grub/gpt_partition.h -+++ b/include/grub/gpt_partition.h -@@ -28,7 +28,7 @@ struct grub_gpt_part_type - grub_uint16_t data2; - grub_uint16_t data3; - grub_uint8_t data4[8]; --} __attribute__ ((aligned(8))); -+} GRUB_PACKED; - typedef struct grub_gpt_part_type grub_gpt_part_type_t; - - #define GRUB_GPT_PARTITION_TYPE_EMPTY \ --- -cgit v1.1-33-g03f6 - diff --git a/0009-xfs-Accept-filesystem-with-sparse-inodes.patch b/0009-xfs-Accept-filesystem-with-sparse-inodes.patch deleted file mode 100644 index 6c6a750b42f0..000000000000 --- a/0009-xfs-Accept-filesystem-with-sparse-inodes.patch +++ /dev/null @@ -1,60 +0,0 @@ -From cda0a857dd7a27cd5d621747464bfe71e8727fff Mon Sep 17 00:00:00 2001 -From: Daniel Kiper <daniel.kiper@oracle.com> -Date: Tue, 29 May 2018 16:16:02 +0200 -Subject: xfs: Accept filesystem with sparse inodes - -The sparse inode metadata format became a mkfs.xfs default in -xfsprogs-4.16.0, and such filesystems are now rejected by grub as -containing an incompatible feature. - -In essence, this feature allows xfs to allocate inodes into fragmented -freespace. (Without this feature, if xfs could not allocate contiguous -space for 64 new inodes, inode creation would fail.) - -In practice, the disk format change is restricted to the inode btree, -which as far as I can tell is not used by grub. If all you're doing -today is parsing a directory, reading an inode number, and converting -that inode number to a disk location, then ignoring this feature -should be fine, so I've added it to XFS_SB_FEAT_INCOMPAT_SUPPORTED - -I did some brief testing of this patch by hacking up the regression -tests to completely fragment freespace on the test xfs filesystem, and -then write a large-ish number of inodes to consume any existing -contiguous 64-inode chunk. This way any files the grub tests add and -traverse would be in such a fragmented inode allocation. Tests passed, -but I'm not sure how to cleanly integrate that into the test harness. - -Signed-off-by: Eric Sandeen <sandeen@redhat.com> -Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> -Tested-by: Chris Murphy <lists@colorremedies.com> ---- - grub-core/fs/xfs.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/grub-core/fs/xfs.c b/grub-core/fs/xfs.c -index c6031bd..3b00c74 100644 ---- a/grub-core/fs/xfs.c -+++ b/grub-core/fs/xfs.c -@@ -79,9 +79,18 @@ GRUB_MOD_LICENSE ("GPLv3+"); - #define XFS_SB_FEAT_INCOMPAT_SPINODES (1 << 1) /* sparse inode chunks */ - #define XFS_SB_FEAT_INCOMPAT_META_UUID (1 << 2) /* metadata UUID */ - --/* We do not currently verify metadata UUID so it is safe to read such filesystem */ -+/* -+ * Directory entries with ftype are explicitly handled by GRUB code. -+ * -+ * We do not currently read the inode btrees, so it is safe to read filesystems -+ * with the XFS_SB_FEAT_INCOMPAT_SPINODES feature. -+ * -+ * We do not currently verify metadata UUID, so it is safe to read filesystems -+ * with the XFS_SB_FEAT_INCOMPAT_META_UUID feature. -+ */ - #define XFS_SB_FEAT_INCOMPAT_SUPPORTED \ - (XFS_SB_FEAT_INCOMPAT_FTYPE | \ -+ XFS_SB_FEAT_INCOMPAT_SPINODES | \ - XFS_SB_FEAT_INCOMPAT_META_UUID) - - struct grub_xfs_sblock --- -cgit v1.0-41-gc330 - diff --git a/0010-relocation.patch b/0010-relocation.patch deleted file mode 100644 index 1aeae68493f7..000000000000 --- a/0010-relocation.patch +++ /dev/null @@ -1,65 +0,0 @@ -commit 842c390469e2c2e10b5aa36700324cd3bde25875 -Author: H.J. Lu <hjl.tools@gmail.com> -Date: Sat Feb 17 06:47:28 2018 -0800 - - x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32 - - Starting from binutils commit bd7ab16b4537788ad53521c45469a1bdae84ad4a: - - https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=bd7ab16b4537788ad53521c45469a1bdae84ad4a - - x86-64 assembler generates R_X86_64_PLT32, instead of R_X86_64_PC32, for - 32-bit PC-relative branches. Grub2 should treat R_X86_64_PLT32 as - R_X86_64_PC32. - - Signed-off-by: H.J. Lu <hjl.tools@gmail.com> - Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> - -diff --git a/grub-core/efiemu/i386/loadcore64.c b/grub-core/efiemu/i386/loadcore64.c -index e49d0b6ff..18facf47f 100644 ---- a/grub-core/efiemu/i386/loadcore64.c -+++ b/grub-core/efiemu/i386/loadcore64.c -@@ -98,6 +98,7 @@ grub_arch_efiemu_relocate_symbols64 (grub_efiemu_segment_t segs, - break; - - case R_X86_64_PC32: -+ case R_X86_64_PLT32: - err = grub_efiemu_write_value (addr, - *addr32 + rel->r_addend - + sym.off -diff --git a/grub-core/kern/x86_64/dl.c b/grub-core/kern/x86_64/dl.c -index 440690673..3a73e6e6c 100644 ---- a/grub-core/kern/x86_64/dl.c -+++ b/grub-core/kern/x86_64/dl.c -@@ -70,6 +70,7 @@ grub_arch_dl_relocate_symbols (grub_dl_t mod, void *ehdr, - break; - - case R_X86_64_PC32: -+ case R_X86_64_PLT32: - { - grub_int64_t value; - value = ((grub_int32_t) *addr32) + rel->r_addend + sym->st_value - -diff --git a/util/grub-mkimagexx.c b/util/grub-mkimagexx.c -index a2bb05439..39d7efb91 100644 ---- a/util/grub-mkimagexx.c -+++ b/util/grub-mkimagexx.c -@@ -841,6 +841,7 @@ SUFFIX (relocate_addresses) (Elf_Ehdr *e, Elf_Shdr *sections, - break; - - case R_X86_64_PC32: -+ case R_X86_64_PLT32: - { - grub_uint32_t *t32 = (grub_uint32_t *) target; - *t32 = grub_host_to_target64 (grub_target_to_host32 (*t32) -diff --git a/util/grub-module-verifier.c b/util/grub-module-verifier.c -index 9179285a5..a79271f66 100644 ---- a/util/grub-module-verifier.c -+++ b/util/grub-module-verifier.c -@@ -19,6 +19,7 @@ struct grub_module_verifier_arch archs[] = { - -1 - }, (int[]){ - R_X86_64_PC32, -+ R_X86_64_PLT32, - -1 - } - }, @@ -12,7 +12,7 @@ _GRUB_EMU_BUILD="0" _GRUB_EXTRAS_COMMIT="f2a079441939eee7251bf141986cdd78946e1d20" -_UNIFONT_VER="10.0.06" +_UNIFONT_VER="12.1.02" [[ "${CARCH}" == "x86_64" ]] && _EFI_ARCH="x86_64" [[ "${CARCH}" == "i686" ]] && _EFI_ARCH="i386" @@ -23,8 +23,8 @@ _UNIFONT_VER="10.0.06" _pkgname="grub" pkgname="grub-luks-keyfile" pkgdesc="GNU GRand Unified Bootloader (2) with crypto extensions to support for DMCrypt and LUKS volumes with detached headers and key files." -pkgver=2.02 -pkgrel=8 +pkgver=2.04 +pkgrel=1 epoch=2 url="https://www.gnu.org/software/grub/" arch=('x86_64') @@ -57,6 +57,7 @@ if [[ "${_GRUB_EMU_BUILD}" == "1" ]]; then fi validpgpkeys=('E53D497F3FA42AD8C9B4D1E835A93B74E82E4209' # Vladimir 'phcoder' Serbinenko <phcoder@gmail.com> + 'BE5C23209ACDDACEB20DB0A28C8189F1988C2166' # Daniel Kiper <dkiper@net-space.pl> '95D2E9AB8740D8046387FD151A09227B1F435A33') # Paul Hardy <unifoundry@unifoundry.com> source=("https://ftp.gnu.org/gnu/${_pkgname}/${_pkgname}-${pkgver}.tar.xz"{,.sig} @@ -64,42 +65,28 @@ source=("https://ftp.gnu.org/gnu/${_pkgname}/${_pkgname}-${pkgver}.tar.xz"{,.sig "https://ftp.gnu.org/gnu/unifont/unifont-${_UNIFONT_VER}/unifont-${_UNIFONT_VER}.bdf.gz"{,.sig} '0003-10_linux-detect-archlinux-initramfs.patch' '0004-add-GRUB_COLOR_variables.patch' - '0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch' - '0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch' - '0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch' - '0008-Fix-packed-not-aligned-error-on-GCC-8.patch' - 'https://grub.johnlane.ie/assets/0001-Cryptomount-support-LUKS-detached-header.patch' - 'https://grub.johnlane.ie/assets/0002-Cryptomount-support-key-files.patch' - 'https://grub.johnlane.ie/assets/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch' - 'https://grub.johnlane.ie/assets/0004-Cryptomount-support-plain-dm-crypt.patch' - 'https://grub.johnlane.ie/assets/0005-Cryptomount-support-for-hyphens-in-UUID.patch' - '0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch::https://github.com/johnlane/grub/pull/8.patch' - '0009-xfs-Accept-filesystem-with-sparse-inodes.patch' - '0010-relocation.patch' - 'grub.default' - 'grub.cfg') - -sha256sums=('810b3798d316394f94096ec2797909dbf23c858e48f7b3830826b8daa06b7b0f' + '0001-Cryptomount-support-LUKS-detached-header.patch' + '0002-Cryptomount-support-key-files.patch' + '0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch' + '0004-Cryptomount-support-plain-dm-crypt.patch' + '0005-Cryptomount-support-for-hyphens-in-UUID.patch' + '0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch' + 'grub.default') + +sha256sums=('e5292496995ad42dabe843a0192cf2a2c502e7ffcc7479398232b10a472df77d' 'SKIP' '2844601914cea6b1231eca0104853a93c4d67a5209933a0766f1475953300646' - '0d81571fc519573057b7641d26a31ead55cc0b02a931589fb346a3a534c3dcc1' + '04d652be1e28a6d464965c75c71ac84633085cd0960c2687466651c34c94bd89' 'SKIP' 'b41e4438319136b5e74e0abdfcb64ae115393e4e15207490272c425f54026dd3' 'a5198267ceb04dceb6d2ea7800281a42b3f91fd02da55d2cc9ea20d47273ca29' - '535422c510a050d41efe7720dbe54de29e04bdb8f86fd5aea5feb0b24f7abe46' - 'c38f2b2caae33008b35a37d8293d8bf13bf6fd779a4504925da1837fd007aeb5' - 'e43566c4fe3b1b87e677167323d4716b82ac0810410a9d8dc7fbf415c8db2b8a' - 'e84b8de569c7e6b73263758c35cf95c6516fde85d4ed451991427864f6a4e5a8' - 'f7790e7fd4641eed8347039ebb44b67a3f517f2bc4de213fe34d2ae887c03b92' - 'c1d042ca83f6ac64414f1d5df82fe324a46eaa842768fff214091b177ad30191' + 'b9d737d1b403b540a00a8e9c25240a06bb371da7588d3e665af8543397724698' + '5d7060fbe9738764d2f8ebc96b43cc0bb8939c2e4e4e78b7a82a1a149ea6e837' 'd2ad15610f5b683ca713329bbe25d43963af9386c9c8732b61cdc135843715f1' 'e47409d04f740a71360775af25c53662386a49ea7f93ada39ed636b9ae8a0a22' '7b9ff45ba6e6c1ad45e6984580393e3801ef86144e48dbe5fe97d4aa8b90706e' - '2c312e4e46fc3b5a215771fb9bfb328079d588ac59751e980cecaed06f7f5c76' - 'fcd5a626d4af33665d041ce42df813f1f198d8230ea186481b155a5b676f3b87' - '51562fa1016c54567dbf42a86c0cfc902372ab579bbee17879a81aff09b76b99' - '74e5dd2090a153c10a7b9599b73bb09e70fddc6a019dd41641b0f10b9d773d82' - 'c5e4f3836130c6885e9273c21f057263eba53f4b7c0e2f111f6e5f2e487a47ad') + '4d2b6f5e1a50a01b127602d8537fca1152b2d1799918faaa94dc98cf7b854513' + '74e5dd2090a153c10a7b9599b73bb09e70fddc6a019dd41641b0f10b9d773d82') prepare() { cd "${srcdir}/grub-${pkgver}/" @@ -113,20 +100,6 @@ prepare() { patch -Np1 -i "${srcdir}/0004-add-GRUB_COLOR_variables.patch" echo - msg "Patch to allow GRUB to mount ext2/3/4 filesystems that have the encryption feature" - patch -Np1 -i "${srcdir}/0005-Allow_GRUB_to_mount_ext234_filesystems_that_have_the_encryption_feature.patch" - echo - - msg "Patch to change default tsc calibration method to pmtimer on EFI systems" - patch -Np1 -i "${srcdir}/0006-tsc-Change-default-tsc-calibration-method-to-pmtimer-on-EFI-systems.patch" - echo - - msg "Support multiple early initrd images" - patch -Np1 -i "${srcdir}/0007-grub-mkconfig_10_linux_Support_multiple_early_initrd_images.patch" - - msg "Fix packed-not-aligned error on GCC 8" - patch -Np1 -i "${srcdir}/0008-Fix-packed-not-aligned-error-on-GCC-8.patch" - msg "Patch for adding support for DMCrypt and LUKS volumes with detached headers and key files" patch -Np1 -i "${srcdir}/0001-Cryptomount-support-LUKS-detached-header.patch" patch -Np1 -i "${srcdir}/0002-Cryptomount-support-key-files.patch" @@ -136,12 +109,6 @@ prepare() { patch -Np1 -i "${srcdir}/0006-Cryptomount-support-for-using-whole-device-as-keyfile.patch" echo - msg "Patch xfs: Accept filesystem with sparse inodes" - patch -Np1 -i "${srcdir}/0009-xfs-Accept-filesystem-with-sparse-inodes.patch" - - msg "Patch x86-64: Treat R_X86_64_PLT32 as R_X86_64_PC32" - patch -Np1 -i "${srcdir}/0010-relocation.patch" - msg "Fix DejaVuSans.ttf location so that grub-mkfont can create *.pf2 files for starfield theme" sed 's|/usr/share/fonts/dejavu|/usr/share/fonts/dejavu /usr/share/fonts/TTF|g' -i "configure.ac" @@ -361,9 +328,6 @@ _package_grub-common_and_bios() { msg "Install /etc/default/grub (used by grub-mkconfig)" install -D -m0644 "${srcdir}/grub.default" "${pkgdir}/etc/default/grub" - - msg "Install grub.cfg for backup array" - install -D -m0644 "${srcdir}/grub.cfg" "${pkgdir}/boot/grub/grub.cfg" } _package_grub-efi() { diff --git a/grub.cfg b/grub.cfg deleted file mode 100644 index 9d9144f870d1..000000000000 --- a/grub.cfg +++ /dev/null @@ -1,139 +0,0 @@ -# -# DO NOT EDIT THIS FILE -# -# It is automatically generated by grub-mkconfig using templates -# from /etc/grub.d and settings from /etc/default/grub -# - -### BEGIN /etc/grub.d/00_header ### -insmod part_gpt -insmod part_msdos -if [ -s $prefix/grubenv ]; then - load_env -fi -set default="0" - -if [ x"${feature_menuentry_id}" = xy ]; then - menuentry_id_option="--id" -else - menuentry_id_option="" -fi - -export menuentry_id_option - -if [ "${prev_saved_entry}" ]; then - set saved_entry="${prev_saved_entry}" - save_env saved_entry - set prev_saved_entry= - save_env prev_saved_entry - set boot_once=true -fi - -function savedefault { - if [ -z "${boot_once}" ]; then - saved_entry="${chosen}" - save_env saved_entry - fi -} - -function load_video { - if [ x$feature_all_video_module = xy ]; then - insmod all_video - else - insmod efi_gop - insmod efi_uga - insmod ieee1275_fb - insmod vbe - insmod vga - insmod video_bochs - insmod video_cirrus - fi -} - -if [ x$feature_default_font_path = xy ] ; then - font=unicode -else -insmod part_msdos -insmod ext2 -set root='hd0,msdos5' -if [ x$feature_platform_search_hint = xy ]; then - search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos5 --hint-efi=hd0,msdos5 --hint-baremetal=ahci0,msdos5 ad4103fa-d940-47ca-8506-301d8071d467 -else - search --no-floppy --fs-uuid --set=root ad4103fa-d940-47ca-8506-301d8071d467 -fi - font="/usr/share/grub/unicode.pf2" -fi - -if loadfont $font ; then - set gfxmode=auto - load_video - insmod gfxterm - set locale_dir=$prefix/locale - set lang=en_US - insmod gettext -fi -terminal_input console -terminal_output gfxterm -set timeout=5 -### END /etc/grub.d/00_header ### - -### BEGIN /etc/grub.d/10_linux ### -menuentry 'Arch Linux, with Linux core repo kernel' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-true-ad4103fa-d940-47ca-8506-301d8071d467' { - load_video - set gfxpayload=keep - insmod gzio - insmod part_msdos - insmod ext2 - set root='hd0,msdos5' - if [ x$feature_platform_search_hint = xy ]; then - search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos5 --hint-efi=hd0,msdos5 --hint-baremetal=ahci0,msdos5 ad4103fa-d940-47ca-8506-301d8071d467 - else - search --no-floppy --fs-uuid --set=root ad4103fa-d940-47ca-8506-301d8071d467 - fi - echo 'Loading Linux core repo kernel ...' - linux /boot/vmlinuz-linux root=UUID=ad4103fa-d940-47ca-8506-301d8071d467 rw quiet - echo 'Loading initial ramdisk ...' - initrd /boot/initramfs-linux.img -} -menuentry 'Arch Linux, with Linux core repo kernel (Fallback initramfs)' --class arch --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-core repo kernel-fallback-ad4103fa-d940-47ca-8506-301d8071d467' { - load_video - set gfxpayload=keep - insmod gzio - insmod part_msdos - insmod ext2 - set root='hd0,msdos5' - if [ x$feature_platform_search_hint = xy ]; then - search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos5 --hint-efi=hd0,msdos5 --hint-baremetal=ahci0,msdos5 ad4103fa-d940-47ca-8506-301d8071d467 - else - search --no-floppy --fs-uuid --set=root ad4103fa-d940-47ca-8506-301d8071d467 - fi - echo 'Loading Linux core repo kernel ...' - linux /boot/vmlinuz-linux root=UUID=ad4103fa-d940-47ca-8506-301d8071d467 rw quiet - echo 'Loading initial ramdisk ...' - initrd /boot/initramfs-linux-fallback.img -} - -### END /etc/grub.d/10_linux ### - -### BEGIN /etc/grub.d/20_linux_xen ### -### END /etc/grub.d/20_linux_xen ### - -### BEGIN /etc/grub.d/20_memtest86+ ### -### END /etc/grub.d/20_memtest86+ ### - -### BEGIN /etc/grub.d/30_os-prober ### -### END /etc/grub.d/30_os-prober ### - -### BEGIN /etc/grub.d/40_custom ### -# This file provides an easy way to add custom menu entries. Simply type the -# menu entries you want to add after this comment. Be careful not to change -# the 'exec tail' line above. -### END /etc/grub.d/40_custom ### - -### BEGIN /etc/grub.d/41_custom ### -if [ -f ${config_directory}/custom.cfg ]; then - source ${config_directory}/custom.cfg -elif [ -z "${config_directory}" -a -f $prefix/custom.cfg ]; then - source $prefix/custom.cfg; -fi -### END /etc/grub.d/41_custom ### |